Skip to content

Service Gateway


Using helm install, you may install the sg-gateway chart with authentication and encryption disabled by default:


  - name: kx-repo-access

Install the gateway chart provided the above values.yml:

helm install sg-gateway kxi-repo/sg-gateway -f values.yml

The gateway will be configured as a ClusterIP type service with port 8080 accepting internal HTTP requests.

The gateway by itself will do nothing without any worker pods to utilize. The Stream Processor workers should be deployed for it do any meaningful work.

However, you may port-forward the gateway and perform a readiness check with curl to /ready:

curl localhost:8080/ready

Helm setup

Add the KX Helm chart repository to your helm install:

helm repo add --username <username> --password <password> \
"kxi-repo" has been added to your repositories

Update your helm repository local chart cache:

helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "kxi-repo" chart repository
Update Complete. ⎈Happy Helming!⎈

Add a secret to your cluster to allow access to the image:

kubectl create secret docker-registry kx-repo-access \
    --docker-username=<username> \
    --docker-password=<password> \


Configuration is done by specifying values in a YAML file.

Global options

Globals are documented under enterprise, as they apply to all of KX microservices


name description default
auth.enabled If true, integrate with Keycloak authorization false
ssl.enabled If true, integrate with cert-manager for tcps:// encryption false
autoscaling.enabled If true, use a horizontal pod auto-scaler false
autoscaling.minReplicas Minimum number of replicas to keep around 1
autoscaling.maxReplicas Maximum number of replicas that can be scaled to 100
autoScaling.targetCPUUtilizationPercentage Threshold CPU utilization percentage for when a replica should be made 80
autoScaling.stabilizationWindowSeconds Window of seconds to wait after threshold is crossed before scaling occurs 300
caIssuer.create If true create a new CA Issuer false Name of the CA Issuer N/A
caIssuer.secretName Name of the secret containing the Certificate and Private key N/A
env Key value pairs of environment variables KXI_SG_NO_RC: "true"
ipcPort Port Number to use for internal q IPC protocol requests 5050
secureIpcPort Port Number to use for external q IPC protocol requests that may use authorization 6050
httpPort Port number to use for HTTP requests 8080
imagePullSecrets Array of name keyed secrets imagePullSecrets: [{ name: kxi-image-secret }]
image.component The name of the image. Unlikely this should be updated! kxi-sg-gw
image.repository The repository to fetch the image from.
image.pullPolicy The image pull policy. One of IfNotPresent or Always IfNotPresent
image.tag The image tag 0.0.0
replicaCount Only used when autoscaling.enabled is false. Sets a constant number of replicas 2
externalService.enabled Used for configuring a LoadBalancer (or other type) that is meant to receive external TCPS requests false
externalService.type One of LoadBalancer, ClusterIP LoadBalancer
externalService.secureIPCPort Must match secureIpcPort 6050
resources.limits.cpu CPU Limit 1000m
resources.limits.memory Memory Limit 4096Mi
resources.requests.cpu Initially requested CPU 250m
resources.requests.memory Initially requested Memory 512Mi

Common and Global values

Common values used by all Kx Helm charts like fullnameOverride, and service are omitted here.


The sg-gateway chart does not require a license to run, unlike most microservices images. A license will be required for the database/worker charts.


The Service Gateway can be configured to work with Keycloak for Authorization of requests via JWT Bearer tokens in the HTTP Authorization header, or as the password of q IPC request.

The chart does not deploy Keycloak and it must be preconfigured.

The Keycloak configuration settings go under the global key and are configured using the same keys as in our enterprise offering.

The name of a realm is required, as well as an URL for the auth/ landing page.

For example:

  enabled: true
    realm: insights

Once this is deployed, access tokens acquired from Keycloak can be provided in the Authorization: header of HTTP requests.

curl -X POST --header "Content-Type: application/json"\
    --header "Accepted: application/json"\
    --header "Authorization: Bearer $TOKEN"\
    --data '{"table":"trace"}'\

Or as the password for a q IPC request, given the username token:

h:hopen `$":tcps://",getenv `TOKEN;
resp:h (`.kxi.getData;enlist[`table]!enlist`trace;`;()!());

For further details on how to configure Keycloak, view the enterprise documentation for Keycloak and Helm.


The global.encryption.enabled may be set to enable end to end encryption for a microservice.

If custom resources for istio have been configured, use the following values:

    enabled: true

If custom resources have not been configured, you will see an error indicating you need them:

Encryption may not be enabled as the required CRDs are not installed - ""

SSL for q IPC

We recommend using istio to proxy requests to the Service Gateway and terminate SSL before it reaches the pod, using encryption.enabled: true over using this option as it will cover both q IPC and http protocols.

However, sg-gateway can be configured to use Java Keystore files for tcps:// requests by setting ssl.enabled: true.

This option requires the Kubernetes cert-manager to configure Keystore files.

The configuration must define an existing CA Issuer and the chart will take care of requesting a Keystore on deployment.

  enabled: true
    name: kxi-certificate
    secretName: kxi-certificate