PlainID Edge Deployment

Early Access Capability

PlainID Edge is a deployable component of the PlainID Authorization Platform that enables organizations to extend authorization controls into their own infrastructure. It is designed to be installed and operated within customer-managed environments, providing a consistent way to integrate authorization into AI and data ecosystems.

This guide focuses on how to deploy PlainID Edge across supported environments, including Kubernetes and containerized setups using Docker Compose. While the underlying architecture and components remain consistent, the deployment model can be adapted to fit different infrastructure requirements and operational preferences.

By following this guide, you will set up the core PlainID Edge services, configure connectivity to your AI tooling and data sources, and establish the foundation for discovery, enrichment, and authorization enforcement within your Environment.

Docker Compose

This section is a guide on how to deploy PlainID Edge in a containerized Environment using Docker Compose.
The Docker Compose recipe installs the foundational PlainID Edge components required for MCP Gateway, discovery, and RAG enrichment capabilities.
These steps assume that the containerized Environment is already available and that docker-compose (or an equivalent tool) is installed.

Early Access Prerequisites

Before proceeding with the installation, ensure that you have received access to pull these container images from Docker Hub:

plainid/enrichment-agent
plainid/vector-db-classifier-engine
plainid/discovery-agent
plainid/mcp-gateway

Contact PlainID Support.

A latest up-to-date recipe is available in our Github Repository.
The recipe is an example of a possible Docker Compose configuration, which should be tuned and updated based on your requirements.

Prerequisites

In cases when data enrichment is required, ensure you have the following:

A Pinecone API key
An OpenAI API key for vector-db-classifier-engine

Deploying the Stack

The following steps walk through cloning the example repository, configuring the required environment variables, and launching the Edge services using Docker Compose.

Clone the git repository with the example recipe:

$ git clone https://github.com/plainid-org/edge

Navigate to the recipe directory:

# If not in the edge directory, navigate to it
$ cd edge
# Navigate to the docker-compose recipe
$ cd docker-compose

Edit each config/<service>/.env and config/<service>/config.yaml file.

config/vector-db-classifier-engine/.env

OPENAI_API_KEY=<your-openai-api-key>

config/enrichment-agent/.env

JWT_VALIDATION_ENABLED=false
CLASSIFICATION_SERVICE_URL=http://vector-db-classifier-engine:8000
PINECONE_API_KEY=<your-pinecone-api-key>

config/mcp-gateway/.env
See About Scopes: /v1/docs/about-scopes-2

PLAINID_CLIENT_ID=<your-client-id>
PLAINID_CLIENT_SECRET=<your-client-secret>
PLAINID_RUNTIME_HOST=<plainid-runtime-hostname>
PLAINID_RUNTIME_PORT=8080

config/mcp-gateway/config.yaml
Configure the mcpServers block with the MCP endpoints relevant to your deployment.
The provided example uses Context7 as a placeholder: https://mcp.context7.com
config/discovery-agent/.env
See About Scopes: /v1/docs/about-scopes-2
Refer to:
API URL bases: /docs/core-helm-chart#api-url-bases
PlainID Discovery URLs: /docs/core-helm-chart#plainid-discovery-urls

PLAINID_API_URL=https://<plainid-api-endpoint>
PLAINID_DISCOVERY_URL=https://<plainid-lambda-url>
POP_ID=MCP
ENVIRONMENT_ID=<your-environment-id>
PLAINID_MCP_GATEWAY_URL=http://mcp-gateway:5235
PLAINID_CLIENT_ID=<your-client-id>
PLAINID_CLIENT_SECRET=<your-client-secret>

Start the stack (in the background):

$ docker compose up -d

After the stack starts successfully, the PlainID Edge services will run as containers within your environment. The MCP Gateway, discovery agent, and enrichment components will begin operating according to the configuration defined in the .env and config.yaml files.

You can verify that all services are running by using standard Docker commands such as docker compose ps or docker logs for troubleshooting and monitoring.

