Deploy Agent Atlas with Helm

Prerequisites

  • Kubernetes 1.25+
  • Helm 3.x
  • kubectl configured

Install

helm install agent-atlas ./helm/agent-atlas \
  --namespace agent-atlas \
  --create-namespace \
  --set image.repository=ghcr.io/rebeccapowell/agent-atlas \
  --set oidc.issuer=https://your-idp.example.com \
  --set oidc.audience=api://agent-atlas

Production tip: Pin to a specific image tag for reproducible deployments with --set image.tag=1.2.3. When image.tag is not set, the chart defaults to the appVersion in Chart.yaml.

Configuration

See helm/agent-atlas/values.yaml for all configurable values.

Required values

oidc:
  issuer: "https://your-idp.example.com"
  audience: "api://agent-atlas"

Catalog mount

The catalog (data-plane repo) must be mounted into the Atlas pod. Two strategies are supported:

Option 1: ConfigMap (small catalogs)

catalog:
  useConfigMap: true
  configMapName: atlas-catalog

Create the ConfigMap from your data-plane repo:

kubectl create configmap atlas-catalog \
  --from-file=./catalog/ \
  -n agent-atlas

Option 2: git-sync

catalog:
  gitSync:
    enabled: true
    repo: "https://github.com/your-org/your-data-plane-repo.git"
    branch: "main"
    period: "60s"

AKS + GitLab + Calico + KeyVault Profile

Calico Network Policies

Apply default-deny and allow-from-runner policies:

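# default-deny.yaml
# The empty podSelector selects every pod in the namespace. With both policy
# types listed and no rules, all ingress and all egress is denied, despite the
# "-ingress" suffix in the policy name.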
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: agent-atlas
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# allow-atlas-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-atlas-ingress
  namespace: agent-atlas
spec:
  podSelector:
    matchLabels:
      app: agent-atlas
  policyTypes:
    - Ingress
  ingress:
    - from:
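        - namespaceSelector:
            # Matches a "name" label that must be set on the gitlab-runners
            # namespace; Kubernetes does not add this label automatically.
            matchLabels:
              name: gitlab-runners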
      ports:
        - port: 8080
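
Because the default-deny policy above lists Egress under policyTypes, Atlas pods also lose DNS and outbound HTTPS, which the gitSync pull from an https:// repo URL depends on. The policy below is an added example, not part of the chart or the original page. The policy name, the kube-dns label, port 443 for the OIDC issuer and Git host, and the CIDR list are assumptions to adjust for your cluster.

```yaml
# allow-atlas-egress.yaml (added example; not shipped with the chart)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-atlas-egress        # hypothetical name
  namespace: agent-atlas
spec:
  podSelector:
    matchLabels:
      app: agent-atlas
  policyTypes:
    - Egress
  egress:
    # DNS lookups to the cluster resolver. Assumes the DNS pods carry the
    # conventional k8s-app=kube-dns label in kube-system.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # HTTPS to the OIDC issuer and, with gitSync enabled, the Git host.
    # Assumption: both are reached on 443 at public addresses. Private and
    # link-local ranges are excluded so the pod cannot reach other in-cluster
    # or VNet services, or the cloud instance metadata endpoint, over 443.
    # Replace 0.0.0.0/0 with the providers' published ranges where known.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
      ports:
        - protocol: TCP
          port: 443
```

The kubernetes.io/metadata.name label is set on every namespace automatically on the Kubernetes versions listed under Prerequisites, so the DNS rule needs no manual labelling.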

Azure Key Vault (CSI Driver)

# values-aks.yaml
secrets:
  provider: azure-keyvault
  keyVaultName: "your-keyvault-name"
  tenantId: "your-tenant-id"
  clientId: "your-managed-identity-client-id"

GitLab CI pipeline for redeploy on merge

# .gitlab-ci.yml in your data-plane repo
deploy-atlas:
  stage: deploy
  script:
    - helm upgrade agent-atlas ./helm/agent-atlas
        --namespace agent-atlas
        --reuse-values
        --set image.tag=$CI_COMMIT_SHA
  only:
    - main