Preparing AWS infrastructure for installing DevOps Loop on AWS

You must set up the required AWS infrastructure, including Amazon Elastic Kubernetes Service (EKS), storage, and load balancers, before installing DevOps Loop.

Prerequisites

Ensure that the following tasks are completed:
  • Installed the following AWS tools on the deployment machine:
    • AWS CLI
    • kubectl
    • Helm v3.10 or later
    • eksctl
  • Verified cluster access by running the following command:
    kubectl get nodes
  • Created a VPC with public and private subnets in at least 2 availability zones. Recommended CIDR, for example, VPC CIDR: 10.x.x.x/22
    Subnet usage:
    • Public subnets: Used for Application Load Balancer (ALB)
    • Private subnets: Used for worker nodes
    • Private subnets: Used for EFS mount targets
  • Tagged the subnets correctly for Kubernetes and AWS Load Balancer Controller by using the following values:
    • Public subnets
      kubernetes.io/cluster/<cluster-name> = shared
      kubernetes.io/role/elb = 1
    • Private subnets
      kubernetes.io/cluster/<cluster-name> = shared
      kubernetes.io/role/internal-elb = 1
      Note: These tags allow the AWS Load Balancer Controller to automatically discover the correct subnets when creating Application Load Balancers (ALB) and Network Load Balancers (NLB). Without these tags, the load balancer provisioning fails.

About this task

Set up the Amazon EKS cluster

  1. Create an Amazon EKS cluster with the following recommended configuration:
    • Node capacity: 8 vCPU, 32 GB memory
    • Multiple worker nodes for high availability

  2. Create an IAM role for worker nodes and attach the following AWS managed policies:
    • AmazonEKSWorkerNodePolicy
    • AmazonEC2ContainerRegistryReadOnly
    • AmazonEKS_CNI_Policy
  3. Create a security group to allow traffic within the VPC for communication between:
    • Load balancers
    • Worker nodes
    • Internal Kubernetes services
    • Storage (EFS, EBS)
    Note: Ensure that you deploy worker nodes in private subnets, and use public subnets only for internet-facing load balancers.
  4. Enable IAM Roles for Service Accounts (IRSA) by associating an OpenID Connect (OIDC) provider with the cluster. Run the following command:
    eksctl utils associate-iam-oidc-provider \
      --cluster <cluster-name> \
      --approve
    Note: IRSA is required for components such as the EFS CSI Driver, EBS CSI Driver, and AWS Load Balancer Controller.

Configure storage (EBS and EFS)

  1. Perform the following steps to install the Amazon EBS CSI Driver (RWO Storage):
    1. Create an IAM role for EBS CSI Driver:
      • Attach the AWS managed policy: AmazonEBSCSIDriverPolicy.
      • Trust Relationship: The role must trust the EKS OIDC provider and allow the service account: kube-system:ebs-csi-controller-sa.
    2. Enable the EBS CSI Driver Add-on.
      During installation, select the IAM role created in the previous step and enable the add-on. This action installs the CSI controller in the kube-system namespace.
    3. Verify the installation by running the following command:
      kubectl get pods -n kube-system | grep ebs
    4. Configure the default StorageClass:
      The cluster uses the gp3 storage class backed by Amazon EBS.
      apiVersion: storage.k8s.io/v1
      kind: StorageClass
      metadata:
        name: gp3
        annotations:
          storageclass.kubernetes.io/is-default-class: "true"
      provisioner: ebs.csi.aws.com
      parameters:
        type: gp3
        fsType: ext4
      reclaimPolicy: Delete
      volumeBindingMode: WaitForFirstConsumer
      allowVolumeExpansion: true

      This storage class is used for workloads requiring ReadWriteOnce (RWO) volumes.

  2. Perform the following steps to create an Amazon EFS for shared storage:
    1. Create an EFS filesystem by selecting the same VPC used by EKS.
    2. Configure mount targets in all Availability Zones used by worker nodes.
    3. Create one mount target per Availability Zone where nodes run: AZ-1 → mount target, AZ-2 → mount target, AZ-3 → mount target.
    4. Configure a security group: attach a security group to the EFS mount targets that allows worker nodes to mount the filesystem, with the following inbound rule:
      • Allow NFS access: Port 2049, Protocol TCP, Source: EKS node security group
  3. Perform the following steps to install the EFS CSI Driver (RWX storage):
    1. Create an IAM role for EFS CSI Driver (RWX storage)
      • Attach the AWS managed policy: AmazonEFSCSIDriverPolicy.
      • Trust Relationship: The role must trust the EKS OIDC provider and allow the Kubernetes service account: kube-system:efs-csi-controller-sa.
    2. Enable the EFS CSI Driver Add-on from the Amazon EFS CSI Driver console and select the IAM role created for the EFS CSI driver in the Add-on.
    3. Verify the installation by running the following command:
      kubectl get pods -n kube-system | grep efs
    4. Create a StorageClass.
      Note: Reference the EFS filesystem ID in the EFS StorageClass to enable dynamic provisioning using the EFS CSI driver. For example:
      apiVersion: storage.k8s.io/v1
      kind: StorageClass
      metadata:
        name: efs-sc
      provisioner: efs.csi.aws.com
      parameters:
        provisioningMode: efs-ap
        fileSystemId: <EFS-FILESYSTEM-ID>
        directoryPerms: "700"
      reclaimPolicy: Delete
      volumeBindingMode: Immediate
    5. Verify the storage classes by running the following command:
      kubectl get storageclass

      Expected output: both gp3 and efs-sc are listed.

    6. Confirm the CSI driver pods by running the following command:
      kubectl get pods -n kube-system | grep csi

Install the AWS Load Balancer Controller

Perform the following steps to install the AWS Load Balancer Controller:
  1. Create an IAM policy:
    AWSLoadBalancerControllerIAMPolicy
  2. Create an IAM role associated with the service account:
    kube-system:aws-load-balancer-controller
  3. Install the AWS Load Balancer Controller via Helm:
    helm repo add eks https://aws.github.io/eks-charts
    helm repo update
    helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
      -n kube-system \
      --set clusterName=<cluster-name> \
      --set serviceAccount.create=false \
      --set serviceAccount.name=aws-load-balancer-controller
This controller automatically provisions AWS load balancers based on Kubernetes resources.
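The trust relationship that the EBS CSI, EFS CSI and Load Balancer Controller steps above describe, as an added example rather than a script from this page or the DevOps Loop chart: a shell function that emits an IRSA trust policy scoped to one service account by both its `sub` and `aud` claims, and a helper that creates the role with it through the AWS CLI. The account ID, cluster name, role names and OIDC issuer below are placeholders.

```shell
# Added example: emit an IRSA trust policy that lets exactly one Kubernetes
# service account assume the role. The "sub" condition pins the
# namespace/service-account pair and the "aud" condition pins the audience,
# so a token issued to any other service account is refused.
irsa_trust_policy() {
  account_id=$1   # 12-digit AWS account ID (placeholder in the usage below)
  issuer=$2       # cluster OIDC issuer URL, with or without the https:// scheme
  namespace=$3    # for example kube-system
  sa_name=$4      # for example ebs-csi-controller-sa
  provider=${issuer#https://}   # IAM names the provider without the scheme
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::${account_id}:oidc-provider/${provider}" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${provider}:aud": "sts.amazonaws.com",
          "${provider}:sub": "system:serviceaccount:${namespace}:${sa_name}"
        }
      }
    }
  ]
}
EOF
}

# Create the role with that trust policy and attach one managed policy.
# Needs an authenticated AWS CLI; nothing runs until you call it.
create_irsa_role() {
  cluster=$1; role_name=$2; policy_arn=$3; namespace=$4; sa_name=$5
  account_id=$(aws sts get-caller-identity --query Account --output text)
  issuer=$(aws eks describe-cluster --name "$cluster" \
    --query "cluster.identity.oidc.issuer" --output text)
  trust_file=$(mktemp)
  irsa_trust_policy "$account_id" "$issuer" "$namespace" "$sa_name" > "$trust_file"
  aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document "file://$trust_file"
  aws iam attach-role-policy --role-name "$role_name" --policy-arn "$policy_arn"
  rm -f "$trust_file"
}

# Usage with placeholder names, one call per service account from the steps above:
# create_irsa_role my-cluster LoopEbsCsiRole \
#   arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy kube-system ebs-csi-controller-sa
```

For the EFS CSI driver pass `arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy` with `efs-csi-controller-sa`, and for the Load Balancer Controller pass the ARN of the customer-managed AWSLoadBalancerControllerIAMPolicy from step 1 with `aws-load-balancer-controller`.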

Configure DNS and TLS

  1. Create domains by using AWS services
    Note: Use Amazon Route 53 and AWS Certificate Manager (ACM) to configure domains.
  2. Create and configure the following hosted zones in Route 53:
    • A public hosted zone (for example, looptest.xxxx.com)
    This hosted zone is used as the application domain and enables routing through the Application Load Balancer (ALB).
    • A private hosted zone (for example, service-looptest.xxxx.com)
    This hosted zone is used to route traffic to the Network Load Balancer (NLB) for the Loop application.
    Note: Ensure that the domain name includes the service- prefix. Make a note of the domain names, as they are required during DevOps Loop installation.
  3. Request a certificate using AWS Certificate Manager (ACM) for the public domain (for example: looptest.xxxx.com).

    After creating the certificate, make a note of the Certificate ARN, as it is required for configuring the Application Load Balancer (ALB).

Configure ingress and load balancing

  1. Run the following command to download and run the AWS infrastructure setup script:
    (TMP_DIR=$(mktemp -d) && \
    helm pull ibm-helm/ibm-devops-loop --untar --untardir "$TMP_DIR" --version 2.0.200 > /dev/null 2>&1 && \
    sh "$TMP_DIR/ibm-devops-loop/scripts/AWS/AWS_Emissary_LB_TLS_infra_setup.sh" && \
    rm -rf "$TMP_DIR")
    Note: This command downloads the DevOps Loop Helm chart, extracts it to a temporary directory, runs the infrastructure setup script, and removes the temporary files after execution.
  2. Verify the actions performed by the script.
    The AWS_Emissary_LB_TLS_infra_setup.sh script performs the following actions:
    • Creates the Emissary namespace
    • Installs Emissary Ingress using Helm
    • Creates an Application Load Balancer (ALB) for HTTPS traffic
    • Creates an internal Network Load Balancer (NLB) with access restricted to the VPC CIDR range for TCP services
    • Configures the required Kubernetes Ingress resources and Services
    After running the script, AWS might take 5 - 15 minutes to provision the ALB and NLB. You can verify the creation of ingress resources and services by running the following commands:
    kubectl get ingress -n emissary-system
    kubectl get svc -n emissary-system

Configure DNS records

  1. Obtain the DNS names of the Application Load Balancer (ALB) and Network Load Balancer (NLB) after running the infrastructure script.
  2. Create A records in Amazon Route 53 to map your domains:
    • Map the application domain (for example: looptest.xxxx.com) to the ALB DNS name.
    • Map the service domain (for example: service-looptest.xxxx.com) to the NLB DNS name.
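The record creation in the two steps above, as an added example that is not part of this page or the setup script: a shell function that builds the Route 53 change batch for an alias A record pointing a domain at a load balancer, and a helper that looks up the load balancer's canonical hosted zone ID by its DNS name (alias targets need that ID as well as the DNS name) and applies the record. Hosted zone IDs, domain names and load balancer DNS names below are placeholders.

```shell
# Added example: build the Route 53 change batch for an alias A record that
# points a domain at an ALB or NLB. Alias records reference the load
# balancer's own hosted zone ID in addition to its DNS name.
route53_alias_batch() {
  record_name=$1   # for example looptest.xxxx.com
  lb_dns=$2        # ALB or NLB DNS name reported by the setup script
  lb_zone_id=$3    # canonical hosted zone ID of that load balancer
  cat <<EOF
{
  "Comment": "alias ${record_name} -> ${lb_dns}",
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "${record_name}",
        "Type": "A",
        "AliasTarget": {
          "HostedZoneId": "${lb_zone_id}",
          "DNSName": "${lb_dns}",
          "EvaluateTargetHealth": false
        }
      }
    }
  ]
}
EOF
}

# Resolve the load balancer's canonical hosted zone ID from its DNS name and
# apply the record to the given Route 53 hosted zone. Needs an authenticated
# AWS CLI; nothing runs until you call it.
upsert_lb_alias() {
  hosted_zone_id=$1; record_name=$2; lb_dns=$3
  lb_zone_id=$(aws elbv2 describe-load-balancers \
    --query "LoadBalancers[?DNSName=='${lb_dns}'].CanonicalHostedZoneId" --output text)
  [ -n "$lb_zone_id" ] || { echo "no load balancer with DNS name ${lb_dns}" >&2; return 1; }
  batch_file=$(mktemp)
  route53_alias_batch "$record_name" "$lb_dns" "$lb_zone_id" > "$batch_file"
  aws route53 change-resource-record-sets --hosted-zone-id "$hosted_zone_id" \
    --change-batch "file://$batch_file"
  rm -f "$batch_file"
}

# Usage with placeholders: public zone -> ALB, private zone -> NLB.
# upsert_lb_alias ZPUBLICZONEID looptest.xxxx.com <alb-dns-name>
# upsert_lb_alias ZPRIVATEZONEID service-looptest.xxxx.com <nlb-dns-name>
```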
After completing these steps, the required AWS infrastructure is ready, including the EKS cluster, storage, load balancers, and DNS configuration.
You must now install DevOps Loop. See Installing DevOps Loop on AWS.