If you’re new to Kubernetes, the Kubernetes for Docker Users primer covers Pods, Deployments, Services, PVCs, and Helm basics. For packaging and GitOps, see Kubernetes Packaging and Deployment.

Why not Bitnami?

The obvious choice for an in-cluster MongoDB is the Bitnami chart, which is widely used and simple to install. The problem is vector search. Applications that need semantic search or Atlas-style indexes require the mongot process — a sidecar that runs alongside mongod and handles full-text and vector indexes. Bitnami deploys a plain community MongoDB without mongot, so Atlas Search is simply not available.

The only supported path to mongot in a self-hosted environment is the MongoDB Kubernetes Operator, which introduces the MongoDBCommunity and MongoDBSearch custom resources. The operator manages the StatefulSet, replica set initialization, user creation, and TLS — and, when MongoDBSearch is enabled, injects the mongot sidecar with the right configuration.

Our chart wraps the operator’s CRDs with sensible defaults and a single helm upgrade --install interface, so operators don’t need to understand the operator’s internals to get a working cluster. You can run MongoDB with or without search; if you don’t need vector or full-text search, you can disable the mongot sidecar and save resources.

Two-phase install

mongot requires a running, authenticated replica set to connect to — it cannot start on a fresh cluster. The install therefore happens in two phases:

# Phase 1: bring up the replica set without search
helm upgrade --install mongodb oci://ghcr.io/analytiq-hub/mongodb-atlas-local \
  --version 2.0.1 --namespace mongodb \
  --set mongodb.adminPassword="..." \
  --set mongodb.appUser.password="..." \
  --set search.enabled=false

# Wait for replica set Ready
kubectl wait --for=condition=ready pod -l app=mongodb-mongodb-atlas-local \
  -n mongodb --timeout=300s

# Phase 2: enable search
helm upgrade mongodb oci://ghcr.io/analytiq-hub/mongodb-atlas-local \
  --version 2.0.1 --namespace mongodb --reuse-values \
  --set search.enabled=true

Attempting a single-phase install with search.enabled=true results in mongot crash-looping because the replica set isn’t ready to accept its connection.

Node sizing for stateful workloads

Adding MongoDB changes the cluster sizing arithmetic considerably. Each replica pod runs two containers: mongod (500m CPU, 400Mi) and mongodb-agent (500m CPU, 400Mi), plus a mongot sidecar (250m CPU, 250Mi) when search is enabled. A 3-replica set therefore requests ~2.25 vCPU and ~3.15 Gi of memory, on top of whatever other workloads you run.

The scheduler must fit the entire pod on one node. On a cluster with two t3.medium nodes (2 vCPU / 4 Gi each), if existing workloads already consume ~1.7 vCPU in requests, there may be ~2.2 vCPU free across both nodes — but never more than ~740m on a single node. A MongoDB pod that needs ~750m CPU cannot be scheduled. Adding a third node (or sizing nodes with enough headroom) resolves it.

The practical lesson: account for stateful pods when sizing the initial node group, or ensure the autoscaler can provision new nodes quickly enough not to block workloads.

EBS CSI Driver and the gp2 trap (EKS)

When we added MongoDB to an EKS cluster, PVCs sat in Pending indefinitely with the error:

no persistent volumes available for this claim and no storage class is set

EKS creates a gp2 StorageClass by default, but it has two problems. First, it is not marked as the default class — PVCs with an empty storageClassName get no provisioner assigned. Second, and more importantly, gp2 uses the legacy in-tree kubernetes.io/aws-ebs provisioner, which was removed in Kubernetes 1.27. On EKS 1.35, it is simply gone.

The fix is to create a gp3 StorageClass backed by the EBS CSI driver (ebs.csi.aws.com) and mark it as the cluster default:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: gp3
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
parameters:
  type: gp3
  encrypted: "true"

WaitForFirstConsumer is important — it delays EBS volume creation until the pod is actually scheduled to a node, which ensures the volume is created in the correct availability zone. allowVolumeExpansion: true enables online resizing without pod restarts.

Provision this StorageClass (and the EBS CSI driver) via Terraform or your preferred IaC so new clusters get it automatically.

Summary

We use this chart for Doc Router and other applications that need MongoDB with vector search. For the full Doc Router deployment story (Helm chart, workers, CI/CD, multi-cloud), see Deploying Doc Router on Kubernetes.

Andrei Radulescu-Banu is the founder of DocRouter.AI (document processing with LLMs) and SigAgent.AI (Claude Agent monitoring). His company AnalytiqHub.com provides consulting services for cloud and AI engineering.

If you’re new to Kubernetes, start with Kubernetes for Docker Users: A Practical Primer, which covers the core concepts — Pods, Deployments, Services, Namespaces, Secrets, PVCs, Helm, and Kind — before diving into this post. For packaging and GitOps (Kustomize, Helm, Flux), see Kubernetes Packaging and Deployment.

Why Kubernetes?

Doc Router was originally deployed using Docker Compose, which worked well for single-node setups. As we started onboarding enterprise customers with availability and scalability requirements, we needed:

• Horizontal scaling — multiple replicas behind a load balancer
• Automated failover — pods restarted on failure without manual intervention
• Rolling deployments — zero-downtime upgrades
• Resource isolation — CPU and memory limits per component

Architecture

The production deployment consists of two main workloads:

• Frontend — Next.js server (SSR + API routes via NextAuth)
• Backend — FastAPI application with embedded background workers

Both run as Kubernetes Deployments behind a shared nginx ingress with TLS terminated by cert-manager (Let’s Encrypt).

MongoDB can run outside the cluster (MongoDB Atlas) or in-cluster via our mongodb-atlas-local Helm chart — see Self-Hosted MongoDB on Kubernetes with Atlas Search for the install guide. AWS S3 remains an external dependency.

Helm Chart

We packaged the deployment as a Helm chart (deploy/charts/doc-router) published to GitHub Container Registry (ghcr.io) as an OCI artifact. The chart is versioned independently of the Docker images, so we can update deployment configuration without rebuilding the application.

Key design decisions:

• Single values.yaml with sensible defaults — operators override only what differs per cluster
• ConfigMap for non-secret config — NEXTAUTH_URL, FASTAPI_ROOT_PATH, worker count, S3 bucket
• Kubernetes Secret for credentials — MongoDB URI, API keys, NextAuth secret — created by the deploy script, never stored in the chart
• Ingress host derived from APP_HOST — a single variable drives the entire URL configuration

Choosing a Container Registry

We evaluated two natural options: Amazon ECR (since we’re already on AWS/EKS) and GitHub Container Registry (ghcr.io) (since our source is on GitHub).

ECR has one significant operational advantage for EKS: nodes authenticate via IAM role, so there is no image pull secret to manage. Costs are low — $0.10/GB stored, with no data transfer charge for pulls within the same AWS region. However, ECR is tightly coupled to AWS. A second deployment on Digital Ocean or a customer’s on-premises cluster would need separate registry credentials and mirroring, making it a poor fit for a multi-cloud or self-hosted product.

ghcr.io is cloud-neutral — any cluster anywhere can pull images with a single token. It integrates naturally with GitHub Actions (the GITHUB_TOKEN secret already has packages: write permission), so publishing images is zero-configuration. The chart package also appears directly on the repository’s GitHub page alongside the source code and releases, which is the right home for an open-source project.

The catch: ghcr.io packages are private by default for organizations, and GitHub’s free tier includes only 500 MB storage and 1 GB transfer per month. For clusters that pull large images repeatedly, those limits are reached quickly. Making packages public eliminates the cost entirely, but requires an organization admin to enable public package creation in the org settings — it is disabled by default.