Core Helm Chart

This section describes how to deploy the PlainID Edge core Helm chart in a Kubernetes environment. The core deployment installs the foundational PlainID Edge components required for MCP Gateway, discovery, and RAG enrichment capabilities. These steps assume that the Kubernetes cluster is already available and that Helm is installed and configured.

Deployment Flow

Below is the PlainID Deployment Flow.

Provision a Kubernetes cluster.
Obtain access to the PlainID Helm OCI registry and container images.
Prepare a Helm values file:
- Configure PlainID endpoints and credentials
  - Extract the Client ID and Client Secret through the Tenant or Environment Settings.
    Refer to About Scopes for more information.
- Define Pinecone or MCP sources
- Configure enrichment and classification settings
- Provide required secrets
Install the core Helm chart.
Validate:
- Health endpoints
- MCP connectivity
- Discovery execution
- Enrichment results

Read more below to understand how the core components work in the deployment flow.

Core Components

The core chart installs the foundational Edge services required for the PlainID Edge deployment.

The guide walks through authenticating to the PlainID OCI Helm registry, validating chart access, and deploying the core chart with a custom values file. Each component within the chart can be enabled or disabled independently through Helm values, allowing the deployment to be tailored to specific operational requirements.

Early Access Prerequisites

Before proceeding with the installation, ensure that you have received credentials to the PlainID container registry oci://plainidio.azurecr.io.

Contact PlainID Support.

Warning
If you are using Helm v3.8.0 or higher, this is enabled by default. If you are using a lower version, you can enable OCI support by setting the following environment variable:
export HELM_EXPERIMENTAL_OCI=1

To set up the Core Helm Chart deployment:

$ helm registry login -u <SHARED_USERNAME> plainidio.azurecr.io
Password:
Login Succeeded

Notes:

Replace <SHARED_USERNAME> with the credentials provided by PlainID Support.

Validate access to the Helm charts. You can repeat these steps for each chart. The version number may vary.

% helm show chart oci://plainidio.azurecr.io/helm/core
Pulled: plainidio.azurecr.io/helm/core:1.0.6
Digest: sha256:c36916da0223fb5a441595bad1a5bdcb90fcea757345fb165af47d39152fc33a
apiVersion: v2
appVersion: 1.0.6
dependencies:
- condition: vector-db-classifier-engine.enabled
  name: vector-db-classifier-engine
  repository: oci://plainidio.azurecr.io/helm
  version: 1.0.1
- condition: enrichment-agent.enabled
  name: enrichment-agent
  repository: oci://plainidio.azurecr.io/helm
  version: 1.0.6
- condition: mcp-gateway.enabled
  name: mcp-gateway
  repository: oci://plainidio.azurecr.io/helm
  version: 1.0.4
- condition: discovery-agent.enabled
  name: discovery-agent
  repository: oci://plainidio.azurecr.io/helm
  version: 1.0.2
description: PlainID Edge Core Helm Umbrella chart for Kubernetes
icon: https://www.plainid.com/wp-content/uploads/2024/01/mobile-logo.png
maintainers:
- email: support@plainid.com
  name: PlainID
  url: https://plainid.com
name: core
type: application
version: 1.0.6

Note: By default, the latest version of the chart is shown.

Create a Kubernetes entity. This is not a PlainID-specific command. Ensure that your setting and secret are defined before continuing:

kubectl create secret docker-registry <YOUR_PULL_SECRET> \
  --namespace <namespace> \
  --docker-server=plainidio.azurecr.io \
  --docker-username=<token-name> \
  --docker-password=<token-password>

Deploy the core Helm chart. Ensure you replace <YOUR_VALUES_FILE> with the path to your Helm values file, and replace <HELM_RELEASE_NAME> with the name of your Helm release.

