Privacy Dynamics Self-hosted

Installing Privacy Dynamics


Deploy latest version

From the Replicated admin console, click on the "Check for Update" link to get the latest version of Privacy Dynamics. The latest version is displayed on the top of the list. It will show "Pending Config" as the customer needs to input some values, click on "Configure" to enter the configuration. This action will navigate to the "Config" tab.

"Dataframe Upload Secret" and "Profile Upload Secret" are specified by each customer. "UI Fully Qualified Domain Name" should be and "API Fully Qualified Domain Name" should be, where the sub-domain matches the customer's chosen sub-domain.

Set environment variables

  • Dataframe Upload Secret. A 12 character alphanumeric encryption secret used to protect data.
  • Profile Upload Secret. A 12 character alphanumeric encryption secret used to encrypt data connection credentials. Changing the secret will invalidate historical job information.
  • Storage class for data volume. The installation requires a PhysicalVolumeClaim that supports ReadWriteMany access mode for its temporary storage. Azure users can use the azurefile-csi StorageClass. AWS users can follow our directions to set up EFS storage. For Google cloud we recommend using CSI drivers for FileStore.


It is possible to manage the internal application database separately, though this is mainly for legacy users. To do so, check the "Use External PostgreSQL Database" box and follow the instructions for setting up an external database.

Auxiliary Software

To make the install process easier, it is possible to install auxiliary software that will assist in the functioning of Privacy Dynamics software. Installation through this method is entirely optional. The following software are currently available:

  • NGINX Ingress Controller - Privacy Dynamics software assumes an NGINX ingress controller is present, this will install the standard ingress-nginx Helm chart, which will create an IngressClass called nginx and, for public clouds, can provision a load balancer.
  • ExternalDNS - this connects to a public cloud DNS provider (e.g. Route 53 or Cloud DNS) to create DNS records when a new ingress is created.
  • cert-manager - this provisions certificates from a public CA for ingresses on your cluster.
    • We have included the capability to create a ClusterIssuer using the ACME Issuer type with a DNS01 challenge. The default Certificate Authority is Let's Encrypt. You can decline creating the ClusterIssuer if you have different requirements.
  • Loki - this is the popular log aggregator from Grafana Labs
  • Prometheus stack - this is a bundle of Prometheus/Alertmanager and Grafana

If you are using cert-manager and our ClusterIssuer, the installer can also attempt to create the ingresses for the Privacy Dynamics application, API, and KOTS Admin Console.

Verify the application is running

Once the application is deployed, its pods will be running on the cluster. You can view them by running the command kubectl get pods -n pvcy.

  • analyzer-app is the front-end application.
  • privacy-api is the back-end application.
  • celery are the data-processing containers.
  • nginx-privacy-api is a proxy server for the back-end (privacy-api).
  • redis task queue.
  • reloader synchronizes the state of the pods if any config values are changed.

View the application logs using: kubectl logs api-[XXX] -n pvcy. You may see migrations run on the pvcydb.

Verify API endpoint

You can make a basic HTTP request to verify that the API ingress has been setup right. This call does not need authentication.

curl --insecure
  "result": "Ping succeeded",
  "request_id": "590ffb9d72f3230e316dd3b7cbe5a553",
  "processing_time": "0.00026s",
  "request_timestamp": 1667912466
Install Replicated
Application Ingress