Deepchecks Self-Hosted Enterprise runs entirely in your own infrastructure, giving you full control over networking, security, and scaling. The platform is designed to run on Kubernetes to ensure reliable performance and horizontal scalability in production environments. This documentation walks through the infrastructure components and configuration required to deploy Deepchecks successfully.

Deployment Overview

The high-level steps for deploying Deepchecks differ slightly between cloud and self-hosted environments. Use the tabs below to see the deployment journey for your target environment; each step links to the section with full instructions.

Confirm infrastructure prerequisites — verify your AWS account, EKS cluster, and minimum resource availability.
Configure SQS queues — create the message queues used by background workers.
Configure object storage — create an S3 bucket for ML models and application data.
Configure authentication — register an application with your identity provider for end-user login.
Obtain a license key — request your LICENSE_KEY from Deepchecks.
Configure your Kubernetes cluster — install required tooling, create the application secret, and configure permissions.
Install the NVIDIA GPU Operator — required for the gpu-runner worker.
Install the Helm chart — deploy Deepchecks into your cluster (see the Helm Chart Reference for chart version selection).
Configure DNS — point your domain at the ingress controller's external address.

Infrastructure Prerequisites

The following diagram illustrates a typical Deepchecks deployment running on AWS:

Prior to deploying Self-Hosted Enterprise, Deepchecks recommends having each of the following infrastructure components ready to go. Select your deployment environment below for provider-specific guidance.

Component	Recommendation	Notes
Kubernetes Cluster	Amazon EKS cluster deployed in at least 2 availability zones	We recommend a cluster configured with Karpenter for automatic node scaling. Kubernetes version 1.33 or higher is required.
GPU Nodes	g4dn.xlarge (1x NVIDIA T4, 4 vCPU, 16 GiB RAM)	Each GPU worker requires a dedicated node
Ingress Controller	AWS Load Balancer Controller	A dedicated subdomain is required for access to the application
Object Storage	AWS S3 Bucket
Database	AWS RDS PostgreSQL 16	We suggest starting with an instance such as db.r6g.large and scaling up if necessary. TLS connections are not currently supported.
Cache	AWS ElastiCache (Redis)	cache.t4g.micro is recommended for all deployment sizes. TLS connections are not currently supported.
Processing Queue	AWS SQS	See the Queue Configuration section for further details
Secrets Manager	AWS Secrets Manager	(Optional) Recommended for use with the External Secrets Operator for securely providing sensitive data to your deployment
Identity Provider		See Authentication for supported providers

Minimum Resource Requirements

The following table summarizes the default CPU and memory requests for each Deepchecks component. These represent the minimum resources your cluster must be able to schedule.

📘
Node Storage
We recommend that each node has a minimum of 150 GB of available storage.

Component	Replicas	CPU Request	Memory Request
Web Server	1	2000m	8Gi
Workers (each)
advanced-llm-prop-calculator	1	1000m	6Gi
batcher-runner	1	1000m	6Gi
dc-calibrator	1	1000m	6Gi
dc-proba-calculator	1	1000m	6Gi
estimate-annotation-calculator	1	1000m	6Gi
general-calc-runner	1	1000m	6Gi
garak-props-runner	1	1000m	6Gi
gpu-runner	1	1000m	6Gi
insights-runner	1	1000m	6Gi
llm-properties-calculator	1	1000m	6Gi
notifier	1	1000m	6Gi
pre-calc-eng	1	1000m	6Gi
translator	1	1000m	6Gi
Models Sync Job	1 (one-time)	2000m	8Gi
Total	14 + job	17 vCPU	94 Gi

📘
GPU Worker
The gpu-runner worker must run on a dedicated GPU-powered node and is not included in the CPU/memory totals above. Plan for an additional node with at least 4 vCPU, 16 GiB RAM, and one NVIDIA T4 (or equivalent) GPU. See the Infrastructure Prerequisites section for recommended GPU instance types.

