Deploy AI Gateway - TrueFoundry Docs

Key Components

To install the complete control plane on your own infrastructure, you need to install the following components:

Truefoundry Control Plane + Gateway (Shipped as a single helm chart called truefoundry)
PostgreSQL Database (Managed or Self-Hosted with PostgreSQL >= 13)
Blob Storage (S3, GCS, Azure Container or any other S3 compatible storage)

Compute Requirements

Truefoundry ships as a helm chart (https://github.com/truefoundry/infra-charts/tree/main/charts/truefoundry) that has configurable options to either deploy both Deployment and AI Gateway feature or just choose the one of them according to your needs. The compute requirements change based on the set of features and the scale of the number of users and requests. Here are a few scenarios that you can choose from based on your needs.

Small (Dev)
Medium (Prod)
Large (Prod)

The small tier is recommended for development purposes. Here all the components are deployed on Kubernetes and in non HA mode (single replica). This is suitable if you are just testing out the different features of Truefoundry.

This setup brings up 1 replica of the services and is not highly-available. It can enable you to test the features but we do not recommend this for production mode.

AWS
GCP
Azure

Component	CPU	Memory	Storage	Min Nodes	Remarks
Helm-Chart (AI Gateway Control Plane components)	6 vCPU	12GB	60GB _{Persistent Volumes (Block Storage) On Kubernetes}	2 _{Pods should be spread over min 2 nodes}	_{Cost: ~ $220 pm(EC2 and EC2 others)}
Helm-Chart (AI Gateway component only)	1 vCPU	512Mi	-	1 _{Pods should be spread over min 1 node}	_{Cost: ~ $35 pm(EC2 and EC2 others)}
Postgres (Deployed on Kubernetes)	0.5 vCPU	0.5GB	5GB _{Persistent Volumes (Block Storage) On Kubernetes}		_{Cost: ~ $15 pm (RDS compute and storage)}
Blob Storage (S3 Compatible)			20GB		_{Cost: ~ $3 pm (S3 storage)}

Component	CPU	Memory	Storage	Min Nodes	Remarks
Helm-Chart (AI Gateway Control Plane components)	6 vCPU	12GB	60GB _{Persistent Volumes (Block Storage) On Kubernetes}	2 _{Pods should be spread over min 2 nodes}	_{Cost: ~ Coming up}
Helm-Chart (AI Gateway component only)	1 vCPU	512Mi	-	1 _{Pods should be spread over min 1 node}	_{Cost: ~ Coming up}
Postgres (Deployed on Kubernetes)	0.5 vCPU	0.5GB	5GB _{Persistent Volumes (Block Storage) On Kubernetes}		_{Cost: ~ Coming up}
Blob Storage (S3 Compatible)			20GB		_{Cost: ~ Coming up}

Component	CPU	Memory	Storage	Min Nodes	Remarks
Helm-Chart (AI Gateway Control Plane components)	6 vCPU	12GB	60GB _{Persistent Volumes (Block Storage) On Kubernetes}	2 _{Pods should be spread over min 2 nodes}	_{Cost: ~ Coming up}
Helm-Chart (AI Gateway component only)	1 vCPU	512Mi	-	1 _{Pods should be spread over min 1 node}	_{Cost: ~ Coming up}
Postgres (Deployed on Kubernetes)	0.5 vCPU	0.5GB	5GB _{Persistent Volumes (Block Storage) On Kubernetes}		_{Cost: ~ Coming up}
Blob Storage (S3 Compatible)			20GB		_{Cost: ~ Coming up}

The medium tier is configured for production and will suffice teams of 10-500 members.

The AI Gateway is configured for a minimum 3 replicas (1 vCPU 1GB each) which can handle around 500 requests/second to LLMs.It’s configured to be horizontally scalable and autoscale when the load increases. The Block Storage and S3 are used to store LLM request logs. The size is dependent on the size and number of requests and should be set as per the expected usage.

AWS
GCP
Azure

Component	CPU	Memory	Storage	Min Nodes	Remarks
Helm-Chart (AI Gateway Control Plane components)	14 vCPU	32GB	250GB	3 _{Pods should be spread over min 3 nodes}	_{Cost: ~ $600 pm (EC2 and EC2 others)}
Helm-Chart (AI Gateway component only)	3 vCPU	3GB	-	3 _{Pods should be spread over min 3 nodes}	_{Cost: ~ $105 pm (EC2 and EC2 others)}
Postgres (Managed Database)	2 vCPU	4GB	30GB		_{Cost: ~ $60 pm (RDS compute and storage)}
Blob Storage (S3 Compatible)			500GB		_{Cost: ~ $15 pm (S3 storage)}

Component	CPU	Memory	Storage	Min Nodes	Remarks
Helm-Chart (AI Gateway Control Plane components)	14 vCPU	32GB	250GB	3 _{Pods should be spread over min 3 nodes}	_{Cost: ~ Coming up}
Helm-Chart (AI Gateway component only)	3 vCPU	3GB	-	3 _{Pods should be spread over min 3 nodes}	_{Cost: ~ Coming up}
Postgres (Managed Database)	2 vCPU	4GB	30GB		_{Cost: ~ Coming up}
Blob Storage (S3 Compatible)			500GB		_{Cost: ~ Coming up}

Component	CPU	Memory	Storage	Min Nodes	Remarks
Helm-Chart (AI Gateway Control Plane components)	14 vCPU	32GB	250GB	3 _{Pods should be spread over min 3 nodes}	_{Cost: ~ Coming up}
Helm-Chart (AI Gateway component only)	3 vCPU	3GB	-	3 _{Pods should be spread over min 3 nodes}	_{Cost: ~ Coming up}
Postgres (Managed Database)	2 vCPU	4GB	30GB		_{Cost: ~ Coming up}
Blob Storage (S3 Compatible)			500GB		_{Cost: ~ Coming up}

The large tier is configured for production and will suffice organizations of 500-50000 members.

The AI Gateway is configured for a minimum 10 replicas (1 vCPU 1GB each) which can handle around 2000 requests/second to LLMs.It’s configured to be horizontally scalable and autoscale when the load increases. The Block Storage and S3 are used to store LLM request logs. The size is dependent on the size and number of requests and should be set as per the expected usage.

AWS
GCP
Azure

Component	CPU	Memory	Storage	Min Nodes	Remarks
Helm-Chart (AI Gateway Control Plane components)	32 vCPU	64GB	400GB	10 _{Pods should be spread over min 10 nodes}	_{Cost: ~ $1400 pm (EC2 and EC2 others)}
Helm-Chart (AI Gateway component only)	10 vCPU	10GB	-	10 _{Pods should be spread over min 10 nodes}	_{Cost: ~ $350 pm (EC2 and EC2 others)}
Postgres (Managed Database)	2 vCPU	4GB	30GB		_{Cost: ~ $60 pm (RDS compute and storage)}
Blob Storage (S3 Compatible)			1000GB		_{Cost: ~ $30 pm (S3 storage)}

Component	CPU	Memory	Storage	Min Nodes	Remarks
Helm-Chart (AI Gateway Control Plane components)	32 vCPU	64GB	400GB	10 _{Pods should be spread over min 10 nodes}	_{Cost: ~ Coming up}
Helm-Chart (AI Gateway component only)	10 vCPU	10GB	-	10 _{Pods should be spread over min 10 nodes}	_{Cost: ~ Coming up}
Postgres (Managed Database)	2 vCPU	4GB	30GB		_{Cost: ~ Coming up}
Blob Storage (S3 Compatible)			1000GB		_{Cost: ~ Coming up}

