Install Dash Enterprise on Google Kubernetes Engine (Multi-node) - Airgapped

This guide can help you if you are a new Dash Enterprise customer looking to start with a Dash Enterprise 5 installation, or if you are upgrading from Dash Enterprise 4.X.

About the Installation

Dash Enterprise 5 runs on Kubernetes, an open-source system that automates application lifecycles. Several managed services allow you to get started with Kubernetes-based software quickly. In this guide, you’ll learn how to install Dash Enterprise on Google Kubernetes Engine (GKE), available with a Google Cloud Platform (GCP) account.

In GKE, you work with a GKE cluster, which consists of multiple worker machines that are also called nodes. You host your GKE cluster inside your Virtual Private Cloud (VPC).

View diagram

<img>

Installing Dash Enterprise is an automated process. You use a bootstrap node to run Plotly-provided scripts that provision and prepare the infrastructure. A bootstrap node is a virtual machine (VM) whose only purpose is to run the scripts. After Dash Enterprise is installed, you can decommission it. Using fresh VMs is the best practice because the scripts are unlikely to run into errors caused by other installed software. This guide describes how to use GCP’s Compute Engine service to provision the bootstrap node (please reach out to our Customer Success team if you’re unable to use Compute Engine).

As part of the automated infrastructure provisioning, the private GKE cluster is provisioned inside your VPC network with the Google Cloud CLI gcloud container clusters create command. A network load balancer is created as the main point of entry for all traffic directed towards Dash Enterprise.

Remember that these resources count towards your GCP quotas. Review your billing and quotas if necessary.

The cluster nodes belong to a single availability zone (AZ), and the scripts expect a single subnet. The Dash Enterprise core system isn’t currently configured for high availability; however, as long as the core system is available, Dash app developers can take advantage of features like app replicas to increase the availability of deployed apps. High availability for the core system may be supported in the future.

You’ll be installing Dash Enterprise as the single tenant on the GKE cluster—that is, no other software is installed on the cluster (except mandatory supporting software). Single-tenancy is well-suited for Dash Enterprise because it is a complex platform: Dash Enterprise interacts with the Kubernetes API to organize resources on the fly when developers perform tasks like deploying Dash apps and creating databases. Multi-tenancy is not currently supported.

Plotly uses Replicated to package and deliver Dash Enterprise. You’ll be interacting with the KOTS Admin Console, part of the Replicated toolset, as part of the installation and configuration. After the installation, you’ll continue to use the KOTS Admin Console for system administration such as performing Dash Enterprise upgrades.

Before You Install

In order for Dash app developers to use an airgapped Dash Enterprise instance, their apps need to fetch Python package dependencies from an internal index. (If there is no internal index available, developers need to place Python packages individually in their app’s files, which is not recommended for apps that require many packages because it involves additionally managing those packages’ dependencies).

Before committing to an airgapped Dash Enterprise installation, make sure your organization can provide an internal index. Dash Enterprise requires that the index have a TLS/SSL certificate from a globally trusted certificate authority (CA).

A common strategy is to create a mirror of pypi.org. If your organization is instead building its own custom index, here are the Python packages we recommend making available (note that the version numbers were obtained via pip freeze in May 2023):

