The NeuralTrust Platform Helm chart has first-class support for OpenShift. Setting global.platform: "openshift" switches the chart to use OpenShift Routes by default, applies OpenShift-compatible security contexts, and adjusts annotations.
This page covers the OpenShift-specific bits. For the rest of the install workflow (component toggles, infrastructure modes, upgrades), see the Kubernetes install guide.
Prerequisites
- OpenShift 4.10 or newer.
- Helm 3.8 or newer (OCI registry support).
- The
oc CLI configured against your cluster.
- A NeuralTrust-issued GCR JSON key for image pull.
- (Optional) An ingress controller — only needed if you prefer Ingress over Routes.
- (Optional) cert-manager — only needed for automatic TLS issuance.
Quick start
Create the project and image pull secret
oc new-project neuraltrust
oc create secret docker-registry gcr-secret \
--docker-server=europe-west1-docker.pkg.dev \
--docker-username=_json_key \
--docker-password="$(cat path/to/gcr-keys.json)" \
[email protected] \
-n neuraltrust
Install with the OpenShift platform selector
helm upgrade --install neuraltrust-platform \
oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
--version <VERSION> \
--namespace neuraltrust \
--set global.platform=openshift \
--set global.domain="apps.mycluster.example.com"
global.domain should be your OpenShift wildcard application domain (the value behind *.apps.<cluster>.<base>).All platform secrets are auto-generated on first install. See Secrets management.Verify Routes and pods
oc get pods -n neuraltrust
oc get routes -n neuraltrust
oc get svc -n neuraltrust
For a more controlled rollout, copy the pre-built values-openshift.yaml from the chart repo and customize from there:curl -sLO https://raw.githubusercontent.com/NeuralTrust/neuraltrust-platform/main/values-openshift.yaml
cp values-openshift.yaml my-values.yaml
# Edit domain, storage class, and any overrides
helm upgrade --install neuraltrust-platform \
oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
--version <VERSION> \
--namespace neuraltrust \
-f my-values.yaml
Routes vs Ingress
By default, when global.platform: "openshift" the chart creates OpenShift Routes for external access. To use Kubernetes Ingress instead, enable ingress on each component:
global:
platform: "openshift"
domain: "apps.mycluster.example.com"
ingress:
provider: "openshift" # or your custom ingress controller
trustgate:
ingress:
enabled: true
neuraltrust-control-plane:
controlPlane:
components:
api:
ingress:
enabled: true
app:
ingress:
enabled: true
| Aspect | Routes (default) | Ingress |
|---|
| Controller | Built into OpenShift | Bring your own (NGINX, HAProxy, etc.) |
| TLS | Managed by the OpenShift router | Standard kubernetes.io/tls secrets or cloud-managed |
| When to use | Almost always — closest match to OpenShift conventions | When you’ve standardized on a specific ingress controller across all clusters |
Security Context Constraints (SCC)
The chart adapts security contexts automatically when global.platform: "openshift". If specific pods fail with SCC errors:
# Inspect which SCC a pod is using
oc get pod <pod-name> -n neuraltrust -o jsonpath='{.metadata.annotations.openshift\.io/scc}'
# Grant a more permissive SCC if needed (use the least permissive that resolves the issue)
oc adm policy add-scc-to-user anyuid -z default -n neuraltrust
Granting anyuid is the most common quick fix but also the most permissive. Review your organization’s SCC policy before applying it in production. The chart respects custom runAsUser and fsGroup values — set those explicitly if you need to fit a stricter SCC.
Storage class
Match the chart’s storage class to what your OpenShift cluster provides:
global:
storageClass: "gp3-csi" # ROSA / AWS-backed clusters
# storageClass: "managed-csi" # ARO / Azure
# storageClass: "standard-csi" # OpenShift on GCP
# storageClass: "ocs-storagecluster-ceph-rbd" # ODF / Ceph
Image pull secret on OpenShift
If image pull errors persist after creating gcr-secret, link it to the default service account:
oc secrets link default gcr-secret --for=pull -n neuraltrust
imagePullSecrets on each subchart:
neuraltrust-data-plane:
imagePullSecrets: "my-secret"
neuraltrust-control-plane:
imagePullSecrets: "my-secret"
trustgate:
imagePullSecrets: "my-secret"
GPU Firewall workers on OpenShift
GPU Firewall workers usually require dedicated MachineSet labels and taints. Align workerDefaults.nodeSelector and workerDefaults.tolerations with your node-pool configuration:
neuraltrust-firewall:
firewall:
enabled: true
workerDefaults:
image:
repository: "europe-west1-docker.pkg.dev/.../firewall-gpu"
nodeSelector:
nvidia.com/gpu.present: "true"
tolerations:
- key: "nvidia.com/gpu"
operator: "Exists"
effect: "NoSchedule"
resources:
limits:
nvidia.com/gpu: "1"
hostIPC: true
hostIPC: true typically requires a permissive SCC (e.g. hostmount-anyuid or a dedicated SCC). See Firewall deployment for the full configuration matrix.
Verification
# Pods
oc get pods -n neuraltrust
# Routes
oc get routes -n neuraltrust
# Test connectivity (Route hostnames vary by component)
curl https://$(oc get route data-plane-api-route -n neuraltrust -o jsonpath='{.spec.host}')/health
curl https://$(oc get route control-plane-api-route -n neuraltrust -o jsonpath='{.spec.host}')/health
Troubleshooting
Pod fails to start
oc logs <pod-name> -n neuraltrust
oc describe pod <pod-name> -n neuraltrust
oc get events -n neuraltrust --sort-by='.lastTimestamp'
Image pull errors
oc get secret gcr-secret -n neuraltrust
oc secrets link default gcr-secret --for=pull -n neuraltrust
Route not accessible
oc get route <route-name> -n neuraltrust -o yaml
oc describe route <route-name> -n neuraltrust
*.apps.<cluster>.<base> resolves to the OpenShift router and that any external firewall allows inbound HTTPS.
PostgreSQL connection issues
oc get secret postgresql-secrets -n neuraltrust -o jsonpath='{.data.DATABASE_URL}' | base64 -d
oc run -it --rm pg-test --image=postgres:17.2-alpine --restart=Never -n neuraltrust -- \
psql "$(oc get secret postgresql-secrets -n neuraltrust -o jsonpath='{.data.DATABASE_URL}' | base64 -d)"
