Deploy Domino on AKS

Use the information in this section to deploy Domino components in the Azure infrastructure.

  1. Set environment variables for the IDs, names, and labels in your Azure environment. This simplifies the commands that you will use when installing the Domino components.

    export SUB_ID=<ID of the subscription where AKS was deployed>
    export RG_NAME=<Name of the resource group where AKS was deployed>
    export CLUSTER_NAME=<AKS cluster name>
    export DOMINO_VER=<Domino version to deploy>
    export QUAY_USERNAME=<quay.io username provided by Domino>
    export QUAY_PASSWORD=<quay.io password provided by Domino>

    Note

    Gather the following parameters. You will add them to the domino.yml file when you enter the environment parameters in the configuration template.

    • TENANT_ID: ID of the tenant where AKS was deployed.

    • IMAGE_BUILD_CLIENT_ID: The image building client ID created by Terraform.

    • IMAGE_BUILD_WORKLOAD_IDENTITY: Whether the image build client ID is a workload identity.

    • REG_DNS_NAME: The DNS name of the container registry created by Terraform in the AKS resource group.

    • STORAGE_ACCOUNT_NAME: The name of the storage account created by Terraform in the AKS resource group.

    • STORAGE_ACCOUNT_KEY: The key of the storage account created by Terraform in the AKS resource group.

    • STORAGE_ACCOUNT_CONTAINER_NAME: The name of the container in the storage account created by Terraform in the AKS resource group.

  2. To retrieve credentials for the Kubernetes cluster, run the following command to add the AKS credentials to your kubectl config file:

    az aks get-credentials --subscription "$SUB_ID" --resource-group "$RG_NAME" --name "$CLUSTER_NAME"

  3. To create the domino-platform namespace, run:

    kubectl create namespace domino-platform

  4. To set up your HTTPS certificate, run the following command to create a TLS secret from the certificate and private key for your domain name. This certificate allows the Domino management plane to be accessible through HTTPS:

    kubectl -n domino-platform create secret tls my-cert --key=<path to your private key> --cert=<path to your cert>

The fleetcommand-agent runs as a container. It installs and configures Domino components. The fleetcommand-agent uses an installation template to gather the required parameters for the environment and sets them when installing Domino components.

The installation process with fleetcommand-agent generates a blank installation template where you enter your environment parameters and then provide them to fleetcommand-agent to perform the installation tasks.

Generate a blank installation template with fleetcommand-agent:
  1. If you aren’t logged into quay.io, execute:

    printf '%s' "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io

  2. Run the following command to generate a domino.yml template configuration file in the current working directory.

    Note
    This overwrites any existing domino.yml file.

    docker run --rm -it \
      -v "$(pwd)":/install \
      quay.io/domino/fleetcommand-agent:v65 \
      init --file /install/domino.yml --version "$DOMINO_VER" --preset aks

    Note
    Changing the defaults in domino.yml can affect the deployment. If you must adjust its parameters, contact a Domino representative.

Enter your environment parameters into the configuration template
  1. Open the domino.yml file and edit the attributes as follows:

    • name: The name of the deployment. This can’t be changed post-deployment.

    • hostname: The hostname for the Domino install (for example, domino.example.com).

    • storage_classes.block.type: azure-disk

    • storage_classes.shared.type: azure-file

    • storage_classes.shared.azure_file.storage_account: ""

      Important
      storage_classes.shared.azure_file.storage_account must be an empty string to correctly default to the AKS cluster’s default file store.

    • blob_storage.projects.azure.account_name: STORAGE_ACCOUNT_NAME value

    • blob_storage.projects.azure.account_key: STORAGE_ACCOUNT_KEY value

    • blob_storage.projects.azure.container: STORAGE_ACCOUNT_CONTAINER_NAME value

    • blob_storage.logs.type: shared

    • blob_storage.backups.type: shared

    • blob_storage.backups.azure.account_name: STORAGE_ACCOUNT_NAME value

    • blob_storage.backups.azure.account_key: STORAGE_ACCOUNT_KEY value

    • blob_storage.backups.azure.container: STORAGE_ACCOUNT_CONTAINER_NAME value

    • helm.image_registries.*.username: Your quay.io username.

    • helm.image_registries.*.password: Your quay.io password.

    • image_building.cloud_registry_auth.azure.tenant_id: TENANT_ID value

    • image_building.cloud_registry_auth.azure.client_id: IMAGE_BUILD_CLIENT_ID value

    • image_building.cloud_registry_auth.azure.workload_identity: IMAGE_BUILD_WORKLOAD_IDENTITY value

    • image_building.cloud_registry_auth.azure.client_secret: optional CLIENT_SECRET value

    • internal_docker_registry: null

    • external_docker_registry: The container registry DNS name.

    Note
    If you have DFS project files stored in Azure File Storage, you can contact Domino’s Customer Success team for assistance migrating that data to an Azure Blob Storage deployment.

  2. Add the following code to the end of the file.

    release_overrides:
      nginx-ingress:
        chart_values:
          controller:
            kind: Deployment
            hostNetwork: false
            service:
              enabled: true
              type: LoadBalancer
              annotations:
                service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/healthz"
            extraArgs:
              default-ssl-certificate: domino-platform/my-cert

    Note
    Domino recommends that you back up your final configuration file for future reference. To do this, use the following command: cp domino.yml{,.backup-$( date +%s )}
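
The values prescribed in the steps above can be checked mechanically before the installer runs. The script below is an added example, not part of the original page or of Domino's tooling; the function names are hypothetical, and it assumes domino.yml is block-style YAML with space indentation and scalar `key: value` lines. It also flags group or other access to the file, because domino.yml and its backups hold the storage account key and the quay.io password.

```sh
# Added example, not Domino tooling: pre-install check of domino.yml.
# Assumes block-style YAML, space indentation, one "key: value" per line; list
# items are skipped and values are compared exactly as written, quotes included.

# flatten_yaml FILE: print "dotted.path=value" for every scalar mapping entry.
flatten_yaml() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*-/ { next }   # comments, blanks, list items
    {
      ind = 0; while (substr($0, ind + 1, 1) == " ") ind++
      line = substr($0, ind + 1); p = index(line, ":"); if (p == 0) next
      key = substr(line, 1, p - 1); val = substr(line, p + 1)
      sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      while (depth > 0 && indent[depth] >= ind) depth--   # pop back to the parent
      depth++; indent[depth] = ind; name[depth] = key
      if (val == "") next                                 # mapping header, no scalar
      path = name[1]; for (i = 2; i <= depth; i++) path = path "." name[i]
      print path "=" val
    }' "$1"
}

# expect_value FLAT PATH WANT: fail unless PATH is set to exactly WANT.
expect_value() {
  got=$(printf '%s\n' "$1" |
    awk -v k="$2=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }')
  [ "$got" = "$3" ] || { echo "FAIL $2: want $3, got ${got:-<unset>}"; return 1; }
}

# check_domino_yml FILE: report deviations from the values this page prescribes
# and group/other access to the file. Returns non-zero if anything was reported.
check_domino_yml() {
  flat=$(flatten_yaml "$1"); rc=0
  while read -r key want; do
    expect_value "$flat" "$key" "$want" || rc=1
  done <<'EOF'
storage_classes.block.type azure-disk
storage_classes.shared.type azure-file
storage_classes.shared.azure_file.storage_account ""
blob_storage.logs.type shared
blob_storage.backups.type shared
internal_docker_registry null
release_overrides.nginx-ingress.chart_values.controller.extraArgs.default-ssl-certificate domino-platform/my-cert
EOF
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
    { echo "FAIL $1: group/other can access it, run chmod 600"; rc=1; }
  return "$rc"
}
if [ -n "${1:-}" ]; then check_domino_yml "$1"; fi
```

Saved under a name of your choice (for example check-domino.sh), it runs as `sh check-domino.sh domino.yml`; a non-zero exit status means at least one FAIL line was printed.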

Install Domino with fleetcommand-agent

fleetcommand-agent installs and configures Domino components. It uses the installation template to gather the required parameters for the environment and sets them when installing Domino components.

To install Domino on the infrastructure you prepared, run the following:

curl -o fleetcommand-agent-install.sh https://docs.dominodatalab.com/attachments/fleetcommand-agent-install.sh
bash fleetcommand-agent-install.sh $DOMINO_VER

See fleetcommand-agent-install.sh Downloads for more information.

Tip
If you encounter errors, investigate and resolve the root cause before you run fleetcommand-agent-install.sh again. Failures are often related to resource quotas and limits. Contact a Domino representative for assistance.

Create a network policy if you use your own ingress controller

If you use your own NGINX ingress controller by specifying ingress_controller.install = false, then you need to create a network policy in the Domino platform and compute namespaces.

Here is an example of a network policy that allows ingress to all pods in the namespace (podSelector: {}) from the nginx namespace:

kubectl -n <domino-namespace> apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: external-nginx
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: nginx
  podSelector: {}
  policyTypes:
  - Ingress
EOF

Set up DNS

Run the following to get the external IP to access your instance’s Domino management plane:

kubectl -n domino-platform get svc nginx-ingress-controller

You can use this to update your DNS records accordingly.

Note
You must enable WebSockets so Domino can sync files and workspaces. In most cases, WebSockets are enabled by default. However, some content delivery networks (CDNs) don’t support WebSockets.

If you use Azure Front Door or a similar CDN that doesn’t support WebSockets, you must route incoming traffic so that it skips the CDN.

As an alternative, Application Gateway has native WebSocket support.

Validate your installation

  1. Go to https://<YOUR-DOMAIN>/auth/

  2. Log in with the username keycloak and the password from the keycloak-http secret in the domino-platform namespace.

  3. Use the following command to get the password:

    echo -e "\nyour password is: $(kubectl get secret keycloak-http -n domino-platform --template='{{.data.password}}' | base64 -d)\n"

  4. Go to Users in the navigation pane and click Add User.

  5. Enter the username, first name, last name, and email address, and then click Save.

  6. Go to the Credentials tab and add a password.

  7. Optional: Disable Temporary.

  8. Click Set Password.

  9. Go to Role Mappings.

  10. From Client Roles, select domino-play.

  11. Select the User role and add it to your user.

  12. Go to the main page for your Domino deployment (for example, https://<YOUR-DOMAIN>) and sign in with your new Domino user.

  13. Go to Environments > Domino Standard Environment Py3.8 R4.1 > Revisions and make sure the revision is active. If not, use Build Logs to try to solve the problem.

  14. Go to Projects > Quick-start > Workspaces and launch a new workspace using Jupyter (this can take a while).

  15. When the new workspace is created, open main.ipynb and confirm that you can execute the script without errors.

Enable user registration

Use Keycloak to enable user registration, so users can access your fresh Domino install. Keycloak is a user authentication service that runs on a pod in your cluster.