Deploy AuthProxy
The customer-facing deployment package is the AuthProxy Helm chart. The repository also contains Kustomize overlays for the hosted demo and disposable pull-request environments; they are useful examples, but they are not a general production distribution.
Recommended production topology
Section titled “Recommended production topology”flowchart TB
Internet["Users and OAuth providers"] --> Ingress["TLS ingress / load balancer"]
Host["Host application"] --> API["AuthProxy API"]
Ingress --> Public["AuthProxy public service"]
Operators["Operators"] --> Admin["AuthProxy admin API"]
subgraph Cluster["Private compute environment"]
Public
API
Admin
Worker["AuthProxy worker"]
end
Public --> DB[("PostgreSQL")]
API --> DB
Admin --> DB
Worker --> DB
Public --> Redis[("Redis")]
API --> Redis
Worker --> Redis
API --> Blob[("S3-compatible blob storage")]
Cluster --> OTEL["OpenTelemetry collector"]
KMS["KMS / secret provider"] --> Cluster
For a durable installation:
- use PostgreSQL rather than SQLite;
- use an external Redis service for sessions, tasks, OAuth round trips, and rate-limit state;
- use persistent S3-compatible storage if full request or response bodies are recorded;
- terminate TLS at a trusted ingress or load balancer;
- inject JWT, actor, database, Redis, and encryption material through Secrets;
- keep the API and Admin service private unless a documented use case requires public access; and
- export telemetry to an operator-managed collector.
AuthProxy services can run in one process or separately. The chart defaults to
one Deployment running the enabled services. Install separate releases with
different services.*.enabled values when independent scaling or network
boundaries are required.
Choose a deployment path
Section titled “Choose a deployment path”| Path | Use it for | Guide |
|---|---|---|
| Helm OCI chart | Customer, staging, and production Kubernetes installs | Install with Helm |
| Kustomize overlays | The project’s hosted demo and disposable PR demos | Demo Kustomize layouts |
| Container image | Docker, custom schedulers, or a custom Kubernetes package | Container images |
| Project EKS/Terraform stack | Reproducing the maintainers’ AWS demo infrastructure | EKS runbook |
Production decisions
Section titled “Production decisions”Before deployment, decide:
- which service endpoints are internet-facing;
- how host identities become actors and namespace permissions;
- where credentials, JWT keys, and encryption wrapping material live;
- whether request/response bodies are recorded and how long they are retained;
- how schema migrations and application rollouts are coordinated;
- how backups cover PostgreSQL and any blob store;
- which labels are safe to project into telemetry; and
- how key, database, and signing-key rotations are tested.
Continue with the security review checklist and operations overview before calling an environment production-ready.