Skip to main content

Deploy Collate AI Proxy (CAIP)

Complete Deploy Collate before this step. CAIP must run in the same namespace as Collate.
CAIP (Collate AI Proxy) is the backend service powering AI features including AskCollate, Documentation Agent, Tier Agent, and DQ Generation Agent. It communicates with the Collate server via gRPC and authenticates using the user’s Personal Access Token (PAT), so agents inherit the user’s RBAC permissions.

LLM Provider Support

ProviderStatusChat ModelsEmbedding Models
AWS Bedrock✅ Default & RecommendedSonnet 4.5, Haiku 4.5Amazon Titan
Azure OpenAIAvailable (1.12+)GPT-4otext-embedding-3-small
OpenAIAvailable (1.12+)GPT-4otext-embedding-3-small

IAM Permissions for Bedrock (ROSA Only)

This section is ROSA/AWS-specific. For Azure OpenAI, skip to Configure Helm Values.
CAIP reuses the Collate server’s service account (openmetadata) and its existing IRSA role (openmetadata-rosa-role). Add a Bedrock inline policy to that role: 
cat > bedrock-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockInferenceProfileAccess",
      "Effect": "Allow",
      "Action": "bedrock:InvokeModel*",
      "Resource": [
        "arn:aws:bedrock:*::foundation-model/*",
        "arn:aws:bedrock:*:*:inference-profile/*"
      ]
    }
  ]
}
EOF

aws iam put-role-policy \
  --role-name openmetadata-rosa-role \
  --policy-name bedrock-access \
  --policy-document file://bedrock-policy.json
Also confirm that the Anthropic models (Sonnet 4.5, Haiku 4.5) are enabled in your AWS region from the AWS Bedrock console.

Configure Helm Values

Create a values-caip-openshift.yaml file for your provider.

AWS Bedrock

imagePullSecrets:
  - name: collate-ecr-secret

collate:
  # Collate Kubernetes service DNS — must match the service name in the openmetadata namespace
  hostAndPort: http://openmetadata:8585

config:
  llmProvider:
    bedrock:
      awsRegion: <aws-region>  # e.g. us-east-1

# Reuse the Collate server service account — it already has the IRSA annotation for Bedrock
serviceAccount:
  create: false
  name: openmetadata

# [Any OpenShift] Required for restricted-v2 SCC on all OpenShift 4.x clusters
podSecurityContext: {}
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ALL]
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

Azure OpenAI

replicaCount: 1

imagePullSecrets:
  - name: collate-ecr-secret

collate:
  hostAndPort: http://openmetadata:8585

config:
  llmProvider:
    type: openai
    model: gpt-4o
    modelSmall: gpt-4o
    openAI:
      apiKey: <AZURE_OPENAI_API_KEY>
      baseUrl: <AZURE_OPENAI_BASE_URL>
      azureOpenAI:
        enabled: true
        # Found in the Azure OpenAI Foundry Portal under your deployment details
        apiVersion: <AZURE_OPENAI_API_VERSION>
        deploymentName: <AZURE_OPENAI_DEPLOYMENT_NAME>
        resourceName: <AZURE_OPENAI_RESOURCE_NAME>

# [Any OpenShift] Required for restricted-v2 SCC on all OpenShift 4.x clusters
podSecurityContext: {}
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ALL]
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
For Azure OpenAI setup (creating a resource group, deploying models, and obtaining credentials), see the Azure OpenAI Configuration section below.

Deploy

Add the Helm repo and deploy CAIP into the openmetadata namespace: 
helm repo add collate-ai-proxy https://open-metadata.github.io/collate-ai-proxy-helm-chart
helm repo update

helm upgrade --install caip collate-ai-proxy/collate-ai-proxy \
  --namespace openmetadata \
  --values values-caip-openshift.yaml
For subsequent upgrades: 
helm upgrade caip collate-ai-proxy/collate-ai-proxy \
  --namespace openmetadata \
  --values values-caip-openshift.yaml \
  --reuse-values

Verify the Pod

oc get pods -n openmetadata -l app.kubernetes.io/name=collate-ai-proxy

oc logs -n openmetadata -l app.kubernetes.io/name=collate-ai-proxy --tail=50

# Confirm IRSA env vars are injected (ROSA only)
oc exec -n openmetadata deployment/caip-collate-ai-proxy -- env | grep -E "AWS_ROLE_ARN|AWS_WEB_IDENTITY"

Configure Collate to Use CAIP

After CAIP is running, update your Collate deployment to point to it.

