Skip to content
GOVERN Admin

Kubernetes Deployment

The GOVERN Helm chart is the recommended way to deploy GOVERN to Kubernetes. It supports all major distributions (EKS, AKS, GKE, OpenShift, bare metal).

Prerequisites

  • Kubernetes 1.28+
  • Helm 3.14+
  • Persistent volume provisioner
  • Ingress controller (nginx-ingress recommended)
  • PostgreSQL 15+ (or use bundled)
  • Redis 7+ (or use bundled)

Add Helm Repository

Terminal window
helm repo add govern https://charts.govern.archetypal.ai
helm repo update

Minimal Install

Terminal window
# Install with bundled PostgreSQL and Redis (not recommended for production)
helm install govern govern/govern \
  --namespace govern \
  --create-namespace \
  --set global.licenseKey=$GOVERN_LICENSE_KEY

Production Install

Terminal window
# Create namespace and secrets
kubectl create namespace govern


kubectl create secret generic govern-secrets \
  --namespace govern \
  --from-literal=api-key=$GOVERN_API_KEY \
  --from-literal=secret-key=$GOVERN_SECRET_KEY \
  --from-literal=db-password=$DB_PASSWORD \
  --from-literal=redis-password=$REDIS_PASSWORD


# Install GOVERN
helm install govern govern/govern \
  --namespace govern \
  --values values-production.yaml

values-production.yaml

global:
  licenseKey: ""  # Set via --set or secret


api:
  replicas: 2
  resources:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: 2000m
      memory: 2Gi


app:
  replicas: 2
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 512Mi


# External PostgreSQL
postgresql:
  enabled: false  # Disable bundled PostgreSQL
  external:
    host: postgres.internal.company.com
    port: 5432
    database: govern
    username: govern
    existingSecret: govern-secrets
    secretKey: db-password


# External Redis
redis:
  enabled: false  # Disable bundled Redis
  external:
    host: redis.internal.company.com
    port: 6379
    existingSecret: govern-secrets
    secretKey: redis-password


ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: govern.company.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: govern-tls
      hosts:
        - govern.company.com


autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70


persistence:
  storageClass: standard  # Your StorageClass name
  size: 50Gi

Upgrading

Terminal window
# Pull latest chart
helm repo update


# Preview changes
helm diff upgrade govern govern/govern --namespace govern --values values-production.yaml


# Apply upgrade
helm upgrade govern govern/govern \
  --namespace govern \
  --values values-production.yaml \
  --wait \
  --timeout 10m

Monitoring

GOVERN exposes Prometheus metrics at /metrics. Configure scraping:

# values addition for Prometheus
api:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true  # Requires Prometheus Operator
      namespace: monitoring
      interval: 30s

Verifying Deployment

Terminal window
# Check pod status
kubectl get pods -n govern


# Check events
kubectl get events -n govern --sort-by=.lastTimestamp


# Check health
kubectl exec -n govern deployment/govern-api -- curl -s localhost:3001/health | jq .


# View logs
kubectl logs -n govern deployment/govern-api --tail=100 -f