Installation
Image: repo.roboflow.com/roboflow-edge/secure-gateway
Pulls are public and anonymous — no docker login or API key required. There is no :latest tag (forbidden by design); pin a published build tag such as 0.1.0-70 or an image digest.
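The pinning rule above can be checked before an image reference reaches docker run or Helm. The shell function below is an added example, not code from the gateway's repo; the name classify_image_ref and the localhost:5000 reference are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an image reference as digest-pinned, tag-pinned or
# unpinned. Prints "digest", "tag" or "unpinned"; returns 0 only when pinned.
# A digest identifies exact image content; a tag is a name the registry
# could point at a different build later.
classify_image_ref() {
    ref=$1
    case $ref in
        *@sha256:*)
            digest=${ref##*@sha256:}
            # A sha256 digest is exactly 64 lowercase hex characters.
            if [ "${#digest}" -eq 64 ] &&
               ! printf '%s' "$digest" | grep -q '[^0123456789abcdef]'; then
                echo digest
                return 0
            fi
            echo unpinned
            return 1
            ;;
    esac
    # Only the last path component can carry a tag. A colon earlier in the
    # reference is a registry port (for example host:5000/image).
    last=${ref##*/}
    case $last in
        *:*) tag=${last##*:} ;;
        *)   tag= ;;
    esac
    case $tag in
        ''|latest) echo unpinned; return 1 ;;
        *)         echo tag; return 0 ;;
    esac
}

# Constructed sample references; only the first uses a tag named on this page.
IMAGE=repo.roboflow.com/roboflow-edge/secure-gateway
for ref in "$IMAGE:0.1.0-70" "$IMAGE:latest" "$IMAGE" \
           "localhost:5000/secure-gateway"; do
    printf '%-60s %s\n' "$ref" "$(classify_image_ref "$ref")"
done
```

A deploy script can call the function and stop on a non-zero return before it pulls anything.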
1. Run with the local disk cache (default)
docker run -d \
  --name secure-gateway \
  -p 80:80 \
  -v gateway-cache:/var/cache/secure-gateway \
  repo.roboflow.com/roboflow-edge/secure-gateway:0.1.0-70
2. Or back the cache with S3
Set CACHE_S3_BUCKET and the gateway uses S3 instead of local disk — ideal when the host is ephemeral. Leave the access keys unset to use an instance/IAM role.
docker run -d \
  --name secure-gateway \
  -p 80:80 \
  -e CACHE_S3_BUCKET=my-gateway-cache \
  -e CACHE_S3_REGION=us-east-1 \
  -e CACHE_S3_PREFIX=cache/ \
  -e CACHE_S3_ACCESS_KEY=AKIA... \
  -e CACHE_S3_SECRET_KEY=... \
  repo.roboflow.com/roboflow-edge/secure-gateway:0.1.0-70
3. Verify
docker logs secure-gateway
curl http://localhost/health
# {"status":"healthy"}
A docker-compose.yml is included in the repo for local runs. For production, front the container with a load balancer that terminates TLS (see TLS & Certificates) and point your devices at it with the client installer.
The Helm chart lives in the roboflow-edge repo at secure-gateway/helm and installs from that local path — there is no public chart repository to add. It is an MVP chart: one Deployment, one ConfigMap, one Service (ClusterIP on port 80), and an optional Secret for S3 credentials. The cache is always S3, so pods stay stateless.
1. Pre-create the S3 credential secret
kubectl create secret generic gateway-s3 \
  --from-literal=access-key=AKIA... \
  --from-literal=secret-key=...
You can skip this and rely on IRSA on EKS, GKE Workload Identity, or a node IAM role: leave auth empty and the AWS SDK picks up the pod's credentials.
2. Install the chart
helm install gateway ./secure-gateway/helm \
  --set cache.s3.bucket=my-gateway-cache \
  --set cache.s3.region=us-east-1 \
  --set cache.s3.auth.existingSecret=gateway-s3
3. Or use a values file
replicaCount: 1
service:
  type: ClusterIP
  port: 80
gateway:
  apiUrl: "https://api.roboflow.com"
  repoUrl: "https://repo.roboflow.com"
  extraProxyHosts: ""
cache:
  s3:
    bucket: my-gateway-cache
    region: us-east-1
    prefix: cache/
    endpointUrl: "" # set for MinIO / GCS / R2
    auth:
      existingSecret: gateway-s3
# Anything not surfaced above goes through extraEnv verbatim
extraEnv:
  - name: CACHE_ADMIN_TOKEN
    valueFrom:
      secretKeyRef:
        name: gateway-admin
        key: token
4. Verify
kubectl get pods
kubectl logs -l app.kubernetes.io/name=secure-gateway
The chart deliberately omits Ingress, HPA/PDB, NetworkPolicy, a dedicated ServiceAccount, and in-pod TLS — terminate TLS at an Ingress or LoadBalancer in front of the Service, or extend the chart. For full-stack examples (ALB, ACM certs, IRSA), see Deployment Examples.