Skip to main content
This guide walks you end-to-end through a fully self-hosted deployment on OpenShift — Control Plane API, UI, and Scheduler run in your cluster alongside the Data Plane, TrustGate, and Firewall. For the SaaS-hosted Control Plane alternative, see OpenShift hybrid.

What you’ll end up with

ComponentLocationReplicas
Control Plane API, UI, SchedulerYour OpenShift cluster2, 2, 1
Data Plane API, worker, Kafka ConnectYour OpenShift cluster2, 1, 1
TrustGate admin / gateway / actionsYour OpenShift cluster2 each
Firewall gateway + 5 workersYour OpenShift cluster2 + 5
ClickHouse, Kafka, PostgreSQL, RedisYour OpenShift cluster (or external)1 each
Sizing baseline: ~21–23 vCPU / 45–50 GiB RAM / 80 GiB PVC. See Image catalog.

Prerequisites

ResourceRecommended
OpenShift version4.10+
CPU pool node spec8 vCPU / 32 GiB
Min CPU nodes≥ 5 across 3 AZs. Drop to 4 if Firewall workers run on GPU nodes.
GPU pool (optional, for GPU Firewall)4 vCPU / 16 GiB + 1 × NVIDIA GPU — 5 nodes (one per default Firewall worker)
Sizing baseline~23.1 vCPU / 61.8 GiB requests / 80 GiB PVC (defaults, CPU Firewall)
StorageCluster default; for ClickHouse + Postgres prefer fast SSD
Custom domainA domain you control (e.g. platform.example.com)
CertificatesCustom Route TLS or cert-manager
Image pullgcr-keys.json from NeuralTrust

Step 1 — Project setup

Same as hybrid — see OpenShift hybrid › Step 1 and Step 2. Self-hosted has identical project/SCC requirements aside from slightly higher CPU/memory budget for CP components.

Step 2 — Write your values overlay

Save as my-values.yaml: 
# Self-hosted deployment on OpenShift
global:
  platform: "openshift"
  domain: "platform.example.com"          # custom domain or apps.<cluster>.openshift.com
  storageClass: ""                         # use cluster default
  autoGenerateSecrets: true
  security:
    allowInsecureImages: true

# Control Plane in your cluster
neuraltrust-control-plane:
  controlPlane:
    enabled: true                          # ← key difference from hybrid
    components:
      api:
        enabled: true
      app:
        enabled: true
      scheduler:
        enabled: true
  infrastructure:
    postgresql:
      deploy: true

# Data Plane
neuraltrust-data-plane:
  dataPlane:
    enabled: true

# TrustGate
trustgate:
  enabled: true
  global:
    env:
      SERVER_BASE_DOMAIN: "platform.example.com"

# Firewall
neuraltrust-firewall:
  firewall:
    enabled: true

# Infrastructure
infrastructure:
  clickhouse:
    deploy: true
  kafka:
    deploy: true
The chart will create Routes for every public component (see Step 4). 
neuraltrust-control-plane:
  controlPlane:
    components:
      app:
        ingress:
          route:
            tls:
              termination: edge
              certificate: |
                -----BEGIN CERTIFICATE-----
                ...
              key: |
                -----BEGIN PRIVATE KEY-----
                ...
      api:
        ingress:
          route:
            tls:
              termination: edge
              certificate: |
                -----BEGIN CERTIFICATE-----
                ...
              key: |
                -----BEGIN PRIVATE KEY-----
                ...
In production, prefer storing certs in OpenShift Secrets and referencing them via your secret-management workflow.

Using external managed services

neuraltrust-control-plane:
  infrastructure:
    postgresql:
      deploy: false
  controlPlane:
    components:
      postgresql:
        secrets:
          host: "<managed-postgres>.example.com"
          port: "5432"
          user: "neuraltrust"
          password: ""
          database: "neuraltrust"

infrastructure:
  clickhouse:
    deploy: false
    external:
      host: "your-tenant.clickhouse.cloud"
      port: "8443"
      user: "neuraltrust"
      password: ""
      database: "neuraltrust"
  kafka:
    deploy: false
    external:
      bootstrapServers: "<bootstrap>:9092"
For ClickHouse Cloud, see the native-port caveat. For external Kafka with SASL, see Authentication for external Kafka.