Expand list of packages

alembic==1.10.4
amqp==5.1.1
ansi2html==1.8.0
anyio==3.6.2
aplus==0.11.0
argon2-cffi==21.3.0
argon2-cffi-bindings==21.2.0
arrow==1.2.3
asn1crypto==1.5.1
astor==0.8.1
asttokens==2.2.1
attrs==23.1.0
autograd==1.5
autograd-gamma==0.5.0
backcall==0.2.0
beautifulsoup4==4.12.2
billiard==3.6.4.0
blake3==0.3.3
bleach==6.0.0
blinker==1.6.2
boto3==1.26.129
botocore==1.29.129
Brotli==1.0.9
cachetools==5.3.0
celery==5.2.7
certifi==2023.5.7
cffi==1.15.1
chardet==5.1.0
charset-normalizer==3.1.0
click==8.1.3
click-didyoumean==0.3.0
click-plugins==1.1.1
click-repl==0.2.0
cloudpickle==2.2.1
colorcet==3.0.1
comm==0.1.3
contourpy==1.0.7
cryptography==40.0.2
cx-Oracle==8.3.0
cycler==0.11.0
dash==2.9.3
dash-ag-grid==2.0.0
dash-bootstrap-components==1.4.1
dash-core-components==2.0.0
dash-html-components==2.0.0
dash-renderer==1.9.1
dash-table==5.0.0
dask==2023.4.1
databricks-sql-connector==2.5.1
datashader==0.14.4
datashape==0.5.2
debugpy==1.6.7
decorator==5.1.1
defusedxml==0.7.1
diskcache==5.6.1
distributed==2023.4.1
et-xmlfile==1.1.0
executing==1.2.0
fakeredis==1.0.3
fastjsonschema==2.16.3
filelock==3.12.0
Flask==2.2.2
Flask-Compress==1.13
Flask-Cors==3.0.10
flask-request-id==0.1
Flask-SQLAlchemy==2.5.1
fonttools==4.39.3
formulaic==0.6.1
fqdn==1.5.1
frozendict==2.3.8
fsspec==2023.5.0
future==0.18.3
graphlib-backport==1.0.3
greenlet==2.0.2
gunicorn==20.1.0
h5py==3.8.0
humanize==4.6.0
idna==3.4
importlib-metadata==6.6.0
importlib-resources==5.12.0
interface-meta==1.3.0
ipykernel==6.23.0
ipython==8.12.2
ipython-genutils==0.2.0
ipywidgets==8.0.6
isoduration==20.11.0
itsdangerous==2.1.2
jedi==0.18.2
Jinja2==3.1.2
jmespath==1.0.1
joblib==1.2.0
jsonpointer==2.3
jsonschema==4.17.3
jupyter==1.0.0
jupyter-client==8.2.0
jupyter-console==6.6.3
jupyter-core==5.3.0
jupyter-dash==0.4.2
jupyter-events==0.6.3
jupyter-server==2.5.0
jupyter-server-terminals==0.4.4
jupyterlab-pygments==0.2.2
jupyterlab-widgets==3.0.7
jwt==1.3.1
kiwisolver==1.4.4
kombu==5.2.4
lifelines==0.27.7
llvmlite==0.40.0
locket==1.0.0
lorem==0.1.1
lz4==4.3.2
Mako==1.2.4
markdown-it-py==2.2.0
MarkupSafe==2.1.2
matplotlib==3.7.1
matplotlib-inline==0.1.6
mdurl==0.1.2
mistune==2.0.5
msgpack==1.0.5
multipledispatch==0.6.0
nbclassic==1.0.0
nbclient==0.7.4
nbconvert==7.4.0
nbformat==5.8.0
nest-asyncio==1.5.6
nested-lookup==0.2.22
notebook==6.5.4
notebook-shim==0.2.3
numba==0.57.0
numpy==1.24.3
oauthlib==3.2.2
openpyxl==3.1.2
packaging==20.9
pandas==1.5.3
pandocfilters==1.5.0
param==1.13.0
parso==0.8.3
partd==1.4.0
pexpect==4.8.0
pg8000==1.29.4
pickleshare==0.7.5
Pillow==9.5.0
pkgutil-resolve-name==1.3.10
platformdirs==3.5.0
plotly==5.14.1
progressbar2==4.2.0
prometheus-client==0.16.0
prompt-toolkit==3.0.38
psutil==5.9.5
psycopg2-binary==2.9.6
ptyprocess==0.7.0
pure-eval==0.2.2
pyarrow==12.0.0
pycparser==2.21
pyct==0.5.0
pydantic==1.10.7
Pygments==2.15.1
PyJWT==2.6.0
PyMySQL==1.0.3
pyodbc==4.0.39
pyOpenSSL==23.1.1
pyparsing==3.0.9
pyrsistent==0.19.3
python-dateutil==2.8.2
python-dotenv==1.0.0
python-json-logger==2.0.7
python-utils==3.5.2
pytz==2023.3
PyYAML==6.0
pyzmq==25.0.2
qtconsole==5.4.3
QtPy==2.3.1
redis==3.5.3
regex==2023.5.5
requests==2.30.0
retrying==1.3.4
rfc3339-validator==0.1.4
rfc3986-validator==0.1.1
rich==13.3.5
s3transfer==0.6.1
scikit-learn==1.2.2
scipy==1.10.1
scramp==1.4.4
Send2Trash==1.8.2
six==1.16.0
sniffio==1.3.0
sortedcontainers==2.4.0
soupsieve==2.4.1
SQLAlchemy==1.4.48
stack-data==0.6.2
tabulate==0.9.0
tblib==1.7.0
tenacity==8.2.2
terminado==0.17.1
threadpoolctl==3.1.0
thrift==0.16.0
tinycss2==1.2.1
toolz==0.12.0
tornado==6.3.1
traitlets==5.9.0
typing-extensions==4.5.0
uri-template==1.2.0
urllib3==1.26.15
vaex-core==4.16.1
vaex-hdf5==0.12.3
vine==5.0.0
wcwidth==0.2.6
webcolors==1.13
webencodings==0.5.1
websocket-client==1.5.1
Werkzeug==2.2.2
widgetsnbextension==4.0.7
wrapt==1.15.0
wsgi-request-id==0.2
xarray==2022.9.0
zict==3.0.0
zipp==3.15.0

