About Domino
Domino Data LabKnowledge BaseData Science BlogTraining

Deploy Domino on Google Kubernetes Engine (GKE)

This topic describes how to deploy Domino components on Google Kubernetes Engine (GKE). GKE is hosted on Google Cloud Platform (GCP).

Configure the cluster

  1. Use environment variables to set the values of IDs, names, and labels. This simplifies the commands you’ll run while installing Domino components:

    export DOMINO_VER=<The Domino version to deploy>
export QUAY_USERNAME=<`quay.io` username provided by Domino>
export QUAY_PASSWORD=<`quay.io` password provided by Domino>

  2. To retrieve the credentials for your Kubernetes cluster, check your local kubeconfig with:

    export KUBECONFIG=$(pwd)/kubeconfig

  3. Run the following to create the domino-platform namespace:

    kubectl create namespace domino-platform

  4. To make your application available through HTTPS, use the certificate for the project’s domain name to create a secret:

    kubectl -n domino-platform create secret tls my-cert --key=<path to your private key> --cert=<path to your cert>

Prepare the installation template and run the installer

fleetcommand-agent installs and configures Domino components. It uses an installation template to gather the required parameters for the environment and sets them when installing Domino components.

Generate a blank installation template with fleetcommand-agent

  1. If you aren’t already logged into quay.io, run:

    docker login -u $QUAY_USERNAME -p $QUAY_PASSWORD quay.io

  2. Generate a template configuration file named domino.yml in your working directory:

    Caution
    		 This overwrites existing domino.yml files. 
    docker run --rm -it
  -v $(pwd):/install
  quay.io/domino/fleetcommand-agent:{fleetcommand-agent-version}
  init --file /install/domino.yml --version $DOMINO_VER --preset gke
Important
 If you change the defaults in domino.yml, it can affect the stability of your deployment. If you must modify the file, contact a Domino representative.
Enter your environment parameters in the configuration template

You must reference the Terraform output from the infrastructure deployment described in Provision infrastructure and runtime environment to complete the configuration template. If you don’t have the output saved, run terraform output to retrieve it.

  1. Open the domino.yml file and edit the following attributes:

    • name: The name of the deployment. This can’t be changed post-deployment.

    • hostname: The hostname for the Domino install (for example, domino.example.com).

    • storage_class.block.type: gce

    • storage_class.shared.type: nfs

    • storage_class.shared.nfs.server: The google_filestore_ip_address from the Terraform output.

    • storage_class.shared.nfs.mount_path: /share1 (This must match the google_filestore_file_share Terraform output).

    • blob_storage.projects.type: shared

    • blob_storage.logs.type: shared

    • blob_storage.backups.type: gcs

    • blob_storage.backups.gcs.bucket: The google_bucket_name from the Terraform output.

    • blob_storage.backups.gcs.service_account_name: The google_platform_service_account from the Terraform output.

    • blob_storage.backups.gcs.project_name: The google_project from the Terraform output.

    • helm.image_registries.*.username: Your quay.io username.

    • helm.image_registries.*.password: Your quay.io password.

    • image_building.cloud_registry_auth.gcp.service_account: <google_gcr_service_account from terraform output>

    • internal_docker_registry : null

    • external_docker_registry: The google_artifact_registry from the Terraform output.

  2. Add the following code to the end of the file.

    release_overrides:
  nginx-ingress:
    chart_values:
      controller:
        kind: Deployment
        hostNetwork: false
        service:
          enabled: true
          type: LoadBalancer
          annotations:
            cloud.google.com/backend-config: '{"ports": {"80":"nginx-ingress-controller","443":"nginx-ingress-controller"}}'
        extraArgs:
          default-ssl-certificate: domino-platform/my-cert
Tip
 Domino recommends that you keep a backup copy of your final configuration file. To do this, use the following command: cp domino.yml{,.backup-$( date +%s )}
Install Domino with fleetcommand-agent

fleetcommand-agent installs and configures Domino components. It uses the installation template to gather the required parameters for the environment and sets them when installing Domino components.

To install Domino on the infrastructure you prepared, run the following:

curl -o fleetcommand-agent-install.sh https://docs.dominodatalab.com/attachments/fleetcommand-agent-install.sh
bash fleetcommand-agent-install.sh $DOMINO_VER

See fleetcommand-agent-install.sh Downloads for more information.

Tip
 If you encounter errors, investigate and resolve the root cause before you run fleetcommand-agent-sh again. Failures are often related to resource quotas and limits. Contact a Domino representative for assistance.
Create a network policy if you use your own ingress controller

If you use your own NGINX ingress controller by specifying ingress_controller.install = false, then you need to create a network policy in the Domino platform and compute namespace.

Here is an example of a network policy that allows ingress from the nginx namespace:

kubectl -n <domino-namespace> apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: external-nginx
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: nginx
  podSelector: {}
  policyTypes:
  - Ingress
EOF
Set up DNS

Run the following to get the external IP to access your instance’s Domino management plane:

kubectl -n domino-platform get svc nginx-ingress-controller

You can use this to update your DNS records accordingly.

Validate your installation

  1. Go to https://<YOUR-DOMAIN>/auth/

  2. Login with the username keycloak and the password from the keycloak-http secret in the domino-platform namespace.

  3. Use the following command to get the password:

    echo -e "\nyour password is: $(kubectl get secret keycloak-http  -n domino-platform --template={{.data.password}} | base64 -d)\n"

  4. Go to Users in the navigation pane and click Add User.

  5. Enter the username, first name, last name, and email address, and then click Save.

  6. Go to the Credentials tab and add a password.

  7. Optional: Disable Temporary.

  8. Click Set Password.

  9. Go to Role Mappings.

  10. From Client Roles, select domino-play.

  11. Select the User role and add it to your user.

  12. Go to the main page for your Domino deployment (for example, https://\<YOUR-DOMAIN\>) and sign in with your new Domino user.

  13. Go to Environments > Domino Standard Environment Py3.8 R4.1 > Revisions and make sure the revision is active. If not, use Build Logs to try to solve the problem.

  14. Go to Projects > Quick-start > Workspaces and launch a new workspace using Jupyter (this can take a while).

  15. When the new workspace is created open main.ipynb and confirm that you can execute the script without errors.

Enable user registration

Use Keycloak to enable user registration, so users can access your fresh Domino install. Keycloak is a user authentication service that runs on a pod in your cluster.