Deploy a gateway
Deploy a Sentinel gateway via Docker, CLI, or Helm
The Sentinel gateway is a containerized, lightweight security proxy designed to run closest to your applications.
To register with the SUPERWISE® control plane, a gateway needs a valid SUPERWISE® API Client ID and Secret (how to generate credentials). Every deployment method below requires them.
Architecture lifecycle & states
Once deployed, the gateway continuously communicates with the control plane to report its status and pull configuration updates.
-
Pending → Active: A newly deployed gateway starts in
Pending. Once the control plane receives its first heartbeat, the gateway becomesActive. -
Heartbeats: The gateway sends a heartbeat every 60 seconds. If an
Activegateway misses heartbeats for 10 minutes (10 consecutive), it drops back toPending.
Deployment options
Option 1: Plain Docker
For stand-alone machines, testing, or isolated server instances, you can run Sentinel directly via Docker. Because the underlying image binaries vary, make sure to pick the command corresponding to your target platform hardware architecture (e.g., Linux x86 vs. Apple Silicon).
Docker run
The Sentinel image is published for linux/amd64. The --platform linux/amd64 flag is required on Apple Silicon Macs (M1/M2/M3) and is harmless on native amd64 hosts.
docker run --platform linux/amd64 \
--name sentinel \
-p 8000:8000 \
-e SENTINEL_ID=$SENTINEL_ID \
-e SW_CLIENT_ID=$SW_CLIENT_ID \
-e SW_CLIENT_SECRET=$SW_CLIENT_SECRET \
us-central1-docker.pkg.dev/admina33d6818/sentinel-public/sentinel:latestdocker run --platform linux/amd64 `
--name sentinel `
-p 8000:8000 `
-e SENTINEL_ID=$env:SENTINEL_ID `
-e SW_CLIENT_ID=$env:SW_CLIENT_ID `
-e SW_CLIENT_SECRET=$env:SW_CLIENT_SECRET `
us-central1-docker.pkg.dev/admina33d6818/sentinel-public/sentinel:latestOption 2: The Sentinel CLI (local deployments only)
The sentinel command-line tool provides a simplified developer workflow to provision and toggle local gateways only.
To manage your gateway status, use the native start/stop commands:
sentinel gateway start
sentinel gateway stop
State matching intelligence
- Explicit provisioning: When running
sentinel gateway start(or executing a clean quickstart), you can supply a specific--sentinel-idparameter directly to fetch a designated cloud profile configuration. - Smart fallback: The CLI automatically reads your local state files. If it detects a previously configured profile, it will intelligently prompt or suggest resuming that exact local container configuration instead of creating a new Sentinel.
🛠️ Under the hood: The CLI manages and persists its tracking state, provider configurations, and assigned gateway parameters locally inside a state file located at
~/.config/sentinel/config.json.
Option 3: Helm (production-scale Kubernetes)
For enterprise-grade production environments requiring horizontal scaling, high availability, and native monitoring, SUPERWISE® provides a managed Helm chart. This enables seamless provisioning directly inside your existing Kubernetes clusters.
helm upgrade --install sentinel-customers \
oci://us-central1-docker.pkg.dev/admina33d6818/sentinel-public/sentinel-customers \
--set global.imageRegistry=us-central1-docker.pkg.dev/admina33d6818/sentinel-public \
--set gateway-server.image.repository=sentinel \
--set gateway-server.image.tag=latest \
--set "gateway-server.env[0].name=SENTINEL_ID,gateway-server.env[0].value=$SENTINEL_ID" \
--set "gateway-server.env[1].name=SW_CLIENT_ID,gateway-server.env[1].value=$SW_CLIENT_ID" \
--set "gateway-server.env[2].name=SW_CLIENT_SECRET,gateway-server.env[2].value=$SW_CLIENT_SECRET"Next steps
- Point your applications at the gateway: Connect your applications
- Proxy a self-hosted or alternative model: Custom providers
