---
title: On-premise installation procedure
description: This page describes the installation procedure for PingOne Recognize on-premise.
component: recognize
page_id: recognize:on-premise:on-premise-installation-procedure
canonical_url: https://docs.pingidentity.com/recognize/on-premise/on-premise-installation-procedure.html
llms_txt: https://docs.pingidentity.com/recognize/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
section_ids:
  general-configuration: General configuration
  namespace: Namespace
  helm-setup: Helm setup
  core-daemon: Core Daemon
  metrics-collector: Metrics Collector
  database-connection-and-sizing: Database connection and sizing
  operations-service: Operations Service
  administrator-dashboard: Administrator Dashboard
---

# On-premise installation procedure

## General configuration

PingOne Recognize is provided as a series of Helm charts. Helm charts contain configuration entries that can be overridden.

The following sections describe the relevant and supported configuration entries.

Other configuration entries can be overridden to suit customer needs, but are not explicitly supported by PingOne Recognize. For example:

```yaml
resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

---
autoscaling:
  # -- Enable Pod autoscaling
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80

---
# -- List of certificates to be included in the pod
certificates: []
#  - name: storage-certificate
#    mountPath: "/etc/ssl/custom-ca/storage-cert.pem"
#    subPath: "storage-cert.pem"
#    readOnly: true
#  - name: db-cert
#    mountPath: "/etc/ssl/custom-ca/db-cert.pem"
#    subPath: "db-cert.pem"
#    readOnly: true
```

## Namespace

Namespaces can be overridden, but take extra care when configuring the endpoint in `values.yaml`. For example:

```yaml
configMap:
  # Metrics Collector URI
  # `default` in this context references the namespace for the metrics-collector service
  metricsCollectorUrl: http://metrics-collector.default.svc.cluster.local
```
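A pre-install check for the namespace caveat above, as an added example that is not part of the PingOne Recognize documentation: it pulls the namespace segment out of each `<service>.<namespace>.svc.cluster.local` URL in a values file and reports those that do not match the namespace the target service runs in. The function names, the sample file, and the `recognize` namespace are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): flag in-cluster URLs whose namespace
# segment differs from the namespace the target service is deployed in.

# svc_namespace_mismatches FILE SERVICE EXPECTED_NS
# Prints "key: url" for each http(s)://SERVICE.<ns>.svc.cluster.local URL
# where <ns> != EXPECTED_NS. Exit status is 1 if any mismatch was found.
svc_namespace_mismatches() {
  local file=$1 service=$2 expected=$3
  awk -v svc="$service" -v want="$expected" '
    /^[ \t]*#/ { next }                        # ignore YAML comment lines
    match($0, /https?:\/\/[^ \t"]+/) {
      url = substr($0, RSTART, RLENGTH)
      host = url
      sub(/^https?:\/\//, "", host)            # drop the scheme
      sub(/[:\/].*$/, "", host)                # drop port and path
      n = split(host, part, ".")
      # Fully qualified form: <service>.<namespace>.svc.cluster.local
      if (n == 5 && part[1] == svc && part[3] == "svc" && part[2] != want) {
        key = $1
        sub(/:$/, "", key)
        print key ": " url
        bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$file"
}

# Constructed sample: the services run in a hypothetical "recognize"
# namespace, but one URL still carries the chart default.
write_sample_values() {
  cat > "$1" <<'EOF'
global:
  namespace: recognize
configMap:
  # http://core-daemon.default.svc.cluster.local (comment, ignored)
  metricsCollectorUrl: http://metrics-collector.default.svc.cluster.local
  apiCoreDaemonBasePath: http://core-daemon.recognize.svc.cluster.local/
  csSpringDatasourceUrl: jdbc:postgresql://db.internal:5432/core
EOF
}

tmp=$(mktemp)
write_sample_values "$tmp"
svc_namespace_mismatches "$tmp" metrics-collector recognize \
  || echo "Fix the URL(s) above before running helm upgrade."
rm -f "$tmp"
```

Short names such as `http://core-daemon` are not flagged: they resolve in the calling pod's own namespace, so they only work when both services share one.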

## Helm setup

The first step is to add the PingOne Recognize Helm repository to your Helm repository list with the following command:

```bash
# Placeholder URL: the actual FQDN will be shared upon request
helm repo add keyless https://example.com
```

The charts can then be listed:

```bash
helm search repo keyless
```

![Helm search repo results](_images/keyless-helm-search.png)

The list of required values for each chart can be obtained using the `helm show values` command:

```bash
helm show values keyless/core-daemon
```

![Helm show values results](_images/keyless-helm-show-values.png)

Save and configure the reference `values.yaml` to suit your installation needs. Once configured, apply it with the following command:

```bash
# <release-name>: for example, core-daemon
helm upgrade --install <release-name> keyless/core-daemon -f values.yaml --atomic --wait
```

To allow container images to be pulled from the `quay.io` repository, a registry secret is required. This secret must contain the provided credentials in the format specified in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/secret/#docker-config-secrets).

## Core Daemon

To set up this service, the cluster's internal endpoint is required to allow Core Daemon to connect to PostgreSQL and S3. The default values are sufficient unless each service is deployed in its own dedicated namespace.

If not using AWS, a key must be generated and mounted inside the Core Daemon pods:

```bash
openssl ecparam -name secp256k1 -genkey -noout -out private.pem
openssl ec -in private.pem -pubout -out public.pem

kubectl create secret generic keypair -n <core-daemon-namespace> --from-file=tls.crt=public.pem --from-file=tls.key=private.pem
```

```yaml
global:
  namespace: <core-daemon-namespace>

image:
  tag: 2.30.0

configMap:
  # -- REQUIRED IF NOT USING AWS
  keysFileSystemPublicPath: /etc/ssl/keypair/tls.crt
  keysFileSystemPrivatePath: /etc/ssl/keypair/tls.key

  coreDaemonConfigEnvironment: <environment>
  cloudAwsRegionStatic: <aws-region>
  awsRegion: <aws-region>
  springProfilesActive: json-logging
  cloudAwsS3BucketName: <bucket-name>
  csSpringDatasourceUrl: jdbc:postgresql://<hostname>:5432/<dbName>
  npSpringDatasourceUrl: jdbc:postgresql://<hostname>:5432/<dbName>
  loggingLevelCoreRequest: DEBUG

# -- REQUIRED IF NOT USING AWS
certificates:
  - name: keypair
    mountPath: /etc/ssl/keypair
    readOnly: true

# -- Suggested sizing
resources:
  ## -- Limits
  limits:
    cpu: 1800m
    memory: 2048Mi
  ## -- Requests
  requests:
    cpu: 100m
    memory: 512Mi
```

## Metrics Collector

This service reads from and writes to a database for a BI function. A secret is required to access it.

### Database connection and sizing

The `configMap.springDatasource.url` variable holds the JDBC-formatted string to allow Metrics Collector to connect to its own database. The instance requires a dedicated schema (default: `metricscollector`):

```yaml
global:
  namespace: <metrics-collector-namespace>

image:
  tag: 1.13.3

configMap:
  springDatasource:
    url: jdbc:postgresql://<hostname>:5432/<dbName>

# -- Suggested sizing
resources:
  ## -- Limits
  limits:
    cpu: 1800m
    memory: 2048Mi
  ## -- Requests
  requests:
    cpu: 100m
    memory: 700Mi
```

## Operations Service

To set up this service, the cluster's internal endpoint is required to allow Operations Service to connect to Core Daemon. The default values are sufficient unless each service is deployed in its own dedicated namespace:

```yaml
global:
  namespace: <operations-service-namespace>

image:
  tag: 2.34.0

configMap:
  # -- Core Daemon URI
  apiCoreDaemonBasePath: http://core-daemon.default.svc.cluster.local/

# -- Suggested sizing
resources:
  ## -- Limits
  limits:
    cpu: 1800m
    memory: 2048Mi
  ## -- Requests
  requests:
    cpu: 100m
    memory: 512Mi
```

## Administrator Dashboard

To set up this service, the cluster's internal endpoint is required to allow the Administrator Dashboard to connect to Core Daemon. The default values are sufficient unless each service is deployed in its own dedicated namespace:

```yaml
global:
  namespace: <administrator-dashboard-namespace>

image:
  tag: v1.3.5

configMap:
  typeormUsername: sdk-customer-dashboard-user
  typeormDatabase: sdkcustomerdashboard
  typeormConnection: postgres
  typeormHost: <hostname>
  typeormMigrations: "./migrations/*.ts"
  typeormPort: 5432
  typeormSslRejectUnauthorized: true
  metricsCollectorUrl: http://metrics-collector
  coreDaemonUrl: http://core-daemon
  # The port the service is exposed on
  port: 3000
# -- Suggested sizing
resources:
  ## -- Limits
  limits:
    cpu: 800m
    memory: 2000Mi
  ## -- Requests
  requests:
    cpu: 50m
    memory: 400Mi
```
