---
title: "Choose a Cloud Profile"
url: "https://docs.caracal.run/operations/cloud-native-profiles/"
markdown_url: "https://docs.caracal.run/markdown/operations/cloud-native-profiles.md"
description: "Configure Caracal for managed Kubernetes, managed Postgres, Redis, ingress, secrets, and observability."
page_type: "reference"
concepts: []
requires: []
---

# Choose a Cloud Profile

Cloud-native Caracal deployments should use the Helm chart with externalized state: managed Postgres, managed Redis, platform secrets, ingress, NetworkPolicy, and cluster observability.

For a concrete, copy-paste version of this profile — including External Secrets manifests, a production overlay, cert-manager TLS ingress, and a per-cloud (EKS/GKE/AKS) substitution table — see [Deploy on Managed Kubernetes](/operations/cloud-reference-deployments/).

## Profile Map

| Profile | Values to adjust |
| --- | --- |
| Evaluation | `global.mode=rc`, short retention, limited replicas, temporary secrets, no public ingress unless required. |
| Production | `global.mode=stable`, managed Postgres/Redis, TLS ingress, NetworkPolicy, PDB/HPA, ServiceMonitor, PrometheusRule. |
| Private cluster | Disable public ingress; expose API/Gateway through internal load balancers or service mesh. |
| Regulated workload | Enforce external secret manager, immutable backups, audit export, restricted egress, and incident evidence retention. |

## Managed Dependency Contract

| Dependency | Requirements |
| --- | --- |
| Postgres | TLS-capable connection, migration role, durable backups, point-in-time recovery, sufficient connection capacity. |
| Redis | Streams support, authentication, memory policy sized for audit/revocation/outbox traffic, persistence according to recovery goals. |
| Secrets | Runtime Secret with database, Redis, admin, Coordinator, zone KEK, audit HMAC, stream HMAC, and Gateway-STS HMAC keys. |
| Observability | Metrics scraping for all services and alerts equivalent to the chart PrometheusRule. |

## Network Stance

The chart NetworkPolicy allows Caracal pod-to-pod traffic and storage egress; everything else is denied. Add explicit DNS, HTTPS, identity provider, object store, and provider API egress only as needed, as specific `dnsEgress`/`extraEgress` entries rather than by turning on `allowOpenDns` or `allowOpenHttps`. The defaults below are the restrictive starting point:

```yaml
networkPolicy:
  enabled: true
  allowOpenDns: false
  allowOpenHttps: false
  dnsEgress: []
  extraEgress: []
  extraIngress: []
```

## Ingress Stance

Expose only the endpoints required by your environment:

| Endpoint | When to expose |
| --- | --- |
| Gateway | Required for protected resource traffic through Caracal Gateway. |
| API | Required for Console/Admin clients outside the cluster. |
| STS | Expose only when token exchange clients cannot reach it privately. |
| Audit/Coordinator/Control | Prefer private access. |

The chart currently has optional Ingress templates for Gateway and API.

## Validation

1. Render manifests with production values (`helm template` against the production values file) and review the output rather than trusting chart defaults.
2. Confirm no plaintext secrets are committed: neither the values files nor the rendered manifests should carry Secret `data`/`stringData`; runtime keys should be supplied by the platform or external secret manager.
3. Confirm NetworkPolicy egress covers required provider APIs and object stores, using the provider's published address ranges rather than open HTTPS.
4. Confirm ServiceMonitor or equivalent metrics scraping is active for every service.
5. Confirm backup and restore evidence exists for Postgres and runtime secrets, meaning a restore that was actually exercised, not only a backup schedule.
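Steps 2 to 4 of this list, together with the egress allowance from the Network Stance section, can be checked offline against the rendered output. The script below is an added example and is not part of the Caracal chart or its documentation; it assumes the rendered manifests have been converted to a JSON array (for instance with `helm template … | yq -o=json . | jq -s .`), and the resource names, address ranges and required destinations embedded in it are constructed placeholders, not the chart's real values.

```python
"""Offline checks for validation steps 2 to 4 against rendered chart output.

Added example, not part of the Caracal chart. Assumed input: a JSON array of
the rendered manifests (e.g. `helm template ... | yq -o=json . | jq -s .`).
A constructed sample is embedded below so the script runs stand-alone.
"""
import ipaddress
import json
import sys

# Constructed sample of a rendered release. Names and addresses are illustrative;
# the plaintext Secret is the defect the check is meant to catch.
SAMPLE_ITEMS = [
    {"kind": "ExternalSecret", "metadata": {"name": "caracal-runtime"}},
    {"kind": "Secret", "metadata": {"name": "caracal-runtime-plain"},
     "stringData": {"DATABASE_URL": "postgres://caracal:hunter2@db/caracal"}},
    {"kind": "NetworkPolicy", "metadata": {"name": "caracal"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
              "egress": [
                  {"to": [{"ipBlock": {"cidr": "10.20.0.0/16"}}],
                   "ports": [{"protocol": "TCP", "port": 5432}]},
                  {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
                   "ports": [{"protocol": "UDP", "port": 53}]}]}},
    {"kind": "ServiceMonitor", "metadata": {"name": "caracal"}},
]

# Destinations the deployment must reach: (label, CIDR, protocol, port).
# Constructed values; take the real ones from your provider's published ranges.
REQUIRED_EGRESS = [
    ("managed Postgres", "10.20.5.10/32", "TCP", 5432),
    ("managed Redis", "10.20.6.10/32", "TCP", 6379),
    ("object store", "52.216.0.0/15", "TCP", 443),
]


def plaintext_secrets(items):
    """Step 2: a rendered Secret carrying data or stringData means the value lives in git."""
    return [m["metadata"]["name"] for m in items
            if m.get("kind") == "Secret" and (m.get("data") or m.get("stringData"))]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _ipblock_allows(block, cidr):
    """ipBlock covers cidr and none of its `except` ranges touch it (conservative)."""
    want, allowed = _net(cidr), _net(block["cidr"])
    if want.version != allowed.version or not want.subnet_of(allowed):
        return False
    return not any(want.version == _net(x).version and want.overlaps(_net(x))
                   for x in block.get("except", []))


def _port_allows(p, proto, port):
    if p.get("protocol", "TCP") != proto:
        return False
    start = p.get("port")
    if not isinstance(start, int):  # named port: cannot be resolved offline, treat as no match
        return False
    return start <= port <= p.get("endPort", start)


def _rule_allows(rule, cidr, proto, port):
    """One NetworkPolicyEgressRule: omitted `to` means any peer, omitted `ports` means any port.
    Selector peers (pod/namespace) are in-cluster and never satisfy an external CIDR."""
    dest_ok = "to" not in rule or any(
        "ipBlock" in peer and _ipblock_allows(peer["ipBlock"], cidr) for peer in rule["to"])
    port_ok = "ports" not in rule or any(_port_allows(p, proto, port) for p in rule["ports"])
    return dest_ok and port_ok


def egress_rules(items):
    """Egress rules from every NetworkPolicy; policies are additive, so the union is what matters."""
    rules = []
    for m in items:
        if m.get("kind") != "NetworkPolicy":
            continue
        spec = m.get("spec", {})
        types = spec.get("policyTypes", ["Egress"] if "egress" in spec else [])
        if "Egress" in types:
            rules.extend(spec.get("egress", []))
    return rules


def missing_egress(items, required):
    """Step 3: required destinations that no egress rule allows."""
    rules = egress_rules(items)
    return [label for label, cidr, proto, port in required
            if not any(_rule_allows(r, cidr, proto, port) for r in rules)]


def has_kind(items, kind):
    return any(m.get("kind") == kind for m in items)


def run_checks(items, required=REQUIRED_EGRESS):
    return {
        "plaintext_secrets": plaintext_secrets(items),
        "missing_egress": missing_egress(items, required),
        "external_secret_present": has_kind(items, "ExternalSecret"),
        "servicemonitor_present": has_kind(items, "ServiceMonitor"),  # step 4
    }


if __name__ == "__main__":
    # `python check.py -` reads the JSON array from stdin; no argument uses the sample.
    items = json.load(sys.stdin) if "-" in sys.argv[1:] else SAMPLE_ITEMS
    result = run_checks(items)
    print(json.dumps(result, indent=2))
    failed = (result["plaintext_secrets"] or result["missing_egress"]
              or not result["external_secret_present"] or not result["servicemonitor_present"])
    sys.exit(1 if failed else 0)
```

On the embedded sample the script reports the committed `caracal-runtime-plain` Secret and flags Redis and the object store as unreachable: the single ipBlock rule only opens TCP 5432, and the `namespaceSelector` rule for DNS does not help with an external address. Named container ports and selector-based peers are treated as non-matching on purpose, so the check errs toward reporting a gap rather than silently passing.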

## Next Step

Use [Deploy on Managed Kubernetes](/operations/cloud-reference-deployments/) for a concrete External Secrets, cert-manager, managed Postgres, and managed Redis deployment.