Important: Apps deployed to Dash Enterprise use Python 3.8.12, so be sure that the packages in your internal index are compatible with this version. When Dash Enterprise is airgapped, it is not possible for Dash app developers to change the Python version
that their apps use.

Similarly, if Dash app developers plan to deploy apps that depend on APT packages, you’ll need to prepare a custom APT repository with a TLS/SSL certificate from a globally trusted certificate authority (CA).

Prerequisites

Here’s what you’ll need to start your airgapped Dash Enterprise installation:

The internal Python package index detailed above (and custom APT repository, if using).
A private container registry to host the Dash Enterprise images. This container registry cannot have an authentication layer—it must be reachable with anonymous read access. (In the future, Dash Enterprise may be compatible with authenticated private container registries). The following registries are supported:
Docker Hub
Quay
Amazon Elastic Container Registry (ECR)
Google Container Registry (GCR)
Harbor
Sonatype Nexus
A workstation with internet access, a web browser, and 20 GB of free disk space.
An SSH key pair.
A wildcard or multi-domain TLS/SSL full certificate chain and unencrypted private key obtained from a globally trusted certificate authority (CA). The full certificate chain must be a .pem file in the following format:
txt -----BEGIN CERTIFICATE----- <Your> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <Your> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <Your> -----END CERTIFICATE-----

Self-signed certificates, internally signed certificates, and using multiple certificates are not supported. If you obtained your certificate as multiple files, you need to combine them into a single .pem file. You can do this with cat server.pem intermediate.pem trustedroot.pem > fullchain.pem on Linux or copy server.pem+intermediate.pem+trustedroot.pem fullchain.pem on Windows, replacing the file names if yours are different.

You’ll upload the full certificate chain and unencrypted private key during the configuration, and they will be used to terminate TLS/SSL. If you need to preview the required DNS entries, go to Creating DNS Entries, but note that you’ll only be able to create them after the installation.

