# Helm Chart Requirements for Data Sovereignty Deployment

## Required Services

### Core Application Stack

- drupal: Main application pods with llm_platform recipe
- litellm: Universal AI provider gateway
- ollama: Local AI inference engine
- qdrant: Vector database for semantic search
- redis: Session storage and caching
- mariadb: Primary database with encryption
- nginx: Reverse proxy with SSL termination

### Security Components

- NetworkPolicies: Pod-to-pod communication restrictions
- PodSecurityPolicies: Container security hardening
- ServiceMesh (Istio): Zero-trust networking
- SealedSecrets: Encrypted secret management
- Cert-Manager: Automated SSL certificate management

### Data Sovereignty Features

- PersistentVolumes: Encrypted storage with local retention
- Velero: Backup operator for disaster recovery
- Prometheus: Metrics collection and monitoring
- Grafana: Monitoring dashboards
- Ingress: Traffic routing with geo-blocking

## Configuration Requirements

### Drupal Configuration

```yaml
drupal:
  recipe: llm_platform
  variant: enterprise
  persistence:
    enabled: true
    size: 10Gi
    storageClass: encrypted-local
  config:
    ollama_url: "http://ollama:11434"
    litellm_url: "http://litellm:4000"
    qdrant_url: "http://qdrant:6333"
```

### LiteLLM Gateway

```yaml
litellm:
  config:
    providers:
      - name: ollama
        base_url: "http://ollama:11434"
        priority: 1
      - name: openai
        api_key: "${OPENAI_API_KEY}"
        priority: 2
    features:
      load_balancing: true
      cost_tracking: true
      health_checks: true
```

### Ollama Configuration

```yaml
ollama:
  models:
    - llama3.2:7b
    - nomic-embed-text
  resources:
    requests:
      memory: 4Gi
      cpu: 2
    limits:
      memory: 8Gi
      cpu: 4
```

### Vector Database

```yaml
qdrant:
  persistence:
    size: 20Gi
    storageClass: fast-ssd
  config:
    cluster_size: 3
    replication_factor: 2
```

## Security Hardening

### Network Policies

```yaml
networkPolicies:
  - name: drupal-ingress
    podSelector:
      app: drupal
    policyTypes:
      - Ingress
    ingress:
      - from:
          - podSelector:
              app: nginx
        ports:
          - protocol: TCP
            port: 80
```

### Pod Security

```yaml
podSecurityPolicy:
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 2000
  seccompProfile:
    type: RuntimeDefault
```

## Data Classification

### Storage Classes

```yaml
storageClasses:
  - name: encrypted-local
    provisioner: kubernetes.io/no-provisioner
    parameters:
      type: local
      encryption: aes-256
      locality: restricted
```

### Backup Configuration

```yaml
velero:
  schedule: "0 2 * * *"
  retention: 30d
  storageLocation: local-only
  excludeResources:
    - secrets
    - tokens
```

## Monitoring Stack

### Prometheus Configuration

```yaml
prometheus:
  scrapeConfigs:
    - job_name: drupal
      static_configs:
        - targets: ['drupal:9090']
    - job_name: litellm
      static_configs:
        - targets: ['litellm:8080']
```

### Grafana Dashboards

- AI Provider Performance
- Data Sovereignty Compliance
- Security Audit Logs
- Resource Usage Analytics

## Missing Components

### Infrastructure

- Container vulnerability scanning
- Automated secret rotation
- Multi-region data replication
- Disaster recovery automation

### Security

- Runtime threat detection
- Behavioral analytics
- Advanced audit logging
- Compliance automation

### Data Governance

- Data lineage tracking
- Automated data classification
- Retention policy enforcement
- Consent management

## Deployment Checklist

### Pre-Deployment

- Kubernetes cluster with RBAC enabled
- Storage classes configured for encryption
- Network policies tested
- Secrets management configured
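
A pre-deployment check for the values above, added here as an example and not part of the chart: it encodes this page's hardening and residency requirements (non-root pods with the default seccomp profile, persistent volumes on an encrypted storage class, a NetworkPolicy selecting the Drupal pods, local-only backups that exclude secrets) as assertions over the parsed chart values. The values dict is constructed from the page's fragments, and `check_values` and `weakened` are hypothetical helper names.

```python
import copy
# Chart values constructed from the fragments on this page (a real run would load
# values.yaml with yaml.safe_load; the checks operate on the parsed dict).
VALUES = {
    "drupal": {"persistence": {"storageClass": "encrypted-local"}},
    "qdrant": {"persistence": {"storageClass": "fast-ssd"}},
    "podSecurityPolicy": {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
                          "runAsUser": 1000, "seccompProfile": {"type": "RuntimeDefault"}},
    "storageClasses": [{"name": "encrypted-local", "parameters": {"encryption": "aes-256"}}],
    "networkPolicies": [{"name": "drupal-ingress", "podSelector": {"app": "drupal"}}],
    "velero": {"storageLocation": "local-only", "excludeResources": ["secrets", "tokens"]},
}

def check_values(v):
    """Return one finding per page requirement the values violate; [] means all pass."""
    findings = []
    psp = v.get("podSecurityPolicy", {})
    if psp.get("allowPrivilegeEscalation", True):
        findings.append("podSecurityPolicy.allowPrivilegeEscalation must be false")
    if not psp.get("runAsNonRoot") or psp.get("runAsUser", 0) == 0:
        findings.append("podSecurityPolicy must run as a non-root UID")
    if psp.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append("podSecurityPolicy.seccompProfile.type must be RuntimeDefault")
    # Every component with persistence must use a class declared with an encryption parameter.
    encrypted = {sc["name"] for sc in v.get("storageClasses", [])
                 if sc.get("parameters", {}).get("encryption")}
    for comp, spec in v.items():
        if isinstance(spec, dict) and "persistence" in spec:
            sc = spec["persistence"].get("storageClass")
            if sc not in encrypted:
                findings.append(f"{comp}.persistence.storageClass {sc!r} is not a defined encrypted class")
    if "drupal" not in {p.get("podSelector", {}).get("app") for p in v.get("networkPolicies", [])}:
        findings.append("no NetworkPolicy selects app=drupal")
    velero = v.get("velero", {})
    if velero.get("storageLocation") != "local-only":
        findings.append("velero.storageLocation must be local-only for data residency")
    if "secrets" not in velero.get("excludeResources", []):
        findings.append("velero backups must exclude secrets")
    return findings

def weakened():
    """A deliberately weakened copy: Drupal on the undeclared class, root UID permitted."""
    w = copy.deepcopy(VALUES)
    w["drupal"]["persistence"]["storageClass"] = "fast-ssd"
    w["podSecurityPolicy"]["runAsNonRoot"] = False
    return w

if __name__ == "__main__":
    print("page values:", check_values(VALUES) or "OK")
    print("weakened:", check_values(weakened()))
```

Run against the page's own fragments, the check flags qdrant: its `fast-ssd` class does not appear in the storageClasses section with an encryption parameter, so that volume does not meet the "encrypted storage with local retention" requirement as written.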

### Post-Deployment

- SSL certificates installed
- Monitoring dashboards configured
- Backup schedules verified
- Security scans completed
- Compliance audit passed

## Compliance Notes

### Data Residency

- All data processing occurs within cluster boundaries
- No external API calls for sensitive data
- Local storage with encryption at rest
- Audit trails for all data access

### Security Standards

- Zero-trust network architecture
- Encrypted communication between services
- Regular security scanning and updates
- Role-based access control enforcement

### Operational Security

- Automated backup and recovery procedures
- Monitoring and alerting for anomalies
- Regular security assessments
- Incident response procedures