On-Premise

The fastest path to a running Scrydon install on a self-managed Kubernetes cluster in your own data centre.

This is the quickest route to a working Scrydon install on a self-managed Kubernetes cluster that can pull images over the internet. Follow the five steps below top to bottom. For every override the chart exposes — routing, BYO database, TLS offloading, pod scheduling, low-resource trims — see the Helm reference.

Before you start

  • A Kubernetes 1.28+ cluster with a working storage provisioner (Ceph, vSphere, local-path, …) and kubectl access.
  • A license bundle from Scrydon — a JSON file shaped { "jwt": "…", "publicKey": "-----BEGIN PUBLIC KEY-----…" }.
  • Registry credentials for scrydonops.azurecr.io — one scoped token covers both chart and image pulls. Your account team issues the ACR token name (the username) and token value (the password).
  • A single DNS name pointing at your cluster's ingress (e.g. app.example.com).

Full resource sizing and the complete checklist live in Prerequisites.

Step 1: Log in to the registry

helm registry login scrydonops.azurecr.io --username <acr-token-name>
# (paste the token value at the password prompt)

Step 2: Create the namespace and pull secret

By default the chart deploys every service into one namespace, scrydon-platform. Create it and add the image-pull secret there:

kubectl create namespace scrydon-platform 2>/dev/null || true
kubectl create secret docker-registry scrydon-registry \
  --namespace scrydon-platform \
  --docker-server=scrydonops.azurecr.io \
  --docker-username=<acr-token-name> \
  --docker-password=<acr-token-password>

Splitting services across namespaces is opt-in via namespaces.* (see the Helm reference). If you do, create the same pull secret in each namespace you target.

Step 3: Write values.customer.yaml

This is the entire minimal install — the chart defaults to subpath routing, the traefik ingress class, a letsencrypt-prod issuer, and bundled Postgres / StarRocks / SeaweedFS / OPA. The one on-prem-specific value is global.storageClass: the chart ships no cloud default, so point it at your provisioner.

# Replace REPLACE-WITH-* with values you generate. Keep this file out of source control.

global:
  imageRegistry: scrydonops.azurecr.io  # pull images from the ACR you logged into
  imagePullSecrets:
    - name: scrydon-registry            # from Step 2
  storageClass: <your-storage-class>    # e.g. ceph-rbd, vsphere-csi, local-path

routing:
  host: app.example.com                 # the hostname your DNS points at

ingress:
  tls:
    enabled: true                       # browser reaches Scrydon over HTTPS (default is false)

# Secrets — generate fresh per deployment.
infra:
  db:
    credentials:
      password: REPLACE-WITH-DB-PASSWORD          # openssl rand -hex 16
auth:
  secrets:
    AUTH_SECRET: REPLACE-WITH-AUTH-SECRET         # openssl rand -hex 32
apiTable:
  secrets:
    STARROCKS_PASSWORD: REPLACE-WITH-STARROCKS-PW # openssl rand -hex 24

Step 4: Install

helm install scrydon oci://scrydonops.azurecr.io/scrydon/charts/scrydon \
  --version <version> \
  --namespace scrydon-platform \
  -f values.customer.yaml \
  --wait

The chart deploys the bundled Postgres and every Scrydon service into scrydon-platform, and runs the migration Jobs as Helm hooks.
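A small pre-install helper for Steps 3 and 4, added here as an example and not part of the Scrydon chart or its docs: it fills the three REPLACE-WITH-* placeholders with freshly generated secrets (the same openssl rand -hex sizes the values comments suggest), writes the result owner-readable only, and refuses to let the file reach helm install while any placeholder survives or ingress.tls.enabled is not true. The template/output file names and the render-values.sh script name are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the Scrydon docs: fill the REPLACE-WITH-* placeholders
# of Step 3 with fresh secrets and refuse to hand the file to helm (Step 4)
# while any placeholder survives or ingress.tls.enabled is not true.
set -eu

# gen_secret N: 2N hex characters, same as the `openssl rand -hex N` hints in
# the values comments; falls back to /dev/urandom where openssl is absent.
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then openssl rand -hex "$1"
  else dd if=/dev/urandom bs="$1" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
  fi
}

# render_values TEMPLATE OUTPUT: one fresh secret per placeholder, written
# owner-only (umask 077) because OUTPUT now holds live credentials.
render_values() {
  db_pw=$(gen_secret 16); auth_secret=$(gen_secret 32); sr_pw=$(gen_secret 24)
  (
    umask 077
    sed -e "s/REPLACE-WITH-DB-PASSWORD/$db_pw/" \
        -e "s/REPLACE-WITH-AUTH-SECRET/$auth_secret/" \
        -e "s/REPLACE-WITH-STARROCKS-PW/$sr_pw/" "$1" > "$2"
  )
}

# check_values FILE: returns 0 only when FILE is safe to pass to helm install.
check_values() {
  # Any REPLACE-WITH-* or <angle-bracket> placeholder means a value never set.
  if grep -nE 'REPLACE-WITH-|<[a-z][a-z-]*>' "$1"; then
    echo "$1: unfilled placeholders listed above" >&2; return 1
  fi
  # ingress.tls.enabled defaults to false; the minimal install must set it true.
  # Indentation-based lookup, enough for the Step 3 layout; not a YAML parser.
  tls=$(awk '/^  tls:/ {t=1; next} t && /enabled:/ {print $2; exit}' "$1")
  if [ "$tls" != "true" ]; then
    echo "$1: ingress.tls.enabled is not true" >&2; return 1
  fi
}

# Usage (assumed file names): sh render-values.sh values.template.yaml values.customer.yaml
if [ $# -eq 2 ]; then
  render_values "$1" "$2"
  check_values "$2"
  echo "wrote $2; keep it out of source control"
fi
```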

Step 5: Run the setup wizard

Open https://app.example.com/platform/setup and complete the five steps: paste the { jwt, publicKey } license bundle, create the admin account, name your organization, configure email (or skip), and finish. Then sign in at https://app.example.com/.

The wizard, license bundle format, and pod/ingress/certificate verification are documented in full on the Helm reference.

On-prem specifics

These are the places an on-prem cluster differs from a managed cloud one:

  • Storage class — set global.storageClass (Step 3) to your provisioner. There is no cloud default.
  • Ingress — there's no cloud load balancer; expose Traefik via NodePort, MetalLB, or your own L4/L7 LB. See Routing modes.
  • TLS — if a hardware or edge load balancer terminates TLS in front of the cluster, see TLS Offloading.
  • Database — the bundled Postgres works out of the box; point at an external instance via BYO Database.
  • No outbound internet? If the cluster is fully isolated, use Air-Gapped Deployment instead — it ships images via a Zarf bundle.

All options

Everything beyond this minimal path — per-app subdomain routing, custom path prefixes, an existing Dapr control plane, StarRocks credential lock-down, low-resource trims, pod scheduling, and day-2 operations — lives in the Helm reference.