Skip to content
DeepintShield DeepintShield

Helm

Deploy DeepIntShield on Kubernetes using the official Helm chart. This is the recommended way to deploy DeepIntShield on Kubernetes with production-ready defaults and flexible configuration.

Prerequisites

Section titled “Prerequisites”
  • Kubernetes cluster (v1.19+)
  • kubectl configured
  • Helm 3.2.0+ installed
  • (Optional) Persistent Volume provisioner
  • (Optional) Ingress controller

Quick Start

Section titled “Quick Start”

Add Helm Repository

Section titled “Add Helm Repository”
Terminal window
helm repo add deepintshield https://maximhq.github.io/deepintshield/helm-charts
helm repo update

Install DeepIntShield

Section titled “Install DeepIntShield”
Terminal window
helm install deepintshield deepintshield/deepintshield --set image.tag=1.3.45

This deploys DeepIntShield with:

  • SQLite storage (10Gi PVC)
  • Single replica
  • ClusterIP service

Access DeepIntShield

Section titled “Access DeepIntShield”
Terminal window
kubectl port-forward svc/deepintshield 8080:8080
curl http://localhost:8080/metrics

Deployment Patterns

Section titled “Deployment Patterns”

Development Setup

Section titled “Development Setup”

Simple setup for local testing and development.

Terminal window
helm install deepintshield deepintshield/deepintshield \
  --set image.tag=1.3.45 \
  --set deepintshield.providers.openai.keys[0].value="sk-your-key" \
  --set deepintshield.providers.openai.keys[0].weight=1

Features:

  • SQLite storage
  • Single replica
  • No auto-scaling
  • ClusterIP service

Access:

Terminal window
kubectl port-forward svc/deepintshield 8080:8080

Configuration

Section titled “Configuration”

Key Parameters

Section titled “Key Parameters”
ParameterDescriptionDefault
image.tagRequired. DeepIntShield image version (e.g., 1.3.45)""
replicaCountNumber of replicas1
storage.modeStorage backend (sqlite/postgres)sqlite
storage.persistence.sizePVC size for SQLite10Gi
postgresql.enabledDeploy PostgreSQLfalse
vectorStore.enabledEnable vector storefalse
vectorStore.typeVector store type (weaviate/redis/qdrant). Use redis for Redis or Valkey-compatible servicesnone
deepintshield.encryptionKeyEncryption key""
ingress.enabledEnable ingressfalse
autoscaling.enabledEnable HPAfalse

Secret Reference Parameters

Section titled “Secret Reference Parameters”

Use existing Kubernetes secrets instead of plain-text values:

ParameterDescriptionDefault
deepintshield.encryptionKeySecret.nameSecret name for encryption key""
deepintshield.encryptionKeySecret.keyKey within the secret""
postgresql.external.existingSecretSecret name for PostgreSQL password""
postgresql.external.passwordKeyKey within the secret"password"
vectorStore.redis.external.existingSecretSecret name for Redis password""
vectorStore.redis.external.passwordKeyKey within the secret"password"
vectorStore.weaviate.external.existingSecretSecret name for Weaviate API key""
vectorStore.weaviate.external.apiKeyKeyKey within the secret"api-key"
vectorStore.qdrant.external.existingSecretSecret name for Qdrant API key""
vectorStore.qdrant.external.apiKeyKeyKey within the secret"api-key"
deepintshield.plugins.maxim.secretRef.nameSecret name for Maxim API key""
deepintshield.plugins.maxim.secretRef.keyKey within the secret"api-key"
deepintshield.providerSecrets.<provider>.existingSecretSecret name for provider API key""
deepintshield.providerSecrets.<provider>.keyKey within the secret"api-key"
deepintshield.providerSecrets.<provider>.envVarEnvironment variable name to inject""

Provider Configuration

Section titled “Provider Configuration”

