You want to deploy ggscout in your Kubernetes cluster, but it has no access to the GitGuardian platform, preventing you from viewing the NHI inventory from the dashboard.
ggbridge can help you establish a secure, mTLS-authenticated gateway between your network and the GitGuardian platform, allowing ggscout to communicate with the GitGuardian public API and thus transmit the inventory.
As you can see in the diagram above, we configure the ggbridge client to expose an internal API endpoint dedicated to communicating with the GitGuardian API through ggbridge’s secure tunnel.
Before configuring the ggbridge client on your side, ensure that the GitGuardian team has created a dedicated ggbridge server for your organization. You can manage and configure your ggbridge instance directly from the GitGuardian dashboard, where you have access to its settings (hostname, certificates...) and operational status.
If you do not yet have a dedicated Bridge, please contact the GitGuardian support team to request its creation before proceeding with the deployment.
To enable the web tunnel and expose the GitGuardian API on your private internal network, you need to configure the ggbridge client.
Follow these steps to create a values.yaml file with the appropriate Helm values.
Configure the ggbridge client to connect to your hostname:
hostname: <my-subdomain>.ggbridge.gitguardian.com
tls:
  enabled: true
  existingSecret: ggbridge-client-crt
  existingSecretKeys:
    caCrt: ca.crt
    crt: tls.crt
    key: tls.key
hostname: The subdomain assigned to your ggbridge instance.
tls.enabled: Enables TLS for secure communication.
tls.existingSecret: References the Kubernetes secret storing your client certificates.
tls.existingSecretKeys: Specifies the keys within the secret.
The web tunnel allows HTTP traffic from the client to the server:
client:
  tunnels:
    web:
      enabled: true
There are multiple ways to expose the GitGuardian API within your network. You can use one of the following Kubernetes resources: a Service, an Ingress, or a Gateway API gateway.
Service: this option is only viable if the ggbridge client is deployed in the same Kubernetes cluster as ggscout. It enables internal communication using a Kubernetes service.
proxy:
  tunnels:
    web:
      service:
        listeners:
          - name: <my-service-name>
            backend: api.gitguardian.com
The GitGuardian API will be accessible internally at:
http://<my-service-name>.<namespace>.svc.cluster.local
Helm values file example 👉 values-service.yaml
Ingress: expose the API externally using an Ingress resource:
proxy:
  tunnels:
    web:
      ingress:
        enabled: true
        className: <my-ingress-className> # (Optional) Uses the default Ingress class if not set
        listeners:
          - hostname: api-gitguardian.<my-domain>
            backend: api.gitguardian.com
            tls:
              secretName: <my-tls-secret>
The GitGuardian API will be accessible at:
https://api-gitguardian.<my-domain>
Helm values file example 👉 values-ingress.yaml
Gateway: for environments using the Gateway API, you can configure it as follows:
proxy:
  tunnels:
    web:
      gateway:
        enabled: true
        className: <my-gateway-className> # (Optional) Uses the default Gateway class if not set
        listeners:
          - hostname: api-gitguardian.<my-domain>
            backend: api.gitguardian.com
            tls:
              secretName: <my-tls-secret>
The GitGuardian API will be accessible at:
https://api-gitguardian.<my-domain>
Helm values file example 👉 values-gateway.yaml
Install/Upgrade the ggbridge client using Helm:
helm -n ggbridge upgrade --install --create-namespace \
  ggbridge oci://ghcr.io/gitguardian/ggbridge/helm/ggbridge \
  -f values.yaml
To enable ggscout to communicate with the GitGuardian API via the configured ggbridge client, update the values.yaml file with the internal API endpoint:
inventory:
  config:
    gitguardian:
      endpoint: "<my-api-endpoint>"
      api_token: <my-api-token>
endpoint: The internal URL of the GitGuardian API.
api_token: The authentication token for API access.
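Because the ggscout endpoint has to match whatever the ggbridge proxy actually exposes, here is an added consistency check (not part of the ggbridge or ggscout projects) that derives the expected URLs from the ggbridge proxy values using the URL shapes given above and compares them with the ggscout endpoint. The values dicts are constructed samples for the Service option; in practice you would load both files with yaml.safe_load.

```python
API_BACKEND = "api.gitguardian.com"  # the only backend the web tunnel should proxy to


def web_listeners(ggbridge_values):
    """Yield (kind, listener) for every active listener under proxy.tunnels.web."""
    web = ggbridge_values.get("proxy", {}).get("tunnels", {}).get("web", {})
    for kind in ("service", "ingress", "gateway"):
        block = web.get(kind, {})
        # ingress/gateway carry an `enabled` flag; the service block does not
        if kind != "service" and not block.get("enabled"):
            continue
        for listener in block.get("listeners", []):
            yield kind, listener


def expected_endpoints(ggbridge_values, namespace):
    """Map each exposed URL to its exposure kind (service, ingress or gateway)."""
    urls = {}
    for kind, listener in web_listeners(ggbridge_values):
        if kind == "service":
            # plain HTTP inside the cluster, reached via the Service DNS name
            urls[f"http://{listener['name']}.{namespace}.svc.cluster.local"] = kind
        else:
            scheme = "https" if listener.get("tls", {}).get("secretName") else "http"
            urls[f"{scheme}://{listener['hostname']}"] = kind
    return urls


def find_problems(ggbridge_values, ggscout_values, namespace):
    """Return human-readable findings; an empty list means the two charts agree."""
    problems = []
    for kind, listener in web_listeners(ggbridge_values):
        if listener.get("backend") != API_BACKEND:
            problems.append(f"{kind} listener backend {listener.get('backend')!r} != {API_BACKEND!r}")
    gg = ggscout_values.get("inventory", {}).get("config", {}).get("gitguardian", {})
    endpoint = str(gg.get("endpoint", "")).rstrip("/")
    urls = expected_endpoints(ggbridge_values, namespace)
    if endpoint not in urls:
        problems.append(f"ggscout endpoint {endpoint!r} not exposed by ggbridge; expected one of {sorted(urls)}")
    return problems


# Constructed sample values (hypothetical names) mirroring the Service-based setup.
GGBRIDGE_VALUES = {"proxy": {"tunnels": {"web": {"service": {"listeners": [
    {"name": "gitguardian-api", "backend": API_BACKEND}]}}}}}
GGSCOUT_VALUES = {"inventory": {"config": {"gitguardian": {
    "endpoint": "http://gitguardian-api.ggbridge.svc.cluster.local",
    "api_token": "<my-api-token>"}}}}

if __name__ == "__main__":
    for problem in find_problems(GGBRIDGE_VALUES, GGSCOUT_VALUES, "ggbridge") or ["OK"]:
        print(problem)
```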
Refer to the ggscout GitHub project for more documentation on how to configure the Helm chart.
Add the repository to Helm with:
helm repo add gg-nhi https://gitguardian.github.io/nhi-scout-helm-charts
Install/Upgrade the Scout using Helm:
helm -n scout upgrade --install --create-namespace \
  scout gg-nhi/nhi-scout \
  -f values.yaml