We chose ghcr.io and made our packages public. The images contain no secrets — only application code — so public visibility is appropriate and keeps infrastructure simple. Clusters pull anonymously with no credentials required.

For customers who need private images (for example, an enterprise build with proprietary integrations), the REGISTRY_PROVIDER variable in the overlay .env file can be switched to aws or do to use ECR or Digital Ocean Container Registry instead, with registry login handled automatically by the deploy scripts.

Merging Workers into FastAPI

The original architecture ran the background workers (OCR, LLM, KB indexing, webhooks) as a separate process alongside uvicorn. In Kubernetes, this meant each backend pod ran two Python processes, consuming ~375 MB of memory.

We merged the workers into the FastAPI lifespan using asyncio.create_task:

@asynccontextmanager
async def lifespan(app):
    # startup
    worker_tasks = start_workers(n_workers)
    yield
    # shutdown
    for task in worker_tasks:
        task.cancel()
    await asyncio.gather(*worker_tasks, return_exceptions=True)

This halved per-pod memory usage (~190 MB) and eliminated the process management overhead. The workers share the same event loop as the API, which is safe because all worker I/O is already async.

Worker Polling Optimization

With multiple replicas, each pod runs a full set of worker coroutines polling MongoDB queues. At idle with 4 workers per pod, that was ~80 MongoDB queries per second cluster-wide.

We implemented exponential backoff with shared state across parallel workers:

_queue_idle_sleep: dict[str, float] = {}  # shared across all workers on a queue

# on idle: back off
sleep = _queue_idle_sleep.get("ocr", POLL_MIN_SLEEP)
await asyncio.sleep(sleep)
_queue_idle_sleep["ocr"] = min(sleep * 2, POLL_MAX_SLEEP)

# on message found: reset for all workers on this queue
_queue_idle_sleep["ocr"] = POLL_MIN_SLEEP

This reduces idle polling to near-zero while keeping response latency low when work arrives.

Graceful Shutdown

When Kubernetes scales down a pod (HPA scale-in or rolling update), it sends SIGTERM. We needed in-flight jobs to be marked as failed rather than silently abandoned.

Since workers are asyncio tasks, cancellation arrives as asyncio.CancelledError — a BaseException, not caught by except Exception. We added explicit handling in each worker:

try:
    await ad.msg_handlers.process_ocr_msg(analytiq_client, msg)
except asyncio.CancelledError:
    logger.warning(f"Worker cancelled mid-flight on msg {msg.get('_id')}, marking failed")
    await ad.queue.delete_msg(analytiq_client, "ocr", str(msg["_id"]), status="failed")
    raise  # allow the task to actually cancel

The failed job can then be retried on another pod.

Database Migrations as a Helm Pre-Upgrade Hook

Running database migrations safely in a multi-replica environment requires that migrations complete before any new application code starts serving traffic. In Docker Compose this is handled by startup ordering, but in Kubernetes rolling updates, new pods can start before old ones are gone — with no guarantee about migration timing.

We solved this with a Helm hook Job that runs migrate.py using the same backend image, annotated to execute before the upgrade rolls out:

annotations:
  "helm.sh/hook": pre-upgrade,pre-rollback
  "helm.sh/hook-weight": "-5"
  "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation

The pre-upgrade hook ensures migrations run and complete successfully before Helm touches any Deployment. If the migration Job fails, Helm aborts the upgrade entirely — the old version keeps running. hook-delete-policy: hook-succeeded cleans up the completed Job automatically, keeping the namespace tidy. The before-hook-creation policy ensures the old Job is removed if a previous run left one behind.

One subtlety: at pre-upgrade time, the ConfigMap has not yet been updated by Helm (hooks run before regular resources). The migration Job therefore mounts only the Secret — which contains MONGODB_URI — and not the ConfigMap:

envFrom:
- secretRef:
    name: doc-router-secrets
# ConfigMap intentionally omitted — not yet updated at hook time

This means migrate.py must be written to need only the database connection string, with no dependency on application config values.

The result is a safe, atomic upgrade sequence: migrate → roll out new pods → terminate old pods — with automatic rollback if the migration fails.

HPA Tuning

We configured Horizontal Pod Autoscaler on the backend with both CPU and memory targets:

metrics:
- type: Resource
  resource:
    name: cpu
    target:
      type: Utilization
      averageUtilization: 80
- type: Resource
  resource:
    name: memory
    target:
      type: Utilization
      averageUtilization: 80

A subtle issue: HPA scale-down uses ceil(currentReplicas × currentUtil / targetUtil). With 5 pods at 72% memory utilization against an 80% target, ceil(5 × 72/80) = ceil(4.5) = 5 — the ceiling arithmetic created a deadlock where the cluster could never scale below 5 pods.

The fix was increasing the memory request from 512 Mi to 768 Mi. After the worker merge reduced actual usage to ~190 MB, utilization dropped to ~25% — well below the threshold — and the cluster scaled back down to the minimum of 2 replicas.

Environment Configuration

Next.js NEXT_PUBLIC_* variables are baked into the browser bundle at build time, not injected at runtime. This caused a subtle bug: our local .env.local file set NEXT_PUBLIC_FASTAPI_FRONTEND_URL=http://127.0.0.1:8000. Because .env.local wasn’t listed in .dockerignore, it was copied into the Docker build context and read by Next.js during npm run build — silently overriding the intended production value and baking the localhost URL into every image.

We fixed this in two steps:

1. Exclude all .env.* files from the Docker build context by adding **/.env.* to .dockerignore, so local development env files can never leak into images.

2. Remove NEXT_PUBLIC_FASTAPI_FRONTEND_URL entirely. Rather than baking an absolute URL into the bundle, the frontend now always calls /fastapi — a relative path that works from any hostname. Next.js rewrites proxy /fastapi/:path* to the backend service URL at the server layer:

// next.config.mjs
async rewrites() {
  return [{
    source: '/fastapi/:path*',
    destination: `${process.env.FASTAPI_BACKEND_URL}/fastapi/:path*`,
  }];
}

FASTAPI_BACKEND_URL is a server-side runtime variable (not NEXT_PUBLIC_) pointing to the in-cluster backend service (http://backend.<namespace>.svc.cluster.local:8000). It is never exposed to the browser. The result is a truly environment-agnostic frontend image that requires no rebuild when moving between clusters.

CI/CD Pipeline

Structure

We use three GitHub Actions workflows:

• backend-tests.yml — runs Python tests against a local MongoDB Atlas instance (with vector search via mongodb-atlas-local) plus TypeScript tests. Triggered by workflow_call or workflow_dispatch.
• frontend-build.yml — runs npm run build for the Next.js frontend. Also triggered by workflow_call or workflow_dispatch.
• ci.yml — runs both test workflows on every pull request to main.
• release.yml — triggered on semver tags (v[0-9]*.[0-9]*.[0-9]*). Runs both test workflows first, then builds and pushes Docker images if they pass.

Why semver tags, not branch pushes

An early version of the pipeline ran tests on every push to main and triggered builds from there. This caused two problems:

1. Tests ran twice per release — once on the branch push, once triggered by the tag.
2. The tag trigger didn’t wait for tests — if a tag was pushed immediately after a commit, the build could race ahead of a still-running test run.

The current design avoids both: release.yml is only triggered by a semver tag, and the build-push job declares needs: [test-backend, test-frontend], so Docker images are never built unless all tests pass on that exact commit. Tests run exactly once per release.

