Self-Hosted Edition

Your cloud. Your data. Your perimeter.

Install GrandLine inside your own Kubernetes cluster with a single Helm chart. Data never leaves your boundary. Cloud access uses the same agentless, read-only credentials as SaaS.

Four supported deploy patterns

Pick the one that matches your control plane.

AWS / EKS

IRSA gives pods short-lived role credentials. The workload assumes cross-account read-only roles in the target AWS accounts. RDS Postgres, ElastiCache Redis, and S3 for artifacts all stay in your VPC.

Azure / AKS

Workload Identity binds a Kubernetes service account to an Entra federated credential. Cloud reads go through that federated identity. Postgres Flexible Server and Azure Cache for Redis run inside your VNet.

GCP / GKE

Workload Identity maps a K8s SA to a Google service account. WIF covers cross-org reads if you manage multiple organizations. Cloud SQL for Postgres and Memorystore Redis live in your VPC.

Customer-managed Kubernetes

Bring your own Postgres and Redis. Install the Helm chart with values.yaml pointing at in-cluster or external services. We publish signed container images and SBOMs with every release.

Install in minutes

One chart. Reasonable defaults. Override what you need.

helm repo add grandline https://charts.grandline.com

helm install grandline grandline/grandline \
  --namespace grandline --create-namespace \
  --set edition=self-hosted \
  --set postgres.external.url=postgres://... \
  --set redis.external.url=redis://... \
  --set ingress.host=grandline.internal \
  --set tls.secretName=grandline-tls

See Docs for full values reference, air-gapped install notes, HPA and PDB examples, and upgrade procedure.

What stays in your boundary

Everything that matters.

Metadata

Discovered resources, relationships, tags, and configurations, all stored in your Postgres.

Findings

Security findings and remediation state never leave your cluster.

Reports & diagrams

PDFs, DOCX, PNGs, SVGs are rendered by an in-cluster worker and stored in S3-compatible object storage you own.

We publish a hardened container image signed with cosign, an SPDX SBOM per release, and a Trivy scan report. We do not phone home. License keys are validated offline.

Cloud access models per deploy target

The same agentless, read-only story as SaaS, but with credentials issued by your identity provider.

AWS

IRSA in the GrandLine namespace plus cross-account read-only IAM roles in each target account, trusted with an external ID. AWS Organizations onboarding is supported.

Azure

AKS Workload Identity binds to an app registration with a federated credential. The app holds Reader plus a narrow list of data-plane roles (e.g., Storage Blob Data Reader) per subscription or Management Group.

GCP

GKE Workload Identity plus an organization-level service account with roles/viewer and roles/iam.securityReviewer. Cross-org federation via WIF.
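The AWS model above chains two trust relationships: the cluster's OIDC provider lets the GrandLine service account assume a hub role (IRSA), and that hub role assumes a read-only role in each target account, gated by an external ID. The example below is added here and is not GrandLine's code; it builds both trust policies and then lint-checks a target-account trust policy for the two mistakes that most often weaken this pattern (a wildcard or account-root principal, and a missing sts:ExternalId condition, which is the confused-deputy case the external ID exists to prevent). All account IDs, role names, the OIDC provider URL and the external ID are constructed placeholders.

```python
import json

# Constructed placeholders, not values from the GrandLine page.
OIDC_PROVIDER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCID"
HUB_ACCOUNT_ID = "111111111111"
HUB_IRSA_ROLE_ARN = f"arn:aws:iam::{HUB_ACCOUNT_ID}:role/grandline-irsa"
TARGET_ACCOUNT_ID = "222222222222"
EXTERNAL_ID = "REPLACE-WITH-A-RANDOM-EXTERNAL-ID"


def build_irsa_trust_policy(oidc_provider: str, namespace: str, sa_name: str) -> dict:
    """Trust policy for the hub role: only the named Kubernetes service account,
    authenticated through the cluster's OIDC provider, may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{HUB_ACCOUNT_ID}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                f"{oidc_provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def build_target_trust_policy(hub_role_arn: str, external_id: str) -> dict:
    """Trust policy for the read-only role in a target account: only the hub
    IRSA role may assume it, and only when it presents the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": hub_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_issues(policy: dict, expected_principal: str) -> list[str]:
    """Lint a target-account trust policy. Returns a list of findings; empty means OK."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant AssumeRole; not our concern here
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        else:
            aws_principals = principal.get("AWS", [])
            aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
        if any(p == "*" or p.endswith(":root") for p in aws_principals):
            issues.append("principal is a wildcard or an account root; pin it to the hub IRSA role ARN")
        if any(p != expected_principal and p != "*" and not p.endswith(":root") for p in aws_principals):
            issues.append(f"unexpected principal(s) in trust policy: {aws_principals}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            issues.append("missing sts:ExternalId condition (confused-deputy risk)")
    return issues


if __name__ == "__main__":
    print(json.dumps(build_irsa_trust_policy(OIDC_PROVIDER, "grandline", "grandline"), indent=2))
    target = build_target_trust_policy(HUB_IRSA_ROLE_ARN, EXTERNAL_ID)
    print(json.dumps(target, indent=2))
    print("issues:", trust_policy_issues(target, HUB_IRSA_ROLE_ARN))
```

Run trust_policy_issues against the trust policy of every target-account role after onboarding (for example, over the output of `aws iam get-role`); the permissions attached to that role should stay read-only, which is what the page's model assumes.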

Operations

Day-2 ready.

Observability

OpenTelemetry traces, Prometheus metrics, structured JSON logs.

Upgrades

Rolling deployment with HPA and PDB. Zero-downtime migrations via helm upgrade.

Backup

Your Postgres backups. We document PITR expectations and a restore runbook.

Air-gapped

Mirror our registry, bring your own CA bundle, validate the signed bundle offline.

When to choose Self-Hosted

Pick Self-Hosted if

You need full sovereignty over metadata; you run in GovCloud, classified, or tightly regulated regions; or you simply prefer to operate a stack your security team has already approved.

Pick SaaS if

Time to value matters more than owning the stack, you're on one of our supported residency regions, and you want automatic upgrades.