The following GCP resources:
A GCP project.
A service account with the predefined Kubernetes Engine Admin IAM role (roles/container.admin) and Service Account User role (roles/iam.serviceAccountUser) whose credentials you’ll use to provision the GKE cluster. Learn how to create a service account.
A key file for the service account in JSON format that you’ll use to authenticate as the service account. Learn how to create a service account key.
A user account with the Service Account User role (roles/iam.serviceAccountUser), required to manage the service account, and the Compute Instance Admin v1 (roles/compute.instanceAdmin.v1) role, required to create and manage the bootstrap node.
The Google Cloud CLI is installed on your workstation and you are logged in with your user account.
A private VPC network that the cluster nodes will run on. This network must allow communication to:
- The internal Python package index (and custom APT repository, if using).
- The private container registry.
- Your Dash Enterprise base domain.
Sufficient IP addresses available for Kubernetes to use internally. As a rule of thumb, we recommend 60 IP addresses times the number of nodes in your cluster. This corresponds to 240 IP addresses if your organization purchased the Standard offering of Dash Enterprise, or 600 IP addresses for Premium.

Calculating a more accurate IP requirement: Kubernetes needs one IP address for each service or pod. The Dash Enterprise core system uses 46 services and 105 (Standard) or 151 (Premium) pods. In addition, pods are created when Dash app developers perform certain actions. If you know about your organization’s intended usage of Dash Enterprise, such as how many apps and workspaces developers plan to create, you can calculate a more accurate IP requirement than the rule of thumb above.

Preparing Your Installation

Contact our Customer Success team to get started. We’ll ask you:

The base domain you want for your Dash Enterprise instance. It must be a fully qualified domain name (FQDN).
Whether your environment has any requirements (if your environment requires advanced configuration, an additional Support and Services Engagement may be required).
How your organization plans to use Dash Enterprise and whether you need changes to the default gcloud container clusters create command, which defines the GKE cluster to be provisioned. Note that not all options for this command are supported by Plotly.
The zone you want for the GKE cluster.
The name you want for the GKE cluster.
The scheme you want for your load balancer (internal or internet-facing). Airgapped installations typically use internal load balancers.
Whether you want to retrieve the Dash Enterprise images (and third-party images) in your private container registry before the installation (for instance, to perform a security scan).

Obtaining Your Installation Plan

When we have this information, we’ll send you a tailor-made installation script as well as a link and password to a download portal from which you’ll need to download airgap bundles. Your Installation Plan is tailor-made based on your conversation with Customer Success and contains everything you need to install Dash Enterprise for your organization.

Your Installation Plan contains:

Your infrastructure provisioning script, provision_infra_gcp.sh, containing the commands for provisioning the GKE cluster. The gcloud container clusters create command looks similar to the examples below:

Your cluster preparation script, prepare_cluster_gcp_airgapped.sh, which installs supporting software and prepares for the Dash Enterprise installation.
Your config file, config.sh which contains variables used by the scripts. You’ll define some of these valuables as part of the install preparation.

Defining Variables in the Scripts

Unzip your Installation Plan and open the config file. At the top, edit the following variable values:

ADMIN_PASSWORD: The password you want to set for the KOTS Admin Console.

About storing and resetting this password: We recommend storing this password in your organization’s password manager, and giving access to any other members of your team who will be managing the Dash Enterprise system (notably performing upgrades and obtaining support bundles). This password is not retrievable with a kubectl command. It can be changed in the Admin Console UI by anyone who is able to log in with the current password. If lost, reset it by downloading the KOTS CLI and running kubectl kots reset-password plotly-system.

HOST_INTERNAL_REGISTRY: The URL to the private container registry you are using for Dash Enterprise images.
DCK_REGISTRY_USER: The username for the account you’ll use to push images to your private container registry.
DCK_REGISTRY_PASSWORD: The password for the account you’ll use to push images to your private container registry.
PROJECT_ID: The name of the GCP project you are using.
SERVICE_ACCOUNT_KEYFILE: The path to the service account key file on the bootstrap node. You’ll move this key file to the home directory of the bootstrap node in a later step, so set this to /home/<username>/<file-name>, where <username> is the username in your SSH public key (comes before the @ in your email address) and <file-name> is the full name of the key file, including the .json extension.
K8S_MASTER_CIDR: The IP range you want to use for the Kubernetes control plane. For example, 172.16.1.16/28.
PRIVATE_NETWORK: The name of the private VPC network that you want to use.
PRIVATE_SUBNET: The name of the subnet that you want to use.
SKIP_PUSH_IMAGES: Set to true if you have retrieved the Dash Enterprise images into your private container registry before the installation. Otherwise, leave false.
SKIP_REGISTRY_CHECK: Set to true if you have retrieved the Dash Enterprise images into your private container registry before the installation. Otherwise, leave false.

