Aegis Install on Kubernetes

Use Helm to deploy the Aegis agent DaemonSet and attach tenant-scoped bootstrap credentials.

Last updated: February 27, 2026
Source: VeliKey Docs Team
Owner: Aegis Product Engineering

Overview

In Kubernetes, Aegis runs as a DaemonSet and references a secret containing bootstrap and control-plane auth material.

Cluster operators should keep release names and namespace conventions stable for predictable operational runbooks.

Endpoint Assumptions

  • Production auth and API host: https://axis.velikey.com (signin: https://axis.velikey.com/auth/signin).
  • Non-production override: set AXIS_BASE_URL explicitly before running docs commands.
  • Generate tenant-scoped bundle files from Axis rather than hand-authoring bootstrap secrets.

Actionable Steps

  1. Generate a deployment bundle in Axis and save the generated Kubernetes secret manifest locally.
  2. Deploy the chart with the generated secret name, release, and namespace.
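  3. Wait for DaemonSet readiness and inspect logs for enrollment success.

# manual-only example
# Step 1: generate the bundle. <SESSION_COOKIE> is a placeholder for your Axis session
# cookie. The cookie and deployment-bundle.json are credentials: keep them out of
# shared shell history and version control.
curl -sS -X POST "https://axis.velikey.com/api/agent-install/generate" \
  -H "Content-Type: application/json" \
  -H "Cookie: next-auth.session-token=<SESSION_COOKIE>" \
  --data '{"customerName":"acme-prod","environment":"production","agentIdPrefix":"agent","expiresInDays":7}' \
  > deployment-bundle.json

# Extract the generated secret manifest and Helm values from the bundle.
jq -r '.deploymentBundle.kubernetesSecretManifest' deployment-bundle.json > velikey-aegis-agent-secret.yaml
jq -r '.deploymentBundle.helmValuesYaml' deployment-bundle.json > values-production.yaml

# Step 2: create the secret, then deploy the chart. If the manifest targets a namespace
# that does not exist yet, create that namespace first; --create-namespace only takes
# effect at the helm step.
kubectl apply -f velikey-aegis-agent-secret.yaml

helm upgrade --install "acme-prod-production-aegis" oci://ghcr.io/sgreysond/charts/aegis \
  --version "0.1.1" \
  --namespace velikey-acme-prod-production \
  --create-namespace \
  --values values-production.yaml

# Step 3: wait for the DaemonSet rollout to complete.
kubectl -n velikey-acme-prod-production rollout status ds/acme-prod-production-aegis-agent --timeout=240s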

Validation Checks (Last Step)

# executable example
command -v helm
command -v kubectl
command -v bash

Run these checks from the same shell session used for chart deployment.

Common Failure Modes

  • Secret keys are misspelled, so pods start but fail to authenticate to Axis.
  • Namespace mismatch between secret and Helm release prevents secret mount resolution.
  • Rolling updates stall due to node taints or restrictive PodSecurity admission.
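
An added pre-apply check for the namespace-mismatch failure mode above, which also catches a null or empty manifest left behind by a failed bundle request. This is not VeliKey's code: check_secret_manifest and metadata_field are hypothetical helper names, the embedded manifest is a constructed sample, and the parser assumes a single Secret with block-style metadata.

```shell
# Added example, not VeliKey code. Assumes the generated manifest is one Secret
# with block-style metadata; file and namespace names follow the steps above.

# Print a key directly under "metadata:" (ignores keys nested in labels/annotations).
metadata_field() {  # usage: metadata_field <file> <key>
  awk -v key="$2" '
    /^metadata:[ \t]*$/     { in_meta = 1; indent = -1; next }
    /^[ \t]*(#|$)/          { next }            # skip comments and blank lines
    in_meta && /^[^ \t]/    { in_meta = 0 }     # next top-level key ends metadata
    in_meta && match($0, /^ +/) {
      if (indent < 0) indent = RLENGTH          # indent of the first child key
      if (RLENGTH == indent && $1 == (key ":")) { v = $2; gsub(/"/, "", v); print v; exit }
    }' "$1"
}

check_secret_manifest() {  # usage: check_secret_manifest <manifest> <release-namespace>
  csm_file="$1"; csm_want="$2"
  # jq -r writes the literal text "null" when the key is missing (an error body
  # instead of a bundle); a response jq cannot parse leaves the file empty.
  if [ ! -s "$csm_file" ] || [ "$(tr -d ' \t\r\n' < "$csm_file")" = "null" ]; then
    echo "FAIL: $csm_file is empty or null; regenerate the bundle" >&2; return 2
  fi
  csm_kind="$(awk '/^kind:/ { print $2; exit }' "$csm_file")"
  if [ "$csm_kind" != "Secret" ]; then
    echo "FAIL: kind is '${csm_kind:-missing}', expected Secret" >&2; return 3
  fi
  csm_ns="$(metadata_field "$csm_file" namespace)"
  if [ -z "$csm_ns" ]; then
    echo "FAIL: no metadata.namespace; apply would use the current context namespace" >&2; return 4
  fi
  if [ "$csm_ns" != "$csm_want" ]; then
    echo "FAIL: secret namespace '$csm_ns' is not release namespace '$csm_want'" >&2; return 5
  fi
  echo "OK: Secret '$(metadata_field "$csm_file" name)' targets namespace '$csm_want'"
}

# Constructed sample standing in for the generated manifest (placeholder values).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  labels:
    namespace: decoy-label
  name: sample-agent-secret
  namespace: velikey-acme-prod-production
EOF
check_secret_manifest "$sample" velikey-acme-prod-production
rm -f "$sample"
```

Run check_secret_manifest velikey-aegis-agent-secret.yaml velikey-acme-prod-production before kubectl apply; a non-zero return means the manifest should not be applied as-is.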

Enterprise Install Paths

For production rollout runbooks, use the dedicated IaC/operator guides: