Ingress

By default, the OpenShell gateway is only reachable inside the cluster. To let CLI clients connect without a kubectl port-forward, expose the gateway through an ingress.

OpenShell uses the Kubernetes Gateway API for ingress. The chart creates a GRPCRoute that routes inbound gRPC traffic to the gateway pod. You need a Gateway API implementation installed on your cluster to fulfill the GRPCRoute. This page uses Envoy Gateway, which the chart is tested with.

Install Envoy Gateway

Envoy Gateway installs the Gateway API CRDs and registers the eg GatewayClass:

$
helm install eg \
>
  oci://docker.io/envoyproxy/gateway-helm \
>
  --version v1.7.2 \
>
  --namespace envoy-gateway-system \
>
  --create-namespace \
>
  --wait

Verify the GatewayClass is accepted:

$
kubectl get gatewayclass eg

The ACCEPTED column should show True.

Install OpenShell with Gateway API enabled

Enable the GRPCRoute and let the chart create a Gateway resource in the openshell namespace:

$
helm upgrade --install openshell \
>
  oci://ghcr.io/nvidia/openshell/helm-chart \
>
  --version <version> \
>
  --namespace openshell \
>
  --set grpcRoute.enabled=true \
>
  --set grpcRoute.gateway.create=true \
>
  --set grpcRoute.gateway.className=eg

Get the external address

After the Gateway is provisioned, Envoy Gateway creates a LoadBalancer service in the openshell namespace. Wait for it to get an external address:

$
kubectl -n openshell get svc -l gateway.envoyproxy.io/owning-gateway-name=openshell

After the EXTERNAL-IP is assigned, register the gateway with the CLI:

$
openshell gateway add http://<external-ip> --name production
$
openshell status

SSH Relay

Sandbox SSH uses the gateway endpoint registered with the CLI. No separate Helm SSH host or port values are required.

Next Steps

Return to Setup to complete the installation.