The ci.yml workflow handles the PR gate separately — developers get test feedback on their branch without triggering a build.

Reusable test workflows

Making the test workflows workflow_call-able (rather than duplicating the job definitions in both ci.yml and release.yml) keeps the test logic in one place. Both workflows call the same definitions; any change to the test steps is automatically reflected in both gates.

workflow_dispatch is kept on each test workflow so that individual test suites can be re-run manually from the GitHub Actions UI without needing to push a commit or tag.

Image tagging

The build step computes image tags from the git tag:

TAG="$"          # e.g. v27.0.1-rc2 or v27.0.1
FRONTEND_TAGS="${FRONTEND}:${TAG}"
# :latest only for stable releases (no pre-release suffix)
if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  FRONTEND_TAGS="${FRONTEND_TAGS},${FRONTEND}:latest"
fi

Release candidates (v27.0.1-rc2) get a versioned tag only. Stable releases (v27.0.1) also update :latest. This means a cluster running :latest auto-updates on the next helm upgrade, while a cluster pinned to a specific tag is unaffected.

Helm chart publishing is manual

The Helm chart is published separately with ./deploy/scripts/publish-chart.sh <overlay>. We kept this manual for two reasons: the chart version is independent of the app version (you might push 10 image releases without any chart changes), and publishing the chart is a deliberate operator action — it should not happen automatically on every tag.

Egress IPs and External Service Whitelisting

A practical difference between EKS and DOKS emerged when connecting to MongoDB Atlas, which requires IP whitelisting for all incoming connections.

On EKS, the cluster’s private node group sits behind a single NAT gateway. All outbound traffic from every pod — regardless of which node it runs on — exits through one stable public IP. Adding that single IP to MongoDB Atlas’s allowlist is all that’s needed, and the IP never changes when nodes are replaced or the cluster scales.

On DOKS, there is no NAT gateway by default. Each node is assigned its own public IP, and pods reach the internet directly through the node they’re scheduled on. This means:

• There is no single egress IP — the source address MongoDB sees depends on which node the backend pod happens to be running on.
• With two nodes, you need two IPs in the allowlist. With autoscaling, new nodes get new IPs, and the allowlist breaks until you add them.

For a fixed-size dev cluster, the workaround is to whitelist all current node IPs. For a production DOKS cluster with autoscaling, the correct solution is to provision a Digital Ocean Load Balancer as a NAT gateway, routing all cluster egress through a single stable IP. This adds ~$12/month but is the only reliable option when the external service requires a static source address.

For our dev cluster (doc-router-dev), we whitelist the two node IPs directly. For production DOKS deployments, a managed NAT gateway is required.

Overlay-based Deploy Scripts

Rather than a one-size-fits-all deploy script, we use an overlay pattern:

.env              # shared defaults (local dev values)
.env.eks-test     # overrides for the test EKS cluster
.env.eks-prod     # overrides for production

The deploy scripts (k8s-deploy.sh, build-push.sh) accept an overlay name and source both files, with the overlay taking precedence. A single variable — APP_HOST — drives all URL configuration, making it straightforward to add a new environment. k8s-deploy.sh is idempotent — it uses helm upgrade --install and handles both fresh installs and rolling updates without any distinction.

What’s Next

• On-premises distribution — Helm chart and images are public on ghcr.io; self-hosted MongoDB is available via the mongodb-atlas-local chart (see Self-Hosted MongoDB on Kubernetes with Atlas Search); documentation for a one-command on-prem install is the next step
• Offline license keys — JWT-based licenses signed with a private key, verified against a public key baked into the image, for air-gapped installations
• Multi-cloud support — Digital Ocean Kubernetes is now supported alongside EKS; Azure Kubernetes Service support is planned

Andrei Radulescu-Banu is the founder of DocRouter.AI (document processing with LLMs) and SigAgent.AI (Claude Agent monitoring). His company AnalytiqHub.com provides consulting services for cloud and AI engineering.

The manifest problem

A real Kubernetes application needs dozens of YAML files: Deployments, Services, ConfigMaps, Secrets, Ingress rules, HorizontalPodAutoscalers, PodDisruptionBudgets. Writing them by hand is feasible once, but the moment you need the same app running in three environments — local, staging, production — you face a choice:

• Copy the files for each environment and keep them in sync manually (fragile)
• Use a tool that handles the variation for you

Two tools dominate: Kustomize and Helm. They solve the same problem differently, and many projects use both — Helm for third-party software, Kustomize for their own app.

Kustomize — layered YAML patches

Kustomize ships with kubectl (no install needed) and works with plain YAML. The idea is a base + overlays structure:

manifests/
  base/
    deployment.yaml      # canonical deployment
    service.yaml
    kustomization.yaml   # lists the resources
  overlays/
    dev/
      kustomization.yaml # patches for dev
      patch-replicas.yaml
    prod/
      kustomization.yaml # patches for prod
      patch-replicas.yaml
      patch-resources.yaml

The base defines the resource once. Each overlay patches only what differs. A typical patch looks like:

# overlays/prod/patch-replicas.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
spec:
  replicas: 4       # override base value of 2

To deploy the prod overlay:

kubectl apply -k overlays/prod/

Kustomize merges the base YAML with all patches before sending anything to the API server. You always see plain, readable YAML — there is no templating language to learn, and the output is predictable.

Variable substitution

For values that vary by environment (hostnames, image tags, resource sizes), Kustomize offers substituteFrom: it reads variables from a ConfigMap or Secret and injects them into the manifests at apply time:

# kustomization.yaml
configurations:
  - var-references.yaml
vars:
  - name: APP_DOMAIN
    objref:
      kind: ConfigMap
      name: project-values
      apiVersion: v1
    fieldref:
      fieldpath: data.domain

This is less flexible than Helm’s full templating but keeps the YAML closer to what Kubernetes actually receives.

What Kustomize does not do

Kustomize has no concept of a release, no revision history, and no built-in rollback. If you apply a broken overlay, you must fix it and reapply, or manually apply a previous version. For the same reason, there is no --atomic safety net — if a deployment fails mid-rollout, you notice from kubectl output, not from the packaging tool.

Helm — templated packages

Helm wraps Kubernetes YAML in a full templating engine (Go templates) and adds lifecycle management on top. A chart is a directory:

doc-router/
  Chart.yaml          # name, version, appVersion
  values.yaml         # default values
  templates/
    deployment.yaml   # Go template
    service.yaml
    ingress.yaml
    _helpers.tpl      # reusable template fragments

A template looks like:

# templates/deployment.yaml
spec:
  replicas: 
  template:
    spec:
      containers:
        - name: backend
          image: ":"
          resources:
            requests:
              cpu: 

To install with custom values:

helm upgrade --install doc-router ./doc-router \
  --set replicaCount=4 \
  --set image.tag=v1.2.3

Or via an override file:

helm upgrade --install doc-router ./doc-router -f values-prod.yaml

Release history and rollback

Helm records every install and upgrade as a numbered revision in the cluster. You can inspect history and roll back:

helm history doc-router -n doc-router
helm rollback doc-router 2 -n doc-router   # back to revision 2

With --atomic, a failed upgrade automatically triggers a rollback — the old version keeps running uninterrupted.

Publishing charts as OCI artifacts

A packaged chart can be pushed to any OCI-compatible registry (ghcr.io, ECR, Docker Hub) and pulled from anywhere:

helm push doc-router-0.3.7.tgz oci://ghcr.io/analytiq-hub
helm upgrade --install doc-router oci://ghcr.io/analytiq-hub/doc-router --version 0.3.7

This means a customer cluster can install your app with a single command, pulling both the chart and images from the same registry, with no Git access required.