Finally, note the value for KOTS_VERSION. You’ll need this version number in a later step.

Downloading Your License and Airgap Bundles

In this step, you’ll download your Dash Enterprise license file as well as the airgap bundles required to install Dash Enterprise and the KOTS Admin Console. Note that the Dash Enterprise airgap bundle is approximately 15 GB, and
the KOTS airgap bundle is approximately 1 GB.

To download the Dash Enterprise license and airgap bundles:

On your workstation, use the link and password provided by our Customer Success team to go to the download portal.
In the left sidebar, make sure Bring my own cluster is selected.
Under License, select Download license.
Under dash-enterprise Airgap Bundle, select Download airgap bundle.
Under KOTS Airgap Bundle, select the airgap bundle corresponding to the version number for KOTS_VERSION in your config file; then select Download bundle. You’ll use this bundle to install the KOTS Admin Console in a later step.

Preparing Your Bootstrap Node

In this step, you’ll use GCP’s Compute Engine service to provision a VM that runs on Ubuntu 20. This VM will serve as your bootstrap node.

To create a VM:

In the Google Cloud console, select the project you want to use for your GKE cluster.
Go to Compute Engine.
Go to VM Instances; then select Create instance.
In Name, enter a name for your VM.
In Machine type, select e2-medium (2 vCPU, 4 GB memory).

<img>

Configure the boot disk:
Under Boot disk, select Change. The Boot disk pane opens.
In Operating System, select Ubuntu.
In Version, select Ubuntu 20.04 LTS (x86).
In Size (GB), enter 50.

<img>

Select Select.
In Service account, select the service account you want to use.
Review the network interface:
Expand Advanced options.
Expand Networking.
Under Network interfaces, make sure the selected network has access to the internet (required by the cluster provisioning and preparation scripts that you’ll run on the bootstrap node). You’ll also need
to open firewall rules on this network in step 12, so change the network to a more appropriate one if needed.
Use the default settings for everything else or adjust them to your preference; then select Create.
Add your public SSH key to the bootstrap node:
1. Select your newly created VM; then select Edit.
2. Under Security and access, select Add item.
3. In SSH key 1, enter your SSH public key.
4. Select Save. The username and key are displayed under SSH keys. You’ll use this username when SSHing into the VM in a later step.

<img>

Review your network and bootstrap node settings to allow your bootstrap node to access your private VPC network (required by the cluster preparation script when pushing supporting software images to your private container registry).
There are a few ways to accomplish this, such as adding the bootstrap node to your organization’s VPN. If you opt to add your private VPC network as a secondary interface on the bootstrap node (not recommended unless you have precautions in place), make sure the private subnet has Private Google Access set to On.
Configure the firewall rules:

Under Network interfaces, select the Network used by your VM instance.
In the Firewalls tab, add an ingress firewall rule for port 8800 (required to port-forward the KOTS Admin Console) and, if not already present, an inbound port rule for port 22 (required to SSH into the VM).
Go back to the list of VM instances. Next to your newly created VM, select More actions <img> > View network details.
In the Firewall and routes details section, select the Firewall tab and check that ports 22 and 8800 are open. In the example below, we’ve named our rule for port 8800 “replicated-manager”.

