Common deployment options

This guide covers common deployment options and configurations for Patronus AI:

• Docker Hub (to access private images)
• (Optional) cert-manager (to manage TLS certificates)
• (Optional) ExternalDNS (to synchronize ingresses with the DNS service)
• (Optional) Pod Authentication (to authenticate to AI services in the same cloud provider)

Docker Hub

Patronus AI provides Docker images through Docker Hub. Using the credentials you received, create a Kubernetes secret named regcred:

kubectl create secret docker-registry regcred \
  --docker-server=https://index.docker.io/v1/ \
  --docker-username=patronusdevops \
  --docker-password=******

Add the following to your values.yaml file, for example in the postinstall section:

postinstall:
  imagePullSecrets:
    - name: regcred

cert-manager

To automatically configure TLS certificates issued by Let's Encrypt (ACME), use cert-manager.

Install cert-manager by following the Installing with Helm guide.

After installation, apply the following configuration:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <YOUR_EMAIL>
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: <INGRESS_CLASS>

Where <INGRESS_CLASS> can be:

• nginx (for the NGINX Ingress Controller)
• azure/application-gateway (for Azure Application Gateway Ingress Controller (AGIC))

For AWS you can use AWS Certificate Manager to issue the certificates along with AWS Load Balancer Controller.

Update the values.yaml file to use these certificates, for example in patronus-backend section:

patronus-backend:
  ingress:
    enabled: true
    className: <INGRESS_CLASS>
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: <PATRONUS_BACKEND_API_HOST>
        paths:
          - path: /
            pathType: Prefix
    tls:
      - hosts:
          - <PATRONUS_BACKEND_API_HOST>
        secretName: patronus-backend-tls-cert

ExternalDNS

To automatically create DNS entries for ingress hostnames, use ExternalDNS.

Install ExternalDNS by following the tutorial for your cloud provider:

• AWS
• Azure DNS
• GKE with nginx-ingress-controller

Pod Authentication

Patronus AI supports authentication to each cloud's AI service using a credential-free connection:

• AWS: EKS -> SageMaker
• Azure: AKS -> Azure OpenAI
• GCP: GKE -> Vertex AI

Example configurations for values.yaml file:

serviceAccount:
  name: gpt
  annotations:
    eks.amazonaws.com/role-arn: <IAM_ROLE_ARN>

External documentation:

• cert-manager
• Use Let's Encrypt certificates on Application Gateway for AKS clusters
• ExternalDNS
• Tutorial: Connect to Azure OpenAI Service in AKS using Workload Identity
• Configure Workload Identity Federation with Kubernetes
• IAM roles for service accounts
• AWS Load Balancer Controller

← Back to Self Hosting Guide