Kustomize vs Helm — when to use each

In practice many projects use both: Helm for installing third-party dependencies (ingress-nginx, cert-manager, MongoDB operator), and Kustomize for their own application manifests. The two are compatible — a Kustomize overlay can reference a Helm chart as a generator.

GitOps — the cluster manages itself

Both Kustomize and Helm, as described so far, are imperative: a human (or a CI job) runs a command that pushes changes into the cluster. GitOps flips this model.

In GitOps, the desired cluster state is declared in a Git repository (or an OCI artifact registry). A controller running inside the cluster continuously watches that source and reconciles actual state to match it. No one runs helm upgrade — the cluster pulls its own updates.

Developer pushes to Git / CI pushes OCI artifact
         ↓
  Source of truth updated
         ↓
  In-cluster controller detects drift
         ↓
  Controller applies the diff
         ↓
  Cluster matches desired state

The key property: the cluster self-heals. If someone manually deletes a Deployment or edits a ConfigMap, the controller notices the drift and reverts it within seconds. The Git repo (or OCI artifact) is always the authoritative source.

Flux — a GitOps controller

Flux is one of the two dominant GitOps controllers (the other is Argo CD). It runs as a set of controllers in the cluster and watches sources:

Sources

Flux can watch:

• Git repositories — on every push, Flux reconciles the cluster
• OCI artifact registries — on every flux push artifact, Flux pulls and applies
• Helm repositories — for managing Helm releases declaratively

Core resources

GitRepository / OCIRepository — defines where Flux watches:

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: my-app
  namespace: flux-system
spec:
  interval: 1m
  url: oci://123456789.dkr.ecr.us-east-1.amazonaws.com/my-app-manifests
  ref:
    tag: latest

Kustomization — tells Flux what to apply from the source:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: my-app
  namespace: flux-system
spec:
  interval: 5m
  sourceRef:
    kind: OCIRepository
    name: my-app
  path: ./manifests/kubernetes/overlays/prod
  prune: true      # delete resources removed from source
  healthChecks:
    - apiVersion: apps/v1
      kind: Deployment
      name: backend
      namespace: my-app

HelmRelease — manages a Helm release declaratively:

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: ingress-nginx
  namespace: flux-system
spec:
  interval: 1h
  chart:
    spec:
      chart: ingress-nginx
      version: "4.11.3"
      sourceRef:
        kind: HelmRepository
        name: ingress-nginx
  values:
    controller:
      replicaCount: 2

CI/CD with Flux

A typical Flux-based pipeline looks like:

1. Developer opens a PR
2. CI runs tests
3. PR merged to main
4. CI builds Docker image → pushes to ECR
5. CI packages Kustomize manifests as OCI artifact → flux push artifact → ECR
6. Flux detects new artifact version
7. Flux applies manifests to cluster
8. Cluster rolls out new Deployment

Steps 6–8 happen automatically, inside the cluster, with no deploy script and no human intervention.

Flux vs running deploy scripts

GitOps is the right choice for teams with multiple people deploying to shared clusters, or for production environments where drift must be detected and prevented. For a small team or a self-hosted product where simplicity matters, shell scripts with helm upgrade --install are easier to understand, debug, and hand off to a customer.

Summary

A mature production setup typically uses all three: Kustomize or Helm for defining manifests, Flux or Argo CD for reconciling them, and a CI pipeline that produces the artifacts both consume.

Next: Deploying Doc Router on Kubernetes walks through a real application deployment (Helm chart, workers, CI/CD, EKS and Digital Ocean). If you need in-cluster MongoDB with vector search, see Self-Hosted MongoDB on Kubernetes with Atlas Search.

Andrei Radulescu-Banu is the founder of DocRouter.AI (document processing with LLMs) and SigAgent.AI (Claude Agent monitoring). His company AnalytiqHub.com provides consulting services for cloud and AI engineering.

Here’s how the key concepts map across.

From containers to Pods

In Docker Compose, the unit of work is a container. In Kubernetes, it is a Pod — a group of one or more containers that always run together on the same machine and share a network namespace. Most Pods contain a single container, but some use sidecars: a main process plus a helper (a log shipper, a proxy, or in our case the mongot search process alongside mongod).

Pods are ephemeral. When a Pod dies, Kubernetes replaces it with a new one — possibly on a different machine, with a new IP address. You never SSH into a Pod or rely on its IP being stable.

Deployments — the equivalent of a Compose service

A Deployment tells Kubernetes: “keep N replicas of this Pod running at all times.” If a Pod crashes, the Deployment controller starts a replacement. If you push a new image, it performs a rolling update — starting new Pods before terminating old ones so traffic is never interrupted.

In Docker Compose terms, a Deployment is your service: block plus restart policies and rolling update logic built in.

Services — stable internal addresses

Because Pod IPs change on every restart, Kubernetes introduces Services: stable DNS names and virtual IPs that front a group of Pods. A Service named backend in the doc-router namespace is reachable at backend.doc-router.svc.cluster.local from anywhere in the cluster, regardless of how many backend Pods exist or where they are running.

This replaces the automatic DNS that Docker Compose sets up between containers on the same network.

Namespaces — isolation within a cluster

A Namespace is a logical partition of the cluster. Resources in different namespaces don’t collide even if they share a name. A typical setup uses separate namespaces for each concern: doc-router for the application, mongodb for the database, ingress-nginx for the load balancer, cert-manager for TLS certificates.

In Docker Compose terms, a namespace is roughly equivalent to a separate Compose project — distinct networks and name scopes.

ConfigMaps and Secrets — environment variables at scale

Docker Compose lets you set environment: variables inline or via an .env file. Kubernetes separates non-sensitive config from sensitive config:

• ConfigMap — key-value pairs mounted as environment variables or files. Used for things like FASTAPI_ROOT_PATH, worker count, S3 bucket name.
• Secret — base64-encoded values stored (optionally encrypted at rest) separately from your app manifests. Used for database URIs, API keys, and auth secrets. Pods reference Secrets by name; the values are injected at runtime, never baked into the image.

PersistentVolumeClaims — durable storage

Docker Compose uses named volumes (backed by the local filesystem) to persist data across container restarts. Kubernetes uses PersistentVolumeClaims (PVCs): a request for a piece of storage of a given size and access mode. The cluster fulfils the claim by provisioning a real volume — an EBS disk on AWS, a DO Block Storage volume on Digital Ocean — and mounting it into the Pod.

PVCs survive Pod restarts and rescheduling. If a database Pod moves to a different node, the volume is detached and reattached automatically. Storage is provisioned dynamically by a StorageClass, which specifies the provisioner (e.g. ebs.csi.aws.com on EKS) and volume type.

Ingress and the load balancer

In Docker Compose you typically expose one port from one container. In Kubernetes, multiple Services need to be reachable from the outside under different paths or hostnames, all through a single external IP.

ingress-nginx is a Kubernetes controller that runs an nginx reverse proxy inside the cluster. When deployed on EKS, it automatically provisions an AWS Network Load Balancer with a stable public IP. You define Ingress rules — “route /fastapi to the backend Service, everything else to the frontend Service” — and ingress-nginx handles the routing. On a new cluster, the load balancer is the only resource with a public IP; everything else is internal.

cert-manager — automatic TLS

cert-manager is a Kubernetes controller that watches Ingress resources and automatically requests TLS certificates from Let’s Encrypt. When you annotate an Ingress with cert-manager.io/cluster-issuer: letsencrypt-prod, cert-manager handles the ACME challenge, obtains the certificate, stores it in a Secret, and renews it before it expires. You never touch a certificate manually.