All resource values can be customized in your values.yaml. See the Example Configurations section for details.

Queue Configuration

Overview

Deepchecks uses message queues to coordinate background processing tasks. All queues are created with a configurable prefix that must match the TENANT_NAME environment variable provided during Helm chart deployment. See Environment Variables for further details.

All queues are AWS SQS standard queues.

Table of required SQS queues and their configuration

Queue Name	Visibility Timeout	Max Receive Count
insights-calculator	360 seconds	3
insights-calculator-dlq	360 seconds	-
garak-props-calculator	360 seconds	3
garak-props-calculator-dlq	360 seconds	-
props-calc-batcher	360 seconds	3
props-calc-batcher-dlq	360 seconds	-
translation	660 seconds	3
translation-dlq	660 seconds	-
pre-calc-eng	660 seconds	3
pre-calc-eng-dlq	660 seconds	-
advanced-llm-prop-calculator	360 seconds	3
advanced-llm-prop-calculator-dlq	360 seconds	-
calibrator	360 seconds	3
calibrator-dlq	360 seconds	-
notifier	360 seconds	3
notifier-dlq	360 seconds	-
proba-calculator	360 seconds	3
proba-calculator-dlq	360 seconds	-
llm-properties	660 seconds	3
llm-properties-dlq	660 seconds	-
topics-inference	660 seconds	3
topics-inference-dlq	660 seconds	-
topics-train	660 seconds	3
topics-train-dlq	660 seconds	-
similarity-annotations	660 seconds	3
similarity-annotations-dlq	660 seconds	-
properties-calculator	660 seconds	3
properties-calculator-dlq	660 seconds	-
estimate-annotation-calculator	360 seconds	3
estimate-annotation-calculator-dlq	360 seconds	-
general-calc	660 seconds	3
general-calc-dlq	660 seconds	-

Example Terraform to create the required queues

The following Terraform example can be used to bootstrap your queues:

variable "queue_prefix" {
  description = "Prefix for queue names (must match TENANT_NAME)"
  type        = string
  default     = "deepchecks"
}

locals {
  queues = {
    insights-calculator = {
      visibility_timeout = 360
      max_receive_count  = 3
    }
    garak-props-calculator = {
      visibility_timeout = 360
      max_receive_count  = 3
    }
    props-calc-batcher = {
      visibility_timeout = 360
      max_receive_count  = 3
    }
    translation = {
      visibility_timeout = 660
      max_receive_count  = 3
    }
    pre-calc-eng = {
      visibility_timeout = 660
      max_receive_count  = 3
    }
    advanced-llm-prop-calculator = {
      visibility_timeout = 360
      max_receive_count  = 3
    }
    calibrator = {
      visibility_timeout = 360
      max_receive_count  = 3
    }
    notifier = {
      visibility_timeout = 360
      max_receive_count  = 3
    }
    proba-calculator = {
      visibility_timeout = 360
      max_receive_count  = 3
    }
    llm-properties = {
      visibility_timeout = 660
      max_receive_count  = 3
    }
    topics-inference = {
      visibility_timeout = 660
      max_receive_count  = 3
    }
    topics-train = {
      visibility_timeout = 660
      max_receive_count  = 3
    }
    similarity-annotations = {
      visibility_timeout = 660
      max_receive_count  = 3
    }
    properties-calculator = {
      visibility_timeout = 660
      max_receive_count  = 3
    }
    estimate-annotation-calculator = {
      visibility_timeout = 360
      max_receive_count  = 3
    }
    general-calc = {
      visibility_timeout = 660
      max_receive_count  = 3
    }
  }
}

# Dead Letter Queues
resource "aws_sqs_queue" "dlq" {
  for_each = local.queues

  name                       = "${var.queue_prefix}-${each.key}-dlq"
  visibility_timeout_seconds = each.value.visibility_timeout
}

# Main Queues
resource "aws_sqs_queue" "queue" {
  for_each = local.queues

  name                       = "${var.queue_prefix}-${each.key}"
  visibility_timeout_seconds = each.value.visibility_timeout

  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.dlq[each.key].arn
    maxReceiveCount     = each.value.max_receive_count
  })
}

Object Storage

Deepchecks requires access to object storage for storing ML models and application data.

