Skip to main content
This guide is for organisations who have a commercial license for Speckle Enterprise, including Intelligence, and are deploying on their own infrastructure.If you are looking for guidance on how to use Speckle Intelligence features, please refer to our Analytics & Intelligence documentation.

Speckle Enterprise Intelligence deployment guide

We recommend that you first familiarise yourself with Intelligence.

Prerequisites

Before you can configure Speckle Enterprise Intelligence, your organization will have already completed the following steps:
  1. Speckle Server: Deployed Speckle Enterprise Server on Kubernetes. See our instructions for deploying on Kubernetes and configuring Speckle Enterprise Server for more details.
  2. Speckle Automate: Deployed Speckle Automate on Kubernetes. See our instructions for deploying Speckle Automate for more details.
  3. License Acquisition: Acquired a commercial license for Speckle Enterprise from Speckle Systems. This license should include permissions for deploying Intelligence.
  4. Package Registry Token: Obtained a package registry token from Speckle Systems to access the private Helm charts & Docker images for Enterprise features.
  5. Package Registry URL: Received the URL for the private package registry hosting the Intelligence Helm charts and Docker images.
Speak to your Speckle representative if you need assistance with any of the prerequisites.

Infrastructure

Speckle Enterprise Intelligence requires the following infrastructure components:
  • Kubernetes Cluster: A Kubernetes cluster to host the Intelligence components. This can be a managed service (e.g., EKS, AKS, GKE) or a self-hosted cluster.
    • It is possible to host Intelligence in the same cluster as your Speckle Enterprise Server deployment.
    • We recommend using a separate namespace for isolation, resource management, and security.
  • Domain: A domain name for accessing the Intelligence dashboard. This must be a different domain from your Speckle Server deployment as there may be path routing conflicts if hosted on the same domain.

Configuration Steps

Retrieving the Helm Chart

  1. To access the private Helm charts for Speckle Enterprise Intelligence, you need to log in to the Speckle Enterprise package registry: 
    helm login <PACKAGE_REGISTRY_URL> --username <PACKAGE_REGISTRY_USERNAME> --password <PACKAGE_REGISTRY_TOKEN>
  2. Once authenticated, you can pull the Intelligence Helm chart and investigate its contents: 
    helm pull <PACKAGE_REGISTRY_URL>/speckle-intelligence-chart --untar
  3. We recommend reading the values.yaml file included in the Helm chart to understand all the configuration options available for Intelligence. A json.schema file is also included to provide validation and documentation for each configuration option.
  4. We also recommend understanding the architecture of the Kubernetes resources deployed by the Helm chart. Please contact your Speckle representative if you have further questions.
  5. Create an empty values.yaml file which we will use to configure our deployment: 
    touch values.yaml

Image Pull Secrets

The Helm Chart references Docker Images that are hosted in the same private registry as the Helm Chart. You will need to create an Image Pull secret in Kubernetes to allow your cluster to authenticate with the registry and pull the necessary images.
  1. Create a Kubernetes Secret of type dockerconfigjson: 
    kubectl create secret docker-registry speckle-enterprise-registry \
--docker-server=<PACKAGE_REGISTRY_URL> \
--docker-username=<PACKAGE_REGISTRY_USERNAME> \
--docker-password=<PACKAGE_REGISTRY_TOKEN> \
-n <NAMESPACE> \
--dry-run=client \
-o yaml | kubectl apply -f -
  2. Confirm the secret is deployed successfully. 
    kubectl get secret speckle-enterprise-registry -n <NAMESPACE>
  3. Update the Helm values.yaml file to reference the image pull secret: 
    imagePullSecrets:
  - name: speckle-enterprise-registry

Security settings

Speckle Intelligence is designed to be embedded within an iframe within pages hosted by Speckle server. To ensure the security of this setup, you need to configure Content Security Policy (CSP) settings to allow embedding the Intelligence dashboard. The frameAncestors directives in the CSP settings specify which domains are allowed to embed the Intelligence dashboard within an iframe. If no frameAncestors directives are specified, the default is to restrict embedding from only the same domain as the Intelligence dashboard. The frameSource directives specify which domains the Intelligence dashboard is allowed to load javascript, styles, image blobs and other resources from. They do not control which sites may embed the dashboard itself (that is governed by the frameAncestors directives). Typically, this should include the domain of your Speckle Intelligence deployment. The trustedProxies settings specify which proxies are trusted to forward requests to the Intelligence dashboard. This is used by the Intelligence server to log the original client IP address for requests. This is optional, if you are not using any proxies or do not need to log client IP addresses, you can leave this empty.
  1. Update the Helm values.yaml file to include the appropriate security settings for your deployment: 
    security:
  frameAncestors:
    - 'yourSpeckleServerDomain.example.com'
  frameSource:
    - 'yourSpeckleIntelligenceDomain.example.com'
  trustedProxies:
    - 'IP_ADDRESS' # e.g. your ingress controller IP address or CIDR range


### Ingress Configuration

To access the Intelligence dashboard, you need to either configure an Ingress resource in Kubernetes or the Gateway API HttpRoute to route traffic to the Intelligence service. The exact configuration will depend on your cluster setup and the ingress strategy you are using.

1. Update the Helm values.yaml file to include the appropriate ingress settings for your deployment:

  ```yaml
  ingress:
    enabled: true
    className: "nginx"
    annotations:
      # Add any necessary annotations for your ingress controller here, e.g. for cert-manager integration:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: yourSpeckleIntelligenceDomain.example.com
        paths:
          # Please retain this path, the dashboards expect to serve all paths under the root.
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: speckle-intelligence-tls
        hosts:
          - yourSpeckleIntelligenceDomain.example.com

Gateway API HttpRoute Configuration

If you are using the Gateway API instead of Ingress, you can configure an HttpRoute to route traffic to the Intelligence service. The exact configuration will depend on your cluster setup and the Gateway API implementation you are using. The Helm Chart only provides the relevant HttpRoute configuration for the Intelligence service, you will need to ensure a Gateway and Gateway class exist in your cluster and update the HttpRoute configuration to reference the correct Gateway and hostnames for your deployment.
  1. Update the Helm values.yaml file to include the appropriate configuration for your deployment: 
    httpRoute:
  enabled: true
  annotations: {}
  parentRefs:
  - name: gateway
    sectionName: http
  hostnames:
  - yourSpeckleIntelligenceDomain.example.com
  rules:
  - matches:
    # Please retain this path, the dashboards expect to serve all paths under the root.
    - path:
        type: PathPrefix
        value: /

Deploying the Helm Chart

  1. The Kubernetes RBAC user deploying Intelligence will require permissions to create namespaces, deployments, services, configmaps, secrets, and other resources required by the Helm Chart. Please ensure your user has the necessary permissions before proceeding.
  2. Use Helm to deploy Speckle Enterprise Intelligence: 
    helm install speckle-intelligence <PACKAGE_REGISTRY_URL>/speckle-intelligence-chart \
--namespace <NAMESPACE> \
-f values.yaml

Updating Speckle Server Configuration

After deploying Speckle Enterprise Intelligence, you need to update your Speckle Server configuration to point to the new Intelligence deployment.
  1. Update the Speckle Server configuration (values.yaml) file to include the URL (including https protocol)of your Intelligence deployment: 
    dashboards:
  origin: 'https://yourSpeckleIntelligenceDomain.example.com'
Last modified on April 1, 2026