not.bot Verify: Preflight Checklist
Complete every item before you open the Deployment Checklist. Missing prerequisites cause most first-deploy failures.
Infrastructure
| # | Requirement | How to verify | Done |
|---|---|---|---|
| 1 | Kubernetes cluster with a configured kubectl context | kubectl cluster-info returns a running control plane | ☐ |
| 2 | Helm 3 installed | helm version shows v3.x | ☐ |
| 3 | helm-diff plugin installed | helm plugin list includes diff | ☐ |
| 4 | PostgreSQL 14 or later, reachable from inside the cluster | psql -h <HOST> -U <USER> -c "SELECT version();" shows 14+ | ☐ |
| 5 | Keycloak 22 or later, reachable from inside the cluster | Browse to your Keycloak admin console and confirm login | ☐ |
| 6 | A container registry your cluster can pull from | docker pull <YOUR_REGISTRY>/any-existing-image succeeds | ☐ |
| 7 | Cluster supports internal LoadBalancer Services | Managed K8s (EKS/GKE/AKS) supports this by default. On bare-metal, kubectl get pods -n metallb-system shows running pods | ☐ |
Workstation tools
| # | Requirement | How to verify | Done |
|---|---|---|---|
| 8 | openssl | openssl version returns a version | ☐ |
| 9 | OpenBao CLI (bao) installed | bao --version returns a version | ☐ |
If you intend to rebuild the OpenBao image from source for supply-chain validation, also install Docker with buildx. See Deployment Checklist Appendix A. The mainline flow uses the pre-built image shipped in the chart and requires no compiler toolchain.
Access
| # | Requirement | How to verify | Done |
|---|---|---|---|
| 10 | DNS control for the domain in your deployment-config.json | You can add a TXT record at the root of that domain | ☐ |
| 11 | DNS control for the internal zone holding your admin service hostname | You can add a CNAME for Decision H in that zone | ☐ |
| 12 | Permission to create namespaces in the Kubernetes cluster | kubectl auth can-i create namespaces returns yes | ☐ |
| 13 | Permission to create secrets in the Kubernetes cluster | kubectl auth can-i create secrets returns yes | ☐ |
Deployment package
| # | Requirement | How to verify | Done |
|---|---|---|---|
| 14 | deployment-config.json from your welcome email | File contains your customerId, organizationName, apiKey, billingServerUrl, and domain | ☐ |
| 15 | not.bot_verify_deployment.zip from your welcome email | Unzips to a helm/ directory with three subdirectories: admin-service, openBao, signer-service | ☐ |
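The command-line checks from items 1 to 14, collected into one script as an added example (it is not part of the not.bot deployment package). The function names and the --run argument are assumptions of this example; psql connection settings come from the standard PGHOST, PGUSER and PGPASSWORD environment variables.

```shell
#!/usr/bin/env bash
# Added example: automates the checklist items that have a command-line check.
# Items 5, 6, 7, 10, 11 and 15 still need a manual look.

# Item 2: true if `helm version` output reports a v3.x release.
helm_is_v3() { printf '%s\n' "$1" | grep -Eq '(^|[^0-9.])v3\.[0-9]+'; }

# Item 3: true if `helm plugin list` output has a plugin named exactly "diff".
has_diff_plugin() {
  printf '%s\n' "$1" | awk '$1 == "diff" { found = 1 } END { exit !found }'
}

# Item 4: true if a `SELECT version();` row reports PostgreSQL 14 or later.
pg_is_14_plus() {
  pg_major=$(printf '%s\n' "$1" | sed -nE 's/^ *PostgreSQL ([0-9]+).*/\1/p' | head -n 1)
  [ -n "$pg_major" ] && [ "$pg_major" -ge 14 ]
}

# Item 14: print each required key missing from the config file.
# Presence check only (grep, not a JSON parser); values such as apiKey are never echoed.
missing_config_keys() {
  for key in customerId organizationName apiKey billingServerUrl domain; do
    grep -Eq "\"$key\"[[:space:]]*:" "$1" 2>/dev/null || printf '%s\n' "$key"
  done
}

# Run a command quietly, print PASS/FAIL with its label, and count failures.
check() {
  label=$1; shift
  if "$@" >/dev/null 2>&1; then echo "PASS  $label"
  else echo "FAIL  $label"; failures=$((failures + 1)); fi
}

# psql takes PGHOST/PGUSER/PGPASSWORD from the environment; -w stops it prompting.
run_preflight() {
  failures=0
  check " 1 control plane reachable" kubectl cluster-info
  check " 2 Helm 3"                  helm_is_v3 "$(helm version --short 2>/dev/null)"
  check " 3 helm-diff plugin"        has_diff_plugin "$(helm plugin list 2>/dev/null)"
  check " 4 PostgreSQL 14+"          pg_is_14_plus "$(psql -w -tAc 'SELECT version();' 2>/dev/null)"
  check " 8 openssl"                 openssl version
  check " 9 OpenBao CLI (bao)"       bao --version
  check "12 can create namespaces"   kubectl auth can-i create namespaces
  check "13 can create secrets"      kubectl auth can-i create secrets
  check "14 deployment-config.json"  test -z "$(missing_config_keys "$1")"
  return "$failures"
}

if [ "${1:-}" = "--run" ]; then run_preflight "${2:-deployment-config.json}"; fi
```

Saved under a name of your choice and invoked with --run followed by the path to deployment-config.json, the script exits with the number of failed checks as its status.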
Decisions to make before you start
You will need these values during deployment. Decide on them now so you are not stopping mid-checklist.
| # | Decision | Your value |
|---|---|---|
| A | Kubernetes namespace for OpenBao | _______________ |
| B | Kubernetes namespace for the admin service | _______________ |
| C | Kubernetes namespace for signature servers | _______________ |
| D | OpenBao namespace name (internal to OpenBao, not Kubernetes) | _______________ |
| E | PostgreSQL database name | _______________ |
| F | PostgreSQL admin user — name (default notbot_admin) and password | name: _______________ password: _______________ |
| G | PostgreSQL signer user — name (default notbot_signer) and password | name: _______________ password: _______________ |
| H | Internal hostname operators use to reach the admin UI (e.g. admin.internal.example.com) | _______________ |
| I | Internal hostname for the signature server load balancer (e.g. signer.internal.example.com) | _______________ |
| J | TLS certificate for the admin LB (cloud-managed cert ARN/resource ID, or path to BYO cert + key) | _______________ |
| K | TLS certificate for the signature server LB (Decision I's hostname). May be the same multi-SAN cert as Decision J or a separate cert. | _______________ |
Decision H appears in Keycloak redirects, Helm values, and your internal DNS zone. Decision I appears in Helm values, your internal DNS zone, and the SDK configuration. Use the exact same value everywhere each one appears.
If any item above is incomplete, resolve it before proceeding. The Deployment Checklist assumes all of these are in place.