This topic describes how to deploy Domino components on Google Kubernetes Engine (GKE). GKE is hosted on Google Cloud Platform (GCP).
-
Run the following to create the
domino-platformnamespace:kubectl create namespace domino-platform -
To make your application available through HTTPS, use the certificate for the project’s domain name to create a secret:
kubectl -n domino-platform create secret tls my-cert --key=<path to your private key> --cert=<path to your cert>
-
Get the
$FLEETCOMMAND_AGENT_TAGfor your target release from the releases page. -
Use environment variables to set some values used by the
ddlctlCLI. This simplifies the commands you’ll run while installing Domino components:unset HISTFILE export QUAY_USERNAME=<`quay.io` username provided by Domino> export QUAY_PASSWORD=<`quay.io` password provided by Domino> export FLEETCOMMAND_AGENT_TAG=<Tag that corresponds to the version of Domino deployed> -
Generate a GKE configuration file:
ddlctl create config --agent-version $FLEETCOMMAND_AGENT_TAG --preset gkeImportantChanging the defaults in the generated configuration can affect the deployment. If you must adjust its parameters, contact a Domino representative. -
You must reference the Terraform output from the infrastructure deployment described in Provision infrastructure and runtime environment to complete the configuration. If you don’t have the output saved, run
terraform outputto retrieve it. -
Open the generated configuration file and edit the following attributes:
-
name: The name of the deployment. This can’t be changed post-deployment. -
hostname: The host name for the Domino install (for example,domino.example.com). -
storage_class.block.type:gce -
storage_class.shared.type:nfs -
storage_class.shared.nfs.server: Thegoogle_filestore_ip_addressfrom the Terraform output. -
storage_class.shared.nfs.mount_path:/share1(This must match thegoogle_filestore_file_shareTerraform output). -
blob_storage.projects.type:shared -
blob_storage.logs.type:shared -
blob_storage.backups.type:gcs -
blob_storage.backups.gcs.bucket: Thegoogle_bucket_namefrom the Terraform output. -
blob_storage.backups.gcs.service_account_name: Thegoogle_platform_service_accountfrom the Terraform output. -
blob_storage.backups.gcs.project_name: Thegoogle_projectfrom the Terraform output. -
helm.image_registries.*.username: Yourquay.iousername. -
helm.image_registries.*.password: Yourquay.iopassword. -
image_building.cloud_registry_auth.gcp.service_account: Thegoogle_gcr_service_accountfrom the Terraform output. -
internal_docker_registry:null -
external_docker_registry: Thegoogle_artifact_registryfrom the Terraform output.
-
-
Add the following code to the end of the file:
release_overrides:
nginx-ingress:
chart_values:
controller:
kind: Deployment
hostNetwork: false
service:
enabled: true
type: LoadBalancer
annotations:
cloud.google.com/backend-config: '{"ports": {"80":"nginx-ingress-controller","443":"nginx-ingress-controller"}}'
extraArgs:
default-ssl-certificate: domino-platform/my-certDomino recommends that you keep a backup copy of your final configuration file. To do this, use the following command:
cp domino.yml{,.backup-$( date +%s )}With your configuration file ready, you can create a Domino custom resource using ddlctl:
$ ddlctl create domino --config {path-to-config-yaml} --agent-version $FLEETCOMMAND_AGENT_TAGIf you would prefer to just generate the Domino custom resource YAML, you can supply the --export flag and pipe the result to a file.
When the installation completes successfully, you should see a message that says:
2019-11-26 21:20:20,214 - INFO - fleetcommand_agent.Application - Deployment complete.
Domino is accessible at $YOUR_FQDNIf you use your own NGINX ingress controller by specifying ingress_controller.install = false, then you need to create a network policy in the Domino platform and compute namespace.
Here is an example of a network policy that allows ingress from the nginx namespace:
kubectl -n <domino-namespace> apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: external-nginx
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: nginx
podSelector: {}
policyTypes:
- Ingress
EOFRun the following to get the external IP to access your instance’s Domino management plane:
kubectl -n domino-platform get svc nginx-ingress-controllerYou can use this to update your DNS records accordingly.
-
Go to
https://<YOUR-DOMAIN>/auth/ -
Login with the username
keycloakand the password from thekeycloak-httpsecret in thedomino-platformnamespace. -
Use the following command to get the password:
echo -e "\nyour password is: $(kubectl get secret keycloak-http -n domino-platform --template={{.data.password}} | base64 -d)\n" -
Go to Users in the navigation pane and click Add User.
-
Enter the username, first name, last name, and email address, and then click Save.
-
Go to the Credentials tab and add a password.
-
Optional: Disable Temporary.
-
Click Set Password.
-
Go to Role Mappings.
-
From Client Roles, select domino-play.
-
Select the User role and add it to your user.
-
Go to the main page for your Domino deployment (for example,
https://\<YOUR-DOMAIN\>) and sign in with your new Domino user. -
Go to Environments > Domino Standard Environment Py3.8 R4.1 > Revisions and make sure the revision is active. If not, use Build Logs to try to solve the problem.
-
Go to Projects > Quick-start > Workspaces and launch a new workspace using Jupyter (this can take a while).
-
When the new workspace is created open
main.ipynband confirm that you can execute the script without errors.
Use Keycloak to enable user registration, so users can access your fresh Domino install. Keycloak is a user authentication service that runs on a pod in your cluster.