Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.neuraltrust.ai/llms.txt

Use this file to discover all available pages before exploring further.

This guide walks you end-to-end through a fully self-hosted deployment on EKS — Control Plane API, UI, and Scheduler run in your cluster alongside the Data Plane, TrustGate, and Firewall. For the SaaS-hosted Control Plane alternative, see AWS hybrid.

What you’ll end up with

ComponentLocationReplicas
Control Plane API, UI, SchedulerYour EKS cluster2, 2, 1
Data Plane API, worker, Kafka ConnectYour EKS cluster2, 1, 1
TrustGate admin / gateway / actionsYour EKS cluster2 each
Firewall gateway + 5 workersYour EKS cluster2 + 5
ClickHouse, Kafka, PostgreSQL, RedisYour EKS cluster (or external)1 each
Sizing baseline: ~21–23 vCPU / 45–50 GiB RAM / 80 GiB PVC. See Image catalog for the full inventory.

Prerequisites

ResourceRecommended
EKS version1.28+
CPU pool node typem5.2xlarge or m6i.2xlarge (8 vCPU / 32 GiB)
Min CPU nodes≥ 5 across 3 AZs. Drop to 4 if Firewall workers run on GPU nodes.
GPU pool (optional, for GPU Firewall)g4dn.xlarge — 5 nodes (one per default Firewall worker)
Sizing baseline~23.1 vCPU / 61.8 GiB requests / 80 GiB PVC (defaults, CPU Firewall)
StorageEBS CSI driver + gp3 (or io2 for ClickHouse)
IngressAWS Load Balancer Controller v2.6+
CertificateACM cert covering *.<your-domain>
DNSRoute 53 hosted zone (or any DNS provider)
Image pullgcr-keys.json from NeuralTrust

Step 1 — Provision EKS and add-ons

Same as the hybrid guide — see AWS hybrid › Step 1. Self-hosted has identical cluster requirements aside from a slightly higher CPU/memory headroom for CP components.

Step 2 — Namespace and image pull secret

kubectl create namespace neuraltrust

kubectl create secret docker-registry gcr-secret \
  --docker-server=europe-west1-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(cat path/to/gcr-keys.json)" \
  [email protected] \
  -n neuraltrust

Step 3 — Request the ACM certificate

aws acm request-certificate \
  --domain-name "*.platform.example.com" \
  --validation-method DNS \
  --region <REGION>
Add the CNAME validation record in Route 53; cert issuance takes a few minutes.

Step 4 — Write your values overlay

Save as my-values.yaml: 
# Self-hosted deployment on EKS
global:
  platform: "aws"
  domain: "platform.example.com"
  storageClass: "gp3"
  autoGenerateSecrets: true

# Control Plane in your cluster
neuraltrust-control-plane:
  controlPlane:
    enabled: true                       # ← key difference from hybrid
    components:
      api:
        enabled: true
        ingress:
          enabled: true
          annotations: &alb
            alb.ingress.kubernetes.io/scheme: internet-facing
            alb.ingress.kubernetes.io/target-type: ip
            alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
            alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:<REGION>:<ACCOUNT_ID>:certificate/<CERT_ID>"
      app:
        enabled: true
        ingress:
          enabled: true
          annotations: *alb
      scheduler:
        enabled: true
        ingress:
          enabled: true
          annotations: *alb
  infrastructure:
    postgresql:
      deploy: true

# Data Plane
neuraltrust-data-plane:
  dataPlane:
    enabled: true
    components:
      api:
        ingress:
          enabled: true
          annotations: *alb

# TrustGate
trustgate:
  enabled: true
  global:
    env:
      SERVER_BASE_DOMAIN: "platform.example.com"
  ingress:
    controlPlane:
      annotations: *alb
    dataPlane:
      annotations: *alb
    actions:
      annotations: *alb

