Skip to main content

There are steps in this guide where TrueFoundry team will have to be involved. Please reach out to support@truefoundry.com to get the credentials

Key Components

To install the control plane on your generic Kubernetes infrastructure, you need to install the following components:
  • TrueFoundry Control Plane (Shipped as a helm chart called truefoundry)
  • PostgreSQL Database (Managed or Self-Hosted with PostgreSQL >= 13)
  • Blob Storage (S3, Minio, or any other S3 compatible storage)
PostgreSQL SSL Configuration: For PostgreSQL 17+, SSL must be disabled in the database configuration. This can typically be done by setting SSL-related parameters to false or 0 in your database configuration.

Compute Requirements

TrueFoundry ships as a helm chart that has configurable options to deploy the control plane according to your needs. The compute requirements change based on the scale of the number of users and requests. Here are a few scenarios that you can choose from based on your needs.
  • Small (Dev)
  • Medium (Prod)
  • Large (Prod)
The small tier is recommended for development purposes. Here all the components are deployed on Kubernetes and in non HA mode (single replica). This is suitable if you are just testing out the different features of TrueFoundry.
This setup brings up 1 replica of the services and is not highly-available. It can enable you to test the features but we do not recommend this for production mode.
ComponentCPUMemoryStorageMin NodesRemarks
Helm-Chart
(Control Plane components)		4 vCPU8GB60GB
Persistent Volumes (Block Storage) On Kubernetes		2
Pods should be spread over min 2 nodes
Postgres
(Deployed on Kubernetes)		0.5 vCPU0.5GB5GB
Persistent Volumes (Block Storage) On Kubernetes		PostgreSQL version >= 13
IOPS: Default (suitable for dev/testing)
Blob Storage
(S3 Compatible)		20GB

Prerequisites for Installation

  1. Kubernetes Cluster: K8s cluster 1.27+ with minimum 4vCPU and 8GB RAM.
  2. Support for dynamic provisioning of storage for PVC (such as local storage provisioners, Longhorn, OpenEBS, or other on-premises storage solutions) and support for exposing the control plane dashboard via:
    • Ingress controller (e.g., Nginx Ingress Controller), or
    • Istio service mesh
  3. Domain to map the ingress of the Control Plane dashboard along with certificate for the domain.
    This Domain will be referred as Control Plane URL in our documentation.
  4. Egress access to TrueFoundry Central Auth Server:
    • https://auth.truefoundry.com
    • https://login.truefoundry.com
  5. Tenant Name, Licence key, and image pull secret from TrueFoundry team. If you have not registered yet, please visit TrueFoundry to register.
  6. PostgreSQL database (version >= 13). We recommend managed PostgreSQL database for production environments. For instance requirements, refer to the Compute Requirements section.
    In case you do not have a managed database for testing purposes, set devMode to true in the values file to spin up a local PostgreSQL database.
  7. Blob Storage to store artifacts and logs (S3, Minio, or any other S3 compatible storage).

Installation Instructions

1

Setup Blob Storage

You need to configure S3-compatible blob storage (such as Minio, AWS S3, or any other S3-compatible storage) to store artifacts, logs, and AI Gateway request logs.
If you’re using Minio or another S3-compatible storage solution, you’ll need to provide the following configuration:
  1. Bucket Name: Name of the S3-compatible bucket
  2. Region: Region identifier (can be any string for Minio)
  3. Access Key ID: Access key for authentication
  4. Secret Access Key: Secret key for authentication
  5. Endpoint URL: Full URL to your S3-compatible storage endpoint
These values will be used in the configuration steps below.
Make sure your blob storage is accessible from your Kubernetes cluster and note down all credentials and endpoints for the next steps.
2

