# On-premise deployment

{% hint style="info" %}
**Note**: On-premise deployment is available only for users subscribed to our [Enterprise plan](https://www.groundcover.com/pricing).
{% endhint %}

groundcover on-premise installation allows you to use groundcover in secured environments without relying on outbound connections except for authentication purposes (Auth0).

<figure><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-6f87b7d59357dfed295155006502cd010e583c0c%2Fimage%20(37).png?alt=media" alt=""><figcaption></figcaption></figure>

In this mode, groundcover installation includes 3 additional components:

* `router` - the frontend microservice
* `grafana`
* `postgresql` - db backend for the router and grafana microservices

#### Load the enterprise image pull secret

* Upon subscribing to [Enterprise plan](https://www.groundcover.com/pricing), you should receive a `groundcover-enterprise-key` Kubernetes Secret Object.
* Create a groundcover naåmespace (if not created by now)\
  `kubectl create ns groundcover`
* Load the image pull secret into the namespace\
  `kubectl create -f groundcover-enterprise-key.yml --namespace=groundcover`

#### Create the Helm override

```yaml
global:
  telemetry:
    enabled: false

saas:
  tls_skip_verify: true
  scheme: ws
  host: router-proxy
  port: 80

router:
  enabled: true
  imagePullSecrets:
  - groundcover-enterprise-key
  ingress:
    enabled: true # in case your are exposing the frontend
  ingresses:
    - name: frontend
      ingressClassName: #{lb class in case your are exposing the frontend}
      annotations:
      hosts:
        - host: #{domain}
          paths:
            - path: /
              pathType: Prefix
              port: 80
```

#### Optional: use existing PostgreSQL

* Create a database on existing PostgresSQL

```sql
CREATE DATABASE grafana;
CREATE DATABASE rbac;
CREATE DATABASE kong;
```

* Either manually or using a secret manager, create a secret in the following structure:

```
apiVersion: v1
kind: Secret
metadata:
  name: groundcover-postgresql
  namespace: groundcover
stringData:
  postgres-password: <password>
type: Opaque
```

* Create/Update helm overrides file, with the following override:

```
global:
  postgresql:
    enabled: false
    overrideUrl: <postgres-url> #postgresql.default.svc.cluster.local:5432
    auth:
      existingSecret: groundcover-postgresql
      secretKeys:
        adminPasswordKey: postgres-password
```