Helm — packaging it all together

Kubernetes resources are defined as YAML files. A real application needs dozens of them: Deployments, Services, ConfigMaps, Secrets, Ingress rules, PodDisruptionBudgets. Helm is the package manager for Kubernetes — it bundles all those YAML files into a chart, parameterises them with a values.yaml file, and installs or upgrades the whole bundle with a single command:

helm upgrade --install doc-router oci://ghcr.io/analytiq-hub/doc-router \
  --namespace doc-router --set appHost=example.com ...

A chart can be published as an OCI artifact to any container registry alongside the Docker images.

If Docker Compose is a docker run wrapper, Helm is closer to an apt package: versioned, reproducible, and upgradeable.

How Helm applies changes

Every time you run helm upgrade, Helm compares the new rendered YAML against what it last applied and sends only the diff to the Kubernetes API — resources that haven’t changed are left untouched. Helm records each upgrade as a numbered revision, stored as a Secret in the cluster:

$ helm history doc-router -n doc-router
REVISION  STATUS     CHART           APP VERSION  DESCRIPTION
1         superseded doc-router-0.3.5  v27.0.0    Install complete
2         superseded doc-router-0.3.6  v27.0.1    Upgrade complete
3         deployed   doc-router-0.3.7  v27.0.2    Upgrade complete

Rolling back to a known-good state

If an upgrade goes wrong, rolling back to the previous revision is a single command:

helm rollback doc-router -n doc-router        # rolls back to revision 2
helm rollback doc-router 1 -n doc-router      # rolls back to a specific revision

Helm re-applies the exact YAML from that revision — the same image tags, the same config values — so the cluster returns to the state that last worked. Using --atomic during an upgrade makes this automatic: if the new Pods don’t become healthy within the timeout, Helm rolls back on its own without any manual intervention.

Zero-downtime rolling updates

When Helm upgrades a Deployment with a new image, Kubernetes does not restart all Pods at once. It uses a rolling update strategy controlled by two parameters:

strategy:
  type: RollingUpdate
  rollingUpdate:
    maxUnavailable: 0   # never take a pod down before a new one is ready
    maxSurge: 1         # allow one extra pod above the desired count during the rollout

With maxUnavailable: 0, Kubernetes starts a new Pod with the new image first. Only after that Pod passes its readiness probe — meaning it is actually serving traffic — does Kubernetes terminate one of the old Pods. This continues one Pod at a time until all replicas are on the new version. At no point does the number of healthy Pods drop below the desired count.

The result: an upgrade from v27.0.1 to v27.0.2 with two replicas proceeds as:

1. Start new Pod (v27.0.2) — 2 old + 1 new running
2. New Pod passes readiness check
3. Terminate one old Pod — 1 old + 1 new running
4. Start second new Pod — 1 old + 2 new running
5. Second new Pod passes readiness — terminate last old Pod
6. Rollout complete — 2 new Pods running, zero downtime

If the new Pod fails its readiness check at step 2, the rollout pauses. No old Pods have been terminated, so the old version continues serving 100% of traffic. With --atomic, Helm then rolls the release back automatically.

Running Kubernetes locally with Kind

Before deploying to a real cluster, it’s useful to test locally using Kind (Kubernetes in Docker). Kind runs an entire Kubernetes cluster — control plane and worker nodes — as Docker containers on your laptop. There is no cloud provider, no load balancer, and no cloud volumes; Kind uses your local filesystem for storage and NodePort services for external access.

./deploy/scripts/setup-kind.sh   # creates the Kind cluster
./deploy/scripts/deploy-kind.sh  # installs the Helm chart locally

The same chart that runs on EKS runs on Kind, with a different values-kind.yaml override file. This lets you iterate on chart changes without incurring cloud costs or waiting for node provisioning.

Summary

Next: Kubernetes Packaging and Deployment: Kustomize, Helm, and GitOps goes deeper into packaging manifests and GitOps with Flux.

Andrei Radulescu-Banu is the founder of DocRouter.AI (document processing with LLMs) and SigAgent.AI (Claude Agent monitoring). His company AnalytiqHub.com provides consulting services for cloud and AI engineering.

How can you structure a SaaS business so that AI makes your business more valuable, rather than just blowing it up?

These three strategies match AI to different parts of a product life cycle - launching, growing, or harvesting profits.

Launch to AI Buyers

SaaS companies are losing human seats. On the other hand, they are expanding sales to AI.

AI is a rapidly growing channel. It works like this: People ask their AI to do something. Then the AI finds, acquires, and uses services. Coding agents work aggressively to find and embed services. Other types of AI buyers include task-focused agents, chatbots and search engines, and personal assistants like Claude Cowork and OpenClaw.

You can sell your existing product to AI buyers. However, you will want to try some new packaging. For example, humans have spent 30 years rejecting micropayments, preferring to to buy chunky subscriptions that require fewer purchase decisions. AI agents use “X402” to make a stream of small payments, averaging around 20 cents per transaction.

Have you built an AI channel?

• Can AI find and recommend your product?
• Can it use your product?
• Can it onboard its human to use your product?
• Can it buy your product?

Grow with Increased Velocity

Is the product actively competing for new customers in an existing market?

In the age of AI, you will be less sure about what features, benefits, and channels will win. When you see that something is working, you want to grab share. A basic starting point is to maximize velocity with AI.

Your programmers have increased their velocity by using AI coders. Now it is your turn to automate more of the steps in product delivery. AI can look at data and interview customers to figure out what use cases to focus on. It can write change requests and feature requests. It can write code (we knew that). It can review code. It can deploy and monitor deployments. It can encourage each customer to expand usage. It can pull their data from competing systems. It can’t do all of these things with high quality today. It will be surprisingly good at all of them by the end of 2026.

You will free up time as you add individual agents and tools for each step. You will get a sudden surge of velocity when the steps link together into a “software factory”.

Then you will be ready to beat the competition when you see an opportunity.

Increase Profitability for Mature Products

Does the product have a bombproof customer base that renews every year and just wants the product to work?

Many SaaS products end up in this situation. The customers want continuity and reliability. As a new product developer, it causes me agony to say this, but those customers do NOT want you to bother them about a lot of new stuff.

You can run this business with six people, and a bunch of AI assistants. Then it will be more profitable. The Silicon Valley guys are talking about how AI assistants can power a billion dollar company run by a single person. That will be awesome because one person is both agile (no meetings about HR or change management) and cheap. More practically, we can catch up with SaaStr to enjoy “Eight-figure revenue with single-digit headcount.”

The classic startup team is:

• A “hustler” who makes sales, gets resources, and organizes. This is often a CEO role
• A “hipster” who handles marketing and customer experience
• A “hacker” who builds out the technical aspects of a product

You can run a business with these three roles. Because your deliverable is continuity, each person will need a backup and successor. You end up with six people.

Lock these guys down, pay them well, and find good backups. You are delivering confidence in the continuity and reliability of your product and team.

Next Steps

This article illustrates three different ways to use AI:

• As a customer for new launches. I am working on an AI channel grader that will figure out where a product is effectively selling to AI, and where we need to improve the packaging.
• As a worker in a software factory that increases production velocity. I am working on adding software factory capabilities to our TIPL project launcher.
• As an assistant for humans that increases revenue per employee. You can fill this slot with your own priorities.

Follow here for updates and ideas.

