🧭Overview

Introduction

In addition to the SaaS offering, Toucan provides a self-hosted solution that you can deploy on your own infrastructure.

For teams that value full control, customization, and data ownership, our self-hosted solution offers a powerful alternative. Deploy it in your own environment, tailor every aspect to fit your infrastructure, and meet specific compliance or security requirements with confidence.

Self-hosting gives you the flexibility to scale and integrate on your terms, while still benefiting from the same robust features that power our SaaS offering. Whether you're navigating strict internal policies or simply prefer managing everything in-house, our self-hosted option gives you the freedom and autonomy to build your ideal setup.

From v2 to v3

Since Toucan v2, the architecture of Toucan has greatly changed for high-availability and safer deployment. In the past, our deployment looked like this:

V2 components. Red components are stateful services.

The back-end, being a stateful monolith, hindered our scalability, availability and development velocity. To improve performance and resolve these issues, the product has broken down the monolith into multiple services:

  • Tucana (nginx): the reverse proxy, with authorization capability, and also the frontend.

  • The layout service: the service that handles the layout of the dashboard.

  • The dataset service: the service that handles the configuration of the datasets, including the secrets.

  • HashiCorp Vault: the service that stores the secrets, connected to the dataset service.

  • The data execution service: the service responsible for executing the queries. Highly scalable.

  • The impersonation service: a small service used by internal services to authenticate as another user.

  • SpiceDB: an authorization service.

  • Curity: an Identity Provider and authentication service.

  • Gotenberg: the PDF rendering service.

  • And the persistence: PostgreSQL, Redis, and S3.

  • (And sadly, legacy services: Laputa and MongoDB. Based on the timing of you reading this, we might have already removed them!)

v3 architecture.

Wow, that's a lot of components!

Indeed, which is why we've adopted Kubernetes and Helm charts to automatically configure and enforce a safe and secure configuration made for easy management and deployment!

Using Helm, the package manager for Kubernetes deployment

While Kubernetes seems complicated, the Helm package manager makes it simple and easy to deploy the Toucan stack.

If you look at the diagram, once Laputa and MongoDB are removed, Toucan's infrastructure will be stateless and will simply depend on industry-standard, battle-tested, secure software.

If you use our Helm Charts as-is, without any further customization, you can think of our stack like a single package:

v3 compact architecture

Meaning, you only need to configure:

  • Two HTTP routes, one for the NGINX proxy and one for the authentication service.

  • The storage.

And that's it!

Thanks to Helm, we can also provide a default configuration that is secure, easy to maintain and also easily customizable.

Differences between self-hosted and SaaS

The differences are mostly due to limitations of a self-hosted environment.

  • SAML2 is not available at the moment, so you should opt for SSO OIDC.

  • Analytics is not available.

What's next

Now you know what we are going to deploy. You can follow the quick start if you are already comfortable with Kubernetes and Helm:

🚀Quick-Start Guide

However, if you are not yet familiar with Kubernetes, we recommend following the "Getting Started" chapter:

📘Getting Started
