# Pre-flight Checklist

## not.bot™ Verify: Pre-flight Checklist

Complete every item before you open the Deployment Checklist. Missing prerequisites cause most first-deploy failures.

---

### Infrastructure

| # | Requirement | How to verify | Done |
|---|-------------|---------------|------|
| 1 | Kubernetes cluster with a configured kubectl context | `kubectl cluster-info` returns a running control plane | ☐ |
| 2 | Helm 3 installed | `helm version` shows v3.x | ☐ |
| 3 | helm-diff plugin installed | `helm plugin list` includes `diff` | ☐ |
| 4 | PostgreSQL 14 or later, reachable from inside the cluster | `psql -h <HOST> -U <USER> -c "SELECT version();"` shows 14+ | ☐ |
| 5 | Keycloak 22 or later, reachable from inside the cluster | Browse to your Keycloak admin console and confirm login | ☐ |
| 6 | A container registry your cluster can pull from | `docker pull <YOUR_REGISTRY>/any-existing-image` succeeds | ☐ |
| 7 | Cluster supports internal LoadBalancer Services | Managed K8s (EKS/GKE/AKS) supports this by default. On bare-metal, `kubectl get pods -n metallb-system` shows running pods | ☐ |

### Workstation tools

| # | Requirement | How to verify | Done |
|---|-------------|---------------|------|
| 8 | openssl | `openssl version` returns a version | ☐ |
| 9 | OpenBao CLI (`bao`) installed | `bao --version` returns a version | ☐ |

> If you intend to rebuild the OpenBao image from source for supply-chain validation, also install Docker with buildx. See Deployment Checklist Appendix A. The mainline flow uses the pre-built image shipped in the chart and requires no compiler toolchain.

### Access

| # | Requirement | How to verify | Done |
|---|-------------|---------------|------|
| 10 | DNS control for the domain in your deployment-config.json | You can add a TXT record at the root of that domain | ☐ |
| 11 | DNS control for the internal zone holding your admin service hostname | You can add a CNAME for Decision H in that zone | ☐ |
| 12 | Permission to create namespaces in the Kubernetes cluster | `kubectl auth can-i create namespaces` returns `yes` | ☐ |
| 13 | Permission to create secrets in the Kubernetes cluster | `kubectl auth can-i create secrets` returns `yes` | ☐ |

### Deployment package

| # | Requirement | How to verify | Done |
|---|-------------|---------------|------|
| 14 | deployment-config.json from your welcome email | File contains your customerId, organizationName, apiKey, billingServerUrl, and domain | ☐ |
| 15 | not.bot_verify_deployment.zip from your welcome email | Unzips to a `helm/` directory with three subdirectories: admin-service, openBao, signer-service | ☐ |
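
Items 14 and 15 can be checked without unpacking anything or opening the config by hand. The script below is an added example, not part of the not.bot package; the function names are hypothetical, and it assumes the archive entries are rooted at `helm/` as item 15 describes.

```python
import json
import sys
import zipfile
from pathlib import PurePosixPath

# Field names and chart directories are taken from items 14 and 15 above.
REQUIRED_FIELDS = ("customerId", "organizationName", "apiKey", "billingServerUrl", "domain")
REQUIRED_CHARTS = ("admin-service", "openBao", "signer-service")


def check_config(path):
    """Return a list of problems with deployment-config.json (empty list = OK)."""
    try:
        data = json.loads(open(path, encoding="utf-8").read())
    except (OSError, ValueError) as exc:
        return [f"cannot read {path}: {exc}"]
    if not isinstance(data, dict):
        return ["top level of the config is not a JSON object"]
    problems = []
    for field in REQUIRED_FIELDS:
        value = data.get(field)
        if value is None or (isinstance(value, str) and not value.strip()):
            problems.append(f"missing or empty field: {field}")
    return problems


def check_package(path):
    """Return a list of problems with the deployment zip (empty list = OK)."""
    try:
        with zipfile.ZipFile(path) as archive:
            names = archive.namelist()
    except (OSError, zipfile.BadZipFile) as exc:
        return [f"cannot open {path}: {exc}"]
    problems = []
    # Flag entries that would unpack outside the directory you extract into.
    for name in names:
        if name.startswith("/") or ".." in PurePosixPath(name).parts:
            problems.append(f"unsafe path in archive: {name}")
    for chart in REQUIRED_CHARTS:
        prefix = f"helm/{chart}/"
        if not any(n.startswith(prefix) for n in names):
            problems.append(f"missing chart directory: {prefix}")
    return problems


if __name__ == "__main__":
    issues = check_config(sys.argv[1]) + check_package(sys.argv[2])
    print("\n".join(issues) if issues else "deployment package OK")
    sys.exit(1 if issues else 0)
```

Run it with the config path first and the zip path second; it prints each problem on its own line and exits non-zero if any are found. The script never prints field values, so the apiKey stays out of terminal scrollback.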

### Decisions to make before you start

You will need these values during deployment. Decide on them now so you are not stopping mid-checklist.

| # | Decision | Your value |
|---|----------|------------|
| A | Kubernetes namespace for OpenBao | _______________ |
| B | Kubernetes namespace for the admin service | _______________ |
| C | Kubernetes namespace for signature servers | _______________ |
| D | OpenBao namespace name (internal to OpenBao, not Kubernetes) | _______________ |
| E | PostgreSQL database name | _______________ |
| F | PostgreSQL admin user — name (default `notbot_admin`) and password | name: _______________   password: _______________ |
| G | PostgreSQL signer user — name (default `notbot_signer`) and password | name: _______________   password: _______________ |
| H | Internal hostname operators use to reach the admin UI (e.g. admin.internal.example.com) | _______________ |
| I | Internal hostname for the signature server load balancer (e.g. signer.internal.example.com) | _______________ |
| J | TLS certificate for the admin LB (cloud-managed cert ARN/resource ID, or path to BYO cert + key) | _______________ |
| K | TLS certificate for the signature server LB (Decision **I**'s hostname). May be the same multi-SAN cert as Decision **J** or a separate cert. | _______________ |

Decision H appears in Keycloak redirects, Helm values, and your internal DNS zone. Decision I appears in Helm values, your internal DNS zone, and the SDK configuration. Use the exact same value everywhere each one appears.

---

If any item above is incomplete, resolve it before proceeding. The Deployment Checklist assumes all of these are in place.
