Skip to content

Installation Guide

This guide takes you from an empty cloud account to a healthy Nexa deployment. It provisions infrastructure with the supplied Terraform/Terragrunt, publishes images to your registry, loads secrets, deploys the services with ArgoCD + Kustomize, and validates the result. Complete the prerequisites first — this guide assumes the checklist is done.

  1. Verify your local tooling resolves:

    Terminal window
    terraform version && kubectl version --client && helm version

    Expected: Terraform ≥ 1.5, a kubectl client on 1.34, and Helm 3.x — no errors.

  2. Authenticate to your cloud and confirm the target account/subscription:

    Terminal window
    aws sts get-caller-identity

    Expected: JSON showing your account ID (e.g. "Account": "930816733209") and role ARN.

Step 2 — Provision infrastructure with IaC

Section titled “Step 2 — Provision infrastructure with IaC”

Clone the IaC repository for your cloud, then apply per environment with Terragrunt. This creates the cluster, registry, DNS, managed Postgres, networking, and identities.

  1. Initialize the state backend (first time only), then apply:

    Terminal window
    cd aws-iac
    terragrunt run-all plan --terragrunt-working-dir . -- -var-file=environments/dev.tfvars
    terragrunt run-all apply --terragrunt-working-dir . -- -var-file=environments/dev.tfvars

    Expected: a plan summary, then Apply complete! per module (network, eks, ecr, rds, route53, IAM/pod-identity).

  2. Wire kubectl to the new cluster:

    Terminal window
    aws eks update-kubeconfig --name aws-iac-dev --region ap-southeast-1
    kubectl get nodes

    Expected: Added new context ..., then a list of nodes in Ready state.

Step 3 — Publish images to your registry

Section titled “Step 3 — Publish images to your registry”

DataReadyAI provides the Nexa images; you host them in your registry. In the reference setup, GitHub Actions builds and pushes to the registry via OIDC (no static keys), producing tags like develop-<sha> in lower environments and semantic versions (v1.0.0) in production.

Terminal window
aws ecr get-login-password --region ap-southeast-1 \
| docker login --username AWS --password-stdin \
930816733209.dkr.ecr.ap-southeast-1.amazonaws.com
aws ecr describe-repositories --region ap-southeast-1 \
--query "repositories[].repositoryName" -o text

Expected: Login Succeeded, then repository names such as aws-iac-nexa-web, aws-iac-nexa-backend, aws-iac-nexa-databricks-api, aws-iac-nexa-agents-api.

Nexa reads its configuration from a shared secret in your cloud secret store, mounted into pods by the Secrets Store CSI driver and synced to a Kubernetes Secret. Populate it before deploying, or pods will crash-loop on missing config.

Required keys include: Postgres connection (PG_HOST, PG_PORT, PG_DATABASE, PG_USERNAME, PG_PASSWORD), warehouse connection (Databricks: DATABRICKS_HOST, DATABRICKS_CLIENT_ID, DATABRICKS_CLIENT_SECRET, DATABRICKS_WAREHOUSE_ID, DATABRICKS_CATALOG; Snowflake: the equivalent account/role/warehouse keys), auth secrets (NEXA_AUTH_JWT_SECRET, NEXA_SERVICE_AUTH_TOKEN), and GITHUB_TOKEN.

Terminal window
aws secretsmanager create-secret --name nexa-shared-secret-dev \
--secret-string file://nexa-shared-secret.dev.json \
--region ap-southeast-1

Expected: JSON with the secret ARN and Name: nexa-shared-secret-dev.

Install Envoy Gateway (ingress), cert-manager (TLS), and ArgoCD (GitOps) from the manifest repository.

  1. Install Envoy Gateway and cert-manager, then apply the DNS-01 ClusterIssuer:

    Terminal window
    kubectl apply -f infrastructure/envoy-gateway/core/
    kubectl apply -f infrastructure/cert-manager/cluster-issuer-dns01.yaml
    kubectl -n envoy-gateway-system get pods
    kubectl -n cert-manager get clusterissuer

    Expected: Envoy Gateway pods Running; the letsencrypt-prod-dns01 ClusterIssuer shows READY: True.

  2. Install ArgoCD and register the app-of-apps (GitOps root):

    Terminal window
    kubectl create namespace argocd
    kubectl apply -n argocd -f argocd/bootstrap/app-of-apps.yaml
    kubectl -n argocd get applications

    Expected: ArgoCD Application objects listed for each Nexa service.

ArgoCD syncs the Kustomize overlay for your environment. You can let it auto-sync or trigger it explicitly.

Terminal window
argocd app sync -l app.kubernetes.io/part-of=nexa
# or, without the ArgoCD CLI:
kubectl apply -k overlays/dev
kubectl get pods -A -l app.kubernetes.io/part-of=nexa

Expected: each Nexa Deployment reaches Running with ready replicas (for example dev-nexa-web, dev-nexa-backend, the warehouse API for your platform, dev-nexa-agents-api, dev-nexa-orchestration-service).

  1. Confirm pods and certificates:

    Terminal window
    kubectl get pods -A -l app.kubernetes.io/part-of=nexa
    kubectl get certificate -A

    Expected: all pods Running/Ready; the gateway certificate (e.g. nexa-gateway-tls-dev) shows READY: True.

  2. Hit a service health endpoint through the gateway:

    Terminal window
    curl -si https://dev.nexa-drai.com/health-check | head -n 1

    Expected: HTTP/2 200. (The warehouse API health path is /health; nexa-agents-api uses /api/v1/health.)

  3. Confirm DNS resolves to your load balancer:

    Terminal window
    dig +short dev.nexa-drai.com

    Expected: the load balancer’s address (an NLB hostname on AWS, a public IP on Azure).

  1. Open the UI at your Nexa hostname (e.g. https://dev.nexa-drai.com/) and sign in.
  2. Confirm the warehouse connection is live by creating a data source and browsing the catalog — see Adding a data source.
  3. Confirm GitHub integration by checking that generated pipeline code can be committed — see GitHub integration.

If any check fails, see the operations guide and configuration reference. Once healthy, hand off day-2 operations to your platform team.