| Key | Description | Required | Values |
|---|---|---|---|
| | YAML schema version. | ✓ | |
| | Unique deployment name. This must contain the name of the deployment owner. | ✓ | |
| | Domino version to install. | ✓ | Supported versions: |
| | Hostname the Domino application will be accessed at. | ✓ | Valid fully qualified domain name (FQDN) |
| | If network policies are enabled, allow access from this CIDR. This range must cover the addresses used by your cluster nodes and pods. | | Valid CIDR range, for example, |
| | Should Domino only be accessible with HTTPS. | ✓ | |
| | Should Domino only be accessible with HTTPS. | ✓ | |
| | Create Kubernetes resource requests and limits for services. | ✓ | |
| | Use network policies for fine-grained service access. | ✓ | |
| | Enables pod security policies for locked-down system capabilities. | ✓ | |
| | Creates pod security policies for locked-down system capabilities. | ✓ | |
| | Determines resource compatibility with either OpenShift or CNCF Kubernetes. | ✓ | |
| | A URL to ECR (Amazon Elastic Container Registry), ACR (Azure Container Registry), GCR (Google Container Registry) or GAR (Google Artifact Registry). The node must have permissions to the registry. | | |
| | | ✓ | |
This section configures whether and how an Istio service mesh is deployed by, or integrated with, Domino. A Domino-deployed Istio is for Domino's use only. Install and/or enable these settings only if intra-cluster encryption in transit is required.
| Key | Description | Required | Values |
|---|---|---|---|
| | Enable Istio in the deployment (that is, sidecar injection). | ✓ | |
| | Install the Istio service with Domino. | ✓ | |
| | Configures whether the Istio installation is done with a CNI. If | ✓ | |
This section configures the NGINX ingress controller deployed by the fleetcommand-agent.
| Key | Description | Required | Values |
|---|---|---|---|
| | Install the NGINX ingress controller. | ✓ | |
| | On Google Cloud Platform (GCP), use a static IP address to expose nginx. | | The |
| | Name of the ingress class for Domino. | ✓ | |
| | Include annotations related to Istio. | ✓ | |
Use Namespaces to virtually segment Kubernetes executions. Domino creates namespaces according to the specifications in this section. The installer requires that these namespaces do not exist at installation.
| Key | Description | Required | Values |
|---|---|---|---|
| | Namespace to place Domino services in. | ✓ | |
| | Namespace for user executions. | ✓ | |
| | Namespace for deployment metadata. | ✓ | |
| | Namespace for Istio. | ✓ | |
| | Optional annotations to apply to each namespace. | | |
| | Optional labels to apply to each namespace. | | |
Storage Classes are a way to abstract the dynamic provisioning of volumes in Kubernetes.
Domino requires the following storage classes:
- block storage for Domino services and user executions that need fast I/O.
- shared storage that can be shared between multiple executions.
Domino supports pre-created storage classes. The installer can also create a shared storage class backed by NFS or a cloud NFS analog, as long as the cluster can access the NFS system for read and write, and it can create several types of block storage classes backed by cloud block storage systems such as Amazon EBS.
Block
| Key | Description | Required | Values |
|---|---|---|---|
| | Whether to create the block storage class. | ✓ | |
| | The block storage class name. | ✓ | |
| | Type of the block storage class to use. | ✓ | |
| | Base path to use on nodes with | | |
| | Whether to set this storage class as the default. | ✓ | |
Shared
| Key | Description | Required | Values |
|---|---|---|---|
| | Whether to create the shared storage class. | ✓ | |
| | The shared storage class name. | ✓ | |
| | Type of the shared storage class to use. | ✓ | |
| | EFS store AWS region. | | For example, |
| | EFS filesystem ID. | | For example, |
| | Access point ID. | | For example, |
| | NFS server IP or hostname. | | |
| | Base path to use on the server when you create shared storage volumes. | | |
| | YAML list of additional NFS mount options. | | For example, |
| | Azure storage account to create file stores in. | | |
Domino can store long-term, unstructured data in blob storage buckets. Only the shared storage class described previously (NFS and S3) is supported for projects and logs. Backups also support Azure and Google Cloud Storage (GCS).
Azure
| Key | Description | Required | Values |
|---|---|---|---|
| | Azure storage account name. | | For example, |
| | Access key for the storage account. | | For example, |
| | Name of the container in the storage account. | | For example, |
GCS (Google Cloud Storage)
| Key | Description | Required | Values |
|---|---|---|---|
| | The bucket name. | | For example, |
| | The service account name with write access to the bucket. | | For example, |
| | The service account's project name. | | For example, |
For Kubernetes clusters without native cluster scaling in response to new user executions, Domino supports the use of the cluster autoscaler.
| Key | Description | Required | Values |
|---|---|---|---|
| | Cloud provider Domino is deployed with. | | |
| | AWS region Domino is deployed into. | | For example, |
| | Azure resource group Domino is deployed into. | | |
| | Azure subscription ID Domino is deployed with. | | |
AWS Auto Discovery
The cluster autoscaler supports Auto Discovery on AWS. Without any explicit configuration of specific autoscaling groups, it detects all ASGs that carry the appropriate tags and refreshes them if their settings are updated directly. Listing every ASG with accurate min/max settings, as the Groups section below requires, is not needed in this mode. ASG settings can be updated directly in AWS; the cluster-autoscaler configuration does not need to be updated, and you do not need to rerun the installer.
| Key | Description | Required | Values |
|---|---|---|---|
| | K8s cluster name. | | Must exactly match the name in AWS |
| | Optional: If filled in, | | For example, |
| | Must be set to | | |
By default, if no autoscaler.groups and autoscaler.auto_discovery.tags are specified, the cluster_name will be used to look for the following AWS tags:
- k8s.io/cluster-autoscaler/enabled
- k8s.io/cluster-autoscaler/{{ cluster_name }}
The tags setting can be used to explicitly specify which resource tags the autoscaler service must look for.
To disable auto-discovery and use specific groups, ensure that auto_discovery.cluster_name is an empty value.
Groups
Autoscaling groups are not dynamically discovered. Each autoscaling group must be individually specified, along with the minimum and maximum scaling size.
| Key | Description | Required | Values |
|---|---|---|---|
| | Autoscaling group name. | | Must exactly match the name in the cloud provider |
| | Minimum scaling size. | | For example, |
| | Maximum scaling size. | | For example, |
Domino can automatically configure your cloud DNS provider. See external-dns for more information.
| Key | Description | Required | Values |
|---|---|---|---|
| | Cloud DNS provider. | | For example, |
| | Only allow access to domains that match this filter. | | For example, |
| | Only allow updates to specific hosted zones. | | |
| | The owner ID in the TXT record. | | |
Domino supports SMTP to send email notifications in response to user actions and run results.
| Key | Description | Required | Values |
|---|---|---|---|
| | Whether Domino must send email notifications. | ✓ | |
| | SMTP server hostname or IP. | | |
| | SMTP server port. | | |
| | Whether the SMTP server uses SSL encryption. | ✓ | |
| | Email address to send emails from Domino with. | | For example, |
| | If you use SMTP authentication, the username. | | |
| | If you use SMTP authentication, the password. | | |
Domino supports in-cluster monitoring with Prometheus as well as more detailed, external monitoring through New Relic APM and Infrastructure.
| Key | Description | Required | Values |
|---|---|---|---|
| | Install Prometheus monitoring. | ✓ | |
| | Enable New Relic APM. | ✓ | |
| | Enable New Relic Infrastructure. | ✓ | |
| | New Relic account license key. | | |
Configuration for the Helm repository that stores Domino’s charts.
| Key | Description | Required | Values |
|---|---|---|---|
| | Which version of Helm to use. | ✓ | |
| | Hostname of the chart repository. | ✓ | For Helm 2 this must be |
| | Namespace to find charts in the repository. | | Helm repo namespace. When you use official Domino repositories this must be |
| | Username for the chart repository if authentication is required. When you use Helm 3 with charts hosted in GCR this must be | | Username |
| | Password for the chart repository if authentication is required. | | For Helm 3 this is the base64-encoded JSON key that was provided by Domino. |
Image registries
List of Docker registries for Domino components.
| Key | Description | Required | Values |
|---|---|---|---|
| | Docker registry host. | ✓ | |
| | Docker registry username. | ✓ | |
| | Docker registry password. | ✓ | |
The recommended configuration for the internal Docker registry deployed with Domino.
Use override values to allow the registry to use S3, GCS, or Azure blob storage as a backend store.
GCS requires that a service account already be bound into the Kubernetes cluster, with configuration to ensure the docker-registry service account is properly mapped.
Note
Either internal_docker_registry or external_docker_registry must be configured.
| Key | Description | Required | Values |
|---|---|---|---|
| | AWS region of the S3 bucket store. | | For example, |
| | S3 bucket name. | | For example, |
| | KMS key ID. | | For example, |
| | GCS bucket name. | | For example, |
| | GCS service account with access to the bucket. | | |
| | GCP project name that Domino is deployed into. | | |
| | Azure blobstore account name. | | |
| | Azure blobstore account key. | | |
| | Azure blobstore container name. | | |
Domino supports user telemetry data to help improve the product.
| Key | Description | Required | Values |
|---|---|---|---|
| | Enable Intercom onboarding. | ✓ | |
| | Enable MixPanel. | ✓ | |
| | MixPanel API token. | ✓ | |
If using GPU compute nodes, enable the following configuration setting to install the required components.
| Key | Description | Required | Values |
|---|---|---|---|
| | Enable GPU support. | ✓ | |
Domino supports minor patch upgrades through an internal tool named Fleetcommand. To learn more about the telemetry being sent back to Domino, see Deployments Telemetry.
| Key | Description | Required | Values |
|---|---|---|---|
| | Enable the ability for Domino staff to apply minor patches. | ✓ | |
| | The URL to Fleetcommand (Domino staff will provide this). | | |
| | Deployment-specific API token (Domino staff will provide this). | | |
Domino will by default deploy some DaemonSets on all available nodes in the host cluster.
When you run Domino in a multi-tenant Kubernetes cluster where some nodes must not be used by Domino, you can label the nodes intended for Domino with a single, consistent label.
Then, provide that label to fleetcommand-agent with the configuration below to apply a selector for that label to all Domino resources.
| Key | Description | Required | Values |
|---|---|---|---|
| | List of key/value pairs to use as the label for the selector. | Optional | Example: this example applies a selector for |
Global pod configuration that applies to all pods which Domino deploys.
| Key | Description | Required | Values |
|---|---|---|---|
| | List of key and value pairs to use as annotations that apply to all pods. | Optional | Example: this example adds an annotation |
| | List of key and value pairs to use as labels that apply to all pods. | Optional | Example: this example adds a label |
| | List of name and value pairs to use as environment variables that apply to all pods. | Optional | Example: this example adds an environment variable |
These settings control the Domino image caching service, which runs as a privileged pod and uses the host Docker socket to pre-pull popular Domino environment images onto compute workers. It can be disabled.
| Key | Description | Required | Values |
|---|---|---|---|
| | Whether or not to deploy the image caching service. | ✓ | |
| Key | Description | Required | Values |
|---|---|---|---|
| | Whether to install cert-manager. Domino requires cert-manager, but only one instance of cert-manager can be installed in any given Kubernetes cluster. If your Kubernetes cluster already has cert-manager installed, this should be false. | ✓ | |
Note
If cert-manager is already installed, you must add the following configuration override for image building (hephaestus):
No Teleport support is installed if teleport_kube_agent is not present.
| Key | Description | Required | Values |
|---|---|---|---|
| | The Teleport address. | ✓ | |
| | The authentication token for Teleport. | ✓ | |
| Key | Description | Required | Values |
|---|---|---|---|
| | To disable the | ✓ | |
A builder will use a storage cache as large as the amount specified by cache_storage_size. When a build completes, the storage cache is reduced to the cache_storage_retention amount. The cache_storage_retention value must not be greater than the cache_storage_size.
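The constraints this reference states only in prose (cache_storage_retention must not exceed cache_storage_size, exactly one of internal_docker_registry or external_docker_registry must be configured, and explicit autoscaler.groups require an empty auto_discovery.cluster_name) are easy to get wrong in a hand-edited YAML file. The following pre-flight checker is an added example, not part of the Domino installer or fleetcommand-agent: it reads a config as a plain dictionary, compares Kubernetes-style quantities correctly (so "25G" against "20Gi" is not a string comparison), and derives the default auto-discovery tags from cluster_name. The parent key image_builder for the cache settings, the host key inside the registry block, and the sample values are assumptions for illustration.

```python
"""Offline pre-flight checks for a fleetcommand-agent configuration.

Added example, not Domino's own code. It enforces three rules this
reference states in prose: cache retention <= cache size, exactly one
docker registry block configured, and explicit autoscaler groups only
with an empty auto_discovery.cluster_name.
"""
import re

# Kubernetes quantity suffixes: decimal (k, M, G, T) and binary (Ki, Mi, Gi, Ti).
_SUFFIX_BYTES = {
    "": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
}
_QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)([KMGT]i|[kMGT])?$")


def parse_quantity(text):
    """Convert a Kubernetes quantity such as '20Gi' or '500M' to a byte count."""
    match = _QUANTITY.match(text.strip())
    if not match:
        raise ValueError(f"not a Kubernetes quantity: {text!r}")
    number, suffix = match.groups()
    return int(float(number) * _SUFFIX_BYTES[suffix or ""])


def default_discovery_tags(cluster_name):
    """Tags the cluster autoscaler looks for when no explicit tags are given."""
    return [
        "k8s.io/cluster-autoscaler/enabled",
        f"k8s.io/cluster-autoscaler/{cluster_name}",
    ]


def effective_discovery_tags(cfg):
    """Return the ASG tags auto-discovery will use, or [] when it is disabled."""
    auto = cfg.get("autoscaler", {}).get("auto_discovery", {})
    name = auto.get("cluster_name")
    if not name:
        return []  # an empty cluster_name disables auto-discovery
    return list(auto.get("tags") or default_discovery_tags(name))


def check_config(cfg):
    """Return a list of human-readable problems; an empty list means it passes."""
    problems = []

    builder = cfg.get("image_builder", {})  # parent key name is an assumption
    size = builder.get("cache_storage_size")
    retention = builder.get("cache_storage_retention")
    if size and retention and parse_quantity(retention) > parse_quantity(size):
        problems.append(
            f"cache_storage_retention {retention} exceeds cache_storage_size {size}"
        )

    registries = [
        key for key in ("internal_docker_registry", "external_docker_registry")
        if cfg.get(key)  # an empty mapping counts as not configured
    ]
    if len(registries) != 1:
        problems.append(
            "exactly one of internal_docker_registry or external_docker_registry "
            f"must be configured (found {len(registries)})"
        )

    autoscaler = cfg.get("autoscaler", {})
    if autoscaler.get("groups") and autoscaler.get("auto_discovery", {}).get("cluster_name"):
        problems.append(
            "autoscaler.groups is set but auto_discovery.cluster_name is not empty; "
            "clear cluster_name to disable auto-discovery"
        )
    return problems


# Constructed sample configs; the values are illustrative, not from a real deployment.
GOOD_CONFIG = {
    "external_docker_registry": {"host": "registry.example.internal"},  # key assumed
    "autoscaler": {"auto_discovery": {"cluster_name": "domino-prod", "tags": []}},
    "image_builder": {"cache_storage_size": "20Gi", "cache_storage_retention": "8Gi"},
}

BAD_CONFIG = {
    "internal_docker_registry": {},
    "external_docker_registry": {},  # neither block is actually configured
    "autoscaler": {
        "auto_discovery": {"cluster_name": "domino-prod"},
        "groups": [{"name": "workers", "min_size": 1, "max_size": 5}],
    },
    "image_builder": {"cache_storage_size": "20Gi", "cache_storage_retention": "25G"},
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_config(cfg) or "ok")
    print("discovery tags:", effective_discovery_tags(GOOD_CONFIG))
```

Running the script reports "ok" for the first config and three findings for the second. The quantity parser covers the decimal and binary suffixes used for storage sizes; if your config uses other Kubernetes suffixes, extend the table rather than comparing the raw strings.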
When the underlying OS does not support user namespace mapping, like EKS, you might have to disable rootless building for deployment targets. Running rootless in an environment that does not support it defaults to using the native filesystem snapshotter and causes image building performance to drop significantly.
| Key | Description | Required | Values |
|---|---|---|---|
| | Enable verbose logging. | ✓ | |
| | Run as a non-root user. | ✓ | |
| | Maximum number of concurrent image builds. | | |
| | Size of each image builder's cache. | | |
| | Amount of storage to keep during garbage collection. | | |
| | List of key/value pairs to use as the label for the selector. | | |
| | Duration after which the builder cluster is inspected for idle pods. | | Examples: 1h, 5m, 30s |
| | Duration after which idle build pods are terminated. | | Examples: 1h, 5m, 30s |
| | Duration the build waits to fetch and extract the remote Docker context. | | Examples: 1h, 5m, 30s |
| | Number of seconds the worker pool waits for a buildkit pod to become ready for traffic. | | |
Registries
Configures buildkit/hephaestus to support HTTP-only and/or self-signed registries.
| Key | Description | Required | Values |
|---|---|---|---|
| | Registry only supports HTTP. | ✓ | |
| | Registry uses a self-signed certificate and is considered insecure. | ✓ | |
Cloud registry authentication
Set up cloud authentication so that the image builder can pull images from and push images to cloud container registries.
Azure
| Key | Description | Required | Values |
|---|---|---|---|
| | Azure AD Directory (tenant) ID. | ✓ | |
| | Azure AD Application (client) ID. | ✓ | |
| | Azure AD Application secret, required when using a Service Principal. | | |