Add provider keys via values file:

deepintshield:
  providers:
    openai:
      keys:
        - value: "sk-..."
          weight: 1
    anthropic:
      keys:
        - value: "sk-ant-..."
          weight: 1

Or via command line:

Terminal window
helm install deepintshield deepintshield/deepintshield \
  --set image.tag=1.3.45 \
  --set deepintshield.providers.openai.keys[0].value="sk-..." \
  --set deepintshield.providers.openai.keys[0].weight=1

Using Environment Variables for Provider Keys

Section titled “Using Environment Variables for Provider Keys”

DeepIntShield supports env.VAR_NAME syntax to reference environment variables. Combined with providerSecrets, you can keep API keys in Kubernetes secrets:

deepintshield:
  providers:
    openai:
      keys:
        - value: "env.OPENAI_API_KEY"  # References environment variable
          weight: 1


  # Inject secrets as environment variables
  providerSecrets:
    openai:
      existingSecret: "my-openai-secret"
      key: "api-key"
      envVar: "OPENAI_API_KEY"

This pattern:

  1. Creates a Kubernetes secret with the API key
  2. Injects the secret as an environment variable (OPENAI_API_KEY)
  3. DeepIntShield resolves env.OPENAI_API_KEY at runtime

Plugin Configuration

Section titled “Plugin Configuration”

Enable and configure plugins:

deepintshield:
  plugins:
    telemetry:
      enabled: true
      config: {}


    logging:
      enabled: true
      config: {}


    governance:
      enabled: true
      config:
        is_vk_mandatory: false


    semanticCache:
      enabled: true
      config:
        provider: "openai"
        embedding_model: "text-embedding-3-small"
        dimension: 1536
        threshold: 0.8
        ttl: "5m"
        cache_by_model: true
        cache_by_provider: true

Operations

Section titled “Operations”

Upgrade

Section titled “Upgrade”
Terminal window
# Update repository
helm repo update


# Upgrade with same values
helm upgrade deepintshield deepintshield/deepintshield --reuse-values


# Upgrade with new values
helm upgrade deepintshield deepintshield/deepintshield -f your-values.yaml

Rollback

Section titled “Rollback”
Terminal window
# View release history
helm history deepintshield


# Rollback to previous version
helm rollback deepintshield


# Rollback to specific revision
helm rollback deepintshield 2

Uninstall

Section titled “Uninstall”
Terminal window
# Uninstall release
helm uninstall deepintshield


# Delete PVCs (if you want to remove data)
kubectl delete pvc -l app.kubernetes.io/instance=deepintshield

Scale

Section titled “Scale”
Terminal window
# Scale manually
kubectl scale deployment deepintshield --replicas=5


# Or update via Helm
helm upgrade deepintshield deepintshield/deepintshield \
  --set replicaCount=5 \
  --reuse-values

Monitoring

Section titled “Monitoring”

Prometheus Metrics

Section titled “Prometheus Metrics”

DeepIntShield exposes Prometheus metrics at /metrics.

Enable ServiceMonitor for automatic scraping:

serviceMonitor:
  enabled: true
  interval: 30s
  scrapeTimeout: 10s

Health Checks

Section titled “Health Checks”

Check pod health:

Terminal window
# View pod status
kubectl get pods -l app.kubernetes.io/name=deepintshield


# Check logs
kubectl logs -l app.kubernetes.io/name=deepintshield --tail=100


# Describe pod
kubectl describe pod -l app.kubernetes.io/name=deepintshield

Metrics Endpoints

Section titled “Metrics Endpoints”
Terminal window
# Port forward
kubectl port-forward svc/deepintshield 8080:8080


# Check metrics
curl http://localhost:8080/metrics


# Check health
curl http://localhost:8080/health

Troubleshooting

Section titled “Troubleshooting”

Pod Not Starting

Section titled “Pod Not Starting”
Terminal window
# Check events
kubectl describe pod -l app.kubernetes.io/name=deepintshield


