prismeai-core (API gateway, console, runtime, workspaces, events) and prismeai-apps (functions, crawler, searchengine). This page is the single source of truth for installation — provider-specific notes live under Cloud Providers.
Prerequisites
- Kubernetes 1.26+ cluster on at least 3 nodes (multi-AZ recommended).
- Helm 3+.
- Databases provisioned and reachable from the cluster — see Databases.
- Object storage (S3-compatible, Azure Blob, GCS) — see Requirements.
- a RWX persistent volume — see Requirements.
- A way to inject secrets: Kubernetes Secrets, External Secrets Operator, Vault, AWS/Azure/GCP Secret Manager.
- A TLS certificate covering
api.<your-domain>andstudio.<your-domain>. - Registry credentials for
registry.gitlab.com(provided by Prisme.ai) — required for theappsnamespace.
1. Add the Helm repository
2. Configure the core namespace
Bootstrap prismeai-core-values.yaml from the chart’s full default values so nothing is silently left unset, then trim it down to what you actually override:
Self-signed TLS on your databases / Redis?
Mount the CA bundle as a
Mount the CA bundle as a
volume / volumeMounts on the relevant services and point the matching *_TLS_CA_FILE env var (e.g. BROKER_TLS_CA_FILE, PERMISSIONS_STORAGE_TLS_CA_FILE, SESSIONS_STORAGE_TLS_CA_FILE, CONTEXTS_CACHE_TLS_CA_FILE, USERS_STORAGE_TLS_CA_FILE, COLLECTIONS_STORAGE_TLS_CA_FILE, EVENTS_TOPICS_CACHE_TLS_CA_FILE) at the mounted filepath. The full list is in Environment Variables.Global configuration
Secret bootstrapping — global.secrets.allowCreation
oidc), the internal API key shared between services (internalSecurity.apiKey), and the workspace secrets encryption keys (secretsEncryption.masterKeys / refKeys). It does not affect user-provided secrets (broker, storage, cache, mailgun, …) — those are controlled by their respective existingSecret fields (see below).
Required workflow:
- First install — keep
allowCreation: trueso the chart seeds the internal secrets (OIDC, internal API key, encryption keys) with freshly generated values. Without this the platform cannot start. - After the first install — set
allowCreation: falseand keep it that way for every subsequenthelm templaterender or ArgoCD sync. (helm upgradeitself has cluster API access and preserves existing secrets correctly even withallowCreation: true, but you still wantfalseeverywhere to stay safe against any pipeline that doesn’t.)
User-provided secrets — existingSecret is authoritative
For every external credential (broker, storage.*, cache.*, providers.mailgun, object storage, …), the chart follows a strict rule:
- If
existingSecretis set → the chart never creates or overrides that Secret. The deployment references the named Secret as-is. Anyurl/passwordvalue left in your values file is silently ignored for that resource. Pre-create the Secret out of band (ExternalSecrets Operator, sealed-secrets, Vault,kubectl create secret, …) — this is the recommended GitOps-friendly pattern. - If
existingSecretis empty AND you provideurl/password→ the chart generates the Secret from those inline values. Useful for quick local trials; not recommended for production because plaintext credentials end up in your values file. - If both are empty → no Secret is created and the deployment fails to start. Pick one of the two patterns above.
global.secrets.allowCreation: a user secret with existingSecret set is safe under helm template, ArgoCD, restricted RBAC, or any offline render — no lookup is performed.
Secrets encryption keys
Prisme.ai encrypts workspace secrets at rest with envelope encryption (AES-256-GCM). The master key (KEK) and short-lived reference keys live in one Kubernetes Secret, read by the services asSECRETS_MASTER_KEYS / SECRETS_REF_KEYS.
The chart can auto-generate them, but auto-generation depends on lookup to preserve the keys across renders — and lookup returns empty under helm template and ArgoCD, so every render would emit new keys and make all encrypted data unrecoverable. For GitOps / helm template (the recommended setup), pre-create the Secret yourself and reference it with existingSecret; the chart then generates nothing and runs no lookup.
Generate the keys into a Secret you own (run once, before the first install)
openssl rand -hex 32 produces the 64-hex-character key the chart expects. Back up both values immediately — this Secret is your only copy. In GitOps, create it through your secret manager (Sealed Secrets, External Secrets, SOPS) so it is reproducible without committing plaintext keys.helm install you can instead let the chart auto-generate the keys — see auto-generation and the full value reference in Configuration.
prismeai-api-gateway
Authentication, mail, sessions, super-admin emails.
prismeai-workspaces
Workspace models, custom domains, upload limits. No specific env vars required.
prismeai-runtime
Automation engine — multi-threaded.
WORKSPACE_SECRET_* env vars on prismeai-runtime — the LLM Gateway and Storage workspaces won’t function without them. See LLM & vector store credentials for the full list.
Example with OpenSearch as the vector store and OpenAI as the LLM provider (prefer existingSecret / valueFrom.secretKeyRef in production):
prismeai-events
Activity log + retention.
Ingress and load balancer
Theprismeai-core chart ships a default core-ingress object — you only need to override its annotations, hosts and TLS secret to match your environment. Use a single ingress for both api.<your-domain> and studio.<your-domain>. Below is an AWS ALB example; equivalent annotations exist for Azure Application Gateway, GKE Ingress, OpenShift Routes.