Single-prompt tools like DocRouter.AI shine for ~20-25 page docs… but what about massive collated files with labs, facesheets, insurance cards, and multiple patients mixed together? → One prompt = impossible.

Enter the solution: Temporal + DocRouter.AI in a smart, scalable workflow.

This post describes a real-world implementation that uses Temporal to orchestrate document processing workflows with DocRouter.AI, solving the challenge of processing massive medical records through intelligent multi-step orchestration.

The implementation is available at doc-router-temporal and processes medical documents containing hundreds of pages, extracting patient names, dates of birth, and medical insurance information.

The Problem: Massive Medical Records Need Smart Orchestration

Medical records often come as massive collated files containing 200+ pages with:

• Lab results and test reports
• Patient facesheets with demographics
• Insurance cards and coverage details
• Clinical notes and progress reports
• Multiple patients’ information mixed together

The challenge: These documents are too large to process in a single LLM prompt due to token limits (typically 128K-200K tokens). One prompt = impossible for comprehensive extraction.

The solution: A multi-step workflow that intelligently orchestrates the process:

1. Split: Break the massive PDF into individual pages
2. Classify: Identify each page’s type and which patient it belongs to
3. Group: Intelligently group pages by patient
4. Extract: Process each patient’s page bundle for precise, targeted extraction

Why This Pattern Rocks

This Temporal + DocRouter.AI combination delivers powerful advantages:

✅ Constant memory usage — scales effortlessly to 1,000+ pages without running out of resources

✅ Super general pattern → classify → group → process per group → works for any document type

✅ Fully durable & retry-safe thanks to Temporal’s built-in resilience

✅ Built lightning-fast in just a couple of days using AI tools

✅ Parallel processing — handles multiple patients simultaneously while maintaining order

✅ Production-ready with automatic error handling, timeouts, and state management

The Smart Workflow in Action

Here’s how the Temporal + DocRouter.AI workflow processes massive medical records:

🔹 Temporal splits the 200+ page PDF into individual pages

🔹 Uploads them one by one to DocRouter.AI for processing

🔹 DocRouter classifies each page → identifies patient name + document type (lab results, insurance card, facesheet, etc.)

🔹 Temporal intelligently groups pages by patient using fuzzy name matching and DOB correlation

🔹 Sends each patient’s page bundle back to DocRouter.AI for precise, targeted extraction

🔹 Temporal aggregates everything → clean, complete per-patient results

Technical Implementation

Why Temporal?

Temporal provides durable workflow orchestration that’s perfect for this use case. Unlike traditional approaches (queues, background jobs, or simple scripts), Temporal handles:

• Durable execution: Resumes from crashes during 200-page processing
• Parallel processing: Processes multiple pages simultaneously while maintaining order
• Error handling: Automatic retries for API rate limits and network issues
• State management: Tracks processed pages and identified patients
• Long-running workflows: Handles processes that take minutes to hours

Temporal’s architecture is built around two key concepts: Workflows (orchestration logic) and Activities (actual work). The diagram below illustrates how these components work together:

The Workflow Implementation

The implementation uses a hierarchical workflow structure with two main workflows:

1. Classify and Group PDF Pages (ClassifyAndGroupPDFPagesWorkflow): Chunks the PDF, classifies each page, and groups pages by patient
2. Extract Insurance Information (ClassifyGroupAndExtractInsuranceWorkflow): Creates patient-specific PDFs and extracts insurance card data

The main workflow (ClassifyGroupAndExtractInsuranceWorkflow) orchestrates the entire process:

Creating Schemas and Prompts with Claude Agent

Before building the Temporal workflow, we created the extraction schemas and prompts using the Claude Agent for DocRouter.AI (an MCP server at doc-router/packages/typescript/mcp).

The Claude Agent allows Claude Code to create extraction schemas and prompts. For example, you can prompt: “Create a schema for extracting patient information from medical record pages” and it will validate, create, and test the schema automatically.

The diagram below illustrates how DocRouter.AI operations work and how they integrate with Temporal workflows:

Key distinction: DocRouter.AI implements discrete operations (single prompt-and-schema processing per document), while Temporal implements the workflow orchestration (chunking, grouping, uploading pages for classification, and uploading chunks for extraction).

For this implementation, we created:

• medical_page_classifier: Classifies pages as labs, facesheets, insurance cards, clinical notes, or other document types
• insurance_card: Extracts insurance card information from patient pages

Workflow Implementation

The main workflow (ClassifyGroupAndExtractInsuranceWorkflow) orchestrates the entire process. Complete implementation: workflows/classify_group_and_extract_insurance.py.

Step 1: Classify and Group Pages

The workflow calls ClassifyAndGroupPDFPagesWorkflow to:

1. Chunk the PDF into individual pages
2. Classify each page using DocRouter.AI
3. Group pages by patient using name and DOB matching

The grouping logic (activities/group_classification_results.py) includes name normalization, DOB parsing, and fuzzy matching with Levenshtein distance to handle typos and variations.

Step 2: Extract Insurance Information

For each patient group, the workflow:

1. Creates patient-specific PDFs with only that patient’s pages (activities/create_and_upload_patient_pdf.py)
2. Uploads them to DocRouter.AI for insurance card extraction
3. Polls for completion and retrieves results

To avoid passing large binary data through Temporal, PDFs are read from disk and uploaded directly to DocRouter.AI.

Creating Temporal Workflows with Cursor

The Temporal workflow was developed in Cursor using natural language prompts. Cursor’s AI understood the codebase context and Temporal patterns, enabling rapid development without deep workflow expertise.

Key benefits:

• Context awareness across multiple files and existing activities
• Automatic Temporal pattern suggestions (activities, workflows, child workflows)
• Natural language refactoring and error handling implementation

Example development prompts:

“Create a workflow that processes each patient’s pages into separate PDFs, uploads them with insurance_card tag, waits for completion, then retrieves insurance extraction results.”

“Add fuzzy name matching to group pages with names differing by up to 2 letters using Levenshtein distance.”

“Handle edge cases where medical records contain individual patient names vs. multiple patient summaries.”

Cursor handled the complex Temporal implementation, error handling, and performance optimizations, resulting in production-ready code in just a few hours.

Key Implementation Details

Design Decisions

• Avoid large data transfer: PDFs are read from disk and uploaded directly to DocRouter.AI, not passed through Temporal
• Parallel processing: Multiple patients processed concurrently with status polling
• Error handling: Retry logic, graceful degradation, and timeout handling
• State management: Only document IDs and metadata flow through Temporal to keep history efficient

Results

The implementation successfully processes massive medical record documents with hundreds of pages, extracting patient names, dates of birth, and medical insurance information. It handles large documents (200+ pages), parallel patient processing, error recovery, and long-running operations.

Running the Workflow

# Start the Temporal worker
python worker.py

# In another terminal, run the client
python client_classify_group_and_extract_insurance.py <path_to_pdf>

See the README and client script for details.

The workflow returns JSON with file name, page classifications, schedule pages, and patient data with insurance information.

We’re in a New Era

What used to take months of engineering can now be shipped in days.

This Temporal + DocRouter.AI pipeline was built end-to-end using Claude Code-based Agent (for prompts + schemas) + Cursor (for Temporal workflows). I barely knew Temporal before starting — didn’t matter. AI tools let me iterate fast, prototype, and perfect the logic in record time.

The result: reliable, scalable document processing with durable workflows, parallel processing, and rapid schema iteration. The implementation took just 2 days to build and handles 200+ page medical records like a champ.

If you’re building AI-powered document workflows (especially in healthcare), this combo is 🔥.

