Aegis Install with Terraform
Deploy Aegis through the public Terraform Registry module with explicit controls for namespace, TLS, rollout, and rollback.
Prerequisites
- Terraform 1.5+ and Helm 3.13+.
- A Kubernetes cluster context already authenticated for the target environment.
- Tenant-scoped bootstrap secret and control-plane endpoint (production default: https://axis.velikey.com).
- A remote encrypted Terraform state backend (S3 + KMS + DynamoDB lock recommended).
# manual-only example
command -v terraform
command -v kubectl
command -v helm
terraform version | head -n 1
Quickstart with Public Registry Module
Use the public module source and pin an explicit version. Keep mutating steps operator-only.
# manual-only example
mkdir -p infra/aegis-terraform && cd infra/aegis-terraform
cat > main.tf <<'HCL'
terraform {
  required_version = ">= 1.5.0"
  required_providers {
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.13"
    }
  }
}

provider "helm" {
  kubernetes {
    config_path = pathexpand("~/.kube/config")
  }
}

module "aegis" {
  source  = "sgreysond/aegis/kubernetes"
  version = "0.1.1"

  release_name     = "velikey-aegis"
  namespace        = "velikey-aegis"
  chart_repository = "oci://ghcr.io/sgreysond/charts"
  chart_name       = "aegis"
  chart_version    = "0.1.1"

  control_plane = {
    replicas = 1
    resources = {
      requests = { cpu = "100m", memory = "128Mi" }
      limits   = { cpu = "500m", memory = "512Mi" }
    }
    service = {
      type = "ClusterIP"
      port = 8443
    }
  }

  agent = {
    enabled = true
    resources = {
      requests = { cpu = "100m", memory = "128Mi" }
      limits   = { cpu = "500m", memory = "512Mi" }
    }
  }

  helm_values = {
    "controlPlane.enabled"            = "false"
    "agent.controlPlaneUrl"           = "https://axis.velikey.com"
    "agent.secret.create"             = "false"
    "agent.secret.existingSecretName" = "velikey-aegis-agent-secret"
  }
}
HCL
terraform init
terraform validate
terraform plan -out=tfplan
terraform apply tfplan
Production Profile and Secret Handling
- Pin module version and chart version for reproducible rollouts.
- Set image digests through helm_values for strict supply-chain control.
- Never store tokens in terraform.tfvars or state output values.
- Load bootstrap/control-plane credentials from AWS Secrets Manager or SSM and render them to a Kubernetes Secret out-of-band.
# illustrative example
aws secretsmanager get-secret-value \
  --secret-id "velikey/aegis/bootstrap" \
  --query SecretString \
  --output text
kubectl -n velikey-aegis create secret generic velikey-aegis-agent-secret \
  --from-literal=AEGIS_BOOTSTRAP_TOKEN='REDACTED' \
  --from-literal=AEGIS_CP_BEARER='REDACTED' \
  --dry-run=client -o yaml | kubectl apply -f -
Enterprise Wrapper Pattern
Standardize allowed override surfaces in a wrapper module and keep environment deltas in small overlay files.
# illustrative example
cat > modules/aegis-wrapper/main.tf <<'HCL'
variable "namespace" { type = string }
variable "release_name" { type = string }
variable "control_plane_url" { type = string }

module "aegis" {
  source  = "sgreysond/aegis/kubernetes"
  version = "0.1.1"

  namespace        = var.namespace
  release_name     = var.release_name
  chart_repository = "oci://ghcr.io/sgreysond/charts"
  chart_name       = "aegis"
  chart_version    = "0.1.1"

  helm_values = {
    "controlPlane.enabled"            = "false"
    "agent.controlPlaneUrl"           = var.control_plane_url
    "agent.secret.create"             = "false"
    "agent.secret.existingSecretName" = "velikey-aegis-agent-secret"
  }
}
HCL
Rollback Procedure
Rollback should be version-based and auditable. Keep prior known-good module/chart versions documented per environment.
# manual-only example
# 1) Set the prior known-good module/chart versions in your environment overlay.
# 2) Re-run plan/apply and verify DaemonSet health.
terraform plan -out=tfplan.rollback
terraform apply tfplan.rollback
kubectl -n velikey-aegis rollout status ds/velikey-aegis-agent --timeout=300s
helm -n velikey-aegis history velikey-aegis
Validation Checks (Last Step)
# manual-only example
terraform fmt -check
terraform validate
helm show chart oci://ghcr.io/sgreysond/charts/aegis --version 0.1.1 | head -n 10
Run these checks in CI for every Terraform/docs change touching install instructions.
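A CI policy check for the plan, added here as an example and not part of the module or this page: it reads the JSON that `terraform show -json tfplan` emits and enforces the rules from the production profile above (exact module and chart pins, agent referencing a pre-created Secret, no credential-looking helm values set from Terraform). The plan fragment and the `agent.bootstrapToken` key are constructed, and the check assumes the module call's arguments are literal constants.

```python
"""Policy check for the Aegis module call in `terraform show -json tfplan` output."""
import json
import re

EXPECTED_SOURCE = "sgreysond/aegis/kubernetes"  # module source used in main.tf above
EXACT_PIN = re.compile(r"^\d+\.\d+\.\d+$")         # rejects "~> 0.1", ">= 0.1.1" and ""
CREDENTIAL_KEY = re.compile(r"token|bearer|password|credential", re.IGNORECASE)


def check_aegis_plan(plan, module_name="aegis"):
    """Return a list of findings for the module call; an empty list means the plan passes."""
    calls = plan.get("configuration", {}).get("root_module", {}).get("module_calls", {})
    call = calls.get(module_name)
    if call is None:
        return ["module call %r not found in plan configuration" % module_name]
    findings = []
    if call.get("source") != EXPECTED_SOURCE:
        findings.append("unexpected module source %r" % call.get("source"))
    if not EXACT_PIN.match(call.get("version_constraint") or ""):
        findings.append("module version is not an exact pin")
    expr = call.get("expressions", {})  # literal arguments appear under "constant_value"
    if not EXACT_PIN.match(str(expr.get("chart_version", {}).get("constant_value") or "")):
        findings.append("chart_version is not an exact pin")
    values = expr.get("helm_values", {}).get("constant_value") or {}
    # Tenant profile from this page: the agent must reference a pre-created Secret.
    if values.get("agent.secret.create") != "false" or not values.get("agent.secret.existingSecretName"):
        findings.append('agent.secret.create must be "false" with agent.secret.existingSecretName set')
    for key in values:  # tokens belong in the out-of-band Secret, never in Terraform code or state
        if CREDENTIAL_KEY.search(key):
            findings.append("credential-looking helm value %r must not be set from Terraform" % key)
    return findings


# Constructed sample in the shape `terraform show -json tfplan` emits for a module call.
GOOD_PLAN = {"configuration": {"root_module": {"module_calls": {"aegis": {
    "source": EXPECTED_SOURCE, "version_constraint": "0.1.1",
    "expressions": {
        "chart_version": {"constant_value": "0.1.1"},
        "helm_values": {"constant_value": {
            "controlPlane.enabled": "false",
            "agent.controlPlaneUrl": "https://axis.velikey.com",
            "agent.secret.create": "false",
            "agent.secret.existingSecretName": "velikey-aegis-agent-secret"}}}}}}}}
BAD_PLAN = json.loads(json.dumps(GOOD_PLAN))  # deep copy of the good plan, then weaken it
_bad_call = BAD_PLAN["configuration"]["root_module"]["module_calls"]["aegis"]
_bad_call["version_constraint"] = "~> 0.1"
_bad_call["expressions"]["helm_values"]["constant_value"].update(
    {"agent.secret.create": "true", "agent.bootstrapToken": "REDACTED"})
```

In CI, pipe `terraform show -json tfplan` into `json.load` and fail the job when `check_aegis_plan` returns a non-empty list.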