Helm Chart

Deploy the OnePAM Zero Trust Access Gateway on Kubernetes using Helm.

OnePAM Gateway Helm Chart

Deploy and manage OnePAM gateways on Kubernetes clusters with the official Helm chart. Supports session recording, TLS, VPN, and multi-replica deployments.


helm repo add onepam https://onepamcom.github.io/helm-charts
helm install gateway onepam/onepam-gateway

Requirements

  • Kubernetes 1.24+
  • Helm 3.x
  • A registered gateway in your OnePAM instance (Gateway ID and API token)
  • Outbound HTTPS (443) to your OnePAM server

Quick Start

# Add the Helm repository
helm repo add onepam https://onepamcom.github.io/helm-charts
helm repo update

# Install with required values
helm install gateway onepam/onepam-gateway \
  --set gateway.gatewayId="YOUR-GATEWAY-ID" \
  --set gateway.apiUrl="https://onepam.com" \
  --set gateway.apiToken="YOUR-API-TOKEN" \
  --namespace onepam \
  --create-namespace

# Verify the deployment
kubectl -n onepam get pods

Configuration

Key Values

| Value | Default | Description |
|---|---|---|
| gateway.gatewayId | - | Gateway ID from OnePAM (required) |
| gateway.apiUrl | - | OnePAM server URL (required) |
| gateway.apiToken | - | API token for gateway authentication (required) |
| gateway.secretKey | - | Gateway encryption secret key |
| gateway.publicDomain | - | Public FQDN for the gateway |
| gateway.listenAddr | :443 | Listen address |
| gateway.mtls.enabled | true | Enable mTLS |
| gateway.vpn.enabled | false | Enable VPN |
| gateway.vpn.listenPort | 51820 | VPN listen port |
| replicaCount | 1 | Number of gateway replicas |
| image.repository | onepam/gateway | Container image repository |
| image.tag | 0.1.0 | Container image tag |
| existingSecret | - | Use an existing Kubernetes secret instead of chart-managed one |
| persistence.enabled | true | Enable persistent storage |
| persistence.size | 10Gi | PVC size |
| service.type | LoadBalancer | Kubernetes service type |
| service.port | 443 | Service port |
| service.mtlsPort | 9443 | mTLS port |
| service.vpnPort | 51820 | VPN port |
| service.annotations | {} | Service annotations for cloud load balancer configuration |

S3 Session Recording

| Value | Default | Description |
|---|---|---|
| gateway.s3.bucket | - | S3 bucket for session recordings |
| gateway.s3.region | - | S3 bucket region |
| gateway.s3.endpoint | - | Custom S3 endpoint URL (for S3-compatible stores) |
| gateway.s3.pathStyle | false | Use path-style S3 requests |
| gateway.s3.prefix | - | Key prefix for stored recordings |
| gateway.s3.accessKey | - | S3 access key |
| gateway.s3.secretKey | - | S3 secret key |

TLS / ACME

| Value | Default | Description |
|---|---|---|
| gateway.acme.enabled | false | Enable Let's Encrypt TLS |
| gateway.acme.email | - | ACME registration email |

The ACME certificate domain is set via gateway.publicDomain in the Key Values table above.

Security

The Helm chart applies pod-level hardening by default to follow Kubernetes security best practices:

| Setting | Value | Description |
|---|---|---|
| seccompProfile | RuntimeDefault | Restricts syscalls to the container runtime default set |
| runAsNonRoot | true | Prevents the container from running as root |
| readOnlyRootFilesystem | true | Mounts the container root filesystem as read-only |
| automountServiceAccountToken | false | Disables automatic mounting of the service account token |
| capabilities.drop | ["ALL"] | Drops all Linux capabilities |
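
One way to confirm that running gateway pods still carry the five settings in the table above, for example after overriding chart values. This is an added example, not part of the OnePAM chart; the sample pod list is constructed, and the script expects the output of `kubectl -n onepam get pods -o json` on stdin.

```python
import json
import sys

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"

def audit_pod(pod):
    """Return findings for one Pod object; an empty list means all five settings hold."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # Container-level fields override pod-level ones where both exist.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        checks = {
            "seccompProfile is not RuntimeDefault": seccomp.get("type") == "RuntimeDefault",
            "runAsNonRoot is not true": sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True,
            "readOnlyRootFilesystem is not true": sc.get("readOnlyRootFilesystem") is True,
            "capabilities.drop lacks ALL": "ALL" in (sc.get("capabilities") or {}).get("drop", []),
            # Effective result of automountServiceAccountToken=false: no token volume mounted.
            "service account token is mounted": all(
                m.get("mountPath") != SA_TOKEN_PATH for m in c.get("volumeMounts", [])),
        }
        findings += [f"{c['name']}: {msg}" for msg, ok in checks.items() if not ok]
    return findings

def audit(pod_list):
    """Map pod name -> findings for a `kubectl get pods -o json` document."""
    return {p["metadata"]["name"]: audit_pod(p) for p in pod_list.get("items", [])}

# Constructed sample (not real cluster output): one pod matching the table, one drifted.
_HARDENED = {"name": "gateway", "securityContext": {
    "runAsNonRoot": True, "readOnlyRootFilesystem": True,
    "seccompProfile": {"type": "RuntimeDefault"}, "capabilities": {"drop": ["ALL"]}}}
SAMPLE = {"items": [
    {"metadata": {"name": "gateway-0"},
     "spec": {"automountServiceAccountToken": False, "containers": [_HARDENED]}},
    {"metadata": {"name": "gateway-drifted"},
     "spec": {"securityContext": {"runAsNonRoot": True}, "containers": [{
         "name": "gateway",
         "securityContext": {"readOnlyRootFilesystem": False},
         "volumeMounts": [{"name": "kube-api-access-x", "mountPath": SA_TOKEN_PATH}]}]}},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, findings in audit(data).items():
        print(name, "OK" if not findings else findings)
```

The token check looks at the mounted volume rather than the pod spec field, so it gives the same answer whether automounting was disabled on the pod or on its ServiceAccount.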

Example Values File

values.yaml
replicaCount: 1  # keep at 1 when using RWO persistent volumes

existingSecret: "onepam-gateway-secret"  # use a pre-created K8s secret

gateway:
  gatewayId: "your-gateway-uuid"
  apiUrl: "https://onepam.com"
  apiToken: "your-api-token"
  publicDomain: "gateway.example.com"

  s3:
    bucket: "onepam-recordings"
    region: "us-east-1"

  acme:
    enabled: true
    email: "admin@example.com"

  vpn:
    enabled: false

persistence:
  enabled: true
  size: 10Gi

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 256Mi

# Deploy with values file
helm install gateway onepam/onepam-gateway \
  -f values.yaml \
  --namespace onepam \
  --create-namespace

Chart Management

# Upgrade to a newer chart version
helm repo update
helm upgrade gateway onepam/onepam-gateway -f values.yaml -n onepam

# Check release status
helm status gateway -n onepam

# View release history
helm history gateway -n onepam

# Rollback to a previous revision
helm rollback gateway 1 -n onepam

# Uninstall
helm uninstall gateway -n onepam