Setup in Amazon Kubernetes Services (EKS)
This guide walks through deploying Capacity Private Cloud on Amazon Elastic Kubernetes Service (EKS). It covers EKS cluster creation, node group configuration, persistent storage with EFS, AWS CLI and kubectl setup, service mesh installation, ingress configuration, TLS setup, and Helm chart deployment. The instructions are intended for administrators provisioning a production or test environment in AWS and assume familiarity with the AWS Management Console and basic Kubernetes concepts.
Create EKS Cluster
Begin by creating a new EKS cluster in the AWS Management Console. Provide a cluster name and configure networking options (for example, whether the cluster will be publicly accessible). Kubernetes version 1.35 is currently recommended; refer to the lumenvox/helm-charts GitHub repository for the latest minimum version requirements.
On the first screen, select Custom configuration and work through each section below.
Cluster configuration
- Select Use EKS Auto Mode.
- Provide a name for the cluster.
- Select myAmazonEKSClusterRole from the cluster service role dropdown.
- Set the Upgrade policy according to your organization's policies.
Kubernetes version settings
Version 1.35 is the current recommended version.
Control plane scaling tier
Select this option based on your organization's policies.
Cluster access
- Select the default option:
  - Allow cluster administrator access
  - EKS API
Envelope encryption
Select the default option.
ARC zonal shift
Select the default option.
Deletion protection
This must be turned off if you want to be able to delete the cluster later.
Tags
Optionally create tags to help manage your Amazon EKS clusters.
Click Next to continue.
EKS Cluster Networking
Specify the VPC, select the subnets, and add the relevant security groups. The default VPC security group is suitable for most deployments. If a VPC does not already exist, create one before proceeding.
Cluster endpoint access
Select Public and private.
Configure observability
Select the logging and monitoring options according to your organization's policies.
Networking Add-ons
Review and accept the recommended networking add-on settings. These provide the core networking capabilities required by the cluster:
- Kube-proxy
- CoreDNS
- Amazon VPC CNI
- Node monitoring agent
- Metrics Server
Review and create
Review the cluster configuration and make any edits if necessary, then create the cluster.
Creating the cluster can take a few minutes to complete. You will be able to add a node group once the cluster is active.
Configure Node Group
The default values shown in the console are a reasonable starting point but should be adjusted to meet your specific requirements. Select Add node group.
Set compute and scaling configuration
The default values below are recommended but should be changed to suit your organization's requirements. Select the operating system that best suits your operational needs. The recommended instance type is m6a.2xlarge. Scaling parameters can be adjusted based on your expected call volumes and workload requirements.
Review and create the node group
Review the node group configuration and create it.
Creating the node group can take several minutes to complete.
Create EFS Instance
Amazon Elastic File System (EFS) is required as the persistent storage device for the platform. Configure the EFS instance according to your storage and performance requirements.
Configure EFS Network Access
Ensure you select the same VPC as the EKS cluster. Add both the default security group and the eks-cluster-sg-* security group that was automatically created by the cluster.
After creating the EFS instance:
- Click Access points, then Create access point.
- Accept the defaults and click Create.
- Click Attach to associate the access point with the file system.
Create IAM Access Keys
Before installing kubectl, you need AWS access keys to authenticate CLI operations.
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Users.
- Choose the name of the user whose access keys you want to create, then choose the Security credentials tab.
- In the Access keys section, choose Create access key.
- Choose Show to view the new key pair. Your credentials will look similar to the following:
```
Access key ID: AKIAIOSFODNN7EXAMPLE
Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```
Choose Download .csv file to save the keys, and store them in a secure location.
Important: You will not be able to view the secret access key again after closing this dialog. Keep the keys confidential, never share them via email, and do not share them outside your organization.
Install AWS CLI
Install the AWS CLI by following the official guide: AWS CLI installation instructions.
Verify the installation and your current identity:
```
aws --version
aws sts get-caller-identity
```
If you need to configure or change the active identity:
```
aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: json
```
Update kubeconfig
Configure kubectl to communicate with your EKS cluster. Replace <region> and <cluster-name> with your values:
```
aws eks --region <region> update-kubeconfig --name <cluster-name>
```
Install Helm
Install Helm using the official installer script:
```
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
```
Install Linkerd CLI
Linkerd is the supported service mesh for Capacity Private Cloud. Only versions up to Linkerd edge-24.5.5 are supported.
```
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
```
Add the Linkerd CLI to Your Path
```
export PATH=$PATH:$HOME/.linkerd2/bin
```
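The install script fetches its own default CLI release, which may be newer than the supported ceiling, so a version gate before `linkerd install` is useful. This is an added example, not part of the original guide or the Linkerd project; `edge_key` and `linkerd_supported` are hypothetical names, and it assumes `linkerd version --client --short` prints a bare version string such as `edge-24.5.5`.

```sh
#!/bin/sh
# Added example: refuse to continue when the Linkerd CLI is newer than the
# ceiling this guide states. Function names are hypothetical.
MAX_SUPPORTED="edge-24.5.5"

# edge_key edge-YY.M.N -> sortable integer (YY, then M and N padded to 3 digits).
# Returns 1 for anything that is not an edge-style version.
edge_key() {
  case "$1" in
    edge-*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "${1#edge-}" | awk -F. '
    NF == 3 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
      printf "%d%03d%03d\n", $1, $2, $3; ok = 1
    }
    END { exit !ok }'
}

# linkerd_supported VERSION
#   0 = at or below MAX_SUPPORTED, 1 = newer, 2 = not an edge version (review by hand)
linkerd_supported() {
  have=$(edge_key "$1") || return 2
  max=$(edge_key "$MAX_SUPPORTED") || return 2
  [ "$have" -le "$max" ]
}

# Constructed version strings; on a workstation use:
#   linkerd_supported "$(linkerd version --client --short)" || exit 1
for v in edge-24.5.5 edge-24.11.8 stable-2.14.10; do
  rc=0
  linkerd_supported "$v" || rc=$?
  case "$rc" in
    0) echo "$v: supported" ;;
    1) echo "$v: newer than $MAX_SUPPORTED, do not install" ;;
    *) echo "$v: not an edge release, review by hand" ;;
  esac
done
```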
Install Linkerd
Validate the cluster, install the Linkerd CRDs and control plane, then verify the installation:
```
linkerd check --pre
linkerd install --crds | kubectl apply -f -
linkerd install --set proxyInit.runAsRoot=true | kubectl apply -f -
linkerd check
```
Note: The EKS installation uses --set proxyInit.runAsRoot=true on the Linkerd install command. This is required for EKS environments, where the proxy init container needs root privileges to configure networking.
Install Jaeger
Install the Linkerd Jaeger extension to enable distributed tracing:
```
linkerd jaeger install | kubectl apply -f -
```
Install Linkerd Dashboard
Install the Linkerd Viz extension to enable the web dashboard:
```
linkerd viz install | kubectl apply -f -
```
Uninstall Linkerd
If you need to uninstall Linkerd for troubleshooting purposes (for example, resolving issues with Linkerd sidecars or decommissioning a cluster), run the following commands in order:
```
linkerd viz uninstall | kubectl delete -f -
linkerd jaeger uninstall | kubectl delete -f -
linkerd uninstall | kubectl delete -f -
```
Install nginx Ingress
Add the ingress-nginx Helm repository and install the controller:
```
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
kubectl create ns ingress-nginx
helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  -n ingress-nginx \
  --create-namespace \
  --set controller.hostNetwork=true \
  --set controller.allowSnippetAnnotations=true
```
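With `controller.allowSnippetAnnotations=true`, the controller honors `*-snippet` annotations, which copy raw NGINX configuration from Ingress objects into the generated config, so it helps to know which Ingress objects use them. This is an added example, not from the original guide: `snippet_annotations` and `sample_ingresses` are hypothetical helpers and the sample rows are constructed.

```sh
#!/bin/sh
# Added example: list Ingress objects that carry *-snippet annotations.
# Live input (one row per Ingress, tab between name and annotations):
#   kubectl get ingress -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.metadata.annotations}{"\n"}{end}' \
#     | snippet_annotations

# snippet_annotations
#   stdin:  "namespace/name<TAB>annotations" rows
#   stdout: "namespace/name annotation-key" for every snippet annotation
#   return: 0 if none are in use, 1 if at least one was found
# Only annotation keys are matched, so the check does not depend on
# whether kubectl prints the annotation map as JSON or as a Go map.
snippet_annotations() {
  awk -F'\t' '
    {
      rest = $2
      while (match(rest, /nginx\.ingress\.kubernetes\.io\/[a-z-]*snippet/)) {
        print $1, substr(rest, RSTART, RLENGTH)
        rest = substr(rest, RSTART + RLENGTH)
        found = 1
      }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample rows: one clean Ingress, two that use snippets.
sample_ingresses() {
  printf 'demo/portal\t{"nginx.ingress.kubernetes.io/backend-protocol":"HTTP"}\n'
  printf 'demo/api\t{"nginx.ingress.kubernetes.io/configuration-snippet":"grpc_read_timeout 600s;"}\n'
  printf 'team-a/web\t{"nginx.ingress.kubernetes.io/server-snippet":"...","nginx.ingress.kubernetes.io/auth-snippet":"..."}\n'
}

if hits=$(sample_ingresses | snippet_annotations); then
  echo "no snippet annotations in use"
else
  printf 'review these Ingress objects:\n%s\n' "$hits"
fi
```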
Create the Namespace
```
kubectl create namespace lumenvox
```
Set the Active Namespace
```
kubectl config set-context --current --namespace=lumenvox
```
Set Up TLS for Ingress
Generate a self-signed TLS certificate for the ingress controller. Replace <hostnameSuffix> with the value configured in your Helm chart's values.yaml.
```
openssl genrsa -out server.key 2048
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650 \
  -addext "subjectAltName = DNS:lumenvox-api.<hostnameSuffix>, \
  DNS:biometric-api.<hostnameSuffix>, \
  DNS:management-api.<hostnameSuffix>, \
  DNS:reporting-api.<hostnameSuffix>, \
  DNS:admin-portal.<hostnameSuffix>, \
  DNS:deployment-portal.<hostnameSuffix>"
kubectl create secret tls speech-tls-secret --key server.key --cert server.crt
```
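A typo in the `-addext` string only surfaces later as a client name mismatch, so it is worth confirming that the certificate carries all six hostnames before loading it into the cluster. This is an added example, not from the original guide: `missing_sans` and `REQUIRED_HOSTS` are hypothetical names, `example.test` is a constructed suffix, and the sample SAN text is constructed.

```sh
#!/bin/sh
# Added example: confirm a certificate's SAN list covers every hostname
# this guide requests. Helper names are hypothetical.
REQUIRED_HOSTS="lumenvox-api biometric-api management-api reporting-api admin-portal deployment-portal"

# missing_sans SUFFIX
#   stdin:  text from `openssl x509 -in server.crt -noout -ext subjectAltName`
#   stdout: each required name that no SAN entry covers
#   return: 0 if all six are covered, 1 otherwise
missing_sans() {
  _suffix=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  # One lowercase DNS name per line; the header and non-DNS entries are dropped.
  _sans=$(tr ',' '\n' |
    sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*DNS://p' |
    tr 'A-Z' 'a-z')
  _miss=0
  for _h in $REQUIRED_HOSTS; do
    _want="$_h.$_suffix"
    # Whole-line match only, so "xadmin-portal.<suffix>" does not count; a
    # single-label wildcard for the suffix covers every required name.
    if ! printf '%s\n' "$_sans" | grep -Fxq -e "$_want" -e "*.$_suffix"; then
      echo "$_want"
      _miss=1
    fi
  done
  return "$_miss"
}

# Constructed sample: reporting-api is absent from the SAN list.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:lumenvox-api.example.test, DNS:biometric-api.example.test, DNS:management-api.example.test, DNS:admin-portal.example.test, DNS:deployment-portal.example.test'

if gaps=$(printf '%s\n' "$SAMPLE_SAN" | missing_sans example.test); then
  echo "certificate covers all required names"
else
  echo "not covered: $gaps"
fi
```

Against the real certificate, run `openssl x509 -in server.crt -noout -ext subjectAltName | missing_sans <hostnameSuffix>` before `kubectl create secret tls`.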
Apply Secrets File
```
kubectl apply -f lumenvox-secrets.yaml
```
Configure Helm Repository
```
helm repo add lumenvox https://lumenvox.github.io/helm-charts
helm repo update
```
Deploy the Helm Chart
```
helm install lumenvox lumenvox/lumenvox -f aws-speech-values-internal-resources.yaml -n lumenvox
```
Complete the Installation
After the Helm chart has been deployed, proceed to set up your deployment configuration. See Setting up a Deployment for the final steps required to complete the installation.
