Aegis Public Endpoint Patterns
Operational patterns for public HTTPS endpoints, trust boundaries, canary rollout, and rapid rollback.
Trust Boundary Model
- Internet client to Aegis endpoint: always HTTPS and certificate-validated.
- Aegis to backend service: internal cluster or private network path with constrained ACLs.
- Aegis to control plane: authenticated and pinned trust path.
Prerequisites
- Ingress or LoadBalancer ownership model approved for the target environment.
- TLS certificate issuance path defined (cert-manager or external certificate workflow).
- Rollback and on-call escalation path documented before production changes.
Ingress vs LoadBalancer
Use an Ingress when a central ingress controller must apply shared policy (TLS termination, host and path routing) in front of Aegis. Use a LoadBalancer Service when each environment should own its own edge without a shared controller; the release owner then also owns the certificate lifecycle for that edge.

```bash
# illustrative example
# Ingress pattern
# Keys containing [0] are quoted so the shell does not try to glob-expand them.
helm upgrade --install velikey-aegis oci://ghcr.io/sgreysond/charts/aegis \
  --version 0.1.1 \
  --namespace velikey-aegis \
  --create-namespace \
  --set ingress.enabled=true \
  --set ingress.className=nginx \
  --set 'ingress.hosts[0].host=edge.example.com' \
  --set 'ingress.hosts[0].paths[0].path=/' \
  --set 'ingress.hosts[0].paths[0].pathType=Prefix'
```

```bash
# illustrative example
# LoadBalancer pattern
helm upgrade --install velikey-aegis oci://ghcr.io/sgreysond/charts/aegis \
  --version 0.1.1 \
  --namespace velikey-aegis \
  --create-namespace \
  --set ingress.enabled=false \
  --set agent.service.type=LoadBalancer
```
TLS and Cipher Expectations
- Terminate TLS only where certificate lifecycle and audit controls are owned.
- Prefer certificate automation with explicit issuer references.
- Validate negotiated protocol/cipher from a client viewpoint during rollout.
```bash
# manual-only example
export EDGE_HOST="edge.example.com"
# -servername sends SNI; -verify_hostname makes s_client check the name against the
# certificate instead of only reporting the chain. The summary lines (negotiated
# protocol, cipher, verify result) sit well past the first 30 lines of output, so
# filter for them rather than printing the head of the output.
openssl s_client -connect "$EDGE_HOST:443" -servername "$EDGE_HOST" -verify_hostname "$EDGE_HOST" \
  < /dev/null 2>&1 \
  | grep -E 'depth=|subject=|issuer=|Protocol|Cipher|Verify return code'
# No -k here: curl must validate the chain and hostname, otherwise the check says
# nothing about the certificate that was actually served.
curl -fsSI "https://$EDGE_HOST/" | sed -n '1,20p'
```
Canary Rollout and Rollback
Use separate release names/namespaces for canary and primary. Promote only after TLS, traffic, and telemetry checks pass.
```bash
# manual-only example
# Deploy canary (later --values files override earlier ones)
helm upgrade --install velikey-aegis-canary oci://ghcr.io/sgreysond/charts/aegis \
  --version 0.1.1 \
  --namespace velikey-aegis-canary \
  --create-namespace \
  --values values-prod.yaml \
  --values values-canary.yaml
kubectl -n velikey-aegis-canary rollout status ds/velikey-aegis-canary-agent --timeout=300s

# Roll back primary quickly if signals degrade.
# Take the revision number from `helm -n velikey-aegis history velikey-aegis`;
# revision 1 is the original install and is only the right target if that is
# the last known-good state.
helm -n velikey-aegis rollback velikey-aegis 1
kubectl -n velikey-aegis rollout status ds/velikey-aegis-agent --timeout=300s
```
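The promote-or-rollback decision the paragraph above leaves to the operator, as an added example that is not part of the Aegis chart or its docs. Release and namespace names, the DaemonSet name derived from the release name, the 1% error-rate SLO and the shape of the counters are assumptions; the history JSON is a constructed sample of what `helm history -o json` returns. It picks the rollback target from the release history instead of hard-coding revision 1.

```bash
#!/usr/bin/env bash
# Added example, not part of the Aegis chart or its docs: a promote-or-rollback
# gate for the canary pattern above. Release/namespace names, the DaemonSet
# name and the error-rate SLO are assumptions; TOTAL/ERRORS are request
# counters you scrape from the canary's own metrics.
set -eu

PRIMARY_RELEASE="${PRIMARY_RELEASE:-velikey-aegis}"
PRIMARY_NS="${PRIMARY_NS:-velikey-aegis}"
MAX_ERROR_RATE_PCT="${MAX_ERROR_RATE_PCT:-1}"   # assumed SLO: at most 1% failed requests

# canary_error_rate_pct TOTAL ERRORS: integer percent of failed requests.
# Zero traffic reports 100% so a canary that received nothing cannot pass.
canary_error_rate_pct() {
  local total="$1" errors="$2"
  if [ "$total" -le 0 ]; then echo 100; return 0; fi
  echo $(( errors * 100 / total ))
}

# canary_healthy TOTAL ERRORS: succeeds only if traffic was seen and the
# error rate is within MAX_ERROR_RATE_PCT.
canary_healthy() {
  local rate
  rate="$(canary_error_rate_pct "$1" "$2")"
  [ "$1" -gt 0 ] && [ "$rate" -le "$MAX_ERROR_RATE_PCT" ]
}

# last_good_revision: reads `helm history -o json` on stdin and prints the
# newest superseded revision whose install/upgrade completed. Failed
# revisions and the currently deployed one are never chosen; revision 1 is
# not assumed to be the target.
last_good_revision() {
  jq -r '[ .[] | select(.status == "superseded")
               | select(.description | test("complete"; "i")) ]
         | sort_by(.revision) | last | .revision // empty'
}

# rollback_primary: roll the primary release back to that revision and wait
# for its DaemonSet (name assumed from the release name, as on this page).
rollback_primary() {
  local rev
  rev="$(helm -n "$PRIMARY_NS" history "$PRIMARY_RELEASE" -o json | last_good_revision)"
  if [ -z "$rev" ]; then
    echo "no completed earlier revision for $PRIMARY_RELEASE; escalate per runbook" >&2
    return 1
  fi
  echo "rolling $PRIMARY_RELEASE back to revision $rev"
  helm -n "$PRIMARY_NS" rollback "$PRIMARY_RELEASE" "$rev" --wait --timeout 5m
  kubectl -n "$PRIMARY_NS" rollout status "ds/${PRIMARY_RELEASE}-agent" --timeout=300s
}

# promote_or_rollback TOTAL ERRORS: decision point after the canary soak.
# Healthy: print the go-ahead (the primary upgrade itself stays a deliberate
# operator step). Degraded: roll the primary back, as the page prescribes.
promote_or_rollback() {
  local rate
  rate="$(canary_error_rate_pct "$1" "$2")"
  if canary_healthy "$1" "$2"; then
    echo "canary healthy (${rate}% errors over $1 requests): promote"
    return 0
  fi
  echo "canary degraded (${rate}% errors over $1 requests): rolling back" >&2
  rollback_primary
  return 1
}

# Constructed sample of `helm history -o json` (not from a real release):
SAMPLE_HISTORY='[{"revision":1,"status":"superseded","description":"Install complete"},
 {"revision":2,"status":"superseded","description":"Upgrade complete"},
 {"revision":3,"status":"failed","description":"Upgrade \"velikey-aegis\" failed"},
 {"revision":4,"status":"deployed","description":"Upgrade complete"}]'

# Usage (constructed counters):
#   promote_or_rollback 20000 50     # 0% errors -> promote
#   promote_or_rollback 20000 900    # 4% errors -> rollback_primary runs
#   printf '%s' "$SAMPLE_HISTORY" | last_good_revision   # prints 2
```

The error-rate arithmetic is integer-only on purpose: it needs nothing beyond POSIX sh, and a 1% SLO does not benefit from fractional precision. `jq` is used for the history parsing because the checklist below already requires it.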
Endpoint Validation Checklist
```bash
# executable example
# Fail on the first missing tool instead of always printing the success line.
for tool in openssl curl jq; do
  command -v "$tool" >/dev/null 2>&1 || { printf 'missing tool: %s\n' "$tool" >&2; exit 1; }
done
printf 'Endpoint validation tooling present\n'
```
- Confirm TLS handshake and hostname validation.
- Confirm successful application responses over HTTPS.
- Confirm Aegis metrics show expected connection/byte deltas.
- Confirm rollback commands return environment to known-good state.
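The checklist above, and the protocol/cipher check from the TLS section, as pass/fail functions. This is an added example, not Aegis documentation or chart code. The live probes use `openssl s_client` and `curl` exactly as this page does; the parsers read probe output from stdin, so they also run against the constructed samples at the bottom without a cluster. The host, the metric being compared and the minimum delta are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the Aegis docs or chart: the endpoint checklist
# as pass/fail functions. Parsers read openssl/curl output from stdin; the
# SAMPLE_* values are constructed, not captured from a real endpoint.
set -eu

# tls_summary_ok: reads `openssl s_client` output. Passes only if the chain
# and hostname verified (Verify return code 0) and TLS 1.2 or 1.3 was
# negotiated with a cipher that is not an obviously weak legacy suite.
tls_summary_ok() {
  local out proto cipher verify
  out="$(cat)"
  proto="$(printf '%s\n' "$out"  | sed -n 's/^ *Protocol *: *//p' | head -n 1)"
  cipher="$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)"
  verify="$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)"
  case "$proto" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "FAIL tls: protocol '${proto:-none}', want TLS 1.2+" >&2; return 1 ;;
  esac
  case "$cipher" in
    ""|*NULL*|*RC4*|*DES*|*MD5*|*EXPORT*) echo "FAIL tls: cipher '${cipher:-none}'" >&2; return 1 ;;
  esac
  if [ "$verify" != "0" ]; then
    echo "FAIL tls: verify return code '${verify:-none}' (chain or hostname rejected)" >&2
    return 1
  fi
  echo "OK tls: $proto $cipher, chain verified"
}

# http_head_ok: reads `curl -I` headers; passes on a 2xx/3xx status line.
http_head_ok() {
  local status
  status="$(sed -n '1s#^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*#\1#p')"
  case "$status" in
    2??|3??) echo "OK http: status $status" ;;
    *) echo "FAIL http: status '${status:-none}'" >&2; return 1 ;;
  esac
}

# metrics_delta_ok BEFORE AFTER [MIN]: a connection or byte counter scraped
# before and after the test traffic must have moved by at least MIN.
metrics_delta_ok() {
  local before="$1" after="$2" min="${3:-1}" delta
  delta=$(( after - before ))
  if [ "$delta" -lt "$min" ]; then
    echo "FAIL metrics: counter moved by $delta, want >= $min" >&2
    return 1
  fi
  echo "OK metrics: counter moved by $delta"
}

# validate_endpoint HOST: live run against a deployed edge (host assumed).
# -verify_hostname makes s_client check the name; curl runs without -k so it
# validates the certificate as well.
validate_endpoint() {
  local host="$1"
  openssl s_client -connect "$host:443" -servername "$host" -verify_hostname "$host" \
    </dev/null 2>/dev/null | tls_summary_ok
  curl -fsSI "https://$host/" | http_head_ok
}

# Constructed samples (not captured from a real Aegis endpoint).
SAMPLE_S_CLIENT_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)'
SAMPLE_S_CLIENT_BAD='New, TLSv1, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_CURL_OK="$(printf 'HTTP/2 200 \r\ncontent-type: text/html\r\n')"
SAMPLE_CURL_BAD="$(printf 'HTTP/1.1 502 Bad Gateway\r\n')"

# Usage:
#   printf '%s\n' "$SAMPLE_S_CLIENT_OK" | tls_summary_ok
#   validate_endpoint edge.example.com
```

Keeping the parsers separate from the probes means the same pass/fail rules run in CI against recorded output and in the rollout against the live edge, so a change to the rules is tested before it gates a promotion.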