Component	CPU	Memory	Storage	Min Nodes	Remarks
Helm-Chart (AI Gateway Control Plane components)	32 vCPU	64GB	400GB	10 _{Pods should be spread over min 10 nodes}	_{Cost: ~ Coming up}
Helm-Chart (AI Gateway component only)	10 vCPU	10GB	-	10 _{Pods should be spread over min 10 nodes}	_{Cost: ~ Coming up}
Postgres (Managed Database)	2 vCPU	4GB	30GB		_{Cost: ~ Coming up}
Blob Storage (S3 Compatible)			1000GB		_{Cost: ~ Coming up}

Prerequisites for Installation

Kubernetes Cluster: K8s cluster 1.27+.
Support for dynamic provisioning of storage for PVC (for e.g AWS EBS, Azure Disk etc.) and support for ingress controller (for e.g. Nginx Ingress Controller) or istio service mesh for exposing the control plane dashboard and AI Gateway at an endpoint.
Domain to map the ingress of the Control Plane dashboard and AI Gateway along with certificate for the domain.
This Domain will be referred as Control Plane URL in our documentation.
Egress Access from TrueFoundry:
- https://auth.truefoundry.com - Central Authentication Server for licensing and authentication
- https://login.truefoundry.com - Login UI for the central authentication server
- https://catalogue.truefoundry.com - Central Repository for fetching catalogues for latest model, their public cost, mcp servers, etc.
- https://analytics.truefoundry.com - Analytics Server for sending usage analytics to TrueFoundry.
Tenant Name, Licence key, and image pull secret - This will be given by TrueFoundry team. Make sure your organization is registered((https://truefoundry.com/register)) on TrueFoundry.
One Tenant Name and Licence key must only be used to setup one Control Plane. Later, switching to new tenant name and licence key would lead to complete data lose of existing control plane.
PostgreSQL database. We usually recommend managed PostgreSQL database (For e.g. AWS RDS, or Google Cloud SQL, or Azure Database for PostgreSQL) for production environments.
- PostgreSQL version >= 13
- IOPS: Default (suitable for dev/testing).
- For PostgreSQL 17+: Disable SSL, for AWS: by setting force_ssl parameter to 0 in the parameter group, for Azure: by setting require_secure_transport parameter to false in the parameter group
- For instance requirements, refer to the Compute Requirements section.
  In case, you do not have a managed database just for testing purposes, set devMode to true in the values file to spin up a local PostgreSQL database.
Blob Storage to store the AI Gateway request logs (either S3, GCS, Azure Blob Storage, or any other S3 compatible storage). You can find the instructions in the guide below.

Installation Instructions

AWS
GCP
Azure
Openshift
On-Prem

Create S3 Bucket

Create a S3 Bucket with following config:

Make sure the bucket has lifecycle configuration to abort multipart upload set for 7 days.
Make sure CORS is applied on the bucket with the below configuration:

[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET", "POST", "PUT"],
    "AllowedOrigins": ["*"],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3000
  }
]

Setup Control Plane Platform IAM Role

Creating AWS IAM Role for Control Plane

Control Plane IAM Role needs to have permission to access the S3 bucket created in the previous step.

Create a new IAM role for Control Plane with a suitable name like tfy-control-plane-platform-deps
Add the following trust policy to the Control Plane IAM Role:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Principal": {
              "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<AWS_REGION>.amazonaws.com/id/<OIDC_ID>"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
              "StringEquals": {
                  "oidc.eks.<AWS_REGION>.amazonaws.com/id/<OIDC_ID>:sub": [
                      "system:serviceaccount:truefoundry:truefoundry",
                  ]
              }
          }
      }
  ]
}

In place of <ACCOUNT_ID>, <AWS_REGION>, and <OIDC_ID> you can also give the values from your EKS cluster. You can find the OIDC_ID from the EKS cluster. Also, here we are assuming that the service account is truefoundry and the namespace is truefoundry, you can change it as per your needs.

Create a IAM Policy to allow access to the S3 Bucket with following config:

{
  "Statement": [
    {
      "Sid": "S3",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::<YOUR_S3_BUCKET_NAME>",
        "arn:aws:s3:::<YOUR_S3_BUCKET_NAME>/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}

Attach the IAM Policy to the Control Plane Platform IAM Role. You can also attach the IAM policy to access AWS bedrock models from the link here.

If you are integrating with AWS bedrock models from a different AWS account, you can check the FAQ section.

Create Postgres RDS Database

Create a Postgres RDS instance of size db.t3.medium with storage size of 30GB.

Important Configuration Notes: - For PostgreSQL 17: Disable SSL by setting force_ssl parameter to 0 in the parameter group - Security Group: Ensure your RDS security group has inbound rules allowing traffic from EKS node security groups

In case you want to setup PostgreSQL on Kubernetes and not use RDS for testing purposes, skip this step and set devMode to true in the values file below

Create Kubernetes Secrets

We will create two secrets in this step:

Store the License Key and DB Credentials
Store the Image Pull Secret

Create Kubernetes Secret for License Key and DB Credentials

We need to create a Kubernetes secret containing the licence key and db credentials.

If you are using PostgreSQL on Kubernetes in the dev mode, the values will be as follows:DB_HOST: <HELM_RELEASE_NAME>-postgresql.<NAMESPACE>.svc.cluster.local // eg. truefoundry-postgresql.truefoundry.svc.cluster.localDB_NAME: truefoundryDB_USERNAME: postgres # In order to use custom username, please update the same at postgresql.auth.usernameDB_PASSWORD: randompassword # You can change this to any value here.

truefoundry-creds.yaml

apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-creds
type: Opaque
stringData:
  TFY_API_KEY: <TFY_API_KEY> # Provided by TrueFoundry team
  DB_HOST: <DB_HOST>
  DB_NAME: <DB_NAME>
  DB_USERNAME: <DB_USERNAME>
  DB_PASSWORD: <DB_PASSWORD>

Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)

kubectl apply -f truefoundry-creds.yaml -n truefoundry

Create Kubernetes Secret for Image Pull Secret

We need to create a Image Pull Secret to enable pulling the truefoundry images from the private registry.

truefoundry-image-pull-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-image-pull-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <IMAGE_PULL_SECRET> # Provided by TrueFoundry team

Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)

kubectl apply -f truefoundry-image-pull-secret.yaml -n truefoundry

Create HelmChart Values file

Create a values file as given below and replace the following values:

Control Plane URL: URL that you will map to the control plane dashboard (e.g., https://truefoundry.example.com)
Tenant Name: Tenant name provided by TrueFoundry team
AWS S3 Bucket Name: Name of the S3 bucket you created in the previous step (e.g., my-truefoundry-bucket)
AWS Region: Region of the S3 bucket you created in the previous step (e.g., us-west-2)
Control Plane IAM Role ARN: ARN of the IAM role you created in the previous step (e.g., arn:aws:iam::123456789012:role/tfy-control-plane-platform-deps)

truefoundry-values.yaml

global:
  # Domain to map the platform to
  controlPlaneURL: https://example.com

  # Ask TrueFoundry team to provide these
  tenantName: <TENANT_NAME>

  # Choose the resource tier as per your needs
  resourceTier: medium # or small or large

  # This is the reference to the secrets we created in the previous step
  existingTruefoundryCredsSecret: "truefoundry-creds"
  imagePullSecrets:
    - name: "truefoundry-image-pull-secret"
  ## Add if you have restricted public registry access
  # image:
  #   pullSecretNames:
  #   - "truefoundry-image-pull-secret"

  config:
    defaultCloudProvider: "aws"
    storageConfiguration:
      awsS3BucketName: "<AWS_S3_BUCKET_NAME>"
      awsRegion: "<AWS_REGION>"

  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: <CONTROL_PLANE_IAM_ROLE_ARN>

  ingress:
    hosts:
      - example.com
    enabled: true
    annotations: {}
    ingressClassName: nginx # Replace with your ingress class name

# In case, you want to spin up PostgreSQL on kubernetes, enable this
# Please add creds and host details in the secret `truefoundry-creds` in the previous step
devMode:
  enabled: false
tags:
  llmGateway: true
  llmGatewayRequestLogging: true

# Disable few dependencies for only LLM Gateway setup
tfyBuild:
  enabled: false
sfyManifestService:
  enabled: false
tfyController:
  enabled: false
tfyConfigs:
  enabled: false

Install Helm chart

helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry -n truefoundry --create-namespace -f truefoundry-values.yaml

Create GCP Storage Bucket

We will need a GCS bucket to store the LLM request logs.

