# Deployment

Local development with compose.yml, Kubernetes deployment with GPU scheduling, and multi-environment configuration.
## Local Development

The full stack runs locally via compose.yml:

```bash
git clone https://github.com/securegate-ai/api.git
cd api/deploy
docker compose up
```

### Services Started
| Service | Port | GPU | Description |
|---|---|---|---|
| api-gateway | 8080 | No | Go API gateway (hanzo/base) |
| ingest-service | 8002 | Yes | Face + weapon detection |
| embed-service | 8001 | Yes | ArcFace embeddings + vector search |
| enhance-service | 8003 | Yes | CodeFormer + RealESRGAN |
| minio | 9000 | No | S3-compatible object storage |
| redis | 6379 | No | Enhance job queue |
GPU services require NVIDIA Container Toolkit. Without a GPU, services fall back to CPU inference (slower but functional).
### compose.yml Structure

```yaml
services:
  api-gateway:
    image: ghcr.io/securegate-ai/api-gateway:dev
    ports: ["8080:8080"]
    environment:
      - INGEST_URL=http://ingest-service:8002
      - EMBED_URL=http://embed-service:8001
      - ENHANCE_URL=http://enhance-service:8003

  ingest-service:
    image: ghcr.io/securegate-ai/ingest-service:dev
    ports: ["8002:8002"]
    deploy:
      resources:
        reservations:
          devices:
            - capabilities: [gpu]

  embed-service:
    image: ghcr.io/securegate-ai/embed-service:dev
    ports: ["8001:8001"]
    deploy:
      resources:
        reservations:
          devices:
            - capabilities: [gpu]

  enhance-service:
    image: ghcr.io/securegate-ai/enhance-service:dev
    ports: ["8003:8003"]
    deploy:
      resources:
        reservations:
          devices:
            - capabilities: [gpu]

  minio:
    image: minio/minio:latest
    ports: ["9000:9000", "9001:9001"]
    command: server /data --console-address ":9001"

  redis:
    image: redis:7-alpine
    ports: ["6379:6379"]
```

## Kubernetes Deployment
Production deployments use K8s manifests with Kustomize (not Helm).
### Directory Structure

```
deploy/k8s/
+-- base/
|   +-- kustomization.yaml
|   +-- api-gateway.yaml
|   +-- ingest-service.yaml
|   +-- embed-service.yaml
|   +-- enhance-service.yaml
+-- overlays/
    +-- dev/
    |   +-- kustomization.yaml
    +-- test/
    |   +-- kustomization.yaml
    +-- main/
        +-- kustomization.yaml
```

### Deploy
```bash
cd deploy/k8s/overlays/dev
kubectl kustomize . | kubectl apply -f -
```

### GPU Scheduling
GPU services request NVIDIA GPUs via K8s resource requests and limits:
```yaml
resources:
  requests:
    cpu: "2"
    memory: "8Gi"
    nvidia.com/gpu: "1"
  limits:
    cpu: "4"
    memory: "16Gi"
    nvidia.com/gpu: "1"
```

The cluster must have the NVIDIA device plugin installed (k8s-device-plugin). GPU nodes are labeled with `nvidia.com/gpu.present=true` and tainted so only GPU workloads schedule on them.
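The resource block above is only part of what a pod needs to land on a tainted GPU pool: it also needs a node selector for the label the page mentions and a toleration for the taint, or it stays `Pending`. The following Deployment for ingest-service is an added example, not a manifest from the securegate-ai repository. It assumes the taint key is `nvidia.com/gpu` with effect `NoSchedule` (the key must match whatever the node pool was actually tainted with), and it adds a `startupProbe` on top of the liveness/readiness probes described further down, because a service that loads detection models at boot usually takes longer than the 10-second liveness delay allows.

```yaml
# Added example, not from the securegate-ai repo. Assumed: taint key
# "nvidia.com/gpu" (effect NoSchedule) on the GPU node pool.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingest-service
  labels:
    app: ingest-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingest-service
  template:
    metadata:
      labels:
        app: ingest-service
    spec:
      # Restrict scheduling to nodes carrying the GPU label from the page.
      nodeSelector:
        nvidia.com/gpu.present: "true"
      # Required to be admitted onto a tainted GPU pool; without this the
      # scheduler reports "untolerated taint" and the pod never starts.
      tolerations:
        - key: nvidia.com/gpu        # assumed taint key
          operator: Exists
          effect: NoSchedule
      containers:
        - name: ingest-service
          image: ghcr.io/securegate-ai/ingest-service:dev
          ports:
            - containerPort: 8002
          resources:
            requests:
              cpu: "2"
              memory: "8Gi"
              nvidia.com/gpu: "1"
            limits:
              cpu: "4"
              memory: "16Gi"
              nvidia.com/gpu: "1"
          # Gives model loading up to 30 * 10 s before liveness kicks in,
          # so a slow cold start is not mistaken for a hung process.
          startupProbe:
            httpGet:
              path: /health
              port: 8002
            periodSeconds: 10
            failureThreshold: 30
          livenessProbe:
            httpGet:
              path: /health
              port: 8002
            initialDelaySeconds: 10
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /health
              port: 8002
            initialDelaySeconds: 5
            periodSeconds: 10
```

Requests and limits for `nvidia.com/gpu` are set to the same value on purpose: GPUs are not overcommittable, and the device plugin rejects a pod whose request and limit differ. If a pod sits in `Pending`, `kubectl describe pod` will show whether the blocker is the taint, the label, or the absence of an allocatable `nvidia.com/gpu` on any node.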
### Health Checks

All services expose health endpoints for K8s probes:

```yaml
livenessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 10
  periodSeconds: 30
readinessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 10
```

## Environments
| Environment | Domain | GCP Project | K8s Context |
|---|---|---|---|
| Dev | securegate.dev.satschel.com | securegate-devnet | gke_securegate-devnet_us-central1_dev |
| Test | securegate.test.satschel.com | securegate-testnet | gke_securegate-testnet_us-central1_test |
| Prod | securegate.satschel.com | securegate-mainnet | gke_securegate-mainnet_us-central1_main |
## Ingress

Traffic routes through Hanzo Ingress (shared with other services on the same cluster). Hostname-based routing resolves the correct backend:

```
securegate.dev.satschel.com  -> api-gateway (dev namespace)
securegate.test.satschel.com -> api-gateway (test namespace)
securegate.satschel.com      -> api-gateway (prod namespace)
```

TLS is terminated at the ingress layer. Custom domains for white-label tenants use SNI-based routing.
## CI/CD

Images are built via CI/CD on push to a branch. Images are never built locally.

| Branch | Image Tag | Environment |
|---|---|---|
| dev | ghcr.io/securegate-ai/*:dev | securegate-devnet |
| test | ghcr.io/securegate-ai/*:test | securegate-testnet |
| main | ghcr.io/securegate-ai/*:main | securegate-mainnet |

All images are built with `--platform linux/amd64` for GKE node compatibility.
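Because every branch produces the same image names with a different tag, an overlay only needs to change the namespace and retag the images; everything else comes from `base/`. The following `overlays/dev/kustomization.yaml` is an added example of that pattern, not the repository's actual file. It assumes the dev namespace is literally named `dev` (matching the routing table in the Ingress section) and that `base/` references the images by name without pinning a tag the overlay would have to override.

```yaml
# Added example of deploy/k8s/overlays/dev/kustomization.yaml (not the
# project's own file). Assumed: namespace "dev", base manifests under ../../base.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# All three overlays share the manifests in base/.
resources:
  - ../../base

# Puts every rendered object into the environment's namespace; the Ingress
# routes securegate.dev.satschel.com to api-gateway in this namespace.
namespace: dev

# Pin each image to the CI tag for this branch. The test overlay uses
# newTag: test and the main overlay newTag: main; nothing else differs,
# which is why no image is ever built or tagged by hand.
images:
  - name: ghcr.io/securegate-ai/api-gateway
    newTag: dev
  - name: ghcr.io/securegate-ai/ingest-service
    newTag: dev
  - name: ghcr.io/securegate-ai/embed-service
    newTag: dev
  - name: ghcr.io/securegate-ai/enhance-service
    newTag: dev
```

Rendering with `kubectl kustomize .` from the overlay directory (as in the Deploy step) shows the retagged images and namespace before anything is applied, which is the place to confirm a branch is pointed at the cluster context listed in the Environments table and not at a neighbouring one.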
## Secrets

All secrets (API keys, database credentials, model tokens) are stored in Hanzo KMS and synced to K8s via KMSSecret CRDs. Secrets are never hardcoded in manifests, env files, or code.

```yaml
apiVersion: kms.hanzo.ai/v1
kind: KMSSecret
metadata:
  name: securegate-secrets
spec:
  path: securegate/{env}/api
  keys:
    - SENSITY_API_KEY
    - AGORA_APP_ID
    - S3_ACCESS_KEY
    - S3_SECRET_KEY
```
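Two things the KMSSecret resource above leaves implicit are how `{env}` gets resolved per overlay and how a workload reads the synced values without any of them appearing in a manifest. The following pair of YAML documents is an added example, not code from the securegate-ai repository or from Hanzo KMS. It assumes that the KMS operator materializes a plain Kubernetes Secret with the same name as the KMSSecret (`securegate-secrets`) in the same namespace, and that the dev overlay lists the first document under `patches:` in its kustomization.yaml.

```yaml
# Added example (not the project's own manifests). Assumed: the KMS operator
# creates a Secret named "securegate-secrets" in the workload's namespace.
---
# overlays/dev/kmssecret-path.yaml: a Kustomize patch that replaces the
# {env} placeholder with the concrete environment for this overlay. The test
# and main overlays carry the same patch with securegate/test/api and
# securegate/main/api.
apiVersion: kms.hanzo.ai/v1
kind: KMSSecret
metadata:
  name: securegate-secrets
spec:
  path: securegate/dev/api
---
# A Deployment that consumes the synced Secret. Only references appear here;
# the values live in Hanzo KMS and are injected by the kubelet at pod start.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-gateway
spec:
  selector:
    matchLabels:
      app: api-gateway
  template:
    metadata:
      labels:
        app: api-gateway
    spec:
      containers:
        - name: api-gateway
          image: ghcr.io/securegate-ai/api-gateway:dev
          env:
            # Map keys one at a time (rather than envFrom) so each container
            # receives only the secrets it actually uses.
            - name: SENSITY_API_KEY
              valueFrom:
                secretKeyRef:
                  name: securegate-secrets
                  key: SENSITY_API_KEY
            - name: AGORA_APP_ID
              valueFrom:
                secretKeyRef:
                  name: securegate-secrets
                  key: AGORA_APP_ID
```

Because the patch only touches `spec.path`, the `keys` list stays defined once in `base/` and cannot drift between environments. If the operator has not yet synced the Secret when the pod is created, the container fails with `CreateContainerConfigError` and a message naming the missing Secret, which is the expected signal that the KMS path or namespace in the overlay is wrong rather than a reason to fall back to an env file.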