Documentation

Kubernetes Cloud Connector User Guide

User guide for running the Trusted Signatures container gateway locally with Docker or in Kubernetes, including API usage, health checks, and example manifests.

  • Docker and Kubernetes deployment
  • Simple HTTP `/seal` API
  • Security context example
Kubernetes Connector Overview Publisher Cloud Product Book Demo

Kubernetes proof

Run the sealing gateway with cluster-managed speed, scale, and control

The documented Kubernetes pattern uses a containerized HTTP gateway, replica-based scaling, and cluster security controls so platform teams can run sealing behind their own ingress, service, and operational policies.

Trust & Standards

HTTP

speed path

Applications call a simple `/seal` endpoint over internal HTTP without object-store staging or external orchestration layers.

3

replicas in the example

The documented Kubernetes manifest starts with three replicas behind a Service and Ingress for cluster-managed scaling.

Probe

operational readiness

Liveness and readiness checks on `/health` help the cluster route traffic only to healthy pods.

Hardened

security baseline

The example manifest runs as non-root, disables privilege escalation, and uses a read-only root filesystem.

Container Gateway User Guide

Overview

The Trusted Signatures container gateway provides a simple HTTP API for digitally sealing PDF documents. Deploy it as a Docker container in your infrastructure to integrate PDF sealing capabilities into your applications.

Note: Using this gateway requires a valid Trusted Signatures Container Gateway license. Usage is only permitted under the terms and conditions at https://trusted-signatures.com/terms/

Quick Start

Pull and Run

1
2

docker pull trustedsignatures/container-gateway:latest
docker run -p 8080:8080 trustedsignatures/container-gateway:latest

Test the API

1
2
3
4

# Health check
curl http://localhost:8080/health

# Response: {"status":"ok"}

API Reference

Base URL

When running locally: http://localhost:8080

Endpoints

Health Check

1

GET /health

Response:

1
2
3

{
  "status": "ok"
}

Seal PDF Document

1
2

POST /seal
Content-Type: application/json

Request Body:

1
2
3
4
5
6
7
8

{
  "pdfBuffer": "<base64-encoded-pdf>",
  "apiKey": "<base64-encoded-api-key>",
  "apiKeyId": "your-api-key-id",
  "tsaTimestamp": true,
  "includeLtv": true,
  "limitChanges": "no-changes"
}

Parameters:

  • pdfBuffer (required) - Base64-encoded PDF document
  • apiKey (required) - Hex-encoded API key from Trusted Signatures
  • apiKeyId (required) - Your API key identifier
  • tsaTimestamp (required) - Include timestamp authority signature
  • includeLtv (required) - Include Long Term Validation data
  • limitChanges (optional) - PDF modification restrictions:
    • "no-changes" - No modifications allowed
    • "allow-forms" - Allow form filling
    • "allow-comments" - Allow comments and annotations

Response:

1
2
3

{
  "sealedPdf": "<base64-encoded-sealed-pdf>"
}

Error Responses:

  • 400 - Missing required fields
  • 500 - Sealing operation failed

Deployment Examples

Docker Compose

Create docker-compose.yml:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

version: "3.8"

services:
  pdf-sealer:
    image: trustedsignatures/container-gateway:latest
    ports:
      - "8080:8080"
    restart: unless-stopped
    healthcheck:
      test:
        [
          "CMD",
          "wget",
          "--quiet",
          "--tries=1",
          "--spider",
          "http://localhost:8080/health",
        ]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

  # Optional: Add nginx reverse proxy
  nginx:
    image: nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./ssl:/etc/nginx/ssl:ro
    depends_on:
      - pdf-sealer
    restart: unless-stopped

Run with:

1

docker-compose up -d

Kubernetes Deployment

Create k8s-deployment.yaml:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pdf-sealer-gateway
  labels:
    app: pdf-sealer-gateway
spec:
  replicas: 3
  selector:
    matchLabels:
      app: pdf-sealer-gateway
  template:
    metadata:
      labels:
        app: pdf-sealer-gateway
    spec:
      containers:
        - name: pdf-sealer
          image: trustedsignatures/container-gateway:latest
          ports:
            - containerPort: 8080
          resources:
            requests:
              memory: "256Mi"
              cpu: "250m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true

---
apiVersion: v1
kind: Service
metadata:
  name: pdf-sealer-service
spec:
  selector:
    app: pdf-sealer-gateway
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
  type: ClusterIP

