Install Dash Enterprise on a Virtual Machine - Airgapped

This guide can help you if you are a new Dash Enterprise customer looking to start with a Dash Enterprise 5 installation, or if you are upgrading from Dash Enterprise 4.X.

About the Installation

Installing Dash Enterprise is an automated process. You use a bootstrap node to run a Plotly-provided script that creates a Kubernetes cluster using kURL and installs Dash Enterprise on your server. This guide describes how to use your cloud provider’s virtual machine (VM) service to provision a VM that will act as the server, but you can still follow this guide if you already have a VM ready to go.

A bootstrap node is a machine whose only purpose is to run the script. After Dash Enterprise is installed, you can stop or decommission it. Using a fresh VM is the best practice because the script is unlikely to run into errors caused by other installed software. This guide describes how to use your cloud provider’s virtual machine to provision a VM that will serve as your bootstrap node.

You’ll be installing Dash Enterprise as the single tenant on the cluster—that is, no other software is installed on the cluster (except mandatory supporting software). Single-tenancy is well-suited for Dash Enterprise because it is a complex platform, organizing resources on the fly when developers perform tasks like deploying Dash apps and creating databases. Multi-tenancy is not currently supported.

Plotly uses Replicated to package and deliver Dash Enterprise. You’ll be interacting with the KOTS Admin Console, part of the Replicated toolset, in the configuration step of this installation. After the installation, you’ll continue to use the KOTS Admin Console for system administration such as performing Dash Enterprise upgrades.

Before You Install

In order for Dash app developers to use an airgapped Dash Enterprise instance, their apps need to fetch Python package dependencies from an internal index. (If there is no internal index available, developers need to place Python packages individually in their app’s files, which is not recommended for apps that require many packages because it involves additionally managing those packages’ dependencies).

Before committing to an airgapped Dash Enterprise installation, make sure your organization can provide an internal index. Dash Enterprise requires that the index have a TLS/SSL certificate from a globally trusted certificate authority (CA). A common strategy is to create a mirror of

Important: Apps deployed to Dash Enterprise use Python 3.8.16. Be sure that the packages in your internal index are compatible with this version. When Dash Enterprise is airgapped, it is not possible for Dash app developers to change the Python version that their apps use.

Similarly, if Dash app developers plan to deploy apps that depend on APT packages, you’ll need to prepare a custom APT repository with a TLS/SSL certificate from a globally trusted certificate authority (CA).


Important: Stopping and restarting the VM that Dash Enterprise is installed on (often called parking) is not supported. The VM must be left on for Dash Enterprise to remain in a healthy state.

Important: Changing the internal and/or public IP of the VM after installation, such as by moving the VM to a different subnet, is not supported.

Preparing Your Installation

Contact our Customer Success team to get started. We’ll ask you:

Important note about your base domain: The base domain that you select for your Dash Enterprise instance can be changed later, but changing it requires support from Plotly. We recommend being certain of the base domain that you want to use before beginning your installation.

Obtaining Your Installation Plan

When we have this information, we’ll send you a tailor-made installation script as well as a link and password to a download portal from which you’ll need to download airgap bundles. Your Installation Plan is tailor-made based on your conversation with Customer Success and contains everything you need to install Dash Enterprise for your organization.

Downloading Your Airgap Bundle

In this step, you’ll download the airgap bundle required to install Dash Enterprise. Note that the Dash Enterprise airgap bundle is approximately 15 GB.

To download the airgap bundle:

  1. On your workstation, use the link and password provided by our Customer Success team to go to the download portal.
  2. In the left sidebar, make sure Bring my own cluster is selected.
  3. Under dash-enterprise Airgap Bundle, select Download airgap bundle.

Preparing Your Bootstrap Node

Provisioning Your Server

Defining Variables in the Script

Unzip your Installation Plan and open the config file. Edit the following variable values:

About storing and resetting this password: We recommend storing this password in your organization’s password manager, and giving access to any other members of your team who will be managing the Dash Enterprise system (notably performing upgrades and obtaining support bundles). This password is not retrievable with a kubectl command. It can be changed in the Admin Console UI by anyone who is able to log in with the current password. If lost, reset it by downloading the KOTS CLI and running kubectl kots reset-password -n plotly-system.

If your organization uses its own custom CA (with the internal root CA certificate installed on users’ systems), you can add the internal root CA certificate to Dash Enterprise with INTERNAL_CA_CERTIFICATE. It must be a .crt file and contain the root certificate only—not the full chain. Provide it as follows:

Moving Files to Your Bootstrap Node

In this step, you’ll move the files that are required for installation to the bootstrap node. One way to do this is to use secure copy protocol (SCP).

Installation and Configuration

Creating the Cluster and Port-Forwarding the KOTS Admin Console

In this step, you’ll run the installation script from your bootstrap node. This script does the following:

To create the cluster and port-forward the KOTS Admin Console:

  1. In the home directory of your bootstrap node, run the installation script:


  1. If you are prompted for the kots install location by Enter installation path (leave blank for /usr/local/bin), press Enter to accept the default.
  2. If you are prompted to grant write permissions to /usr/local/bin, press y (you will not be prompted for a password).

The script takes several minutes to complete. Continue when you see the message Forwarding from -> 3000 (do not exit yet).

If you exit by mistake, restart the port-forward with kubectl port-forward -n plotly-system svc/kotsadm --address 8800:3000.

