This topic describes how to deploy Domino components on Google Kubernetes Engine (GKE). GKE is hosted on Google Cloud Platform (GCP).
-
Use environment variables to set the values of IDs, names, and labels. This simplifies the commands you’ll run while installing Domino components:
export DOMINO_VER=<The Domino version to deploy> export QUAY_USERNAME=<`quay.io` username provided by Domino> export QUAY_PASSWORD=<`quay.io` password provided by Domino> -
To retrieve the credentials for your Kubernetes cluster, check your local kubeconfig with
export KUBECONFIG=$(pwd)/kubeconfig. -
Run
kubectl create namespace domino-platformto create thedomino-platformnamespace. -
To make your application available through HTTPS, use the certificate for the project’s domain name to create a secret:
kubectl -n domino-platform create secret tls my-cert --key=<path to your private key> --cert=<path to your cert>
Domino components are installed and configured with a component called fleetcommand-agent.
The agent runs as a container.
It uses an installation template to gather the required parameters for the environment and sets them when installing Domino components.
fleetcommand-agent-
If you aren’t already logged into
quay.io, rundocker login -u $QUAY_USERNAME -p $QUAY_PASSWORD quay.io. -
Generate a template configuration file named
domino.ymlin your working directory:
docker run --rm -it \
-v $(pwd):/install \
quay.io/domino/fleetcommand-agent:{fleetcommand-agent-version} \
init --file /install/domino.yml --full --version $DOMINO_VERYou’ll need to reference the Terraform output from the infrastructure deployment described in Provision infrastructure and runtime environment to complete the configuration template.
If you don’t have the output saved, run terraform output to retrieve it.
-
Open the
domino.ymlfile and edit the following attributes:-
name: The name of the deployment. This can’t be changed post-deployment. -
hostname: The hostname for the Domino install (for example,domino.example.com). -
pod_cidr: The default network range is10.0.0.0/8, but this must match the full IP range that your cluster uses. -
ingress_controller.gke_cluster_uuid: Thegoogle_cluster_uuidfrom the Terraform output produced during infrastructure setup. -
storage_class.block.type:gce -
storage_class.shared.type:nfs -
storage_class.shared.nfs.server: Thegoogle_filestore_ip_addressfrom the Terraform output. -
storage_class.shared.nfs.mount_path:/share1(This must match thegoogle_filestore_file_shareTerraform output). -
blob_storage.projects.type:shared -
blob_storage.logs.type:shared -
blob_storage.backups.type:gcs -
blob_storage.backups.gcs.bucket: Thegoogle_bucket_namefrom the Terraform output. -
blob_storage.backups.gcs.service_account_name: Thegoogle_platform_service_accountfrom the Terraform output. -
blob_storage.backups.gcs.project_name: Thegoogle_projectfrom the Terraform output. -
helm.cache_path:/app/charts -
private_docker_registry.username: Yourquay.iousername. -
private_docker_registry.password: Yourquay.iopassword. -
internal_docker_registry.enabled:false -
external_docker_registry: Thegoogle_artifact_registryfrom the Terraform output.
-
-
Replace the
services.nginx_ingress.chart_valuessection:chart_values: controller: kind: Deployment hostNetwork: false service: enabled: true type: LoadBalancer annotations: cloud.google.com/backend-config: '{"ports": {"80":"nginx-ingress-controller","443":"nginx-ingress-controller"}}' extraArgs: default-ssl-certificate: domino-platform/my-cert -
Replace the
forge.chart_valuessection with the following code and update theiam.gke.io/gcp-service-accountvalue:chart_values: config: fullPrivilege: true serviceAccount: annotations: iam.gke.io/gcp-service-account: <google_gcr_service_account from terraform output>
fleetcommand-agentDownload fleetcommand-agent-install.sh.
See Install Script Downloads if you need another version of the install script for your Domino release.
Run the fleetcommand-agent-install.sh script from the same folder where the domino.yml file is located.
Run kubectl -n domino-platform get svc nginx-ingress-controller to get the external IP to access your instance’s Domino management plane.
You can use this to update your DNS records accordingly.
-
Go to
https://<YOUR DOMAIN>/auth/ -
Login with the username
keycloakand the password from thekeycloak-httpsecret in thedomino-platformnamespace. Use the following command to get the password:echo -e "\nyour password is: $(kubectl get secret keycloak-http -n domino-platform --template={{.data.password}} | base64 -d)\n" -
Go to Users in the navigation pane, and click Add User.
-
Enter the username, first name, last name, and email address, and then click Save
-
Go to the Credentials tab and add a password.
-
Optional: Disable Temporary.
-
Go to Role Mappings > Client Roles, and select domino-play.
-
Select the User role and add it to your user.
-
Go to the main page for your Domino deployment (for example,
https://\<YOUR DOMAIN\>) and sign in with your new Domino user. -
Go to Environments > Domino Standard Environment Py3.8 R4.1 > Revisions and make sure the revision is active. If not, use Build Logs to try to solve the problem.
-
Go to Projects > Quick-start > Workspaces and launch a new workspace using Jupyter (this can take a while).
-
When the new workspace is created open
main.ipynband confirm that you can execute the script without errors.
Use Keycloak to enable user registration, so users can access your fresh Domino install. Keycloak is a user authentication service that runs on a pod in your cluster.
-
Sign in to Keycloak on your Domino instance.
-
In the Keycloak sidebar menu, select Realm Settings.
-
Select the Login tab, and toggle User registration to On.
-
Click Save to confirm your changes.