Installation Guide
This guide takes you from an empty cloud account to a healthy Nexa deployment. It provisions infrastructure with the supplied Terraform/Terragrunt, publishes images to your registry, loads secrets, deploys the services with ArgoCD + Kustomize, and validates the result. Complete the prerequisites first — this guide assumes the checklist is done.
Step 1 — Confirm prerequisites
Section titled “Step 1 — Confirm prerequisites”-
Verify your local tooling resolves:
Terminal window terraform version && kubectl version --client && helm versionExpected: Terraform ≥ 1.5, a kubectl client on 1.34, and Helm 3.x — no errors.
-
Authenticate to your cloud and confirm the target account/subscription:
Terminal window aws sts get-caller-identityExpected: JSON showing your account ID (e.g.
"Account": "930816733209") and role ARN.Terminal window az account show --query "{sub:id, tenant:tenantId, name:name}" -o tableExpected: a row with your subscription ID and tenant — the intended target.
Step 2 — Provision infrastructure with IaC
Section titled “Step 2 — Provision infrastructure with IaC”Clone the IaC repository for your cloud, then apply per environment with Terragrunt. This creates the cluster, registry, DNS, managed Postgres, networking, and identities.
-
Initialize the state backend (first time only), then apply:
Terminal window cd aws-iacterragrunt run-all plan --terragrunt-working-dir . -- -var-file=environments/dev.tfvarsterragrunt run-all apply --terragrunt-working-dir . -- -var-file=environments/dev.tfvarsExpected: a plan summary, then
Apply complete!per module (network, eks, ecr, rds, route53, IAM/pod-identity). -
Wire
kubectlto the new cluster:Terminal window aws eks update-kubeconfig --name aws-iac-dev --region ap-southeast-1kubectl get nodesExpected:
Added new context ..., then a list of nodes inReadystate.
-
Apply the numbered stacks in order (00-bootstrap first for state, then 02→09):
Terminal window cd nexa-azure-app-iac# bootstrap state storage (run once, plain terraform)terraform -chdir=stacks/00-bootstrap init && terraform -chdir=stacks/00-bootstrap apply# remaining stacks via terragruntterragrunt run-all apply --terragrunt-working-dir . -- -var-file=environments/dev.tfvarsExpected:
Apply complete!per stack (identity, network, acr, aks, data, databricks, observability, dns, workload-identities). -
Wire
kubectlto the new cluster:Terminal window az aks get-credentials --resource-group rg-nexa-dev --name nexa-dev-akskubectl get nodesExpected:
Merged ... as current context, then nodes inReadystate.
Step 3 — Publish images to your registry
Section titled “Step 3 — Publish images to your registry”DataReadyAI provides the Nexa images; you host them in your registry. In the reference setup, GitHub Actions builds and pushes to the registry via OIDC (no static keys), producing tags like develop-<sha> in lower environments and semantic versions (v1.0.0) in production.
aws ecr get-login-password --region ap-southeast-1 \ | docker login --username AWS --password-stdin \ 930816733209.dkr.ecr.ap-southeast-1.amazonaws.comaws ecr describe-repositories --region ap-southeast-1 \ --query "repositories[].repositoryName" -o textExpected: Login Succeeded, then repository names such as aws-iac-nexa-web, aws-iac-nexa-backend, aws-iac-nexa-databricks-api, aws-iac-nexa-agents-api.
az acr login --name acrnexadev001az acr repository list --name acrnexadev001 -o tableExpected: Login Succeeded, then the Nexa repositories (nexa-web, nexa-backend, warehouse API, nexa-agents-api, …).
Step 4 — Load secrets
Section titled “Step 4 — Load secrets”Nexa reads its configuration from a shared secret in your cloud secret store, mounted into pods by the Secrets Store CSI driver and synced to a Kubernetes Secret. Populate it before deploying, or pods will crash-loop on missing config.
Required keys include: Postgres connection (PG_HOST, PG_PORT, PG_DATABASE, PG_USERNAME, PG_PASSWORD), warehouse connection (Databricks: DATABRICKS_HOST, DATABRICKS_CLIENT_ID, DATABRICKS_CLIENT_SECRET, DATABRICKS_WAREHOUSE_ID, DATABRICKS_CATALOG; Snowflake: the equivalent account/role/warehouse keys), auth secrets (NEXA_AUTH_JWT_SECRET, NEXA_SERVICE_AUTH_TOKEN), and GITHUB_TOKEN.
aws secretsmanager create-secret --name nexa-shared-secret-dev \ --secret-string file://nexa-shared-secret.dev.json \ --region ap-southeast-1Expected: JSON with the secret ARN and Name: nexa-shared-secret-dev.
az keyvault secret set --vault-name kv-nexa-dev \ --name nexa-shared-secret-dev \ --file nexa-shared-secret.dev.jsonExpected: JSON describing the created secret version.
Step 5 — Install platform components
Section titled “Step 5 — Install platform components”Install Envoy Gateway (ingress), cert-manager (TLS), and ArgoCD (GitOps) from the manifest repository.
-
Install Envoy Gateway and cert-manager, then apply the DNS-01 ClusterIssuer:
Terminal window kubectl apply -f infrastructure/envoy-gateway/core/kubectl apply -f infrastructure/cert-manager/cluster-issuer-dns01.yamlkubectl -n envoy-gateway-system get podskubectl -n cert-manager get clusterissuerExpected: Envoy Gateway pods
Running; theletsencrypt-prod-dns01ClusterIssuer showsREADY: True. -
Install ArgoCD and register the app-of-apps (GitOps root):
Terminal window kubectl create namespace argocdkubectl apply -n argocd -f argocd/bootstrap/app-of-apps.yamlkubectl -n argocd get applicationsExpected: ArgoCD
Applicationobjects listed for each Nexa service.
Step 6 — Deploy Nexa services
Section titled “Step 6 — Deploy Nexa services”ArgoCD syncs the Kustomize overlay for your environment. You can let it auto-sync or trigger it explicitly.
argocd app sync -l app.kubernetes.io/part-of=nexa# or, without the ArgoCD CLI:kubectl apply -k overlays/devkubectl get pods -A -l app.kubernetes.io/part-of=nexaExpected: each Nexa Deployment reaches Running with ready replicas (for example dev-nexa-web, dev-nexa-backend, the warehouse API for your platform, dev-nexa-agents-api, dev-nexa-orchestration-service).
Step 7 — Validate health
Section titled “Step 7 — Validate health”-
Confirm pods and certificates:
Terminal window kubectl get pods -A -l app.kubernetes.io/part-of=nexakubectl get certificate -AExpected: all pods
Running/Ready; the gateway certificate (e.g.nexa-gateway-tls-dev) showsREADY: True. -
Hit a service health endpoint through the gateway:
Terminal window curl -si https://dev.nexa-drai.com/health-check | head -n 1Expected:
HTTP/2 200. (The warehouse API health path is/health;nexa-agents-apiuses/api/v1/health.) -
Confirm DNS resolves to your load balancer:
Terminal window dig +short dev.nexa-drai.comExpected: the load balancer’s address (an NLB hostname on AWS, a public IP on Azure).
Step 8 — First-use smoke test
Section titled “Step 8 — First-use smoke test”- Open the UI at your Nexa hostname (e.g.
https://dev.nexa-drai.com/) and sign in. - Confirm the warehouse connection is live by creating a data source and browsing the catalog — see Adding a data source.
- Confirm GitHub integration by checking that generated pipeline code can be committed — see GitHub integration.
If any check fails, see the operations guide and configuration reference. Once healthy, hand off day-2 operations to your platform team.