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pdf-sealer-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - host: pdf-sealer.yourdomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: pdf-sealer-service
                port:
                  number: 80

Deploy with:

1

kubectl apply -f k8s-deployment.yaml

Usage Examples

JavaScript/Node.js

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

const fs = require("fs");

async function sealPdf() {
  const pdfBuffer = fs.readFileSync("document.pdf");
  const apiKeyHex = "your-hex-api-key"; // Hex string from Trusted Signatures

  const response = await fetch("http://localhost:8080/seal", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      pdfBuffer: pdfBuffer.toString("base64"),
      apiKey: apiKeyHex,
      apiKeyId: "your-key-id",
      tsaTimestamp: true,
      includeLtv: true,
      limitChanges: "no-changes",
    }),
  });

  const result = await response.json();
  const sealedPdf = Buffer.from(result.sealedPdf, "base64");
  fs.writeFileSync("sealed-document.pdf", sealedPdf);
}

Python

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

import requests
import base64

def seal_pdf():
    with open('document.pdf', 'rb') as f:
        pdf_data = base64.b64encode(f.read()).decode()

    api_key_hex = 'your-hex-api-key'  # Hex string from Trusted Signatures

    response = requests.post('http://localhost:8080/seal', json={
        'pdfBuffer': pdf_data,
        'apiKey': api_key_hex,
        'apiKeyId': 'your-key-id',
        'tsaTimestamp': True,
        'includeLtv': True,
        'limitChanges': 'no-changes'
    })

    result = response.json()
    sealed_pdf = base64.b64decode(result['sealedPdf'])

    with open('sealed-document.pdf', 'wb') as f:
        f.write(sealed_pdf)

cURL

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

# Prepare base64 encoded PDF and hex API key
PDF_B64=$(base64 -i document.pdf)
API_KEY_HEX="your-hex-api-key"

# Seal the PDF
curl -X POST http://localhost:8080/seal \
  -H "Content-Type: application/json" \
  -d "{
    \"pdfBuffer\": \"$PDF_B64\",
    \"apiKey\": \"$API_KEY_HEX\",
    \"apiKeyId\": \"your-key-id\",
    \"tsaTimestamp\": true,
    \"includeLtv\": true,
    \"limitChanges\": \"no-changes\"
  }" | jq -r '.sealedPdf' | base64 -d > sealed-document.pdf

Configuration

Environment Variables

The container doesn’t require environment variables for basic operation. All configuration is handled through the API request parameters.

Resource Requirements

  • Memory: 256MB minimum, 512MB recommended
  • CPU: 0.25 cores minimum, 0.5 cores recommended
  • Storage: Ephemeral only (no persistent storage needed)

Networking

  • Port: 8080 (HTTP)
  • Protocol: HTTP/1.1
  • Outbound: HTTPS to api.trusted-signatures.com (port 443)

Security Considerations

API Security

  • No authentication is built into the container
  • Implement authentication at the reverse proxy/ingress level
  • Consider rate limiting to prevent abuse
  • Use HTTPS in production environments

Network Security

  • Container makes outbound HTTPS calls to Trusted Signatures API
  • Trusted Signatures API does NOT receive the PDF or any of its metadata
  • No inbound network requirements beyond HTTP API
  • Consider network policies in Kubernetes environments

Data Security

  • PDF documents are processed in memory only
  • No data is persisted to disk
  • API keys are handled securely (base64 transport only)

Monitoring and Troubleshooting

Health Monitoring

Use the /health endpoint for:

  • Load balancer health checks
  • Kubernetes liveness/readiness probes
  • Monitoring system checks

Logs

  • Container logs to stdout/stderr
  • Error details included in API responses
  • No sensitive data logged

Common Issues

  • Connection refused: Check container is running and port mapping
  • 400 errors: Verify all required fields are provided
  • 500 errors: Check API key validity and network connectivity

Licensing

This Container Gateway requires a valid Trusted Signatures Container Gateway license for production use. Usage is only permitted under the terms and conditions available at https://trusted-signatures.com/terms/

Contact Trusted Signatures for:

  • License acquisition
  • Pricing information
  • Enterprise support

Support

For technical support or questions about the Trusted Signatures service:

Need architectural review?

Book a technical walkthrough

For enterprise rollout, we can review trust model, controls, and integration patterns with your team.

Book Demo See Pricing