This guide walks you end-to-end through a hybrid deployment on any Kubernetes 1.24+ cluster — on-prem, bare metal, k3s, RKE2, Civo, DigitalOcean, IBM IKS, OKE, and so on. The Data Plane, TrustGate, and Firewall run in your cluster; the Control Plane UI, API, and Scheduler run on NeuralTrust SaaS. If you’re on EKS / AKS / GKE / OpenShift, prefer the dedicated guide for richer integrations. For the full-stack alternative, see Vanilla Kubernetes self-hosted.

What you’ll end up with

| Component | Location | Replicas |
|---|---|---|
| Data Plane API, worker, Kafka Connect | Your cluster | 2, 1, 1 |
| TrustGate admin / gateway / actions | Your cluster | 2 each |
| Firewall gateway + 5 workers | Your cluster | 2 + 5 |
| ClickHouse, Kafka, PostgreSQL, Redis | Your cluster (or external) | 1 each |
| Control Plane API, UI, Scheduler | NeuralTrust SaaS | |

See Image catalog for the full inventory.

Prerequisites

| Resource | Recommended |
|---|---|
| Kubernetes version | 1.24+ |
| CPU pool | ≥ 4 × (8 vCPU / 32 GiB) for HA. Drop to 3 if Firewall workers run on GPU nodes. |
| GPU pool (optional, for GPU Firewall) | 4 vCPU / 16 GiB + 1 × NVIDIA GPU per node — 5 nodes (one per default Firewall worker) |
| Storage | Default StorageClass with ReadWriteOnce PVs |
| Ingress | NGINX, Traefik, HAProxy, or any conformant controller |
| TLS | cert-manager with Let’s Encrypt or internal CA |
| DNS | Control over a base domain (e.g. platform.example.com) |
| Image pull | gcr-keys.json from NeuralTrust |
| NeuralTrust tenant | A SaaS Control Plane tenant — request from [email protected] |

Sizing baseline: ~20.5 vCPU / 58.5 GiB requests / 80 GiB PVC (defaults with CPU Firewall).

Step 1 — Cluster prep

Install:
  • An ingress controller (NGINX, Traefik, HAProxy — see Vanilla Kubernetes overview › Required cluster setup).
  • cert-manager (for automated TLS).
  • A storage class with ReadWriteOnce support (local-path, Longhorn, Rook/Ceph, NFS CSI, etc.).
  • (Bare metal only) MetalLB or an external LB to give the ingress controller an IP.

Step 2 — Namespace and image pull secret

kubectl create namespace neuraltrust

kubectl create secret docker-registry gcr-secret \
  --docker-server=europe-west1-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(cat path/to/gcr-keys.json)" \
  --docker-email="<YOUR_EMAIL>" \
  -n neuraltrust

Step 3 — Write your values overlay

Save as my-values.yaml:
# Hybrid deployment on vanilla Kubernetes
global:
  platform: "kubernetes"
  domain: "platform.example.com"
  storageClass: ""               # use cluster default; or specify e.g. "longhorn"
  autoGenerateSecrets: true

# Control Plane disabled — runs on NeuralTrust SaaS
neuraltrust-control-plane:
  controlPlane:
    enabled: false
  infrastructure:
    postgresql:
      deploy: true        # for TrustGate admin metadata

# Data Plane in your cluster
neuraltrust-data-plane:
  dataPlane:
    enabled: true
    components:
      api:
        ingress:
          enabled: true
          className: "nginx"
          annotations: &nginx
            cert-manager.io/cluster-issuer: "letsencrypt-prod"
            nginx.ingress.kubernetes.io/ssl-redirect: "true"

# TrustGate
trustgate:
  enabled: true
  global:
    env:
      SERVER_BASE_DOMAIN: "platform.example.com"
  ingress:
    controlPlane:
      className: "nginx"
      annotations: *nginx
    dataPlane:
      className: "nginx"
      annotations: *nginx
    actions:
      className: "nginx"
      annotations: *nginx

# Firewall in-cluster
neuraltrust-firewall:
  firewall:
    enabled: true

# Infrastructure
infrastructure:
  clickhouse:
    deploy: true
  kafka:
    deploy: true

Using external infrastructure

infrastructure:
  clickhouse:
    deploy: false
    external:
      host: "your-tenant.clickhouse.cloud"
      port: "8443"
      user: "neuraltrust"
      password: ""
      database: "neuraltrust"
  kafka:
    deploy: false
    external:
      bootstrapServers: "<bootstrap>:9092"

neuraltrust-control-plane:
  infrastructure:
    postgresql:
      deploy: false
  controlPlane:
    components:
      postgresql:
        secrets:
          host: "<external-postgres>"
          port: "5432"
          user: "neuraltrust"
          password: ""
          database: "neuraltrust"
For ClickHouse Cloud, see the native-port caveat. For external Kafka with SASL/SCRAM/PLAIN/IAM, see Authentication for external Kafka. Pre-create the neuraltrust and trustgate databases/users on Postgres — see Required databases & users.

Step 4 — Install

helm upgrade --install neuraltrust-platform \
  oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
  --version <VERSION> \
  --namespace neuraltrust \
  -f my-values.yaml

kubectl get pods -n neuraltrust -w

Step 5 — DNS

Get the ingress controller’s external IP / hostname:
kubectl get svc -n ingress-nginx
Add A / CNAME records pointing each platform host to it:

| Host | Component |
|---|---|
| data-plane-api.platform.example.com | Data Plane API |
| admin.platform.example.com | TrustGate admin |
| gateway.platform.example.com | TrustGate proxy |
| actions.platform.example.com | TrustGate actions |

Once DNS resolves, cert-manager will issue Let’s Encrypt certs (if you used the HTTP-01 solver).

Step 6 — Enroll the Data Plane with NeuralTrust SaaS

1. Get the Data Plane JWT secret

kubectl get secret data-plane-jwt-secret -n neuraltrust \
  -o jsonpath='{.data.DATA_PLANE_JWT_SECRET}' | base64 -d

2. Open the NeuralTrust portal

Log in at the URL provided by NeuralTrust.

3. Connect the Data Plane

Team Settings → Advanced → Connect Data Plane. Provide the Data Plane API URL (https://data-plane-api.platform.example.com), the JWT secret, and the region. See Platform › Advanced.

4. Verify connectivity

On success, your data plane shows as Connected in the portal.
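
The command in step 1 prints the decoded JWT secret to the terminal. The following is an added example, not part of the NeuralTrust documentation, that stores the value in a user-only file and prints only a fingerprint of it; the function names and the file path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not NeuralTrust tooling; function names are hypothetical.
# Feed save_secret the base64 value returned by the jsonpath query in step 1:
#   kubectl get secret data-plane-jwt-secret -n neuraltrust \
#     -o jsonpath='{.data.DATA_PLANE_JWT_SECRET}' | save_secret ./dp-jwt.secret

# Decode stdin into a file readable only by the current user, so the value
# never reaches the terminal or its scrollback.
save_secret() {
  (
    umask 077
    rm -f -- "$1"              # a pre-existing file would keep its old mode
    base64 -d > "$1"
  ) && [ -s "$1" ]             # fail if decoding produced nothing
}

# Print the byte length and a 12-hex-digit SHA-256 prefix: enough to compare
# the stored value between operators or across rotations without showing it.
secret_fingerprint() {
  printf 'len=%s sha256=%s\n' \
    "$(wc -c < "$1" | tr -d ' ')" \
    "$(sha256sum "$1" | cut -c1-12)"
}

# Constructed sample value, encoded the way Kubernetes stores Secret data.
SAMPLE_SECRET='constructed-sample-secret-0123456789'
SAMPLE_B64=$(printf '%s' "$SAMPLE_SECRET" | base64)

demo_dir=$(mktemp -d)
printf '%s' "$SAMPLE_B64" | save_secret "$demo_dir/dp-jwt.secret"
secret_fingerprint "$demo_dir/dp-jwt.secret"
```

Delete the file once the Data Plane shows as Connected.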

Step 7 — Send traffic through TrustGate

Point your AI applications at https://gateway.platform.example.com. See TrustGate › Getting started for plugin and route configuration.

Verification

kubectl get pods -n neuraltrust
kubectl get ingress -n neuraltrust -o wide
kubectl get certificate -n neuraltrust   # if using cert-manager

curl https://data-plane-api.platform.example.com/health
curl https://gateway.platform.example.com/__health
In the NeuralTrust portal: Data Plane status Connected, TrustGate receiving traffic, Firewall classifying (if enabled).

Upgrading

helm upgrade neuraltrust-platform \
  oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
  --version <NEW_VERSION> \
  --namespace neuraltrust \
  -f my-values.yaml

Migration to self-hosted

neuraltrust-control-plane:
  controlPlane:
    enabled: true
Add DNS for app.platform.example.com, api.platform.example.com, scheduler.platform.example.com. See Self-hosted on vanilla Kubernetes for the full picture.

Troubleshooting

| Symptom | Likely cause | Fix |
|---|---|---|
| Portal says “Data Plane unreachable” | DNS not propagated, cert pending, or firewall blocks the SaaS Control Plane | curl https://data-plane-api.<domain>/health from outside your network |
| cert-manager challenge stuck | DNS not resolving, or ingress can’t reach the world for HTTP-01 | kubectl describe challenge -n neuraltrust |
| PVC stuck Pending | No default storage class | Mark one default and re-apply |
| Pods OOMKilled | Under-sized nodes | Scale node spec or reduce replica counts in values |
| TrustGate can’t reach Firewall | Service name mismatch | Default is http://firewall:80 |
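
The Verification commands and the table above can be combined into a quick triage pass. This is an added example, not part of the NeuralTrust documentation: the function names are hypothetical, the sample output and resource names are constructed, and `kubectl get pvc -n neuraltrust` is assumed as the source for the PVC check.

```shell
#!/usr/bin/env bash
# Added example, not NeuralTrust tooling; function names are hypothetical.
# Each function reads kubectl table output on stdin and prints one line per
# problem, paired with the fix from the troubleshooting table above.

# Input: kubectl get pods -n neuraltrust   (NAME READY STATUS RESTARTS AGE)
triage_pods() {
  awk 'NR > 1 {
    split($2, ready, "/")
    if ($3 == "OOMKilled")
      print $1 ": OOMKilled; scale node spec or reduce replica counts"
    else if ($3 != "Running" && $3 != "Completed")
      print $1 ": " $3
    else if ($3 == "Running" && ready[1] != ready[2])
      print $1 ": only " $2 " containers ready"
  }'
}

# Input: kubectl get certificate -n neuraltrust   (NAME READY SECRET AGE)
triage_certs() {
  awk 'NR > 1 && $2 != "True" {
    print $1 ": not issued; check DNS and HTTP-01 reachability"
  }'
}

# Input: kubectl get pvc -n neuraltrust   (NAME STATUS VOLUME ...)
triage_pvcs() {
  awk 'NR > 1 && $2 == "Pending" {
    print $1 ": Pending; mark a default storage class and re-apply"
  }'
}

# Constructed sample output (resource names are made up for the demo).
SAMPLE_PODS='NAME                   READY   STATUS      RESTARTS   AGE
data-plane-api-abc12   1/1     Running     0          9m
trustgate-gw-def34     0/1     OOMKilled   4          9m
firewall-worker-gh56   1/2     Running     0          9m'
SAMPLE_CERTS='NAME               READY   SECRET             AGE
gateway-tls        True    gateway-tls        9m
data-plane-tls     False   data-plane-tls     9m'
SAMPLE_PVCS='NAME              STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
data-clickhouse   Pending                                                   9m'

printf '%s\n' "$SAMPLE_PODS"  | triage_pods
printf '%s\n' "$SAMPLE_CERTS" | triage_certs
printf '%s\n' "$SAMPLE_PVCS"  | triage_pvcs
```

On a live cluster, pipe the real command into each function, for example `kubectl get certificate -n neuraltrust | triage_certs`; no output means nothing was flagged.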