Deployment Architecture
Calabi is packaged as a set of per-service Docker images. The Community Edition (CE) image is distributed from ghcr.io/calabi-ai/ (GitHub Container Registry — free, public, no auth required). Paid tiers (Starter, Professional, Enterprise) are distributed from public.ecr.aws/calabi/. A single Helm chart with tier-specific value files controls which services are deployed. A license key (JWT) controls what the UI unlocks. All tiers use the same images — the tier determines which containers run and which features are active.
Packaging Model
Image Registries
Calabi uses two registries depending on tier:
| Tier | Registry | Authentication |
|---|---|---|
| Community Edition (CE) | ghcr.io/calabi-ai/ | None — free public pull |
| Starter, Professional, Enterprise | public.ecr.aws/calabi/ | None — paid tiers authenticate via license key, not registry |
CE Image (GitHub Container Registry)
ghcr.io/calabi-ai/
└── calabi-ce:1.0.0 ← Single all-in-one CE image (also :latest)
Source: github.com/calabi-ai/calabi-ce (public)
Paid Tier Images (AWS Public ECR)
public.ecr.aws/calabi/
├── calabi-ui:1.0.0 ← Branded Calabi interface (same image all tiers)
├── calabi-gateway:1.0.0 ← Path-based routing to all services
├── calabi-license-proxy:1.0.0 ← JWT validation + AWS metering
├── calabi-iq:1.0.0 ← CalabiIQ (BI Analytics)
├── calabi-connect:1.0.0 ← Data ingestion backend
├── calabi-connect-ui:1.0.0 ← Calabi Connect interface
├── calabi-pipelines:1.0.0 ← DAG orchestration (Airflow)
├── calabi-notebooks:1.0.0 ← Calabi Notebooks
├── calabi-ide:1.0.0 ← Calabi IDE (browser-based)
├── calabi-ml:1.0.0 ← Calabi ML (experiment tracking)
├── calabi-ai-builder:1.0.0 ← AI Builder (visual pipeline)
├── calabi-ai-chat:1.0.0 ← AI Chat (local models)
├── calabi-local-models:1.0.0 ← Local LLM inference engine
├── calabi-automate:1.0.0 ← Calabi Automate
├── calabi-cloud-query:1.0.0 ← Cloud Operations — inventory
├── calabi-compliance:1.0.0 ← Cloud Operations — compliance
├── calabi-monitoring:1.0.0 ← Calabi Monitoring (dashboards)
├── calabi-metrics:1.0.0 ← Calabi Metrics (collection)
├── calabi-logs:1.0.0 ← Calabi Logs (aggregation)
├── calabi-catalogue:1.0.0 ← Catalogue backend
├── calabi-db:1.0.0 ← Shared database
└── calabi-search:1.0.0 ← Search index
Set up CE image in local Docker
Community Edition runs on a single host using Docker Compose. The image is publicly hosted on GitHub Container Registry — no authentication, no license key, no signup.
Prerequisites
- Docker Engine 20.10+ and Docker Compose v2
- 8 GB RAM free (minimum), 16 GB recommended
- 10 GB free disk space
- Ports 8080 (gateway) and 8088 (BI Analytics) available
Step 1 — Clone the repository
git clone https://github.com/calabi-ai/calabi-ce.git
cd calabi-ce
The repo contains docker-compose.yaml, .env, and seed scripts. No build step required — the image is pulled pre-built from ghcr.io/calabi-ai/calabi-ce:1.0.0.
Step 2 — Pull the CE image
docker pull ghcr.io/calabi-ai/calabi-ce:1.0.0
The image is ~2.1 GB compressed. No docker login required — the image is public.
Step 3 — Start the stack
docker compose up -d
This starts 7 containers:
services:
calabi-gateway: # Gateway — routes / → calabi-ui, /bi → calabi-iq
calabi-ui: # Catalogue + Governance interface
calabi-license-proxy: # CE limit enforcement (5 users, 500 assets)
calabi-iq: # CalabiIQ (BI Analytics)
calabi-catalogue: # Catalogue backend
calabi-db: # Shared database (PostgreSQL)
calabi-search: # Search index (OpenSearch)
Step 4 — Wait for setup to complete
First boot takes 2–3 minutes — the ce-setup one-shot container seeds the admin user, sample data (3 databases, 5 schemas, 15 tables), and ingests BI dashboard metadata (11 dashboards, 120 charts).
