Blueprint Governance
Overview¶
Blueprint governance across organizations enables centralized management of blueprints in the system-catalog project of the default organization and allows tenant organizations to consume those blueprints indirectly during instance or cluster launch.
Blueprints are resolved internally through compute profiles or service profiles and are not listed, copied, or managed within tenant projects.
Purpose¶
This capability provides platform or partner administrators with a controlled mechanism to standardize blueprint usage across tenant organizations while defining clear boundaries on what can and cannot be overridden during instance launch.
Applicability¶
This behavior applies when:
- Blueprints are created and maintained in the system-catalog project
- Compute or service profiles reference those blueprints
- Profiles are shared with tenant organizations
- Instances or clusters are launched using shared profiles
Blueprint Configuration Flow¶
Step 1: Create a Blueprint in the System Catalog¶
Create a blueprint in the system-catalog project of the default organization. This blueprint defines the base cluster configuration and any associated add-ons.
The blueprint remains owned and managed only in the system-catalog project.
Step 2: Create a Compute or Service Profile and Configure Blueprint Details¶
In PaaS Studio, create a Compute Profile or Service Profile in the system-catalog project of the default organization.
In the Input Settings section, configure the Blueprint Name and Blueprint Version inputs:
-
Show to User Controls whether the blueprint fields are visible and overrideable during instance launch. When disabled, the values defined in the profile are enforced.
-
System Variable Hides the blueprint fields from tenant users and allows the system to populate the values internally. This option is available only for profiles created in the system-catalog project.
These settings determine whether blueprint values are enforced centrally or can be overridden by tenant users during instance launch.
Step 3: Share the Profile with Tenant Organizations Using the Operations Console¶
In the Operations Console, navigate to System Resources → Compute Profiles or Service Profiles and select the profile created in the system-catalog project.
Use the sharing option to control profile access:
- Share the profile with all organizations, or
- Select specific tenant organizations and enable sharing for the required projects
Once shared, the profile becomes available for use in the selected tenant organizations. Tenant users can consume the profile during instance launch, but cannot modify the profile configuration itself. Blueprint behavior during instance launch continues to be governed by the Show to User and System Variable settings defined in the profile.
Step 4: Launch Instances from Tenant Organizations¶
Log in to a tenant organization and launch an instance using the shared compute or service profile.
During instance launch:
- The blueprint configuration from the profile is applied automatically
- If blueprint overrides were enabled in the profile, the blueprint name or version can be modified
- If overrides were disabled, the predefined blueprint configuration is enforced
