On-Prem Infrastructure Requirements
This page covers all infrastructure that must be provisioned before deploying Unstract. Complete these steps first, then proceed to the Deployment Guide.
1. Infrastructure Prerequisites
The following infrastructure must be provisioned by the customer team before proceeding with the Helm installation. Use whatever provisioning approach follows your internal standards (Terraform, Pulumi, CloudFormation, manual setup, etc.).
Kubernetes Cluster
- Recommended version: >= 1.29 (latest tested: 1.33)
- Node autoscaling should be enabled
- Recommended to create the cluster in a single Availability Zone, since some StatefulSet workloads do not yet support HA; multi-AZ setups can lead to volume attach errors
- Ingress controller as a K8s cluster add-on for load balancer creation (recommended)
- The ingress must support a timeout of up to 900 seconds to work as expected (see Appendix c)
- In-house or cloud provider observability stack (recommended)
PostgreSQL Database
- Supported version: 15.0
- Minimum specs: 1 vCPU, 8 GiB RAM, 50 GiB SSD
- Autoscale enabled (recommended)
- A dedicated database for Unstract should be created within the PostgreSQL instance
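The dedicated database can be created with standard psql commands; the host, role, database name, and password below are example values, not names the installer requires:

```shell
# Connect to the PostgreSQL instance as an admin user (example host/user)
psql -h <postgres-host> -U postgres <<'SQL'
-- Dedicated role and database for Unstract (example names)
CREATE ROLE unstract_user WITH LOGIN PASSWORD '<strong-password>';
CREATE DATABASE unstract OWNER unstract_user;
SQL
```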
Object Storage
- Managed blob storage: AWS S3 / Azure Blob Storage / GCP GCS
- IAM / service principal with read/write access to the target bucket or container
- See Appendix d for required storage configuration
DNS & SSL
- A domain pointing to Unstract (e.g., unstract.<customer-domain>.com)
- An active SSL certificate is required; HTTPS is mandatory for the authentication system to function properly
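Once DNS and the certificate are in place, both can be verified from any workstation; the domain below is an example:

```shell
# Confirm the domain resolves to the load balancer (example domain)
dig +short unstract.example.com

# Inspect the served certificate's subject and validity dates
echo | openssl s_client -connect unstract.example.com:443 -servername unstract.example.com 2>/dev/null \
  | openssl x509 -noout -subject -dates
```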
Networking
- Recommend allocating a subnet of /18 CIDR size (≈16,384 addresses) for pods
Node Profile
| Machine Type | Label | Taint (NoSchedule) | Min | Max |
|---|---|---|---|---|
| 4 vCPU and 32 GiB | service: unstract | service: unstract | 2 | 4 |
The above is a small profile suitable for initial setup. For production sizing, see Appendix b.
Workloads are expected to be deployed on non-spot (on-demand) node pools.
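The label/taint pair in the table translates into pod scheduling as follows: workloads that should land on these nodes need a matching nodeSelector and toleration. A sketch using the values from the table (this is not an excerpt from the Unstract Helm chart):

```yaml
# Pod spec fragment targeting the tainted "service: unstract" node group
nodeSelector:
  service: unstract
tolerations:
  - key: service
    operator: Equal
    value: unstract
    effect: NoSchedule
```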
Appendix
a. Cluster Nodes Config
- Minimum spec: 4 vCPU / 32 GiB
- Node autoscaling should be enabled
- Node Groups are optional based on the profile
- Recommended to create in a single AZ since:
- Some statefulset workloads do not have HA support
- Multi-AZ can lead to volume attach errors
b. Cluster Size Profiles
Small Profile (not recommended for high volume)
- No autoscaling (can be enabled if required)
- Only one default Node Group
| Machine Type | Label | Taint (NoSchedule) | Min | Max |
|---|---|---|---|---|
| 4 vCPU and 32 GiB | service: unstract | service: unstract | 2 | 4 |
Production Profile
- Different Node Groups based on workloads
- Add 50 GiB SSD for application data to each machine
| Machine Type | Label | Taint (NoSchedule) | Min | Max |
|---|---|---|---|---|
| 4 vCPU and 32 GiB | service: unstract | service: unstract | 5 | 16 |
Workloads are expected to be deployed on non-spot (on-demand) node pools.
c. Ingress Setup
All ingress types must support a 900-second timeout.
AWS ALB Ingress Controller
- Required annotation:

```yaml
# REF: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/how-it-works/#ip-mode
alb.ingress.kubernetes.io/target-type: ip
```
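Besides target-type, the ALB's idle timeout (60 seconds by default) must also be raised to satisfy the 900-second requirement. One way to do this with the AWS Load Balancer Controller is the load-balancer-attributes annotation; verify against your controller version:

```yaml
# Raise the ALB idle timeout from the 60 s default to 900 s
alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=900
```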
Nginx Ingress Controller
- Recommended ingress controller for Azure AKS
- Required annotations (Community Version syntax):

```yaml
# Default is 60. Must be increased to 900.
nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
# Default is 1m. Must be increased for large document uploads.
# REF: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
nginx.ingress.kubernetes.io/proxy-body-size: "200m"
```
Avoid the nginx.ingress.kubernetes.io/rewrite-target annotation. In Community NGINX Controller versions >= v0.22.0, the old rewrite-target: / syntax causes authentication failures (401 Unauthorized responses). If you encounter login issues, remove any rewrite-target annotations from your ingress configuration.
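Putting the pieces together, a minimal Ingress for the community ingress-nginx controller might look like the sketch below; the host, service name, and port are placeholders, not the chart's actual values:

```yaml
# Minimal Ingress sketch for the community ingress-nginx controller.
# Host, backend service name, and port are example values.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: unstract
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
    # Community-controller annotation for a raised client body size limit
    nginx.ingress.kubernetes.io/proxy-body-size: "200m"
spec:
  ingressClassName: nginx
  rules:
    - host: unstract.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: unstract-frontend
                port:
                  number: 80
```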
d. Remote Storage Config
AWS
IAM Policy
Replace s3-bucket-name with desired S3 bucket name.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<s3-bucket-name>"
      ]
    },
    {
      "Sid": "ObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<s3-bucket-name>",
        "arn:aws:s3:::<s3-bucket-name>/*"
      ]
    }
  ]
}
```
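If you manage IAM manually rather than through provisioning tooling, the policy above can be created and attached with the AWS CLI; the file, policy, and user names below are examples:

```shell
# Create the IAM policy from the JSON document above, saved locally
aws iam create-policy \
  --policy-name unstract-s3-access \
  --policy-document file://unstract-s3-policy.json

# Attach it to the IAM user whose access keys Unstract will use (example user)
aws iam attach-user-policy \
  --user-name unstract \
  --policy-arn arn:aws:iam::<account-id>:policy/unstract-s3-access
```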
Helm Chart Values
secret.yaml:

```yaml
PERMANENT_REMOTE_STORAGE: &PERMANENT_REMOTE_STORAGE '{"provider": "s3", "credentials": {"key":"<s3-access-key>","secret":"<s3-access-secret>","endpoint_url":"<s3-endpoint-url>"}}'
```
| Config placeholder | Expected credential |
|---|---|
| s3-access-key | AWS access key |
| s3-access-secret | AWS secret key |
| s3-endpoint-url | e.g. https://s3.ap-south-1.amazonaws.com/ |
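Because PERMANENT_REMOTE_STORAGE is a JSON string embedded in YAML, quoting mistakes are easy to make. A quick local sanity check after substituting your values (dummy credentials shown; python3 -m json.tool exits non-zero on malformed JSON):

```shell
# Validate that the substituted value is a single well-formed JSON object
echo '{"provider": "s3", "credentials": {"key": "AKIAEXAMPLE", "secret": "dummy-secret", "endpoint_url": "https://s3.ap-south-1.amazonaws.com/"}}' \
  | python3 -m json.tool > /dev/null && echo "valid JSON"
```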
values.yaml — replace s3-bucket-name with desired S3 bucket name:
```yaml
backend:
  configMap:
    REMOTE_SIMPLE_PROMPT_STUDIO_FILE_PATH: <s3-bucket-name>/simple-prompt-studio-data
    REMOTE_PROMPT_STUDIO_FILE_PATH: <s3-bucket-name>/prompt-studio-data
platform:
  configMap:
    MODEL_PRICES_FILE_PATH: <s3-bucket-name>/cost/model_prices.json
prompt:
  configMap:
    REMOTE_PROMPT_STUDIO_FILE_PATH: <s3-bucket-name>/prompt-studio-data
```
Azure
Helm Chart Values
secret.yaml:

```yaml
PERMANENT_REMOTE_STORAGE: &PERMANENT_REMOTE_STORAGE '{"provider": "abfs", "credentials": {"account_name":"<azure-account-name>","access_key":"<azure-access-key>","connection_string":"<azure-connection-string>"}}'
```
| Config placeholder | Expected credential |
|---|---|
| azure-account-name | Azure account name |
| azure-access-key | Azure access key |
| azure-connection-string | e.g. DefaultEndpointsProtocol=https;AccountName=xxxxxxx;AccountKey=xxxxx;EndpointSuffix=core.windows.net |
values.yaml — replace azure-container-name with applicable Azure container name:
```yaml
backend:
  configMap:
    REMOTE_SIMPLE_PROMPT_STUDIO_FILE_PATH: <azure-container-name>/simple-prompt-studio-data
    REMOTE_PROMPT_STUDIO_FILE_PATH: <azure-container-name>/prompt-studio-data
platform:
  configMap:
    MODEL_PRICES_FILE_PATH: <azure-container-name>/cost/model_prices.json
prompt:
  configMap:
    REMOTE_PROMPT_STUDIO_FILE_PATH: <azure-container-name>/prompt-studio-data
```