Guardian is Metoro’s AI. It can investigate alerts and production issues, verify deployments, assist debugging, and generate code fixes when the relevant integrations are configured. For the full set of Guardian capabilities, see AI SRE Overview.

Metoro AI is disabled by default in on-premises installations. Enable it by configuring the hub apiserver with an OpenAI-compatible Responses API endpoint and an API key. The model does not need to be hosted by OpenAI. It must expose an OpenAI-compatible API for the model name you configure.

Requirements

  • A running Metoro hub installation.
  • A model endpoint reachable from the apiserver pods.
  • An API key for the model endpoint.
  • A model name or deployment name for normal AI requests.
  • Optionally, a separate model name or deployment name for summary requests.

Create the API Key Secret

Store the model API key in a Kubernetes Secret in the hub namespace. Do not put the key directly in the Helm values file.
kubectl -n metoro-hub create secret generic metoro-ai-openai \
  --from-literal=METORO_AI_OPENAI_API_KEY="CHANGE_ME_MODEL_API_KEY" \
  --dry-run=client -o yaml | kubectl apply -f -
If your hub uses a namespace other than metoro-hub, use that namespace instead.

Configure Helm Values

Add the following block to the hub values file:
ai:
  enabled: true
  openai:
    enabled: true
    model: gpt-5.2
    summaryModel: gpt-5.1-codex-mini
    baseUrl: CHANGE_ME_MODEL_BASE_URL # Example: https://models.example.com/openai/v1
    apiKeyHeader: CHANGE_ME_MODEL_API_KEY_HEADER # Example: api-key; use "" for standard bearer auth
    externalApiSecret:
      enabled: true
      secretName: metoro-ai-openai
      keys:
        apiKey: METORO_AI_OPENAI_API_KEY
Set the fields as follows:
| Field | Required | Description |
| --- | --- | --- |
| ai.enabled | Yes | Global AI enablement flag for the hub. |
| ai.openai.enabled | Yes | Enables the OpenAI-compatible client used by Metoro AI. |
| ai.openai.model | Yes | Model or deployment name for primary AI requests. This value is passed through as an opaque model identifier. |
| ai.openai.summaryModel | No | Model or deployment name for summary requests. If empty, Metoro uses ai.openai.model. |
| ai.openai.baseUrl | Yes | OpenAI-compatible API root. For example, https://models.example.com/openai/v1. |
| ai.openai.apiKeyHeader | No | Header used to send the API key. Leave empty for standard Authorization: Bearer API key auth. Set this when your endpoint expects a custom key header. |
| ai.openai.externalApiSecret.enabled | Yes | Set to true to read the API key from an existing Kubernetes Secret. |
| ai.openai.externalApiSecret.secretName | Yes | Name of the Kubernetes Secret that contains the API key. |
| ai.openai.externalApiSecret.keys.apiKey | Yes | Secret key that contains the API key value. |
For Azure OpenAI-compatible /openai/v1 endpoints that expect the Azure API key header, set:
apiKeyHeader: api-key
For custom gateways, set apiKeyHeader to the header name required by the gateway.

Apply to an Existing Hub

Edit metoro-hub-values.yaml and add the ai block above. Apply the updated values:
helm upgrade --install metoro oci://quay.io/metoro/charts/metoro-onprem \
  --namespace metoro-hub \
  --version CHANGE_ME_YOUR_CURRENT_METORO_VERSION \
  --values metoro-hub-values.yaml
If you install from an OCI chart instead of a local chart path, keep the same values file and use your normal chart reference and chart version.

Verify the Rollout

Wait for the apiserver rollout:
kubectl -n metoro-hub rollout status deploy/apiserver --timeout=10m
Confirm the apiserver Deployment has the AI environment variables:
kubectl -n metoro-hub get deploy apiserver \
  -o jsonpath='{range .spec.template.spec.containers[?(@.name=="apiserver")].env[*]}{.name}{"\n"}{end}' \
  | grep '^METORO_AI'
Expected names:
METORO_AI_ENABLED
METORO_AI_OPENAI_ENABLED
METORO_AI_OPENAI_MODEL
METORO_AI_OPENAI_SUMMARY_MODEL
METORO_AI_OPENAI_BASE_URL
METORO_AI_OPENAI_API_KEY
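
The name check above can be extended to confirm that the API key reaches the pod through the Secret and is not a literal in the Deployment spec. This is an added example, not part of the Metoro documentation; it assumes the chart injects the key with valueFrom.secretKeyRef, and the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Metoro's code). Input on stdin: one env var per line,
# tab-separated as NAME, literal value, secretKeyRef Secret name.
EXPECTED="METORO_AI_ENABLED METORO_AI_OPENAI_ENABLED METORO_AI_OPENAI_MODEL \
METORO_AI_OPENAI_SUMMARY_MODEL METORO_AI_OPENAI_BASE_URL METORO_AI_OPENAI_API_KEY"

# Live input. Assumption: the chart injects the key with valueFrom.secretKeyRef.
live_listing() {
  kubectl -n "${1:-metoro-hub}" get deploy apiserver -o jsonpath='{range .spec.template.spec.containers[?(@.name=="apiserver")].env[*]}{.name}{"\t"}{.value}{"\t"}{.valueFrom.secretKeyRef.name}{"\n"}{end}'
}

# check_ai_env [SECRET_NAME]: prints findings, exits non-zero on any failure.
check_ai_env() {
  awk -F '\t' -v expected="$EXPECTED" -v secret="${1:-metoro-ai-openai}" '
    { seen[$1] = 1 }
    $1 == "METORO_AI_OPENAI_API_KEY" {
      # $2 is never printed: if set, it is the key itself.
      if ($2 != "") { print "FAIL: API key is a literal value in the pod spec"; bad = 1 }
      else if ($3 == "") { print "FAIL: API key has no secretKeyRef"; bad = 1 }
      else if ($3 != secret) { print "FAIL: API key read from Secret " $3; bad = 1 }
    }
    END {
      n = split(expected, names, " ")
      for (i = 1; i <= n; i++)
        if (!(names[i] in seen)) { print "FAIL: missing " names[i]; bad = 1 }
      if (!bad) print "OK"
      exit bad + 0
    }'
}

# Constructed sample listings (not captured from a cluster).
sample_base() {
  printf '%s\t%s\t\n' METORO_AI_ENABLED true METORO_AI_OPENAI_ENABLED true \
    METORO_AI_OPENAI_MODEL gpt-5.2 \
    METORO_AI_OPENAI_BASE_URL https://models.example.com/openai/v1
}
sample_good() {
  sample_base
  printf 'METORO_AI_OPENAI_SUMMARY_MODEL\tgpt-5.1-codex-mini\t\n'
  printf 'METORO_AI_OPENAI_API_KEY\t\tmetoro-ai-openai\n'
}
sample_bad() {   # key inlined, summary model variable absent
  sample_base
  printf 'METORO_AI_OPENAI_API_KEY\tCONSTRUCTED-NOT-A-KEY\t\n'
}

sample_bad | check_ai_env || true   # against a cluster: live_listing | check_ai_env
```

Pass a different Secret name as the first argument to check_ai_env if ai.openai.externalApiSecret.secretName is not metoro-ai-openai.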

Enable Guardian AI in the UI

After the apiserver rollout completes, enable Guardian AI in Metoro. Go to Settings -> Features -> Guardian AI -> Guardian AI Status and turn on the toggle.

[Figure: Guardian AI Status toggle in Settings -> Features -> Guardian AI.]

After Guardian AI is enabled, the home page should show Guardian AI chat. You can also open Guardian AI chat by pressing g, then c, from anywhere in the platform. Guardian pages, including Guardian Issues and Guardian Deployment Verification, are available from the Guardian section in the sidebar.

[Figure: Home page with Guardian AI chat enabled.]

Code fix workflows are not currently available in on-premises installations.

Verify Guardian Chat

Open Guardian AI chat and ask anything. For example:
What is your favourite pasta shape?

[Figure: Guardian AI chat prompt with "What is your favourite pasta shape?" entered.]

Guardian should return a normal chat response from the configured model endpoint.

[Figure: Guardian AI chat response from the configured model endpoint.]

Troubleshooting

Helm Fails Before Applying

Check that all required fields are set when both ai.enabled and ai.openai.enabled are true:
  • ai.openai.model
  • ai.openai.baseUrl
  • ai.openai.externalApiSecret.secretName
  • ai.openai.externalApiSecret.keys.apiKey

AI Requests Return 401 Unauthorized

Check:
  • The API key value in the Kubernetes Secret.
  • ai.openai.baseUrl points at the OpenAI-compatible API root.
  • ai.openai.apiKeyHeader matches the endpoint. Leave it empty for bearer auth. Use api-key for Azure OpenAI-compatible endpoints that expect the Azure API key header.
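
To isolate a 401 outside Guardian, the same request can be sent by hand using the header rule described for ai.openai.apiKeyHeader. This is an added example, not part of the Metoro documentation; the function names are hypothetical, and the /responses path under the API root is an assumption based on the OpenAI Responses API.

```shell
#!/bin/sh
# Added example (not Metoro's code): isolate a 401 outside Guardian.

# auth_header_line HEADER_NAME KEY: the header implied by ai.openai.apiKeyHeader.
auth_header_line() {
  if [ -z "$1" ]; then
    printf 'Authorization: Bearer %s\n' "$2"   # empty value: bearer auth
  else
    printf '%s: %s\n' "$1" "$2"                # custom header such as api-key
  fi
}

# responses_url BASE_URL: API root plus /responses (assumed Responses API path).
responses_url() {
  printf '%s/responses\n' "${1%/}"
}

# probe BASE_URL MODEL HEADER_NAME: prints only the HTTP status code.
# The key goes from the Secret into a temp file (mktemp creates it 0600) that
# curl reads with -H @file (curl 7.55.0 or later), so it never shows up in
# argv, shell history or the output.
probe() {
  hdr=$(mktemp) || return 1
  kubectl -n metoro-hub get secret metoro-ai-openai \
    -o jsonpath='{.data.METORO_AI_OPENAI_API_KEY}' | base64 -d |
    { IFS= read -r key; auth_header_line "$3" "$key"; } > "$hdr"
  curl -sS -o /dev/null -w '%{http_code}\n' -H @"$hdr" \
    -H 'Content-Type: application/json' \
    -d "{\"model\":\"$2\",\"input\":\"ping\"}" "$(responses_url "$1")"
  rc=$?
  rm -f "$hdr"
  return "$rc"
}

# Constructed values, shown only to illustrate the two header forms.
auth_header_line "" CONSTRUCTED-KEY
auth_header_line api-key CONSTRUCTED-KEY
```

Run probe from a pod or host that shares the apiserver pods' network path to the endpoint; calling it once with "" and once with api-key as the third argument shows which header form the endpoint accepts.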

Guardian AI Pages Still Show Disabled or Chat Is Missing

After the Helm values are applied and the in-platform Guardian AI Status toggle is on, allow up to 5 minutes for the change to take effect. If Guardian AI pages still show as disabled or Guardian AI chat does not appear on the home page, clear the browser cache and hard reload the platform. If the UI still does not update, verify the apiserver rollout and the METORO_AI environment variables again. If issues persist, contact support. We are here to help!