Skip to main content
This guide walks you end-to-end through a hybrid deployment on OpenShift — the Data Plane, TrustGate, and Firewall run in your OpenShift cluster; the Control Plane UI, API, and Scheduler run on NeuralTrust SaaS. For the full-stack alternative, see OpenShift self-hosted.

What you’ll end up with

ComponentLocationReplicas
Data Plane API, worker, Kafka ConnectYour OpenShift cluster2, 1, 1
TrustGate admin / gateway / actionsYour OpenShift cluster2 each
Firewall gateway + 5 workersYour OpenShift cluster2 + 5
ClickHouse, Kafka, PostgreSQL, RedisYour OpenShift cluster (or external)1 each
Control Plane API, UI, SchedulerNeuralTrust SaaS
See Image catalog for the full inventory.

Prerequisites

ResourceRecommended
OpenShift version4.10+
CPU pool node spec8 vCPU / 32 GiB
Min CPU nodes≥ 4 across 3 AZs. Drop to 3 if Firewall workers run on GPU nodes.
GPU pool (optional, for GPU Firewall)4 vCPU / 16 GiB + 1 × NVIDIA GPU — 5 nodes (one per default Firewall worker). Requires NVIDIA GPU Operator.
StorageCluster default; for ROSA, gp3-csi; for ARO, managed-premium; for ODF, ocs-storagecluster-ceph-rbd
DNSOpenShift wildcard or custom domain (e.g. platform.example.com)
CertificatesRouter default cert, custom Route TLS, or cert-manager + Routes
Image pullgcr-keys.json from NeuralTrust
NeuralTrust tenantA SaaS Control Plane tenant — request from [email protected]
Sizing baseline: ~20.5 vCPU / 58.5 GiB requests / 80 GiB PVC (defaults with CPU Firewall).

Step 1 — Create the project

oc login -u <user> -p <password> https://api.<cluster>.openshift.com:6443
oc new-project neuraltrust

oc create secret docker-registry gcr-secret \
  --docker-server=europe-west1-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(cat path/to/gcr-keys.json)" \
  [email protected] \
  -n neuraltrust

# Pre-link to default + builder service accounts
oc secrets link default gcr-secret --for=pull -n neuraltrust
oc secrets link builder gcr-secret --for=pull -n neuraltrust
After the chart install, link gcr-secret to the component-specific service accounts as well (see Step 7).

Step 3 — Write your values overlay

Save as my-values.yaml: 
# Hybrid deployment on OpenShift
global:
  platform: "openshift"
  domain: "apps.<cluster>.openshift.com"   # OpenShift wildcard
  # or domain: "platform.example.com"      # for a custom domain
  storageClass: ""                          # use cluster default
  autoGenerateSecrets: true
  security:
    allowInsecureImages: true               # required for some upstream images on OpenShift

# Control Plane disabled — runs on NeuralTrust SaaS
neuraltrust-control-plane:
  controlPlane:
    enabled: false
  infrastructure:
    postgresql:
      deploy: true        # for TrustGate admin metadata

# Data Plane in your cluster
neuraltrust-data-plane:
  dataPlane:
    enabled: true

# TrustGate
trustgate:
  enabled: true
  global:
    env:
      SERVER_BASE_DOMAIN: "apps.<cluster>.openshift.com"

# Firewall in-cluster
neuraltrust-firewall:
  firewall:
    enabled: true

# Infrastructure
infrastructure:
  clickhouse:
    deploy: true
  kafka:
    deploy: true
For OpenShift, the chart creates Routes, not Ingresses, when global.platform: "openshift". Route hostnames follow the long pattern: data-plane-api.<domain>, trustgate-admin.<domain>, trustgate-gateway.<domain>, trustgate-actions.<domain>.

