Documentation Index
Fetch the complete documentation index at: https://docs.neuraltrust.ai/llms.txt
Use this file to discover all available pages before exploring further.
This guide walks you end-to-end through a hybrid deployment on EKS — the Data Plane, TrustGate, and Firewall run in your EKS cluster; the Control Plane UI, API, and Scheduler run on NeuralTrust SaaS.
For the full-stack alternative, see AWS self-hosted.
What you’ll end up with
| Component | Location | Replicas |
|---|
| Data Plane API, worker, Kafka Connect | Your EKS cluster | 2, 1, 1 |
| TrustGate admin / gateway / actions | Your EKS cluster | 2 each |
| Firewall gateway + 5 workers | Your EKS cluster | 2 + 5 |
| ClickHouse, Kafka, PostgreSQL, Redis | Your EKS cluster (or external) | 1 each |
| Control Plane API, UI, Scheduler | NeuralTrust SaaS | — |
Prerequisites
| Resource | Recommended |
|---|
| EKS version | 1.28+ |
| CPU pool node type | m5.2xlarge (8 vCPU / 32 GiB) |
| Min CPU nodes | ≥ 4 across 3 AZs. Drop to 3 if Firewall workers run on GPU nodes. |
| GPU pool (optional, for GPU Firewall) | g4dn.xlarge (4 vCPU / 16 GiB / 1 × T4) — 5 nodes (one per default Firewall worker) |
| Storage | EBS CSI driver + gp3 storage class |
| Ingress | AWS Load Balancer Controller v2.6+ |
| Certificate | ACM cert in the cluster region covering *.<your-domain> |
| DNS | Route 53 hosted zone (or any DNS provider) |
| Image pull | gcr-keys.json from NeuralTrust |
| NeuralTrust tenant | A SaaS Control Plane tenant — request from [email protected] |
Step 1 — Provision EKS and add-ons
eksctl create cluster \
--name neuraltrust \
--region <REGION> \
--version 1.30 \
--nodegroup-name app \
--node-type m5.2xlarge \
--nodes 4 --nodes-min 4 --nodes-max 8 \
--with-oidc \
--managed
aws eks update-kubeconfig --region <REGION> --name neuraltrust
kubectl get nodes
--nodes 5 --nodes-min 5 to fit the additional Control Plane footprint.
Install the AWS Load Balancer Controller and EBS CSI driver (see AWS overview › Required cluster add-ons).
Step 2 — Namespace and image pull secret
kubectl create namespace neuraltrust
kubectl create secret docker-registry gcr-secret \
--docker-server=europe-west1-docker.pkg.dev \
--docker-username=_json_key \
--docker-password="$(cat path/to/gcr-keys.json)" \
[email protected] \
-n neuraltrust
Step 3 — Request the ACM certificate
aws acm request-certificate \
--domain-name "*.platform.example.com" \
--validation-method DNS \
--region <REGION>
Step 4 — Write your values overlay
Save as my-values.yaml:
# Hybrid deployment on EKS
global:
platform: "aws"
domain: "platform.example.com"
storageClass: "gp3"
autoGenerateSecrets: true
# Control Plane disabled — runs on NeuralTrust SaaS
neuraltrust-control-plane:
controlPlane:
enabled: false
infrastructure:
postgresql:
deploy: true # for TrustGate admin metadata
# Data Plane in your cluster
neuraltrust-data-plane:
dataPlane:
enabled: true
components:
api:
ingress:
enabled: true
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<CERT_ID>"
# TrustGate
trustgate:
enabled: true
global:
env:
SERVER_BASE_DOMAIN: "platform.example.com"
ingress:
controlPlane:
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<CERT_ID>"
dataPlane:
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<CERT_ID>"
actions:
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<CERT_ID>"
# Firewall in-cluster
neuraltrust-firewall:
firewall:
enabled: true
# Infrastructure
infrastructure:
clickhouse:
deploy: true
kafka:
deploy: true
Using managed AWS data services
infrastructure:
clickhouse:
deploy: false
external:
host: "your-tenant.aws.clickhouse.cloud"
port: "8443"
user: "neuraltrust"
password: ""
database: "neuraltrust"
kafka:
deploy: false
external:
bootstrapServers: "b-1.msk-cluster.<id>.kafka.<REGION>.amazonaws.com:9092"
# MSK with IAM auth requires extraEnv + a custom signer image; see Feature flags ›
# Authentication for external Kafka before adopting in production.
neuraltrust-control-plane:
infrastructure:
postgresql:
deploy: false
controlPlane:
components:
postgresql:
secrets:
host: "<rds-endpoint>.rds.amazonaws.com"
port: "5432"
user: "neuraltrust"
password: "" # inject via --set or pre-created secret
database: "neuraltrust"
Step 5 — Install
helm upgrade --install neuraltrust-platform \
oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
--version <VERSION> \
--namespace neuraltrust \
-f my-values.yaml
kubectl get pods -n neuraltrust -w
Step 6 — DNS
Get the ALB hostnames assigned to each ingress:
kubectl get ingress -n neuraltrust -o wide
| Host | Component |
|---|
data-plane-api.platform.example.com | Data Plane API |
admin.platform.example.com | TrustGate admin |
gateway.platform.example.com | TrustGate proxy |
actions.platform.example.com | TrustGate actions |
Step 7 — Enroll the Data Plane with NeuralTrust SaaS
Get the Data Plane JWT secret
kubectl get secret data-plane-jwt-secret -n neuraltrust \
-o jsonpath='{.data.DATA_PLANE_JWT_SECRET}' | base64 -d
Open the NeuralTrust portal
Log in at the URL provided by NeuralTrust (typically https://app.neuraltrust.ai).
Connect the Data Plane
Team Settings → Advanced → Connect Data Plane. Provide your Data Plane API URL (https://data-plane-api.platform.example.com), the JWT secret, and the region. See Platform › Advanced for the full UI walkthrough. Verify connectivity
The portal issues a health check against your Data Plane API. On success, your data plane shows as Connected and dashboards begin populating once TrustGate routes traffic.
Step 8 — Send traffic through TrustGate
Point your AI applications at https://gateway.platform.example.com. For gateway / route / plugin configuration, see TrustGate › Getting started.
Verification
kubectl get pods -n neuraltrust
kubectl get ingress -n neuraltrust -o wide
curl https://data-plane-api.platform.example.com/health
curl https://gateway.platform.example.com/__health
Upgrading
helm upgrade neuraltrust-platform \
oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
--version <NEW_VERSION> \
--namespace neuraltrust \
-f my-values.yaml
Migration to self-hosted
Flip the Control Plane flag and add DNS for app.*, api.*, scheduler.*:
neuraltrust-control-plane:
controlPlane:
enabled: true
Troubleshooting
| Symptom | Likely cause | Fix |
|---|
| Portal says “Data Plane unreachable” | DNS not propagated, ACM cert not issued, or security group blocks SaaS Control Plane | curl https://data-plane-api.<domain>/health from outside your VPC |
| Ingress doesn’t get an ALB | AWS LB Controller missing IAM | Check kube-system logs |
PVC stuck Pending | EBS CSI driver missing | Verify the addon is installed and IRSA role is attached |
| TrustGate can’t reach Firewall | Service name mismatch | Default is http://firewall:80 — verify NEURAL_TRUST_FIREWALL_URL in trustgate-secrets |
