helmgate

A secure API for easily deploying applications on Kubernetes with Helm charts

• API Documentation

Features

• Headless

• Stateless

• gRPC support

  • protobuf schema

• graphQL support /graphql

  • graphQL schema

• REST support /

  • openapi schema

• Serve gRPC, graphQL, & REST on same port

• Authentication - JWT/OAuth with remote JWKS verification

• Authorization - Rego based Authorization engine

• Direct Helm client integration(no exec'ing out to shell)

• Autogenerated Client gRPC SDK's

  • Go
    • 
  • Node
  • PHP
  • C#
  • Java
  • gRPC Web

• Structured JSON Logs

• Metrics Server(prometheus/pprof)

• Sample Kubernetes Manifest

Helpful Links

• Helm Docs

Command Line

helmgate -h
Usage of helmgate:
      --config string   path to config file (env: HELMGATE_JWKS_URI) (default "helmgate.yaml")

Sample Config

# port to serve on. metrics server is started on this port+1
port: 8820
# enable debug logs
debug: true
# rego policy for authorization. inputs: input.claims(map), input.headers(map), input.request(map), input.method(string)
# caution - this one allows any request
rego_policy: |-
  package helmgate.authz

  default allow = true
# query the allow variable
rego_query: "data.helmgate.authz.allow"
# remote json web keys uri for verifying inbound JWTs
jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
# add list of helm repos to load at startup
repos:
  - name: "stable"
    url: "https://charts.helm.sh/stable"

User Interface

Please take a look at the following options for stategate user-interface clients:

• OAuth GraphQL Playground: A graphQL IDE that may be used to connect & interact with the full functionality of the stategate graphQL API as an authenticated user

Notes

• graphQL API is served on :8820/graphql by default
• gRPC API is served on :8820 by default
• metrics server(prometheus/pprof) is served on :8821 by default
• intended to be exposed publicly behind an SSL load balancer/ingress as an alternative to exposing your Kubernetes API
• jwks uri is used to fetch public keys from a remote source in order to verify inbound JWTs - this is authentication
  • if no jwks uri is provided, inbound jwt's will not be verified(insecure)
• a rego policy may be added to the helmgate config in order to implement fine-grainded authorization
  • if the rego policy is empty, a default allow-all policy will be used(insecure)
• input attributes passed to the rego authorization policy on each client request include:
  • input.claims(map) - the payload/claims of the inbound jwt
  • input.headers(map)- the headers of the inbound request
  • input.request(map) - the payload of the inbound request
  • input.method(string) - the gRPC method of the inbound request