Our Python SDK got smarter. We developed a Typscript SDK too. We are updating our SDK code blocks. Python SDKhere.Typscript SDKhere.
Description

Prerequisites

Requirements and prerequisites for self-hosting Patronus AI

Before deploying Patronus AI in your environment, ensure you have the following prerequisites in place.

Infrastructure requirements

Kubernetes cluster

Access to a Kubernetes cluster with minimum node requirements:

  • Additional GPU nodes if you plan to deploy containerized models

Supported cloud providers

Patronus AI supports deployment on the following cloud platforms:

  • AWS - Amazon Elastic Kubernetes Service (EKS)
  • Azure - Azure Kubernetes Service (AKS)
  • GCP - Google Kubernetes Engine (GKE)
  • Other Kubernetes-compatible platforms

Container registry

For production deployments, it's recommended to set up an internal container registry within your Kubernetes cluster or private network. This eliminates external dependencies and provides better control over image distribution.

Benefits:

  • Reduced dependency on external registries
  • Faster image pull times within the cluster
  • Better control over image versions and security
  • Compliance with air-gapped or restricted network environments
  • Improved reliability and availability

Supported registry options:

  • Harbor - Enterprise-grade registry with security scanning and replication
  • JFrog Artifactory - Universal artifact repository with Docker registry support
  • AWS Elastic Container Registry (ECR) - Managed registry for AWS deployments
  • Azure Container Registry (ACR) - Managed registry for Azure deployments
  • Google Artifact Registry - Managed registry for GCP deployments
  • Docker Registry - Simple, lightweight registry solution
  • Other OCI-compliant container registries

Setup requirements:

  1. Deploy and configure your internal registry
  2. Configure authentication and access control
  3. Set up SSL/TLS certificates for secure communication
  4. Pull Patronus AI images from the external registry using provided credentials
  5. Push images to your internal registry
  6. Update values.yaml to point to your internal registry:
global:
  image:
    registry: <YOUR_INTERNAL_REGISTRY>  # e.g., registry.mycompany.com
    tag: <GLOBAL_IMAGE_TAG>

After setting up your internal registry, you'll need to migrate all Patronus AI images. The Patronus team can provide a complete list of required images and tags for your deployment version.

Patronus Docker registry access

  • Docker Hub username and password for accessing private Patronus AI images
  • Required for initial image download and migration to your internal registry
  • If you were not provided with Docker credentials, reach out to the Patronus AI team

Cloud provider credentials

Appropriate permissions and credentials for your chosen cloud provider to:

  • Create and manage Kubernetes resources
  • Configure ingress controllers
  • Set up DNS records (if using ExternalDNS)
  • Manage TLS certificates (if using cert-manager)

Required tools

Helm

Helm 3.x installed on your local machine or deployment environment

kubectl

Kubernetes command-line tool configured to connect to your cluster

  • Verify connectivity: kubectl get pods

Docker

Docker installed and configured for pulling images from the Patronus registry

Storage services

PostgreSQL

  • PostgreSQL 16.x or compatible version
  • Can be deployed in-cluster or as an external managed service (recommended for production)
  • Used for storing evaluation logs and associated metadata

Redis

  • Redis 7.x or compatible version
  • Can be deployed in-cluster or as an external managed service (recommended for production)
  • Used for caching operations and storing state in evaluation runs

Optional: ClickHouse

  • Recommended for tracing features
  • Provides better performance for storing evaluation logs
  • Can be replaced by PostgreSQL if not available

Optional: Weaviate

  • Vector database for Patronus Trace Insights
  • Recommended for efficient similarity search and semantic analysis
  • Can be replaced by PostgreSQL with pgvector extension if not available

Networking requirements

Domain names

Prepare domain names or subdomains for the following services:

  • Patronus App (Frontend) - e.g., app.example.com
  • Patronus Backend API - e.g., api.example.com
  • Patronus Admin Portal - e.g., admin.example.com

Ingress controller

Install and configure an ingress controller for your Kubernetes cluster:

  • AWS: AWS Load Balancer Controller or NGINX Ingress Controller
  • Azure: Application Gateway Ingress Controller (AGIC) or NGINX Ingress Controller
  • GCP: GKE Ingress Controller or NGINX Ingress Controller

TLS certificates

Prepare TLS certificates for HTTPS access:

  • Use cert-manager with Let's Encrypt (recommended)
  • AWS Certificate Manager (for AWS deployments)
  • Manually managed certificates

DNS management

  • Access to your DNS provider to configure DNS records
  • Optional: ExternalDNS for automated DNS record management

Authentication provider

Patronus AI uses Vouch Proxy to integrate with your Identity Provider (IdP). Vouch Proxy supports most OIDC and OAuth2 providers out of the box.

You can test your IdP configuration using the official Vouch Proxy Helm chart before integrating with Patronus AI.

Identity provider (IdP)

Choose an authentication strategy:

  • Production environments: SSO/OIDC provider integration

    • Microsoft Entra ID (Azure AD)
    • Google Identity (Google Workspace)
    • Amazon Cognito
    • Auth0
    • Other OIDC-compatible providers

  • POC/UAT/Development environments: Simple username and password authentication

Vouch Proxy configuration examples

For reference configurations for all supported providers, see the official Vouch Proxy configuration examples.

OAuth configuration

If using an IdP, prepare:

  • OAuth client ID
  • OAuth client secret
  • Authorization and token endpoints
  • Appropriate redirect URIs configured in your IdP

Configuration files

Helm values file

You should receive example values.yaml configuration files from the Patronus AI team. If not received, contact the team before proceeding.

Required configuration values

Prepare the following values for your deployment:

  • <GLOBAL_IMAGE_TAG> - Version/tag of container images
  • <GLOBAL_IMAGE_REGISTRY> - Container registry URL
  • <GLOBAL_ADMIN_SECRET> - Admin secret key (securely generated)
  • <GLOBAL_POSTGRESQL_POSTGRES_PASSWORD> - PostgreSQL admin password
  • <GLOBAL_POSTGRESQL_PASSWORD> - PostgreSQL user password
  • <GLOBAL_REDIS_PASSWORD> - Redis password
  • <POST_INSTALL_CUSTOMER_NAME> - Your organization name
  • <PATRONUS_APP_HOST> - Frontend application URL
  • <PATRONUS_DOMAIN> - Base domain
  • <PATRONUS_BACKEND_API_HOST> - Backend API URL
  • <PATRONUS_ADMIN_PORTAL_HOST> - Admin portal URL

Security considerations

  • Ensure secure storage of all passwords and secrets
  • Use secret management solutions (e.g., AWS Secrets Manager, Azure Key Vault, Google Secret Manager)
  • Generate strong, unique passwords for all services
  • Configure network policies and security groups appropriately
  • Plan for regular security updates and patches

Optional components

GPU resources

If deploying containerized models:

  • GPU-enabled Kubernetes nodes
  • Appropriate GPU drivers and device plugins installed
  • Sufficient VRAM for your chosen models

Pod authentication

For credential-free authentication to cloud AI services:

  • AWS: IAM roles for service accounts (IRSA) configured
  • Azure: Workload Identity configured
  • GCP: Workload Identity Federation configured

Next steps

Once you have all prerequisites in place, proceed to:

  1. Architecture Overview - Understand the system architecture
  2. Vouch-Proxy configurations test - Step-by-step guide to test your Identity Provider configuration
  3. Helm chart Installation - Begin the installation process

← Back to Self Hosting Guide

On this page