Production Kubernetes Deployment

A comprehensive guide for deploying Fides in production Kubernetes environments with external managed services.

This guide covers production deployments with external databases, Redis, object storage, and advanced configuration. For simpler development setups with in-cluster dependencies, see the Basic Kubernetes Installation.

Prerequisites

Before starting, ensure you're familiar with:

The Fides Kubernetes Architecture to understand component interactions
Your cloud provider's managed services (PostgreSQL, Redis, Object Storage)
Helm v3 (opens in a new tab) and kubectl

Required External Services

Production deployments require these externally managed services:

Service	Purpose	Examples
PostgreSQL	Primary database for application state	AWS RDS, Google Cloud SQL
Redis/Valkey	Caching and message broker for job queues	AWS ElastiCache, Google Cloud Memorystore
Object Storage	Downloadable reports and file storage	AWS S3, Google Cloud Storage
Ingress	Load balancing and TLS termination	AWS Load Balancer Controller, GCP Ingress
CDN (Optional)	Static asset caching and global distribution	AWS CloudFront, Cloudflare

This guide uses the official Fides Helm chart (opens in a new tab) which provides production-ready defaults. The Helm chart is designed to be flexible and adaptable to your organization's unique infrastructure requirements.

Production Deployment Steps

Step 1: Set Up PostgreSQL Database

Fides uses PostgreSQL as its primary application database. Configure a managed PostgreSQL instance, then create a Kubernetes secret for Fides to use.

AWS RDS Aurora PostgreSQL

Recommended instance size: db.t3.medium or larger
Enable automatic backups
Configure security groups to allow access from your Kubernetes cluster

Configuration Details to Collect:

DB_HOST: RDS endpoint hostname
DB_PORT: Port (typically 5432)
DB_DATABASE: Database name (e.g., fides)
DB_USERNAME: Database user (e.g., fides_user)
DB_PASSWORD: User password

Create PostgreSQL Secret:

kubectl create secret generic fides-postgres-secret \
  --from-literal=DB_HOST=<your-database-endpoint> \
  --from-literal=DB_PORT=5432 \
  --from-literal=DB_DATABASE=fides \
  --from-literal=DB_USERNAME=<your-db-username> \
  --from-literal=DB_PASSWORD=<your-db-password>

Step 2: Set Up Redis Cache

Fides uses Redis/Valkey for temporary storage and worker job queues. Configure a managed Redis instance, then create a Kubernetes secret for Fides configuration.

AWS ElastiCache for Redis

Recommended node type: cache.t3.micro or larger
Enable automatic backups
Configure security groups to allow access from your Kubernetes cluster

Configuration Details to Collect:

REDIS_HOST: ElastiCache endpoint hostname
REDIS_PORT: Port (typically 6379)
REDIS_PASSWORD: AUTH token/password

Create Redis Secret:

kubectl create secret generic fides-redis-secret \
  --from-literal=REDIS_HOST=<your-redis-endpoint> \
  --from-literal=REDIS_PORT=6379 \
  --from-literal=REDIS_PASSWORD=<your-redis-password>

Step 3: Set Up Object Storage

Fides uses object storage for downloadable reports. Configure your object storage bucket and collect the necessary authentication details.

AWS S3 Setup:

Create S3 bucket with private access (block all public access)
Configure bucket region (note: should match your Kubernetes cluster region for optimal performance)
Set up authentication:
- Recommended: IAM roles for service accounts (IRSA) for automatic credential management
- Alternative: Access keys (requires manual credential management)

Configuration Details to Collect:

Bucket name and region
Authentication credentials:
- IAM Role ARN (IRSA), or
- Access key ID and secret

Security Considerations:

Enable bucket encryption at rest (opens in a new tab)
Configure lifecycle policies for automatic cleanup of old reports
Ensure bucket permissions allow only Fides service accounts to read/write

Post-Deployment Configuration: After deployment, you'll need the bucket name to configure Fides storage destinations for privacy request data exports. See the Configure Storage Destinations guide for detailed setup instructions.

