Kubernetes Deployment Guide

This guide walks through deploying the AgentSuite-Blue protection stack on a Kubernetes cluster using a Helm chart. It covers integrating the target agent through Virtue Gateway; hook-based integration is simpler and requires fewer Docker images.

Prerequisites

| Requirement | Details |
| --- | --- |
| Kubernetes | A working cluster (v1.25+) with kubectl configured against it |
| Helm | Helm 3.x on the workstation running the install |
| Docker | Used locally to authenticate against the image registry |
| RAM | 16 GB minimum across cluster nodes (32 GB recommended) |
| Disk | ~20 GB of node storage available for image pulls and PVCs |
| NVIDIA GPU node | Required for Action Guard (16 GB+ VRAM). Without a GPU node, disable Action Guard in values-prod.yaml; the rest of the platform will still run. |
| Registry credentials | A GCP service-account key file provided by your Virtue AI representative |

Container Images

All images are hosted in us-docker.pkg.dev/customer-docker-virtueai/<your-tenant>/ and fall into two categories.

Protection Service

Core product images that secure agent tool calls:

| Image | Description |
| --- | --- |
| protection/mcp-gateway | Agent gateway API and MCP endpoint |
| protection/mcp-gateway-worker | Background task worker |
| protection/mcp-gateway-scheduler | Scheduled task runner |
| protection/action-guard | Tool-call safety evaluator |
| protection/action-guard-worker | Action Guard background worker |
| protection/action-guard-scheduler | Action Guard scheduler |
| protection/virtue-auth | Authentication and user management |
| protection/dashboard | VirtueGuard management UI |
| protection/vllm-topicguard | Local LLM server backing Action Guard (requires GPU) |
| protection/postgres | PostgreSQL for gateway and auth databases |
| protection/redis | Redis for the gateway task queue |

Test Suite Sandbox (optional)

Only deployed via the optional demo Helm chart:

| Image | Description |
| --- | --- |
| test-suite/attack-manager | Test orchestrator |
| test-suite/sandbox-api | Sandbox backend APIs |
| test-suite/sandbox-postgres | Jira database |
| test-suite/atlassian-api | Jira API backend |
| test-suite/mailpit | Email server for the Gmail sandbox |
| gitlab/gitlab-ce | GitLab CE instance |

Deployment process

Step 1: Extract the Code Bundle

Your Virtue AI representative will provide a bundle (e.g. agentsuite-k8s.zip) containing the Helm charts and helper scripts.

unzip agentsuite-k8s.zip
cd agentsuite-k8s

Step 2: Authenticate to the Image Registry

Log in to the GCP Artifact Registry using the service-account credentials provided with your bundle:

docker login -u _json_key --password-stdin https://us-docker.pkg.dev < serviceaccount.json

The same serviceaccount.json is reused by the Helm chart to create an imagePullSecret in the target namespace.

For details on the credential format, see the GCP Artifact Access Guide.

Step 3: Configure Deployment Values

Copy the example values file and edit it for your environment:

cp helm-gateway/values-example.yaml helm-gateway/values-prod.yaml

Generate Required Secrets

DB_PASS=$(openssl rand -hex 16)  && echo "DB password : $DB_PASS"
SECRET=$(openssl rand -hex 32) && echo "JWT key : $SECRET"

Open helm-gateway/values-prod.yaml and apply the following changes:

| Field | What to Set |
| --- | --- |
| gateway-db.secretEnv.POSTGRES_PASSWORD | DB_PASS from above |
| mcp-gateway.secretEnv.DATABASE_URL | Replace the password placeholder with DB_PASS |
| virtue-auth.secretEnv.DATABASE_URL | Replace the password placeholder with DB_PASS |
| mcp-gateway.secretEnv.SECRET_KEY | SECRET from above |
| virtue-auth.secretEnv.SECRET_KEY | Same SECRET (must match mcp-gateway) |
| virtue-auth.secretEnv.BOOTSTRAP_ADMIN_PASSWORD | Choose an admin password |

Optional Overrides

| Field | When to Change | Default |
| --- | --- | --- |
| mcp-gateway.ingress.enabled | Set true to expose the gateway via a domain name with an ingress controller (HAProxy, NGINX, Traefik) | false |
| dashboard.ingress.enabled | Same as above, for the dashboard | false |
| mcp-gateway.ingress.className | Your ingress controller name (e.g. nginx, haproxy, traefik) | |
| dashboard.ingress.className | Same as above | |
| gateway-db.enabled | Set false to use your own external PostgreSQL instead of the bundled one | true |
| gateway-db.persistence.size | PoC environments can use 5–10G | 20G |
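
A pre-install consistency check for the secret fields in the tables above, added here as an example and not part of the Helm bundle or Virtue AI's tooling. It confirms that both DATABASE_URL passwords match POSTGRES_PASSWORD (skipped when gateway-db.enabled is false), that SECRET_KEY is identical in both charts, and that no placeholder survived. The postgresql:// URL form, the placeholder markers, the 12-character admin minimum and the nesting implied by the dotted field names are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Assumed placeholder markers; the text in values-example.yaml may differ.
PLACEHOLDER_MARKERS = ("changeme", "change_me", "placeholder", "<")
# Constructed sample: the placeholder was left in one DATABASE_URL.
SAMPLE = {
    "gateway-db": {"secretEnv": {"POSTGRES_PASSWORD": "ab" * 16}},
    "mcp-gateway": {"secretEnv": {"SECRET_KEY": "cd" * 32,
        "DATABASE_URL": "postgresql://gw:" + "ab" * 16 + "@gateway-db:5432/gw"}},
    "virtue-auth": {"secretEnv": {"SECRET_KEY": "cd" * 32,
        "DATABASE_URL": "postgresql://auth:<password>@gateway-db:5432/auth",
        "BOOTSTRAP_ADMIN_PASSWORD": "constructed-admin-pass"}},
}

def _get(values, dotted):
    """Look up a dotted field name from the Step 3 tables."""
    node = values
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def _weak(secret, min_len):
    text = str(secret or "")
    return len(text) < min_len or any(m in text.lower() for m in PLACEHOLDER_MARKERS)

def check_values(values):
    """Return the problems found in the Step 3 secret fields."""
    problems = []
    db_pass = _get(values, "gateway-db.secretEnv.POSTGRES_PASSWORD")
    bundled_db = _get(values, "gateway-db.enabled") is not False  # default: true
    if bundled_db and _weak(db_pass, 32):  # openssl rand -hex 16 gives 32 chars
        problems.append("POSTGRES_PASSWORD unset, short or placeholder")
    for chart in ("mcp-gateway", "virtue-auth"):
        url = str(_get(values, f"{chart}.secretEnv.DATABASE_URL") or "")
        url_pass = unquote(urlsplit(url).password or "")
        if _weak(url_pass, 1):
            problems.append(f"{chart} DATABASE_URL has no real password")
        elif bundled_db and url_pass != str(db_pass):
            problems.append(f"{chart} DATABASE_URL password != POSTGRES_PASSWORD")
    gw_key = _get(values, "mcp-gateway.secretEnv.SECRET_KEY")
    if _weak(gw_key, 64):  # openssl rand -hex 32 gives 64 chars
        problems.append("mcp-gateway SECRET_KEY unset, short or placeholder")
    if gw_key != _get(values, "virtue-auth.secretEnv.SECRET_KEY"):
        problems.append("SECRET_KEY differs between mcp-gateway and virtue-auth")
    admin = _get(values, "virtue-auth.secretEnv.BOOTSTRAP_ADMIN_PASSWORD")
    if _weak(admin, 12) or admin in (db_pass, gw_key):  # 12 is an assumed minimum
        problems.append("BOOTSTRAP_ADMIN_PASSWORD unset, short, placeholder or reused")
    return problems
```

With PyYAML installed, pass it the parsed file, for example `check_values(yaml.safe_load(open("helm-gateway/values-prod.yaml")))`, and proceed to Step 4 only when the returned list is empty.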

Step 4: Deploy the Protection Stack

REGISTRY_KEY_FILE=serviceaccount.json \
VALUE_FILE=helm-gateway/values-prod.yaml \
bash helm-gateway/deploy.sh install

This installs:

  • MCP Gateway
  • Virtue Auth
  • Dashboard
  • PostgreSQL
  • Redis
  • (Optional) Action Guard and vLLM

Verify the deployment:

kubectl get pods -n virtue-gateway
kubectl get svc -n virtue-gateway

All pods should report Running / Ready. The dashboard is exposed on port 23000 by default — either via the ingress you configured or via kubectl port-forward.

Step 5: Deploy the Demo Sandbox (Optional)

For demo or evaluation environments, the bundled sandbox can be installed with a separate Helm chart:

REGISTRY_KEY_FILE=serviceaccount.json bash helm-demo/deploy.sh install

This installs the attack manager, Jira and Gmail sandboxes, Mailpit, and GitLab CE.

⚠️ Only required for demo/test scenarios — do not run this in production.

Step 6: Initialize Local Test Access

If you do not have an ingress configured and want to reach the dashboard locally, run:

bash setup-k8s.sh

The script:

  • Port-forwards the gateway and sandbox services to localhost
  • Initializes the gateway
  • Injects test data into the sandbox (if installed)
  • Prepares the local test environment

Local endpoints once it finishes:

Connecting Your Agent

After the gateway and guard model are running, point your agent at the gateway's MCP endpoint instead of the upstream MCP servers — see the Hook Integration docs for framework-specific examples (Google ADK, OpenAI Agents SDK, Claude Agent SDK, LangChain, Strands, Microsoft 365). The required values (GATEWAY_SERVER_URL, ACCESS_TOKEN) are visible in the dashboard under Gateways → <your gateway>.