Documentation
Deployment guide
Cordum does not ship a single-binary production mode. The supported deployment paths are Docker Compose, the Kubernetes production overlay, and the Helm chart. Production mode hardens TLS and disables insecure shortcuts.
Local / dev Compose
cordumctl up andcordumctl devboth drive Docker Compose and auto-generate local TLS certificates when missing.
Release Compose
Usedocker-compose.release.ymlfor production-style Compose withCORDUM_ENV=productionand explicit TLS wiring.
Kubernetes / Helm
Usedeploy/k8s/productionor./cordum-helmfor production clusters.
Docker Compose
Local stack
export CORDUM_API_KEY="$(openssl rand -hex 32)" cordumctl up # direct compose export REDIS_PASSWORD="$(openssl rand -hex 32)" docker compose build docker compose up -d
For production-style Compose, mount the appropriate certs and enable the server-side TLS variables described indocs/guides/production-deployment.md.
Kubernetes overlay
kubectl -n cordum create secret tls cordum-server-tls --cert=server.crt --key=server.key kubectl apply -k deploy/k8s/production/
Helm
helm install cordum ./cordum-helm -n cordum --create-namespace --set secrets.apiKey=$(openssl rand -hex 32) --set redis.auth.password=$(openssl rand -hex 32) --set global.production=true
Production checklist
- Set CORDUM_ENV=production on control-plane services.
- Provision strong CORDUM_API_KEY and REDIS_PASSWORD secrets.
- Mount server TLS certs for gateway, safety-kernel, and context-engine.
- Configure client TLS for NATS and Redis.
- Keep anonymous auth and insecure header-principal overrides disabled.
- Enable monitoring for gateway status, metrics, and container health.
Source of truth:docs/guides/production-deployment.md