Alexandria EE Deployment Shapes

Note: Quadlet is a distinct SKU from Helm. Features marked No are by design, not a regression.

Alexandria EE ships in two deployment shapes that are intentionally not feature-equivalent. Each shape targets a different customer segment and infrastructure model.

Shape	Target	Binary	Image
Helm (k8s)	Customer's Kubernetes cluster (GKE, EKS, AKS, on-prem)	`alex-api-k8s`	`ee-api-k8s`
Quadlet (single-host)	Single provisioned Linux host (VM, bare metal)	`alex-api-quadlet`	`ee-api-quadlet`

Feature Matrix

Feature	Helm (k8s)	Quadlet (single-host)
OIDC/SAML federation	Yes	No — excluded from build
Vault KV v2 secrets backend	Yes	No — excluded from build
Managed LLM backends (Helm-provisioned)	Yes	No — 400/501 kubernetes-required
Pod log streaming	Yes	No — 400/501 kubernetes-required
Cilium network policy	Yes	No — 400/501 kubernetes-required
Model controller binary (`alex-model-controller-k8s`)	Yes	No — excluded from build
KEDA autoscaling	Yes	No — 400/501 kubernetes-required
Per-tenant Cilium policy	Yes	No — 400/501 kubernetes-required
Multi-tenancy (per-tenant process isolation)	Yes	No — excluded from build
WebAuthn / FIDO2 passkeys	Yes	No — excluded from build
SCIM provisioning	Yes	No — excluded from build
Memcached tool cache	Yes	No — excluded from build
Redis agent cache	Yes	Yes
Changeset tracking	Yes	Yes
Vector index (FAISS sidecar)	Yes	Yes
Core REST API (agents, tools, LLM, audit, MCP)	Yes	Yes
JWT auth + RBAC	Yes	Yes
Postgres storage	Yes	Yes
License enforcement + tier entitlements	Yes	Yes

Shape Details

Helm (Kubernetes)

Full EE feature set: OIDC/SAML, SCIM, multi-tenancy, per-tenant Cilium network policy, Vault transit, KEDA HPA, ServiceMonitor, ExternalSecret.
Compliance-friendly: audit chain, network policy, KMS integration.
Built with -tags k8s_enabled; real k8s.io/* and Cilium CRD clients are linked in.
Image: ee-api-k8s — entry point alex-api-k8s.
Model controller: separate ee-model-controller-k8s image (manages ManagedLLMBackend CRDs).

Quadlet (Single-Host)

Reduced EE: license + core API/orchestrator/dashboard/redis/otelcol on systemd (Quadlet units).
External Postgres assumed. No SSO, no SCIM, no multi-tenancy, no Cilium.
Built without k8s_enabled tag; carries zero k8s.io/* dependencies.
Image: ee-api-quadlet — entry point alex-api-quadlet.
Endpoints that require Kubernetes primitives return 400 Bad Request or 501 Not Implemented with {"error": "kubernetes-required"} when called against a Quadlet deployment.

Build Paths

Images are shared OCI artifacts built from the same source tree. The fork is at deploy-time configuration and build tags, not at the source level.

Context	Path
arm64 macOS	`gcloud builds submit --config cloudbuild.yaml` (Cloud Build; QEMU-free)
native amd64 Linux	`make images-local PROJECT_ID=<project>` (podman; bails on non-amd64)

Both paths produce identical image tags in Artifact Registry. Releases must smoke-test both shapes independently — Helm-green does not imply Quadlet-green.

Feature Matrix​

Shape Details​

Helm (Kubernetes)​

Quadlet (Single-Host)​

Build Paths​

Feature Matrix

Shape Details

Helm (Kubernetes)

Quadlet (Single-Host)

Build Paths