Aegis Install with Helm
Install Aegis directly from the public Helm OCI chart and standardize production values for public endpoint operation.
Prerequisites
- Helm 3.13+ and Kubernetes 1.28+ access.
- Tenant bootstrap secret prepared in target namespace.
- Public/private endpoint design selected (Ingress or LoadBalancer).
- Control-plane URL and trust chain ready (production default:
https://axis.velikey.com).
# executable example command -v helm command -v kubectl helm version --short kubectl version --client
Quickstart from OCI Registry
# manual-only example
export CHART="oci://ghcr.io/sgreysond/charts/aegis"
export CHART_VERSION="0.1.1"
export NAMESPACE="velikey-aegis"
export RELEASE="velikey-aegis"
helm pull "$CHART" --version "$CHART_VERSION"
kubectl -n "$NAMESPACE" create secret generic "$RELEASE-agent-secret" \
--from-literal=AEGIS_BOOTSTRAP_TOKEN='REDACTED' \
--from-literal=AEGIS_CP_BEARER='REDACTED' \
--dry-run=client -o yaml | kubectl apply -f -
cat > values-prod.yaml <<'YAML'
controlPlane:
enabled: false
agent:
enabled: true
controlPlaneUrl: "https://axis.velikey.com"
secret:
create: false
existingSecretName: "velikey-aegis-agent-secret"
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "512Mi"
YAML
helm upgrade --install "$RELEASE" "$CHART" \
--version "$CHART_VERSION" \
--namespace "$NAMESPACE" \
--create-namespace \
--values values-prod.yaml
Production Values Baseline
- Pin image digests for control plane and agent in production.
- Set requests/limits and enforce PDB/autoscaling where needed.
- Define TLS secrets via cert-manager or pre-provisioned certificates.
- Keep endpoint/TLS policy explicit and environment-specific.
# illustrative example
cat > values-public-endpoint.yaml <<'YAML'
ingress:
enabled: true
className: "nginx"
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
hosts:
- host: "edge.example.com"
paths:
- path: /
pathType: Prefix
tls:
enabled: true
secretName: "edge-example-tls"
agent:
tls:
enabled: true
secretName: "aegis-agent-tls"
YAML
Change Management: Canary and Rollback
Use one release per environment. Canary changes by applying a canary values file to a dedicated namespace, then promote.
# manual-only example # Canary namespace release helm upgrade --install "$RELEASE-canary" "$CHART" \ --version "$CHART_VERSION" \ --namespace "$NAMESPACE-canary" \ --create-namespace \ --values values-prod.yaml \ --values values-canary.yaml kubectl -n "$NAMESPACE-canary" rollout status ds/"$RELEASE-canary-agent" --timeout=300s # Roll back primary release if needed helm -n "$NAMESPACE" rollback "$RELEASE" 1 kubectl -n "$NAMESPACE" rollout status ds/"$RELEASE-agent" --timeout=300s
Troubleshooting Matrix
- Secret mismatch:
AEGIS_BOOTSTRAP_TOKENorAEGIS_CP_BEARERmissing in existing secret. - TLS trust failure: invalid CA bundle mounted for
agent.controlPlaneCa. - Enrollment failures: control-plane URL unreachable from node network path.
- Readiness failures: cert/key path mismatch when
agent.tls.enabled=true.
# manual-only example kubectl -n "$NAMESPACE" get pods -l app.kubernetes.io/component=agent kubectl -n "$NAMESPACE" logs daemonset/"$RELEASE-agent" --tail=200 kubectl -n "$NAMESPACE" get secret "$RELEASE-agent-secret" -o yaml kubectl -n "$NAMESPACE" describe daemonset "$RELEASE-agent"
Validation Checks (Last Step)
# executable example helm show values oci://ghcr.io/sgreysond/charts/aegis --version 0.1.1 | head -n 40 helm template dryrun-aegis oci://ghcr.io/sgreysond/charts/aegis \ --version 0.1.1 \ --set controlPlane.enabled=false \ --set agent.enabled=true \ --set agent.controlPlaneUrl=https://axis.velikey.com \ | sed -n '1,12p'
Navigate Docs
Docs Index • Aegis Install on Kubernetes • Aegis Install with Terraform • Public Endpoints