Prerequisites
Requirements before deploying the Scrydon platform
Before deploying Scrydon, ensure your environment meets the requirements below.
Kubernetes
- Version: Kubernetes 1.28 or later
- Helm: Helm 3.14 or later
- A namespace-scoped service account with permissions to create Deployments, Services, Ingresses, Secrets, and ConfigMaps
PostgreSQL
The Helm chart bundles PostgreSQL 18 with pgvector by default (infra.db.enabled: true). No external database is required for standard deployments — the bundled instance pre-creates every database the enabled services need.
Bring your own (managed) Postgres
If you prefer a managed instance (RDS, Cloud SQL, Azure Database for PostgreSQL, Supabase, Neon, CloudNativePG, …), set infra.db.enabled: false and pre-provision the following before running helm install — the chart's migration Jobs will crash on first install otherwise.
| Requirement | Notes |
|---|---|
| Version | PostgreSQL 15 or later |
| Extension | pgvector must be installable. Most managed providers ship it (RDS ≥ 15.3, Cloud SQL 15+, Azure Flexible Server with azure.extensions=VECTOR, Supabase, Neon). |
Databases to pre-create. One per enabled component — every component is enabled by default in the chart, so plan for all five unless you've disabled something:
| Database | Required when | pgvector? |
|---|---|---|
auth | always | yes |
agentic | always | yes |
analytics | analytics.enabled: true (default) | no |
cortex (or cortex.database.name) | cortex.enabled: true (default) | yes |
ontology (or apiOntology.database.name) | apiOntology.enabled: true (default) | no |
Apply this against your managed Postgres before helm install:
CREATE DATABASE auth;
CREATE DATABASE agentic;
CREATE DATABASE analytics; -- if analytics.enabled (default)
CREATE DATABASE cortex; -- if cortex.enabled (default)
CREATE DATABASE ontology; -- if apiOntology.enabled (default)
\c auth
CREATE EXTENSION IF NOT EXISTS vector;
\c agentic
CREATE EXTENSION IF NOT EXISTS vector;
\c cortex
CREATE EXTENSION IF NOT EXISTS vector;See Managed Postgres (BYO Database) for per-provider notes, the corresponding infra.db.external.* Helm values, and connection-pooling guidance.
DNS
The default and recommended routing mode is subpath — every Scrydon app lives behind a single hostname under a path prefix. You need one DNS A (or CNAME) record pointing at the cluster ingress IP:
| Hostname | Routes |
|---|---|
app.yourdomain.com | /cortex, /agentic, /analytics, /platform, /api/auth, /api/ontology, /api/table, /agentic/realtime, /marimo |
Replace app.yourdomain.com with your actual hostname.
If you instead use subdomain routing (per-app hostnames), you will need one A record per app — see Routing Modes for the full mapping and the trade-offs.
TLS Certificates
All services must be served over HTTPS. We recommend cert-manager with Let's Encrypt for automatic certificate provisioning:
# Install cert-manager (if not already present)
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager --create-namespace \
--set installCRDs=trueAlternatively, you can supply your own certificates as Kubernetes TLS Secrets and reference them in Helm values.
License Bundle
You must have a valid Scrydon license bundle before completing setup. Contact sales@scrydon.com to request one.
The bundle is a JSON file containing both the signed JWT and the matching RSA public key:
{
"jwt": "eyJhbGciOiJSUzI1NiIs…",
"publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjAN…\n-----END PUBLIC KEY-----"
}After installing the chart, paste the bundle into the /setup wizard. Alternatively, pre-seed it via the auth.secrets.LICENSE and auth.secrets.LICENSE_PUBLIC_KEY Helm values — see Helm.
To inspect a bundle before installing — confirm the tier, entitlements, and expiry match what you ordered — use the in-browser License Checker.
License verification runs in the api-platform pod at runtime (the @scrydon/better-auth-license Better-Auth plugin) — there is no init container and no scrydon-license Kubernetes Secret to manage. The bundle lives in the platform_config table and is rotated through the platform UI.
See Licensing for the full lifecycle.
Resource Requirements
Minimum (Evaluation / Small Teams)
| Resource | Requirement |
|---|---|
| CPU | 6 vCPU |
| RAM | 32 GB |
| Disk | 80 GB (database + StarRocks + images) |
| GPU | Not required |
These numbers assume the full default stack (Platform UI, Agentic, Cortex, Analytics, the bundled Postgres, SeaweedFS, and a single-pod StarRocks for Managed Tables). To run on smaller nodes (4 vCPU / 16 GB), trim the optional components — see Helm → Trimming for low-resource installs.
Recommended (Production)
| Resource | Requirement |
|---|---|
| CPU | 16 vCPU |
| RAM | 64 GB |
| Disk | 200 GB SSD |
| GPU | Optional — required only for local AI model inference (e.g., running Ollama in-cluster) |
Note: GPU resources are contractually licensed (your license JWT will reflect your entitlement), but Scrydon does not runtime-enforce GPU limits. GPU nodes are only needed if you plan to run local inference models inside your cluster.
Per-Service Memory Limits
The Helm chart applies the following memory limits per pod (single-replica defaults). Use these to size node pools and HPA targets — sum across enabled services, then add 30% headroom for kube system pods, Dapr sidecars (~250 MiB each), and burst capacity.
| Service | Memory limit | Notes |
|---|---|---|
platform (UI) | 1 GiB | SSR shell + control-plane routes |
agentic (workflow app) | 4 GiB | Heaviest app — workflow engine + Dapr actor host |
agentic-realtime | 512 MiB | WebSocket fan-out |
analytics (UI) | 2 GiB | SSR + chart rendering |
cortex (chat UI) | 2 GiB | SSR + LLM streaming proxy |
api-platform (auth/API) | 2 GiB | Catalog + workspace sources |
api-ontology | 512 MiB | Optional |
api-table | 512 MiB | Enabled by default — backs Managed Tables; disable with apiTable.enabled: false |
marimo-sidecar | 2 GiB | Python kernel for analytics notebooks |
infra.db (Postgres) | 1 GiB | Bundled — disable if using managed Postgres |
infra.seaweedfs | 1 GiB | Bundled — disable if using managed S3 |
infra.starrocks | 8 GiB | Enabled by default (single-pod allin1); disable with infra.starrocks.enabled: false or replace with the StarRocks Operator for multi-AZ |
Limits were last revised on 2026-05-18 following the v1.3.5-rc.54 binary-minification rollout (PR #1142), which roughly doubled steady-state RSS for the SSR apps. If you upgrade across that boundary on a pre-existing cluster, verify your node pool has headroom for the new limits before running helm upgrade.
Key Environment Variables
The Helm chart injects these environment variables automatically from your values file. You do not need to set them manually, but you should understand what they configure:
| Variable | Description | Set Via |
|---|---|---|
AUTH_URL | Internal URL of the api-platform service | auth.publicUrl in values |
DATABASE_URL | PostgreSQL connection string | auth.database.* in values |
DAPR_HTTP_PORT | Dapr sidecar port (set when Dapr is enabled) | dapr.enabled in values |
Next step: Pick where you're deploying — On-Premise, Azure, or Air-Gapped — or go straight to the Helm reference.