Installing DevOps Loop on Kubernetes Service (K8S)
You can find information about the tasks that you can perform to install IBM® DevOps Loop on Kubernetes Service (K8S). You can use the Helm chart to perform the installation.
- Read and understood System Requirements for DevOps Loop 2025.06 (1.0.2).
- Installed the Kubernetes CLI tool, Kubectl.
- Installed Helm on the system from which you access the Kubernetes cluster. For more information, refer to Installing Helm.
- Set up a Kubernetes cluster. For more information, refer to Kubernetes Documentation.
- Read and understood administering a cluster and managing TLS certificates in a cluster. For more information, refer to Administer a Cluster and Manage TLS Certificates in a Cluster.
- Set up the cert-manager in your Kubernetes cluster. For more information, refer to Kubernetes documentation.
Installing on a K8S cluster that has load balancer resources available
- Ensured your cluster supports L4 load balancer resources.
- Ensured that an external fully qualified domain name with a certificate signed by a well-known CA or an intermediary is available.
- Associate the kubectl context with your cluster by using the following commands:
    kubectl config set-context <context_name> --namespace=<namespace-name> --cluster=<cluster-name> --user=<user-name>
    kubectl config use-context <context-name>
- Obtain the certificate and key for the domain that you use for DevOps Loop.
- Make the certificate and key available as a Kubernetes secret in the Kubernetes namespace that you use for DevOps Loop.
  You should use the cert-manager or any standard mechanism to manage the life cycle of the certificate. You must also note down the name of the secret that contains the TLS certificate and key.
- Perform the following steps to install Emissary-ingress in your cluster:
  - Run the following commands to set the Ambassador Edge Stack Helm chart:
      helm repo add datawire https://app.getambassador.io
      helm repo update
  - Run the following commands to create a namespace and install the Ambassador Edge stack:
      kubectl create namespace emissary && \
      kubectl apply -f https://app.getambassador.io/yaml/emissary/3.9.1/emissary-crds.yaml
      kubectl wait --timeout=90s --for=condition=available deployment emissary-apiext -n emissary-system
  - Perform the following step to create emissary-ports.yaml:
      cat <<EOF > emissary-ports.yaml
      service:
        ports:
        - name: https
          port: 443
          targetPort: 8443
          #nodePort: <optional>
        - name: http
          port: 80
          targetPort: 8080
          #nodePort: <optional>
        - name: deploy-wss
          port: 7919
          targetPort: 7919
          #nodePort: <optional>
        - name: build-wss
          port: 7920
          targetPort: 7920
          #nodePort: <optional>
        - name: control-ssh
          port: 9022
          targetPort: 9022
          #nodePort: <optional>
      EOF
  - Install Emissary-ingress:
      helm install emissary-ingress --namespace emissary datawire/emissary-ingress -f emissary-ports.yaml && \
      kubectl -n emissary wait --for condition=available --timeout=90s deploy -lapp.kubernetes.io/instance=emissary-ingress
- Open the ports in your firewall to the external ports and the node ports configured in the previous step.
  You can run the following command to determine the node ports if they are configured automatically:
    kubectl get svc emissary-ingress --namespace emissary -o jsonpath='{range .spec.ports[*]}{.name}: {.nodePort}{"\n"}{end}'
- Perform the following steps to access the IBM Entitled Registry:
  - Get a key to the IBM Entitled Registry.
  - Log in to My IBM Container Software Library with the IBM ID and password that are associated with the entitled software.
  - Select the Copy key option to copy the entitlement key in the Entitlement keys section to the clipboard.
  - Create a secret in the target namespace with the secret name ibm-entitlement-key to pull images from the IBM Entitled Registry:
      kubectl create secret docker-registry ibm-entitlement-key \
        --namespace [namespace_name] \
        --docker-username=cp \
        --docker-password=<EntitlementKey> \
        --docker-server=cp.icr.io
    Note: Secrets are namespace-specific and they are required to install DevOps Plan.
- Run the following command to view the README.md file:
    helm show readme ibm-helm/ibm-devops-loop
- Update the following parameters and the other required parameters in the script in the Helm README with the correct values:
  - DOMAIN
  - TLS_CERT_SECRET_NAME
  - RWO_STORAGE_CLASS=ibmc-block-gold
  - RWX_STORAGE_CLASS=ibmc-file-gold-gid
  For DOMAIN and TLS_CERT_SECRET_NAME, you must provide the values noted down in the previous steps.
- Run the script in the Helm README for K8 installation.
- Perform the following steps to enable non-HTTP and additional special services:
  - Configure the DNS to route traffic from a second FQDN that is service-<DOMAIN> to the L4 load balancer that you created as a prerequisite.
    The DOMAIN value is the same as the value used in the helm chart.
  - Configure your L4 load balancer to forward the ports configured in 4.c and determined in 5 to your cluster.
Installing on a K8S cluster with an upstream L7 load balancer
- Ensured that the external L7 load balancer and cluster support for L4 load balancer resources are available.
- Ensured that an external fully qualified domain name with a certificate signed by a well-known CA or an intermediary is available.
- Perform the following steps to install Emissary-ingress in your cluster:
  - Run the following commands to set the Ambassador Edge Stack Helm chart:
      helm repo add datawire https://app.getambassador.io
      helm repo update
  - Run the following commands to create a namespace and install the Ambassador Edge stack:
      kubectl create namespace emissary && \
      kubectl apply -f https://app.getambassador.io/yaml/emissary/3.9.1/emissary-crds.yaml
      kubectl wait --timeout=90s --for=condition=available deployment emissary-apiext -n emissary-system
  - Perform the following step to create emissary-ports.yaml:
      cat <<EOF > emissary-ports.yaml
      service:
        type: LoadBalancer #Set to NodePort when using an external L4 load balancer
        ports:
        - name: http
          port: 80
          targetPort: 8080
          #nodePort: <optional>
        - name: deploy-wss
          port: 7919
          targetPort: 7919
          #nodePort: <optional>
        - name: control-ssh
          port: 9022
          targetPort: 9022
          #nodePort: <optional>
      EOF
  - If the support for load balancer resources is not available in your cluster, edit the emissary-ports.yaml to change the type to NodePort.
    An external L4 load balancer is required in this installation scenario.
  - Install Emissary-ingress:
      helm install emissary-ingress --namespace emissary datawire/emissary-ingress -f emissary-ports.yaml && \
      kubectl -n emissary wait --for condition=available --timeout=90s deploy -lapp.kubernetes.io/instance=emissary-ingress
- Open the ports in your firewall to the node ports configured in the previous step.
  You can run the following to determine the node ports if they are configured automatically:
    kubectl get svc emissary-ingress --namespace emissary -o jsonpath='{range .spec.ports[*]}{.name}: {.nodePort}{"\n"}{end}'
- Perform the following steps to access the IBM Entitled Registry:
  - Get a key to the IBM Entitled Registry.
  - Log in to My IBM Container Software Library with the IBM ID and password that are associated with the entitled software.
  - Select the Copy key option to copy the entitlement key in the Entitlement keys section to the clipboard.
  - Create a secret in the target namespace with the secret name ibm-entitlement-key to pull images from the IBM Entitled Registry:
      kubectl create secret docker-registry ibm-entitlement-key \
        --namespace [namespace_name] \
        --docker-username=cp \
        --docker-password=<EntitlementKey> \
        --docker-server=cp.icr.io
    Note: Secrets are namespace-specific and they are required to install DevOps Plan.
- Run the following command to view the README.md file:
    helm show readme ibm-helm/ibm-devops-loop
- Update the following parameters and the other required parameters in the script in the Helm README with the correct values:
  - DOMAIN
  - RWO_STORAGE_CLASS=ibmc-block-gold
  - RWX_STORAGE_CLASS=ibmc-file-gold-gid
  For DOMAIN, you must provide the values noted down in the previous steps.
- Add the following parameter to the ADDITIONAL_HELM_OPTIONS section:
    --set platform.emissary.l7Depth=<number_of_hops_to_load_balancer>
  By default the value is set to 0, which indicates that there is no upstream load balancer. You must set the value to 1 for a single hop to a direct upstream load balancer.
- Run the script in the Helm README for K8 installation.
- Perform the following steps to enable non-HTTP and additional special services:
  - If the load balancer resources are available in your cluster, then run the following command to determine the IP of the L4 load balancer:
      kubectl get svc --namespace emissary emissary-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
    If the load balancer resources are not available, then configure an external L4 load balancer to open the non-http/https ports in the emissary-ingress.yaml to direct traffic to your cluster.
  - Configure the DNS to route traffic from a second FQDN that is service-<DOMAIN> to the L4 load balancer that you created as a prerequisite.
    A certificate is not required for this domain. The DOMAIN value is the same as the value used in the helm chart.
Installing on a K8S cluster that has an upstream L7 load balancer and expects data to be re-encrypted
- Ensured that the external L7 load balancer, and cluster support for L4 load balancer resources or an external L4 load balancer are available.
- Ensured that an external fully qualified domain name with a certificate signed by a well-known CA or a self-signed certificate is available as required.
- Obtain a certificate and key that covers all the nodes in your cluster through a Subject Alternative Name (SAN).
- Configure your L7 load balancer to trust the certificate for the nodes in your cluster.
  Note: A health check endpoint is available at /automation/healthz for your load balancer to reference for health checks.
- Make the certificate and key available as a Kubernetes secret in the Kubernetes namespace that you use for DevOps Loop.
  You must use the cert-manager or any standard mechanism to manage the life cycle of the certificate. You must also note down the name of the secret that contains the TLS certificate and key.
- Perform the following steps to install Emissary-ingress in your cluster:
  - Run the following commands to set the Ambassador Edge Stack Helm chart:
      helm repo add datawire https://app.getambassador.io
      helm repo update
  - Run the following commands to create a namespace and install the Ambassador Edge stack:
      kubectl create namespace emissary && \
      kubectl apply -f https://app.getambassador.io/yaml/emissary/3.9.1/emissary-crds.yaml
      kubectl wait --timeout=90s --for=condition=available deployment emissary-apiext -n emissary-system
  - Perform the following step to create emissary-ports.yaml:
      cat <<EOF > emissary-ports.yaml
      service:
        type: LoadBalancer # NodePort if no LoadBalancer resources are available in your cluster
        ports:
        - name: https
          port: 443
          targetPort: 8443
          #nodePort: <optional unused if type Nodeport>
        - name: http
          port: 80
          targetPort: 8080
          #nodePort: <optional unused if type Nodeport>
        - name: deploy-wss
          port: 7919
          targetPort: 7919
          #nodePort: <optional unused if type Nodeport>
        - name: control-ssh
          port: 9022
          targetPort: 9022
          #nodePort: <optional unused if type Nodeport>
      EOF
  - If no load balancer resources are available in your cluster, edit the emissary-ports.yaml to change the type to NodePort.
    An external L4 load balancer is required in this installation scenario.
  - Install Emissary-ingress:
      helm install emissary-ingress --namespace emissary datawire/emissary-ingress -f emissary-ports.yaml && \
      kubectl -n emissary wait --for condition=available --timeout=90s deploy -lapp.kubernetes.io/instance=emissary-ingress
- Open the ports in your firewall to the node ports configured in the previous step.
  You can run the following to determine the node ports if they are configured automatically:
    kubectl get svc emissary-ingress --namespace emissary -o jsonpath='{range .spec.ports[*]}{.name}: {.nodePort}{"\n"}{end}'
- Perform the following steps to access the IBM Entitled Registry:
  - Get a key to the IBM Entitled Registry.
  - Log in to My IBM Container Software Library with the IBM ID and password that are associated with the entitled software.
  - Select the Copy key option to copy the entitlement key in the Entitlement keys section to the clipboard.
  - Create a secret in the target namespace with the secret name ibm-entitlement-key to pull images from the IBM Entitled Registry:
      kubectl create secret docker-registry ibm-entitlement-key \
        --namespace [namespace_name] \
        --docker-username=cp \
        --docker-password=<EntitlementKey> \
        --docker-server=cp.icr.io
    Note: Secrets are namespace-specific and they are required to install DevOps Plan.
- Run the following command to view the README.md file:
    helm show readme ibm-helm/ibm-devops-loop
- Update the following parameters and the other required parameters in the script in the Helm README with the correct values:
  - DOMAIN
  - TLS_CERT_SECRET_NAME
  - RWO_STORAGE_CLASS=ibmc-block-gold
  - RWX_STORAGE_CLASS=ibmc-file-gold-gid
  For DOMAIN and TLS_CERT_SECRET_NAME, you must provide the values noted down in the previous steps.
- Run the script in the Helm README for K8 installation.
- Perform the following steps to enable non-HTTP and additional special services:
  - If the load balancer resources are available in your cluster, then run the following command to determine the IP of the L4 load balancer installed as part of DevOps Loop:
      kubectl get svc --namespace emissary emissary-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
    If the load balancer resources are not available, then configure an external L4 load balancer to open the non-http/https ports in emissary-ingress.yaml to direct traffic to your cluster.
  - Configure the DNS to route traffic from a second FQDN that is service-<DOMAIN> to the L4 load balancer that you created as a prerequisite.
    A certificate is not required for this domain. The DOMAIN value is the same as the value used in the helm chart.
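
The entitlement-key step in each of the three procedures above passes the key with --docker-password, which leaves it in shell history and in the process list while kubectl runs. The following added example (not part of the IBM documentation or the Helm README) reads the key from the terminal and applies an equivalent kubernetes.io/dockerconfigjson secret from standard input; the function names and the --apply switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: create the ibm-entitlement-key pull secret without placing
# the entitlement key on a command line. Function names are hypothetical.
REGISTRY=cp.icr.io                 # registry, user and secret name are the
REG_USER=cp                        # values used in the kubectl command on
SECRET_NAME=ibm-entitlement-key    # this page

# base64 without line wrapping; a long key would otherwise be split by newlines.
b64() { base64 | tr -d '\n'; }

# registry_auth KEY -> base64("cp:KEY"). Rejects an empty key and keys that
# contain whitespace, quotes or backslashes (typically a bad paste).
registry_auth() (
  key=$1
  clean=$(printf '%s' "$key" | tr -d '[:space:]"\\')
  if [ -z "$key" ] || [ "$clean" != "$key" ]; then
    echo "entitlement key is empty or malformed" >&2
    exit 1
  fi
  printf '%s:%s' "$REG_USER" "$key" | b64
)

# render_pull_secret NAMESPACE KEY -> Secret manifest on stdout.
render_pull_secret() (
  ns=$1
  auth=$(registry_auth "$2") || exit 1
  cfg=$(printf '{"auths":{"%s":{"auth":"%s"}}}' "$REGISTRY" "$auth" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
)

# Usage: sh pull-secret.sh --apply <namespace>
# The key is read from the terminal with echo off, so it reaches kubectl only
# through the pipe, never through argv or shell history.
if [ "${1:-}" = "--apply" ]; then
  printf 'Entitlement key: ' >&2
  stty -echo; IFS= read -r KEY; stty echo; echo >&2
  render_pull_secret "${2:?namespace required}" "$KEY" | kubectl apply -f -
fi
```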