Installing Hex in a private cloud requires at a bare minimum:
Kubernetes 1.16+
kots - https://kots.io/
An S3 bucket and accompanying IAM credentials
A Postgres 11 database
Optional dependencies
ALB ingress controller
For automatically exposing Hex behind an HTTPS load balancer
(Highly recommended) Calico or other similar network controller
Kubernetes defines the API for specifying Network Security Policies, but by default it has no built-in capability to enforce them.
Hex comes out of the box with some network policies that add security layers on top of kernel security, but these will not work without a network controller.
Deploying a controller like Calico will make these work.
If you are missing any of the above, Hex provides a few getting-started templates for AWS that you can mix and match, as well as a complete bundle: https://github.com/hex-inc/cloud-templates/tree/master/aws
An overview of the templates:
VPC - Provision the VPC, public+private+database subnets, NAT gateways and more
EKS - Provision a new EKS cluster with EC2 auto-scaling worker groups of a given number + size
S3 - Create a new encrypted S3 bucket with a corresponding IAM user role to access it, stored in AWS SSM
RDS - Create a new encrypted RDS Postgres 11 database and store the credentials in AWS SSM
ALB - Automatically deploy the ALB Ingress Controller into EKS
Calico - Automatically deploy Calico into a Kubernetes cluster
Complete Bundle - Combines and automatically deploys all of the above for you
Using the above Terraform templates requires setting up Terraform and AWS to work together. Instructions on how to set them up are below:
Terraform or Terraform Cloud
Terraform Cloud is recommended
Appropriate AWS access keys to provision the resources
Hex provides a sample policy that can be used to provision the resources in policy.json
(Optional) Generate and activate the kubeconfig for your Kubernetes cluster
aws eks --region us-east-2 update-kubeconfig --name hex-main
Test that it works: kubectl get -n kube-system pods
Install Hex using Kots
kubectl kots install hex
Choose or leave the default namespace of hex
Create a new password and remember it for later
Navigate to http://localhost:8800/ and enter the password from the previous step
Install the license file you received from Hex; this will be a .yaml file
Configure the installation
Hex
You can leave replicas at 1, or increase to 2 or 3 to increase redundancy
Choose a name/email/password for the admin account
You can add more Admins in the UI later
(Optional) Choose whether or not you want to use the AWS ALB to expose your app
See Exposing Hex to your Org
(Optional) Set up custom Python kernel images
See Using custom kernel images
S3
Add the name of the S3 bucket you created for Hex
Add in the IAM access and secret keys that have access to upload/get and delete from the bucket
Postgres
Add in the Postgres connection details of an existing database, or the one you created using the Hex templates
Deploy the installation in the "Version History" tab
Check that the install worked correctly
Run kubectl get -n hex pods to verify that the pods spun up correctly
Initialize and unseal Vault
See Setting up Vault
Set up a port forward to test the install worked
Run kubectl -n hex port-forward [hex-pod-name] 5000
Navigate to https://localhost:5000/ and you should see and be able to log into Hex!
Now you are ready to expose Hex to your organization
See Exposing Hex to your Org