Collate Helm Chart

Add the following to your values-openshift.yaml and run helm upgrade: 
collate:
  aiProxy:
    enabled: true

helm upgrade openmetadata open-metadata/openmetadata \
  --namespace openmetadata \
  --values values-openshift.yaml \
  --reuse-values

Environment Variables (Custom Chart)

If you deployed Collate with a custom Helm chart, add these environment variables: AWS Bedrock: 
extraEnvs:
  - name: EMBEDDING_PROVIDER
    value: bedrock
  - name: AI_PLATFORM_HOST
    value: caip-collate-ai-proxy
  - name: AWS_BEDROCK_REGION
    value: <aws-region>
Azure OpenAI: 
extraEnvs:
  - name: OPENAI_API_KEY
    value: <AZURE_OPENAI_SEMANTIC_SEARCH_KEY>
  - name: OPENAI_API_ENDPOINT
    value: <AZURE_OPENAI_SEMANTIC_SEARCH_ENDPOINT>
  - name: OPENAI_DEPLOYMENT_NAME
    value: <AZURE_OPENAI_SEMANTIC_SEARCH_DEPLOYMENT_NAME>
  - name: OPENAI_API_VERSION
    value: <AZURE_OPENAI_SEMANTIC_SEARCH_API_VERSION>
  - name: OPENAI_EMBEDDING_MODEL_ID
    value: text-embedding-3-small

Validation

Once deployed and configured, verify CAIP is healthy from the Collate UI: Settings → Preferences → Health Check All AI services should show a healthy status.

Hardware Requirements

CAIP is stateless — no persistent storage is required.
ResourceMinimum
CPU300m
Memory2Gi
StorageNone

Azure OpenAI Configuration

If using Azure OpenAI, follow these steps to create the required resources:
  1. Sign in to the Azure portal and create a dedicated resource group.
  2. Navigate to Azure OpenAI (Microsoft Foundry) and create a new service. Fill in the resource group, name, and region; leave other settings as default.
  3. Once created, click Go to Foundry Portal (Microsoft Foundry).
  4. Under Shared Resources → Deployments, click Deploy model → Deploy base model.
    • Deploy a chat model (e.g. gpt-4o) for CAIP.
    • Deploy a separate embedding model (text-embedding-3-small) for Collate Server semantic search.
  5. From each deployment’s detail page, collect: API key, deployment name, API version, base URL, and resource name.

Supported Models

All OpenAI GPT models are supported. Collate recommends gpt-4o for CAIP.

Troubleshooting

Pod Stuck in Pending

oc describe pod -n openmetadata -l app.kubernetes.io/name=collate-ai-proxy
SymptomCauseFix
Insufficient cpu / memoryCluster at capacityReduce resources.requests in values-caip-openshift.yaml
ImagePullBackOffECR pull secret missing or expiredRecreate collate-ecr-secret — see Deploy Collate
unable to validate against any SCCSecurity context incompatible with restricted-v2Ensure podSecurityContext: {} and securityContext block match the values above

Bedrock Access Denied (ROSA)

# Check IRSA env vars are injected into the pod
oc exec -n openmetadata deployment/caip-collate-ai-proxy -- env | grep AWS

# Verify the service account has the IRSA annotation
oc get sa openmetadata -n openmetadata -o jsonpath='{.metadata.annotations}'
If Bedrock calls are failing:
  1. Confirm the bedrock-access inline policy was attached: aws iam get-role-policy --role-name openmetadata-rosa-role --policy-name bedrock-access
  2. Verify the trust policy sub condition matches system:serviceaccount:openmetadata:openmetadata exactly.
  3. Confirm the Anthropic models are enabled in your AWS region in the Bedrock console.

CAIP Cannot Reach Collate

CAIP connects to Collate via the Kubernetes service DNS name. Test connectivity from inside the CAIP pod: 
oc exec -n openmetadata deployment/caip-collate-ai-proxy -- \
  curl -s http://openmetadata:8585/healthcheck
Expected: {"status":"OK"} If this fails, check that hostAndPort in your values matches the actual Collate service name and port in the openmetadata namespace: 
oc get svc -n openmetadata