# On-premise deployment

{% hint style="info" %}
**Note**: On-premise deployment is available only for users subscribed to our [Enterprise plan](https://www.groundcover.com/pricing).
{% endhint %}

groundcover on-premise installation allows you to use groundcover in secured environments without relying on outbound connections except for authentication purposes (Auth0).

{% hint style="info" %}
**Agent Mode on on-premises deployments.** Agent Mode is available on AWS or GCP - contact your groundcover account team to set up the required LLM services. Enabling it introduces additional outbound traffic to the configured cloud LLM service (AWS Bedrock or Google Cloud Vertex AI), so if you require a fully air-gapped environment, leave Agent Mode disabled. See [Agent Mode Requirements](/use-groundcover/agent-mode/requirements.md).
{% endhint %}

<figure><img src="/files/VpoasNibvCR1S8ySEByP" alt=""><figcaption></figcaption></figure>

In this mode, groundcover installation includes 3 additional components:

* `router` - the frontend microservice
* `grafana`
* `postgresql` - db backend for the router and grafana microservices

#### Load the enterprise image pull secret

* Upon subscribing to [Enterprise plan](https://www.groundcover.com/pricing), you should receive a `groundcover-enterprise-key` Kubernetes Secret Object.
* Create a groundcover naåmespace (if not created by now)\
  `kubectl create ns groundcover`
* Load the image pull secret into the namespace\
  `kubectl create -f groundcover-enterprise-key.yml --namespace=groundcover`

#### Create the Helm override

```yaml
global:
  telemetry:
    enabled: false

saas:
  tls_skip_verify: true
  scheme: ws
  host: router-proxy
  port: 80

router:
  enabled: true
  imagePullSecrets:
  - groundcover-enterprise-key
  ingress:
    enabled: true # in case your are exposing the frontend
  ingresses:
    - name: frontend
      ingressClassName: #{lb class in case your are exposing the frontend}
      annotations:
      hosts:
        - host: #{domain}
          paths:
            - path: /
              pathType: Prefix
              port: 80
```

#### Optional: use existing PostgreSQL

* Create a database on existing PostgresSQL

```sql
CREATE DATABASE grafana;
CREATE DATABASE rbac;
CREATE DATABASE kong;
```

* Either manually or using a secret manager, create a secret in the following structure:

```
apiVersion: v1
kind: Secret
metadata:
  name: groundcover-postgresql
  namespace: groundcover
stringData:
  postgres-password: <password>
type: Opaque
```

* Create/Update helm overrides file, with the following override:

```
global:
  postgresql:
    enabled: false
    overrideUrl: <postgres-url> #postgresql.default.svc.cluster.local:5432
    auth:
      existingSecret: groundcover-postgresql
      secretKeys:
        adminPasswordKey: postgres-password
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.groundcover.com/customization/customize-deployment/on-premise-deployment.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.