Deploying Keeptrusts on Kubernetes
Kubernetes is the natural home for production Keeptrusts deployments. This guide covers Helm chart installation, choosing between DaemonSet and Deployment topologies, running the gateway as a sidecar, managing configs and secrets, configuring health probes, and autoscaling with HPA.
Use this page when
- You are deploying the Keeptrusts gateway on Kubernetes with Helm charts or raw manifests
- You need to choose between Deployment, DaemonSet, or sidecar topologies
- You want to configure ConfigMaps, Secrets, health probes, and HPA autoscaling for the gateway
Primary audience
- Primary: Technical Engineers
- Secondary: AI Agents, Technical Leaders
Helm Chart Installation
Quick Start
# Add the Keeptrusts Helm repository
helm repo add keeptrusts https://charts.keeptrusts.dev
helm repo update
# Install the gateway
helm install keeptrusts-gateway keeptrusts/gateway \
--namespace keeptrusts \
--create-namespace \
--set api.url=https://keeptrusts-api.internal:8080 \
--set api.key=kt_gk_your_key_here \
--set config.path=/etc/keeptrusts/policy-config.yaml
Values File
# values.yaml
replicaCount: 3
image:
repository: keeptrusts/gateway
tag: "latest"
pullPolicy: IfNotPresent
gateway:
port: 41002
apiUrl: https://keeptrusts-api.internal:8080
logLevel: info
config:
# Mount policy config from ConfigMap
configMapName: keeptrusts-policy-config
configMapKey: policy-config.yaml
secrets:
# Reference API key from Kubernetes Secret
apiKeySecretName: keeptrusts-gateway-secrets
apiKeySecretKey: api-key
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 10
targetCPUUtilizationPercentage: 70
probes:
liveness:
path: /health
port: 41002
initialDelaySeconds: 5
periodSeconds: 10
readiness:
path: /health
port: 41002
initialDelaySeconds: 3
periodSeconds: 5
Install with the values file:
helm install keeptrusts-gateway keeptrusts/gateway \
--namespace keeptrusts \
--create-namespace \
-f values.yaml
Deployment Topologies
Deployment (Recommended)
A standard Deployment with a Service provides the simplest operational model:
# gateway-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: keeptrusts-gateway
namespace: keeptrusts
labels:
app: keeptrusts-gateway
spec:
replicas: 3
selector:
matchLabels:
app: keeptrusts-gateway
template:
metadata:
labels:
app: keeptrusts-gateway
spec:
containers:
- name: gateway
image: keeptrusts/gateway:latest
ports:
- containerPort: 41002
name: http
env:
- name: KEEPTRUSTS_API_URL
value: "https://keeptrusts-api.internal:8080"
- name: KEEPTRUSTS_GATEWAY_TOKEN
valueFrom:
secretKeyRef:
name: keeptrusts-secrets
key: api-key
volumeMounts:
- name: config
mountPath: /etc/keeptrusts
readOnly: true
livenessProbe:
httpGet:
path: /health
port: 41002
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /health
port: 41002
initialDelaySeconds: 3
periodSeconds: 5
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
volumes:
- name: config
configMap:
name: keeptrusts-policy-config
---
apiVersion: v1
kind: Service
metadata:
name: keeptrusts-gateway
namespace: keeptrusts
spec:
selector:
app: keeptrusts-gateway
ports:
- port: 41002
targetPort: 41002
name: http
type: ClusterIP
DaemonSet
Use a DaemonSet when every node needs a local gateway instance — useful for latency-sensitive workloads or when you want to avoid cross-node network hops:
# gateway-daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: keeptrusts-gateway
namespace: keeptrusts
spec:
selector:
matchLabels:
app: keeptrusts-gateway
template:
metadata:
labels:
app: keeptrusts-gateway
spec:
containers:
- name: gateway
image: keeptrusts/gateway:latest
ports:
- containerPort: 41002
hostPort: 41002
env:
- name: KEEPTRUSTS_API_URL
value: "https://keeptrusts-api.internal:8080"
- name: KEEPTRUSTS_GATEWAY_TOKEN
valueFrom:
secretKeyRef:
name: keeptrusts-secrets
key: api-key
volumeMounts:
- name: config
mountPath: /etc/keeptrusts
readOnly: true
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
volumes:
- name: config
configMap:
name: keeptrusts-policy-config
tolerations:
- operator: Exists
Topology Comparison
| Topology | Scaling | Latency | Resource Overhead |
|---|---|---|---|
| Deployment + Service | Horizontal (HPA) | Network hop to gateway pod | Concentrated on scheduled nodes |
| DaemonSet | One per node (automatic) | Local (same node) | On every node |
| Sidecar | One per app pod | Localhost | Per-pod overhead |
Sidecar Pattern
Inject the gateway as a sidecar container alongside your application:
# app-with-sidecar.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-ai-app
spec:
replicas: 2
selector:
matchLabels:
app: my-ai-app
template:
metadata:
labels:
app: my-ai-app
spec:
containers:
- name: app
image: my-ai-app:latest
env:
- name: OPENAI_BASE_URL
value: "http://localhost:41002/v1"
- name: OPENAI_API_KEY
valueFrom:
secretKeyRef:
name: keeptrusts-secrets
key: gateway-key
- name: keeptrusts-gateway
image: keeptrusts/gateway:latest
ports:
- containerPort: 41002
env:
- name: KEEPTRUSTS_API_URL
value: "https://keeptrusts-api.internal:8080"
- name: KEEPTRUSTS_GATEWAY_TOKEN
valueFrom:
secretKeyRef:
name: keeptrusts-secrets
key: api-key
volumeMounts:
- name: config
mountPath: /etc/keeptrusts
readOnly: true
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
volumes:
- name: config
configMap:
name: keeptrusts-policy-config
The application sends requests to localhost:41002 — no network hop, no service discovery required.
