Deploy Domino on AKS

Set up an HTTPS certificate

  1. Run the following to create the domino-platform namespace:

    kubectl create namespace domino-platform

  2. To make your application available through HTTPS, use the certificate for the project’s domain name to create a secret:

    kubectl -n domino-platform create secret tls my-cert --key=<path to your private key> --cert=<path to your cert>

Create an AKS configuration file

  1. Get the $FLEETCOMMAND_AGENT_TAG for your target release from the releases page.

  2. Use environment variables to set some values used by the ddlctl CLI. This simplifies the commands you’ll run while installing Domino components:

    unset HISTFILE
export QUAY_USERNAME=<`quay.io` username provided by Domino>
export QUAY_PASSWORD=<`quay.io` password provided by Domino>
export FLEETCOMMAND_AGENT_TAG=<Tag that corresponds to the version of Domino deployed>

  3. Generate an AKS configuration file.

    • Gather the required parameters which you will add to the generated configuration file when you enter the environment parameters in the configuration template:

      • TENANT_ID: ID of the tenant where AKS was deployed.

      • IMAGE_BUILD_CLIENT_ID: The image building client id created by terraform.

      • IMAGE_BUILD_WORKLOAD_IDENTITY: Whether the image build client id is a workload identity.

      • REG_DNS_NAME: The DNS name of the container registry created by terraform in the AKS resource group.

      • STORAGE_ACCOUNT_NAME: The name of the storage account created by terraform in the AKS resource group.

      • STORAGE_ACCOUNT_KEY: The key of the storage account created by terraform in the AKS resource group.

      • STORAGE_ACCOUNT_CONTAINER_NAME: The name of the container in the storage account created by terraform in the AKS resource group.

    • Run the following:

      ddlctl create config --agent-version $FLEETCOMMAND_AGENT_TAG --preset aks
      Important
      		 Changing the defaults in the generated configuration can affect the deployment. If you must adjust its parameters, contact a Domino representative.

  4. Review your generated configuration file and edit the attributes as follows, referencing the environment variables you collected earlier.

    • name: The name of the deployment. This can’t be changed post-deployment.

    • hostname: The hostname for the Domino install (for example, domino.example.com).

    • storage_classes.block.type: azure-disk

    • storage_classes.shared.type: azure-file

    • storage_classes.shared.azure_file.storage_account: ""

      Important
      		 storage_classes.shared.azure_file.storage_account must be an empty string to correctly default to the AKS cluster’s default file store.

    • blob_storage.projects.azure.account_name: STORAGE_ACCOUNT_NAME value.

    • blob_storage.projects.azure.account_key: STORAGE_ACCOUNT_KEY value.

    • blob_storage.projects.azure.container: STORAGE_ACCOUNT_CONTAINER_NAME value.

    • blob_storage.logs.type: shared

    • blob_storage.backups.type: shared

    • blob_storage.backups.azure.account_name: STORAGE_ACCOUNT_NAME value.

    • blob_storage.backups.azure.account_key: STORAGE_ACCOUNT_KEY value.

    • blob_storage.backups.azure.container: STORAGE_ACCOUNT_CONTAINER_NAME value.

    • helm.image_registries.*.username: Your quay.io username.

    • helm.image_registries.*.password: Your quay.io password.

    • image_building.cloud_registry_auth.azure.tenant_id: TENANT_ID value.

    • image_building.cloud_registry_auth.azure.client_id: IMAGE_BUILD_CLIENT_ID value.

    • image_building.cloud_registry_auth.azure.workload_identity: IMAGE_BUILD_WORKLOAD_IDENTITY value.

    • image_building.cloud_registry_auth.azure.client_secret: optional CLIENT_SECRET value.

    • internal_docker_registry : null

    • external_docker_registry: The container registry DNS name.

      Note
      		 If you have DFS project files stored in Azure File Storage, you can contact Domino’s Customer Success team for assistance migrating that data to an Azure Blob Storage deployment.

  5. Add the following code to the end of the file:

    release_overrides:
  nginx-ingress:
    chart_values:
      controller:
        kind: Deployment
        hostNetwork: false
        service:
          enabled: true
          type: LoadBalancer
          annotations:
            service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/healthz"
        extraArgs:
          default-ssl-certificate: domino-platform/my-cert

Install

With your configuration file ready, you can create a Domino custom resource using ddlctl:

$ ddlctl create domino --config {path-to-config-yaml} --agent-version $FLEETCOMMAND_AGENT_TAG

If you would prefer to just generate the Domino custom resource YAML, you can supply the --export flag and pipe the result to a file.

When the installation completes successfully, you should see a message that says:

2019-11-26 21:20:20,214 - INFO - fleetcommand_agent.Application - Deployment complete.
Domino is accessible at $YOUR_FQDN
Create a network policy if you use your own ingress controller

If you use your own NGINX ingress controller by specifying ingress_controller.install = false, then you need to create a network policy in the Domino platform and compute namespace.

Here is an example of a network policy that allows ingress from the nginx namespace:

kubectl -n <domino-namespace> apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: external-nginx
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: nginx
  podSelector: {}
  policyTypes:
  - Ingress
EOF
Set up DNS

Run the following to get the external IP to access your instance’s Domino management plane:

kubectl -n domino-platform get svc nginx-ingress-controller

You can use this to update your DNS records accordingly.

Note

  • You must enable WebSockets so Domino can sync files and workspaces. In most cases, WebSockets are enabled by default. However, some content delivery networks (CDNs) don’t support WebSockets.

  • If you use Azure Front Door or a similar CDN that doesn’t support WebSockets, you must route incoming traffic so that it skips the CDN.

  • As an alternative, Application Gateway has native WebSocket support.

Validate your installation

  1. Go to https://<YOUR-DOMAIN>/auth/

  2. Login with the username keycloak and the password from the keycloak-http secret in the domino-platform namespace.

  3. Use the following command to get the password:

    echo -e "\nyour password is: $(kubectl get secret keycloak-http  -n domino-platform --template={{.data.password}} | base64 -d)\n"

  4. Go to Users in the navigation pane and click Add User.

  5. Enter the username, first name, last name, and email address, and then click Save.

  6. Go to the Credentials tab and add a password.

  7. Optional: Disable Temporary.

  8. Click Set Password.

  9. Go to Role Mappings.

  10. From Client Roles, select domino-play.

  11. Select the User role and add it to your user.

  12. Go to the main page for your Domino deployment (for example, https://\<YOUR-DOMAIN\>) and sign in with your new Domino user.

  13. Go to Environments > Domino Standard Environment Py3.8 R4.1 > Revisions and make sure the revision is active. If not, use Build Logs to try to solve the problem.

  14. Go to Projects > Quick-start > Workspaces and launch a new workspace using Jupyter (this can take a while).

  15. When the new workspace is created open main.ipynb and confirm that you can execute the script without errors.

Enable user registration

Use Keycloak to enable user registration, so users can access your fresh Domino install. Keycloak is a user authentication service that runs on a pod in your cluster.