Step 3 — Install

helm upgrade --install neuraltrust-platform \
  oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
  --version <VERSION> \
  --namespace neuraltrust \
  -f my-values.yaml

oc get pods -n neuraltrust -w
Initial install takes 4–6 minutes. After install, link gcr-secret to component service accounts (see OpenShift hybrid › Step 7).

Step 4 — Routes and DNS

oc get route -n neuraltrust
Self-hosted creates Routes for all public components:
RouteHostRequired
control-plane-appcontrol-plane-app.<domain>
control-plane-apicontrol-plane-api.<domain>
control-plane-schedulercontrol-plane-scheduler.<domain>
data-plane-apidata-plane-api.<domain>
trustgate-admintrustgate-admin.<domain>
trustgate-gatewaytrustgate-gateway.<domain>
trustgate-actionstrustgate-actions.<domain>
For a custom domain, add CNAMEs pointing each host at the OpenShift router’s canonical hostname.

Step 5 — First login to the Control Plane

  1. Open https://control-plane-app.<domain>.
  2. Get the bootstrap credentials: 
    oc logs -n neuraltrust deploy/control-plane-app -c init-db | grep -i bootstrap
  3. Sign in, configure SSO (Platform › SSO), rotate the bootstrap admin password.
  4. Configure LLM providers, integrations, and policies.

Step 6 — Send traffic through TrustGate

Point your AI applications at https://trustgate-gateway.<domain>. Telemetry flows through TrustGate → Data Plane → ClickHouse, surfaced by your self-hosted Control Plane UI.

Verification

oc get pods -n neuraltrust
oc get route -n neuraltrust

curl https://control-plane-api.<domain>/health
curl https://control-plane-app.<domain>
curl https://data-plane-api.<domain>/health
curl https://trustgate-gateway.<domain>/__health

Upgrading

helm upgrade neuraltrust-platform \
  oci://europe-west1-docker.pkg.dev/neuraltrust-app-prod/helm-charts/neuraltrust-platform \
  --version <NEW_VERSION> \
  --namespace neuraltrust \
  -f my-values.yaml
Watch the init-db init container of the new CP UI pod for Prisma migration errors.

Air-gapped / disconnected OpenShift

Common for sovereign-cloud and government OpenShift installs.
  1. Mirror images to your internal registry (Red Hat Quay or any OCI registry). Use oc-mirror or helm template … | yq … (see Image catalog › Mirroring).
  2. Override the registry: 
    global:
  imageRegistry: "registry.internal.example.com/neuraltrust"
  3. Proxy egress: 
    global:
  proxy:
    enabled: true
    httpProxy: "http://proxy.corp.example:3128"
    httpsProxy: "http://proxy.corp.example:3128"
    noProxy: "localhost,127.0.0.1,.cluster.local,.svc"
  4. Pre-load Firewall model weights or mirror huggingface.co if using the Firewall with HF token.
  5. TLS: bring your own Route certificates instead of public CAs.

Migration to hybrid

neuraltrust-control-plane:
  controlPlane:
    enabled: false
Enroll the existing Data Plane with NeuralTrust SaaS — see OpenShift hybrid › Step 8.

Troubleshooting

SymptomLikely causeFix
CP UI blankAPI URL wrongVerify control-plane-api.<domain> Route and config
Login failsDB migration failedoc logs -c init-db on CP UI pod
Scheduler not running jobsCan’t reach Data Plane APIVerify data-plane-api.<domain> Route and TLS
Pods ImagePullBackOffgcr-secret not linked to SARe-run oc secrets link for each component SA
ClickHouse Permission denied on PVCSCC overrideDon’t override podSecurityContext for CH on OpenShift