# Check logs
kubectl logs -l app.kubernetes.io/name=deepintshield


# Common issues:
# - Image pull errors: Check repository access
# - PVC binding: Check PVC status
# - Config errors: Validate ConfigMap

Database Connection Issues

Section titled “Database Connection Issues”
Terminal window
# For embedded PostgreSQL
kubectl exec -it deployment/deepintshield-postgresql -- psql -U deepintshield


# Check connectivity from pod
kubectl exec -it deployment/deepintshield -- nc -zv deepintshield-postgresql 5432


# Check secret
kubectl get secret deepintshield-config -o yaml

High Memory Usage

Section titled “High Memory Usage”
Terminal window
# Check resource usage
kubectl top pods -l app.kubernetes.io/name=deepintshield


# Increase limits
helm upgrade deepintshield deepintshield/deepintshield \
  --set resources.limits.memory=4Gi \
  --reuse-values

Ingress Not Working

Section titled “Ingress Not Working”
Terminal window
# Check ingress status
kubectl describe ingress deepintshield


# Check ingress controller logs
kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx


# Verify DNS
nslookup deepintshield.yourdomain.com

Advanced Configuration

Section titled “Advanced Configuration”

Custom Values File

Section titled “Custom Values File”

Create my-values.yaml:

image:
  tag: "1.3.45"  # Required: specify the DeepIntShield version


replicaCount: 3


storage:
  mode: postgres


postgresql:
  enabled: true
  auth:
    password: "secure-password"


autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 10


ingress:
  enabled: true
  className: nginx
  hosts:
    - host: deepintshield.example.com
      paths:
        - path: /
          pathType: Prefix


deepintshield:
  encryptionKey: "your-32-byte-key"
  providers:
    openai:
      keys:
        - value: "sk-..."
          weight: 1

Install:

Terminal window
helm install deepintshield deepintshield/deepintshield -f my-values.yaml

Environment Variables

Section titled “Environment Variables”

Add custom environment variables:

env:
  - name: CUSTOM_VAR
    value: "custom-value"


envFrom:
  - secretRef:
      name: deepintshield-secrets
  - configMapRef:
      name: deepintshield-config

Node Affinity

Section titled “Node Affinity”

Deploy to specific nodes:

nodeSelector:
  node-type: ai-workload


affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/name: deepintshield
        topologyKey: kubernetes.io/hostname


tolerations:
  - key: "gpu"
    operator: "Equal"
    value: "true"
    effect: "NoSchedule"

Enterprise Deployment

Section titled “Enterprise Deployment”

For enterprise customers, DeepIntShield provides dedicated container images hosted in private registries with additional features, support, and SLAs.

Private Container Registry

Section titled “Private Container Registry”

Enterprise customers receive access to DeepIntShield images in a private container registry. To use your enterprise registry, override the image.repository with your provided registry URL:

enterprise-gcp.yaml
image:
  repository: us-west1-docker.pkg.dev/deepintshield-enterprise/your-org/deepintshield
  tag: "latest"


imagePullSecrets:
  - name: gcr-secret

Create the pull secret:

Terminal window
kubectl create secret docker-registry gcr-secret \
  --docker-server=us-west1-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(cat service-account-key.json)" \
  --docker-email=your-email@example.com

Full Enterprise Configuration

Section titled “Full Enterprise Configuration”

Complete example for enterprise deployments with all recommended settings:

enterprise-full.yaml
image:
  # Your enterprise registry URL (provided by Maxim)
  repository: us-west1-docker.pkg.dev/deepintshield-enterprise/your-org/deepintshield
  tag: "latest"


imagePullSecrets:
  - name: enterprise-registry-secret


replicaCount: 3


# Production-grade resources
resources:
  requests:
    cpu: 1000m
    memory: 2Gi
  limits:
    cpu: 4000m
    memory: 8Gi