Create GCS bucket

To setup GCP Storage for control plane, follow the steps below:

Create a GCP bucket.
- Make sure to add the lifecycle configurations on the bucket to delete multipart upload after 7 days.
- For this go to GCP bucket -> Lifecycle -> Add a rule
- Select Delete multi-part upload for 7 days
We also need to add the CORS policy to the GCP bucket. Right now adding the CORS policy to the GCP bucket is not possible through the console so for this, we will use gsutil
1. Create a file called cors.json using the below command
cat > cors.json <<EOF [ { "origin": ["*"], "method": ["GET", "POST", "PUT"], "maxAgeSeconds": 3600 } ] EOF
Attach the above CORS policy to the service account by running the following command using gsutils
gsutil cors set cors.json gs://BUCKET_NAME

Create a custom IAM role with the following permissions and add to the serviceaccount created above:

[
  "storage.objects.create",
  "storage.objects.delete",
  "storage.objects.get",
  "storage.objects.list",
  "storage.objects.update",
  "storage.buckets.create",
  "storage.buckets.get",
  "storage.buckets.list",
  "storage.buckets.create",
  "storage.buckets.update",
  "storage.multipartUploads.create",
  "storage.multipartUploads.list",
  "storage.multipartUploads.listParts",
  "storage.multipartUploads.abort",
  "resourcemanager.projects.get",
];

Add the following IAM condition - resource.name.startsWith('projects/\_/buckets/<bucket name>}') to the above IAM role.

Create Google Cloud SQL for PostgreSQL database

Create a Google Cloud SQL for PostgreSQL database of size db-custom-1-3840 with storage size of 30GB.

Important Configuration Notes: - For PostgreSQL 17+: Disable SSL Security > Allow unencrypted network traffic - Firewall Rules: Ensure your database firewall rules allow inbound traffic from GKE node pools

In case you want to setup PostgreSQL on Kubernetes in the dev mode, skip this step and set devMode to true in the values file in the steps below.

Create Kubernetes Secrets

We will create two secrets in this step:

Store the License Key and DB Credentials
Store the Image Pull Secret

Create Kubernetes Secret for License Key and DB Credentials

We need to create a Kubernetes secret containing the licence key and db credentials.

truefoundry-creds.yaml

apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-creds
type: Opaque
stringData:
  TFY_API_KEY: <TFY_API_KEY> # Provided by TrueFoundry team
  DB_HOST: <DB_HOST>
  DB_NAME: <DB_NAME>
  DB_USERNAME: <DB_USERNAME>
  DB_PASSWORD: <DB_PASSWORD>

Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)

kubectl apply -f truefoundry-creds.yaml -n truefoundry

Create Kubernetes Secret for Image Pull Secret

We need to create a Image Pull Secret to enable pulling the truefoundry images from the private registry.

truefoundry-image-pull-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-image-pull-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <IMAGE_PULL_SECRET> # Provided by TrueFoundry team

Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)

kubectl apply -f truefoundry-image-pull-secret.yaml -n truefoundry

Create Helm chart Values file

Create a values file as given below and replace the following values:

Control Plane URL: URL that you will map to the control plane dashboard.
Tenant Name: Tenant name provided by TrueFoundry team.
GCP Project ID: GCP project ID provided by TrueFoundry team.
GCP Storage Bucket Name: Name of the GCS bucket you created in the previous step.
GCP Service Account Name: Name of the GCP service account you created in the previous step.

truefoundry-values.yaml

global:
  # Domain to map the control plane dashboard
  controlPlaneURL: https://example.com

  # Ask TrueFoundry team to provide these
  tenantName: <TENANT_NAME>

  # Choose the resource tier as per your needs
  resourceTier: medium # or small or large

  # This is the reference to the secrets we created in the previous step
  existingTruefoundryCredsSecret: "truefoundry-creds"
  imagePullSecrets:
    - name: "truefoundry-image-pull-secret"
  ## Add if you have restricted public registry access
  # image:
  #   pullSecretNames:
  #   - "truefoundry-image-pull-secret"

  config:
    defaultCloudProvider: "gcp"
    storageConfiguration:
      googleCloudProjectId: "<GCP_PROJECT_ID>"
      googleCloudStorageBucketName: "<GCP_STORAGE_BUCKET_NAME>"

  serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account: <CONTROL_PLANE_GCP_SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com

  ingress:
    hosts:
      - example.com
    enabled: true
    annotations: {}
    ingressClassName: nginx # Replace with your ingress class name

# In case, you want to spin up PostgreSQL on kubernetes, enable this
devMode:
  enabled: false
tags:
  llmGateway: true
  llmGatewayRequestLogging: true

# Disable few dependencies for only LLM Gateway setup
tfyBuild:
  enabled: false
sfyManifestService:
  enabled: false
tfyController:
  enabled: false
tfyConfigs:
  enabled: false

Install Helm chart

helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry -n truefoundry --create-namespace -f truefoundry-values.yaml

Create Azure Blob Storage

To setup Azure Blob Storage for control plane, follow the steps below:

Create a Azure Storage account in your resource group
1. Instance details - You must Geo-redundant storage to make sure your data is available through other regions in case of region unavailability.
2. Security - Make sure
  1. DISABLE Allow enabling anonymous access on individual containers
  2. ENABLE Enable storage account key access
3. Network access - ENABLE Allow public access from all networks
4. Recovery - You can keep it to default for 7 days.
Create an Azure container inside the above storage account.
Search for CORS from the left panel and for Blob service (optional for File service Queue service and Table Service, only apply the change if you are using them) select the below options
1. Allowed Origins - * or your control plane URL
2. Allowed Methods - GET, POST, PUT
3. Allowed Headers - *
4. Exposed Headers - Etag
5. MaxAgeSeconds - 3600
Collect the following information
1. Standard endpoint - Endpoint of the blob storage Once the container is created we need to get the standard endpoint of the blob storage along with the container which will look something like this. Replace this with your storage account name and the container name.
  https://*mystorageaccount*.blob.core.windows.net/*mycontainer*/
2. Connection string - From the Azure portal in your storage account, head over to the Security + Networking section under Access keys which will contain the Connection String .

Create Azure Database for PostgreSQL database

Create a PostgreSQL database of size GP_Standard_D4ds_v5 with storage size of 30GB.

Important Configuration Notes: - For PostgreSQL 17+: Disable SSL, allowing both encrypted and unencrypted client communications, you can change the server parameter require_secure_transport to OFF - Security Group: Ensure your database firewall rules allow inbound traffic from AKS node pools

In case you want to setup PostgreSQL on Kubernetes in the dev mode, skip this step and set devMode to true in the values file in the steps below.

