§02 — Exo Control Plane

Manual install · manifests & Helm

When you want raw manifests under GitOps instead of the installer: the platform deploy.yaml, the agentkube Helm chart, and the CRD bundle — and the two edits the stock files need.

5 min read·Set by Exo Editorial·v0.3.0 Beta

exo-install is the fastest path, but if you run everything through Argo CD, Flux, or a reviewed kustomize tree, you'll want the raw manifests. They're the same ones the installer embeds, derived from the operator config and the repo-root deploy.yaml.

When to go manual

You manage cluster state declaratively and don't want a binary mutating it.
You need to diff and review every change to RBAC or the platform Secret.
You install the operator via Helm as part of a larger release.

Manifest layout

The installer's pinned copies live under exo-install/manifests/:

●exo-install/manifests/· text

1crds/         agents.yaml  tools.yaml  mcps.yaml
2              llmgateways.yaml  claws.yaml
3operator/     00-namespace.yaml          (agentkube-system)
4              01-serviceaccount.yaml
5              02-clusterrole.yaml         03-clusterrolebinding.yaml
6              04-manager.yaml             (Deployment + Service)
7              05-admission.yaml           (pods/exec + tool webhook)
8platform/     00-namespace.yaml          01-secret.yaml
9              02-configmap.yaml           03-postgres.yaml (optional)
10              04-app.yaml                 (Deployment + Service)

Apply them in order: crds/ → operator/ → platform/. The operator and platform sources are templated (namespace, image, managed mode, secrets, service type), so prefer exo-install render to materialise a concrete copy:

●terminal· bash

1exo-install render crds     | kubectl apply -f -
2exo-install render operator | kubectl apply -f -
3exo-install render platform | kubectl apply -f -

Platform · deploy.yaml

The repo root ships a standalone deploy.yaml for the control plane (Namespace, Secret exo-secrets, ConfigMap exo-config, Service + Deployment exo-app on port 9092, 2 replicas with a rolling update). Two edits are required before it's production-usable:

●exo-secrets · stringData· yaml

1stringData:
2  EXO_JWT_SECRET:     "<openssl rand -base64 48>"
3  EXO_ENCRYPTION_KEY: "<openssl rand -hex 16>"   # exactly 32 bytes
4  EXO_DATABASE_DSN:   "host=db user=exo dbname=exo sslmode=require"
5  EXO_CLAUDE_API_KEY: ""                          # optional, base64-encoded

●terminal· bash

1kubectl apply -f deploy.yaml
2kubectl -n exo rollout status deploy/exo-app

Operator · Helm chart

The operator ships a Helm chart at agentkube/helm/agentkube. CRDs sit in the chart's native crds/ directory (installed on helm install, never touched on upgrade/uninstall).

●terminal· bash

1helm install agentkube ./agentkube/helm/agentkube \
2  --namespace agentkube-system --create-namespace \
3  --set manager.managed=true \
4  --set manager.baseURL=https://exo.example.com

●values.yaml (key knobs)· yaml

1namespace:
2  name: agentkube-system
3  create: true
4image:
5  manager:
6    repository: docker.io/adaptivelive/agentkube-manager
7    tag: ""            # empty → chart appVersion
8    pullPolicy: IfNotPresent
9  pullSecrets: []      # for private registries
10manager:
11  replicas: 1
12  args: [--leader-elect]
13  managed: false                       # phone home to baseURL when true
14  baseURL: https://exo.adaptive.live
15  authTokenSecret:                     # read when managed=true
16    name: agentkube-auth
17    key: token
18webhook:
19  enabled: true        # pods/exec admission webhook
20  failurePolicy: Fail
21crds:
22  install: true

CRDs

If you manage CRDs out-of-band, the generated definitions live at agentkube/config/crd-generated/*.yaml (the verbatim source for the installer's crds/ bundle). Apply them directly and set crds.install=false in Helm or skip exo-install crds. See CRD overview.

Previous · Exo Control PlaneInstall with exo-install Next · Exo Control Plane Control-plane config & secrets