TAIP Base

Available

Bare hosts to a working AI platform — even with the internet unplugged.

TAIP Base brings up the foundation TAIP runs on: a curated Kubernetes cluster with Cilium, Longhorn, cert-manager, Envoy Gateway, KServe model serving, and a self-hosted OIDC identity provider — every artifact pre-staged into a content-addressed bundle, every step idempotent and re-runnable. The same playbooks deploy to a connected lab and a fully air-gapped facility with no code changes; the 'online' path is the air-gapped path with a shorter staging step. GPU operators for NVIDIA, Huawei Ascend, and AMD dispatch per node label, so one cluster can mix vendors — and mix amd64 with arm64. It runs real clusters today, connected and fully air-gapped.

Specification

Version: v1.6 — generally available
Stack: Kubernetes (K3s) · Cilium · Longhorn · cert-manager · Envoy Gateway · self-hosted OIDC · KServe
Networks: On-prem · restricted · fully air-gapped (USB transfer supported)
Accelerators: NVIDIA GPU Operator (validated) · Ascend NPU and AMD ROCm (early) — mixed per node
Architectures: amd64 + arm64, mixed in one cluster
Proven on: Real clusters — connected and fully air-gapped

Proof, not promises

See it in one block.

No proprietary SDKs, no rewrites — TAIP Base meets your tools where they already are.

idempotent from bare metal
$ ./install/00-preflight.sh                      # read-only validation
$ ./install/03-install-cluster.sh --cluster site-a
ok  k8s · cilium · longhorn · cert-manager · envoy-gateway · authentik
# Ctrl-C and re-run is the documented recovery path
# same bundle, same registry, same result — across sites and months

Content-addressed bundles: re-packing a version bump moves only changed layers. One registry serves many clusters.

Capabilities

What TAIP Base gives you

01. Air-gap first, not retrofitted

Charts vendored, images packed as OCI layouts, versions pinned, K3s system images resolved from the K3s binary itself so nothing can drift. Distribute by bucket, USB, or registry — the 'online' install is the air-gapped install with a shorter staging step.
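
What content addressing buys on the receiving side of an air gap, as an added example (not TAIP Base code): it checks that every blob in a staged directory still hashes to its own file name, and lists which blobs a new bundle adds over one already on site. It assumes the bundle's image directories follow the OCI image-layout convention of `blobs/sha256/<digest>`; the function names and sample data are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def blob_dir(layout: Path) -> Path:
    # OCI image-layout convention: blobs/<algorithm>/<hex digest>
    return layout / "blobs" / "sha256"

def put_blob(layout: Path, data: bytes) -> str:
    """Store data under its own SHA-256, as a content-addressed store does."""
    digest = hashlib.sha256(data).hexdigest()
    blob_dir(layout).mkdir(parents=True, exist_ok=True)
    (blob_dir(layout) / digest).write_bytes(data)
    return digest

def verify_layout(layout: Path) -> list[str]:
    """Return the blobs whose content no longer hashes to their file name."""
    bad = []
    for blob in sorted(blob_dir(layout).iterdir()):
        h = hashlib.sha256()
        with blob.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        if h.hexdigest() != blob.name:
            bad.append(blob.name)
    return bad

def blobs_to_transfer(new: Path, old: Path) -> set[str]:
    """Digests present in the new bundle but not in the one already on site."""
    return ({b.name for b in blob_dir(new).iterdir()}
            - {b.name for b in blob_dir(old).iterdir()})

def demo():
    """Constructed sample: two bundle versions sharing one base layer."""
    with tempfile.TemporaryDirectory() as tmp:
        v1, v2 = Path(tmp, "bundle-v1"), Path(tmp, "bundle-v2")
        base = b"constructed base layer"
        for layout, app in ((v1, b"constructed app 1.0"), (v2, b"constructed app 1.1")):
            put_blob(layout, base)
            put_blob(layout, app)
        delta = blobs_to_transfer(v2, v1)      # only the changed app layer
        clean = verify_layout(v2)              # [] before any alteration
        # Simulate corruption or tampering in transit (e.g. on the USB leg).
        (blob_dir(v2) / hashlib.sha256(base).hexdigest()).write_bytes(b"altered")
        return delta, clean, verify_layout(v2)

if __name__ == "__main__":
    print(demo())
```

A name-equals-hash check only detects blobs that changed under an unchanged name. Whoever can rewrite the whole directory can also rewrite the names, so the top-level index digest still needs to be compared against a value received over a separate trusted channel.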

02. One opinionated stack

Kubernetes + Cilium (eBPF CNI) + Longhorn (replicated block storage) + cert-manager + Envoy Gateway (Gateway API) + a self-hosted OIDC identity provider + KServe for model serving (default on, opt-out). Optional Kueue queueing and Ceph CSI storage when you need them. Optional GPU operators for NVIDIA, Ascend, and AMD — dispatched per node label, mixable in one cluster.

03. Idempotent and tagged

Every role is re-runnable; Ctrl-C and re-run is the documented recovery path. `--tags k8s,longhorn` re-applies a single layer. Preflight validates DNS, SSH, disks, and TLS before anything destructive; post-install verification checks every workload.

04. Self-hosted identity, by design

A self-hosted OIDC identity provider runs inside the cluster. kubectl authenticates via OIDC against it. Per-app OIDC registration is one idempotent script — TAIP apps get client secrets and tokens generated automatically. No SaaS dependency, ever.

How it works

From bare hosts to a working platform.

  1. Stage the bundle

    Helm charts, image layouts, binaries, certs — packed once on a connected build host. Content-addressed: version bumps move only changed layers.

  2. Run the playbooks

    Preflight validates first. Install is idempotent, tagged, re-runnable. The same flow online, restricted, or fully air-gapped.

  3. Cluster is ready

    Kubernetes + Cilium + Longhorn + Envoy Gateway + self-hosted OIDC — wired up, verified, SSO from day one.

Who it's for

Built for these teams

  • Regulated industries (healthcare, finance, government, defense)
  • Edge and field deployments on customer hardware
  • Teams standing up a new on-prem AI platform