Deployment Overview
Watchlight Beacon is the control plane for AI Agent Runtime Governance. It can be deployed using Docker Compose for evaluation and development, or Helm for production Kubernetes environments.
Deployment Tiers
Beacon services are organized into tiers. Start with Tier 1 and enable additional tiers as your governance requirements grow.
| Tier | Services | Purpose |
|---|---|---|
| Tier 1: Discovery & Registry | wl-registry, wl-registry-frontend, wl-discover, postgresql | Discover and catalog AI agents and MCP servers in your environment |
| Tier 2: Authorization | + wl-apdp, wl-apdp-frontend | Add Cedar-based policy authorization for agent actions |
| Tier 3: Runtime Enforcement Proxy | + wl-proxy, wl-secrets-broker | Full enforcement proxy with credential injection and response scrubbing |
Tier 3 (Runtime Enforcement Proxy) is under active development and will be available in an upcoming release.
Deployment Methods
| Method | Best For | Prerequisites | Guide |
|---|---|---|---|
| Beacon Installer | Single-host, evaluation, production Docker | Docker 24+ with Compose v2 | Self-contained script with TLS and secret management |
| Docker Compose | Custom Docker Compose, development | Docker 24+ with Compose v2 | Manual compose setup |
| Helm (Kubernetes) | Production, multi-node, cloud-native | Kubernetes 1.27+, Helm 3.12+ | Production-grade with HA, autoscaling, ingress |
Decision Tree
Use Docker Compose if:
- You are evaluating Beacon for the first time
- You need a single-host deployment (VM, bare metal, or EC2 instance)
- You want to be up and running in under 10 minutes
Use Helm if:
- You are deploying to a production Kubernetes cluster (EKS, GKE, AKS, on-prem)
- You need horizontal scaling, rolling updates, or pod disruption budgets
- You require integration with existing ingress controllers and cert-manager
Services Reference
| Service | Default Port | Image | Description |
|---|---|---|---|
| wl-registry | 8080 | ghcr.io/watchlight-ai-beacon/wl-registry | AI Agent and MCP server registry API |
| wl-registry-frontend | 3001 (container 80) | ghcr.io/watchlight-ai-beacon/wl-registry-frontend | Registry dashboard |
| wl-discover | (daemon) | ghcr.io/watchlight-ai-beacon/wl-discover | Network scanner and agent detector |
| wl-apdp | 8081 | ghcr.io/watchlight-ai-beacon/wl-apdp | Agentic Policy Decision Point |
| wl-apdp-frontend | 3000 (container 80) | ghcr.io/watchlight-ai-beacon/wl-apdp-frontend | Policy management dashboard |
| wl-proxy | 8080 | ghcr.io/watchlight-ai-beacon/wl-proxy | Agent runtime enforcement proxy |
| wl-secrets-broker | 8082 | ghcr.io/watchlight-ai-beacon/wl-secrets-broker | Credential injection for governed agents |
| postgresql | 5432 | postgres:16 | Database (built-in or BYO) |
Minimum Resource Requirements
| Tier | CPUs | RAM | Disk |
|---|---|---|---|
| Tier 1 (Discovery & Registry) | 2 | 2 GB | 10 GB |
| Tier 2 (+ Authorization) | 2 | 4 GB | 10 GB |
| Tier 3 (Full Governance) | 4 | 8 GB | 20 GB |
These are minimum requirements for evaluation. Production deployments should allocate additional resources based on the number of agents, servers, and request throughput.
Image Registry
All container images are hosted on the GitHub Container Registry (GHCR):
`ghcr.io/watchlight-ai-beacon/<service>:<version>`
The current version is 0.3.0-preview. A GHCR access token with read:packages scope is required to pull images. Contact Watchlight AI to obtain access.
Next Steps
- Quickest start: Use the Beacon Installer — single script, handles TLS and secrets
- Docker Compose: Follow the Docker Compose guide for manual compose setup
- Production Kubernetes: See the Helm deployment guide