Requirements

This page lists every prerequisite for running Platform-Kernel in self-hosted mode. All versions are pinned to values verified in docker/versions.env and go.work (April 2026). Do not use older versions — several components rely on behaviors introduced in specific releases.

Software Prerequisites

Runtime Stack

Component	Min version	Pinned in project	Notes
Go	1.26.0	`1.26.1` (`go.work`)	Required: range-over-func, toolchain directive
Node.js	24.0.0	`≥ 24.0.0` (`package.json`)	LTS 2026 — required by pnpm 10
pnpm	10.0.0	`≥ 10.0.0` (`package.json`)	Workspace protocol v2
Docker Engine	29.0.0	`29.4.1` (April 2026 GA)	Compose Specification v3
Docker Compose	5.0.0	Plugin v5.x	`docker compose` (no hyphen)

Infrastructure Services

All versions below are pulled from docker/versions.env — the single source of truth for the entire deployment:

Service	Image	Version	Role
PostgreSQL	`postgres:17-alpine`	`17`	Primary OLTP database
ClickHouse	`clickhouse/clickhouse-server:25.3-alpine`	`25.3`	OLAP / analytics
Apache Kafka	`apache/kafka:3.9.0`	`3.9.0`	Domain events (KRaft, no ZooKeeper)
RabbitMQ	`rabbitmq:4.1-management-alpine`	`4.1`	Transactional queues, DLQ
Valkey	`valkey/valkey:8.1-alpine`	`8.1`	Redis-compatible cache
HashiCorp Vault	`hashicorp/vault:1.19`	`1.19` (project pin)	Secrets, JWT signing keys
SeaweedFS	`chrislusf/seaweedfs:3.84`	`3.84`	S3-compatible file storage
Envoy	`envoyproxy/envoy:v1.33-latest`	`1.33`	API Gateway (xDS)
GoFeatureFlag	`gofeatureflag/flagd:v1.42.0`	`v1.42.0`	Feature flags
ClamAV	`clamav/clamav:1.4`	`1.4`	Antivirus scanning (files service)

Vault version note: The project pins Vault 1.19 in docker/versions.env. Vault 2.0.0 was released April 2026 and introduces breaking changes in the Agent and SPIFFE integrations. Migration guide will be provided before upgrading pinned version.

Kubernetes (production)

Component	Minimum	Recommended
Kubernetes	`1.30`	`1.36` (April 2026 GA)
Helm CLI	`4.0.0`	`4.1.4` (April 2026 GA)
Istio	`1.25`	`1.29.2` (April 2026 GA)
cert-manager	`1.16`	`1.17+`

Hardware Sizing

Memory requirements are derived from deploy.resources.limits in docker/docker-compose.yml.

Development (single host, Docker Compose)

Resource	Minimum	Recommended
CPU	4 cores	8 cores
RAM	16 GB	32 GB
Disk (OS + images)	40 GB SSD	80 GB NVMe
Disk (data volumes)	50 GB	200 GB
Network	100 Mbps	1 Gbps

The full stack requires approximately 9 GB RAM at steady state (all 24 containers). Key consumers:

Container	RAM limit
`platform-clickhouse`	2 GB
`platform-kafka`	512 MB
`platform-postgres`	512 MB
`platform-sonarqube`	2 GB (CI-only, optional)
`platform-files`	512 MB (`bimg/libvips` headroom)
`platform-rabbitmq`	256 MB
`platform-valkey`	256 MB
All 12 Go services	~128 MB each

Production (Kubernetes, multi-node)

Minimum 3-node cluster for high availability:

Node role	vCPU	RAM	Storage
Control plane	4	8 GB	80 GB SSD
Worker (stateless services)	8	32 GB	100 GB NVMe
Worker (stateful: PG, CH)	16	64 GB	1 TB NVMe

Recommended minimum cluster for production traffic:

3 control-plane nodes
3+ stateless worker nodes (Go services, Gateway, Envoy)
2+ stateful nodes (PostgreSQL primary + replica, ClickHouse)

Network Requirements

Required Open Ports

All inter-service communication uses the platform-network Docker bridge (172.20.0.0/16). The following ports must be reachable from the host or load balancer:

Port	Protocol	Service	Direction
`8080`	HTTP	API Gateway (HTTP health + REST)	Inbound (public)
`50051`	gRPC	API Gateway (gRPC)	Internal only
`50050`	gRPC	IAM Service	Internal only
`50052`	gRPC	Data Layer	Internal only
`50053`	gRPC	Event Bus	Internal only
`50054`	gRPC	Notify Service	Internal only
`50055`	gRPC	Billing Service	Internal only
`50056`	gRPC	Integration Hub	Internal only
`50057`	gRPC	File Storage	Internal only
`50058`	gRPC	Money Service	Internal only
`50059`	gRPC	Audit Service	Internal only
`50060`	gRPC	Module Registry	Internal only
`50061`	gRPC	Domain Resolver	Internal only
`5432`	TCP	PostgreSQL	Internal only
`9092`	TCP	Kafka (KRaft)	Internal only
`5672` / `15672`	TCP	RabbitMQ / Management UI	Internal / ops
`8123` / `9000`	HTTP / TCP	ClickHouse HTTP + native	Internal only
`6379`	TCP	Valkey	Internal only
`8200`	HTTP	HashiCorp Vault	Internal + ops
`8333` / `8888` / `9333`	HTTP	SeaweedFS S3/filer/master	Internal only
`1031`	HTTP	GoFeatureFlag	Internal only
`3310`	TCP	ClamAV	Internal only

TLS / mTLS

All gRPC channels between Go services use mutual TLS (mTLS) enforced by the services/shared/mtls package. Certificates are issued and rotated by HashiCorp Vault PKI secrets engine. In development, Vault runs in dev mode with self-signed certificates.

In production (Kubernetes + Istio 1.29), mTLS is additionally enforced at the sidecar proxy level. Envoy terminates external TLS (Let's Encrypt via Certbot v4.0.0).

DNS Requirements

Wildcard DNS record for custom domains: *.your-domain.com → Load Balancer IP
Internal service discovery: Kubernetes DNS / Docker Compose service names (e.g., iam:50050, kafka:9092)

Operating System

OS	Support level
Ubuntu 24.04 LTS	✅ Primary (CI-verified)
Debian 12	✅ Supported
RHEL 9 / Rocky Linux 9	✅ Supported
macOS 15 (Sequoia)	✅ Development only
Windows	❌ Not supported (Go workspace requires POSIX)

Pre-flight Checklist

Before running docker compose up, verify:

# Go workspace version
go version
# → go version go1.26.1 darwin/arm64 (or linux/amd64)

# Node version (must be ≥ 24)
node --version
# → v24.x.x

# pnpm version (must be ≥ 10)
pnpm --version
# → 10.x.x

# Docker Engine
docker version --format '{{.Server.Version}}'
# → 29.x.x

# Docker Compose plugin
docker compose version
# → Docker Compose version v5.x.x

# Available RAM (Linux)
free -h | awk '/^Mem/{print $2}'
# Must be ≥ 16G for dev stack

Software Prerequisites​

Runtime Stack​

Infrastructure Services​

Kubernetes (production)​

Hardware Sizing​

Development (single host, Docker Compose)​

Production (Kubernetes, multi-node)​

Network Requirements​

Required Open Ports​

TLS / mTLS​

DNS Requirements​

Operating System​

Pre-flight Checklist​

See Also​