AI-augmented load balancer with a Go-native control plane, multi-protocol data plane, and first-class observability.
Hecate separates the control plane (configuration, RBAC, automation) from the data plane (listeners, WAF, intelligent routing). It gives operators a Go/htmx Web UI, a fully documented REST API, and automation tooling for everything from ACME certificate management to AI-driven backend selection.
- Multi-protocol VIPs: Terminate or passthrough TCP, UDP, HTTP, and HTTPS listeners with host/SNI/path routing and FQDN filters.
- AI-assisted routing & WAF: EWMA, weighted, AI-hint policies, plus adaptive WAF scoring backed by the observability pipeline.
- Secrets & security: Vault/KMS integration for certificates, OIDC secrets, API token keys; MFA + RBAC-aware UI/API; CSP + auth rate limiting everywhere.
- Operational excellence: Built-in ACME automation, Valkey-backed caches, event-driven hot reloads, and Kubernetes manifests (including NetworkPolicies) ready to use.
- Observability by design: Unified metrics/logs/traces with dashboards, health history, and AI model lifecycle management.
- Prerequisites: PostgreSQL 14+, Valkey/Redis (optional for stickiness caches), Go 1.25, Node 18+ for Playwright tooling.
- Configure: Copy `deployments/k8s/configmap.yaml` as a reference or export the `HECATE_*` environment variables (database DSN, session secret, secrets provider, etc.).
- Set the seed admin password: export `HECATE_ADMIN_SEED_PASSWORD=<your initial admin password>` before the first migration/seed run (you can omit it after the `admin` user exists).
- Run the control plane: `go run ./cmd/hecate-control`
- Run the data plane (in another shell): `go run ./cmd/hecate-data`
- Browse to http://localhost:8080, sign in with the credentials you injected via `HECATE_ADMIN_SEED_PASSWORD`, and begin configuring VIPs, backend groups, and TLS profiles.
- Rootless containers / Podman: `deployments/containers/*` build OCI images that run as UID `65532`, and `deployments/podman/compose.yaml` spins up Postgres, Valkey, and both planes with one command.
- Kubernetes / Helm: Apply the manifests in `deployments/k8s` or install the bundled chart (`deployments/helm/hecate`). NetworkPolicies, CronJobs, and Prometheus integration are included.
- Argo CD / GitOps: Use the ready-made `deployments/argocd/application.yaml` to sync the Helm chart via Argo CD with automated drift detection and CI/CD pipelines.
- OpenShift: Follow the hardened flow in docs/deployment.md for SCC, Route, and registry integration guidance.
The full, environment-agnostic deployment guide (Podman → Kubernetes → OpenShift) lives in docs/deployment.md; it also lists every secret that must be injected at deploy time so nothing sensitive is committed to git.
| Topic | Description |
|---|---|
| Product Overview | Visual tour, architecture summary, core workflows, and links to detailed guides. |
| Architecture | In-depth design (control/data planes, AI, WAF, observability). |
| Deployment Guide | Step-by-step procedures for Podman, Helm/Kubernetes, and OpenShift + image build instructions. |
| Authentication & RBAC | Flows for local auth, MFA, OIDC, and RBAC modelling. |
| Operations, Secrets | ACME automation, API token rotation tooling, secrets guidance. |
| Testing, E2E Guide | Unit/integration plans, Playwright specs, and screenshot automation (docs/screenshots.md). |
| Implementation Status | Checklist of delivered features and outstanding work. |
Hecate ships with a Playwright utility (tests/e2e/screenshots.spec.ts) that captures key UI surfaces. Set HECATE_E2E_CAPTURE_SHOTS=1 and run the spec to regenerate the PNGs in docs/images/. See docs/screenshots.md for details.
- Run unit/integration tests with `go test ./...`.
- Execute the Playwright suite via `npx playwright test` (requires browsers installed via `npx playwright install`).
- Static analysis, linting, and release steps are documented under `docs/testing` and `docs/releases`.
Issues and pull requests are welcome—review the implementation checklist to see current priorities.