Create Kubernetes Secrets

We will create two secrets in this step:

Store the License Key and DB Credentials
Store the Image Pull Secret

Create Kubernetes Secret for License Key and DB Credentials

We need to create a Kubernetes secret containing the licence key and db credentials.

truefoundry-creds.yaml

apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-creds
type: Opaque
stringData:
  TFY_API_KEY: <TFY_API_KEY> # Provided by TrueFoundry team
  DB_HOST: <DB_HOST>
  DB_NAME: <DB_NAME>
  DB_USERNAME: <DB_USERNAME>
  DB_PASSWORD: <DB_PASSWORD>

Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)

kubectl apply -f truefoundry-creds.yaml -n truefoundry

Create Kubernetes Secret for Image Pull Secret

We need to create a Image Pull Secret to enable pulling the truefoundry images from the private registry.

truefoundry-image-pull-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-image-pull-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <IMAGE_PULL_SECRET> # Provided by TrueFoundry team

Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)

kubectl apply -f truefoundry-image-pull-secret.yaml -n truefoundry

Create HelmChart Values file

Create a values file as given below and replace the following values:

Control Plane URL: URL that you will map to the control plane dashboard.
Tenant Name: Tenant name provided by TrueFoundry team.
Azure Blob URI: Azure Blob URI provided by TrueFoundry team.
Azure Blob Connection String: Azure Blob Connection String provided by TrueFoundry team.

truefoundry-values.yaml

global:
  # Domain to map the platform to
  controlPlaneURL: https://example.com

  # Ask TrueFoundry team to provide these
  tenantName: <TENANT_NAME>

  # This is the reference to the secrets we created in the previous step
  existingTruefoundryCredsSecret: "truefoundry-creds"
  imagePullSecrets:
    - name: "truefoundry-image-pull-secret"
  ## Add if you have restricted public registry access
  # image:
  #   pullSecretNames:
  #   - "truefoundry-image-pull-secret"

  # Choose the resource tier as per your needs
  resourceTier: medium # or small or large

  config:
    defaultCloudProvider: "azure"
    storageConfiguration:
      azureBlobUri: "<AZURE_BLOB_URI>"
      # Add the connection string as part of truefoundry-creds secret(refer - https://github.com/truefoundry/infra-charts/blob/main/charts/truefoundry/README.md#using-k8s-secret-for-additional-fields):
      azureBlobConnectionString: ${k8s-secret/truefoundry-creds/AZURE_BLOB_CONNECTION_STRING}
  ingress:
    hosts:
      - example.com
    enabled: true
    annotations: {}
    ingressClassName: nginx # Replace with your ingress class name
# In case, you want to spin up PostgreSQL on kubernetes, enable this
# Please add creds and host details in the secret `truefoundry-creds`
devMode:
  enabled: false
tags:
  llmGateway: true
  llmGatewayRequestLogging: true

tfyBuild:
  enabled: false
sfyManifestService:
  enabled: false
tfyController:
  enabled: false
tfyConfigs:
  enabled: false

Install Helm chart

helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry -n truefoundry --create-namespace -f truefoundry-values.yaml

In OpenShift clusters, the values file will be slightly different. The rest of the steps remains the exact same as what you would do for AWS/GCP/Azure.The values file will be as follows:

truefoundry-values.yaml

global:
  # Domain to map the control plane dashboard
  controlPlaneURL: https://example.com

  # Ask TrueFoundry team to provide these
  tenantName: <TENANT_NAME>

  # This is the reference to the secrets we created in the previous step
  existingTruefoundryCredsSecret: "truefoundry-creds"
  imagePullSecrets:
    - name: "truefoundry-image-pull-secret"
  ## Add if you have restricted public registry access
  # image:
  #   pullSecretNames:
  #   - "truefoundry-image-pull-secret"

  # Choose the resource tier as per your needs
  resourceTier: medium # or small or large

  config:
    defaultCloudProvider: "aws"
    storageConfiguration:
      awsS3BucketName: "<AWS_S3_BUCKET_NAME>"
      awsRegion: "<AWS_REGION>"

  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: <CONTROL_PLANE_IAM_ROLE_ARN>
  ingress:
    hosts:
      - example.com
    enabled: true
    annotations: {}
    ingressClassName: nginx # Replace with your ingress class name
    # For haproxy openshift, please add the following annotation to the ingress
    haproxy.router.openshift.io/rewrite-target: /
# In case, you want to spin up PostgreSQL on kubernetes, enable this
# Please add creds and host details in the secret `truefoundry-creds`
devMode:
  enabled: false
tags:
  llmGateway: true
  llmGatewayRequestLogging: true

# Disable few dependencies for only LLM Gateway setup
tfyBuild:
  enabled: false
sfyManifestService:
  enabled: false
tfyController:
  enabled: false
tfyConfigs:
  enabled: false

Get S3 compatible storage

You can use Minio or any other S3 compatible storage.

Using Minio (Self-Hosted S3-Compatible Storage)

If you’re using Minio or another S3-compatible storage solution, you’ll need to provide the following configuration:

Bucket Name: Name of the S3-compatible bucket
Region: Region identifier (can be any string for Minio)
Access Key ID: Access key for authentication
Secret Access Key: Secret key for authentication
Endpoint URL: Full URL to your S3-compatible storage endpoint

These values will be used in the configuration steps below.

Create Postgres database

If you have a managed postgres database, we highly recommend you to use it. If you don’t have one, you can create a PostgreSQL database of size equivalent to db.t3.medium with storage size of 30GB.

Important Configuration Notes:

For PostgreSQL 17+: Disable SSL by setting force_ssl parameter to 0 in the parameter group
Security Group: Ensure your database security group/firewall rules allow traffic from Kubernetes node groups

Using Managed PostgreSQL

For production environments, we strongly recommend using a managed PostgreSQL service:

Create a PostgreSQL instance with the specifications from the Compute Requirements section
Create a database named truefoundry (or your preferred name)
Create a user with full permissions on this database
Note down the following details:
- DB_HOST: Database hostname or IP address
- DB_PORT: Database port (usually 5432)
- DB_NAME: Database name
- DB_USERNAME: Database username
- DB_PASSWORD: Database password

Using PostgreSQL on Kubernetes (Dev/Testing Only)

For development or testing purposes only, you can deploy PostgreSQL on Kubernetes:

Set devMode.enabled: true in the values file (shown in a later step)
The PostgreSQL will be automatically deployed with the control plane

This setup is NOT highly-available and should NOT be used for production environments.