Create an S3 bucket for use by the Deepchecks application.

📘
Bucket Name
Note the name of the bucket you create as you will need to set it as the GENERAL.MODELS_BUCKET_NAME environment variable in the Helm chart.

Authentication

End users authenticate to Deepchecks through an external OAuth 2.0 / OIDC identity provider. Select the provider by setting OAUTH.PROVIDER and supply its connection details via the OAUTH.CLIENT_ID, OAUTH.CLIENT_SECRET, OAUTH.SERVER_URL, and OAUTH.TENANT_URL environment variables (see Environment Variables for the full list).

`OAUTH.PROVIDER`	Identity provider
`auth0`	Auth0
`entra_id`	Microsoft Entra ID
`dex`	Dex

Set OAUTH.PROVIDER=auth0 and provide your Auth0 application credentials via the OAUTH.* environment variables.

Licensing

Deepchecks deployments are activated using a license key issued by Deepchecks. Two activation modes are supported.

Mode	When to use	Key environment variable
Online	The cluster has outbound network access to `licensing.cdn.deepchecks.com`.	`LICENSE_KEY`
Offline (air-gapped)	The cluster cannot reach the public licensing server.	`PRODUCT_KEY`

⚠️
Mutually Exclusive
Set either LICENSE_KEY or PRODUCT_KEY — never both. If both are set, LICENSE_KEY takes precedence.

Online activation

Used by all cloud deployments and any on-premises cluster with internet egress.

Receive your LICENSE_KEY from Deepchecks support.
Add LICENSE_KEY to the Kubernetes Secret referenced by global.secretName.

The application validates the key against the Deepchecks licensing server periodically.

Offline (air-gapped) activation

For clusters with no outbound access to the Deepchecks licensing server, a PRODUCT_KEY is issued against the UUID of the kube-system namespace, binding it to that specific cluster. The Kubernetes cluster must be provisioned before a PRODUCT_KEY can be issued.

Retrieve your cluster UUID. Run the following against your target cluster:
```
kubectl get namespace kube-system -o jsonpath='{.metadata.uid}'
```
The UUID is generated when the cluster is created and persists across upgrades and node replacements.
Submit the cluster UUID along with your customer details to Deepchecks support.
Receive your PRODUCT_KEY from Deepchecks.
Provision external dependencies. PostgreSQL, Redis/Valkey, RabbitMQ, and S3-compatible object storage must be running and reachable from the cluster before deploying the Helm chart.
Configure the deployment. Add PRODUCT_KEY to the Kubernetes Secret referenced by global.secretName and ensure LICENSE_KEY is not set.

Kubernetes Configuration

Supported Environments:

Amazon Elastic Kubernetes Service (EKS) on EC2
Kubernetes version 1.33 or higher
Clusters configured with Karpenter are recommended for automatic node scaling
Amazon EKS on Fargate is not supported

Tooling

We require you to install and configure the following Kubernetes tooling:

Install helm by following these instructions
Install kubectl by following these instructions
Configure kubectl to connect to your cluster:

See here for how to configure your kubecontext for AWS EKS.

Create a Kubernetes namespace for your Deepchecks deployment (this can also be done as part of the Helm deployment):

kubectl create namespace deepchecks

Configuring Kubernetes Secrets

Sensitive credentials must be available in a Kubernetes Secret during deployment. The secret must be referenced in your values.yaml file at global.secretName. Ensure all required secrets are configured before deploying. See the Environment Variables section for the full list.

📘
External Secrets Operator
While creating a Kubernetes Secret manually will work, we recommend using the External Secrets Operator with your secrets manager of choice (e.g., AWS Secrets Manager, Azure Key Vault, Google Secret Manager) to securely create this secret on your behalf.