Code available at doc-router-temporal.

• Temporal Documentation
• DocRouter.AI Documentation
• DocRouter.AI MCP Server

The Evolution: From Method to Theme

Analytiq Pages started as a methodology for building company websites using Jekyll, GitHub Pages, and Tailwind CSS. Today, we’re proud to release it as Analytiq Pages Theme - a fully packaged Jekyll theme that makes this powerful combination accessible to everyone.

✨ What’s New in Analytiq Pages Theme

🚀 Advanced Features

• Tailwind CSS Integration: Modern, responsive design with utility-first styling
• Enhanced Syntax Highlighting: Beautiful code blocks with copy functionality using highlight.js
• Interactive Diagrams: Full Excalidraw integration for creating and embedding technical diagrams
• Professional Blog Layouts: Complete blog system with sidebar, pagination, and category support
• Responsive Navigation: Mobile-first navigation with dropdown menus and hamburger menu
• Dark Theme Support: Built-in dark mode (Minima skin) for modern aesthetics

🛠 Developer Experience

• Three Customization Hooks: Override custom-head.html, custom-header.html, and custom-footer.html for site-specific modifications
• Reusable Components: Pre-built Tailwind components (alerts, buttons, cards)
• SEO Optimized: Integrated jekyll-seo-tag for better search engine visibility
• PDF Embedding: Native support for embedding PDF documents
• RSS Feed Generation: Automatic blog feed generation with jekyll-feed

🎨 Content Features

• MathJax Support: Render mathematical equations in your content
• Multiple Layouts: Specialized layouts for homepages, blog posts, documentation, and more
• Excalidraw Editor: Built-in diagram editor accessible at /excalidraw-edit
• Smart Embeds: Flexible diagram embedding with static, interactive, and link modes

Installation: Get Started in Minutes

Option 1: Quick Start with Existing Site

Add to your Jekyll site’s Gemfile:

gem "analytiq-pages-theme", git: "https://github.com/analytiq-hub/analytiq-pages-theme"

Or for a specific stable version:

gem "analytiq-pages-theme", git: "https://github.com/analytiq-hub/analytiq-pages-theme", tag: "v0.1.6"

Update your _config.yml:

theme: analytiq-pages-theme

Install and serve:

bundle install
bundle exec jekyll serve

Option 2: New Site from Scratch

The simplest way to get started:

# Create new Jekyll site
jekyll new my-company-site
cd my-company-site

# Replace minima theme with analytiq-pages-theme in Gemfile
sed -i 's/gem "minima".*/gem "analytiq-pages-theme", git: "https:\/\/github.com\/analytiq-hub\/analytiq-pages-theme", tag: "v0.1.6"/' Gemfile

# Configure theme in _config.yml
sed -i 's/^theme: .*/theme: analytiq-pages-theme/' _config.yml

# Install and serve
bundle install
bundle exec jekyll serve

Or if you prefer manual editing:

# Create new Jekyll site
jekyll new my-company-site
cd my-company-site

# Edit Gemfile: replace the minima line with:
# gem "analytiq-pages-theme", git: "https://github.com/analytiq-hub/analytiq-pages-theme", tag: "v0.1.6"

# Edit _config.yml: replace the theme line with:
# theme: analytiq-pages-theme

# Install and serve
bundle install
bundle exec jekyll serve

Visit http://localhost:4000 to see your new site!

Option 3: Local Installation (Alternative)

If you encounter repository access issues, you can install the theme locally:

# Download the theme release
curl -L https://github.com/analytiq-hub/analytiq-pages-theme/archive/refs/tags/v0.1.6.zip -o theme.zip
unzip theme.zip
mv analytiq-pages-theme-0.1.6/ _themes/analytiq-pages-theme/

# Or clone locally if you have access
git clone https://github.com/analytiq-hub/analytiq-pages-theme.git _themes/analytiq-pages-theme
cd _themes/analytiq-pages-theme && git checkout v0.1.6

# Add to _config.yml
echo "theme: _themes/analytiq-pages-theme" >> _config.yml

Key Improvements Over Manual Setup

Before (Analytiq Pages Method)

• Manual Tailwind CSS configuration
• Custom Jekyll setup for each project
• Repeated configuration of syntax highlighting
• Manual Excalidraw integration setup
• No standardized component library

After (Analytiq Pages Theme)

• One-line installation: theme: analytiq-pages-theme
• Pre-configured features: Everything works out of the box
• Professional components: Reusable Tailwind components included
• Advanced integrations: Excalidraw, MathJax, PDF embeds ready to use
• Consistent experience: Standardized layouts and styling across sites

Showcase: Real-World Examples

The theme powers several professional websites:

• Analytiq Hub - Business intelligence and analytics platform
• DocRouter.AI - AI-powered document routing solution
• SigAgent.AI - Signature analysis and automation platform
• Bitdribble - Technology consulting and development

Migration Guide: Upgrading from Analytiq Pages

If you’re currently using the Analytiq Pages methodology, migration is straightforward:

1. Add the theme to your Gemfile and _config.yml
2. Remove manual Tailwind configuration (now handled by the theme)
3. Update custom includes to use the new hook system
4. Migrate Excalidraw files to assets/excalidraw/ directory

Your existing content and configuration will continue to work seamlessly.

Technical Architecture

The theme is built with modern web standards:

analytiq-pages-theme/
├── _layouts/           # 5 specialized layouts
├── _includes/          # 16+ reusable components
├── assets/
│   ├── css/           # Tailwind + custom styles
│   └── js/            # Pagination, Excalidraw renderer
├── _config.yml        # Default configuration
└── analytiq-pages-theme.gemspec

Dependencies:

• Jekyll >= 3.9, < 5.0 (supports both GitHub Pages and Jekyll 4.x)
• jekyll-feed ~> 0.12
• jekyll-seo-tag ~> 2.6
• jekyll-pdf-embed ~> 1.1

Why Choose Analytiq Pages Theme?

For Startups & Small Businesses

• Zero hosting costs with GitHub Pages
• Professional appearance without design costs
• Content-first approach with Markdown simplicity
• Scalable foundation that grows with your business

For Agencies & Consultants

• Rapid deployment for client websites
• Consistent branding across projects
• Advanced features for technical content
• Easy customization for client-specific needs

For Enterprise Teams

• Git-based workflows for version control and collaboration
• Security compliance with GitHub’s enterprise infrastructure
• SEO optimization built-in
• Extensible architecture for custom requirements

Troubleshooting

Jekyll Version Compatibility

The theme supports both Jekyll 3.9+ (GitHub Pages) and Jekyll 4.x (modern installations). If you encounter version conflicts:

# For GitHub Pages compatibility (Jekyll 3.x)
gem "github-pages", group: :jekyll_plugins

# For modern Jekyll 4.x installations
gem "jekyll", "~> 4.3"

The theme will work with either version automatically.

Bundle Install Issues

# Clear bundle cache
bundle cache clean --force

# Clear bundler git cache
rm -rf ~/.local/share/gem/ruby/cache/bundler/git/

# Try installing again
bundle install

Theme Not Loading

• Verify _config.yml has theme: analytiq-pages-theme
• Clear Jekyll cache: rm -rf _site .jekyll-cache
• Rebuild: bundle exec jekyll build

Getting Help & Contributing

• Documentation: Comprehensive README at analytiq-pages-theme
• Issues & Support: GitHub Issues for bug reports and feature requests
• Contributing: Pull requests welcome for theme improvements
• Migration Support: Contact us for help upgrading from manual Analytiq Pages setups

How This Fits Into Your Stack

Analytiq Pages Theme transforms our proven methodology into a professional, reusable solution that makes building beautiful company websites accessible to everyone. Whether you’re launching a startup, building client sites, or managing enterprise web presence, this theme delivers the perfect balance of simplicity and power.