Track progress:
docker compose logs -f ce-setup
Wait for the line ce-setup completed successfully before proceeding.
Step 5 — Log in
Open http://localhost:8080 in your browser.
| Field | Value |
|---|---|
ce-admin@calabi.dev | |
| Password | Calabi@CE2025! |
Step 6 — Verify BI Analytics
From the sidebar, click BI Analytics. The dashboard should show 138 data assets, 2 users, and embedded Superset dashboards. If the BI panel is still loading, the backing service takes ~30 extra seconds to warm up.
Run CE alongside another stack
To run CE on alternate ports (e.g. when a Starter stack is already using 8080/8088), use the bundled overlay:
docker compose -f docker-compose.yaml -f docker-compose.ce-local.yaml --env-file .env.ce up -d
This runs CE on http://localhost:9080 (gateway) and http://localhost:9088 (BI).
Stop and clean up
docker compose down # Stop containers, keep data volumes
docker compose down -v # Stop and delete all CE data
CE limits
The license-proxy enforces CE limits at the request level:
- 5 users maximum
- 500 data assets maximum
- Core modules only — Catalogue, Governance, BI Analytics (reporting)
- All other modules (Data Engineering, Data Science, Cloud Operations) are visible in the UI but locked with an upgrade prompt
To unlock additional modules, upgrade to a paid tier.
Helm Chart Structure
calabi/ ← helm repo: https://helm.calabi.ai
├── Chart.yaml
├── values.yaml ← CE defaults (core services only)
├── values-starter.yaml ← Starter overrides
├── values-professional.yaml ← Professional overrides
├── values-enterprise.yaml ← Enterprise overrides
└── templates/
├── _helpers.tpl
├── core/ ← Always deployed (all tiers)
│ ├── calabi-ui.yaml
│ ├── gateway.yaml
│ ├── license-proxy.yaml
│ ├── calabi-catalogue.yaml
│ ├── database.yaml
│ └── search-engine.yaml
├── bi/
│ └── calabiiq.yaml ← enabled: true in CE+
├── data-engineering/
│ ├── connect.yaml ← enabled: true in Starter+
│ ├── airflow.yaml
│ ├── notebooks.yaml
│ └── ide.yaml
├── data-science/
│ ├── ml.yaml ← enabled: true in Professional+
│ ├── ai-builder.yaml
│ ├── ai-chat.yaml
│ ├── local-models.yaml
│ └── automate.yaml
└── cloud-ops/
├── cloud-query.yaml ← enabled: true in Enterprise
├── compliance.yaml
├── monitoring.yaml
├── metrics.yaml
└── logs.yaml
values.yaml Structure
global:
imageRegistry: "public.ecr.aws/calabi"
imagePullPolicy: IfNotPresent
licenseKey: "" # Set to license.key contents for paid tiers
modules:
bi:
enabled: true # CE+
dataEngineering:
enabled: false # Starter+
dataScience:
enabled: false # Professional+
cloudOps:
enabled: false # Enterprise only
monitoring:
enabled: false # Enterprise only
catalogue:
replicaCount: 1
resources:
requests: { cpu: "500m", memory: "1Gi" }
limits: { cpu: "2", memory: "4Gi" }
Install & Upgrade Commands
# Add Helm repo
helm repo add calabi https://helm.calabi.ai
helm repo update
# Community Edition (no license key needed)
helm install calabi calabi/calabi \
--namespace calabi --create-namespace
# Starter
helm install calabi calabi/calabi \
-f values-starter.yaml \
--set global.licenseKey="$(cat license.key)" \
--namespace calabi --create-namespace
# Professional
helm install calabi calabi/calabi \
-f values-professional.yaml \
--set global.licenseKey="$(cat license.key)" \
--namespace calabi --create-namespace
# Enterprise
helm install calabi calabi/calabi \
-f values-enterprise.yaml \
--set global.licenseKey="$(cat license.key)" \
--namespace calabi --create-namespace
Upgrading Tier
Upgrading is a single helm upgrade — no data migration, no image swap:
# Upgrade from Starter → Professional
helm upgrade calabi calabi/calabi \
-f values-professional.yaml \
--set global.licenseKey="$(cat new-license.key)" \
--namespace calabi
New containers start, additional modules unlock in the UI, and existing data is preserved.
