§03 — Exo Operator

Connecting to the control plane

Turn on managed mode so the operator phones home: mint a deployment token, mount it as a Secret, and point the manager at your platform over a single outbound WebSocket.

5 min read·Set by Exo Editorial·v0.3.0 Beta

Out of the box the operator is fully local. To make a cluster show up in the Exo dashboard — with its agents, sessions, runtime statuses, and audit — you enable managed mode and give it a deployment token. It then opens one outbound WebSocket to your platform and keeps it alive; nothing inbound is required.

Managed vs unmanaged

Unmanaged (AGENTKUBE_MANAGED=false, default) — the operator reconciles CRs and runs workloads, but never contacts a control plane. Good for dev clusters and fully air-gapped sites.
Managed (AGENTKUBE_MANAGED=true) — the operator connects to AGENTKUBE_BASE_URL and streams CR statuses, memory refs, context summaries, and session events. Requires a deployment token.

Mint a deployment token

In the Exo dashboard, go to Deployments → New, name the deployment (e.g. prod-eu-west-1), and copy the token shown once. It has the form exo_dpl_ + 32 hex chars; the platform stores only its SHA-256 hash. See Tokens & deployments for the full lifecycle.

Store it as a Secret

The manager reads its token from a Secret named agentkube-auth (key token) by default. The Deployment references it as optional: true, so an unmanaged install needs no Secret at all; for managed mode, create it:

●terminal· bash

1kubectl -n agentkube-system create secret generic agentkube-auth \
2  --from-literal=token=exo_dpl_<your-deployment-token>

Operator env vars

●manager env· text

1AGENTKUBE_MANAGED     "true" to phone home (default "false")
2AGENTKUBE_BASE_URL    platform URL (default https://exo.adaptive.live)
3AGENTKUBE_AUTH_TOKEN  deployment token; from Secret agentkube-auth/token
4AGENTKUBE_CLUSTER_ID  stable cluster id (defaults to the pod namespace/hostname)
5AGENTKUBE_TRANSPORT   "ws" (default) or "http" (legacy reporter)

Via Helm these map to chart values:

●terminal· bash

1helm upgrade agentkube ./agentkube/helm/agentkube --reuse-values \
2  --set manager.managed=true \
3  --set manager.baseURL=https://exo.example.com \
4  --set manager.authTokenSecret.name=agentkube-auth \
5  --set manager.authTokenSecret.key=token

Transport

The default ws transport is a single multiplexed WebSocket to <base-url>/api/agentkube/connect carrying the deployment token as a Bearer credential — snapshots, deltas, heartbeats, shell I/O, and session events all ride it. http selects the legacy polling reporter; prefer ws unless a proxy forbids long-lived upgrades (see Networking).

Verifying the connection

After enabling managed mode, the deployment flips to online in the dashboard within a few seconds and its resource lists populate. If it stays pending, check the manager logs:

●terminal· bash

1kubectl -n agentkube-system logs deploy/agentkube-manager --tail=50

The two usual failures are token rejected (rotated/revoked, or a typo in the Secret) and connection refused (egress firewall blocking the platform host on 443).

Previous · Exo OperatorDeploying the manager Next · Exo Operator Tokens & deployments