Kubernetes Deployment
Deploy the Wrapd agent to Kubernetes so your cluster-hosted endpoints are always online. The official Helm chart handles credentials, RBAC, and resource limits out of the box.
Quick start
```bash
helm repo add wrapd https://charts.wrapd.sh
helm repo update

helm install wrapd-agent wrapd/wrapd-agent \
  --set agent.token=wra_YOUR_AGENT_TOKEN \
  --set agent.name=production \
  --set agent.hubUrl=https://hub.wrapd.sh
```

The agent pod connects to the Wrapd hub over WebSocket and registers its endpoints, just like a local agent.
Values reference
| Key | Default | Description |
|---|---|---|
| image.repository | ghcr.io/wrapd-sh/wrapd-agent | OCI image for the agent |
| image.tag | latest | Image tag (pin to a release for stability) |
| agent.name | default | Agent name — must match the token name in the dashboard |
| agent.token | "" | Agent token (use existingSecret instead for production) |
| agent.hubUrl | https://hub.wrapd.sh | Hub WebSocket URL |
| existingSecret | "" | Name of an existing Kubernetes Secret containing the token |
| existingSecretKey | WRAPD_TOKEN | Key inside the Secret that holds the token value |
| resources | {} | CPU/memory requests and limits |
| rbac.enabled | false | Create a ServiceAccount, Role, and RoleBinding |
| rbac.clusterRole | false | Use ClusterRole instead of namespace-scoped Role |
Using an existing Secret
Never commit agent tokens to version control. Create a Secret first, then reference it in the Helm install:

```bash
kubectl create secret generic wrapd-agent-token \
  --from-literal=WRAPD_TOKEN=wra_YOUR_AGENT_TOKEN

helm install wrapd-agent wrapd/wrapd-agent \
  --set agent.name=production \
  --set agent.hubUrl=https://hub.wrapd.sh \
  --set existingSecret=wrapd-agent-token
```

The chart mounts the Secret as an environment variable. If existingSecret is set, agent.token is ignored.
RBAC setup
If your endpoints run kubectl commands, the agent pod needs Kubernetes API access. Enable RBAC in the chart values:

```bash
helm install wrapd-agent wrapd/wrapd-agent \
  --set agent.name=production \
  --set existingSecret=wrapd-agent-token \
  --set rbac.enabled=true
```

This creates a ServiceAccount, Role, and RoleBinding scoped to the agent’s namespace. For cluster-wide access (e.g., listing pods across namespaces), enable rbac.clusterRole:

```bash
helm install wrapd-agent wrapd/wrapd-agent \
  --set agent.name=production \
  --set existingSecret=wrapd-agent-token \
  --set rbac.enabled=true \
  --set rbac.clusterRole=true
```

Multi-agent deployment
Install multiple Helm releases with different agent names to run separate agents in the same cluster:

```bash
# Production agent
helm install wrapd-prod wrapd/wrapd-agent \
  --set agent.name=production \
  --set existingSecret=wrapd-prod-token

# Staging agent
helm install wrapd-staging wrapd/wrapd-agent \
  --set agent.name=staging \
  --set existingSecret=wrapd-staging-token \
  --namespace staging
```

Each release gets its own pod, ServiceAccount, and WebSocket connection. Endpoints route to the correct agent by agent_name as usual.
OCI image
The agent image is published at:

```
ghcr.io/wrapd-sh/wrapd-agent
```

It contains the statically linked wrapd-agent binary, runs as non-root, and exposes no ports (outbound WebSocket only). Pin the tag to a specific version for production stability:

```yaml
image:
  repository: ghcr.io/wrapd-sh/wrapd-agent
  tag: "0.9.1"
```
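
The recommendations on this page (pass the token through existingSecret, pin image.tag, and enable rbac.clusterRole only for cluster-wide access) can be checked before a deploy runs. The following is an added example, not part of the Wrapd chart or its documentation: a POSIX shell function, hypothetically named `lint_wrapd_sets`, that inspects the `--set` flags of a `helm install` command line. It assumes no values are supplied through values files.

```shell
#!/bin/sh
# Added example, not part of the Wrapd chart: lint the --set flags of a
# wrapd-agent `helm install` before it runs (for instance as a CI step).
# Only value keys documented on this page are inspected; values supplied
# through -f/--values files are out of scope (assumption of this sketch).
# Prints one finding per line; the exit status is the number of findings.
lint_wrapd_sets() (
  token="" tag="" cluster="" n=0
  while [ "$#" -gt 0 ]; do
    case "$1" in
      --set)   kv="${2:-}"; shift ;;
      --set=*) kv="${1#--set=}" ;;
      *)       kv="" ;;
    esac
    if [ "$#" -gt 0 ]; then shift; fi
    # helm accepts several comma-separated key=value pairs in one --set
    IFS=,; set -f
    for pair in $kv; do
      case "$pair" in
        agent.token=*)      token="${pair#*=}" ;;
        image.tag=*)        tag="${pair#*=}" ;;
        rbac.clusterRole=*) cluster="${pair#*=}" ;;
      esac
    done
    set +f; unset IFS
  done
  if [ -n "$token" ]; then
    echo "agent.token set inline: create a Secret and pass existingSecret"
    n=$((n + 1))
  fi
  if [ -z "$tag" ] || [ "$tag" = "latest" ]; then
    echo "image.tag not pinned: chart default is latest"
    n=$((n + 1))
  fi
  if [ "$cluster" = "true" ]; then
    echo "rbac.clusterRole=true: cluster-wide access, confirm it is required"
    n=$((n + 1))
  fi
  exit "$n"
)

# Constructed sample: the Quick start command as written on this page.
lint_wrapd_sets --set agent.token=wra_YOUR_AGENT_TOKEN \
  --set agent.name=production --set agent.hubUrl=https://hub.wrapd.sh \
  || echo "findings: $?"
```

The function body runs in a subshell, so its IFS and globbing changes do not leak into the calling script.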