TAIP Base
Available
Bare hosts to a working AI platform — even with the internet unplugged.
TAIP Base brings up the foundation TAIP runs on: a curated Kubernetes cluster with Cilium, Longhorn, cert-manager, Envoy Gateway, KServe model serving, and a self-hosted OIDC identity provider — every artifact pre-staged into a content-addressed bundle, every step idempotent and re-runnable. The same playbooks deploy to a connected lab and a fully air-gapped facility with no code changes; the 'online' path is the air-gapped path with a shorter staging step. GPU operators for NVIDIA, Huawei Ascend, and AMD dispatch per node label, so one cluster can mix vendors — and mix amd64 with arm64. It runs real clusters today, connected and fully air-gapped.
Specification
- Version: v1.6 — generally available
- Stack: Kubernetes (K3s) · Cilium · Longhorn · cert-manager · Envoy Gateway · self-hosted OIDC · KServe
- Networks: On-prem · restricted · fully air-gapped (USB transfer supported)
- Accelerators: NVIDIA GPU Operator (validated) · Ascend NPU and AMD ROCm (early) — mixed per node
- Architectures: amd64 + arm64, mixed in one cluster
- Proven on: Real clusters — connected and fully air-gapped
Proof, not promises
See it in one block.
No proprietary SDKs, no rewrites — TAIP Base meets your tools where they already are.
```
$ ./install/00-preflight.sh # read-only validation
$ ./install/03-install-cluster.sh --cluster site-a
ok k8s · cilium · longhorn · cert-manager · envoy-gateway · authentik
# Ctrl-C and re-run is the documented recovery path
# same bundle, same registry, same result — across sites and months
```
Content-addressed bundles: re-packing a version bump moves only changed layers. One registry serves many clusters.
Capabilities
What TAIP Base gives you
Air-gap first, not retrofitted
Charts vendored, images packed as OCI layouts, versions pinned, K3s system images resolved from the K3s binary itself so nothing can drift. Distribute by bucket, USB, or registry — the 'online' install is the air-gapped install with a shorter staging step.
One opinionated stack
Kubernetes + Cilium (eBPF CNI) + Longhorn (replicated block storage) + cert-manager + Envoy Gateway (Gateway API) + a self-hosted OIDC identity provider + KServe for model serving (default on, opt-out). Optional Kueue queueing and Ceph CSI storage when you need them. Optional GPU operators for NVIDIA, Ascend, and AMD — dispatched per node label, mixable in one cluster.
Idempotent and tagged
Every role is re-runnable; Ctrl-C and re-run is the documented recovery path. `--tags k8s,longhorn` re-applies a single layer. Preflight validates DNS, SSH, disks, and TLS before anything destructive; post-install verification checks every workload.
Self-hosted identity, by design
A self-hosted OIDC identity provider runs inside the cluster. kubectl authenticates via OIDC against it. Per-app OIDC registration is one idempotent script — TAIP apps get client secrets and tokens generated automatically. No SaaS dependency, ever.
How it works
From bare hosts to a working platform.
- Step 01: Stage the bundle
  Helm charts, image layouts, binaries, certs — packed once on a connected build host. Content-addressed: version bumps move only changed layers.
- Step 02: Run the playbooks
  Preflight validates first. Install is idempotent, tagged, re-runnable. The same flow online, restricted, or fully air-gapped.
- Step 03: Cluster is ready
  Kubernetes + Cilium + Longhorn + Envoy Gateway + self-hosted OIDC — wired up, verified, SSO from day one.
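What "content-addressed" in step 01 buys an air-gapped site, as an added example that is not TAIP Base code: blobs are named by their SHA-256, so a version bump transfers only digests the site lacks, and the receiving side can re-hash every blob before admitting it. The manifest shape, function names and sample artifacts are assumptions made for illustration, not the TAIP bundle format.

```python
import hashlib

def digest(data: bytes) -> str:
    """Content address of a blob, in the OCI-style 'sha256:<hex>' form."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def pack(artifacts: dict[str, bytes]) -> tuple[dict[str, str], dict[str, bytes]]:
    """Build host: return (manifest name->digest, blobs digest->bytes)."""
    manifest = {name: digest(data) for name, data in artifacts.items()}
    return manifest, {digest(d): d for d in artifacts.values()}

def delta(manifest: dict[str, str], present: set[str]) -> set[str]:
    """Digests the site does not hold yet; only these cross the air gap."""
    return set(manifest.values()) - present

def import_blobs(store: dict[str, bytes], incoming: dict[str, bytes]) -> list[str]:
    """Air-gapped side: re-hash each blob and admit it only if the hash
    equals the name it arrived under. Returns the rejected digests."""
    rejected = []
    for claimed, data in incoming.items():
        if digest(data) == claimed:
            store[claimed] = data
        else:
            rejected.append(claimed)
    return rejected

def missing(manifest: dict[str, str], store: dict[str, bytes]) -> list[str]:
    """Artifacts with no verified blob; install should refuse if non-empty."""
    return sorted(n for n, d in manifest.items() if d not in store)

# Constructed sample artifacts (hypothetical names and contents).
V1 = {"k3s": b"k3s-1", "cilium.tgz": b"cilium-1", "longhorn.tgz": b"longhorn-1"}
V2 = {**V1, "cilium.tgz": b"cilium-2"}          # version bump of one chart

def demo() -> dict:
    site: dict[str, bytes] = {}
    _, blobs1 = pack(V1)
    import_blobs(site, blobs1)                   # initial install bundle
    manifest2, blobs2 = pack(V2)
    need = delta(manifest2, set(site))           # what the bump must ship
    # Simulate a blob damaged or altered on the transfer medium.
    bad = import_blobs(site, {d: blobs2[d] + b"!" for d in need})
    blocked_before = missing(manifest2, site)
    import_blobs(site, {d: blobs2[d] for d in need})   # clean re-transfer
    return {"to_transfer": len(need), "rejected": len(bad),
            "blocked_before": blocked_before,
            "blocked_after": missing(manifest2, site)}

if __name__ == "__main__":
    print(demo())
```

The hash check only proves a blob matches the manifest; the manifest itself still has to reach the site authenticated (for example signed, or carried out of band), since it is the root of trust for everything it names.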
Who it's for
Built for these teams
- Regulated industries (healthcare, finance, government, defense)
- Edge and field deployments on customer hardware
- Teams standing up a new on-prem AI platform