<img>

If your organization uses outbound rules, then you’ll also need the following:

Domain	Purpose	I/O
packages.cloud.google.com	Download the Google Cloud CLI	Outbound
dl.k8s.io	Download `kubectl`	Outbound
github.com	Download Cert Manager and ImageSwap	Outbound
raw.githubusercontent.com	Download ImageSwap	Outbound
quay.io	Download Cert Manager and ImageSwap	Outbound
*.istio.io	Download Istio	Outbound
kots.io	Download the KOTS plug-in	Outbound
ubuntu.com	`apt-get` packages from Ubuntu	Outbound
launchpad.net	`apt-get` packages from Debian	Outbound

Moving Files to Your Bootstrap Node

In this step, you’ll move your infrastructure provisioning script, service account key file, and KOTS airgap bundle to the bootstrap node. One way to do this is to use secure copy protocol (SCP).

To transfer the infrastructure provisioning script, service account key file, and KOTS airgap bundle to your bootstrap node’s home directory using SCP:

sh scp -i path/to/private/key path/to/infra/provisoning/script path/to/service/account/key path/to/kots/airgap/bundle <username>@<bootstrap-ip>:.
where path/to/private/key is the path to the SSH private key corresponding to the public key you added to your bootstrap node, path/to/infra/provisoning/script is the path to your infrastructure provisioning script, path/to/service/account/key is the path to your service account key file, path/to/kots/airgap/bundle is the path to the KOTS airgap bundle, <username> is the username displayed under SSH keys in your bootstrap node information, and <bootstrap-ip> is the external IP address displayed under Network interfaces in your bootstrap node information.

Provisioning and Preparing the GKE Cluster

Provisioning the GKE Cluster

In this step, you’ll run the cluster provisioning script.

To provision the GKE cluster:

SSH into your bootstrap node:
sh ssh -i path/to/private/key <username>@<bootstrap-ip>
where path/to/private/key is the path to the SSH private key corresponding to the public key you added to your bootstrap node, <username> is the username displayed under your bootstrap node’s SSH keys, and <bootstrap-ip> is the external IP address displayed under Network interfaces.
In the home directory of your bootstrap node, run the infrastructure provisioning script:
bash provision_infra_gcp_airgapped.sh

The script takes several minutes to complete. Continue when you are returned to the command prompt.

You can review the cluster in the GCP console by going to Kubernetes Engine > Clusters and selecting it from the list.

Make sure that there are no network settings that would prevent the nodes in your cluster from communicating with one another.

Adding the New Network to Existing Resources

When the script provisioned the GKE cluster, it created a new network for the Kubernetes control plane using the IP range that you specified for K8S_MASTER_CIDR.

In this step, you’ll open communication between the new network created for the Kubernetes control plane and your private network that the nodes run on. You’ll also allow your bootstrap node to reach the new network, which is required for the kubectl commands that you’ll run as part of the cluster preparation script.

To add the new network to your existing resources:

Open the communication between the Kubernetes control plane and the nodes:
In the Google cloud console, go to VPC networks.
Select your private network.
Go to Firewalls.
Add an egress firewall rule where the destination IPv4 ranges is the range you defined for K8S_MASTER_CIDR.
Add an ingress firewall rule where the source IPv4 ranges is the range you defined for K8S_MASTER_CIDR.

For example, if your K8S_MASTER_CIDR is 172.16.1.16/28, your egress and ingress firewall rules look like:

<img>

Allow your bootstrap node to reach the Kubernetes control plane. One way to do this is to add a route to your bootstrap node:
sh sudo ip route add <control-plane-ip-range> via <private-subnet-gateway> dev ens5
where <control-plane-ip-range> is the IP range that you defined for K8S_MASTER_CIDR and <private-subnet-gateway> is your private subnet gateway.
Test the cluster connection from the bootstrap node:
kubectl cluster-info

This command should output information about the Kubernetes cluster you just provisioned. If it doesn’t, more environment-specific adjustments may be needed. Ensure
that you are able to successfully run this command before continuing to the next step.

