Install Dash Enterprise on a Bare Metal Server

This guide can help you if you are a new Dash Enterprise customer looking to start with a Dash Enterprise 5 installation, or if you are upgrading from Dash Enterprise 4.X.

About the Installation

Installing Dash Enterprise is an automated process. You’ll run a script on your bare metal server that creates a Kubernetes cluster using kURL and installs Dash Enterprise on it.

You’ll be installing Dash Enterprise as the single tenant on the cluster—that is, no other software is installed on the cluster (except mandatory supporting software). Single-tenancy is well-suited for Dash Enterprise because it is a complex platform, organizing resources on the fly when developers perform tasks like deploying Dash apps and creating databases. Multi-tenancy is not currently supported.

You can configure Dash Enterprise to use an HTTP/HTTPS proxy (address like http://my.proxy.url:port) that is already present in your environment. Secure HTTP proxies (addresses like https://my.proxy.url:port) are not supported.

Plotly uses Replicated to package and deliver Dash Enterprise. You’ll be interacting with the KOTS Admin Console, part of the Replicated toolset, in the configuration step of this installation. After the installation, you’ll continue to use the KOTS Admin Console for system administration such as performing Dash Enterprise upgrades.

Before You Install

Here are some important notices and details about supported configurations before you get started.

If your server is in a public network, a TLS certificate is generated for you automatically by default. This automatically generated certificate works as follows:
* The TLS certificate is issued by Let’s Encrypt, a globally-trusted certificate authority (CA), so it is already in the root of trust stores used by major browsers, operating systems, and applications. Internet traffic is authenticated and encrypted with no additional configuration.
* Let’s Encrypt uses the Automatic Certificate Management Environment (ACME) protocol for automated management of the certificate. The certificate is automatically renewed every 90 days.
* Cert Manager, a Kubernetes-native component that is installed with Dash Enterprise, takes care of creating the required ACME client.
* You cannot view or download the automatically generated certificate.


Minimum specifications for the bare metal server change depending on which offering of Dash Enterprise your organization has purchased.

The root certificate can be issued by an external/globally-trusted CA or by a CA internal to your organization. Using multiple certificates or self-signed certificates are not supported.

If you obtained your certificate chain as multiple files, you need to combine them into a single .pem file. You can do this with cat server.pem intermediate.pem trustedroot.pem > fullchain.pem on Linux or copy server.pem+intermediate.pem+trustedroot.pem fullchain.pem on Windows, replacing the file names if yours are different.

You’ll upload the full certificate chain and unencrypted private key during the configuration, and they will be used to terminate TLS/SSL.

Name Type Value
<base-domain> A record <server-ip>
api-<base-domain> CNAME <base-domain>
ws-<base-domain> CNAME <base-domain>
git-<base-domain> CNAME <base-domain>
registry-<base-domain> CNAME <base-domain>
auth-<base-domain> CNAME <base-domain>
admin-<base-domain> CNAME <base-domain>

where <base-domain> is a fully qualified domain name (FQDN) that you want to use as the base domain for your Dash Enterprise instance and <server-ip> is the IP address of your bare metal server.

Preparing Your Installation

Contact our Customer Success team to get started. We’ll ask you the base domain you want for your Dash Enterprise instance (it must be an FQDN), as well as other questions for support purposes.

Important note about your base domain: The base domain that you select for your Dash Enterprise instance can be changed later, but changing it requires support from Plotly. We recommend being certain of the base domain that you want to use before beginning your installation.

Obtaining Your Installation Plan

When we have all the information we need, we’ll send you a zipped folder called your Installation Plan. Your Installation Plan is tailor-made based on your conversation with Customer Success and contains everything you need to install Dash Enterprise for your organization.

Your Installation Plan contains:

Defining Variables in the Script

Unzip your Installation Plan and open the config file. At the top, edit the following variable values:

About storing and resetting this password: We recommend storing this password in your organization’s password manager, and giving access to any other members of your team who will be managing the Dash Enterprise system (notably performing upgrades and obtaining support bundles). This password is not retrievable with a kubectl command. It can be changed in the Admin Console UI by anyone who is able to log in with the current password. If lost, reset it by downloading the KOTS CLI and running kubectl kots reset-password plotly-system.

If your organization uses its own custom CA (with the internal root CA certificate installed on users’ systems), you can add the internal root CA certificate to Dash Enterprise with INTERNAL_CA_CERTIFICATE. It must be a .crt file and contain the root certificate only—not the full chain. Provide it as follows:

Moving Files to Your Server

In this step, you’ll move the files that are required for installation to your bare metal server. One way to do this is to use secure copy protocol (SCP).

To transfer the files to your bare metal server’s home directory using SCP:
sh scp -i path/to/private/key path/to/installation/script path/to/config/file path/to/root/ca <username>@<server-ip>:~
* path/to/private/key is the path to the SSH private key corresponding to the public key you added to your bare metal server
* path/to/installation/script is the path to in your Installation Plan
* path/to/config/file is the path to in your Installation Plan
* path/to/root/ca is the path to your internal root CA certificate, if using
* <username> is the username of your bare metal server
* <server-ip> is the IP of your bare metal server

Configuring the SSH Port

By default, Dash Enterprise expects app deployments over SSH to use port 22. In this step, you’ll map the Linux OpenSSH daemon (sshd) to a different port to free up port 22 for Dash Enterprise.

If you plan to customize the Git SSH port when configuring Dash Enterprise, then you can skip this step.

This procedure differs based on the operating system of your bare metal server.

The next time you SSH into the server, you’ll need to append the new SSH port to the ssh command.