Example: creating the secret manually

kubectl create secret generic deepchecks-secrets \
  --namespace deepchecks \
  --from-literal=DATABASE.URI='postgresql://user:pass@host:5432/dbname' \
  --from-literal=OAUTH.CLIENT_SECRET='your-oauth-secret' \
  --from-literal=WEBAPP.AUTH_JWT_SECRET='your-jwt-secret' \
  --from-literal=LICENSE_KEY='your-license-key'

For on-premises deployments, also include the storage credentials:

--from-literal=STORAGE_ACCESS_KEY_ID='your-storage-access-key' \
--from-literal=STORAGE_SECRET_ACCESS_KEY='your-storage-secret-key'

GPU Nodes

In order for Kubernetes to utilize GPU nodes, the NVIDIA GPU Operator must be installed on your cluster. The installation process is the same across all supported Kubernetes distributions (EKS, AKS, GKE, and on-premises).

Example values.yaml for the NVIDIA GPU Operator

This example works as of GPU Operator version 0.18.0:

nodeSelector:
  role: gpu
affinity: null

tolerations:
  - key: CriticalAddonsOnly
    operator: Exists
  - key: nvidia.com/gpu
    operator: Exists

📘
GPU Node Configuration
In this example GPU nodes have the label role: gpu. Be sure to configure the operator as suits your deployment needs. The gpu-runner worker must run on a GPU-powered node. You can configure this via the Helm chart.

Application Permissions

The Deepchecks application requires access to cloud provider APIs for object storage and message queue operations.

The recommended approach is to use IRSA or Pod Identities to provide AWS permissions to the application.

Required IAM Policy

📘
Variable Replacement
Replace BUCKET_NAME, REGION, ACCOUNT_ID and TENANT_NAME with the relevant values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:Put*",
        "s3:Delete*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<BUCKET_NAME>",
        "arn:aws:s3:::<BUCKET_NAME>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl"
      ],
      "Resource": "arn:aws:sqs:<REGION>:<ACCOUNT_ID>:<TENANT_NAME>*"
    },
    {
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Mirroring Artifacts for Air-Gapped Clusters

📘
On-Premises Only
This section applies only to self-hosted clusters that cannot reach registry.cdn.deepchecks.com. If your cluster has outbound network access, you can skip this section and follow Registry Authentication instead.

Air-gapped deployments must mirror two artifacts to an internal registry before installing:

The application image (registry.cdn.deepchecks.com/deepchecks/llm), which contains the web server and all background workers.
The Helm chart (oci://registry.cdn.deepchecks.com/deepchecks/llm-stack), which orchestrates the deployment.

📘
Versions for This Documentation Version
Use application image tag 0.44.0 and Helm chart version 2.2.1 (or later) with this version of the documentation. The application image follows semantic versioning (<MAJOR>.<MINOR>.<PATCH>) and matches the application version in the documentation. The chart and application are versioned independently — see the Helm Chart Reference for the compatibility matrix.

Application Image

Pull the image from the Deepchecks registry on a host with outbound network access:

docker login registry.cdn.deepchecks.com
docker pull registry.cdn.deepchecks.com/deepchecks/llm:0.44.0

Re-tag and push the image into your internal registry:

docker tag registry.cdn.deepchecks.com/deepchecks/llm:0.44.0 <INTERNAL_REGISTRY>/deepchecks/llm:0.44.0
docker push <INTERNAL_REGISTRY>/deepchecks/llm:0.44.0

Helm Chart

Pull the chart from the Deepchecks OCI registry on a host with outbound network access. This produces a .tgz archive in the current directory:

helm registry login registry.cdn.deepchecks.com
helm pull oci://registry.cdn.deepchecks.com/deepchecks/llm-stack --version 2.2.1
# Produces llm-stack-2.2.1.tgz

Push the chart into your internal OCI registry:
```
helm registry login <INTERNAL_REGISTRY>
helm push llm-stack-2.2.1.tgz oci://<INTERNAL_REGISTRY>/deepchecks
```
Alternatively, transfer the .tgz file directly to your air-gapped environment and install it from disk (helm install deepchecks ./llm-stack-2.2.1.tgz ...) without pushing to a registry.

