Create an EKS configuration file
-
Get the
$FLEETCOMMAND_AGENT_TAGfor your target release from the releases page. -
Use environment variables to set some values used by the
ddlctlCLI. This simplifies the commands you’ll run while installing Domino components: -
Generate an EKS configuration file.
For a standard control plane install:
For a data plane install:
-
Gather Terraform values to update your configuration file:
-
If you deployed your infrastructure using the terraform-aws-eks module version v3.0.1 or above, you can use the included tf.sh script:
-
Otherwise use:
-
If you deployed your infrastructure using the terraform-aws-eks module version v3.0.1 or above, you can use the included tf.sh script:
-
For both control plane and data plane installs, open the
domino.ymlfile and edit the attributes as follows:-
name: The name of the deployment. This can’t be changed post-deployment. -
hostname: The hostname for the Domino install (for example,domino.example.com). -
storage_classes.block.parameters.kmsKeyId: KMS key for block storage. -
storage_classes.shared.efs.region: AWS region for the EFS system. -
storage_classes.shared.efs.filesystem_id: EFS file system ID. -
storage_classes.shared.efs.access_point_id: EFS access point ID.
-
autoscaler.auto_discovery.cluster_name: Name of the k8s cluster. -
autoscaler.aws.region: The AWS deployment region.Configure only eitherexternal_docker_registryorinternal_docker_registry. Theexternal_docker_registryshould only be set during new installations. If you are upgrading and have previously configuredinternal_docker_registry, you must continue to use it. -
external_docker_registry: Specifies the ECR Repository URL. -
internal_docker_registry.s3_override.region: AWS region for the S3 registry bucket. -
internal_docker_registry.s3_override.bucket: S3 bucket name for internal Docker registry. -
internal_docker_registry.s3_override.sse_kms_key_id: KMS key for S3 internal Docker registry bucket. -
blob_storage.projects.s3.region: S3 bucket region for projects. -
blob_storage.projects.s3.bucket: S3 bucket name for projects. -
blob_storage.projects.s3.sse_kms_key_id: KMS key for S3 projects bucket. -
blob_storage.logs.s3.region: S3 bucket region for logs. -
blob_storage.logs.s3.bucket: S3 bucket name for logs. -
blob_storage.logs.s3.sse_kms_key_id: KMS key for S3 logs bucket. -
blob_storage.backups.s3.region: S3 bucket region for backups. -
blob_storage.backups.s3.bucket: S3 bucket name for backups. -
blob_storage.backups.s3.sse_kms_key_id: KMS key for S3 backups bucket.
-
-
Configure the load balancer by adding the code below to the end of the file. Replace
<SSL certificate arn>and<Monitoring bucket name>with the values for your installation. Note that the CIDR0.0.0.0/0forloadBalancerSourceRangescan be updated to restrict access to certain CIDR blocks.
Domino’s NGINX ingress now runs a FIPS-validated OpenSSL that no longer supports the static-RSA cipher suites earlier versions of this example listed (
AES128-GCM-SHA256, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA256). The example above uses a Network Load Balancer (service.beta.kubernetes.io/aws-load-balancer-type: nlb), which is unaffected. This only matters if you still front NGINX with an AWS Classic Load Balancer: there, if your ssl-ciphers override includes any of those suites, the installer stops the upgrade with a configuration error until you remove them.The DHE-RSA suites are the ones the Classic Load Balancer can use, and they need Diffie-Hellman parameters. The installer adds the RFC 7919 ffdhe2048 group automatically, so leave dhParam unset; set release_overrides.nginx-ingress.chart_values.dhParam yourself only if you previously opted out with an empty value. Never use openssl dhparam output; FIPS accepts only the published RFC 7919 groups.Install Domino
Use the following command:ingress_controller.install = false, then you need to create a network policy in the Domino platform and compute namespace.
Here is an example of a network policy that allows ingress from the nginx namespace:
Validate your installation
-
Go to
https://<YOUR-DOMAIN>/auth/ -
Login with the username
keycloakand the password from thekeycloak-httpsecret in thedomino-platformnamespace. -
Use the following command to get the password:
- Go to Users in the navigation pane and click Add User.
- Enter the username, first name, last name, and email address, and then click Save.
- Go to the Credentials tab and add a password.
- Optional: Disable Temporary.
- Click Set Password.
- Go to Role Mappings.
- From Client Roles, select domino-play.
- Select the User role and add it to your user.
-
Go to the main page for your Domino deployment (for example,
https://\<YOUR-DOMAIN\>) and sign in with your new Domino user. - Go to Environments > Domino Standard Environment Py3.8 R4.1 > Revisions and make sure the revision is active. If not, use Build Logs to try to solve the problem.
- Go to Projects > Quick-start > Workspaces and launch a new workspace using Jupyter (this can take a while).
-
When the new workspace is created open
main.ipynband confirm that you can execute the script without errors.