All NeuralTrust images live in the private Google Artifact Registry europe-west1-docker.pkg.dev/neuraltrust-app-prod/nt-docker/<name>.
To mirror or rebrand the registry, set global.imageRegistry once and the chart will rewrite all subchart image paths automatically (the helper strips the default GCP prefix before prepending yours). All private images are pulled with gcr-secret (docker-registry type). The Kubernetes Secret name is configurable per subchart via imagePullSecrets.
Versions below reflect the current values.yaml defaults in the chart. They change with every chart release — always cross-check against the values.yaml of the chart version you’re installing.

Per-subchart inventory

clickhouse

| Image | Default tag | Purpose | Default replicas | Storage |
|---|---|---|---|---|
| …/clickhouse-server | 26.3 | ClickHouse DB (StatefulSet) | 1 | 50 GiB PVC |
| …/clickhouse-server | 26.3 | Backup CronJob (when clickhouse.backup.enabled: true) | CronJob | |

kafka

| Image | Default tag | Purpose | Default replicas | Storage |
|---|---|---|---|---|
| …/kafka | 4.3.0 | Kafka broker (StatefulSet) | 1 | 10 GiB PVC |

neuraltrust-data-plane

| Image | Default tag | Purpose | Default replicas |
|---|---|---|---|
| …/data-plane-api | v1.24.11 | Data Plane API | 2 |
| …/clickhouse-server | 26.3 | Init container clickhouse-migrations on API | |
| …/workers | v1.6.12 | Data Plane worker | 1 |
| …/kafka-connect | v0.3.1 | Kafka Connect Deployment | 1 |
| …/kafka-connect | v0.3.1 | Init container fix-connect-topics on Kafka Connect | |
| …/data-plane-api | v1.24.11 | Ephemeral Kubernetes Job pods spawned by API for evals (k8sJobs.enabled: true, up to maxConcurrentJobs: 10) | |

neuraltrust-control-plane (only when controlPlane.enabled: true)

| Image | Default tag | Purpose | Default replicas |
|---|---|---|---|
| …/control-plane-api | v1.18.3 | Control Plane API | 2 |
| …/app | v1.65.9 | Control Plane UI (Next.js) | 2 |
| …/app | v1.65.9 | Init container init-db (Prisma migrations) on UI | |
| …/scheduler | v1.9.7 | Scheduler | 1 |
| …/postgres | 17-alpine | Init container wait-for-postgresql on API + scheduler | |
| …/postgres | 17-alpine | In-cluster PostgreSQL (when infrastructure.postgresql.deploy: true) | 1 |

trustgate

| Image | Default tag | Purpose | Default replicas |
|---|---|---|---|
| …/trustgate-ee | v1.27.5 | TrustGate admin (trustgate-control-plane) | 2 |
| …/trustgate-ee | v1.27.5 | TrustGate gateway (trustgate-data-plane) | 2 |
| …/trustgate-ee | v1.27.5 | TrustGate actions (trustgate-actions) | 2 |
| …/postgres | 17-alpine | Init Job trustgate-postgresql-init (creates DB + user) | Job |
| …/redis-stack-server | 7.2.0-v20 | Redis cache | 1 |

neuraltrust-firewall (default: enabled)

| Image | Default tag | Purpose | Default replicas |
|---|---|---|---|
| …/firewall-cpu | v2.9.6 | Gateway (CPU router) | 2 |
| …/firewall-cpu | v2.9.6 | Worker — toxicity | 1 |
| …/firewall-cpu | v2.9.6 | Worker — toolguard | 1 |
| …/firewall-cpu | v2.9.6 | Worker — prompt-jailbreak | 1 |
| …/firewall-cpu | v2.9.6 | Worker — prompt-moderation | 1 |
| …/firewall-cpu | v2.9.6 | Worker — response-jailbreak | 1 |
| …/firewall-gpu | v2.9.6 | GPU-accelerated workers (override workerDefaults.image) | configurable |

Optional add-on subcharts (off by default)

| Subchart | Image(s) | Default tag | Toggle |
|---|---|---|---|
| neuraltrust-siem-connectors | siem-connectors | v0.2.2 | neuraltrust-siem-connectors.siemConnectors.enabled |
| neuraltrust-watchdog | neuraltrust-watchdog | Chart appVersion | neuraltrust-watchdog.enabled |
| Umbrella OpenTelemetry Collector | otel/opentelemetry-collector-contrib | 0.110.0 | global.observability.enabled |

What’s deployed in each model

The two main deployment models are documented in Deployment models. The image footprint for each:
Chart default. Control Plane runs on NeuralTrust SaaS — no CP images in your cluster.
| Subchart | Deployed? | Notes |
|---|---|---|
| neuraltrust-data-plane | | API ×2 + worker ×1 + Kafka Connect ×1 |
| trustgate | (typical) | admin ×2, gateway ×2, actions ×2, Redis ×1 |
| neuraltrust-firewall | | gateway ×2 + 5 workers (CPU by default, GPU optional) |
| clickhouse | (or external) | StatefulSet ×1 |
| kafka | (or external) | StatefulSet ×1 |
| neuraltrust-control-plane PostgreSQL | (for TrustGate) | StatefulSet ×1 |
| neuraltrust-control-plane CP API/UI/Scheduler | | runs on NeuralTrust SaaS |
Distinct in-cluster images (defaults):
  • data-plane-api, workers, kafka-connect
  • trustgate-ee, redis-stack-server, postgres (init Job)
  • firewall-cpu (gateway + 5 worker pods)
  • clickhouse-server, kafka, postgres
Total: ~10 distinct image repositories, ~16 running pods on chart defaults.

Sizing & resource defaults

Per-component requests / limits (from chart values.yaml). Multiply by the replica count to get the per-component total contribution to cluster requests.
| Component | Replicas | CPU req / limit | Memory req / limit | GPU |
|---|---|---|---|---|
| ClickHouse | 1 | 2 / 4 | 4 Gi / 8 Gi | |
| Kafka | 1 | 500m / 1 | 1 Gi / 2 Gi | |
| PostgreSQL | 1 | 1 / 2 | 2 Gi / 4 Gi | |
| Data Plane API | 2 | 2 / 4 | 4 Gi / 6 Gi | |
| Data Plane worker | 1 | 1 / 2 | 4 Gi / 8 Gi | |
| Kafka Connect | 1 | 500m / 1 | 2 Gi / 4 Gi | |
| CP scheduler | 1 | 100m / 200m | 256 Mi / 512 Mi | |
| CP API | 2 | 1 / 2 | 1 Gi / 2 Gi | |
| CP UI (app) | 2 | 250m / 500m | 512 Mi / 1 Gi | |
| TrustGate admin | 2 | 500m / 1 | 2 Gi / 4 Gi | |
| TrustGate gateway | 2 | 2 / 4 | 4 Gi / 8 Gi | |
| TrustGate actions | 2 | 500m / 1 | 2 Gi / 4 Gi | |
| Redis | 1 | 500m / 1 | 1 Gi / 2 Gi | |
| Firewall gateway | 2 | 250m / 500m | 256 Mi / 512 Mi | |
| Firewall worker (×5: toxicity, toolguard, prompt-jailbreak, prompt-moderation, response-jailbreak) | 5 | 1 / 1.5 | 4 Gi / 6 Gi | |
| Firewall GPU worker (replaces CPU worker) | per pool | same as CPU + nvidia.com/gpu: 1 | same | 1 GPU |
| K8s eval Job (ephemeral, spawned by Data Plane API) | up to 10 | 100m / 500m | 256 Mi / 1 Gi | |

Realistic cluster totals

Firewall is always deployed — the choice is whether its 5 default workers run on the CPU pool or move to a separate GPU pool.
| Model | CPU pool requests | PVC | Min CPU nodes (8 vCPU / 32 GiB) | GPU pool |
|---|---|---|---|---|
| Hybrid + CPU Firewall (default) | ~20.5 vCPU / ~58.5 GiB | ~80 GiB | ≥ 4 | |
| Hybrid + GPU Firewall | ~15.5 vCPU / ~38.5 GiB | ~80 GiB | ≥ 3 | ≥ 5 GPU pods |
| Self-hosted + CPU Firewall | ~23.1 vCPU / ~61.8 GiB | ~80 GiB | ≥ 5 | |
| Self-hosted + GPU Firewall | ~18.1 vCPU / ~41.8 GiB | ~80 GiB | ≥ 4 | ≥ 5 GPU pods |
CPU Firewall workers contribute 5 vCPU + 20 GiB to the main pool. Switching to GPU workers moves that load to dedicated GPU nodes (one GPU per worker without CUDA MPS). For per-cloud node SKUs (e.g. e2-standard-8, m5.2xlarge, Standard_D8s_v5, g4dn.xlarge for GPU) and HA layout, see the cloud-specific overview pages and Deployment models › Sizing baseline.

Mirroring images for air-gapped installs

To pre-pull every image the chart would deploy with your overrides:
```shell
helm template neuraltrust-platform \
  oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
  --version <VERSION> \
  -f my-values.yaml \
  | yq '.. | select(has("image")) | .image' \
  | sort -u
```
Then mirror each image to your internal registry and set:
```yaml
global:
  imageRegistry: "registry.internal.example.com/neuraltrust"
```
The chart strips the default europe-west1-docker.pkg.dev/neuraltrust-app-prod/nt-docker prefix from subchart image paths and replaces it with your registry. Per-subchart image.repository overrides still win if set explicitly.
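
The mirroring step above can be planned before anything is copied. The following is an added example, not part of the chart or its tooling: it applies the prefix rewrite described here to a list of image refs, and flags refs that sit outside the default prefix or that lack a fixed tag. The function names and the COPY / REVIEW / UNPINNED output format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the chart): plan the mirror step for an air-gapped install.
# Input: image refs, one per line, as produced by the helm template | yq pipeline.
DEFAULT_PREFIX="europe-west1-docker.pkg.dev/neuraltrust-app-prod/nt-docker"

# mirror_target REF REGISTRY
# Applies the documented rewrite: strip the default prefix, prepend REGISTRY.
# Returns 1 for refs outside the default prefix; the page does not say how
# those are rewritten, so they need a manual decision.
mirror_target() {
  case "$1" in
    "$DEFAULT_PREFIX"/*)
      mt_rest=${1#"$DEFAULT_PREFIX"/}
      printf '%s/%s\n' "${2%/}" "$mt_rest" ;;
    *) return 1 ;;
  esac
}

# is_pinned REF: succeeds for a digest or an explicit tag other than "latest".
is_pinned() {
  case "$1" in *@sha256:*) return 0 ;; esac
  case "${1##*/}" in          # last path component, so a registry port is ignored
    *:latest) return 1 ;;
    *:*) return 0 ;;
    *) return 1 ;;
  esac
}

# plan_mirror REGISTRY < refs
# Emits one line per ref: "COPY src dst", "REVIEW src" or "UNPINNED src".
plan_mirror() {
  while IFS= read -r pm_ref; do
    case "$pm_ref" in ''|---) continue ;; esac   # skip blanks and YAML separators
    if ! is_pinned "$pm_ref"; then
      echo "UNPINNED $pm_ref"
    elif pm_dst=$(mirror_target "$pm_ref" "$1"); then
      echo "COPY $pm_ref $pm_dst"
    else
      echo "REVIEW $pm_ref"
    fi
  done
}

# Constructed sample input: names and tags taken from the tables above,
# plus one deliberately unpinned ref to show the check.
plan_mirror "registry.internal.example.com/neuraltrust" <<EOF
$DEFAULT_PREFIX/data-plane-api:v1.24.11
$DEFAULT_PREFIX/firewall-cpu:v2.9.6
otel/opentelemetry-collector-contrib:0.110.0
$DEFAULT_PREFIX/workers:latest
EOF
```

Feed the COPY lines to whatever registry copy tool you use; REVIEW lines are images whose mirrored path must be chosen and overridden by hand.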

Pull policy

| Component | Default pull policy |
|---|---|
| Data Plane API, worker, Kafka Connect | Always |
| Control Plane API, UI, Scheduler, Postgres | Always |
| TrustGate admin, gateway, actions | Always |
| TrustGate Redis | Always (parent override) |
| Firewall gateway + workers | IfNotPresent |
| ClickHouse, Kafka | IfNotPresent |
With Always, the kubelet re-checks each pinned tag against the registry whenever a container starts, so pinned tags are still revalidated on rollouts. Override per component if you mirror to an internal registry that doesn’t change tags.