# Auto-scaling for high availability
autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 20
  targetCPUUtilizationPercentage: 70
  targetMemoryUtilizationPercentage: 80


# PostgreSQL storage
storage:
  mode: postgres


postgresql:
  enabled: true
  auth:
    password: "secure-password"  # Use existingSecret in production
  primary:
    persistence:
      size: 100Gi
    resources:
      requests:
        cpu: 1000m
        memory: 2Gi
      limits:
        cpu: 4000m
        memory: 8Gi


# Vector store for semantic caching
vectorStore:
  enabled: true
  type: weaviate
  weaviate:
    enabled: true
    persistence:
      size: 100Gi


# Ingress with TLS
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
  hosts:
    - host: deepintshield.yourcompany.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: deepintshield-tls
      hosts:
        - deepintshield.yourcompany.com


# DeepIntShield configuration
deepintshield:
  encryptionKeySecret:
    name: "deepintshield-encryption"
    key: "key"


  client:
    initialPoolSize: 1000
    dropExcessRequests: true
    enableLogging: true
    disableContentLogging: false  # Set to true for compliance
    logRetentionDays: 365
    enforceGovernanceHeader: true
    allowDirectKeys: false
    maxRequestBodySizeMb: 100
    allowedOrigins:
      - "https://yourcompany.com"
      - "https://*.yourcompany.com"


  # Use secrets for provider keys
  providers:
    openai:
      keys:
        - value: "env.OPENAI_API_KEY"
          weight: 1
    anthropic:
      keys:
        - value: "env.ANTHROPIC_API_KEY"
          weight: 1


  providerSecrets:
    openai:
      existingSecret: "provider-api-keys"
      key: "openai-api-key"
      envVar: "OPENAI_API_KEY"
    anthropic:
      existingSecret: "provider-api-keys"
      key: "anthropic-api-key"
      envVar: "ANTHROPIC_API_KEY"


  # Governance with authentication
  governance:
    authConfig:
      isEnabled: true
      disableAuthOnInference: false
      existingSecret: "deepintshield-admin-credentials"
      usernameKey: "username"
      passwordKey: "password"


  # Enable all plugins
  plugins:
    telemetry:
      enabled: true
    logging:
      enabled: true
    governance:
      enabled: true
      config:
        is_vk_mandatory: true
    semanticCache:
      enabled: true
      config:
        provider: "openai"
        embedding_model: "text-embedding-3-small"
        dimension: 1536
        threshold: 0.85
        ttl: "1h"


# Pod distribution
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/name: deepintshield
        topologyKey: kubernetes.io/hostname

Enterprise Prerequisites

Section titled “Enterprise Prerequisites”

Before deploying, create the required secrets:

Terminal window
# 1. Registry pull secret (see registry-specific instructions above)


# 2. Encryption key
kubectl create secret generic deepintshield-encryption \
  --from-literal=key='your-32-byte-encryption-key'


# 3. Provider API keys
kubectl create secret generic provider-api-keys \
  --from-literal=openai-api-key='sk-...' \
  --from-literal=anthropic-api-key='sk-ant-...'


# 4. Admin credentials (for governance)
kubectl create secret generic deepintshield-admin-credentials \
  --from-literal=username='admin' \
  --from-literal=password='secure-admin-password'

Install Enterprise Build

Section titled “Install Enterprise Build”
Terminal window
helm install deepintshield deepintshield/deepintshield -f enterprise-full.yaml

Enterprise Support

Section titled “Enterprise Support”

Enterprise customers have access to:

  • Dedicated Slack channel for support
  • Priority bug fixes and feature requests
  • Custom feature development
  • SLA guarantees
  • Compliance documentation (SOC2, HIPAA, etc.)

Contact support@getmaxim.ai for enterprise support.

Resources

Section titled “Resources”

Next Steps

Section titled “Next Steps”
  1. Configure provider keys
  2. Enable plugins
  3. Set up observability
  4. Configure governance