Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/autom8ter/helmgate
secure grpc/graphQL/REST API for managing k8s applications with helm
api golang graphql grpc istio kubernetes
Last synced: 20 days ago
- Host: GitHub
- URL: https://github.com/autom8ter/helmgate
- Owner: autom8ter
- License: apache-2.0
- Created: 2021-01-07T02:33:11.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2021-03-04T00:54:56.000Z (over 3 years ago)
- Last Synced: 2024-06-21T03:02:33.557Z (5 months ago)
- Topics: api, golang, graphql, grpc, istio, kubernetes
- Language: Go
- Homepage: https://autom8ter.github.io/helmgate/
- Size: 3.71 MB
- Stars: 3
- Watchers: 1
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
# helmgate
A secure API for easily deploying applications on Kubernetes with Helm charts
[![GoDoc](https://godoc.org/github.com/autom8ter/helmgate?status.svg)](https://godoc.org/github.com/autom8ter/helmgate/helmgate-client-go)
- [API Documentation](https://autom8ter.github.io/helmgate/)
## Features
- [x] [Headless](https://en.wikipedia.org/wiki/Headless_software)
- [x] [Stateless](https://nordicapis.com/defining-stateful-vs-stateless-web-services/)
- [x] [gRPC](https://grpc.io/) support
    - [protobuf schema](schema.proto)
- [x] [graphQL](https://graphql.org/) support `/graphql`
    - [graphQL schema](schema.graphql)
- [x] REST support `/`
    - [openapi schema](schema.swagger.json)
- [x] Serve gRPC, graphQL, & REST on same port
- [x] Authentication - JWT/OAuth with remote JWKS verification
- [x] Authorization - [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) based Authorization engine
- [x] Direct [Helm](https://helm.sh/) client integration (no exec'ing out to shell)
- [x] Autogenerated Client gRPC SDK's
    - [x] Go
        - [![GoDoc](https://godoc.org/github.com/autom8ter/helmgate?status.svg)](https://godoc.org/github.com/autom8ter/helmgate/helmgate-client-go)
    - [x] [Node](./gen/grpc/node)
    - [x] [PHP](./gen/grpc/php)
    - [x] [C#](./gen/grpc/csharp)
    - [x] [Java](./gen/grpc/java)
    - [x] [gRPC Web](./gen/grpc/web)
- [x] Structured JSON Logs
- [x] Metrics Server(prometheus/pprof)
- [x] [Sample Kubernetes Manifest](k8s.yaml)
## Helpful Links
- [Helm Docs](https://helm.sh/docs/)

## Command Line
```
helmgate -h
Usage of helmgate:
--config string path to config file (env: HELMGATE_JWKS_URI) (default "helmgate.yaml")
```

## Sample Config
```yaml
# port to serve on. metrics server is started on this port+1
port: 8820
# enable debug logs
debug: true
# rego policy for authorization. inputs: input.claims(map), input.headers(map), input.request(map), input.method(string)
# caution - this one allows any request
rego_policy: |-
  package helmgate.authz
  default allow = true
# query the allow variable
rego_query: "data.helmgate.authz.allow"
# remote json web keys uri for verifying inbound JWTs
jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
# add list of helm repos to load at startup
repos:
  - name: "stable"
    url: "https://charts.helm.sh/stable"
```

## User Interface
Please take a look at the following options for stategate user-interface clients:
- [OAuth GraphQL Playground](https://github.com/autom8ter/oauth-graphql-playground): A graphQL IDE that may be used to connect & interact with the full functionality of the stategate graphQL API as an authenticated user
## Notes
- graphQL API is served on :8820/graphql by default
- gRPC API is served on :8820 by default
- metrics server(prometheus/pprof) is served on :8821 by default
- intended to be exposed publicly behind an SSL load balancer/ingress as an alternative to exposing your Kubernetes API
- jwks uri is used to fetch public keys from a remote source in order to verify inbound JWTs - this is authentication
- if no jwks uri is provided, inbound JWTs will not be verified (insecure)
- a rego policy may be added to the helmgate config in order to implement fine-grained authorization
- if the rego policy is empty, a default allow-all policy will be used(insecure)
- input attributes passed to the rego authorization policy on each client request include:
    - `input.claims(map)` - the payload/claims of the inbound jwt
    - `input.headers(map)` - the headers of the inbound request
    - `input.request(map)` - the payload of the inbound request
    - `input.method(string)` - the gRPC method of the inbound request
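
A deny-by-default counterpart to the allow-all sample policy, built from the `input.claims` and `input.method` attributes listed above. This is an added example, not taken from the helmgate repository. Assumptions: the identity provider issues `iss`, `aud`, `email` and `email_verified` claims, the e-mail addresses are constructed, and the client ID and method strings are placeholders to replace with real values (the methods are defined in `schema.proto`). The policy uses the same pre-1.0 Rego syntax as the sample config.

```yaml
port: 8820
debug: false
# without jwks_uri inbound JWTs are not verified, so input.claims cannot be trusted
jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
rego_query: "data.helmgate.authz.allow"
rego_policy: |-
  package helmgate.authz

  # deny unless one of the allow rules below matches
  default allow = false

  # constructed sample identities
  admins = {"alice@example.com"}
  viewers = {"bob@example.com"}

  # PLACEHOLDER method strings: replace with the read-only gRPC methods
  # defined in schema.proto
  read_only_methods = {
    "/PLACEHOLDER.Service/ReadMethodA",
    "/PLACEHOLDER.Service/ReadMethodB"
  }

  # A shared JWKS endpoint verifies tokens minted for any client of that
  # provider, so pin the issuer and the audience as well (assumed claim names).
  verified_identity {
    input.claims.iss == "https://accounts.google.com"
    input.claims.aud == "PLACEHOLDER_OAUTH_CLIENT_ID"
    input.claims.email_verified == true
  }

  # admins may call any method
  allow {
    verified_identity
    admins[input.claims.email]
  }

  # viewers may call read-only methods only
  allow {
    verified_identity
    viewers[input.claims.email]
    read_only_methods[input.method]
  }
repos:
  - name: "stable"
    url: "https://charts.helm.sh/stable"
```

A request that matches no `allow` rule, including one whose token lacks any of these claims, evaluates to the default `false`.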