This page covers the OpenShift-specific bits. The actual Helm install — values, ingress, env vars — lives in Install with Helm.
| Component | OpenShift / on-prem option | Notes |
|---|---|---|
| Kubernetes | OpenShift 4.x (OCP, ROSA, ARO, OpenShift on IBM Cloud). | 3+ worker nodes, ≥ 4 vCPU / 16 GB each. |
| MongoDB | MongoDB Enterprise Operator for OpenShift, or external Atlas. | See MongoDB. |
| PostgreSQL (alternative) | Crunchy Postgres for Kubernetes operator. | See PostgreSQL. |
| Elasticsearch | Elasticsearch Operator (ECK) or OpenSearch Operator. | See Elasticsearch. |
| Redis | Redis Operator for OpenShift (standard Redis, no modules required). | See Redis. |
| Object storage | OpenShift Data Foundation (Noobaa) or external S3-compatible (MinIO, Ceph RGW). | |
| File storage (PVC RWX) | OpenShift Data Foundation (CephFS) or external NFS. | |
| Ingress | OpenShift Routes (HAProxy-based) with TLS edge termination. | |
| TLS / Certificates | cert-manager Operator, or import a wildcard certificate. | |
| Secrets | HashiCorp Vault + Vault Agent Injector, or External Secrets Operator. | |

Persistent storage

The shared RWX PVC (used by prismeai-functions) must be backed by CephFS (via OpenShift Data Foundation) or NFS, with the right RWX storage class set on the PVC.

Security Context Constraints (SCCs)

OpenShift restricts container privileges by default. Apply (or grant) an SCC compatible with running the platform images as non-root:
  • restricted-v2 works for most services if the chart’s default securityContext.runAsUser is honored.
  • prismeai-functions forks isolated child processes — review its SCC requirements with Prisme.ai before granting elevated privileges.
Make sure the service account used by each Helm release is bound to the appropriate SCC.

Routes vs Ingress

Prisme.ai’s chart ships Kubernetes Ingress resources by default. On OpenShift you have two options:
  1. Keep Ingress — OpenShift’s Ingress Operator translates them to Routes automatically.
  2. Use Routes directly — disable the chart’s Ingress and create two Routes (api, studio) with TLS edge termination and a haproxy.router.openshift.io/timeout: 300s annotation to keep SSE / websocket connections alive.
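Option 2 as a manifest, added here as an illustration and not taken from the Prisme.ai chart: two edge-terminated Routes carrying the timeout annotation. The namespace, Service names and port name are placeholders (assumptions) to be replaced with the values from your Helm release.

```yaml
# Added example. Placeholders in <...> are assumptions, not chart values.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: api
  namespace: <core-namespace>          # placeholder
  annotations:
    # Stops HAProxy from cutting long-lived SSE / websocket connections
    haproxy.router.openshift.io/timeout: 300s
spec:
  host: api.<your-domain>
  to:
    kind: Service
    name: <api-service>                # placeholder
  port:
    targetPort: <service-port-name>    # placeholder
  tls:
    # TLS ends at the router; traffic from router to pod is plain HTTP
    termination: edge
    # Redirect plain-HTTP requests to HTTPS instead of serving them
    insecureEdgeTerminationPolicy: Redirect
    # No certificate/key set here: the router's default certificate is
    # served. Add them to pin a specific certificate to this Route.
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: studio
  namespace: <core-namespace>          # placeholder
  annotations:
    haproxy.router.openshift.io/timeout: 300s
spec:
  host: studio.<your-domain>
  to:
    kind: Service
    name: <studio-service>             # placeholder
  port:
    targetPort: <service-port-name>    # placeholder
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
```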

DNS and TLS

Create two records:
api.<your-domain>     -> OpenShift router VIP / Cloud LB
studio.<your-domain>  -> same
Use one certificate covering both hostnames, managed by cert-manager or imported as a Route TLS secret.

Next Steps

  • Install with Helm: Configure values and deploy core + apps namespaces.
  • Databases: PostgreSQL or MongoDB, Redis, Elasticsearch or OpenSearch.
  • Install products: Fresh-install walkthrough.
  • Migration v27: Migrate an existing instance to v27.