Setup PostgreSQL Database

Ensure you have a PostgreSQL database (version >= 13) set up and accessible from your Kubernetes cluster.
For production environments, we strongly recommend using a managed PostgreSQL service:
  1. Create a PostgreSQL instance with the specifications from the Compute Requirements section
  2. Create a database named truefoundry (or your preferred name)
  3. Create a user with full permissions on this database
  4. Note down the following details:
    • DB_HOST: Database hostname or IP address
    • DB_PORT: Database port (usually 5432)
    • DB_NAME: Database name
    • DB_USERNAME: Database username
    • DB_PASSWORD: Database password
For development or testing purposes only, you can deploy PostgreSQL on Kubernetes:
  1. Set devMode.enabled: true in the values file (shown in a later step)
  2. The PostgreSQL will be automatically deployed with the control plane
This setup is NOT highly-available and should NOT be used for production environments.
PostgreSQL SSL Configuration: For PostgreSQL 17+, SSL must be disabled in the database configuration. This can typically be done by setting SSL-related parameters to false or 0 in your database configuration.
3

Add Helm Repository

Add the ArgoCD helm repository:
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update argo
4

Install ArgoCD

Install ArgoCD if not already installed:
helm install argocd argo/argo-cd \
--namespace argocd \
--create-namespace \
--version 7.8.26 \
--set server.extraArgs[0]="--insecure" \
--set server.extraArgs[1]="--application-namespaces=*" \
--set controller.extraArgs[0]="--application-namespaces=*" \
--set applicationSet.enabled=false \
--set notifications.enabled=false \
--set dex.enabled=false
5

Create Kubernetes Secrets

We will create two secrets in this step:
  1. Store the License Key and DB Credentials
  2. Store the Image Pull Secret
We need to create a Kubernetes secret containing the licence key and database credentials that you configured in the previous step.
Use the PostgreSQL database credentials from the “Setup PostgreSQL Database” step above.
truefoundry-creds.yaml
apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-creds
type: Opaque
stringData:
  TFY_API_KEY: <TFY_API_KEY> # Provided by TrueFoundry team
  DB_HOST: <DB_HOST>
  DB_NAME: <DB_NAME>
  DB_USERNAME: <DB_USERNAME>
  DB_PASSWORD: <DB_PASSWORD>
Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)
kubectl apply -f truefoundry-creds.yaml -n truefoundry
We need to create a Image Pull Secret to enable pulling the truefoundry images from the private registry.
truefoundry-image-pull-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-image-pull-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <IMAGE_PULL_SECRET> # Provided by TrueFoundry team
Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)
kubectl apply -f truefoundry-image-pull-secret.yaml -n truefoundry
6

Create HelmChart Values File

Create a values file as given below and replace the following values:
  • Control Plane URL: URL that you will map to the control plane dashboard (e.g., https://truefoundry.example.com)
  • Tenant Name: Tenant name provided by TrueFoundry team
  • Blob Storage Configuration: Use the bucket name, region, access keys, and endpoint URL from the “Setup Blob Storage” step above
truefoundry-values.yaml
global:
  # Domain to map the control plane dashboard
  controlPlaneURL: https://truefoundry.example.com

  # Ask TrueFoundry team to provide these
  tenantName: <TENANT_NAME>

  # Choose the resource tier as per your needs
  resourceTier: medium # or small or large

  # This is the reference to the secrets we created in the previous step
  existingTruefoundryCredsSecret: "truefoundry-creds"
  imagePullSecrets:
  - name: "truefoundry-image-pull-secret"
  ## Add if you have restricted public registry access
  # image:
  #   pullSecretNames: 
  #   - "truefoundry-image-pull-secret"

  config:
    defaultCloudProvider: "aws"
    storageConfiguration:
      # Use the blob storage configuration from "Setup Blob Storage" step
      awsS3BucketName: "<S3_BUCKET_NAME>"
      awsRegion: "<S3_REGION>"
      # For S3-compatible storage (Minio, etc.), provide credentials and endpoint
      awsAccessKeyId: "<AWS_ACCESS_KEY_ID>"
      awsSecretAccessKey: "<AWS_SECRET_ACCESS_KEY>"
      awsEndpointURL: "<AWS_ENDPOINT_URL>" # e.g., http://minio.example.com
      # awsAllowHttp: "true" # Optional: Enable if using HTTP instead of HTTPS
      