Create Kubernetes Secrets

We will create two secrets in this step:

Store the License Key and DB Credentials
Store the Image Pull Secret

Create Kubernetes Secret for License Key and DB Credentials

We need to create a Kubernetes secret containing the licence key and db credentials.

truefoundry-creds.yaml

apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-creds
type: Opaque
stringData:
  TFY_API_KEY: <TFY_API_KEY> # Provided by TrueFoundry team
  DB_HOST: <DB_HOST>
  DB_NAME: <DB_NAME>
  DB_USERNAME: <DB_USERNAME>
  DB_PASSWORD: <DB_PASSWORD>

Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)

kubectl apply -f truefoundry-creds.yaml -n truefoundry

Create Kubernetes Secret for Image Pull Secret

We need to create a Image Pull Secret to enable pulling the truefoundry images from the private registry.

truefoundry-image-pull-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-image-pull-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <IMAGE_PULL_SECRET> # Provided by TrueFoundry team

Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)

kubectl apply -f truefoundry-image-pull-secret.yaml -n truefoundry

Create HelmChart Values file

Create a values file as given below and replace the following values:

Control Plane URL: URL that you will map to the control plane dashboard.
Tenant Name: Tenant name provided by TrueFoundry team.
AWS S3 Bucket Name: AWS S3 Bucket Name
AWS Region: AWS Region
AWS Access Key ID: AWS Access Key ID
AWS Secret Access Key: AWS Secret Access Key
AWS Endpoint URL: URL for your S3 compatible Blob storage

truefoundry-values.yaml

global:
  # Domain to map the control plane dashboard
  controlPlaneURL: https://example.com

  # Ask TrueFoundry team to provide these
  tenantName: <TENANT_NAME>

  # This is the reference to the secrets we created in the previous step
  existingTruefoundryCredsSecret: "truefoundry-creds"
  imagePullSecrets:
    - name: "truefoundry-image-pull-secret"
  ## Add if you have restricted public registry access
  # image:
  #   pullSecretNames:
  #   - "truefoundry-image-pull-secret"

  # Choose the resource tier as per your needs
  resourceTier: medium # or small or large

  config:
    defaultCloudProvider: "aws"
    storageConfiguration:
      # In case of S3 compatible storage, provide the details here
      awsS3BucketName: "<AWS_S3_BUCKET_NAME_EQUIVALENT>"
      awsRegion: "<AWS_REGION_EQUIVALENT>"
  ingress:
    hosts:
      - example.com
    enabled: true
    annotations: {}
    ingressClassName: nginx # Replace with your ingress class name
# In case, you want to spin up PostgreSQL on kubernetes, enable this
# Please add creds and host details in the secret `truefoundry-creds`
devMode:
  enabled: false
tags:
  llmGateway: true
  llmGatewayRequestLogging: true

servicefoundryServer:
  env:
    AWS_ACCESS_KEY_ID: <AWS_ACCESS_KEY_ID_EQUIVALENT>
    AWS_SECRET_ACCESS_KEY: <AWS_SECRET_ACCESS_KEY_EQUIVALENT>
    AWS_ENDPOINT_URL: <AWS_ENDPOINT_URL_EQUIVALENT>
    # AWS_ALLOW_HTTP: <AWS_ALLOW_HTTP_EQUIVALENT> (optional)

deltaFusionIngestor:
  env:
    AWS_ACCESS_KEY_ID: <AWS_ACCESS_KEY_ID_EQUIVALENT>
    AWS_SECRET_ACCESS_KEY: <AWS_SECRET_ACCESS_KEY_EQUIVALENT>
    AWS_ENDPOINT_URL: <AWS_ENDPOINT_URL_EQUIVALENT>
    # AWS_ALLOW_HTTP: <AWS_ALLOW_HTTP_EQUIVALENT> (optional)

deltaFusionQueryServer:
  env:
    AWS_ACCESS_KEY_ID: <AWS_ACCESS_KEY_ID_EQUIVALENT>
    AWS_SECRET_ACCESS_KEY: <AWS_SECRET_ACCESS_KEY_EQUIVALENT>
    AWS_ENDPOINT_URL: <AWS_ENDPOINT_URL_EQUIVALENT>
    # AWS_ALLOW_HTTP: <AWS_ALLOW_HTTP_EQUIVALENT> (optional)

# Disable few dependencies for only LLM Gateway setup
tfyBuild:
  enabled: false
sfyManifestService:
  enabled: false
tfyController:
  enabled: false
tfyConfigs:
  enabled: false

Install Helm chart

helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry -n truefoundry --create-namespace -f truefoundry-values.yaml

FAQ

How to add multiple gateway planes to the control plane?

You can add multiple gateway planes to the control plane by following the steps below:

Create Kubernetes Secret for License Key and DB Credentials

We will create two secrets in this step:

Store the License Key
Store the Image Pull Secret

Create Kubernetes Secret for License Key

We need to create a Kubernetes secret containing the licence key.

Same license key will be used for all the gateway planes as used for the control plane

truefoundry-creds.yaml

apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-creds
type: Opaque
stringData:
  TFY_API_KEY: <TFY_API_KEY>

Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)

kubectl apply -f truefoundry-creds.yaml -n truefoundry

Create Kubernetes Secret for Image Pull Secret

We need to create a Image Pull Secret to enable pulling the truefoundry images from the private registry.

Same image pull secret will be used for all the gateway planes as used for the control plane. Use your credentials if you are pulling TrueFoundry images from your registry.

truefoundry-image-pull-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: truefoundry-image-pull-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <IMAGE_PULL_SECRET> # Provided by TrueFoundry team

Apply the secret to the Kubernetes cluster (Assuming you are installing the control plane in the truefoundry namespace)

kubectl apply -f truefoundry-image-pull-secret.yaml -n truefoundry

Create Helm chart Values file for gateway plane

Create a values file as given below and replace the following values:

CONTROL_PLANE_URL: URL that you will map to the control plane dashboard.
TENANT_NAME: Tenant name provided by TrueFoundry team.
GATEWAY_ENDPOINT_HOST: The domain where you will expose the gateway endpoint (e.g., gateway.example.com)

truefoundry-gateway-values.yaml

global:
  # This is the reference to the secrets we created in the previous step
  imagePullSecrets:
    - name: "truefoundry-image-pull-secret"

  # Choose the resource tier as per your needs
  resourceTier: medium # or small or large
  controlPlaneURL: <CONTROL_PLANE_URL> # eg. https://example-company.truefoundry.cloud
  tenantName: <TENANT_NAME>

ingress:
  enabled: true
  annotations: {}
  ingressClassName: nginx
  tls: []
  hosts:
    - <GATEWAY_ENDPOINT_HOST>

# Optional: Istio configuration (if using Istio instead of standard ingress)
# istio:
#   virtualservice:
#     hosts:
#       - <GATEWAY_ENDPOINT_HOST>
#     enabled: true
#     retries:
#       enabled: true
#       retryOn: gateway-error
#     gateways:
#       - istio-system/tfy-wildcard
#     annotations: {}

Install Helm chart for gateway plane

helm upgrade --install tfy-llm-gateway oci://tfy.jfrog.io/tfy-helm/tfy-llm-gateway -n truefoundry --create-namespace -f truefoundry-gateway-values.yaml

Can I use my Artifactory as a mirror to pull images?

Yes. You can configure your Artifactory to mirror our registry.

Credentials for accessing the TrueFoundry private registry are required and will be provided during onboarding.

1. Registry Configuration

URL: https://tfy.jfrog.io/

2. Update Helm values

global:
  image:
    registry: <YOUR_REGISTRY> # Replace with your registry
postgresql:
  image:
    registry: <YOUR_REGISTRY> # Replace with your registry, use this if `devMode` is enabled

Can I copy images to my own private registry?

Yes. We provide a script that uses the truefoundry Helm Chart to identify and copy required images to your private registry.

Credentials for accessing the TrueFoundry private registry are required and will be provided during onboarding.

Generic Registry
AWS ECR Registry

1. Install required dependencies

Skopeo
- Used to perform the image copy operation.
Helm
- Used to get the list of images from the TrueFoundry Helm Chart.

2. Add TrueFoundry Helm Chart repository

helm repo add truefoundry https://truefoundry.github.io/infra-charts
helm repo update

3. Authenticate to the TrueFoundry source registry

skopeo login -u <USERNAME> -p <PASSWORD> https://tfy.jfrog.io/

Replace <USERNAME> with the TrueFoundry registry username.
Replace <PASSWORD> with the TrueFoundry registry password.

