Kubernetes

EDDI runs natively on Kubernetes. This guide covers deployment options from a simple quickstart to production-grade configurations.

Prerequisites

  • Kubernetes cluster (1.26+) — minikube, kind, GKE, EKS, AKS, or any conformant cluster

  • kubectl configured to access your cluster

  • Helm 3 (optional, for Helm chart deployment)

Quick Start (5 minutes)

Option A: Single-file manifest

Deploy EDDI + MongoDB with one command:

kubectl apply -f https://raw.githubusercontent.com/labsai/EDDI/main/k8s/quickstart.yaml

Then generate and store a vault master key:

# Generate the secret
kubectl create secret generic eddi-secrets \
  --namespace=eddi \
  --from-literal=EDDI_VAULT_MASTER_KEY="$(openssl rand -base64 24)" \
  --dry-run=client -o yaml | kubectl apply -f -

# Restart EDDI to pick up the key
kubectl rollout restart deployment/eddi -n eddi

# Access EDDI
kubectl port-forward svc/eddi 7070:7070 -n eddi

Open http://localhost:7070.

Option B: Using the helper script

PowerShell:

Option C: Helm

Deployment Options

EDDI provides modular overlays (Kustomize) and Helm values for different deployment profiles:

Database Backend

  • MongoDB (default)
    Kustomize: kubectl apply -k k8s/overlays/mongodb/
    Helm: --set mongodb.enabled=true

  • PostgreSQL
    Kustomize: kubectl apply -k k8s/overlays/postgres/
    Helm: --set postgres.enabled=true --set mongodb.enabled=false --set eddi.datastoreType=postgres

Optional Components

The component overlays (auth, nats, monitoring, etc.) are designed to be composed with a database overlay. They do not include the base EDDI manifests on their own.

  • Keycloak Auth: OIDC authentication
    Helm: --set keycloak.enabled=true --set eddi.oidc.enabled=true

  • NATS JetStream: durable messaging for multi-replica deployments
    Helm: --set nats.enabled=true --set eddi.messagingType=nats

  • Manager UI: configuration dashboard
    Helm: --set manager.enabled=true

  • Monitoring: Prometheus + Grafana
    Helm: --set monitoring.prometheus.enabled=true

  • Ingress: external HTTPS access
    Helm: --set ingress.enabled=true --set ingress.hosts[0].host=eddi.example.com

  • Production: HPA, PDB, NetworkPolicy
    Helm: --set autoscaling.enabled=true --set podDisruptionBudget.enabled=true

Composing Kustomize Overlays

Kustomize takes one directory as input. To combine components, create a kustomization.yaml that references multiple overlays:

Ready-made examples are provided in k8s/examples/:

Architecture on Kubernetes

Security

Vault Master Key

The vault master key encrypts all stored API keys and secrets. If you lose this key, encrypted secrets are unrecoverable.

Three ways to manage it:

  1. Helper script (recommended for initial setup):

  2. Manual kubectl:

  3. External secrets (production): Use External Secrets Operator to sync from AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, etc.

Pod Security

EDDI runs as a non-root user (UID 185) and is compatible with the restricted Pod Security Standards profile:

Network Policy

The production overlay includes a NetworkPolicy that restricts EDDI to:

  • Ingress: HTTP port 7070 from within the namespace + Ingress controllers

  • Egress: Database (MongoDB/PG), NATS, Keycloak, DNS, and external HTTPS (port 443 for LLM APIs)
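As an added illustration (not the policy shipped in the EDDI production overlay), the following NetworkPolicy expresses the rules listed above. The pod label app=eddi, the ingress-controller namespace label, the CoreDNS pod label and the backend ports are assumptions; adjust them to your cluster.

```yaml
# Illustrative NetworkPolicy for EDDI; assumes EDDI pods are labelled app=eddi,
# the ingress controller runs in a namespace named ingress-nginx, and MongoDB,
# PostgreSQL, NATS and Keycloak listen on their default ports in this namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eddi-restrict
  namespace: eddi
spec:
  podSelector:
    matchLabels:
      app: eddi
  policyTypes: [Ingress, Egress]
  ingress:
    # HTTP 7070 from any pod in the namespace or from the ingress controller
    - from:
        - podSelector: {}
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - {protocol: TCP, port: 7070}
  egress:
    # DNS: cluster resolver pods in any namespace (CoreDNS label k8s-app=kube-dns)
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
    # Database, NATS and Keycloak inside the eddi namespace
    - to:
        - podSelector: {}
      ports:
        - {protocol: TCP, port: 27017}   # MongoDB
        - {protocol: TCP, port: 5432}    # PostgreSQL
        - {protocol: TCP, port: 4222}    # NATS client port
        - {protocol: TCP, port: 8080}    # Keycloak
    # External HTTPS for LLM APIs; RFC 1918 ranges are excluded so this rule
    # cannot be used to reach other in-cluster or on-prem services on 443
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
      ports:
        - {protocol: TCP, port: 443}
```

If your pod or service CIDRs fall outside the RFC 1918 ranges, add them to the except list; otherwise the external rule would still permit 443 to those addresses.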

Scaling

Single Replica (default)

Default configuration uses in-memory messaging — suitable for development and low-traffic deployments.

Multi-Replica (production)

For horizontal scaling, enable NATS JetStream for durable message ordering:

Kustomize:

Helm:

Monitoring

EDDI exposes Prometheus metrics at /q/metrics. The EDDI Deployment includes Prometheus scrape annotations by default:

Deploy the monitoring stack using the full example or Helm:

Health Checks

EDDI provides three probe endpoints:

  • /q/health/live
    Probe type: Liveness
    Purpose: process is alive

  • /q/health/ready
    Probe type: Readiness + Startup
    Purpose: DB connected, ready for traffic

  • /q/metrics
    Prometheus metrics

File Structure

Note: Overlays marked (standalone) include the base and can be applied directly with kubectl apply -k. Overlays marked (component) must be composed with a standalone overlay — see Composing Kustomize Overlays.

Troubleshooting

EDDI pod stuck in CrashLoopBackOff

Check if the database is reachable:

Common causes:

  • MongoDB/PostgreSQL not yet ready (wait for StatefulSet pod)

  • Incorrect connection string in ConfigMap

  • Volume claims pending (check kubectl get pvc -n eddi)

EDDI starts but readiness probe fails

Check the health endpoint:

Vault key issues

If you see "vault master key not set" warnings, create the secret:

PVC stuck in Pending

If PVCs aren't provisioning, check your StorageClass:

If your cluster doesn't have a default StorageClass, uncomment storageClassName in the StatefulSet manifests.