Step 4: Create Fides Security Secret

Generate security credentials and encryption keys for the Fides application.

Create Security Secret:

kubectl create secret generic fides-security-secret \
  --from-literal=FIDES__SECURITY__APP_ENCRYPTION_KEY="$(openssl rand -hex 16)" \
  --from-literal=FIDES__SECURITY__OAUTH_ROOT_CLIENT_ID="fides-production-client" \
  --from-literal=FIDES__SECURITY__OAUTH_ROOT_CLIENT_SECRET="$(openssl rand -hex 32)" \
  --from-literal=FIDES__SECURITY__DRP_JWT_SECRET="$(openssl rand -hex 32)" \
  --from-literal=FIDES__SECURITY__ROOT_USERNAME=admin \
  --from-literal=FIDES__SECURITY__ROOT_PASSWORD=<your-admin-password>

Note: The openssl rand -hex commands generate cryptographically secure random keys. Replace <your-admin-password> with a strong password for the Fides admin user.

Step 5: Configure Enterprise Image Access

Prerequisites: Complete Steps 1-4 and obtain Docker credentials from Ethyca support.

Configure access to the Fides Enterprise image for additional features and capabilities.

Create Docker Registry Secret:

kubectl create secret docker-registry fides-docker-secret \
  --docker-server=docker.io \
  --docker-username=<username-from-ethyca> \
  --docker-password=<token-from-ethyca> \
  --docker-email=<your-email>

Configure Enterprise Image:

# Add to values-production.yaml
fides:
  image:
    repository: "ethyca/fidesplus"
    tag: "latest"  # or specific version tag
  imagePullSecrets:
    - name: "fides-docker-secret"

Step 6: Install the Fides Helm Chart

Prerequisites: Complete Steps 1-5 (Docker registry secret optional for enterprise features).

The Helm chart uses pre-built images hosted on public DockerHub by default. Configure the Docker registry secret from Step 5 only if you need Fides Enterprise features.

Create a custom values.yaml file to configure Fides for production:

# values-production.yaml
fides:
  count: 2  # Multiple pods for high availability
  publicHostname: "admin.privacy.company.com"
  configuration:
    dbSecretName: "fides-postgres-secret"
    redisSecretName: "fides-redis-secret" 
    fidesSecuritySecretName: "fides-security-secret"
 
privacyCenter:
  count: 2  # Multiple pods for high availability
  publicHostname: "privacy.company.com"
 
# Disable in-cluster databases (use external)
postgresql:
  deployPostgres: false
 
redis:
  deployRedis: false
 
# Use existing object storage bucket
s3:
  createS3Bucket: false
  bucketName: "your-fides-reports-bucket"
  region: "your-region"
 
# Enable ingress
ingress:
  enabled: true

Deploy Fides with your custom configuration:

# Deploy with custom values
helm install fides ethyca/fides --values values-production.yaml
 
# Monitor deployment progress
kubectl get pods -w

Verify the deployment:

# Check all pods are running
kubectl get pods
 
# Check service status
kubectl get services
 
# Test health endpoint (requires port-forward initially)
kubectl port-forward svc/fides 8080:8080
curl http://localhost:8080/health

Security Best Practice: Never hardcode credentials in values.yaml files. All sensitive data should be stored in Kubernetes Secrets.

Step 7: Enable Workers and Background Processing

Prerequisites: Complete Steps 1-6 with Fides deployed and accessible.

Enable background workers for privacy request processing, consent management, and other background tasks.

Worker Configuration:

# Add to values-production.yaml
fides:
  workers:
    - name: other
      count: 2
      excludeQueues:
        - fides.dsr
        - fides.privacy_preferences

For detailed worker configuration including product-specific requirements (Lethe, Janus, Helios), resource sizing, and advanced customization, see the Workers Reference guide.