$ helm install <HELM_RELEASE_NAME> oci://plainidio.azurecr.io/helm/core -f <YOUR_VALUES_FILE>

The following example shows a sample values file. This is a basic configuration for Pinecone RAG enrichment. For advanced configurations, see the relevant subpages:

---
global:
  imagePullSecrets:
    - name: "<YOUR_PULL_SECRET>"
vector-db-classifier-engine:
  secret:
    OPENAI_API_KEY: "YOUR_OPENAI_API_KEY"
enrichment-agent:
  env:
    JWT_VALIDATION_ENABLED: "false"
    CLASSIFICATION_SERVICE_URL: "http://<HELM_RELEASE_NAME>-vector-db-classifier-engine:8000"
  secret:
    PINECONE_API_KEY: "YOUR_PINECONE_API_KEY"
mcp-gateway:
  plainIDConfig:
    config.yaml: |
      mcpServers:
        context7:
          url: "https://mcp.context7.com/mcp"
          transportType: "streamable-http"
          headersToForward:
            - "Authorization"
            - "X-User-Token"
            - "X-Agent-Token"
      plainID:
        runtimeBaseURL: "http://${PLAINID_RUNTIME_HOST}:${PLAINID_RUNTIME_PORT}/api"
        toolsAsset: "tools"
        clientID: "${PLAINID_CLIENT_ID}"
        clientSecret: "${PLAINID_CLIENT_SECRET}"
        emptyOnError: false
        plugins:
          logger:
            enable: true
          presidio:
            enable: false
            analyzer_url: "http://${PRESIDIO_ANALYZER_HOST}:${PRESIDIO_ANALYZER_PORT}/analyze"
            anonymizer_url: "http://${PRESIDIO_ANONYMIZER_HOST}:${PRESIDIO_ANONYMIZER_PORT}/anonymize"
            threshold: 0.5
          dataFilter:
            enable: false
            authHeader: "X-User-Token"
            filterUrl: "http://${DATAFILTER_HOST}:${DATAFILTER_PORT}/resql"
            clientID: "${DATAFILTER_CLIENT_ID}"
            clientSecret: "${DATAFILTER_CLIENT_SECRET}"
            flags:
              emptyAllowedTreatAsPermitted: true
              ignoreRuntimeAllowedFields: true
              expandStarColumn: false
              oppositeColumnFilteringBehavior: true
              runtimeAllowedAsMasked: false
              runtimeCLSAsMasked: true
        headersToForward:
          - "Authorization"
          - "X-User-Token"
          - "X-Agent-Token"
      mcpProxy:
        addr: 5432
        pingInterval: 10
discovery-agent:
  plainIDConfig:
    config.yaml |
      plainIdUrl: "https://api.acmefinance.plainid.cloud"
      plainIdDiscoveryUrl: "https://api.app.acmefinance.companyx.cloud"
      discoverySources:
        - popId: POP456
          environmentId: "550e8400-e29b-41d4-a716-446655440000"
          type: Pinecone
          periodicStart: "0 0 1 * * ?"
          vendor:
            pinecone:
              apiKey: "your-pinecone-api-key"
              sampleLimit: 50000
            collections:
              mode: exclude
              patterns:
                - "users"
                - "books_.*"
          plainIdCredentials:
            clientId: "your-client-id"
            clientSecret: "your-client-secret"
          metadataKeys:
            mode: exclude
            patterns:
              - "createdAt"
              - "timestamp.*"
          availabilityThreshold: 0.1

Every individual component can be disabled by configuring the enabled: false parameter in individual components.

Example:

vector-db-classifier-engine:
  enabled: false

API URL Bases

Accessing the APIs is through a dedicated domain or URL, according to your PlainID tenant location:

United States (US) - https://api.us1.plainid.io
Canada (CA) - https://api.ca1.plainid.io
Europe (EU) - https://api.eu1.plainid.io

PlainID Discovery URLs

Accessing the PlainID Discovery APIs is through a dedicated domain or URL:

United States (US) - https://api.us1.app.plainid.io
Europe (EU) - https://api.eu1.app.plainid.io
Canada (CA) - https://api.ca1.app.plainid.io