Configure `values.yaml`

After mirroring, point the chart at your mirror and disable the model sync job:

Override the image repository so the chart pulls the application image from your mirror:
```
global:
  image:
    repository: <INTERNAL_REGISTRY>/deepchecks
```
Disable the model sync job. It downloads model artefacts from the public internet and is not used in air-gapped deployments:
```
modelsSync:
  enabled: false
```
See Disabling Model Sync (Air-Gapped Deployments) for details on pre-loading the storage bucket.

When you reach the Installation step, install from your mirrored chart instead of the public registry — for example helm install deepchecks oci://<INTERNAL_REGISTRY>/deepchecks/llm-stack --version 2.2.1 --values values.yaml.

Deploying the Deepchecks Helm Chart

Deepchecks is distributed as a Helm chart named llm-stack, which packages the llm application image (web server and all background workers) along with the cluster resources required to run it. The chart is hosted as an OCI artifact at oci://registry.cdn.deepchecks.com/deepchecks/llm-stack; the application image is hosted at registry.cdn.deepchecks.com/deepchecks/llm.

The chart is versioned independently from the application. See the Helm Chart Reference for the compatibility matrix between chart and application versions, upgrade notes, and the values schema.

Registry Authentication

In order to access the Helm chart and container images you will need your credentials from the Deepchecks team.

helm registry login registry.cdn.deepchecks.com

Image Pull Secret

Container images are pulled from a private registry, so the deployment namespace needs an image pull secret referenced from global.imagePullSecrets. Create it with kubectl:

kubectl create secret docker-registry deepchecks-registry \
  --namespace deepchecks \
  --docker-server=registry.cdn.deepchecks.com \
  --docker-username=<USERNAME> \
  --docker-password=<LICENSE_KEY>

Then reference it in values.yaml:

global:
  imagePullSecrets:
    - name: deepchecks-registry

See the Kubernetes documentation for further details.

Installation

helm install deepchecks oci://registry.cdn.deepchecks.com/deepchecks/llm-stack \
  --values values.yaml \
  --namespace deepchecks \
  --create-namespace

⏳
Deployment Timeout
As part of the deployment, a Kubernetes job will run to populate the object storage bucket with required model data. This job requires internet access to pull model artifacts. Typically this takes approximately 2 minutes, but depends on network performance. If your Helm commands are timing out, add --timeout 20m0s.

⚠️
Sync Job
As part of the Helm deployment each Deployment has an initContainer that checks that a 'sync' Job has completed successfully. If the Job is manually deleted, new pods will fail to start. Setting modelsSync.enabled: false removes both the Job and the initContainer check, so air-gapped deployments are unaffected by this constraint.

Disabling Model Sync (Air-Gapped Deployments)

For air-gapped deployments where internet access is unavailable or model syncing is not needed, you can disable the model sync job by setting modelsSync.enabled to false in your values.yaml:

modelsSync:
  enabled: false

⚠️
Pre-load Models
When model sync is disabled, models must be pre-loaded into the storage bucket before deployment. The application will not attempt to download or synchronize model artifacts at startup. Instructions for obtaining the model artifacts will be provided by Deepchecks at deployment time.

DNS Configuration

Configure a DNS record for the FQDN you set in WEBAPP.DEPLOYMENT_URL (for example, deepchecks.example.com) pointing to your ingress controller's external address:

AWS: a CNAME record pointing to the AWS Load Balancer Controller's provisioned ALB hostname.
Azure: an A record pointing to the Kong (or other) ingress controller's external IP.
GCP: an A record pointing to the Google Cloud Application Load Balancer's external IP provisioned by the GKE Ingress Controller.
On-Premises: an A or CNAME record pointing to your ingress controller's external address.

