Aegis Install with Helm
Install Aegis directly from the public Helm OCI chart and standardize production values for public endpoint operation.
Prerequisites
- Helm 3.13+ and Kubernetes 1.28+ access.
- An Axis account with billing set up so you can generate a tenant-scoped deployment bundle.
- Public/private endpoint design selected (Ingress or LoadBalancer).
- Control-plane URL and trust chain ready (production default: https://axis.velikey.com).
# executable example
command -v helm
command -v kubectl
helm version --short
kubectl version --client
Quickstart from OCI Registry
# manual-only example
export CHART="oci://ghcr.io/sgreysond/charts/aegis"
export CHART_VERSION="0.1.1"
export NAMESPACE="velikey-acme-prod-production"
export RELEASE="acme-prod-production-aegis"
curl -sS -X POST "https://axis.velikey.com/api/agent-install/generate" \
  -H "Content-Type: application/json" \
  -H "Cookie: next-auth.session-token=<SESSION_COOKIE>" \
  --data '{"customerName":"acme-prod","environment":"production","agentIdPrefix":"agent","expiresInDays":7}' \
  > deployment-bundle.json
jq -r '.deploymentBundle.kubernetesSecretManifest' deployment-bundle.json > "$RELEASE-agent-secret.yaml"
jq -r '.deploymentBundle.helmValuesYaml' deployment-bundle.json > values-prod.yaml
kubectl apply -f "$RELEASE-agent-secret.yaml"
helm pull "$CHART" --version "$CHART_VERSION"
helm upgrade --install "$RELEASE" "$CHART" \
  --version "$CHART_VERSION" \
  --namespace "$NAMESPACE" \
  --create-namespace \
  --values values-prod.yaml
Production Values Baseline
- Pin image digests for control plane and agent in production.
- Set requests/limits and enforce PDB/autoscaling where needed.
- Define TLS secrets via cert-manager or pre-provisioned certificates.
- Keep endpoint/TLS policy explicit and environment-specific.
# illustrative example
cat > values-public-endpoint.yaml <<'YAML'
ingress:
  enabled: true
  className: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - host: "edge.example.com"
      paths:
        - path: /
          pathType: Prefix
  tls:
    enabled: true
    secretName: "edge-example-tls"
agent:
  tls:
    enabled: true
    secretName: "aegis-agent-tls"
YAML
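To check the "Pin image digests" item of the baseline against what the chart actually renders, the following added example (not part of the Aegis chart or its documentation) scans rendered manifests for image references that lack a full sha256 digest. The function names are hypothetical, and the registry, image names and digests in the sample are constructed.

```shell
# Added example, not part of the Aegis chart: flag image references in
# rendered manifests that are not pinned to a full sha256 digest.

# Reads Kubernetes YAML on stdin; prints each unpinned image reference once.
unpinned_images() {
  awk -v q="'" '
    /^[ \t]*(-[ \t]+)?image:[ \t]/ {      # image keys only, not imagePullPolicy
      ref = $0
      sub(/^[ \t]*(-[ \t]+)?image:[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)          # strip trailing YAML comment
      gsub("[\"" q "]", "", ref)          # strip quotes around the value
      sub(/[ \t]+$/, "", ref)
      if (ref == "") next
      n = index(ref, "@sha256:")
      digest = (n > 0) ? substr(ref, n + 8) : ""
      # Pinned means exactly 64 lowercase hex characters after "@sha256:".
      if (length(digest) != 64 || digest !~ /^[0-9a-f]+$/)
        if (!(ref in seen)) { seen[ref] = 1; print ref }
    }'
}

# Gate for CI: exit status 0 only when every image is digest-pinned.
require_pinned_images() {
  _unpinned="$(unpinned_images)"
  [ -z "$_unpinned" ] && return 0
  printf '%s\n' "$_unpinned" | sed 's/^/unpinned image: /' >&2
  return 1
}

# Constructed sample of rendered output; registry, names and digests are made up.
sample_manifest() {
  cat <<'YAML'
containers:
  - image: "registry.example.com/aegis/init:1.0"   # tag only
  - name: agent
    image: registry.example.com/aegis/agent@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    imagePullPolicy: IfNotPresent
  - name: sidecar
    image: registry.example.com/aegis/sidecar:2.3@sha256:deadbeef
YAML
}

# Real use (assumes the variables and values file from the quickstart):
#   helm template "$RELEASE" "$CHART" --version "$CHART_VERSION" \
#     --values values-prod.yaml | require_pinned_images
sample_manifest | unpinned_images
```

A tag followed by a truncated digest, as in the sidecar line, is reported as unpinned because only a complete 64-character digest fixes the image content.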
Change Management: Canary and Rollback
Use one release per environment. Canary a change by applying a canary values file to a release in a dedicated namespace, then promote it.
# manual-only example
# Canary namespace release
helm upgrade --install "$RELEASE-canary" "$CHART" \
  --version "$CHART_VERSION" \
  --namespace "$NAMESPACE-canary" \
  --create-namespace \
  --values values-prod.yaml \
  --values values-canary.yaml
kubectl -n "$NAMESPACE-canary" rollout status ds/"$RELEASE-canary-agent" --timeout=300s
# Roll back primary release if needed
helm -n "$NAMESPACE" rollback "$RELEASE" 1
kubectl -n "$NAMESPACE" rollout status ds/"$RELEASE-agent" --timeout=300s
Troubleshooting Matrix
- Secret mismatch: generated secret manifest was not applied into the same namespace as the Helm release.
- TLS trust failure: invalid CA bundle mounted for agent.controlPlaneCa.
- Enrollment failures: control-plane URL unreachable from node network path.
- Readiness failures: cert/key path mismatch when agent.tls.enabled=true.
# manual-only example
kubectl -n "$NAMESPACE" get pods -l app.kubernetes.io/component=agent
kubectl -n "$NAMESPACE" logs daemonset/"$RELEASE-agent" --tail=200
kubectl -n "$NAMESPACE" get secret "$RELEASE-agent-secret" -o yaml
kubectl -n "$NAMESPACE" describe daemonset "$RELEASE-agent"
Validation Checks (Last Step)
# executable example
helm show values oci://ghcr.io/sgreysond/charts/aegis --version 0.1.1 | head -n 40
helm template dryrun-aegis oci://ghcr.io/sgreysond/charts/aegis \
  --version 0.1.1 \
  --set controlPlane.enabled=false \
  --set agent.enabled=true \
  --set agent.controlPlaneUrl=https://axis.velikey.com \
  --set agent.secret.create=false \
  --set agent.secret.existingSecretName=dryrun-aegis-secret \
  | sed -n '1,12p'