`select * from cloud;` — now running in your cluster.
Steampipe is the zero-ETL way to query APIs and services with SQL. This Helm chart deploys Steampipe on Kubernetes as a persistent service, exposing a PostgreSQL-compatible endpoint — available to every workload in your cluster, all the time.
| Benefit | Description |
|---|---|
| 🔄 Always-on | Persistent service mode — no cold start, always ready to query |
| 🌐 Cluster-wide access | Any pod can connect to the built-in PostgreSQL endpoint |
| 🔐 Enterprise auth | Optional OAuth2 Proxy integration (OIDC, Google, GitHub, Keycloak…) |
| ☁️ Multi-cloud at once | Query AWS, GCP, Azure, Kubernetes — all from a single endpoint |
| 🔌 BI tool friendly | Connect Grafana, Metabase, or any PostgreSQL client directly |
```
┌─────────────────────────────────────────────────────────────┐
│                     Kubernetes Cluster                      │
│                                                             │
│  ┌──────────────────────────────────────────────────────┐   │
│  │                    Steampipe Pod                     │   │
│  │                                                      │   │
│  │ ┌────────────────┐  ┌──────────────────────────────┐ │   │
│  │ │ initContainer  │  │ steampipe container          │ │   │
│  │ │                │  │                              │ │   │
│  │ │ plugin install │  │ :9193 PostgreSQL endpoint    │ │   │
│  │ └────────────────┘  └──────────────────────────────┘ │   │
│  └──────────────────────────────────────────────────────┘   │
│                              │                              │
│  ┌───────────┐               │ postgres://                  │
│  │  Service  │               │                              │
│  │ ClusterIP │◀──────────────┘                              │
│  │   :9193   │                                              │
│  └─────┬─────┘                                              │
│        │                                                    │
│        ├──────────────▶ Grafana / psql / BI tools           │
│        │                                                    │
│  ┌─────▼────────────────────────────────────────────────┐   │
│  │               Powerpipe Pod (optional)               │   │
│  │                                                      │   │
│  │ ┌────────────────┐  ┌──────────────────────────────┐ │   │
│  │ │ initContainer  │  │ powerpipe container          │ │   │
│  │ │                │  │                              │ │   │
│  │ │ mod install    │  │ :9033 HTTP dashboard         │ │   │
│  │ └────────────────┘  └──────────────────────────────┘ │   │
│  └──────────────────────────────────────────────────────┘   │
│                            │                                │
│  ┌───────────┐  ┌──────────▼───┐  ┌───────────────────┐     │
│  │  Service  │  │   Ingress    │  │ oauth2-proxy      │     │
│  │ ClusterIP │  │  (HTTP ✅)   │  │ (optional)        │     │
│  │   :9033   │  │              │  │ OIDC / Google /   │     │
│  └───────────┘  └──────────────┘  │ GitHub / Keycloak │     │
│                                   └───────────────────┘     │
└─────────────────────────────────────────────────────────────┘
```
- Kubernetes 1.21+
- Helm 3.9+
```bash
helm repo add helm-steampipe https://devops-ia.github.io/helm-steampipe
helm repo update
helm install steampipe helm-steampipe/steampipe
```

```bash
helm install steampipe helm-steampipe/steampipe \
  --set initContainer.plugins[0]=aws \
  --set initContainer.plugins[1]=kubernetes
```

```bash
helm install steampipe helm-steampipe/steampipe \
  --set ingress.enabled=true \
  --set ingress.hosts[0].host=steampipe.example.com \
  --set "ingress.hosts[0].paths[0].path=/" \
  --set oauth2Proxy.enabled=true \
  --set initContainer.plugins[0]=aws \
  --set initContainer.plugins[1]=kubernetes
```

```yaml
# values-aws.yaml
initContainer:
  plugins:
    - aws
extraConfig:
  secrets:
    enabled: true
    config:
      - name: aws-credentials
        type: Opaque
        data:
          aws.spc: |
            connection "aws" {
              plugin = "aws"
              regions = ["us-east-1", "eu-west-1"]
            }
extraVolumeMount:
  - name: aws-credentials
    mountPath: /home/steampipe/.steampipe/config/aws.spc
    subPath: aws.spc
    readOnly: true
extraVolumes:
  - name: aws-credentials
    secret:
      secretName: aws-credentials
```

```bash
helm install steampipe helm-steampipe/steampipe -f values-aws.yaml
```

Then connect from any pod in your cluster:

```bash
psql -h steampipe -p 9193 -U steampipe steampipe
steampipe=> select instance_id, instance_type, region from aws_ec2_instance limit 10;
```

```yaml
# values-k8s.yaml
initContainer:
  plugins:
    - kubernetes
serviceAccount:
  create: true
  annotations:
    # For GKE Workload Identity, add: iam.gke.io/gcp-service-account: ...
```

```bash
helm install steampipe helm-steampipe/steampipe -f values-k8s.yaml
```

```sql
-- How many pods are running per namespace?
select namespace, count(*) as pod_count
from kubernetes_pod
where phase = 'Running'
group by namespace
order by pod_count desc;
```

```yaml
# values-multicloud.yaml
initContainer:
  plugins:
    - aws
    - gcp
    - azure
extraConfig:
  secrets:
    enabled: true
    config:
      - name: cloud-connections
        type: Opaque
        data:
          aws.spc: |
            connection "aws" {
              plugin = "aws"
              regions = ["*"]
            }
          gcp.spc: |
            connection "gcp" {
              plugin = "gcp"
            }
          azure.spc: |
            connection "azure" {
              plugin = "azure"
            }
extraVolumeMount:
  - name: cloud-connections
    mountPath: /home/steampipe/.steampipe/config/aws.spc
    subPath: aws.spc
    readOnly: true
  - name: cloud-connections
    mountPath: /home/steampipe/.steampipe/config/gcp.spc
    subPath: gcp.spc
    readOnly: true
  - name: cloud-connections
    mountPath: /home/steampipe/.steampipe/config/azure.spc
    subPath: azure.spc
    readOnly: true
extraVolumes:
  - name: cloud-connections
    secret:
      secretName: cloud-connections
```

Steampipe exposes a PostgreSQL-compatible endpoint on port 9193. Connect any BI tool that supports PostgreSQL:
| Tool | Connection string |
|---|---|
| Grafana | Host: steampipe:9193, Database: steampipe, User: steampipe |
| Metabase | PostgreSQL connection → steampipe:9193 |
| DBeaver | PostgreSQL driver → jdbc:postgresql://steampipe:9193/steampipe |
| psql | psql -h steampipe -p 9193 -U steampipe steampipe |
Enable the PostgreSQL service in your values:
```yaml
bbdd:
  enabled: true
  port: 9193
  listen: network
```

Steampipe v2 has no built-in authentication. Use oauth2-proxy to add OIDC/OAuth2 authentication in front of it. See the oauth2-proxy provider docs for all supported identity providers.

⚠️ Ingress note: Steampipe exposes a PostgreSQL (TCP) endpoint, not HTTP. Standard Kubernetes Ingress (L7) will not proxy PostgreSQL traffic. Use a TCP-capable Ingress controller (e.g., NGINX TCP passthrough, Traefik `IngressRouteTCP`) or a `LoadBalancer` service (`bbdd.serviceType: LoadBalancer`).
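
Because the endpoint on port 9193 is reachable by any pod in the cluster, one way to narrow that exposure is a NetworkPolicy allowlist in front of the Steampipe pod. This is an added example, not part of the chart; the namespaces and pod labels are assumptions to replace with the values from your own release.

```yaml
# Added example: allow only named clients to reach Steampipe's SQL port.
# Assumptions (not taken from the chart): the "steampipe" and "monitoring"
# namespaces and every label below. Check the real labels first with
#   kubectl get pods --show-labels
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: steampipe-sql-allowlist
  namespace: steampipe                      # assumed release namespace
spec:
  # Must match the Steampipe pod only. If the Powerpipe pod carries the same
  # label, add a more specific one, or its dashboard port is blocked as well.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: steampipe     # assumed label
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Powerpipe pod in the same namespace (assumed label).
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: powerpipe
        # Grafana pods in another namespace. namespaceSelector and
        # podSelector in one list item are ANDed together.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: grafana
      ports:
        - protocol: TCP
          port: 9193
```

The policy only takes effect when the cluster's CNI plugin enforces NetworkPolicy; once it does, traffic to the selected pod from any source not listed under `from` is refused.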
```yaml
# values-oauth2.yaml
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: steampipe.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: steampipe-tls
      hosts:
        - steampipe.example.com
oauth2Proxy:
  enabled: true
  config:
    clientID: "YOUR_CLIENT_ID"
    clientSecret: "YOUR_CLIENT_SECRET"
    cookieSecret: "RANDOM_32_BYTE_BASE64"
    configFile: |
      email_domains = [ "yourcompany.com" ]
      provider = "oidc"
      oidc_issuer_url = "https://keycloak.example.com/realms/myrealm"
```

Browse the full plugin catalog at hub.steampipe.io/plugins — 100+ providers available.
| Plugin | Install | Description |
|---|---|---|
| AWS | `aws` | 400+ tables for EC2, S3, IAM, RDS, and more |
| GCP | `gcp` | Compute, Storage, BigQuery, GKE, IAM |
| Azure | `azure` | Virtual Machines, Storage, AKS, Entra ID |
| Kubernetes | `kubernetes` | Pods, Deployments, Services, RBAC |
| GitHub | `github` | Repos, PRs, Issues, Actions, Secrets |
| Terraform | `terraform` | Parse Terraform state and HCL files |
| Datadog | `datadog` | Monitors, dashboards, logs, metrics |
```yaml
initContainer:
  plugins:
    - aws
    - gcp
    - kubernetes
    - github
```

Mods are no longer managed by Steampipe v2. Use Powerpipe to install and run compliance and insights mods.
Powerpipe provides dashboards, benchmarks, and compliance checks on top of Steampipe's SQL engine. This chart can deploy Powerpipe as a separate pod that connects to Steampipe's PostgreSQL endpoint.
```yaml
# values-powerpipe.yaml
initContainer:
  plugins:
    - aws
bbdd:
  enabled: true
  listen: "network"
env:
  - name: STEAMPIPE_DATABASE_PASSWORD
    valueFrom:
      secretKeyRef:
        name: steampipe-password
        key: password
powerpipe:
  enabled: true
  image:
    repository: ghcr.io/turbot/powerpipe
    tag: "latest"
  mods:
    - github.com/turbot/steampipe-mod-aws-compliance
  env:
    - name: STEAMPIPE_DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: steampipe-password
          key: password
  ingress:
    enabled: true
    className: nginx
    hosts:
      - host: powerpipe.example.com
        paths:
          - path: /
            pathType: Prefix
```

```bash
kubectl create secret generic steampipe-password --from-literal=password=your-secure-password
helm install steampipe helm-steampipe/steampipe -f values-powerpipe.yaml
```

Then visit https://powerpipe.example.com to run compliance benchmarks in your browser.
Browse the full catalog at hub.powerpipe.io/mods:
| Mod | Description |
|---|---|
| `steampipe-mod-aws-compliance` | CIS, PCI DSS, HIPAA, SOC 2 for AWS |
| `steampipe-mod-aws-well-architected` | AWS Well-Architected Framework checks |
| `steampipe-mod-kubernetes-compliance` | NSA, CIS benchmarks for Kubernetes |
| `steampipe-mod-azure-compliance` | CIS, HIPAA, NIST for Azure |
| `steampipe-mod-gcp-compliance` | CIS, NIST for Google Cloud |
| `steampipe-mod-terraform-aws-compliance` | Security checks for Terraform AWS configs |
Note: Powerpipe's Ingress is standard HTTP (L7) — it works with any Kubernetes Ingress controller. Unlike Steampipe's PostgreSQL endpoint, no TCP passthrough is needed.
This chart is kept up-to-date automatically:
| Tool | What it updates | Schedule |
|---|---|---|
| updatecli | `appVersion` when Steampipe releases a new version | Daily |
| updatecli | `powerpipe.image.tag` when Powerpipe releases a new version | Daily |
| updatecli | Helm dependency versions — oauth2-proxy (minor) | Weekly |
| updatecli | Helm dependency versions — oauth2-proxy (major) | Monthly |
| Dependabot | GitHub Actions & npm dependencies | Monthly |
For full configuration reference, see the chart README.
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (`git checkout -b feat/my-feature`)
- Commit your changes following Conventional Commits
- Open a Pull Request
See TESTING.md for how to run lint and tests locally.
Found a bug? Open an issue.
Built with ❤️ for the Steampipe community