Skip to content

autom8ter/helmgate

Repository files navigation

helmgate

A secure API for easily deploying applications on Kubernetes with Helm charts

GoDoc

Features

Helpful Links

Command Line

helmgate -h
Usage of helmgate:
      --config string   path to config file (env: HELMGATE_JWKS_URI) (default "helmgate.yaml")

Sample Config

# port to serve on. metrics server is started on this port+1
port: 8820
# enable debug logs
debug: true
# rego policy for authorization. inputs: input.claims(map), input.headers(map), input.request(map), input.method(string)
# caution - this one allows any request
rego_policy: |-
  package helmgate.authz

  default allow = true
# query the allow variable
rego_query: "data.helmgate.authz.allow"
# remote json web keys uri for verifying inbound JWTs
jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
# add list of helm repos to load at startup
repos:
  - name: "stable"
    url: "https://charts.helm.sh/stable"

User Interface

Please take a look at the following options for stategate user-interface clients:

  • OAuth GraphQL Playground: A graphQL IDE that may be used to connect & interact with the full functionality of the stategate graphQL API as an authenticated user

Notes

  • graphQL API is served on :8820/graphql by default
  • gRPC API is served on :8820 by default
  • metrics server(prometheus/pprof) is served on :8821 by default
  • intended to be exposed publicly behind an SSL load balancer/ingress as an alternative to exposing your Kubernetes API
  • jwks uri is used to fetch public keys from a remote source in order to verify inbound JWTs - this is authentication
    • if no jwks uri is provided, inbound jwt's will not be verified(insecure)
  • a rego policy may be added to the helmgate config in order to implement fine-grainded authorization
    • if the rego policy is empty, a default allow-all policy will be used(insecure)
  • input attributes passed to the rego authorization policy on each client request include:
    • input.claims(map) - the payload/claims of the inbound jwt
    • input.headers(map)- the headers of the inbound request
    • input.request(map) - the payload of the inbound request
    • input.method(string) - the gRPC method of the inbound request