4. Authenticate to your destination registry

skopeo login -u <USERNAME> -p <PASSWORD> <YOUR_REGISTRY>

Replace <USERNAME> with your registry username.
Replace <PASSWORD> with your registry password.
Replace <YOUR_REGISTRY> with the URL of your registry.Skopeo will use authentication details for a registry that was previously authenticated with docker login.Alternatively, you can use the --dest-user and --dest-password flags to provide the username and password for the destination registry.

5. Run Clone Image Script

export TRUEFOUNDRY_HELM_CHART_VERSION=<TRUEFOUNDRY_HELM_CHART_VERSION>
export TRUEFOUNDRY_HELM_VALUES_FILE=<TRUEFOUNDRY_HELM_VALUES_FILE>
export DEST_REGISTRY=<YOUR_DESTINATION_REGISTRY>

# Dry-run example
curl -s https://raw.githubusercontent.com/truefoundry/infra-charts/main/scripts/clone_images_to_your_registry.sh | bash -s -- --helm-chart truefoundry --helm-version $TRUEFOUNDRY_HELM_CHART_VERSION --helm-values $TRUEFOUNDRY_HELM_VALUES_FILE --dest-registry $DEST_REGISTRY --dry-run

# Live example
curl -s https://raw.githubusercontent.com/truefoundry/infra-charts/main/scripts/clone_images_to_your_registry.sh | bash -s -- --helm-chart truefoundry --helm-version $TRUEFOUNDRY_HELM_CHART_VERSION --helm-values $TRUEFOUNDRY_HELM_VALUES_FILE --dest-registry $DEST_REGISTRY

Replace <TRUEFOUNDRY_HELM_CHART_VERSION> with the version of the Truefoundry helm chart you want to use. You can find the latest version in the changelog.Replace <TRUEFOUNDRY_HELM_VALUES_FILE> with the path to the values file you created in the Installation Instructions.Replace <DEST_REGISTRY> with the URL of your registry.

6. Update the Helm values file to use your registry

global:
  image:
    registry: <YOUR_REGISTRY> # Replace with your registry
postgresql:
  image:
    registry: <YOUR_REGISTRY> # Replace with your registry, use this if `devMode` is enabled

1. Install required dependencies

Skopeo
- Used to perform the image copy operation.
Helm
- Used to get the list of images from the TrueFoundry Helm Chart.
AWS CLI
- Used to perform AWS ECR actions to validate and create repositories.

2. Add TrueFoundry Helm Chart repository

helm repo add truefoundry https://truefoundry.github.io/infra-charts
helm repo update

3. Authenticate to the TrueFoundry source registry

skopeo login -u <USERNAME> -p <PASSWORD> https://tfy.jfrog.io/

Replace <USERNAME> with the TrueFoundry registry username.
Replace <PASSWORD> with the TrueFoundry registry password.

4. Authenticate to your destination registry

# Set your AWS profile
export AWS_PROFILE=<AWS_PROFILE>

# Authenticate to ECR using the profile
aws ecr get-login-password --region us-west-2 | skopeo login --username AWS --password-stdin <YOUR_ECR_REGISTRY>

Replace <AWS_PROFILE> with your AWS profile name.
Replace <YOUR_ECR_REGISTRY> with the URL of your ECR registry (ex. 123456789012.dkr.ecr.us-east-2.amazonaws.com).Skopeo will use authentication details for a registry that was previously authenticated with docker login.

5. Run Clone Image Script

This script creates required ECR repositories and copies images.
Optionally append a path to your registry URL to namespace repositories (e.g., 123456789012.dkr.ecr.us-east-2.amazonaws.com/truefoundry).

export TRUEFOUNDRY_HELM_CHART_VERSION=<TRUEFOUNDRY_HELM_CHART_VERSION>
export TRUEFOUNDRY_HELM_VALUES_FILE=<TRUEFOUNDRY_HELM_VALUES_FILE>
export DEST_REGISTRY=<YOUR_DESTINATION_REGISTRY>

# Dry-run example
curl -s https://raw.githubusercontent.com/truefoundry/infra-charts/main/scripts/clone_images_to_your_registry.sh | bash -s -- --helm-chart truefoundry --helm-version $TRUEFOUNDRY_HELM_CHART_VERSION --helm-values $TRUEFOUNDRY_HELM_VALUES_FILE --dest-registry $DEST_REGISTRY --dry-run

# Live example
curl -s https://raw.githubusercontent.com/truefoundry/infra-charts/main/scripts/clone_images_to_your_registry.sh | bash -s -- --helm-chart truefoundry --helm-version $TRUEFOUNDRY_HELM_CHART_VERSION --helm-values $TRUEFOUNDRY_HELM_VALUES_FILE --dest-registry $DEST_REGISTRY

Replace <TRUEFOUNDRY_HELM_CHART_VERSION> with the TrueFoundry Helm chart version. Find the latest version in the changelog.Replace <TRUEFOUNDRY_HELM_VALUES_FILE> with the path to your values file from Installation Instructions.Replace <YOUR_DESTINATION_ECR_REGISTRY> with your ECR registry URL (e.g., 123456789012.dkr.ecr.us-east-2.amazonaws.com/truefoundy).

6. Update the Helm values file to use your registry

global:
  image:
    registry: <YOUR_REGISTRY> # Replace with your registry
postgresql:
  image:
    registry: <YOUR_REGISTRY> # Replace with your registry, use this if `devMode` is enabled

How to install in an air-gapped / restricted network environment?

An air-gapped environment is isolated from the internet. Since the control plane and gateway plane ship as a single helm chart (truefoundry), you only need to make the container images available in your private registry and update the helm values to point to it.

Copy images to your private registry — set up a registry mirror or copy images directly using the steps described in the FAQs above
Update helm values to point to your private registry (see the helm value overrides in the same FAQs above)
Continue with the standard installation on this page

How to integrate with AWS bedrock models from a different AWS account?

You can integrate with AWS bedrock models from a different AWS account by following the steps below:

Add the following IAM policy to the control plane IAM role so that it can assume the IAM role of the AWS account that has the bedrock models:

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

In the IAM role in the destination AWS account (which has bedrock access), add the following trust policy to allow the control plane IAM role to assume it:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<CONTROL_PLANE_IAM_ROLE_ARN>"
      },

      "Action": "sts:AssumeRole"
    }
  ],
  "Version": "2012-10-17"
}

Now you can use the IAM role of the destination AWS account while integrating AWS bedrock models in the TrueFoundry AI gateway.

Do we need any NFS volumes in Kubernetes for the AI Gateway or Control Plane?

No, we only need block storage for installing and running Truefoundry. This should be supported via the CSI driver and only ReadWriteOnce access is required.

What is the structure of access logs

We log access information in standard output with the following format:

logfmt
json

These can be switched with the help of an environment variable to the AI Gateway installation. (Default: logfmt)

Log format

Standard log format structure:

time="%START_TIME%" level=%LEVEL% ip=%IP_ADDRESS% tenant=%TENANT_NAME% user=%SUBJECT_TYPE%:%SUBJECT_SLUG% model=%MODEL_ID% method=%METHOD% path=%PATH% status=%STATUS_CODE% time_taken=%DURATION%ms trace_id=%TRACE_ID%

Log operator	Details
START_TIME	ISO timestamp for request start. eg. 2025-08-12 13:34:50
LEVEL	info\|warn\|error
IP_ADDRESS	IP address of the caller. eg. ::ffff:10.99.55.142
TENANT_NAME	Name of the tenant. eg. truefoundry
SUBJECT_TYPE	user\|virtualaccount
SUBJECT_SLUG	Email or virtual account name. eg. tfy-user@truefoundry.com\|demo-virtualaccount
MODEL_ID	Model ID. eg. openai-default/gpt-5
METHOD	GET\|POST\|PUT
PATH	Path of the request. eg. /api/inference/openai/chat/completions
STATUS_CODE	200\|400\|401\|403\|429\|500
DURATION	Duration of the request. eg. 12
TRACE_ID	Trace ID of the request

Examples:

time="2025-08-12 13:34:50" level=info ip=::ffff:10.99.55.142 tenant=truefoundry user=virtualaccount:demo-virtualaccount model=openai-default/gpt-5 method=POST path=/api/inference/openai/chat/completions status=200 time_taken=53ms trace_id=587b2a946c13f62f9160674a8c983ce3

How to use SSO directly without using TrueFoundry Auth Server?