Two timeouts to tune
These are two different settings on the load balancer and they must both be set:client_keep_alive— how long the LB keeps a client TCP connection open between requests so the browser can reuse the same socket. Set to 60 s (must be under the api-gateway server keep-alive of 70 s, otherwise the LB sends requests on a socket the gateway just closed and you get 502s).idle_timeout— the longest period of inactivity allowed on an in-flight request before the LB cuts it. Set to 300 s so server-sent events and long LLM streaming responses don’t get killed mid-flight.
ALB example
Make sure the annotations match the ones expected by your Ingress Controller.prismeai-events benefits from sticky sessions — pin clients via a header (e.g. user-agent consistent hash) at the ingress or via an Istio DestinationRule.
3. Configure the apps namespace
Bootstrap prismeai-apps-values.yaml the same way — dump the chart defaults first, then override only what you need:
apps namespace pulls images from a private registry, so the registry credentials below are mandatory.
License + registry credentials. The
apps chart (functions, crawler, searchengine) is gated by your subscription license. Credentials for registry.gitlab.com are issued as a GitLab Deploy Token — contact support@prisme.ai if you don’t have them yet.prismeai-functions
Custom code execution (JavaScript / Python).
extraObjects :
prismeai-crawler
Web crawler and document indexing.
prismeai-searchengine
Query routing on top of crawled indices.Make sure the
ELASTIC_INDICES_PREFIX match the one in prismeai-crawler with a yaml anchor :
4. Cross-cutting configuration (both charts)
The next two settings live underglobal.* and behave identically on both prismeai-core and prismeai-apps. Define them in both values files when applicable — same block, same Secret reference.
Trusting an extra CA bundle (private PKI / self-signed)
Mandatory if any URL the platform calls — LLM gateway, vector store, OIDC IdP, managed Elasticsearch or OpenSearch, internal HTTP APIs, third-party APIs hit by user Custom Code — is signed by a private PKI or a self-signed certificate. Configureglobal.extraCABundle to propagate your CA bundle to every pod in one shot. On prismeai-apps, an init container automatically merges your bundle with the service image’s system trust store so public HTTPS keeps working.
Full step-by-step → Trusting an extra CA bundle.
HTTP/HTTPS proxy
Mandatory if the cluster has no direct egress to the internet (LLM providers, OIDC IdP, public sites for the crawler, third-party APIs called by automations or user Custom Code). Configureglobal.proxy (httpProxy / httpsProxy / noProxy) to set HTTP_PROXY & friends on every pod.
Don’t forget to append your HTTP-based external hosts to noProxy (managed Elasticsearch or OpenSearch, S3 / Blob / GCS, internal LLM gateway, OIDC IdP) — Mongo/Postgres/Redis are binary protocols and bypass the proxy natively.
Full step-by-step → HTTP/HTTPS Proxy.
5. Cloud-specific configuration
Beyond the cross-cutting settings above, each cloud provider exposes its own Helm-level tweaks — most often ingress annotations (load balancer class, TLS / ACM certificates, keep-alive and idle timeouts, sticky sessions), but also persistent storage classes, workload identity bindings and registry pull secrets. Before installing, open the page matching your target platform and apply the provider-specific values it documents:- AWS — ALB ingress, IRSA, EFS / EBS storage classes.
- Azure — Application Gateway / NGINX ingress, Workload Identity, Azure Files / Disk.
- GCP — GCE ingress, Workload Identity, Filestore / PD storage classes.
- OVHcloud — Managed Kubernetes ingress and storage.
- OpenShift — Routes vs. ingress, SCCs, operators.
6. Install both charts
helm upgrade after editing the matching values file.
Troubleshooting: ImagePullBackOff on the apps namespace
Troubleshooting: ImagePullBackOff on the apps namespace
If pods stay in Then set
ImagePullBackOff, the registry secret was not created or doesn’t carry the right credentials. The chart creates it automatically when global.repository.create: true — if you manage secrets externally, create it by hand:global.repository.create: false and keep imagePullSecretName: "registry-secret" so the chart references the existing secret.7. Readiness check
Once both charts are installed and pods are running, validate the deployment from the UI:- Open the platform URL and sign in with a superadmin account — any email listed in
adminson the API gateway values (seeprismeai-api-gateway). - On first login, initialize the first organization by filling only its name and slug. The platform then loads with a left menu exposing Builder and Govern.
- Open the native Govern app from the left menu and go to the Infrastructure page. Verify the platform is healthy by testing native Services & databases connectivity with the Test buttons at the bottom of the page.
Vector store connectivity is validated later, once the Storage workspace has been imported — see Install products → Vector store. The
WORKSPACE_SECRET_storage_* env vars set on prismeai-runtime in step 2 are consumed by that workspace at import time.helm upgrade before continuing.
8. PostgreSQL
Compared to MongoDB, only three keys change. Each is marked with apostgresql comment in the values file.
Database permissions
Key:global.storage.permissions
Set driver: postgresql and the connection URL in url (not recommended for production) or via the existingSecret.
sslmode=require is mandatory.Database users
Key:prismeai-api-gateway.storage.users — same structure.
Database collections
Key:prismeai-runtime.storage.collections — same structure.
See the PostgreSQL page for version requirements and managed service recommendations.
9. Upgrade, rollback, uninstall
Next Steps
Configuration
Post-install settings: image tags, LLM / vector store credentials, auth, mail, retention, uploads, readiness check.
Cloud Providers
Provider-specific managed services, IaC modules and ingress annotations.
Databases
PostgreSQL or MongoDB, Redis, Elasticsearch or OpenSearch.
Resources & HPA
Resource requests, limits and Horizontal Pod Autoscaling.
Environment Variables
Full env-var reference per service.
Operations
Scaling, updates and backups.