Pre-built images are available from GitHub Container Registry:
docker pull ghcr.io/tight-line/gatekeeperd:latest
docker pull ghcr.io/tight-line/gatekeeper-relay:latest

Run the server with your configuration:
docker run -p 8080:8080 -p 9090:9090 \
  -v /path/to/config.yaml:/etc/gatekeeper/config.yaml \
  ghcr.io/tight-line/gatekeeperd:latest -listen :8080

Run the relay client:
docker run \
  -v /path/to/relay-config.yaml:/etc/gatekeeper/relay.yaml \
  ghcr.io/tight-line/gatekeeper-relay:latest -config /etc/gatekeeper/relay.yaml

Add the Helm repository:
helm repo add gatekeeper https://tight-line.github.io/gatekeeper
helm repo update

Install the server:
helm install gatekeeperd gatekeeper/gatekeeperd -f your-values.yaml

Install the relay client (in your private network):
helm install gatekeeper-relay gatekeeper/gatekeeper-relay -f your-relay-values.yaml

See the chart values files for all configuration options:
- charts/gatekeeperd/values.yaml
- charts/gatekeeper-relay/values.yaml

Requirements:
- Go 1.25 or later

Build both binaries:
git clone https://github.com/tight-line/gatekeeper.git
cd gatekeeper
make build-all

This produces:
- bin/gatekeeperd - the webhook proxy server
- bin/gatekeeper-relay - the relay client for private networks

Run the server:
./bin/gatekeeperd -config /path/to/config.yaml -listen :8080

Run the relay client:
./bin/gatekeeper-relay -config /path/to/relay-config.yaml

Apply the kustomize manifests:
kubectl apply -k k8s/

This creates:
- ConfigMap for configuration
- Secret for sensitive values (you must populate this)
- Deployment for gatekeeperd
- Service exposing ports 8080 (HTTP) and 9090 (metrics)
- PersistentVolumeClaim for ACME certificate cache (if using built-in TLS)

Edit k8s/configmap.yaml with your route configuration before applying.