The application is unreachable until DNS resolves to the ingress endpoint.

KEDA Autoscaling (Optional)

KEDA can be used to automatically scale workers based on queue depth. This is optional but recommended for production deployments.

Install KEDA on your cluster, then configure auto-wired scaling in your values.yaml:

kedaAutoscaling:
  enabled: true
  provider: "aws"
  aws:
    region: "<AWS_REGION>"
    queuePrefix: "<TENANT_NAME>"
    accountId: "<AWS_ACCOUNT_ID>"
    authenticationRef:
      name: "aws-credentials"
      kind: ClusterTriggerAuthentication

kedaTriggerAuthentication:
  enabled: true
  items:
    - name: aws-credentials
      scope: cluster
      podIdentity:
        provider: aws

Environment Variables

Non-sensitive values can be passed directly via the Helm chart's global.env configuration. For sensitive values, create a Kubernetes Secret and reference it via global.secretName.

Environment Variables

Variable	Description	Required	Default/Valid Values	Format/Notes	Sensitive
Database
`DATABASE.URI`	PostgreSQL database connection string	Yes		Format: `postgresql://<username>:<password>@<host>:<port>/<database>` (default port `5432`). The database user requires full access to the target database; the application creates and migrates schema on startup. No additional setup is required.	Yes
General
`GENERAL.MODELS_BUCKET_NAME`	Name of the storage bucket/container where ML models are stored	Yes		This is the name of the bucket/container that you created in the Object Storage section.
Logger
`LOGGER.FORMATTER`	Output format for application logs	No	Default: `JSON`, Valid: `JSON`, `TEXT`
`LOGGER.LEVEL`	Logging level	No	Default: `INFO`, Valid: `DEBUG`, `INFO`, `WARNING`, `ERROR`
OAuth
`OAUTH.CLIENT_ID`	OAuth client identifier provided by your identity provider	Yes
`OAUTH.CLIENT_SECRET`	OAuth client secret provided by your identity provider	Yes		Store securely and never commit to version control	Yes
`OAUTH.PROVIDER`	OAuth provider type	Yes	Default: `auth0`, Valid: `auth0`, `entra_id`, `dex`	See Authentication for setup details
`OAUTH.SERVER_URL`	Base URL of your OAuth authorization server (the OIDC issuer URL)	Yes		e.g. `https://example.auth0.com`, `https://login.microsoftonline.com/<TENANT_ID>/v2.0`, or `https://dex.example.com`
`OAUTH.TENANT_URL`	Tenant-specific URL for your OAuth provider	Yes		For Auth0/Dex this is typically the same as `OAUTH.SERVER_URL`. For Entra ID use `https://login.microsoftonline.com/<TENANT_ID>`
Redis
`REDIS.HOST`	Hostname or IP address of the Redis/Valkey server	Yes
`REDIS.PASSWORD`	Authentication password for Redis/Valkey server	No (only if authentication is enabled)		Store securely if authentication is enabled	Yes
`REDIS.PORT`	Port number for Redis/Valkey connection	Yes	Default: `6379`
Tenant
`TENANT_NAME`	Name of the default tenant. Used as prefix for queue names and other tenant-specific resources.	Yes		Format: Lowercase alphanumeric characters and hyphens only. This tenant is automatically created when the application first starts.
`LICENSE_KEY`	License key provided by Deepchecks for your deployment	Yes (unless `PRODUCT_KEY` is set)		Also used as the password for accessing the container registry. For air-gapped deployments use `PRODUCT_KEY` instead. See Licensing.	Yes
`CREATE_ORG_FOR_USER`	Email address of the first user in the system (will have 'Owner' role)	Yes		This user must be the first to log in. They can subsequently transfer ownership.
Web Application
`WEBAPP.AUTH_JWT_SECRET`	Secret key used to sign JWT tokens for API authentication	Yes		Generate with `openssl rand -base64 32`. Minimum 32 characters. Store securely.	Yes
`WEBAPP.DEPLOYMENT_URL`	FQDN where the application is deployed	Yes		Format: Complete URL including protocol (e.g., `https://deepchecks.example.com`).
On-Premises Only
`STORAGE_ACCESS_KEY_ID`	Access key ID for S3-compatible storage	Yes (on-prem only)		Required when using S3-compatible storage (MinIO, Ceph, etc.)	Yes
`STORAGE_SECRET_ACCESS_KEY`	Secret access key for S3-compatible storage	Yes (on-prem only)		Required when using S3-compatible storage	Yes
`STORAGE_ENDPOINT`	Endpoint URL of S3-compatible storage	Yes (on-prem only)		e.g., `https://minio.example.com:9000`
`RABBITMQ_URL`	AMQP connection URL for your RabbitMQ broker	Yes (on-prem only)		Format: `amqp://<username>:<password>@<host>:<port>/`. Store securely if credentials are embedded.	Yes
`PRODUCT_KEY`	Product key for air-gapped deployments	Yes (air-gapped only)		Use instead of `LICENSE_KEY` when the deployment cannot reach the Deepchecks licensing server. Bound to the cluster's `kube-system` UUID. See Offline (air-gapped) activation.	Yes