Preparing the Cluster and Port-Forwarding the KOTS Admin Console

In this step, you’ll run the cluster preparation script. This script does the following:

Installs Cert Manager and Istio on the cluster.
Authenticates your user to your private container registry.
Renames references to Cert Manager and Istio images, and pushes them to your private container registry.
Creates the plotly-system namespace, in which the core system components of Dash Enterprise will be installed.
Installs the KOTS CLI as well as the KOTS Admin Console (using the KOTS airgap bundle), and then port-forwards the Admin Console so that you can use it to install Dash Enterprise.

To prepare your cluster and port-forward the KOTS Admin Console:

In the home directory of your bootstrap node, run the cluster preparation script:
bash prepare_cluster_gcp_airgapped.sh
When you are prompted for the kots install location by Enter installation path (leave blank for /usr/local/bin), press Enter to accept the default.
When you are prompted to grant write permissions to /usr/local/bin, press y (you will not be prompted for a password).

The script takes several minutes to complete. Continue when you see the message Forwarding from 0.0.0.0:8800 -> 3000 (do not exit yet).

If you exit by mistake, restart the port-forward with kubectl port-forward -n plotly-system svc/kotsadm --address 0.0.0.0 8800:3000.

Installation

Now that your GKE cluster is provisioned, you’re ready to install Dash Enterprise on it. The KOTS Admin Console will take you through uploading your Dash Enterprise license and airgap bundle.

To access the KOTS Admin Console and install Dash Enterprise:

On your workstation, go to http://<bootstrap-ip>:8800, where <bootstrap-ip> is the external IP address of your bootstrap node.
Enter the password that you set for ADMIN_PASSWORD in Defining Variables in the Scripts; then select Log in. You are prompted to upload your license.
Drag or browse to the license file in your Installation Plan; then select Upload license. The Admin Console opens to the Install in airgapped environment page, where your private container registry information is automatically entered.
In the area labelled “Drag your airgap bundle here or choose a bundle to upload,” drag or browse to the Dash Enterprise .airgap file you downloaded earlier.
If you have not retrieved the Dash Enterprise images into your private container registry before the installation (SKIP_PUSH_IMAGES and SKIP_REGISTRY_CHECK are false in your config file), clear the Disable Pushing Images to Registry checkbox. (Note that this setting will be saved and applied when you upgrade Dash Enterprise. Change it in the Admin Console registry settings if you don’t want to keep this workflow for Dash Enterprise upgrades).
Select Upload airgap bundle. The upload can take several minutes.

When the upload is complete, the KOTS Admin Console opens to the Configure Dash Enterprise page.

Uploading the Certificate and Running Preflight Checks

Now that Dash Enterprise is installed, you’re ready for configuration. The KOTS Admin Console will take you through uploading your TLS/SSL certificate and running preflight checks.

On the Configure Dash Enterprise page, do the following:

Upload your TLS/SSL certificate and key.
Select Continue. The Admin Console runs preflight checks, which can take up to a few minutes.
Wait for the preflight checks to complete. If the results are all successful, select Continue. If you encounter an error, contact Customer Success.
The Admin Console opens to the dashboard, where the status of the system is displayed. The system is not ready until DNS entries are created, so it is normal for the status to display “Missing” or “Unavailable”.
On your bootstrap node, press Ctrl+C to disconnect from the Admin Console for now (you can reconnect with kubectl port-forward -n plotly-system svc/kotsadm --address 0.0.0.0 8800:3000).

Creating DNS Entries

In this step, you’ll create the DNS entries according to your organization’s best practices.

To create the DNS entries for Dash Enterprise:

On your bootstrap node, get the load balancer IP:

sh kubectl get service -n plotly-system ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}' && echo

Create the DNS entries according to the table below.

Name	Type	Value
`<base-domain>`	A Record	`<load-balancer-ip>`
api-`<base-domain>`	CNAME	`<base-domain>`
ws-`<base-domain>`	CNAME	`<base-domain>`
git-`<base-domain>`	CNAME	`<base-domain>`
registry-`<base-domain>`	CNAME	`<base-domain>`
auth-`<base-domain>`	CNAME	`<base-domain>`
admin-`<base-domain>`	CNAME	`<base-domain>`

Your base domain is an A record whose value is the IP of the load balancer that you obtained in step 1. The sub-domains required for Dash Enterprise are CNAMES whose values are your base domain.

