
1. Prerequisites

Before installing the Helm charts, ensure your Kubernetes environment meets the following requirements.
Note: Ensure that your VPC environment has network access to pull the required container images for the Enkrypt AI stack.

Namespaces

Create the following namespaces to isolate the application components:
kubectl create namespace enkryptai-stack
kubectl create namespace redteam-jobs

Kubernetes Secrets

The following secrets must be created before installation. The Enkrypt AI team will provide the necessary secret values.
| Namespace | Secret Name | Used By |
| --- | --- | --- |
| enkryptai-stack | elastic-env-secret | gateway-kong, opensearch |
| enkryptai-stack | frontend-env-secret | frontend |
| enkryptai-stack | gateway-env-secret | gateway-kong |
| enkryptai-stack | gateway-migration-env-secret | gateway-kong |
| enkryptai-stack | guardrails-env-secret | guardrails |
| enkryptai-stack | onprem | Supabase (on-prem database) |
| enkryptai-stack | openfga-env-secret | openfga |
| enkryptai-stack | opensearch-cred | opensearch |
| enkryptai-stack | opensearch-securityconfig | opensearch |
| enkryptai-stack | postgres-superuser-secret | Supabase (on-prem) |
| enkryptai-stack | redteam-proxy-env-secret | redteaming |
| enkryptai-stack | s3-cred | redteaming, Supabase (MinIO) |
| enkryptai-stack | superuser-secret | Postgres (CloudNativePG) |
| redteam-jobs | redteam-proxy-env-secret | redteam-jobs |
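
A pre-flight check for the secrets listed above, added here as an example (it is not part of the Enkrypt AI charts or documentation). The helper name `missing_secrets` and the `--live` flag are assumptions of this example; it compares namespace and secret name together and reads only secret names, never their values.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the secrets in the table above.
# Required "namespace secret-name" pairs, copied from that table.
REQUIRED_SECRETS='enkryptai-stack elastic-env-secret
enkryptai-stack frontend-env-secret
enkryptai-stack gateway-env-secret
enkryptai-stack gateway-migration-env-secret
enkryptai-stack guardrails-env-secret
enkryptai-stack onprem
enkryptai-stack openfga-env-secret
enkryptai-stack opensearch-cred
enkryptai-stack opensearch-securityconfig
enkryptai-stack postgres-superuser-secret
enkryptai-stack redteam-proxy-env-secret
enkryptai-stack s3-cred
enkryptai-stack superuser-secret
redteam-jobs redteam-proxy-env-secret'

# missing_secrets (hypothetical helper): reads existing secrets from stdin as
# "namespace name" lines, prints every required pair that is absent as
# "namespace/name", and returns 1 if anything is missing.
missing_secrets() {
  ms_existing=$(awk 'NF >= 2 { print $1 " " $2 }')
  ms_rc=0
  while read -r ms_ns ms_name; do
    # Match namespace and name together: a secret in another namespace does not count.
    if ! printf '%s\n' "$ms_existing" | grep -qxF "$ms_ns $ms_name"; then
      echo "$ms_ns/$ms_name"
      ms_rc=1
    fi
  done <<EOF
$REQUIRED_SECRETS
EOF
  return "$ms_rc"
}

# Live mode (the --live flag is part of this example): list only names in the
# two namespaces, so secret values are never printed and no cluster-wide
# access is needed.
if [ "${1:-}" = "--live" ]; then
  for ns in enkryptai-stack redteam-jobs; do
    kubectl get secrets -n "$ns" --no-headers \
      -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name
  done | missing_secrets && echo "all required secrets present"
fi
```

Run it with `--live` before `helm install`; a non-zero exit status means at least one secret from the table is still missing.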

Ingress and DNS Configuration

The Enkrypt AI stack requires three fully qualified domain names (FQDNs), each secured with a valid SSL/TLS certificate.
| Component | Example FQDN | Purpose |
| --- | --- | --- |
| Frontend UI | app.example.com | Enkrypt AI Web UI - Frontend |
| API Gateway | api.example.com | Backend API traffic routing - Gateway-Kong |
| Auth Service | auth.example.com | Authentication and DB APIs - Supabase |

You can configure ingress using NGINX with cert-manager, the AWS Load Balancer (ALB) Controller with ACM, or the Azure Application Gateway Ingress Controller (AGIC).

Option A: NGINX Ingress Controller

If using NGINX, configure your values.yaml to use cert-manager for TLS.
# values.yaml for enkryptai-stack chart
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod" # Or your preferred issuer
    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
  hosts:
    - host: app.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: frontend-tls
      hosts:
        - app.example.com

Option B: AWS ALB Ingress Controller

If using the AWS ALB Controller, specify the ACM certificate ARN directly in the annotations.
# values.yaml for enkryptai-stack chart
ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID
    alb.ingress.kubernetes.io/ssl-redirect: '443'
  hosts:
    - host: app.example.com
      paths:
        - path: /
          pathType: Prefix

Option C: Azure AGIC Ingress Controller

If using Azure Kubernetes Service (AKS) with Application Gateway Ingress Controller (AGIC), configure TLS with Azure Key Vault or managed certificates:
# values.yaml for enkryptai-stack chart
ingress:
  enabled: true
  className: azure/application-gateway
  annotations:
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/backend-protocol: "https"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    cert-manager.io/acme-challenge-type: "http01"
  hosts:
    - host: app.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: frontend-tls
      hosts:
        - app.example.com