
TAIP Base

Available

An air-gap-first Kubernetes platform

TAIP Base brings up the foundation TAIP runs on: a curated Kubernetes cluster with Cilium, Longhorn, cert-manager, Envoy Gateway, Zot, Authentik, and KServe — every artifact pre-staged, every step idempotent. The same playbook deploys to a connected lab and a fully air-gapped facility with no code changes. Identity is self-hosted; no node ever needs to reach the public internet.

Networks
On-prem · restricted · air-gap
Stack
K8s · Cilium · Longhorn · Envoy · Authentik
Bundle
Pre-staged · pinned · reproducible

Capabilities

What TAIP Base gives you

01

Air-gap first, not retrofitted

Charts vendored as tarballs. Images saved as `.tar.gz` and loaded on first boot. Versions pinned. The 'online' install path is the air-gapped path with a shorter staging step.

02

One opinionated stack

Kubernetes + Cilium (eBPF CNI) + Longhorn (replicated block storage) + cert-manager + Envoy Gateway (Gateway API) + Zot (OCI registry) + Authentik (OIDC). Optional GPU Operator, Kueue, KServe.

03

Idempotent and tagged

Every Ansible role is re-runnable. `--tags k8s,longhorn` re-applies a single layer. Re-running against a healthy cluster is a no-op — the same artifact bundle rolls out across a fleet over weeks or months.

04

Self-hosted identity, by design

Authentik runs inside the cluster. kubectl authenticates via OIDC against it. Application SSO and group claims flow through the same provider — no SaaS dependency, no external directory service.

How it works

From bare hosts to a working platform.

  1. Step 01

    Stage the bundle

    Helm charts, image archives, binaries, certs — vendored once on a connected build host. Byte-for-byte reproducible.

  2. Step 02

    Run the playbook

    `ansible-playbook site.yml`. Idempotent, tagged, re-runnable. The same flow online, partially-restricted, or fully air-gapped.

  3. Step 03

    Cluster is ready

    Kubernetes + Cilium + Longhorn + Envoy Gateway + Zot + Authentik — wired up. SSO via your IdP from day one.
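A check that belongs between Step 01 and Step 02: before the playbook loads anything on a disconnected host, confirm that every vendored artifact matches the pinned manifest produced on the connected build host, and that nothing unlisted has crept into the bundle. The script below is an added example, not TAIP Base code; the `sha256sum`-style manifest format and the sample bundle it builds are constructed assumptions.

```python
"""Verify a pre-staged air-gap bundle against its pinned manifest (example)."""
import hashlib
import tempfile
from pathlib import Path


def parse_manifest(text: str) -> dict[str, str]:
    """Assumed format: one '<sha256>  <relative path>' line per artifact."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        expected[rel.strip()] = digest.lower()
    return expected


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bundle(bundle_dir: str, manifest_text: str) -> dict[str, list[str]]:
    """Classify artifacts as ok / mismatch / missing / unlisted.
    Any non-empty mismatch, missing or unlisted list should stop the rollout."""
    root = Path(bundle_dir)
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, digest in sorted(expected.items()):
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    # The pinned set is the whole set: a file the manifest never listed is as
    # suspicious as a tampered one.
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.relative_to(root).as_posix() not in expected:
            report["unlisted"].append(p.relative_to(root).as_posix())
    return report


def build_sample_bundle() -> tuple[str, str]:
    """Constructed sample: two good artifacts, one tampered, one unlisted, one absent."""
    d = tempfile.mkdtemp(prefix="bundle-")
    files = {"charts/cilium.tgz": b"chart bytes (constructed)",
             "images/longhorn-manager.tar.gz": b"image bytes (constructed)",
             "charts/authentik.tgz": b"original chart"}
    lines = []
    for rel, data in files.items():
        p = Path(d, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {rel}")
    Path(d, "charts/authentik.tgz").write_bytes(b"modified chart")  # tampered after staging
    Path(d, "images/extra.tar.gz").write_bytes(b"not in manifest")  # unlisted artifact
    lines.append(f"{'0' * 64}  binaries/kubectl")  # pinned but never copied
    return d, "\n".join(lines)
```

Run `verify_bundle` against the real bundle directory and the manifest shipped with it; a clean result is all four artifacts in `ok` and every other list empty.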

Who it's for

Built for these teams

  • Regulated industries (healthcare, finance, government, defense)
  • Edge and field deployments on customer hardware
  • Teams standing up a new on-prem AI platform