By default, the control plane uses the TrueFoundry Auth Server for user authentication. However, you can configure it to use your own external identity provider instead. We support both OIDC and SAML-compliant identity providers. Read more

Requests to the gateway are timing out after a certain duration

If your LLM requests are timing out after a certain duration, the first thing to check is the traces in the TrueFoundry dashboard. Look at the request duration — if you see requests consistently timing out at exactly 60 seconds, the issue is almost certainly the load balancer, not the TrueFoundry AI Gateway. The TrueFoundry gateway does not impose any request timeout.

Traces showing requests timing out at 60 seconds

This commonly happens when an Application Load Balancer (ALB) is placed in front of the gateway to expose it. The default Connection idle timeout on AWS ALBs is 60 seconds, which is too short for long-running LLM inference requests (especially streaming responses or large prompts).Solution: Increase the idle timeout on your AWS ALB to a higher value (e.g., 300 seconds or more).You can find this setting in the AWS Console under EC2 → Load Balancers → Select your ALB → Attributes tab → Connection idle timeout.

You can also update it via the AWS CLI:

aws elbv2 modify-load-balancer-attributes \
  --load-balancer-arn <YOUR_ALB_ARN> \
  --attributes Key=idle_timeout.timeout_seconds,Value=300

If you are using an ingress controller (e.g., NGINX Ingress) in addition to the ALB, also verify that the ingress controller’s proxy timeout settings are configured appropriately.

Can I get TrueFoundry metrics in Victoria Metrics instead of Prometheus?

Yes. TrueFoundry supports exporting metrics to Victoria Metrics as an alternative to Prometheus. To enable this, add the following to your truefoundry-values.yaml file and upgrade the Helm release:

This only installs the VMServiceScrape and related custom resources for scraping TrueFoundry metrics. It does not deploy Victoria Metrics itself — you are responsible for installing and managing your own Victoria Metrics instance.

truefoundry-values.yaml

victoriaMetricsMonitoring:
  enabled: true

Then upgrade the Helm release to apply the changes:

helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry -n truefoundry --create-namespace -f truefoundry-values.yaml

How to enable SSL for PostgreSQL connections?

The TrueFoundry control plane supports SSL connections to PostgreSQL. You can configure SSL by setting the DB_SSL_MODE environment variable in your truefoundry-values.yaml.Supported DB_SSL_MODE values:

Mode	Encryption	Certificate Validation	Use Case
`disable`	No	No	Local development or trusted networks
`no-verify`	Yes	No	Managed databases with self-signed or unverified certs
`require`	Yes	Yes (system CA store)	When you have a valid CA certificate and want full verification
`verify-ca`	Yes	Yes (custom CA)	Same as `require` but explicitly checks CA
`verify-full`	Yes	Yes (CA + hostname)	Strictest mode, validates CA and hostname

SSL certificate environment variables:

Variable	Purpose	Required
`DB_SSL_CA_PATH`	Path to the server CA certificate file	For `require`, `verify-ca`, or `verify-full` modes
`DB_SSL_CERT_PATH`	Path to the client certificate file (for mTLS)	Only for mTLS (GCP Cloud SQL, Azure Database for PostgreSQL)
`DB_SSL_KEY_PATH`	Path to the client private key file (for mTLS)	Only for mTLS (GCP Cloud SQL, Azure Database for PostgreSQL)

The certificate requirements vary by cloud provider. AWS RDS only needs the server CA bundle (DB_SSL_CA_PATH), while GCP Cloud SQL and Azure Database for PostgreSQL may require all three certificate paths when client certificate authentication (mTLS) is enabled. Refer to the cloud-specific control plane documentation for detailed examples.

Scenario 1: Encrypted connection without certificate validation (no-verify)This is the simplest option for managed databases. It encrypts the connection but skips server certificate validation.

truefoundry-values.yaml

servicefoundryServer:
  env:
    DB_SSL_MODE: "no-verify"
mlfoundryServer:
  env:
    DB_SSL_MODE: "no-verify"

Scenario 2: Encrypted connection with certificate validation (require)This mode encrypts the connection and validates the server certificate. You must provide the appropriate certificate files for your database provider. The example below shows the full configuration with all three certificate paths (for GCP/Azure mTLS). For AWS RDS, only DB_SSL_CA_PATH is needed.Create a Kubernetes Secret containing your certificate files:

# AWS RDS (CA bundle only)
kubectl create secret generic db-ssl-certs \
  --from-file=ca-certificate.crt=/path/to/your/ca-certificate.crt \
  -n truefoundry

# GCP Cloud SQL / Azure (full mTLS)
kubectl create secret generic db-ssl-certs \
  --from-file=ca-certificate.crt=/path/to/server-ca.pem \
  --from-file=client-cert.pem=/path/to/client-cert.pem \
  --from-file=client-key.pem=/path/to/client-key.pem \
  -n truefoundry

Then configure truefoundry-values.yaml to mount the certificates and set the SSL paths:

truefoundry-values.yaml

servicefoundryServer:
  env:
    DB_SSL_MODE: "require"
    DB_SSL_CA_PATH: "/etc/ssl/custom/ca-certificate.crt"
    # Only needed for mTLS (GCP Cloud SQL, Azure Database for PostgreSQL)
    DB_SSL_CERT_PATH: "/etc/ssl/custom/client-cert.pem"
    DB_SSL_KEY_PATH: "/etc/ssl/custom/client-key.pem"
  extraVolumes:
    - name: db-ssl-certs
      secret:
        secretName: db-ssl-certs
  extraVolumeMounts:
    - name: db-ssl-certs
      mountPath: /etc/ssl/custom
      readOnly: true
mlfoundryServer:
  env:
    DB_SSL_MODE: "require"
    DB_SSL_CA_PATH: "/etc/ssl/custom/ca-certificate.crt"
    # Only needed for mTLS (GCP Cloud SQL, Azure Database for PostgreSQL)
    DB_SSL_CERT_PATH: "/etc/ssl/custom/client-cert.pem"
    DB_SSL_KEY_PATH: "/etc/ssl/custom/client-key.pem"
  extraVolumes:
    - name: db-ssl-certs
      secret:
        secretName: db-ssl-certs
  extraVolumeMounts:
    - name: db-ssl-certs
      mountPath: /etc/ssl/custom
      readOnly: true

Upgrade the Helm release to apply the changes:

helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry -n truefoundry --create-namespace -f truefoundry-values.yaml

How to configure custom CA certificates?

If your TrueFoundry deployment needs to trust custom Certificate Authorities (e.g., for internal services, private registries, or corporate proxies), you can configure custom CA certificates in the Helm chart.There are two methods to provide custom CA certificates:

Method 1: Pass customCA as a multiline string

You can directly provide the CA certificate content as a multiline string in your values.yaml:

truefoundry-values.yaml

global:
  customCA:
    enabled: true
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIDXTCCAkWgAwIBAgIJAKZ7VqHEqvmKMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
      BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
      ... (rest of your certificate) ...
      -----END CERTIFICATE-----

This method is suitable when you have one or a few CA certificates to add.