To install Dash Enterprise:

  1. If you aren’t already, SSH into your bare metal:
    sh ssh -i path/to/private/key <username>@<server-ip> -p <new-ssh-port>
    where path/to/private/key is the path to the SSH private key corresponding to the public key you added to your bare metal server, <username> is the username of your bare metal server, and <server-ip> is the IP of your bare metal server. Omit -p <new-ssh-port> if you did not remap the SSH port, or use the appropriate port if you did.

  2. In the home directory of your bare metal server, run the installation script:
    sudo bash

The script takes several minutes to complete. Continue when you see the message Forwarding from -> 3000 (do not exit yet).

If you exit by mistake, restart the port-forward with kubectl port-forward -n plotly-system svc/kotsadm --address 8800:3000.


Now that your single-node cluster is created and Dash Enterprise is installed on it, you’re ready for configuration. The KOTS Admin Console will take you through several configuration options.

To access the KOTS Admin Console and configure Dash Enterprise:

  1. On your workstation, go to http://<server-ip>:8800, where <server-ip> is the IP of your bare metal server.
  2. Enter the password that you set for ADMIN_PASSWORD in Defining Variables in the Script; then select Log in. You are prompted to upload your license.
  3. Drag or browse to the license file in your Installation Plan; then select Upload license. The Admin Console opens to the Configure Dash Enterprise page.
  4. In TLS Settings, do one of the following:
    * Select Upload TLS Certificate and Key and then upload your TLS/SSL certificate and key.
    * Leave Upload TLS Certificate and Key cleared to let the system generate a certificate (supported if your server is in a public network only).
  5. In Git Settings, review the Git SSH Port. The Git SSH port is set to 22 by default. If you change this port, consider the following carefully:
    * App developers will need to modify their SSH config in order to deploy over SSH from their workstations.
    * You don’t need to open your chosen port to any IPs; it just needs to be available (not bound to any other service).
    * You cannot use ports 80 or 443 for the Git SSH port.
    * After changing the default Git SSH port, you can close or restrict port 22.
  6. If applicable, in PIP_EXTRA_INDEX_URL, enter the URL of your organization’s private Python package index (recommended when Dash Enterprise does not have network access to This will cause all apps and workspaces on Dash Enterprise to be able to fetch dependencies from this index.
  7. Select Continue. The Admin Console runs preflight checks, which can take up to a few minutes.
  8. Wait for the preflight checks to complete. If the results are all successful, select Deploy. If you encounter an error, contact Customer Success.
    The Admin Console opens to the dashboard, where the status of the system is displayed.
  9. Wait for the status to change to Ready. This can take up to a few minutes.


  1. On your bare metal server, press Ctrl+C to disconnect from the Admin Console.

You can now access the Admin Console using its sub-domain: https://admin-&lt;your-dash-enterprise-server&gt;.

Accessing Dash Enterprise

Before you can log in to Dash Enterprise at https://&lt;your-dash-enterprise-server&gt;, you’ll need to create a Dash Enterprise user in Keycloak. Keycloak is the identity and access management solution for Dash Enterprise.

Obtaining and Storing the Keycloak Password

In this step, you’ll retrieve the Keycloak password that is stored as a secret in your cluster and save it according to your organization’s best practices.

To obtain and store the Keycloak password:

  1. On your bare metal server, retrieve the password to Keycloak (this displays the password in plain text):

sh kubectl get secret keycloak-secrets -n plotly-system -o jsonpath='{.data.KEYCLOAK_PASSWORD}' | base64 -d && echo

Important: Dash Enterprise does not currently support rotating this password. Keep this password as is to avoid anomalous behavior.

  1. Copy the password.
  2. Add the password to your organization’s password manager or other secure storage, along with the username admin. You can share these credentials with other members in your organization who need to access Keycloak.

Creating Your Dash Enterprise Admin User

In this step, you’ll log in to Keycloak using the stored credentials and create a new user with the admin role. The admin role grants access to the Admin section of the Dash Enterprise App Manager, which you’ll use to configure system limits
in a later step. Learn more about the admin role.

To access Keycloak and create your admin user:

  1. Go to https://auth-&lt;your-dash-enterprise-server&gt;
  2. Select Administration Console.
  3. Enter the Keycloak credentials that you obtained and stored.


  1. Select Sign In.
  2. Make sure dash is selected in the realm list in the top left corner.

    Dash realm

  3. Select Users > Add User.

  4. In Username, enter the username you want to use.
  5. Select Create. Additional settings become available.
  6. Go to Credentials.
  7. In Password and Password Confirmation, enter the password you want to use.
  8. Select Set Password; then set password again to confirm.
  9. Assign the admin role:
    1. Go to Role mapping.
    2. Select Assign role.
    3. Change the filter to Filter by clients.
    4. Find and select the role called “dash admin”. Note that if you intend on deploying apps, you’ll also need the “dash licensed_user” role, and assigning this role consumes a license seat.
    5. Select Assign.

To log into Dash Enterprise with this user, go to https://&lt;your-dash-enterprise-server&gt; and enter the credentials that you saved in Keycloak. Dash Enterprise opens to the Portal. Go to the App Manager by selecting Apps > App Manager.


Setting System Limits

In this step, you’ll safeguard Dash Enterprise against usage that would cause the Kubernetes cluster to exceed the resources it can support. Specifically, you’ll add limits to the amount of pods and volumes (PVC) that can exist, temporarily preventing app developers from performing actions that would create more pods and volumes on the cluster when the limit is reached. To do so, you’ll use the System Limits setting in the Admin section of the App Manager. To learn how to calculate and set limits that are appropriate for your cluster, go to Pod and Volume Limits.