  1. Now that is it secure to do so, go back to your server’s networking settings and change the source for the port 22 rule to add the IP addresses of users who will be deploying Dash apps to Dash Enterprise. Alternatively, if you plan to customize the Git SSH port, then you can close or restrict port 22.

The next time you SSH into your Dash Enterprise server, you’ll need to append the new SSH port to the ssh command.

Uploading the License and Airgap Bundle

Now that your cluster is created, you’re ready to install Dash Enterprise on it. The KOTS Admin Console will take you through uploading your Dash Enterprise license and airgap bundle.

When the upload is complete, the KOTS Admin Console opens to the Configure Dash Enterprise page.

Uploading the Certificate and Running Preflight Checks

Now that Dash Enterprise is installed, you’re ready for configuration. The KOTS Admin Console will take you through several configuration options.

On the Configure Dash Enterprise page, do the following:

  1. In TLS Settings, make sure that Upload TLS Certificate and Key is selected, and then upload your TLS/SSL certificate and key.
  2. In Git Settings, review the Git SSH Port. The Git SSH port is set to 22 by default. If you change this port, consider the following carefully:
    * App developers will need to modify their SSH config in order to deploy over SSH from their workstations.
    * You don’t need to open your chosen port to any IPs; it just needs to be available (not bound to any other service).
    * You cannot use ports 80 or 443 for the Git SSH port.
    * After changing the default Git SSH port, you can close or restrict port 22.
  3. In PIP_EXTRA_INDEX_URL, enter the URL of your organization’s private Python package index (you can also configure it later). This will cause all apps and workspaces on Dash Enterprise to be able to fetch dependencies from this index.
  4. Select Continue. The Admin Console runs preflight checks, which can take up to a few minutes.
  5. Wait for the preflight checks to complete. If the results are all successful, select Deploy. If you encounter an error, contact Customer Success.
    The Admin Console opens to the dashboard, where the status of the system is displayed.
  6. Wait for the status to change to Ready. This can take up to a few minutes.


  1. On your bootstrap node, press Ctrl+C to disconnect from the Admin Console.

You can now access the Admin Console using its sub-domain: https://admin-&lt;your-dash-enterprise-server&gt;.

Accessing Dash Enterprise

Before you can log in to Dash Enterprise at https://&lt;your-dash-enterprise-server&gt;, you’ll need to create a Dash Enterprise user in Keycloak. Keycloak is the identity and access management solution for Dash Enterprise.

Obtaining and Storing the Keycloak Password

In this step, you’ll retrieve the Keycloak password that is stored as a secret in your cluster and save it according to your organization’s best practices.

To obtain and store the Keycloak password:

  1. On your bootstrap node, retrieve the password to Keycloak (this displays the password in plain text):

sh kubectl get secret keycloak-secrets -n plotly-system -o jsonpath='{.data.KEYCLOAK_PASSWORD}' | base64 -d && echo

Note about recovering the Keycloak password: If you change this password via the Keycloak interface, it will no longer correspond to what is
stored in your cluster. We recommend keeping it as is so that you can always recover it with this kubectl get secret command.

  1. Copy the password.
  2. Add the password to your organization’s password manager or other secure storage, along with the username admin. You can share these credentials with other members in your organization who need to access Keycloak.

Creating Your Dash Enterprise Admin User

In this step, you’ll log in to Keycloak using the stored credentials and create a new user with the admin role. The admin role grants access to the Admin section of the Dash Enterprise App Manager, which you’ll use to configure system limits
in a later step. Learn more about the admin role.

To access Keycloak and create your admin user:

  1. Go to https://auth-&lt;your-dash-enterprise-server&gt;
  2. Select Administration Console.
  3. Enter the Keycloak credentials that you obtained and stored.


  1. Select Sign In.
  2. Make sure Dash is selected in the realm list in the top left corner.

    Dash realm

  3. Select Users > Add User.

  4. In Username, enter the username you want to use.
  5. Select Create. Additional settings become available.
  6. Go to Credentials.
  7. In Password and Password Confirmation, enter the password you want to use.
  8. Select Set Password; then set password again to confirm.
  9. Assign the admin role:
    1. Go to Role Mappings.
    2. In Client Roles, select dash.
    3. In Available Roles, select admin; then select Add selected. Note that if you intend on deploying Dash apps, you’ll also need the licensed_user role, and assigning this role consumes a license seat.

To log into Dash Enterprise with this user, go to https://&lt;your-dash-enterprise-server&gt; and enter the credentials that you saved in Keycloak. Dash Enterprise opens to the Portal. Go to the App Manager by selecting Apps > App Manager.


Setting System Limits

In this step, you’ll safeguard Dash Enterprise against usage that would cause the Kubernetes cluster to exceed the resources it can support. Specifically, you’ll add limits to the amount of pods and volumes (PVC) that can exist, temporarily preventing Dash app developers from performing actions that would create more pods and volumes on the cluster when the limit is reached. To do so, you’ll use the System Limits setting in the Admin section of the App Manager. To learn how to calculate and set limits that are appropriate for your cluster, go to Pod and Volume Limits.

Post-Install Bootstrap Node Considerations

In order to upgrade Dash Enterprise, you’ll need a VM with internet access from which to run Plotly-provided, kubectl-based scripts. The bootstrap node that you provisioned as part of the installation already meets these requirements, so while it is safe to delete it, your organization may want to reuse it for upgrades. If reusing the bootstrap node, be sure to leave your config file on it, as upgrade scripts will source it.

If you’re deleting the bootstrap node, keep a copy of your config file that you can move to a new VM when performing upgrades.