IBM Cloud Catalog Installation Guide

Provision all required IBM Cloud services and install Dynamiq via Helm so that the platform is production‑ready, fully private, and upgradeable through IBM Cloud Schematics.


Prerequisites

| Requirement | Notes |
| --- | --- |
| IBM Cloud account | Billing enabled & quota for VPC, Kubernetes, Databases for PostgreSQL, and Cloud Object Storage |
| Access | Manager and Administrator roles on the destination Kubernetes cluster service |
| Local tooling | bash, curl, IBM Cloud CLI v2.20+, kubectl v1.31+, Helm v3.13+, jq, openssl |
| Kubernetes version | 1.31 (latest LTS) |
| Outbound network | Port 22 (SSH), 443 (HTTPS) open to IBM Cloud APIs |

💡 Tip: If you prefer containerised tooling, grab the official ibmcloud‑tools image: docker run --rm -it ibmcom/ibmcloud-tools:latest


Quick‑start variables

Export once and reuse everywhere:

# ====== Edit me ======
export REGION="us-south"              #  <REGION>  e.g. us-south, eu-de
export RG_NAME="dynamiq"              #  <RESOURCE_GROUP_NAME>
export VPC_NAME="dynamiq"             #  <VPC_NAME>
export SUBNET_NAME="public"           #  <SUBNET_NAME>
export GW_NAME="dynamiq-gateway"      #  <PUBLIC_GATEWAY_NAME>
export ZONE="${REGION}-1"             #  Keep default or pick another zone
export CLUSTER_NAME="dynamiq-cluster" #  <CLUSTER_NAME>
export K8S_VERSION="1.31"             #  Align with supported versions
export FLAVOR="bx2.2x8"               #  2 vCPU / 8 GB each worker
export WORKERS="2"                    #  Adjust for your workload
export DB_INSTANCE_NAME="db-dynamiq"  #  <POSTGRES_INSTANCE_NAME>
export COS_INSTANCE_NAME="cos-dynamiq" #  <COS_INSTANCE_NAME>
export COS_BUCKET="dynamiqai"         #  <BUCKET_NAME>
# =======================

1 – Install CLI & plugins

curl -sL https://ibm.biz/idt-installer | bash
ibmcloud plugin install infrastructure-service
ibmcloud plugin install kubernetes-service
ibmcloud plugin install cos

Verify:

ibmcloud -v  # should be ≥ 2.20
helm version
kubectl version --client

2 – Authenticate & target a resource group

ibmcloud login -r $REGION --sso  # or remove --sso for API‑key login
ibmcloud resource group-create $RG_NAME || true
ibmcloud target -g $RG_NAME

3 – Create networking (VPC + Subnet + Gateway)

ibmcloud is vpc-create $VPC_NAME --resource-group-name $RG_NAME
ibmcloud is public-gateway-create $GW_NAME $VPC_NAME $ZONE --resource-group-name $RG_NAME
ibmcloud is subnet-create $SUBNET_NAME $VPC_NAME --zone $ZONE \
  --ipv4-address-count 256 --pgw $GW_NAME --resource-group-name $RG_NAME

Grab IDs for automation:

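# Pass the name to jq with --arg instead of splicing it into the filter text
export VPC_ID=$(ibmcloud is vpcs --json | jq -r --arg name "$VPC_NAME" '.[] | select(.name==$name) | .id')
export SUBNET_ID=$(ibmcloud is subnets --json | jq -r --arg name "$SUBNET_NAME" '.[] | select(.name==$name) | .id')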

4 – Provision the Kubernetes cluster

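# --disable-outbound-traffic-protection allows public outbound access from the
# worker nodes, which is otherwise blocked by default on Kubernetes 1.30 and later.
ibmcloud ks cluster create vpc-gen2 \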
  --name $CLUSTER_NAME \
  --zone $ZONE \
  --version $K8S_VERSION \
  --flavor $FLAVOR \
  --workers $WORKERS \
  --vpc-id $VPC_ID \
  --subnet-id $SUBNET_ID \
  --disable-outbound-traffic-protection

Configure kubectl:

ibmcloud ks cluster ls
export CLUSTER_ID=$(ibmcloud ks cluster ls --output json --provider vpc-gen2 | jq -r --arg name "$CLUSTER_NAME" '.[] | select(.name==$name) | .id')
ibmcloud ks cluster config --cluster $CLUSTER_ID

5 – Provision PostgreSQL

ibmcloud resource service-instance-create $DB_INSTANCE_NAME \
  databases-for-postgresql standard $REGION \
  --service-endpoints public --parameters '{"location_hardware":"virtual","version":"16"}'
# Wait until the instance becomes AVAILABLE
ibmcloud resource service-instance $DB_INSTANCE_NAME

Create credentials:

ibmcloud resource service-key-create ${DB_INSTANCE_NAME}-credentials \
  --instance-name $DB_INSTANCE_NAME --parameters '{"HMAC":true}'
export DATABASE_USERNAME=$(ibmcloud resource service-key ${DB_INSTANCE_NAME}-credentials --output json | jq -r '.[0].credentials.connection.postgres.authentication.username')
export DATABASE_PASSWORD=$(ibmcloud resource service-key ${DB_INSTANCE_NAME}-credentials --output json | jq -r '.[0].credentials.connection.postgres.authentication.password')
export DATABASE_HOST=$(ibmcloud resource service-key ${DB_INSTANCE_NAME}-credentials --output json | jq -r '.[0].credentials.connection.postgres.hosts[0].hostname')
export DATABASE_PORT=$(ibmcloud resource service-key ${DB_INSTANCE_NAME}-credentials --output json | jq -r '.[0].credentials.connection.postgres.hosts[0].port')
export DATABASE_NAME=$(ibmcloud resource service-key ${DB_INSTANCE_NAME}-credentials --output json | jq -r '.[0].credentials.connection.postgres.database')

6 – Provision Object Storage

ibmcloud resource service-instance-create $COS_INSTANCE_NAME \
  cloud-object-storage standard global -g $RG_NAME
ibmcloud resource service-key-create ${COS_INSTANCE_NAME}-credentials Writer \
  --instance-name $COS_INSTANCE_NAME --parameters '{"HMAC":true}'
export STORAGE_IBM_COS_API_KEY=$(ibmcloud resource service-key ${COS_INSTANCE_NAME}-credentials --output json | jq -r '.[0].credentials.apikey')
export STORAGE_IBM_COS_SERVICE_INSTANCE_ID=$(ibmcloud resource service-instance $COS_INSTANCE_NAME --output json | jq -r '.[0].id')
export STORAGE_IBM_COS_SERVICE_ENDPOINT="https://s3.${REGION}.cloud-object-storage.appdomain.cloud"
ibmcloud cos bucket-create --bucket $COS_BUCKET --region $REGION --ibm-service-instance-id $STORAGE_IBM_COS_SERVICE_INSTANCE_ID

7 – Install Dynamiq platform

Install Fission CRDs + Dynamiq dependencies:

kubectl create -k "github.com/fission/fission/crds/v1?ref=v1.20.5"
helm upgrade --install fission fission-all \
  --repo https://fission.github.io/fission-charts/ \
  --namespace fission --create-namespace \
  --set routerServiceType=ClusterIP \
  --set defaultNamespace=apps \
  --set analytics=false --wait

8 – Create production secrets

Generate secure keys:

export AUTH_ACCESS_TOKEN_KEY=$(openssl rand -base64 48 | tr -d '\n')
export AUTH_REFRESH_TOKEN_KEY=$(openssl rand -base64 48 | tr -d '\n')
export AUTH_VERIFICATION_TOKEN_KEY=$(openssl rand -base64 48 | tr -d '\n')
# SMTP & HF tokens
export SMTP_HOST="<SMTP_HOST>"
export SMTP_PORT="<SMTP_PORT>"
export SMTP_USERNAME="<SMTP_USERNAME>"
export SMTP_PASSWORD="<SMTP_PASSWORD>"
export HUGGING_FACE_TOKEN="<HF_TOKEN>"
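
A preflight check for the variables that end up in nexus-secret, as an added example (not part of the Dynamiq guide or its tooling): it catches the literal "null" that jq -r prints when a credential path is missing, placeholders left unedited, and characters that the double-quoted YAML values in the manifest would not carry through intact. The function names are hypothetical; the variable names are the ones exported in this guide.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the variables that feed nexus-secret.
# Function names are hypothetical; variable names are the ones exported above.

# Reject a value that is empty, the literal "null" that `jq -r` prints for a
# missing JSON path, an unedited <PLACEHOLDER>, or one containing " or \,
# which the double-quoted YAML scalars in the manifest would mangle.
check_value() {
  case "$2" in
    "")        echo "$1: empty or unset" >&2; return 1 ;;
    null)      echo "$1: jq printed null (path missing in service key)" >&2; return 1 ;;
    "<"*">")   echo "$1: placeholder not replaced" >&2; return 1 ;;
    *\"*|*\\*) echo "$1: contains a quote or backslash" >&2; return 1 ;;
  esac
}

# `openssl rand -base64 48` yields exactly 64 base64 characters, no padding.
check_token_key() {
  if [ "${#2}" -ne 64 ]; then
    echo "$1: expected 64 characters, got ${#2}" >&2; return 1
  fi
  case "$2" in
    *[!A-Za-z0-9+/]*) echo "$1: non-base64 character" >&2; return 1 ;;
  esac
}

# Check every variable substituted into the Secret; report all failures.
check_secret_inputs() {
  failed=0
  for name in DATABASE_HOST DATABASE_PORT DATABASE_NAME DATABASE_USERNAME \
      DATABASE_PASSWORD STORAGE_IBM_COS_API_KEY \
      STORAGE_IBM_COS_SERVICE_INSTANCE_ID STORAGE_IBM_COS_SERVICE_ENDPOINT \
      SMTP_HOST SMTP_PORT SMTP_USERNAME SMTP_PASSWORD HUGGING_FACE_TOKEN; do
    eval "value=\${$name-}"   # indirect lookup; names are the fixed list above
    check_value "$name" "$value" || failed=1
  done
  for name in AUTH_ACCESS_TOKEN_KEY AUTH_REFRESH_TOKEN_KEY \
      AUTH_VERIFICATION_TOKEN_KEY; do
    eval "value=\${$name-}"
    check_token_key "$name" "$value" || failed=1
  done
  return "$failed"
}
```

Source the file and run `check_secret_inputs || exit 1` immediately before the kubectl apply step; every failing variable is named on stderr.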

Apply secret:

kubectl create namespace dynamiq || true
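# The unquoted heredoc already expands the exported variables; a second
# envsubst pass would re-expand any "$" that appears inside a value.
cat <<EOF | kubectl apply -f -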
apiVersion: v1
kind: Secret
metadata:
  name: nexus-secret
  namespace: dynamiq
type: Opaque
stringData:
  DATABASE_HOST: "$DATABASE_HOST"
  DATABASE_PORT: "$DATABASE_PORT"
  DATABASE_SSLMODE: "require"
  DATABASE_NAME: "$DATABASE_NAME"
  DATABASE_SCHEMA: "public"
  DATABASE_USERNAME: "$DATABASE_USERNAME"
  DATABASE_PASSWORD: "$DATABASE_PASSWORD"
  STORAGE_IBM_COS_API_KEY: "$STORAGE_IBM_COS_API_KEY"
  STORAGE_IBM_COS_SERVICE_INSTANCE_ID: "$STORAGE_IBM_COS_SERVICE_INSTANCE_ID"
  STORAGE_IBM_COS_SERVICE_ENDPOINT: "$STORAGE_IBM_COS_SERVICE_ENDPOINT"
  SMTP_HOST: "$SMTP_HOST"
  SMTP_PORT: "$SMTP_PORT"
  SMTP_USERNAME: "$SMTP_USERNAME"
  SMTP_PASSWORD: "$SMTP_PASSWORD"
  SMTP_DEFAULT_FROM: "[email protected]"
  AUTH_ACCESS_TOKEN_KEY: "$AUTH_ACCESS_TOKEN_KEY"
  AUTH_REFRESH_TOKEN_KEY: "$AUTH_REFRESH_TOKEN_KEY"
  AUTH_VERIFICATION_TOKEN_KEY: "$AUTH_VERIFICATION_TOKEN_KEY"
  HUGGING_FACE_TOKEN: "$HUGGING_FACE_TOKEN"
EOF

Remember to pass --set nexus.appSecret=nexus-secret (or prefixed name) when you deploy Dynamiq’s Helm chart.

Install Dynamiq:

helm upgrade --install dynamiq getdynamiq/dynamiq \
  --version <CHART_VERSION> \
  --namespace dynamiq \
  --create-namespace \
  --values values-production.yaml \
  --set nexus.appSecret=nexus-secret \
  --wait

9 – Verify installation

kubectl -n dynamiq get all
# Check that pods are RUNNING and the ingress/LoadBalancer endpoints are assigned

Browse to https://<YOUR_DOMAIN> and log in with the initial admin user.


10 – Upgrade

A new chart version appears as an Update inside your IBM Cloud Schematics workspace.

  1. Go to Menu ▸ Schematics → select the workspace.

  2. Click Settings ▸ Update.

  3. Pick the desired chart version and confirm. The Dynamiq pods will roll with zero downtime if you have ≥ 2 replicas per component.


11 – Uninstall

helm -n dynamiq uninstall dynamiq  # removes Dynamiq workloads only
# Optional: destroy workspace to delete infra managed by Schematics
ibmcloud schematics workspace destroy --id <WORKSPACE_ID>

Appendix A – values.yaml reference

| Parameter | Description | Default | Required |
| --- | --- | --- | --- |
| dynamiq.imageCredentials.username | Container registry username | `` | |
| dynamiq.imageCredentials.password | Container registry password | `` | |
| nexus.ingress.enabled | Expose Nexus API via ingress | true | |
| nexus.configMapData.DOMAIN | Public FQDN mapped in DNS (e.g. dynamiq.example.com) | `` | |
| nexus.appSecret | Name of Kubernetes secret with DB/ObjectStore credentials | nexus-secret | |
| synapse.ingress.enabled | Expose WebSocket gateway | true | |
| ui.ingress.enabled | Expose web UI | true | |


Appendix B – Security & Compliance controls

  • Network isolation – all components run inside your VPC with no public ingress unless explicitly enabled.

  • TLS‑only – Dynamiq forces HTTPS and uses Cert‑Manager (optional) for automated certificate rotation.

  • IAM separation – each IBM Cloud service instance uses least‑privileged service IDs.


Need help?

Email: [email protected]