Using external managed services

infrastructure:
  clickhouse:
    deploy: false
    external:
      host: "your-tenant.clickhouse.cloud"
      port: "8443"
      user: "neuraltrust"
      password: ""
      database: "neuraltrust"
  kafka:
    deploy: false
    external:
      bootstrapServers: "<bootstrap>:9092"

neuraltrust-control-plane:
  infrastructure:
    postgresql:
      deploy: false
  controlPlane:
    components:
      postgresql:
        secrets:
          host: "<rds-or-aro-postgres>.example.com"
          port: "5432"
          user: "neuraltrust"
          password: ""
          database: "neuraltrust"
For ROSA, RDS or Aurora is the natural choice; for ARO, Azure Database for PostgreSQL Flexible Server fits. For ClickHouse Cloud, see the native-port caveat before installing.

Step 4 — Install

helm upgrade --install neuraltrust-platform \
  oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
  --version <VERSION> \
  --namespace neuraltrust \
  -f my-values.yaml

Step 5 — Check Routes and DNS

oc get route -n neuraltrust
You should see Routes for:
RouteHost
data-plane-apidata-plane-api.<domain>
trustgate-admintrustgate-admin.<domain>
trustgate-gatewaytrustgate-gateway.<domain>
trustgate-actionstrustgate-actions.<domain>
If you’re using the OpenShift wildcard DNS (*.apps.<cluster>...), Routes are reachable immediately. For a custom domain, add CNAME records pointing to your router’s canonical hostname.

Step 6 — Custom TLS for Routes (optional)

By default, Routes use the OpenShift router’s wildcard certificate. To bring your own cert, attach it to each Route: 
trustgate:
  ingress:
    controlPlane:
      route:
        tls:
          termination: edge
          certificate: |
            -----BEGIN CERTIFICATE-----
            ...
          key: |
            -----BEGIN PRIVATE KEY-----
            ...
Prefer storing certs in OpenShift Secrets and templating values from there. After install, ensure every component service account can pull from the private registry: 
for sa in \
  data-plane-api data-plane-worker kafka-connect \
  trustgate-control-plane trustgate-data-plane trustgate-actions \
  firewall ; do
    oc secrets link "$sa" gcr-secret --for=pull -n neuraltrust
done
(Service-account names may vary slightly — check oc get sa -n neuraltrust.)

Step 8 — Enroll the Data Plane with NeuralTrust SaaS

1

Get the Data Plane JWT secret

oc get secret data-plane-jwt-secret -n neuraltrust \
  -o jsonpath='{.data.DATA_PLANE_JWT_SECRET}' | base64 -d
2

Open the NeuralTrust portal

Log in at the URL provided by NeuralTrust.
3

Connect the Data Plane

Team Settings → Advanced → Connect Data Plane. Provide the Data Plane Route URL (https://data-plane-api.<domain>), the JWT secret, and the region. See Platform › Advanced.
4

Verify connectivity

On success, your data plane shows as Connected in the portal.

Step 9 — Send traffic through TrustGate

Point your AI applications at the TrustGate Route: https://trustgate-gateway.<domain>. For gateway / route / plugin configuration, see TrustGate › Getting started.

Verification

oc get pods -n neuraltrust
oc get route -n neuraltrust

curl https://data-plane-api.<domain>/health
curl https://trustgate-gateway.<domain>/__health
In the NeuralTrust portal: Data Plane status Connected, TrustGate receiving traffic, Firewall classifying (if enabled).

Upgrading

helm upgrade neuraltrust-platform \
  oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
  --version <NEW_VERSION> \
  --namespace neuraltrust \
  -f my-values.yaml

Migration to self-hosted

neuraltrust-control-plane:
  controlPlane:
    enabled: true
The chart adds Routes for control-plane-api.<domain>, control-plane-app.<domain>, control-plane-scheduler.<domain>. See Self-hosted on OpenShift for the full picture.

Troubleshooting

SymptomLikely causeFix
Pods stuck ImagePullBackOffgcr-secret not linked to the SAoc secrets link <sa> gcr-secret --for=pull -n neuraltrust
Route returns 503Backend pods not Readyoc get pods — check readiness probes
Pod SCC errorCustom UID conflictsVerify you haven’t overridden podSecurityContext to a fixed UID
ClickHouse Permission denied on PVCUID/GID conflictThe chart sets OpenShift-aware SCC; check that you haven’t disabled it
TrustGate can’t reach FirewallService name mismatchDefault is http://firewall:80