On-Premises Deployment
Deploy FeatureSignals on your own infrastructure — Kubernetes clusters, virtual machines, or air-gapped environments. Full control over data, networking, and security posture.
Deployment Options
FeatureSignals supports three on-premises deployment models:
Kubernetes
Deploy on any Kubernetes cluster (EKS, GKE, AKS, OpenShift, or bare-metal K8s). Helm chart available.
Virtual Machines
Deploy on VMs using Docker Compose or systemd. Suitable for traditional infrastructure.
Air-Gapped
Deploy in environments with no internet access. Pre-bundled images, offline docs, manual updates.
Kubernetes Deployment
FeatureSignals provides an official Helm chart for Kubernetes deployments. The chart includes the API server, Flag Engine dashboard, and configurable PostgreSQL (external or in-cluster).
Prerequisites
- Kubernetes 1.28+ cluster with RBAC enabled
- Helm 3.12+
- Ingress controller (nginx-ingress, Traefik, or similar)
- cert-manager (for automatic TLS)
- PersistentVolume provisioner (for PostgreSQL storage)
Install via Helm
helm repo add featuresignals https://charts.featuresignals.com
helm repo update
helm install featuresignals featuresignals/featuresignals \
--namespace featuresignals \
--create-namespace \
--set global.domain=featuresignals.example.com \
--set postgresql.auth.password=$(openssl rand -base64 32) \
--set jwtSecret=$(openssl rand -base64 64)
Production Values
For production, create a values file with production overrides:
replicaCount: 3
resources:
  requests:
    cpu: "1"
    memory: "2Gi"
  limits:
    cpu: "2"
    memory: "4Gi"
autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
postgresql:
  primary:
    persistence:
      size: 50Gi
    resources:
      requests:
        cpu: "2"
        memory: "4Gi"
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  tls:
    - hosts:
        - featuresignals.example.com
        - api.featuresignals.example.com
monitoring:
  serviceMonitor:
    enabled: true
External database
To use an external database instead of the in-cluster one, set postgresql.enabled=false and configure externalDatabase.* in your values file.
Virtual Machine Deployment
For teams not using Kubernetes, FeatureSignals can be deployed on virtual machines using Docker Compose or as systemd services:
Docker Compose on VMs
Follow the standard Docker Compose setup with the following VM-specific considerations:
- Place the VM behind a load balancer for high availability
- Use an external PostgreSQL instance accessible from all VM replicas
- Configure Docker to start containers on boot: enable the Docker daemon at boot and set restart: always on each service in the Compose file (docker compose up has no --restart flag), then start the stack with:
docker compose up -d
- Set up log forwarding to your centralized logging system
Systemd Service
For environments where Docker is not available, the Go API server can be compiled to a static binary and run as a systemd service:
[Unit]
Description=FeatureSignals API Server
After=network.target postgresql.service
[Service]
Type=simple
User=featuresignals
Group=featuresignals
WorkingDirectory=/opt/featuresignals
EnvironmentFile=/opt/featuresignals/.env
ExecStart=/opt/featuresignals/bin/server
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
Air-Gapped Environments
FeatureSignals supports deployment in environments with no internet access — common in government, financial, and defense sectors.
Image Bundling
FeatureSignals provides pre-bundled tarballs containing all Docker images, the Helm chart, and offline documentation:
# On an internet-connected machine:
docker pull featuresignals/server:v2.0.0
docker pull featuresignals/dashboard:v2.0.0
docker save featuresignals/server:v2.0.0 featuresignals/dashboard:v2.0.0 | gzip > featuresignals-images.tar.gz
# Download the offline bundle
wget https://releases.featuresignals.com/v2.0.0/offline-bundle.tar.gz
# Transfer to air-gapped environment via approved media
# Then load on the target machine:
docker load < featuresignals-images.tar.gz
tar xzf offline-bundle.tar.gz
Air-Gapped Considerations
- No telemetry — FeatureSignals does not phone home. No usage data, error reports, or metrics leave your network.
- License validation — Enterprise licenses are validated offline using signed tokens. No call to an external validation server is required.
- Email delivery — Configure an internal SMTP relay for transactional emails (password resets, invitations). Without SMTP, these features will not function.
- Updates — Upgrade by transferring new image tarballs and Helm charts via your approved data transfer process. Review the changelog for migration notes.
- Documentation — The offline bundle includes a static HTML copy of the documentation. Serve it from an internal web server.
Security Considerations
Network Segmentation
Place the database on a private subnet with no public internet access. Only the API server and dashboard should be reachable (via load balancer or reverse proxy). Use security groups or firewall rules to restrict traffic between components to only the necessary ports.
Secrets Management
Never store secrets in configuration files committed to version control. Use a secrets manager appropriate for your environment: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or Kubernetes Secrets (with encryption at rest enabled).
TLS Everywhere
Encrypt all traffic — both external (client to server) and internal (service-to-service, service-to-database). Use mTLS for service-to-service communication where possible. The API server and database should communicate over TLS, even on private networks.
Data at Rest
Enable encryption at rest for all persistent storage: PostgreSQL (TDE or filesystem encryption), Kubernetes PersistentVolumes (storage class with encryption), and backup files. Never store unencrypted database dumps.
High Availability Architecture
For production deployments requiring high availability:
- Multiple API server replicas — Deploy at least 3 replicas behind a load balancer for redundancy.
- Stateless design — API servers are stateless. The evaluation cache uses PG LISTEN/NOTIFY for cross-instance invalidation.
- Database HA — Use PostgreSQL streaming replication with automated failover (Patroni, Cloud SQL HA, or RDS Multi-AZ).
- Load balancer health checks — Configure your load balancer to use the /health endpoint for liveness and /ready for readiness.
- Graceful shutdown — API servers handle SIGTERM by draining in-flight requests before stopping (default: 30s grace period).
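The probe and drain behaviour described in the list above, as an added Go example that is not FeatureSignals' own server code: on SIGTERM the instance first withdraws readiness (so the load balancer stops routing to it) and then lets in-flight requests finish for up to the 30s grace period. The handler names, the GracePeriod constant and the listen port are assumptions.

```go
package main

import (
	"context"
	"log"
	"net/http"
	"os"
	"os/signal"
	"sync/atomic"
	"syscall"
	"time"
)

// GracePeriod is the 30s drain window the docs describe as the default (assumed here).
const GracePeriod = 30 * time.Second
// ready is flipped off on SIGTERM so /ready fails before in-flight requests finish.
var ready atomic.Bool
// Ready answers 503 while draining so the load balancer stops routing here.
func Ready(w http.ResponseWriter, _ *http.Request) {
	if !ready.Load() {
		http.Error(w, "draining", http.StatusServiceUnavailable)
		return
	}
	w.Write([]byte("ready"))
}

// NewServer wires /health (liveness) and /ready (readiness) and marks the instance ready.
func NewServer(addr string) *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })
	mux.HandleFunc("/ready", Ready)
	ready.Store(true)
	return &http.Server{Addr: addr, Handler: mux}
}
// Drain flips readiness off, then lets in-flight requests finish for up to GracePeriod.
func Drain(ctx context.Context, srv *http.Server) error {
	ready.Store(false)
	ctx, cancel := context.WithTimeout(ctx, GracePeriod)
	defer cancel()
	return srv.Shutdown(ctx)
}

func main() {
	srv := NewServer(":8080")
	go func() { log.Println(srv.ListenAndServe()) }() // returns ErrServerClosed after Drain
	stop := make(chan os.Signal, 1)
	signal.Notify(stop, syscall.SIGTERM) // sent by kubelet or systemd on stop
	<-stop
	log.Println("drain finished:", Drain(context.Background(), srv))
}
```

Liveness stays 200 throughout the drain, so the orchestrator does not kill the process early while the readiness probe alone steers traffic away.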
Split-brain prevention
Compliance & Regulatory
Deploying on-premises gives you full control over your compliance posture:
- SOC 2 — Self-hosting FeatureSignals in your SOC 2-compliant infrastructure extends your existing controls to flag management.
- HIPAA — FeatureSignals does not process PHI by default. With proper network controls and a BAA with your infrastructure provider, on-premises deployment supports HIPAA compliance.
- GDPR — All data remains in your infrastructure within your chosen region. No data leaves your control.
- FedRAMP / ITAR — Air-gapped deployment with FIPS 140-2 validated cryptography supports government compliance requirements.
Next Steps
- Self-Hosting Onboarding Guide — step-by-step setup with Docker Compose
- Configuration Reference — complete list of environment variables and Helm values
- Architecture Overview — understand how FeatureSignals works under the hood