NeuralTrust Platform runs on any Kubernetes 1.24+ distribution: managed clouds, on-prem clusters, bare metal, k3s / RKE2, IBM Cloud Kubernetes Service, Oracle OKE, Civo, DigitalOcean Kubernetes, and so on. This guide covers the cloud-agnostic path; if you're on EKS / AKS / GKE / OpenShift, use the dedicated guide for that platform for richer integrations.

Pick your path

Hybrid

Data Plane + TrustGate + Firewall in your cluster. Control Plane runs on NeuralTrust SaaS. Fastest to first dashboard.

Self-hosted

Full stack including Control Plane API, UI, and Scheduler in your cluster. For air-gapped, on-prem, or sovereignty mandates.

If you’re unsure which model fits your environment, see Deployment models.

Cluster prerequisites

| Resource | Recommended |
|---|---|
| Kubernetes version | 1.24+ |
| CPU pool node spec | 8 vCPU / 32 GiB recommended; ≥ 4 nodes for hybrid (CPU Firewall), ≥ 5 nodes for self-hosted (CPU Firewall). Subtract one when using GPU Firewall workers. |
| GPU pool (optional) | 4 vCPU / 16 GiB + 1 × NVIDIA GPU per node; 5 nodes (one per default Firewall worker) |
| Storage class | A default StorageClass with ReadWriteOnce PV provisioning (local-path, Longhorn, Rook/Ceph, NFS CSI, etc.) |
| Ingress controller | NGINX, Traefik, HAProxy, or any conformant ingress |
| TLS | cert-manager with Let’s Encrypt or internal CA, or pre-existing TLS secrets |
| DNS | Any DNS provider that can resolve your domain to the ingress LB/node IPs |
| Image pull | gcr-secret (docker-registry) with gcr-keys.json from NeuralTrust, OR a mirrored internal registry for air-gapped |
| Optional | NVIDIA device plugin for GPU Firewall workers |

Required cluster setup

# NGINX ingress
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx \
  -n ingress-nginx --create-namespace

# cert-manager
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager \
  -n cert-manager --create-namespace \
  --set installCRDs=true

Create a ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: you@example.com  # placeholder: replace with your ACME contact address
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
      - http01:
          ingress:
            class: nginx

Architecture

All workloads run inside your cluster. Data never leaves your environment.

Kubernetes-specific defaults

When global.platform: "kubernetes":
  • Ingress class: not set automatically — you set className per ingress (typically nginx, traefik, etc.).
  • No cloud annotations are applied automatically. You can add any annotations through ingress.annotations.
  • TLS: when a per-ingress secretName is set, the chart references it directly; when not set and global.ingress.tls.autoGenerate: true (default), the chart creates a shared self-signed kubernetes.io/tls secret.
  • Storage class: uses the cluster default unless you set global.storageClass.

Common configuration

Ingress with cert-manager

trustgate:
  ingress:
    enabled: true
    className: "nginx"
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"

Pre-existing TLS secret

trustgate:
  ingress:
    enabled: true
    className: "nginx"
    tls:
      secretName: "wildcard-platform-example-com"

Make sure the Secret exists in the neuraltrust namespace.

Storage class

global:
  storageClass: "local-path"           # k3s default
  # storageClass: "longhorn"           # Rancher Longhorn
  # storageClass: "rook-ceph-block"    # Rook/Ceph
  # storageClass: "nfs-client"         # NFS CSI

Per-component override for ClickHouse on faster storage:

clickhouse:
  persistence:
    storageClass: "rook-ceph-block"
    size: 200Gi

GPU node label for Firewall workers

kubectl label nodes <gpu-node-name> gpu-node-pool=gpu-pool

Install the NVIDIA device plugin, then enable Firewall GPU workers (see Firewall deployment).

Backup and data lifecycle

Because there’s no cloud-managed backup story on vanilla Kubernetes, choose an explicit backup strategy:
  • PostgreSQL: schedule pg_dump CronJobs to your S3-compatible object store, or use CloudNativePG for built-in PITR.
  • ClickHouse: enable clickhouse.backup.enabled: true with any S3-compatible endpoint (MinIO, Wasabi, on-prem Ceph RGW, etc.).
  • Kafka: standard MirrorMaker or a managed Kafka offering.
  • PVC snapshots: use Velero with restic for cluster-wide backup and DR.

External-infra reference: Configuration scenarios.

Verification

kubectl get pods -n neuraltrust
kubectl get ingress -n neuraltrust -o wide

curl https://data-plane-api.platform.example.com/health
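
The checks on this page can also be run mechanically over `kubectl ... -o json` output. The script below is an added example, not part of the NeuralTrust chart or its documentation: it flags a missing default StorageClass, ingresses without a class, and ingresses whose TLS secret has no cert-manager issuer annotation (so it may be the chart's shared self-signed secret). The function names, ingress names and secret names are assumptions made for illustration.

```python
DEFAULT_SC = "storageclass.kubernetes.io/is-default-class"
ISSUER_KEYS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")

def audit_storage_classes(doc):
    """Findings for `kubectl get storageclass -o json` output."""
    defaults = [sc["metadata"]["name"] for sc in doc.get("items", [])
                if (sc["metadata"].get("annotations") or {}).get(DEFAULT_SC) == "true"]
    if not defaults:
        return ["no default StorageClass: PVCs stay Pending unless global.storageClass is set"]
    if len(defaults) > 1:
        return ["more than one default StorageClass: " + ", ".join(sorted(defaults))]
    return []

def audit_ingresses(doc):
    """Findings for `kubectl get ingress -n neuraltrust -o json` output."""
    findings = []
    for ing in doc.get("items", []):
        name = ing["metadata"]["name"]
        ann = ing["metadata"].get("annotations") or {}
        spec = ing.get("spec") or {}
        # The chart sets no class on plain Kubernetes; className is given per ingress.
        if not spec.get("ingressClassName") and "kubernetes.io/ingress.class" not in ann:
            findings.append(f"{name}: no ingress class set")
        tls = spec.get("tls") or []
        if not tls:
            findings.append(f"{name}: no TLS section, served over plain HTTP only")
        elif not any(key in ann for key in ISSUER_KEYS):
            # Either a pre-existing secret or the chart's shared self-signed one.
            secrets = ", ".join(t.get("secretName", "<controller default>") for t in tls)
            findings.append(f"{name}: TLS secret {secrets} has no cert-manager issuer annotation")
        if ann.get("nginx.ingress.kubernetes.io/ssl-redirect") == "false":
            findings.append(f"{name}: ssl-redirect is disabled")
    return findings

# Constructed sample data (object and secret names are made up, not the chart's).
SAMPLE_SC = {"items": [{"metadata": {"name": "local-path"}}]}
SAMPLE_ING = {"items": [
    {"metadata": {"name": "trustgate", "annotations": {
        "cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
     "spec": {"ingressClassName": "nginx", "tls": [{"secretName": "trustgate-tls"}]}},
    {"metadata": {"name": "data-plane-api"},
     "spec": {"tls": [{"secretName": "shared-selfsigned-tls"}]}},
]}

if __name__ == "__main__":
    for finding in audit_storage_classes(SAMPLE_SC) + audit_ingresses(SAMPLE_ING):
        print("WARN", finding)
```

To audit a real cluster, save the output of the two kubectl commands named in the docstrings and pass the parsed JSON to the functions in place of the samples.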

Common issues

| Symptom | Likely cause | Fix |
|---|---|---|
| Ingress IP pending | No LB controller / MetalLB on bare metal | Install MetalLB or expose ingress via NodePort + external proxy |
| PVC stuck Pending | No default storage class | kubectl get storageclass; mark one default with storageclass.kubernetes.io/is-default-class=true |
| cert-manager challenge fails | DNS not resolving, or HTTP-01 challenge can’t reach ingress | Check kubectl get certificate -A and kubectl describe challenge |
| ImagePullBackOff | gcr-secret missing or wrong | Recreate with the JSON key from NeuralTrust; or use a mirrored internal registry |
| Pods OOMKilled | Under-sized nodes | Raise node spec; deploy to dedicated nodes with nodeSelector |