Uninstalling
helm uninstall calabi --namespace calabi
Uninstalling does not delete persistent data in your databases or object storage. Database volumes and S3 data must be cleaned up separately if no longer needed.
Service Layout (Kubernetes)
All Calabi services are co-located in a single namespace. Traffic enters through the gateway and is routed path-based to each service.
Internet → Load Balancer → calabi-gateway
├── / → calabi-ui (Catalogue)
├── /bianalyst → calabi-iq (CalabiIQ)
├── /dataingestion → calabi-connect-ui
├── /airflow → calabi-pipelines
├── /mlflow → calabi-ml
├── /aibuilder → calabi-ai-builder
├── /openwebui → calabi-ai-chat
├── /automate → calabi-automate
└── /cloud → calabi-cloud-query
Container Count by Tier
| Tier | Containers | Services Added |
|---|---|---|
| CE | 7 | Gateway · UI · License Proxy · Catalogue · CalabiIQ · Database · Search Engine |
| Starter | 12 | + Calabi Connect · Connect UI · Calabi Pipelines · Notebooks · IDE |
| Professional | 17 | + Calabi ML · AI Builder · AI Chat · Local Models · Calabi Automate |
| Enterprise | 22+ | + Cloud Query · Compliance · Calabi Monitoring · Calabi Metrics · Calabi Logs |
License Key System
The calabi-license-proxy service validates the license key offline — no phone-home required.
{
"iss": "calabi.ai",
"tier": "professional",
"modules": ["bi", "data-engineering", "data-quality", "data-science"],
"maxUsers": 50,
"maxAssets": 50000,
"features": { "sso": true, "rbac": true, "audit": true },
"exp": 1735689600
}
How it works:
- Signed with Calabi's private key; verified with the public key embedded in the
calabi-license-proxyimage - No license key → CE mode (5 users, 500 assets, core modules only)
- Expired key → graceful CE fallback with upgrade banner
- The gateway enforces user/asset limits at the request level via
auth_request - Air-gap safe — works fully offline after the initial image pull
Secret Management
For Kubernetes deployments, Calabi integrates with AWS Secrets Manager via the External Secrets Operator. Secrets are injected as environment variables — no credentials are baked into images.
Secret naming convention:
/calabi/{tenant}/{service}/{key}
# Examples:
/calabi/acme/catalogue/db-password
/calabi/acme/iq/secret-key
/calabi/acme/pipelines/fernet-key
/calabi/acme/oauth2/client-secret
For self-hosted deployments outside AWS, standard Kubernetes Secret objects work identically — simply set values in values.yaml or reference your existing secret store.
AWS Marketplace
Calabi is published on AWS Marketplace as a Helm container product. After subscribing:
- AWS generates and delivers a license key for your tier
- You receive ECR image pull access (Marketplace-replicated)
- Install with the standard
helm installcommand using the Marketplace-provided license key - Usage (active users, managed assets) is metered automatically and billed through your AWS account monthly — no separate invoicing
helm install calabi \
oci://marketplace.ecr.aws/calabi/calabi \
--set global.licenseKey="$MARKETPLACE_LICENSE_KEY" \
-f values-professional.yaml \
--namespace calabi --create-namespace
What's Next
- Tiers & Features — CE vs Starter vs Professional vs Enterprise
- Medallion Architecture — Bronze, Silver, and Gold data layers
- Governance Overview — RBAC, SSO, audit logs, and compliance
- Helm Configuration — Full values reference