ConfigMap and Secret Management
Policy Config via ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
name: keeptrusts-policy-config
namespace: keeptrusts
data:
policy-config.yaml: |
keeptrusts:
gateway:
name: production-gateway
policies:
- name: pii-redaction
type: output_filter
action: redact
patterns: ["SSN", "credit_card"]
- name: spend-limit
type: spend_limit
action: block
max_daily_usd: 1000
providers:
- name: openai
provider: openai
secret_key_ref:
store: OPENAI_API_KEY
Secrets via Kubernetes Secrets
apiVersion: v1
kind: Secret
metadata:
name: keeptrusts-secrets
namespace: keeptrusts
type: Opaque
stringData:
api-key: "kt_gk_your_gateway_key"
provider-openai: "sk-your-openai-key"
For production, use an external secrets operator (e.g., External Secrets Operator with Vault or AWS Secrets Manager) instead of plain Kubernetes Secrets.
External Secrets Integration
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: keeptrusts-secrets
namespace: keeptrusts
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: keeptrusts-secrets
data:
- secretKey: api-key
remoteRef:
key: secret/keeptrusts/gateway
property: api-key
- secretKey: provider-openai
remoteRef:
key: secret/keeptrusts/providers
property: openai-key
HPA Autoscaling
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: keeptrusts-gateway
namespace: keeptrusts
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: keeptrusts-gateway
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
behavior:
scaleUp:
stabilizationWindowSeconds: 30
policies:
- type: Pods
value: 2
periodSeconds: 60
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Pods
value: 1
periodSeconds: 120
Scale-down is deliberately slower than scale-up to avoid flapping during traffic spikes.
Health Probes
The gateway /health endpoint returns structured health information:
{
"status": "healthy",
"version": "1.0.0",
"uptime_seconds": 3600,
"policies_loaded": 5,
"last_config_reload": "2026-04-23T10:00:00Z"
}
Configure both liveness and readiness probes. The readiness probe ensures traffic is only sent to gateways that have loaded their policy config. The liveness probe restarts gateways that become unresponsive.
For AI systems
- Canonical terms: Helm chart, Deployment, DaemonSet, sidecar, ConfigMap, Secret, HPA, liveness probe, readiness probe,
keeptrusts/gatewayimage - Helm repo:
https://charts.keeptrusts.dev, chart:keeptrusts/gateway - Health endpoints:
/health(port 41002),/readyz(port 41002) - Key env vars:
KEEPTRUSTS_API_URL,KEEPTRUSTS_GATEWAY_TOKEN - HPA default: min 2, max 10, target 70% CPU
- Related pages: Service Mesh Integration, Monitoring & Alerting, Upgrade Procedures
For engineers
- Install with
helm install keeptrusts-gateway keeptrusts/gateway -n keeptrusts --create-namespace -f values.yaml - Store gateway API key in a Kubernetes Secret and reference via
secretKeyRefin the pod spec - Mount policy config from a ConfigMap at
/etc/keeptrusts/policy-config.yaml - Configure readiness probe on
/healthwithinitialDelaySeconds: 3— prevents traffic before policies load - Set HPA
targetCPUUtilizationPercentage: 70withminReplicas: 2for production - For sidecar topology, add the gateway container to your application pod spec and route to
localhost:41002 - Validate:
kubectl rollout status deployment/keeptrusts-gateway -n keeptruststhencurl <gateway-svc>/health
For leaders
- Kubernetes deployment provides auto-healing, rolling updates, and horizontal scaling for the gateway fleet
- Sidecar topology adds per-pod governance with no network hop — useful for latency-sensitive workloads
- HPA autoscaling responds to traffic spikes automatically without manual intervention
- Readiness probes prevent traffic to gateways that haven't loaded policies, eliminating governance gaps during restarts
- Resource limits (100m–500m CPU, 128–256Mi memory) keep gateway infrastructure costs predictable
Next steps
- Add mTLS with Service Mesh Integration for zero-trust networking
- Set up Monitoring & Alerting with Prometheus metrics from
/metrics - Plan Upgrade Procedures for rolling gateway updates