Ready to upgrade your web presence? Try Analytiq Pages Theme today!

This theme powers the very website you’re reading now. Experience the Analytiq Pages Theme in action and see the source code for implementation examples.

📢 Join the discussion on LinkedIn about modern Jekyll themes and web development workflows.

This playbook shows how we built one open-source AI SaaS framework that powers SigAgent.AI (real-time AI agent monitoring), DocRouter.AI (smart document understanding), and client consulting portals. The same infrastructure, different AI workflows.

The Problem: Infrastructure is Commodity

When we launched DocRouter.AI, we spent three months building the same infrastructure every AI product needs:

• Authentication: NextAuth for user sessions, OAuth providers, role-based access
• Billing: Stripe integration for subscriptions, credit packs, usage tracking
• AI Layer: LiteLLM for LLM routing, error handling, cost tracking
• Observability: OpenTelemetry for tracing AI workflows, debugging failures
• Data Storage: MongoDB for user data, usage logs, analytics

When we built SigAgent.AI, we cloned DocRouter’s codebase. In three weeks, it was live with full Stripe integration, authentication, and monitoring—90% code reuse.

Key Insight: AI SaaS infrastructure is commodity. Differentiation lies in AI workflows, not plumbing.

The Solution: Modular, Reusable Stack

Our platform follows four principles:

1. Shared Core, Custom Workflows

The core provides:

• Frontend: Next.js with NextAuth and Tailwind CSS
• Backend: FastAPI with MongoDB
• AI Layer: LiteLLM for multi-provider LLM APIs
• Observability: OpenTelemetry integration
• Billing: Stripe for subscriptions, credit packs, usage-based invoicing

Each product adds specialized workflows:

• DocRouter.AI: Document parsing, field extraction, validation
• SigAgent.AI: Trace ingestion, anomaly detection, performance analytics
• Consulting Portals: Lab automation, custom reporting, enterprise integrations

Architecture Comparison

Here’s how the two products differ architecturally while sharing the same foundation. These diagrams are rendered directly from Excalidraw files:

Both architectures share:

• Next.js frontend with NextAuth authentication
• FastAPI backend integrated with Stripe for payments
• MongoDB for data persistence
• REST APIs, Python & TypeScript SDKs for programmatic access
• MCP Server and Claude agent

The key difference is in the specialized routes and data models:

• SigAgent adds telemetry, traces, and OpenTelemetry endpoints
• DocRouter adds documents, OCR, forms, schemas, and prompts

2. Vibe-Coded Branding

Products are forked and branded directly in source code—colors, logos, messaging, domains. No abstraction layers:

• Fast Iteration: Clone repo, search-replace branding, update Tailwind colors
• Full Control: Every pixel customizable
• Stripe Integration: Product-specific metadata tags (product=sig_agent, product=doc_router)

// SigAgent.AI branding in Layout.tsx
export const metadata = {
  title: 'SigAgent.AI',
  description: 'Real-time AI agent monitoring and telemetry...',
};

<header className="bg-blue-600 border-b border-blue-700">
  <Link href="/" className="text-xl font-semibold text-white">
    SigAgent.AI
  </Link>
</header>

// DocRouter.AI branding (same file, different values)
export const metadata = {
  title: 'Smart Document Router',
  description: 'AI-powered document understanding...',
};

<header className="bg-green-600 border-b border-green-700">
  <Link href="/" className="text-xl font-semibold text-white">
    <span className="block sm:hidden">DocRouter.AI</span>
    <span className="hidden sm:block">Smart Document Router</span>
  </Link>
</header>

Why it works: Vibe coding trades abstraction for speed. Need a new product? Fork, customize, ship.

3. Open Core, Closed Workflows

• Open-source core: Apache license enables community contributions, transparency for enterprise buyers
• Closed workflows: AI logic (SigAgent’s anomaly detection, DocRouter’s extraction) remains proprietary IP
• Hybrid advantage: Open plumbing attracts contributors, closed AI preserves competitive moats

Real-World Applications

DocRouter.AI: The Foundation (3 months to develop)

Our first product extracts structured data from documents using LLMs. We built the full infrastructure from scratch in 3 months:

Monetization Model:

• Free Tier: 100 Service Processing Units (SPUs)
• Individual/Team: $250/$1,000/month with SPU allowances
• Credit Packs: A-la-carte SPUs for usage spikes
• Enterprise: Custom contracts with outcome-based pricing

Key Lesson: Treat billing as infrastructure, not a feature. Build once, reuse everywhere.

SigAgent.AI: The Clone (3 weeks)

Real-time AI agent monitoring using OpenTelemetry traces. 90% code reuse:

Same Infrastructure:

• NextAuth authentication with Google/GitHub OAuth
• Stripe billing with product-specific metadata (product=sig_agent)
• OpenTelemetry for trace analysis

New AI Logic: Trace anomaly detection replaces document processing

Pricing: $25/$100/month (scaled down from DocRouter’s enterprise focus)

Client Consulting Portals (3 weeks)

When clients need custom AI portals, we fork and customize:

Process:

1. Clone repository and rebrand via source code changes
2. Add client-specific AI workflows (lab automation, custom reporting)
3. Deploy with pre-configured Kubernetes + Terraform

Example: Lab platform client got an AI portal monitoring their Claude coding copilot and OpenAI chat agents, with automated workflow validation.

Team: Product manager (10h/week) + AI architect (20h/week)

Result: Monetization-ready portal reusing 95% of existing infrastructure.

Why This Works: Key Lessons

Your Implementation Playbook

1. Identify Commodities: Auth, billing, observability, LLM routing are table stakes
2. Build Modular Core: Invest upfront in reusable infrastructure
3. Vibe Code Branding: Fork repos, search-replace strings, customize in source
4. Encapsulate UI + AI Logic: Keep specialized UI and AI workflows separate from infrastructure
5. Infrastructure-ize Billing: Wire Stripe from day one for turnkey monetization
6. Open Plumbing, Close AI: Share infrastructure, protect unique UI + AI logic

The Open-Source Framework

We’ve packaged this approach into an open-source framework:

Tech Stack: Next.js, FastAPI, MongoDB, Stripe, LiteLLM, OpenTelemetry

Features:

• Authentication with NextAuth
• Stripe billing with usage metering
• OpenTelemetry observability
• Multi-tenant support
• Pre-built templates for document AI, agent monitoring, chat portals

Documentation: Deployment guides for AWS or Kubernetes

Why Open Source? Every AI builder faces infrastructure challenges. By sharing the plumbing, we raise the ecosystem’s bar and differentiate on AI workflows.

Results Proven:

• DocRouter.AI: 3 months (built infrastructure)
• SigAgent.AI: 3 weeks (90% reuse)
• Client Portals: 3 weeks (95% reuse, custom workflows)

Ready to build? Start with commodity infrastructure, encapsulate unique AI logic, ship fast. Velocity wins in AI.

Interested? Contact Analytiq Hub or follow SigAgent.AI and DocRouter.AI

Related Posts

• How I Built a Reusable AI Monetization Platform with Stripe
• How To Train Your AI Agent
• DocRouter.AI: An AI Backbone for Document Processing
• SigAgent.AI - Tracing Claude Agents

Subscribe to our RSS feed for more on building AI SaaS products.