Example Configurations

The examples below show provider-specific overrides on top of the chart's defaults. To inspect the full default chart values, run:

helm show values oci://registry.cdn.deepchecks.com/deepchecks/llm-stack --version <CHART_VERSION>

For details on the chart's structure and the most commonly customised keys, see the Helm Chart Reference.

Example client values.yaml

serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/DeepchecksRole

global:
  image:
    tag: "0.44.0"
  imagePullSecrets:
    - name: deepchecks-registry
  secretName: "deepchecks-secrets"
  env:
    CREATE_ORG_FOR_USER: "[email protected]"
    TENANT_NAME: "example"
    GENERAL.MODELS_BUCKET_NAME: "deepchecks-models"
    LOGGER.LEVEL: "INFO"
    REDIS.HOST: "host.redis.example.com"
    REDIS.PORT: "6379"
    LOGGER.FORMATTER: "TEXT"
    WEBAPP.DEPLOYMENT_URL: "https://deepchecks.example.com"
    OAUTH.PROVIDER: "auth0"
    OAUTH.SERVER_URL: "https://example.auth0.com"
    OAUTH.TENANT_URL: "https://example.auth0.com"
    OAUTH.CLIENT_ID: "your-client-id"

web:
  ingress:
    enabled: true
    className: "alb"
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
    host: deepchecks.example.com
    tls:
      - hosts:
          - deepchecks.example.com
        secretName: deepchecks-tls

workers:
  gpu-runner:
    nodeSelector:
      role: gpu
    tolerations:
      - effect: NoSchedule
        key: nvidia.com/gpu
        operator: Exists

Deployment Overview

Infrastructure Prerequisites

Minimum Resource Requirements

Node Storage

GPU Worker

Queue Configuration

Overview

Object Storage

Bucket Name

Authentication

Licensing

Mutually Exclusive

Online activation

Offline (air-gapped) activation

Kubernetes Configuration

Tooling

Configuring Kubernetes Secrets

External Secrets Operator

GPU Nodes

GPU Node Configuration

Application Permissions

Variable Replacement

Mirroring Artifacts for Air-Gapped Clusters

On-Premises Only

Versions for This Documentation Version

Application Image

Helm Chart

Configure values.yaml

Deploying the Deepchecks Helm Chart

Registry Authentication

Image Pull Secret

Installation

Deployment Timeout

Sync Job

Disabling Model Sync (Air-Gapped Deployments)

Pre-load Models

DNS Configuration

KEDA Autoscaling (Optional)

Environment Variables

Example Configurations

Configure `values.yaml`