Aegis Install with Terraform
Deploy Aegis through the public Terraform Registry module with explicit controls for namespace, TLS, rollout, and rollback.
Prerequisites
- Terraform 1.5+ and Helm 3.13+.
- A Kubernetes cluster context already authenticated for the target environment.
- An Axis account with billing set up so you can generate a tenant-scoped deployment bundle and control-plane endpoint metadata (production default: https://axis.velikey.com).
- A remote encrypted Terraform state backend (S3 + KMS + DynamoDB lock recommended).
# manual-only example
command -v terraform
command -v kubectl
command -v helm
terraform version | head -n 1
Quickstart with Public Registry Module
Use the public module source and pin an explicit version. Generate the tenant bundle in Axis first, then feed the generated secret/values into Terraform.
# manual-only example
mkdir -p infra/aegis-terraform && cd infra/aegis-terraform
curl -sS -X POST "https://axis.velikey.com/api/agent-install/generate" \
  -H "Content-Type: application/json" \
  -H "Cookie: next-auth.session-token=<SESSION_COOKIE>" \
  --data '{"customerName":"acme-prod","environment":"production","agentIdPrefix":"agent","expiresInDays":7}' \
  > deployment-bundle.json
jq -r '.deploymentBundle.kubernetesSecretManifest' deployment-bundle.json > velikey-aegis-agent-secret.yaml
jq -r '.deploymentBundle.terraformModuleSnippet' deployment-bundle.json > main.tf
kubectl apply -f velikey-aegis-agent-secret.yaml
terraform init
terraform validate
terraform plan -out=tfplan
terraform apply tfplan
Production Profile and Secret Handling
- Pin module version and chart version for reproducible rollouts.
- Set image digests through helm_values for strict supply-chain control.
- Never store tokens in terraform.tfvars or state output values.
- Store the generated bundle artifacts in your normal secret-delivery path after you download them from Axis.
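# illustrative example
# Keep the local copy readable by its owner only.
install -m 600 deployment-bundle.json ./secure/deployment-bundle.json
# Only affects a path already in the Git index; it does not ignore or untrack the file.
git update-index --assume-unchanged ./secure/deployment-bundle.json
kubectl apply -f velikey-aegis-agent-secret.yaml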
Enterprise Wrapper Pattern
Standardize allowed override surfaces in a wrapper module and keep environment deltas in small overlay files.
# illustrative example
mkdir -p modules/aegis-wrapper
cat > modules/aegis-wrapper/main.tf <<'HCL'
variable "namespace" { type = string }
variable "release_name" { type = string }
variable "control_plane_url" { type = string }

module "aegis" {
  source  = "sgreysond/aegis/kubernetes"
  version = "0.1.1"

  namespace        = var.namespace
  release_name     = var.release_name
  chart_repository = "oci://ghcr.io/sgreysond/charts"
  chart_name       = "aegis"
  chart_version    = "0.1.1"

  helm_values = {
    "controlPlane.enabled"            = "false"
    "agent.controlPlaneUrl"           = var.control_plane_url
    "agent.secret.create"             = "false"
    "agent.secret.existingSecretName" = "velikey-aegis-agent-secret"
  }
}
HCL
Rollback Procedure
Rollback should be version-based and auditable. Keep prior known-good module/chart versions documented per environment.
# manual-only example
# 1) Set the prior known-good module/chart versions in your environment overlay.
# 2) Re-run plan/apply and verify DaemonSet health.
terraform plan -out=tfplan.rollback
terraform apply tfplan.rollback
kubectl -n velikey-aegis rollout status ds/velikey-aegis-agent --timeout=300s
helm -n velikey-aegis history velikey-aegis
Validation Checks (Last Step)
# manual-only example
terraform fmt -check
terraform validate
helm show chart oci://ghcr.io/sgreysond/charts/aegis --version 0.1.1 | head -n 10
Run these checks in CI for every Terraform/docs change touching install instructions.
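A further CI check for two of the rules under Production Profile and Secret Handling, as an added example that is not part of the Aegis project or its documentation: it flags registry module calls without an exact version/chart_version pin and token-like assignments in *.tfvars. The function names, the variable-name pattern, and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Aegis project code. Flags registry module calls without an
# exact version pin and token-like assignments in *.tfvars.
# Assumption: the variable-name pattern (token|secret|password); tune as needed.
check_aegis_tf() {
  dir=$1
  findings=$(
    for f in "$dir"/*.tf; do
      [ -f "$f" ] || continue
      awk '
        /^[ \t]*module[ \t]+"/ { inmod = 1; depth = 0; has_ver = 0; local_src = 0; start = FNR }
        inmod {
          if ($0 ~ /^[ \t]*source[ \t]*=[ \t]*"\.\.?\//) local_src = 1
          if ($0 ~ /^[ \t]*version[ \t]*=/) has_ver = 1
          # Exact x.y.z only: ranges (~>, >=) and variable references are flagged.
          if ($0 ~ /^[ \t]*(version|chart_version)[ \t]*=/ &&
              $0 !~ /=[ \t]*"[0-9]+\.[0-9]+\.[0-9]+"[ \t]*$/)
            print FILENAME ":" FNR ": not an exact pin: " $1
          depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
          if (depth <= 0) {
            # Local-path modules take no version argument, so they are exempt.
            if (!has_ver && !local_src) print FILENAME ":" start ": module call has no version"
            inmod = 0
          }
        }' "$f"
    done
    for f in "$dir"/*.tfvars; do
      [ -f "$f" ] || continue
      # Report the variable name only, never its value, so CI logs stay clean.
      grep -HnEi '^[[:space:]]*[a-z0-9_]*(token|secret|password)[a-z0-9_]*[[:space:]]*=' "$f" |
        sed 's/=.*/= <redacted> (token-like variable in tfvars)/'
    done
  )
  if [ -n "$findings" ]; then printf '%s\n' "$findings" >&2; return 1; fi
  return 0
}

# Constructed sample input: pins as in the wrapper on this page, or two violations.
write_sample() { # usage: write_sample DIR good|bad
  ver='"0.1.1"'; [ "$2" = bad ] && ver='"~> 0.1"'
  printf 'module "aegis" {\n  source = "sgreysond/aegis/kubernetes"\n  version = %s\n  chart_version = "0.1.1"\n  helm_values = {\n    "agent.secret.create" = "false"\n  }\n}\n' "$ver" > "$1/main.tf"
  [ "$2" = bad ] && echo 'agent_token = "constructed-placeholder"' > "$1/terraform.tfvars"
  return 0
}

d=$(mktemp -d); write_sample "$d" bad
check_aegis_tf "$d" || echo "findings above: fail the CI job"
rm -rf "$d"
```

Call check_aegis_tf on the Terraform directory alongside terraform fmt -check and terraform validate. It does not inspect image digests or state output values, which need their own checks.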