# Firewall
neuraltrust-firewall:
  firewall:
    enabled: true

# Infrastructure
infrastructure:
  clickhouse:
    deploy: true
    persistence:
      storageClass: "io2"
      size: 200Gi
  kafka:
    deploy: true
The YAML anchor &alb and alias *alb deduplicate the ALB annotation block across all ingresses. Helm renders it verbatim — no special action required.
neuraltrust-control-plane:
  infrastructure:
    postgresql:
      deploy: false
  controlPlane:
    components:
      postgresql:
        secrets:
          host: "<rds-endpoint>.rds.amazonaws.com"
          port: "5432"
          user: "neuraltrust"
          password: ""
          database: "neuraltrust"

infrastructure:
  clickhouse:
    deploy: false
    external:
      host: "your-tenant.aws.clickhouse.cloud"
      port: "8443"
      user: "neuraltrust"
      password: ""
      database: "neuraltrust"
  kafka:
    deploy: false
    external:
      bootstrapServers: "b-1.msk-cluster.<id>.kafka.<REGION>.amazonaws.com:9092"
ClickHouse Cloud has a native-port caveat — review before installing. MSK with IAM auth requires extraEnv + a custom signer image; see Authentication for external Kafka.

Step 5 — Install

helm upgrade --install neuraltrust-platform \
  oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
  --version <VERSION> \
  --namespace neuraltrust \
  -f my-values.yaml

kubectl get pods -n neuraltrust -w
Initial install takes 4–6 minutes.

Step 6 — DNS

Get the ALB hostnames: 
kubectl get ingress -n neuraltrust -o wide
Self-hosted exposes:
HostComponentRequired
app.platform.example.comControl Plane UI
api.platform.example.comControl Plane API
scheduler.platform.example.comControl Plane Scheduler
data-plane-api.platform.example.comData Plane API
admin.platform.example.comTrustGate admin
gateway.platform.example.comTrustGate proxy
actions.platform.example.comTrustGate actions
Create CNAME records in Route 53 pointing each host at the ALB hostname.

Step 7 — First login to the Control Plane

  1. Open https://app.platform.example.com.
  2. Get the bootstrap credentials: 
    kubectl logs -n neuraltrust deploy/control-plane-app -c init-db | grep -i bootstrap
  3. Sign in, configure SSO (Platform › SSO), and rotate the bootstrap admin password.
  4. From the dashboard, configure LLM providers, integrations, and policies.

Step 8 — Send traffic through TrustGate

Point your AI applications at https://gateway.platform.example.com. Telemetry flows through TrustGate → Data Plane → ClickHouse, surfaced by your self-hosted Control Plane UI.

Verification

kubectl get pods -n neuraltrust
kubectl get ingress -n neuraltrust -o wide

curl https://api.platform.example.com/health
curl https://app.platform.example.com
curl https://data-plane-api.platform.example.com/health
curl https://gateway.platform.example.com/__health

Upgrading

helm upgrade neuraltrust-platform \
  oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
  --version <NEW_VERSION> \
  --namespace neuraltrust \
  -f my-values.yaml
The Control Plane UI runs a Prisma migration on rollout — watch the init-db init container of the new pod for migration errors.

Migration to hybrid

Flip the flag and upgrade; enroll your existing Data Plane with the SaaS Control Plane afterwards: 
neuraltrust-control-plane:
  controlPlane:
    enabled: false
See AWS hybrid › Step 7.

Air-gapped EKS

  1. Mirror chart images to ECR (see Image catalog › Mirroring).
  2. Set global.imageRegistry to your ECR repo.
  3. Configure global.proxy.* if egress goes through a forward proxy.
  4. Pre-load Firewall model weights or mirror huggingface.co.

Troubleshooting

SymptomLikely causeFix
CP UI shows blank pageAPI URL wrongVerify api.<domain> ingress and config
Login failsDB migration failedkubectl logs -c init-db on CP UI pod
Scheduler not running jobsCan’t reach Data Plane APIVerify data-plane-api.<domain> and TLS
PVC stuck PendingEBS CSI missingVerify addon installed