
1. Prerequisites

Before installing the Helm charts, ensure your Kubernetes environment meets the following requirements.
Note: Ensure that your VPC environment has network access to pull the required container images for the Enkrypt AI stack.

Namespaces

Create the following namespaces to isolate the application components:
kubectl create namespace enkryptai-stack
kubectl create namespace redteam-jobs

Kubernetes Secrets

The following secrets must be created before installation. The Enkrypt AI team will provide the necessary secret values.
Namespace        | Secret Name                   | Used By
-----------------+-------------------------------+-----------------------------
enkryptai-stack  | elastic-env-secret            | gateway-kong, opensearch
enkryptai-stack  | frontend-env-secret           | frontend
enkryptai-stack  | gateway-env-secret            | gateway-kong
enkryptai-stack  | gateway-migration-env-secret  | gateway-kong
enkryptai-stack  | guardrails-env-secret         | guardrails
enkryptai-stack  | onprem                        | Supabase (on-prem database)
enkryptai-stack  | openfga-env-secret            | openfga
enkryptai-stack  | opensearch-cred               | opensearch
enkryptai-stack  | opensearch-securityconfig     | opensearch
enkryptai-stack  | postgres-superuser-secret     | Supabase (on-prem)
enkryptai-stack  | redteam-proxy-env-secret      | redteaming
enkryptai-stack  | s3-cred                       | redteaming, Supabase (MinIO)
enkryptai-stack  | superuser-secret              | Postgres (CloudNativePG)
redteam-jobs     | redteam-proxy-env-secret      | redteam-jobs

SMTP Requirements

SMTP is required for login: on-prem deployments currently support only SMTP-based sign-in. To use your own SMTP provider, or the SMTP service (powered by Resend) that Enkrypt AI can supply, update the environment variables shown below in your on-prem secret (6-onprem.yaml) and re-apply it. If you choose the Enkrypt AI service, make sure outbound access to smtp.resend.com is whitelisted in your environment.
GOTRUE_MAILER_EXTERNAL_HOSTS: smtp.resend.com
GOTRUE_SMTP_ADMIN_EMAIL: [email protected]
GOTRUE_SMTP_HOST: smtp.resend.com
GOTRUE_SMTP_PORT: "587"
GOTRUE_SMTP_SENDER_NAME: [email protected]
smtppassword: your_password
smtpusername: your_username

Ingress and DNS Configuration

The Enkrypt AI stack requires three fully qualified domain names (FQDNs), each secured with a valid SSL/TLS certificate.
Component    | Example FQDN     | Purpose
-------------+------------------+-------------------------------------------
Frontend UI  | app.example.com  | Enkrypt AI Web UI - Frontend
API Gateway  | api.example.com  | Backend API traffic routing - Gateway-Kong
Auth Service | auth.example.com | Authentication and DB APIs - Supabase
You can configure ingress using NGINX with cert-manager, the AWS Load Balancer (ALB) Controller with ACM, or the Azure Application Gateway Ingress Controller (AGIC); the three options are shown below.

Option A: NGINX Ingress Controller

If using NGINX, configure your values.yaml to use cert-manager for TLS.
# values.yaml for enkryptai-stack chart
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod" # Or your preferred issuer
    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
  hosts:
    - host: app.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: frontend-tls
      hosts:
        - app.example.com

Option B: AWS ALB Ingress Controller

If using the AWS ALB Controller, specify the ACM certificate ARN directly in the annotations.
# values.yaml for enkryptai-stack chart
ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID
    alb.ingress.kubernetes.io/ssl-redirect: '443'
  hosts:
    - host: app.example.com
      paths:
        - path: /
          pathType: Prefix

Option C: Azure AGIC Ingress Controller

If using Azure Kubernetes Service (AKS) with Application Gateway Ingress Controller (AGIC), configure TLS with Azure Key Vault or managed certificates:
# values.yaml for enkryptai-stack chart
ingress:
  enabled: true
  className: azure/application-gateway
  annotations:
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/backend-protocol: "https"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    cert-manager.io/acme-challenge-type: "http01"
  hosts:
    - host: app.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: frontend-tls
      hosts:
        - app.example.com