Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.neuraltrust.ai/llms.txt

Use this file to discover all available pages before exploring further.

NeuralTrust Platform has first-class support for Red Hat OpenShift 4.10 and newer — on ROSA, ARO, OpenShift on bare metal, IPI/UPI, and self-managed OpenShift in any cloud. The chart ships a dedicated values-openshift.yaml reference and uses OpenShift Routes by default for external access.

Pick your path

Hybrid (recommended)

Data Plane + TrustGate + Firewall in your OpenShift cluster. Control Plane on NeuralTrust SaaS. Fastest path.

Self-hosted

Full stack including Control Plane UI in your cluster. For sovereignty, air-gapped, or fully-disconnected OpenShift environments.
If you’re unsure which model fits, see Deployment models.

Cluster prerequisites

ResourceRecommended
OpenShift version4.10 or newer
CPU pool node type8 vCPU / 32 GiB recommended (4 vCPU / 16 GiB also works but doubles the node count)
Min CPU nodes≥ 4 for hybrid (CPU Firewall), ≥ 5 for self-hosted (CPU Firewall). Subtract one when using GPU Firewall workers. ≥ 3 AZs for HA.
GPU pool (optional)4 vCPU / 16 GiB + 1 × NVIDIA GPU — 5 nodes (one per default Firewall worker). Requires the NVIDIA GPU Operator.
Storage classCluster default (typically gp3-csi, managed-premium, pd-balanced, or ocs-storagecluster-ceph-rbd)
External accessOpenShift Routes (default) or Ingress (when integrating with external L7 LB)
DNSOpenShift wildcard DNS (e.g. *.apps.<cluster>.openshift.com) or a custom domain
CertificatesOpenShift router cert (default), custom Route TLS, or Ingress with cert-manager
Image pullgcr-secret (docker-registry) — must be linked to the workload service accounts
OptionalNVIDIA GPU Operator for Firewall GPU workers
See Deployment models › Sizing baseline for the math behind these recommendations.

Required setup

# Log in
oc login -u kubeadmin -p <password> https://api.<cluster>.openshift.com:6443

# Create the project
oc new-project neuraltrust

# Create the image pull secret
oc create secret docker-registry gcr-secret \
  --docker-server=europe-west1-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(cat path/to/gcr-keys.json)" \
  [email protected] \
  -n neuraltrust

# Link the pull secret to the default service account (or per-component SAs after install)
oc secrets link default gcr-secret --for=pull -n neuraltrust
oc secrets link builder gcr-secret --for=pull -n neuraltrust
For the NVIDIA GPU Operator: follow the Red Hat documentation, then enable Firewall GPU workers (see Firewall deployment).

Architecture

All workloads run inside your OpenShift cluster. Data never leaves your environment.

OpenShift-specific defaults

When global.platform: "openshift":
  • External access: Routes (not Ingress). Hostnames follow the long service-name pattern: <service-name>.<global.domain>. Example:
    ServiceRoute hostname
    TrustGate admintrustgate-admin.<domain>
    TrustGate gatewaytrustgate-gateway.<domain>
    TrustGate actionstrustgate-actions.<domain>
    Control Plane APIcontrol-plane-api.<domain>
    Control Plane UIcontrol-plane-app.<domain>
    Control Plane schedulercontrol-plane-scheduler.<domain>
    Data Plane APIdata-plane-api.<domain>
    This is different from the chart’s Ingress hostname scheme on other clouds (admin.<domain>, gateway.<domain>, etc.). It matches the OpenShift convention for Route names.
  • TLS: edge-terminated Routes use the OpenShift router cert by default. For custom certs, populate spec.tls.certificate on the Route (the chart’s per-Route values support this).
  • Security context: respects SCC. The chart relaxes hardcoded UID/GID where OpenShift assigns them; ClickHouse and PostgreSQL specifically have OpenShift-aware container security contexts.
  • Image pull: gcr-secret must be linked to each component’s service account (oc secrets link <sa> gcr-secret --for=pull).

Switching to Ingress

To use Kubernetes Ingress instead of Routes (e.g. when integrating with an external NGINX ingress controller): 
trustgate:
  ingress:
    controlPlane:
      enabled: true
      className: "nginx"
When you enable Ingress on OpenShift, the chart stops creating the Route for that component. Hostnames then revert to the short prefix scheme (admin.<domain>, gateway.<domain>).

Common configuration

Reference values file

The chart ships values-openshift.yaml as a tested baseline for OpenShift installs. Copy it, set your domain, and adjust toggles.

Custom Route certificates

trustgate:
  ingress:
    controlPlane:
      route:
        tls:
          termination: edge
          certificate: |
            -----BEGIN CERTIFICATE-----
            ...
          key: |
            -----BEGIN PRIVATE KEY-----
            ...
For most production deployments, prefer storing certificates in OpenShift Secrets and referencing them, rather than inlining PEM in values.

Internal-only Routes

trustgate:
  ingress:
    controlPlane:
      route:
        host: "trustgate-admin.apps-internal.example.com"
Pair with a private router shard or a separate router with internal DNS for cluster-internal exposure.

Storage class

global:
  storageClass: "ocs-storagecluster-ceph-rbd"  # for OpenShift Data Foundation
  # or "managed-premium" on ARO / "gp3-csi" on ROSA

GPU node pool (NVIDIA GPU Operator)

After installing the GPU Operator from OperatorHub: 
oc label machineset gpu-pool cluster.x-k8s.io/node-pool=gpu-pool -n openshift-machine-api
Then enable Firewall GPU workers (see Firewall deployment).

ROSA / ARO / on-prem differences

TopicROSA (AWS)ARO (Azure)OpenShift on-prem
Default storage classgp3-csimanaged-premiumvaries — check oc get sc
Default DNS*.apps.<cluster>.openshiftapps.com*.apps.<cluster>.<region>.aroapp.ioyour customer DNS
Cluster-bound networkingAWS PrivateLinkAzure Private Linkdepends on infra
GPU node groupsAWS-side: g5/g6 ASGsAzure-side: Standard_NC*depends on infra

Backup and data lifecycle

For production OpenShift:
  • PostgreSQL: use managed databases (RDS, Azure Database for PostgreSQL, Cloud SQL) and set neuraltrust-control-plane.infrastructure.postgresql.deploy: false.
  • ClickHouse: enable clickhouse.backup.enabled: true with S3, GCS, or Azure Blob targets, or run ClickHouse Cloud externally.
  • Kafka: external Confluent Cloud / MSK / Event Hubs; set infrastructure.kafka.deploy: false.
External-infra reference: Configuration scenarios.

Verification

oc get pods -n neuraltrust
oc get route -n neuraltrust

curl https://data-plane-api.apps.<cluster>.openshift.com/health

Common issues

SymptomLikely causeFix
Pods stuck CreateContainerConfigErrorgcr-secret not linked to the service accountoc secrets link <component-sa> gcr-secret --for=pull -n neuraltrust
Route hostname unexpectedMixing Route vs IngressWhen Ingress is enabled on a component, the chart skips its Route
Pod fails to start with SCC errorCustom UID conflicts with SCCUse oc adm policy add-scc-to-user anyuid -z <sa> only as a last resort; prefer adjusting the chart values
PVC stuck PendingWrong storage classoc get sc; set global.storageClass to a valid one
ClickHouse fails on first startUID/GID mismatchThe chart sets OpenShift-friendly SCC for CH; verify you haven’t overridden podSecurityContext

Next steps