Configuration Reference

Key Description Required Values
schema YAML schema version. 1.0
name Unique deployment name. This should contain the name of the deployment owner. [a-zA-Z0-9_-]+
version Domino version to install. Supported versions: 4.1.10, 4.2.0
hostname Hostname Domino application will be accessed at. Valid FQDN
pod_cidr If network policies are enabled, allow access from this CIDR. This range should cover addresses used by your cluster nodes and pods.   Valid CIDR range, e.g.
ssl_enabled Should Domino only be accessible using HTTPS. true, false
ssl_redirect Should Domino only be accessible using HTTPS. true, false
create_ingress_controller Create an NGINX ingress controller. true, false
request_resources Create Kubernetes resource requests and limits for services. true, false
enable_network_policies Use network policies for fine-grained service access. true, false. Note: requires a compatible CNI plugin, e.g. Calico
enable_pod_security_policies Enables pod security policies for locked down system capabilities. true, false
create_restricted_pod_security_policy Creates pod security policies for locked down system capabilities. true, false
kubernetes_distribution Determines resource compatibility with either OpenShift or CNCF Kubernetes true cncf or openshift


This section configures whether and how an Istio service mesh is deployed by or integrated with Domino. A Domino-deployed Istio is for Domino use only. This configuration should only be installed and/or enabled if intra-cluster encryption in transit is required.

Key Description Required Values
istio.enabled Enable Istio in deployment (i.e. sidecar injection) true, false
istio.install Install Istio service with Domino true, false
istio.cni Configures whether Istio installation is done with a CNI. If true, the installation is done with a CNI and requires fewer permissions; this is our preferred and recommended setting. If false, the installation will add required capabilities to every pod security policy: NET_ADMIN, NET_BIND_SERVICE, and NET_RAW. true, false
istio.namespace Namespace of the Istio control plane. This field is not meant for a Domino-deployed Istio (i.e. istio.install=true); it is available for integrating with an existing deployed Istio service within the cluster. true, false

NOTE: Domino Model Monitor is incompatible with Istio. If Istio is enabled, the Model Monitor flag should be disabled.

Ingress Controller

This section configures the NGINX ingress controller deployed by the fleetcommand-agent.

Key Description Required Values
ingress_controller.create Whether to create the ingress controller. true, false
ingress_controller.gke_cluster_uuid When running Domino on GKE you should supply the GKE cluster UUID here to configure GCP networking for ingress. Cluster UUID


Namespaces are a way to virtually segment Kubernetes executions. Domino will create namespaces according to the specifications in this section, and the installer requires that these namespaces not already exist at installation time.

Key Description Required Values
Namespace to place Domino services   Kubernetes Name
Namespace for user executions   Kubernetes Name. Note: may be the same as the platform namespace
Namespace for deployment metadata   Kubernetes Name
namespaces.*.annotations Optional annotations to apply to each namespace   Kubernetes Annotation

Storage Classes

Storage Classes are a way to abstract the dynamic provisioning of volumes in Kubernetes.

Domino requires two storage classes:

  1. block storage for Domino services and user executions that need fast I/O
  2. shared storage that can be shared between multiple executions

Domino supports pre-created storage classes. The installer can also create a shared storage class backed by NFS or a cloud NFS analog, as long as the cluster can access the NFS system for read and write, and it can create several types of block storage classes backed by cloud block storage systems like Amazon EBS.

Key Description Required Values
storage_classes.block.create Whether to create the block storage class
  • true
  • false
Kubernetes Name. Note: always required due to platform limitations, cannot be “” which indicates the default storage class
storage_classes.block.type Name of the block storage class to utilize
  • ebs
  • hostpath
  • gce
  • azure-disk
storage_classes.block.base_path Base path to use on nodes as a base when using hostpath volumes    
storage_classes.block.default Whether to set this storage class as the default
  • true
  • false
storage_classes.shared.create Whether to create the shared storage class
  • true
  • false
Kubernetes Name
storage_classes.shared.type Type of the shared storage class to utilize
  • efs
  • nfs
  • azure-file
Note that Azure File requires outbound port 445 to be open from your Azure cluster.
storage_classes.shared.efs.region EFS store AWS region   e.g. us-west-2
storage_classes.shared.efs.filesystem_id EFS filesystem ID   e.g. fs-7a535bd1
storage_classes.shared.nfs.server NFS server IP or hostname    
storage_classes.shared.nfs.mount_path Base path to use on the server when creating shared storage volumes    
storage_classes.shared.nfs.mount_options YAML List of additional NFS mount options   e.g. - mfsymlinks
storage_classes.shared.azure_file.storage_account Azure storage account to create filestores    

Blob Storage

Domino can store long-term, unstructured data in “blob storage” buckets. Currently, only the shared storage class described above (NFS) and S3 are supported.

To apply a default S3 bucket or shared storage type to all use-cases of blob storage, it is only necessary to fill out the default setting and make sure enabled is true. Otherwise, all other blob storage uses (projects, logs, and backups) should be filled out.

Key Description Required Values
blob_storage.default.enabled Whether the default configuration should take precedence over individual config keys
  • true
  • false
blob_storage.*.type Which type of blob storage to use
  • shared
  • s3
blob_storage.*.s3.region AWS region of the S3 bucket store   e.g. us-west-2
blob_storage.*.s3.bucket S3 bucket name   e.g. domino-bucket-1


For Kubernetes clusters without native cluster scaling in response to new user executions, Domino supports the use of the cluster autoscaler.

Key Description Required Values
autoscaler.enabled Enable cluster autoscaling
  • true
  • false
autoscaler.cloud_provider Cloud provider Domino is deployed with  
  • aws
  • azure
AWS region Domino is deployed into   e.g. us-west-2
Azure resource group Domino is deployed into   Azure resource group
Azure subscription ID Domino is deployed with   Azure subscription ID

AWS Auto-Discovery

The cluster autoscaler supports autodiscovery on AWS. Without any explicit configuration of specific autoscaling groups, it will detect all ASGs that have the appropriate tags and refresh them if their settings are updated directly. This means listing all ASGs with accurate min/max settings (or listing them at all) is not required as referenced below in the Groups section. ASG settings can be updated directly in AWS without having to update the cluster-autoscaler configuration or rerun the installer.

Key Description Required Values
autoscaler.auto_discovery.cluster_name K8s Cluster Name   exactly match the name in AWS
autoscaler.auto_discovery.tags Optional. If filled in, cluster_name is ignored   e.g. - my.tag or []
autoscaler.auto_discovery.groups     Must be set to [] if using auto_discovery

By default, if no autoscaler.groups and autoscaler.auto_discovery.tags are specified, the cluster_name will be used to look for the following AWS tags:

  •{{ cluster_name }}

The tags setting can be used to explicitly specify which resource tags the autoscaler service should look for.

If you would like to disable auto-discovery and continue using specific groups, ensure that auto_discovery.cluster_name is an empty value.


Autoscaling groups are not dynamically discovered. Each autoscaling group must be individually specified including the minimum and maximum scaling size.

Key Description Required Values
autoscaler.groups.*.name Autoscaling group name   Must exactly match the name in the cloud provider
autoscaler.groups.*.min_size     e.g. 0
autoscaler.groups.*.max_size     e.g. 10

External DNS

Domino can automatically configure your cloud DNS provider. More extensive documentation can be found on the external-dns homepage.

Key Description Required Values
external_dns.enabled Whether Domino should configure cloud DNS
  • true
  • false
external_dns.provider Cloud DNS provider   e.g. aws
external_dns.domain_filters Only allow access to domains that match this filter   e.g.
external_dns.zone_id_filters Only allow updates to specific Route53 hosted zones    

Email Notifications

Domino supports SMTP for sending email notifications in response to user actions and run results.

Key Description Required Values
email_notifications.enabled Whether Domino should send email notifications
  • true
  • false
email_notifications.server SMTP server hostname or IP    
email_notifications.port SMTP server port    
email_notifications.encryption Whether the SMTP server uses SSL encryption    
email_notifications.from_address Email address to send emails from Domino with   e.g. domino
email_notifications.authentication.username If using SMTP authentication, the username    
email_notifications.authentication.password If using SMTP authentication, the password    


Domino supports in-cluster monitoring with Prometheus as well as more detailed, external monitoring through NewRelic APM and Infrastructure.

Key Description Required Values
monitoring.prometheus_metrics Install Prometheus monitoring
  • true
  • false
monitoring.newrelic.apm Enable NewRelic APM
  • true
  • false
monitoring.newrelic.infrastructure Enable NewRelic Infrastructure
  • true
  • false
monitoring.newrelic.license_key NewRelic account license key    


Configuration for the Helm repository that stores Domino’s charts.

Key Description Required Values
helm.version Which version of Helm to use. 2 or 3
Hostname of the chart repository For Helm 2 this should be or the address of your private appr server. For Helm 3 it should be
helm.namespace Namespace to find charts in the repository.   Helm repo namespace. When using official Domino repositories this should be domino. For Helm 3 with or, use domino-eng-service-artifacts.
helm.prefix Prefix for the chart repository.   Application registry prefix. When using official Domino repositories this should be helm-. For Helm 3 with or, this should be an empty string.
helm.username Username for chart repository if authentication is required. When using Helm 3 with charts hosted in GCR this must be _json_key.   Username
helm.password Password for chart repository if authentication is required.   For Helm 3 this is the base64 encoded JSON key that was provided by Domino.
helm.tiller_image URI of the Docker image for the Tiller service to use when running Helm 2. This must point to a version 2.16.1 Tiller image at or in your private registry.
helm.cache_path Path to cached Helm 3 chart files.   Set to empty string ('') to use online chart data.

Private Docker Registry

Configuration for the Docker repository that stores Domino’s images.

Key Description Required Values
private_docker_registry.server Docker registry host
private_docker_registry.username Docker registry username  
private_docker_registry.password Docker registry password  

Internal Docker Registry

The recommended configuration for the internal Docker registry deployed with Domino. Override values allow the registry to use S3, GCS, or Azure blob store as a backend store. GCS requires that a service account already be bound into the Kubernetes cluster, with configuration to ensure the docker-registry service account is properly mapped.

Key Description Required Values
internal_docker_registry.s3_override.region AWS region of the S3 bucket store   e.g. us-west-2
internal_docker_registry.s3_override.bucket S3 bucket name   e.g. domino-bucket-1
internal_docker_registry.gcs_override.bucket GCS bucket name   e.g. domino-bucket-1
internal_docker_registry.gcs_override.service_account_name GCS service account with access to the bucket    
internal_docker_registry.gcs_override.project_name GCP project name that Domino is deployed into    
internal_docker_registry.azure_blobs_override.account_name Azure blobstore account name    
internal_docker_registry.azure_blobs_override.account_key Azure blobstore account key    
internal_docker_registry.azure_blobs_override.container Azure blobstore container name    


Domino supports user telemetry data to help improve the product.

Key Description Required Values
intercom.enabled Enable Intercom onboarding true|false
mixpanel.enabled Enable MixPanel true|false
mixpanel.token MixPanel API token    


If using GPU compute nodes, enable the following configuration setting to install the required components.

Key Description Required Values
gpu.enabled Enable GPU support true|false


Domino supports upgrading minor patches through an internal tool named Fleetcommand.

Key Description Required Values
fleetcommand.enabled Enable ability for Domino staff to apply minor patches true|false
fleetcommand.api_token Deployment-specific API token (Domino staff will provide this)    

Node selectors

Domino will by default deploy some DaemonSets on all available nodes in the hosting cluster. When running in a multi-tenant Kubernetes cluster, where some nodes are available that should not be used by Domino, you can label nodes for Domino with a single, consistent label, then provide that label to the fleetcommand-agent with the below configuration to apply a selector to all Domino resources for that label.

Key Description Required Values
global_node_selectors List of key/value pairs to use as the label for the selector. Optional See below example


global_node_selectors:
  domino-owned: "true"

This example would apply a selector for domino-owned=true to all Domino deployment resources.

Ingress controller class

The name of the Domino Ingress class can be changed with this setting. This should generally not need to change.

Key Description Required Values
ingress_controller.class_name Name for the Domino Ingress class nginx

Image caching

These settings control the Domino image caching service, which runs as a privileged pod and uses the host Docker socket to pre-pull popular Domino environment images onto compute workers. It can be disabled if desired.

Key Description Required Values
image_caching.enabled Whether or not to deploy the image caching service Boolean

Domino Model Monitor

This setting controls if Domino Model Monitor is installed and enabled along with your Domino installation. Before enabling, ensure the platform node pool requirements for enabling Domino Model Monitor are met. Domino Model Monitor will be available at https://<hostname>/model-monitor once installation is complete. Domino Model Monitor can also be accessed from the “Monitoring” link in the left-hand sidebar.

Key Description Required Values
modelmonitor.enabled Install and enable Domino Model Monitor   Boolean

NOTE: Domino Model Monitor is incompatible with Istio. If Model Monitor is enabled, the Istio flag should be disabled.
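
Several keys in this reference interact in security-relevant ways: the Istio and Model Monitor incompatibility, the capabilities added when istio.cni is false, the pod_cidr used by network policies, and the privileged image caching pod. The following pre-install check is an added example, not part of the Domino documentation or the fleetcommand-agent. It assumes the configuration has already been loaded from YAML into a nested dict; the helper names, the severity labels and the sample values are this example's own.

```python
import ipaddress
# Keys the reference describes as passwords, account keys or tokens.
SECRET_KEYS = ("helm.password", "private_docker_registry.password", "mixpanel.token",
               "email_notifications.authentication.password", "fleetcommand.api_token",
               "internal_docker_registry.azure_blobs_override.account_key",
               "monitoring.newrelic.license_key")

def get(cfg, dotted, default=None):
    """Walk a dotted key such as 'istio.cni' through nested dicts."""
    for part in dotted.split("."):
        if not isinstance(cfg, dict) or part not in cfg:
            return default
        cfg = cfg[part]
    return cfg

def valid_cidr(value):
    try:
        ipaddress.ip_network(str(value), strict=False)
    except ValueError:
        return False
    return True

def lint(cfg):
    """Return (severity, key, message) findings; severities are this example's own."""
    out = []
    if get(cfg, "istio.enabled") and get(cfg, "modelmonitor.enabled"):
        out.append(("error", "modelmonitor.enabled", "incompatible with Istio"))
    if get(cfg, "istio.install") and get(cfg, "istio.cni") is False:
        out.append(("warn", "istio.cni",
                    "adds NET_ADMIN, NET_BIND_SERVICE, NET_RAW to every pod security policy"))
    if get(cfg, "enable_network_policies") and not valid_cidr(get(cfg, "pod_cidr", "")):
        out.append(("error", "pod_cidr", "network policies need a valid CIDR"))
    for key in ("ssl_enabled", "enable_network_policies", "enable_pod_security_policies"):
        if get(cfg, key) is not True:
            out.append(("warn", key, "not explicitly set to true"))
    if get(cfg, "image_caching.enabled"):
        out.append(("warn", "image_caching.enabled", "privileged pod, host Docker socket"))
    out += [("warn", k, "secret stored inline in the config") for k in SECRET_KEYS if get(cfg, k)]
    return out

# Constructed sample: the nested dict a YAML loader would return for a config.
SAMPLE = {"ssl_enabled": True, "enable_network_policies": True, "pod_cidr": "10.0.0.0/33",
          "enable_pod_security_policies": False, "helm": {"password": "constructed-value"},
          "istio": {"enabled": True, "install": True, "cni": False},
          "modelmonitor": {"enabled": True}, "image_caching": {"enabled": True}}

if __name__ == "__main__":
    print("\n".join(f"{s:5} {k}: {m}" for s, k, m in lint(SAMPLE)))
```

Treat any error finding as a reason to stop before running the installer, and review each warning against the cluster's own policy.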