      # Alternative: Use Kubernetes secret for credentials (recommended for production)
      # awsAccessKeyId: ${k8s-secret/truefoundry-creds/AWS_ACCESS_KEY_ID}
      # awsSecretAccessKey: ${k8s-secret/truefoundry-creds/AWS_SECRET_ACCESS_KEY}

# In case, you want to spin up PostgreSQL on kubernetes, enable this
# Please add creds and host details in the secret `truefoundry-creds`
devMode:
  enabled: false

truefoundryFrontendApp:
  ingress:
    hosts:
      - truefoundry.example.com # Replace with your domain (without https://)
    enabled: false
    annotations: {}
    ingressClassName: nginx # Replace with your ingress class name

# Enable AI Gateway features
tags:
  llmGateway: true
  llmGatewayRequestLogging: true
7

Install TrueFoundry Control Plane

Install the TrueFoundry control plane using the OCI helm chart:
helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry \
-n truefoundry --create-namespace -f truefoundry-values.yaml
8

Configure Load Balancer and DNS

  1. Get the IP address of the load balancer:
kubectl get svc -n truefoundry
  1. Point your control plane domain to this IP address in your DNS provider.
  2. Configure TLS certificates for the load balancer to terminate TLS traffic.
9

Verify Installation

  1. Wait for all pods to be running:
kubectl get pods -n argocd
kubectl get pods -n truefoundry
  1. Access the control plane at your configured URL and login with the same credentials used to register the tenant.

Setting Up Compute Plane

After installing the control plane, you need to set up a compute plane where your applications will run.
Compute Plane InstallationFor complete instructions on setting up the compute plane on your generic cluster, please refer to the Generic Compute Plane Setup guide.
Important: Setting Up Control Plane as a Compute PlaneWhen installing the control plane, you need to set up the control plane cluster as a compute plane managed by TrueFoundry itself. This allows you to manage control plane upgrades and configuration through the TrueFoundry UI.To enable this, you MUST disable all add-ons to avoid conflicts with existing cluster components. The add-ons that should be disabled include:
  • ArgoCD - Already installed separately in Step 2
  • Argo Workflows - Conflicts with control plane installation
  • Argo Rollouts - Conflicts with control plane installation
  • Istio - Conflicts if already present
  • Cert Manager - Conflicts if already present
  • Prometheus - Conflicts if already present
  • KEDA - Conflicts if already present
These add-ons will be automatically disabled when you use the TrueFoundry chart for control plane installation (they are not included in the values file above).

Configuring Node Pools for TrueFoundry

To enable node pools in your cluster with TrueFoundry, follow these steps:

Node Pool Label Configuration

Ensure all nodes in your cluster have a node pool label. This label should follow the format <nodepool-label-key>: <nodepool-name>. Example: If your node pool label key is truefoundry.com/nodepool, each node should have a label like truefoundry.com/nodepool: <nodepool-name>. To configure the label key in TrueFoundry:
  1. Click on edit in the Cluster and then toggle on the Advanced Fields section.
  2. Under Node Label Keys, fill in the Nodepool Selector Label with your chosen label key.

GPU Node Pool Configuration

To deploy workloads on GPU nodes, assign labels to GPU node pools indicating the GPU type. Label Key: truefoundry.com/gpu_type Possible Values:
  • A10G, A10_12GB, A10_24GB, A10_4GB, A10_8GB
  • A100_40GB, A100_80GB
  • H100_80GB, H100_94GB, H200
  • L4, L40S
  • P100, P4, T4, V100
Example: If you have a nodepool with A10G (24GB) nodes, label nodes of this nodepool with truefoundry.com/gpu_type: A10_24GB.

Adding Domain for Workloads

  1. Add a separate domain for hosting workloads (can be a wildcard domain).
  2. Point the domain to the load balancer IP address.
  3. Configure TLS certificate for the domain.
  4. Add the domain in the TrueFoundry platform UI.

Adding Docker Registry

Check the integrations section to configure container registries for your deployments.