Deploy Worker Changes:

helm upgrade fides ethyca/fides --values values-production.yaml
kubectl rollout restart deployment/fides
 
# Verify worker health
curl https://your-fides-domain/health/workers

Important: Worker recognition requires a main Fides deployment restart. Plan for a brief service interruption.

Step 8: Configure External Access

Prerequisites: Complete Steps 1-7 with workers deployed.

Configure ingress and TLS certificates to make Fides accessible via custom domains.

Fides uses hostname-based routing to serve two applications from one ingress:

Admin Interface (fides.publicHostname): API and administrative dashboard
Privacy Center (privacyCenter.publicHostname): Public-facing privacy portal

Option 1: AWS Load Balancer Controller (Recommended for AWS)

The Fides Helm chart can install the AWS Load Balancer Controller. Here's a minimal example with common annotations—modify as needed for your environment:

# Enable AWS Load Balancer Controller installation
ingress:
  installIngressController:
    awsLoadBalancerController: true
  enabled: true
  className: "alb"
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
 
# Hostname configuration
fides:
  publicHostname: "admin.privacy.company.com"
privacyCenter:
  publicHostname: "privacy.company.com"

Option 2: Existing Ingress Controller

If you already have an ingress controller installed:

ingress:
  installIngressController:
    awsLoadBalancerController: false
  enabled: true
  className: "nginx"  # or your ingress class
 
fides:
  publicHostname: "admin.privacy.company.com"
privacyCenter:
  publicHostname: "privacy.company.com"

Step 9: Configure CDN (Optional)

Prerequisites: Complete Steps 1-8 with external access configured.

Optimize Privacy Center performance with a CDN. These instructions are specific to AWS CloudFront; contact support for assistance with other CDN providers.

CloudFront Distribution Settings:

Origin: Your Kubernetes ingress HTTPS URL
Compression: Enable Brotli and Gzip
Security: HTTPS-only with TLS 1.2 minimum

Request Policy (Headers Forwarded to Origin): Forward these 10 headers to ensure proper Privacy Center functionality:

Access-Control-Request-Headers
Access-Control-Request-Method
CloudFront-Viewer-Country
CloudFront-Viewer-Country-Name
CloudFront-Viewer-Country-Region
CloudFront-Viewer-Country-Region-Name
Origin
Next-Router-State-Tree
Next-Url
RSC

Plus: Forward all cookies and all query strings.

Cache Key Configuration: Include only these geolocation headers in the cache key for region-specific caching:

CloudFront-Viewer-Country
CloudFront-Viewer-Country-Region

Plus: Include all query strings in the cache key.

Cache Behavior Rules:

Static assets (CSS, JS, images): Cache for 1 hour with geolocation-based cache keys

Important: The cache key uses minimal headers (country/region only) to enable efficient region-specific caching, while the request policy forwards all necessary headers to ensure the Privacy Center functions correctly.

Step 10: Configure Cluster Sizing

Prerequisites: Complete Steps 1-9.

Configure the number of pods based on your expected traffic and usage patterns.

Note: The public Helm chart doesn't currently include Horizontal Pod Autoscaler (HPA) configuration but can be easily extended based on your preferences.

# Add to values-production.yaml
fides:
  count: 3  # Scale based on expected API traffic
 
privacyCenter:
  count: 2  # Scale based on expected user traffic

Sizing Considerations:

Fides servers: Scale based on API requests, admin users, and integration volume
Privacy Center: Scale based on end-user traffic and consent management load
Workers: See the Workers Reference for detailed resource requirements, scaling considerations, and configuration examples for all worker types

For assistance with production sizing based on your specific usage patterns and requirements, contact Ethyca support.

Next Steps

With your production Fides deployment complete:

Configure storage destinations for privacy request exports
Set up integrations to connect to your data systems
Review security best practices for production deployments
Configure background workers based on your product usage (Lethe, Janus, Helios)
Set up monitoring and alerting for your deployment

Architecture Overview Terraform