Firewall: Kubernetes
Deploy the TruthVouch Governance Gateway on Kubernetes for production-grade, highly available AI governance.
Prerequisites
- Kubernetes 1.24+ cluster
- kubectl configured
- Helm 3.0+ installed
- PostgreSQL Operator (optional)
- 4GB RAM minimum per Gateway pod
Helm Installation
1. Add Helm Repository
```bash
helm repo add truthvouch https://charts.truthvouch.io
helm repo update
```
2. Create Namespace
```bash
kubectl create namespace truthvouch
```
3. Create Secrets
```bash
kubectl create secret generic gateway-secrets \
  --from-literal=db-password=YourSecurePassword123! \
  --from-literal=openai-api-key=sk-... \
  --from-literal=anthropic-api-key=sk-ant-... \
  -n truthvouch
```
Values passed with `--from-literal` end up in shell history and are visible in the process list while the command runs; for real credentials use `--from-file` on files you delete afterwards, or an external secrets operator. If you deploy with the raw manifests instead of Helm, add a `database-url` key as well: the Deployment manifest below reads `DATABASE_URL` from that key, not from `db-password`.
4. Install Chart
```bash
helm install truthvouch truthvouch/governance-gateway \
  --namespace truthvouch \
  --values values.yaml
```
Values File
Create values.yaml:
```yaml
replicaCount: 3

image:
  repository: truthvouch/governance-gateway
  tag: latest   # pin a release tag or digest in production; "latest" floats between rollouts
  pullPolicy: IfNotPresent

imagePullSecrets: []

serviceAccount:
  create: true
  name: gateway

service:
  type: ClusterIP
  port: 50052
  annotations:
    cloud.google.com/neg: '{"ingress": true}'

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"   # the gateway speaks gRPC on 50052
  hosts:
    - host: gateway.yourcompany.local
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: gateway-tls
      hosts:
        - gateway.yourcompany.local

resources:
  limits:
    cpu: 2000m
    memory: 4Gi
  requests:
    cpu: 1000m
    memory: 2Gi

autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
  targetMemoryUtilizationPercentage: 80

database:
  enabled: true
  type: postgresql
  host: postgres.truthvouch.svc.cluster.local
  port: 5432
  name: truthvouch_gateway
  user: gateway_user
  existingSecret: gateway-secrets
  existingSecretPasswordKey: db-password

redis:
  enabled: true
  host: redis.truthvouch.svc.cluster.local
  port: 6379

monitoring:
  enabled: true
  prometheus:
    enabled: true
    port: 9090

nodeSelector: {}

tolerations: []

affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app
                operator: In
                values:
                  - gateway
          topologyKey: kubernetes.io/hostname
```
Replace `gateway.yourcompany.local` with a hostname the issuer can validate: Let's Encrypt will not issue a certificate for a `.local` name, so for an internal hostname point `cert-manager.io/cluster-issuer` at an internal CA issuer instead of `letsencrypt-prod`.
Manual Kubernetes Manifests
If not using Helm, deploy with raw manifests:
1. ConfigMap
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gateway-config
  namespace: truthvouch
data:
  config.yaml: |
    server:
      host: 0.0.0.0
      port: 50052
      workers: 4
    scanning:
      stages:
        - name: pii_scanner
          enabled: true
        - name: injection_scanner
          enabled: true
```
2. Deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gateway
  namespace: truthvouch
spec:
  replicas: 3
  selector:
    matchLabels:
      app: gateway
  template:
    metadata:
      labels:
        app: gateway
    spec:
      serviceAccountName: gateway
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - gateway
                topologyKey: kubernetes.io/hostname
      containers:
        - name: gateway
          image: truthvouch/governance-gateway:latest   # pin a release tag or digest in production
          ports:
            - containerPort: 50052
              name: grpc
            - containerPort: 9090
              name: metrics
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: gateway-secrets
                  key: database-url
            - name: OPENAI_API_KEY
              valueFrom:
                secretKeyRef:
                  name: gateway-secrets
                  key: openai-api-key
          resources:
            requests:
              cpu: 1000m
              memory: 2Gi
            limits:
              cpu: 2000m
              memory: 4Gi
          livenessProbe:
            grpc:
              port: 50052
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            grpc:
              port: 50052
            initialDelaySeconds: 10
            periodSeconds: 5
          volumeMounts:
            - name: config
              mountPath: /app/config
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: gateway-config
```
The `grpc` probe type needs Kubernetes 1.24 or later, which is why it appears in the prerequisites. Note that `DATABASE_URL` is read from a `database-url` key, which the `Create Secrets` step above does not populate; add it to `gateway-secrets` before applying this manifest. Only `OPENAI_API_KEY` is wired in; add `ANTHROPIC_API_KEY` from the `anthropic-api-key` key the same way if the gateway should call Anthropic.
3. Service
```yaml
apiVersion: v1
kind: Service
metadata:
  name: gateway
  namespace: truthvouch
  labels:
    app: gateway   # the ServiceMonitor below selects Services by this label
spec:
  type: ClusterIP
  selector:
    app: gateway
  ports:
    - name: grpc
      port: 50052
      targetPort: 50052
    - name: metrics
      port: 9090
      targetPort: 9090
```
4. Ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gateway
  namespace: truthvouch
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - gateway.yourcompany.local
      secretName: gateway-tls
  rules:
    - host: gateway.yourcompany.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gateway
                port:
                  number: 50052
```
HorizontalPodAutoscaler
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: gateway-hpa
  namespace: truthvouch
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: gateway
  minReplicas: 3
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300
    scaleUp:
      stabilizationWindowSeconds: 0
```
Once the HPA owns the replica count, remove `replicas: 3` from the Deployment manifest: every `kubectl apply` of the Deployment would otherwise reset the count the autoscaler chose.
PodDisruptionBudget
```yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: gateway-pdb
  namespace: truthvouch
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: gateway
```
Monitoring with Prometheus
ServiceMonitor
```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: gateway
  namespace: truthvouch
spec:
  selector:
    matchLabels:
      app: gateway
  endpoints:
    - port: metrics
      interval: 30s
```
This resource requires the Prometheus Operator CRDs. It selects Services (not Pods) by label, so the Service must carry `app: gateway` in its own `metadata.labels`; the pod selector alone does not make it discoverable, and the named `metrics` port must exist on the Service.
PostgreSQL with CloudSQL Proxy
For managed databases (Google Cloud SQL, AWS RDS), run a proxy sidecar so the gateway connects over localhost. The example below uses the Cloud SQL Auth Proxy; merge it into the Deployment above:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gateway
  namespace: truthvouch
spec:
  template:
    spec:
      serviceAccountName: gateway
      containers:
        - name: gateway
          image: truthvouch/governance-gateway:latest
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: gateway-secrets
                  key: database-url   # e.g. postgresql://gateway_user:<password>@127.0.0.1:5432/truthvouch_gateway
        - name: cloud-sql-proxy
          image: gcr.io/cloudsql-docker/cloud-sql-proxy:1.33
          command:
            - "/cloud_sql_proxy"
            - "-instances=project:region:instance=tcp:5432"
          securityContext:
            runAsNonRoot: true
```
Keep the connection string in the secret rather than in a plain `value:` field: anything placed in `env.value` is readable by everyone who can `kubectl get deployment`. With the proxy in the pod, the URL in the secret points at `127.0.0.1:5432`, and the `gateway` ServiceAccount must be able to authenticate to the instance (on GKE, typically through Workload Identity).
```bash
# Check rollout status
kubectl rollout status deployment/gateway -n truthvouch

# View pod logs
kubectl logs -f deployment/gateway -n truthvouch

# Check resource usage (requires metrics-server; fails with a Metrics API error otherwise)
kubectl top pods -n truthvouch

# View events
kubectl get events -n truthvouch --sort-by='.lastTimestamp'
```
Upgrades
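Before running the upgrade below, and again after the initial install, it is worth confirming in one pass that the rollout finished, every desired replica is Ready, the gateway image is pinned rather than floating on `latest`, and `gateway-secrets` carries every key the manifests on this page read. The script below is an added example, not part of the TruthVouch documentation or chart; the namespace, Deployment, container and secret names come from this page, while the `--run` flag, the environment overrides and the required-key list are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the TruthVouch docs or chart: post-install / pre-upgrade checks
# for the gateway Deployment. Namespace, Deployment, container and secret names are the ones
# used on this page; the flag, overrides and required-key list are assumptions.
set -e

NS="${NS:-truthvouch}"
DEPLOY="${DEPLOY:-gateway}"
SECRET="${SECRET:-gateway-secrets}"
# Every key a manifest or values file on this page reads from the secret.
REQUIRED_KEYS="db-password database-url openai-api-key anthropic-api-key"

# missing_keys PRESENT: PRESENT is a space-separated list of the secret's keys; prints the
# required keys that are absent (empty output means the secret is complete).
missing_keys() {
  present=" $1 "
  out=""
  for k in $REQUIRED_KEYS; do
    case "$present" in
      *" $k "*) ;;
      *) out="$out $k" ;;
    esac
  done
  printf '%s' "${out# }"
}

# image_is_pinned IMAGE: succeeds for a digest or an explicit non-latest tag; fails for
# ":latest" or an untagged reference, both of which can change underneath a rollout.
image_is_pinned() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *:latest) return 1 ;;
  esac
  last="${1##*/}"        # drop registry/repository path (a registry may carry :port)
  case "$last" in
    *:*) return 0 ;;
    *) return 1 ;;
  esac
}

# replicas_ready READY DESIRED: succeeds only when every desired replica is Ready.
replicas_ready() {
  [ "$2" -gt 0 ] && [ "$1" -eq "$2" ]
}

main() {
  kubectl rollout status "deployment/$DEPLOY" -n "$NS" --timeout=180s
  desired=$(kubectl get deployment "$DEPLOY" -n "$NS" -o jsonpath='{.spec.replicas}')
  ready=$(kubectl get deployment "$DEPLOY" -n "$NS" -o jsonpath='{.status.readyReplicas}')
  replicas_ready "${ready:-0}" "${desired:-0}" \
    || { echo "error: ${ready:-0}/${desired:-0} replicas ready" >&2; exit 1; }
  image=$(kubectl get deployment "$DEPLOY" -n "$NS" \
    -o jsonpath='{.spec.template.spec.containers[?(@.name=="gateway")].image}')
  image_is_pinned "$image" \
    || echo "warning: image '$image' is not pinned to a tag or digest" >&2
  keys=$(kubectl get secret "$SECRET" -n "$NS" -o go-template='{{range $k, $v := .data}}{{$k}} {{end}}')
  missing=$(missing_keys "$keys")
  [ -z "$missing" ] || { echo "error: $SECRET is missing keys: $missing" >&2; exit 1; }
  echo "ok: $DEPLOY in $NS is healthy"
}

# Only talk to the cluster when asked; without --run the file just defines the checks.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh verify-gateway.sh --run` with `kubectl` pointed at the cluster. A floating tag is reported as a warning rather than a failure because the values file on this page ships with `tag: latest`; a missing secret key is a hard failure because the pods would start with an empty `DATABASE_URL`.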
```bash
# Update Helm chart
helm repo update
helm upgrade truthvouch truthvouch/governance-gateway \
  --namespace truthvouch \
  --values values.yaml

# Monitor rolling update
kubectl rollout status deployment/gateway -n truthvouch
```
Add `--atomic` to `helm upgrade` if you want Helm to roll back automatically when the new pods never become ready; the PodDisruptionBudget and rolling update keep at least two replicas serving during the change.
Troubleshooting
Pods not starting
```bash
# Check pod status
kubectl describe pod gateway-xxxx -n truthvouch

# Check events
kubectl get events -n truthvouch
```
Database connection issues
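One frequent cause with the manifests on this page: the `Create Secrets` step populates `db-password`, but the Deployment reads `DATABASE_URL` from a `database-url` key that nothing has created, so the pod starts with an empty connection string. The script below is an added example, not TruthVouch code: it builds the URL from the components used on this page (with the password percent-encoded, since an `@`, `/`, `:` or `#` in a password otherwise breaks URL parsing), renders a Secret using `stringData`, and pipes it to `kubectl apply` so no value is typed on the command line. The environment-variable names, the `--apply` flag and the defaults are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the TruthVouch docs or chart): create gateway-secrets with every
# key the manifests on this page read, including database-url, which the "Create Secrets"
# step does not produce. Credentials are read from environment variables rather than
# passed as --from-literal arguments, so they stay out of shell history.
set -e

NS="${NS:-truthvouch}"
DB_USER="${DB_USER:-gateway_user}"                               # defaults taken from this page
DB_HOST="${DB_HOST:-postgres.truthvouch.svc.cluster.local}"
DB_PORT="${DB_PORT:-5432}"
DB_NAME="${DB_NAME:-truthvouch_gateway}"

# urlencode STRING: percent-encode everything except RFC 3986 unreserved characters.
# ASCII only; the per-character loop would mis-encode multibyte input.
urlencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}    # first character
    s=${s#?}           # remainder
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# build_database_url USER PASSWORD HOST PORT DBNAME
# A password containing @ / : or # corrupts a raw URL; libpq decodes the %XX form.
build_database_url() {
  printf 'postgresql://%s:%s@%s:%s/%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4" "$5"
}

# yaml_single_quote STRING: single-quoted YAML scalar (only ' needs doubling, \ stays literal).
yaml_single_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# render_secret_manifest: Secret using stringData, so the API server does the base64 encoding.
render_secret_manifest() {
  db_url=$(build_database_url "$DB_USER" "$DB_PASSWORD" "$DB_HOST" "$DB_PORT" "$DB_NAME")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: gateway-secrets
  namespace: $NS
type: Opaque
stringData:
  db-password: $(yaml_single_quote "$DB_PASSWORD")
  database-url: $(yaml_single_quote "$db_url")
  openai-api-key: $(yaml_single_quote "$OPENAI_API_KEY")
  anthropic-api-key: $(yaml_single_quote "$ANTHROPIC_API_KEY")
EOF
}

main() {
  for v in DB_PASSWORD OPENAI_API_KEY ANTHROPIC_API_KEY; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "error: $v is not set" >&2; exit 1; }
  done
  render_secret_manifest | kubectl apply -f -
}

# Only touch the cluster when explicitly asked; otherwise the file just defines the helpers.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Export `DB_PASSWORD`, `OPENAI_API_KEY` and `ANTHROPIC_API_KEY` from your secrets manager (or with `read -rs` at the prompt) rather than typing them inline, then run `sh make-gateway-secret.sh --apply`. Applying over an existing `gateway-secrets` updates it in place, but containers only read `secretKeyRef` values at start, so follow with `kubectl rollout restart deployment/gateway -n truthvouch`.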
```bash
# Verify the secret exists and lists the expected keys (describe shows key names and sizes, not values)
kubectl describe secret gateway-secrets -n truthvouch

# Test database connectivity from inside the namespace; psql prompts for the password,
# so it never appears in shell history or in the pod spec
kubectl run -it postgres-client --image=postgres:16 --rm --restart=Never -n truthvouch -- \
  psql -h postgres.truthvouch.svc.cluster.local -U gateway_user -d truthvouch_gateway -W
```
High latency
```bash
# Check node resources
kubectl top nodes

# Check pod resource limits
kubectl describe deployment gateway -n truthvouch
```
Cost Optimization
Reduce replicas for non-prod
```yaml
# In values.yaml
replicaCount: 1   # Development/staging
autoscaling:
  minReplicas: 1
  maxReplicas: 3
```
If the PodDisruptionBudget shown earlier is also applied in these environments, lower its `minAvailable` with the replica count: a budget of 2 can never be satisfied by one replica and blocks node drains.
Use spot/preemptible instances
```yaml
affinity:
  nodeAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        preference:
          matchExpressions:
            - key: cloud.google.com/gke-preemptible
              operator: In
              values:
                - "true"
```
A preferred node-affinity term takes a `preference` with `matchExpressions`, not a `nodeSelector` block. On GKE the `gke-preemptible` label marks the older preemptible VMs; Spot VMs carry `cloud.google.com/gke-spot` instead. Setting `affinity` in values.yaml replaces the whole key, so keep the `podAntiAffinity` from the values file alongside this `nodeAffinity`, or all replicas may land on one node. Because these nodes can be reclaimed at any time, this belongs with the non-production settings.
See Docker deployment for configuration details.