// the find
openrundev/openrun
Deployment platform for code-first internal tools. Deploy web apps declaratively, on a single-node or on Kubernetes.
OpenRun is a self-hosted deployment platform for internal tools that sits between 'just run Docker' and 'full Kubernetes with ArgoCD'. It manages container lifecycles, handles TLS, and provides OAuth/SAML auth at the proxy layer — all configured declaratively with Starlark files in Git. The target audience is small engineering teams who need to ship a handful of internal apps without standing up a full internal developer platform (IDP) like Backstage.
1. Single-node to Kubernetes parity with no config changes is genuine — most comparable tools (Coolify, Dokku, CapRover) stop at single-node.
2. Auth at the proxy layer means OAuth/OIDC/SAML works for any containerized app without touching its code, which is exactly what internal tools need.
3. Starlark config is actually concise — the examples show deploying multiple apps in a dozen lines versus equivalent Kubernetes YAML that would be pages.
4. Scale-to-zero is first-class, not an afterthought — useful for internal tools that get hit twice a day and shouldn't burn compute all week.

1. Single-container constraint is a hard wall — no Docker Compose means any app that needs a sidecar (Redis, a local DB, a worker) can't use OpenRun without externalizing those dependencies.
2. The project was recently renamed from 'Clace' (static assets and generated file names throughout the repo still say clace) — 853 stars and 27 forks with an identity change this recent is a real longevity risk before betting internal tooling on it.
3. The built-in hypermedia app framework (htmx + Starlark + Go templates running in a sandbox) is bundled alongside the deployment platform — mixing 'deploy my container' with 'build apps in our framework' makes the scope unclear and the second mode is a non-trivial framework to adopt on its own terms.
4. The Starlark sandbox security model for the built-in app server gets described but performance characteristics don't — evaluating Starlark per request with an allowlist-based permissions system could bite you at any meaningful traffic level.