Warpgate

Warpgate is the lightweight sidecar agent that connects your workload to Mezusphere. It implements the inverted ingress model: instead of opening inbound ports and configuring firewalls, Warpgate connects outward to Mezusphere’s global edge.

How it works

Warpgate starts alongside your workload
It initiates an outbound TLS 1.3 connection to Mezusphere’s global edge
It authenticates using a service account API key
Mezusphere forwards end-user traffic through this established tunnel
Warpgate passes the traffic to your workload on localhost

Your workload never accepts inbound connections from the internet. There are no open ports, no firewall rules, and no public IP addresses required.

Deployment options

Docker

Run Warpgate as a container alongside your application:

docker run mezusphere/warpgate \
  --token YOUR_WARPGATE_TOKEN \
  --upstream localhost:8080

Or add it to your docker-compose.yml:

services:
  app:
    image: your-app:latest
    ports:
      - "8080:8080"

  warpgate:
    image: mezusphere/warpgate
    command: ["--token", "YOUR_WARPGATE_TOKEN", "--upstream", "app:8080"]
    depends_on:
      - app

Standalone binary

Download the Warpgate binary for your platform and run it directly:

# Download
curl -fsSL https://get.mezusphere.com/warpgate | sh

# Run as a foreground process
warpgate --token YOUR_WARPGATE_TOKEN --upstream localhost:8080

# Or run as a systemd service
sudo warpgate install --token YOUR_WARPGATE_TOKEN --upstream localhost:8080
sudo systemctl start warpgate

Supported platforms: Linux (amd64, arm64), macOS (amd64, arm64), Windows (amd64).

Kubernetes

Deploy Warpgate as a sidecar container in your pod:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-service
spec:
  template:
    spec:
      containers:
        - name: app
          image: your-app:latest
          ports:
            - containerPort: 8080
        - name: warpgate
          image: mezusphere/warpgate
          args:
            - "--token"
            - "YOUR_WARPGATE_TOKEN"
            - "--upstream"
            - "localhost:8080"

Works with any Kubernetes distribution: EKS, GKE, AKS, k3s, or self-managed clusters.

Configuration

Command-line flags

Flag	Description	Default
`--token`	Service account API key for authentication	Required
`--upstream`	Address of your workload	`localhost:8080`
`--log-level`	Logging verbosity (debug, info, warn, error)	`info`

Environment variables

All flags can also be set via environment variables with the WARPGATE_ prefix:

Variable	Equivalent flag
`WARPGATE_TOKEN`	`--token`
`WARPGATE_UPSTREAM`	`--upstream`
`WARPGATE_LOG_LEVEL`	`--log-level`

Connectivity

Outbound connection

Warpgate establishes a persistent outbound connection to Mezusphere’s global edge using TLS 1.3 with mutual authentication (mTLS). The connection is:

Encrypted: TLS 1.3, no downgrade
Authenticated: mutual TLS with service account credentials
Persistent: maintained for the lifetime of the Warpgate process
Reconnecting: automatic reconnection with backoff on network interruption

Network requirements

Warpgate requires only outbound HTTPS connectivity. No inbound ports, no firewall rules, no VPN configuration needed.

Direction	Port	Protocol	Purpose
Outbound	443	TLS 1.3	Connection to Mezusphere edge

Cloud-agnostic

Warpgate works identically regardless of where your workload runs:

AWS (EC2, ECS, EKS, Lambda)
Google Cloud (GCE, GKE, Cloud Run)
Azure (VMs, AKS, Container Instances)
On-premises data centers
Local development machines
Edge devices (Raspberry Pi, IoT)

The deployment pattern is always the same: run Warpgate alongside your workload, provide a token, point it at your upstream.

Resource usage

Warpgate is designed to be lightweight:

Single static binary
Minimal memory footprint
Negligible CPU overhead
No disk I/O beyond logging

It is not a proxy, not a service mesh control plane, and not an agent that phones home with telemetry.