Method 2: Use an existing ConfigMap containing CA certificate(s)

If you already have your custom CA certificates in a Kubernetes ConfigMap, you can reference it directly. An initContainer will merge the custom CA with the system CAs.

Create a ConfigMap with your custom CA certificate(s)

Create a Kubernetes ConfigMap containing your custom CA certificate(s):

kubectl create configmap custom-ca-certificates \
  --from-file=ca-certificates.crt=custom-ca.crt \
  -n truefoundry

Alternatively, if you want to create it from a YAML file:

custom-ca-configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-ca-certificates
  namespace: truefoundry
data:
  ca-certificates.crt: |
    -----BEGIN CERTIFICATE-----
    ... (your custom CA certificate content) ...
    -----END CERTIFICATE-----

Apply the ConfigMap:

kubectl apply -f custom-ca-configmap.yaml

Reference the ConfigMap in your Helm values

Update your truefoundry-values.yaml to reference the ConfigMap:

truefoundry-values.yaml

global:
  customCA:
    enabled: true
    existingConfigMap:
      name: custom-ca-certificates

Upgrade the Helm installation

Apply the changes by upgrading your Helm release:

helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry \
  -n truefoundry --create-namespace -f truefoundry-values.yaml

Method 2b: Use an existing ConfigMap with `overrideCAList`

If you want the ConfigMap to replace the system CA bundle entirely instead of merging, set overrideCAList to true. In this mode, the ConfigMap is mounted directly at /etc/ssl/certs/ (no initContainer is used), so the ConfigMap must contain the full CA bundle (system + custom CAs).

Prepare your CA certificate file

Add your custom CA certificate(s) to your system’s CA bundle. On a Linux system with the certificate file saved as custom-ca.crt:

# Copy the certificate to the CA directory
sudo cp custom-ca.crt /usr/local/share/ca-certificates/

# Update the CA certificates bundle
sudo update-ca-certificates

This will generate or update /etc/ssl/certs/ca-certificates.crt with your custom CA included (system CAs + your custom CA).

Create a ConfigMap from the complete ca-certificates.crt file

Create a Kubernetes ConfigMap containing the complete CA bundle:

kubectl create configmap custom-ca-certificates \
  --from-file=ca-certificates.crt=/etc/ssl/certs/ca-certificates.crt \
  -n truefoundry

Alternatively, if you want to create it from a YAML file:

custom-ca-configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-ca-certificates
  namespace: truefoundry
data:
  ca-certificates.crt: |
    -----BEGIN CERTIFICATE-----
    ... (your complete ca-certificates.crt content including system + custom CAs) ...
    -----END CERTIFICATE-----

Apply the ConfigMap:

kubectl apply -f custom-ca-configmap.yaml

Reference the ConfigMap in your Helm values with overrideCAList

Update your truefoundry-values.yaml to reference the ConfigMap with overrideCAList enabled:

truefoundry-values.yaml

global:
  customCA:
    enabled: true
    existingConfigMap:
      name: custom-ca-certificates
      overrideCAList: true

Upgrade the Helm installation

Apply the changes by upgrading your Helm release:

helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry \
  -n truefoundry --create-namespace -f truefoundry-values.yaml

When overrideCAList is set to true, the ConfigMap is mounted directly replacing the system CA bundle. Your ConfigMap must contain the complete CA bundle (system CAs + your custom CAs). If you only include your custom CAs, all standard public CA trust will be lost and outbound HTTPS connections to public services will fail.

The custom CA certificates will be mounted into all TrueFoundry pods and added to the system’s trust store. This ensures that all outgoing HTTPS connections from TrueFoundry services will trust your custom CAs.

After adding custom CA certificates, verify that your TrueFoundry pods have restarted and are running correctly. You may need to restart existing pods for the changes to take effect.

How to enable and access control plane monitoring (Grafana)?

TrueFoundry ships with a built-in monitoring stack that includes Grafana dashboards for the control plane. To enable it, add the following to your truefoundry-values.yaml:

truefoundry-values.yaml

truefoundryMonitoring:
  enabled: true
  grafana:
    grafana.ini:
      auth.jwt:
        jwk_set_url: >-
          https://<your-truefoundry-control-plane-url>/api/svc/v1/keys/<tenant-name>/jwks

Then upgrade the Helm release to apply the changes:

helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry \
  -n truefoundry --create-namespace \
  -f truefoundry-values.yaml

Once enabled, platform admins can access the Grafana dashboard at:

https://<your-truefoundry-control-plane-url>/admin/grafana/

Replace <your-truefoundry-control-plane-url> with your actual control plane domain (e.g., app.example.com) and <tenant-name> with your TrueFoundry tenant name provided during onboarding.
Only users with the admin role can access this endpoint.
Make sure to include the trailing / at the end of the URL.
If you already have Prometheus or VictoriaLogs in your cluster, you can point the monitoring stack to them using externalServices instead of installing new instances.

For the full configuration reference, see the Control Plane Monitoring guide.

How do you add default metadata to all requests passing via the gateway?

You can attach default metadata to every request that passes through the AI Gateway by setting the DEFAULT_GATEWAY_METADATA environment variable on the gateway. The value should be a JSON string of key-value pairs.Add the following to your gateway configuration in values file of the gateway plane:

tfy-llm-gateway:
  env:
    DEFAULT_GATEWAY_METADATA: '{"org":"internal"}'

The metadata key-value pairs will be automatically included in every request routed through the gateway. You can use this to tag requests with organizational identifiers, environment labels, or any other metadata your downstream systems need.

How to use HTTPRoute to route traffic using Kubernetes Gateway API?

The TrueFoundry Helm charts support the Kubernetes Gateway API as an alternative to standard Ingress resources. Use HTTPRoute when your cluster uses a Gateway API-compatible controller (e.g. Envoy Gateway, Istio, NGINX Gateway Fabric, GKE Gateway).Control plane (truefoundry chart)Add the following to your truefoundry-values.yaml, setting parentRefs to point to your existing Gateway:

truefoundry-values.yaml

global:
  httpRoute:
    enabled: true
    parentRefs:
      - name: my-gateway        # Name of your Gateway resource
        namespace: gateway-system  # Namespace where the Gateway is deployed
        sectionName: https      # Listener section on the Gateway (e.g. http or https)
    hostnames:
      - "app.example.com"       # Hostname that this HTTPRoute should match

Then apply:

helm upgrade --install truefoundry oci://tfy.jfrog.io/tfy-helm/truefoundry \
  -n truefoundry --create-namespace \
  -f truefoundry-values.yaml

Only one routing method should be enabled at a time. Disable global.ingress.enabled and global.virtualservice.enabled when using httpRoute.
The sectionName must match a named listener on your Gateway resource. Omit it if your Gateway has a single unnamed listener.
TLS termination is handled by the parent Gateway — no TLS configuration is needed on the HTTPRoute itself.

Platform

​Key Components

​Compute Requirements

​Prerequisites for Installation

​Installation Instructions

​FAQ

​Log format

​Method 1: Pass customCA as a multiline string

​Method 2: Use an existing ConfigMap containing CA certificate(s)

​Method 2b: Use an existing ConfigMap with overrideCAList

Key Components

Compute Requirements

Prerequisites for Installation

Installation Instructions

FAQ

Log format

Method 1: Pass customCA as a multiline string

Method 2: Use an existing ConfigMap containing CA certificate(s)

Method 2b: Use an existing ConfigMap with `overrideCAList`