Deploy Adaptive Engine on your own infrastructure using the Helm chart.
Self-hosted deployments have no external connectivity or telemetry requirements.

Prerequisites

Infrastructure

  1. Kubernetes cluster with:
    • GPU VM(s) for harmony compute plane
    • CPU VM(s) for control-plane and recipe-runner
  2. PostgreSQL 16+ (local or remote)
  3. Redis (local or remote)
  4. Shared storage (POSIX or S3-compatible)
  5. OIDC provider (Google Workspace, Azure Entra ID, Cognito, Keycloak, etc.)
  6. Domain name routing to the deployment

Kubernetes Requirements

  • Kubernetes 1.28+
  • Helm 3.8.0+
  • NVIDIA GPU operator
  • CUDA 12.8+ with driver 570.172.08+

Deployment Checklist

  1. Verify GPU quota: Ensure cloud GPU quotas accommodate your instance types and counts.
  2. Provision infrastructure: Deploy Kubernetes cluster, database, Redis, storage, and configure OIDC.
  3. Get container registry access: Obtain access to Adaptive Engine private registry (requires commercial contract).
  4. Configure Helm values: Pull the chart and customize values.yaml.
  5. Deploy: Run helm install.

Set administrator emails in values.yaml before those users first log in.

Helm Configuration

Container Registry

containerRegistry: <aws_account_id>.dkr.ecr.<region>.amazonaws.com
harmony:
  image:
    repository: adaptive-repository
    tag: harmony:latest
controlPlane:
  image:
    repository: adaptive-repository
    tag: control-plane:latest

Resource Limits

harmony:
  replicaCount: 1
  gpusPerReplica: 8  # Match available GPUs per node
  resources:
    limits:
      cpu: 8
      memory: 64Gi
    requests:
      cpu: 8
      memory: 60Gi

Secrets

secrets:
  modelRegistryUrl: "s3://bucket-name/model_registry"
  sharedDirectoryUrl: "s3://bucket-name/shared"
  dbUrl: "postgres://user:password@host:5432/db_name"
  cookiesSecret: "must-be-64-chars-or-more-change-me-secret-abc123..."

  auth:
    oidc:
      providers:
        - name: "Google"
          key: "google"
          issuer_url: "https://accounts.google.com"
          client_id: "your-client-id"
          client_secret: "your-client-secret"
          scopes: ["email", "profile"]
          pkce: true
          allow_sign_up: true

If allow_sign_up is true, any member of the OIDC provider can access Adaptive Engine. Set it to false and create users via the SDK to restrict access.

Shared Cluster Configuration

Separate Namespace

helm install adaptive adaptive/adaptive \
  --values ./values.yaml \
  --namespace adaptive-engine \
  --create-namespace

Node Selectors

Schedule Harmony on specific GPU nodes:
harmony:
  nodeSelector:
    eks.amazonaws.com/nodegroup: p5-h100

Dedicated GPU Nodes

Taint GPU nodes so that other workloads are not scheduled on them:
kubectl taint nodes <node_name> dedicated=adaptive-engine:NoSchedule
Add a matching toleration in values.yaml:
harmony:
  tolerations:
  - key: dedicated
    operator: Equal
    value: adaptive-engine
    effect: NoSchedule

Database TLS

Basic Encryption

dbUrl: "postgres://user:password@host/db?sslmode=require"

Certificate Verification

For full verification (sslmode=verify-full):
  1. Download the database server certificate
  2. Create a ConfigMap:
    kubectl create configmap -n <namespace> db-ca --from-file=rds-ca-rsa2048-g1.pem
    
  3. Mount in values.yaml:
    volumes:
      - name: db-ca
        configMap:
          name: db-ca
    volumeMounts:
      - name: db-ca
        mountPath: /mnt/db-ca/
        readOnly: true
    
  4. Reference in connection string:
    dbUrl: "postgres://user:password@host/db?sslmode=verify-full&sslrootcert=/mnt/db-ca/rds-ca-rsa2048-g1.pem"
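
A pre-install check for the settings under Secrets and Database TLS, added here as an example and not part of the Adaptive Engine chart or its tooling. The function name audit_secrets, the PLACEHOLDERS list and the sample dict are assumptions of this example; the dict stands in for the parsed secrets block of values.yaml.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the page's `secrets` block as the dict a YAML loader
# (for example PyYAML's yaml.safe_load) would return. Values are placeholders.
SAMPLE_SECRETS = {
    "dbUrl": "postgres://user:password@host:5432/db_name?sslmode=require",
    "cookiesSecret": "must-be-64-chars-or-more-change-me-secret-abc123",
    "auth": {"oidc": {"providers": [{
        "key": "google", "client_secret": "your-client-secret",
        "pkce": True, "allow_sign_up": True,
    }]}},
}
# Fragments of the page's sample values that must not reach a real deployment.
PLACEHOLDERS = ("change-me", "your-client-secret")


def audit_secrets(secrets, ca_mount="/mnt/db-ca/"):
    """Return findings for the `secrets` block; an empty list means it passed."""
    findings = []
    # Database TLS: the page reserves full verification for sslmode=verify-full
    # plus an sslrootcert that lives under the mounted ConfigMap path.
    query = parse_qs(urlsplit(secrets.get("dbUrl", "")).query)
    sslmode = query.get("sslmode", ["<unset>"])[0]
    if sslmode != "verify-full":
        findings.append(f"dbUrl: sslmode={sslmode}, expected verify-full")
    elif not query.get("sslrootcert", [""])[0].startswith(ca_mount):
        findings.append(f"dbUrl: sslrootcert is not under {ca_mount}")
    # Cookie secret: 64 characters or more, and not the sample text.
    cookie = secrets.get("cookiesSecret", "")
    if len(cookie) < 64:
        findings.append(f"cookiesSecret: {len(cookie)} chars, need 64 or more")
    if any(p in cookie for p in PLACEHOLDERS):
        findings.append("cookiesSecret: contains placeholder text")
    # OIDC providers: open sign-up, PKCE off, placeholder client secret.
    for prov in secrets.get("auth", {}).get("oidc", {}).get("providers", []):
        key = prov.get("key", "?")
        if prov.get("allow_sign_up"):
            findings.append(f"oidc[{key}]: allow_sign_up is true")
        if not prov.get("pkce"):
            findings.append(f"oidc[{key}]: pkce is not enabled")
        if any(p in prov.get("client_secret", "") for p in PLACEHOLDERS):
            findings.append(f"oidc[{key}]: client_secret is a placeholder")
    return findings


if __name__ == "__main__":
    for finding in audit_secrets(SAMPLE_SECRETS):
        print("FINDING:", finding)
```

Run it against the parsed values.yaml before helm install and treat a non-empty result as a blocker, or as an item to review where open sign-up is intended.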