
Kubernetes Deployment

Prerequisites

| Tool | Version |
|---|---|
| Kubernetes | 1.28+ |
| Helm | 3+ |
| PostgreSQL | Managed (RDS, Cloud SQL) or operator |
| Redis | Managed (ElastiCache, Memorystore) or Redis Operator |

Cluster Layout

```text
┌────────────────────────────────────────────────────────────────┐
│                  Kubernetes Cluster                            │
│                                                                │
│  ┌──────────────── namespace: opengate ──────────────────────┐ │
│  │                                                           │ │
│  │  ┌─────────────────────────────────────────────────────┐  │ │
│  │  │              Ingress Controller (Nginx)             │  │ │
│  │  │         iam.yourdomain.com → gateway:8080           │  │ │
│  │  └────────────────────────┬────────────────────────────┘  │ │
│  │                           │                               │ │
│  │  ┌────────────────────────▼────────────────────────────┐  │ │
│  │  │      opengate-gateway  (Deployment: 2 replicas)     │  │ │
│  │  └──────┬───────┬──────┬──────┬──────┬─────────────────┘  │ │
│  │         │       │      │      │      │                    │ │
│  │       auth    user   realm  rbac  client  mfa  session    │ │
│  │    (2 pods) (2 pods) (2 pods) ...                         │ │
│  │                                                           │ │
│  │  ┌──────────────────────────────────────────────────────┐ │ │
│  │  │           ConfigMap: opengate-config                 │ │ │
│  │  │           Secret: opengate-secrets                   │ │ │
│  │  └──────────────────────────────────────────────────────┘ │ │
│  └───────────────────────────────────────────────────────────┘ │
│                                                                │
│  External: PostgreSQL RDS · Redis ElastiCache · Kafka MSK      │
└────────────────────────────────────────────────────────────────┘
```

Namespace & ConfigMap

```bash
kubectl create namespace opengate
```

k8s/configmap.yaml

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: opengate-config
  namespace: opengate
data:
  POSTGRES_HOST: "rds-endpoint.us-east-1.rds.amazonaws.com"
  POSTGRES_PORT: "5432"
  REDIS_HOST: "elasticache-endpoint.cache.amazonaws.com"
  REDIS_PORT: "6379"
  KAFKA_BOOTSTRAP_SERVERS: "kafka-broker-1:9092,kafka-broker-2:9092"
  JWT_ISSUER_URI: "https://iam.yourdomain.com/realms/master"
---
apiVersion: v1
kind: Secret
metadata:
  name: opengate-secrets
  namespace: opengate
type: Opaque
stringData:
  # Placeholder values: inject the real credentials at apply time
  # (for example from a secrets manager) instead of committing them.
  POSTGRES_PASSWORD: "your-db-password"
  REDIS_PASSWORD: "your-redis-password"
```

```bash
kubectl apply -f k8s/configmap.yaml
```

Service Deployment

k8s/user-service.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opengate-user-service
  namespace: opengate
spec:
  replicas: 2
  selector:
    matchLabels:
      app: opengate-user-service
  template:
    metadata:
      labels:
        app: opengate-user-service
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/path: "/actuator/prometheus"
        prometheus.io/port: "8082"
    spec:
      containers:
        - name: user-service
          # :latest is a mutable tag; pin a release tag or digest for production rollouts
          image: opengate/user-service:latest
          ports:
            - containerPort: 8082
          # non-sensitive settings come from the ConfigMap, credentials from the Secret
          envFrom:
            - configMapRef:
                name: opengate-config
            - secretRef:
                name: opengate-secrets
          env:
            - name: POSTGRES_DB
              value: opengate_users
          readinessProbe:
            httpGet:
              path: /actuator/health/readiness
              port: 8082
            initialDelaySeconds: 30
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /actuator/health/liveness
              port: 8082
            initialDelaySeconds: 60
            periodSeconds: 30
          resources:
            requests:
              memory: "256Mi"
              cpu: "250m"
            limits:
              memory: "512Mi"
              cpu: "500m"
---
apiVersion: v1
kind: Service
metadata:
  name: opengate-user-service
  namespace: opengate
spec:
  selector:
    app: opengate-user-service
  ports:
    - port: 8082
      targetPort: 8082
```
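The Deployment above runs a mutable `:latest` image and sets no `securityContext`. As an added example (not OpenGate project code), the standard-library Python lint below applies the checks a reviewer would run over that manifest before it is applied: `PAGE_DEPLOYMENT` is a constructed, trimmed copy of k8s/user-service.yaml, and the release tag passed to `harden()` is a placeholder.

```python
# Added example (not OpenGate project code): lint a Deployment manifest,
# given as a dict, for hardening gaps. PAGE_DEPLOYMENT is a trimmed copy
# of k8s/user-service.yaml above, constructed inline so this runs offline.
import copy

PAGE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "opengate-user-service", "namespace": "opengate"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "user-service",
        "image": "opengate/user-service:latest",
        "envFrom": [{"secretRef": {"name": "opengate-secrets"}}],
        "env": [{"name": "POSTGRES_DB", "value": "opengate_users"}],
        "readinessProbe": {"httpGet": {"path": "/actuator/health/readiness", "port": 8082}},
        "livenessProbe": {"httpGet": {"path": "/actuator/health/liveness", "port": 8082}},
        "resources": {"limits": {"memory": "512Mi", "cpu": "500m"}},
    }]}}},
}


def lint_deployment(manifest):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    name = manifest["metadata"]["name"]
    for c in manifest["spec"]["template"]["spec"].get("containers", []):
        where = f"{name}/{c['name']}"
        image = c.get("image", "")
        # Look for the tag only in the last path segment so registry:port is not mistaken for one.
        tag = image.rsplit(":", 1)[1] if ":" in image.rsplit("/", 1)[-1] else ""
        # A mutable tag makes rollbacks ambiguous and hides a silent image swap.
        if tag in ("", "latest"):
            findings.append(f"{where}: image tag mutable or missing ({image})")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{where}: no resource limits")
        for probe in ("readinessProbe", "livenessProbe"):
            if probe not in c:
                findings.append(f"{where}: missing {probe}")
        sc = c.get("securityContext", {})
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{where}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{where}: allowPrivilegeEscalation not disabled")
    return findings


def harden(manifest, tag):
    """Return a copy with the image tag pinned and a restrictive securityContext."""
    m = copy.deepcopy(manifest)
    for c in m["spec"]["template"]["spec"]["containers"]:
        c["image"] = c["image"].rsplit(":", 1)[0] + ":" + tag
        c["securityContext"] = {"runAsNonRoot": True, "allowPrivilegeEscalation": False}
    return m
```

Running `lint_deployment(PAGE_DEPLOYMENT)` reports the mutable tag and the two missing securityContext settings; the probes and resource limits from the manifest pass, and `harden()` clears all three findings.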

Ingress (Gateway)

k8s/ingress.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: opengate-ingress
  namespace: opengate
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - iam.yourdomain.com
      secretName: opengate-tls
  rules:
    - host: iam.yourdomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: opengate-gateway
                port:
                  number: 8080
```

Horizontal Scaling

k8s/hpa.yaml

```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: opengate-user-service-hpa
  namespace: opengate
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: opengate-user-service
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```

Stateless services can scale freely

gateway, user-service, realm-service, rbac-service, and client-service are fully stateless, so they can be scaled freely. auth-service and session-service keep their shared state in Redis rather than in the pod, so they can also scale horizontally.