Once the DNS entries are created and propagated, go to the Admin Console using its sub-domain: https://admin-<your-dash-enterprise-server>.

Continue when the status in the Admin Console is Ready.

<img>

Configuring User Access

Make sure members of your organization who will be using Dash Enterprise have the right accesses. The exact steps look different depending on your environment. If your organization uses a VPN, configuring this access might involve defining and assigning VPN profiles.

Using the load balancer IP you obtained, configure the access as follows:

Port 443 is open for everyone (app users, app developers, and administrators).
(Recommended) Port 22 is open for app developers.

Important: Port 22 is required for app developers to deploy their apps with git push over SSH. Dash Enterprise also supports deployments over HTTPS, but not if you configure authentication using a SAML or OIDC identity provider.
If you plan to use a SAML or OIDC identity provider, make sure port 22 is open to app developers.

Accessing Dash Enterprise

Before you can log in to Dash Enterprise at https://<your-dash-enterprise-server>, you’ll need to create a Dash Enterprise user in Keycloak. Keycloak is the identity and access management solution for Dash Enterprise.

You’ll be returning to Keycloak when you’re ready to configure authentication for Dash Enterprise. To learn about important settings and choose between different identity provider modes, go to Using Keycloak.

Obtaining and Storing the Keycloak Password

In this step, you’ll retrieve the Keycloak password that is stored as a secret in your cluster and save it according to your organization’s best practices.

To obtain and store the Keycloak password:

On your bootstrap node, retrieve the password to Keycloak (this displays the password in plain text):

sh kubectl get secret keycloak-secrets -n plotly-system -o jsonpath='{.data.KEYCLOAK_PASSWORD}' | base64 -d && echo

Note about recovering the Keycloak password: If you change this password via the Keycloak interface, it will no longer correspond to what is
stored in your cluster. We recommend keeping it as is so that you can always recover it with this kubectl get secret command.

Copy the password.
Add the password to your organization’s password manager or other secure storage, along with the username admin. You can share these credentials with other members in your organization who need to access Keycloak.

Creating Your Dash Enterprise Admin User

In this step, you’ll log in to Keycloak using the stored credentials and create a new user with the admin role. The admin role grants access to the Admin section of the Dash Enterprise App Manager, which you’ll use to configure system limits
in a later step. Learn more about the admin role.

To access Keycloak and create your admin user:

Go to https://auth-<your-dash-enterprise-server>
Select Administration Console.
Enter the Keycloak credentials that you obtained and stored.

<img>

Select Sign In.
Make sure Dash is selected in the realm list in the top left corner.
Select Users > Add User.
In Username, enter the username you want to use.
Select Save. Additional settings become available.
Go to Credentials.
In Password and Password Confirmation, enter the password you want to use.
Select Set Password; then set password again to confirm.
Assign the admin role:
1. Go to Role Mappings.
2. In Client Roles, select dash.
3. In Available Roles, select admin; then select Add selected. Note that if you intend on deploying Dash apps, you’ll also need the licensed_user role, and assigning this role consumes a license seat.

To log into Dash Enterprise with this user, go to https://<your-dash-enterprise-server> and enter the credentials that you saved in Keycloak. Dash Enterprise opens to the Portal. Go to the App Manager by selecting Apps > App Manager.

<img>

You can now safely delete the VM that you used as your bootstrap node.

Setting System Limits

In this step, you’ll safeguard Dash Enterprise against usage that would cause the Kubernetes cluster to exceed the resources it can support. Specifically, you’ll add limits to the amount of pods and volumes (PVC) that can exist, temporarily preventing Dash app developers from performing actions that would create more pods and volumes on the cluster when the limit is reached. To do so, you’ll use the System Limits setting in the Admin section of the App Manager. To learn how to calculate and set limits that are appropriate for your cluster, go to Pod and Volume Limits.