Production-grade installation guide for Red Hat OpenShift 4.18 & newer. All snippets are idempotent and tested on OCP 4.18 (Kubernetes 1.31).
1 – Overview
Dynamiq is a low-code GenAI operating platform.
This guide deploys it as fully private, TLS-only, auto-upgradeable workloads on an OpenShift 4.18+ cluster.
Key building blocks:
CloudNativePG (Crunchy Data) for HA PostgreSQL
Object storage – AWS S3, MinIO, or OpenShift Data Foundation
External Secrets Operator for secret sync
Fission for serverless logic
Helm for application lifecycle
2 – Prerequisites
Kubernetes 1.31, cluster-admin rights
≥ 2 × vCPU / 8 GiB (m5.large-class)
Optional – G5/A10G for model inference
oc 4.18+, helm 3.14+, jq, openssl, envsubst
Root/sub-domain delegated in DNS
Pull container images & reach S3/MinIO
3 – Quick-Start Variables
Edit the first block only, then paste the rest as one .
# ---------- BEGIN USER CONFIG ----------
export BASE_DOMAIN="example.com" # root or delegated sub-domain
export CLUSTER_NAME="dynamiq" # DNS-safe
export PROJECT="dynamiq" # OpenShift namespace
export REGION="us-east-1" # for AWS snippets
# ---------- END USER CONFIG ------------
export OCP_VERSION="4.18"
export K8S_VERSION="1.31"
export STORAGE_S3_BUCKET="${CLUSTER_NAME}-data-$(openssl rand -hex 4)"
export DYNAMIQ_CHART_REPO="oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/dynamiq/enterprise/dynamiq"
# OpenShift CLI
curl -LO "https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/${OCP_VERSION}/openshift-client-linux.tar.gz"
tar -xzvf openshift-client-linux.tar.gz -C /usr/local/bin oc kubectl
# Helm
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# Verify
oc version --client
helm version
5 – OpenShift Cluster Preparation
Log in
oc login https://api.${CLUSTER_NAME}.${BASE_DOMAIN}:6443 \
  --username kubeadmin --password <REDACTED>
Create / select project
oc new-project ${PROJECT} || oc project ${PROJECT}
(Optional) Create a fresh IPI cluster
openshift-install create cluster --dir ./install --log-level=info
6 – Install Cluster Add-ons
6.1 External Secrets Operator
oc apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.9.4/deploy/crds/bundle.yaml
helm repo add external-secrets https://charts.external-secrets.io
helm upgrade --install external-secrets external-secrets/external-secrets \
  --namespace external-secrets --create-namespace \
  --set installCRDs=false \
  --wait
Create a ClusterSecretStore pointing at AWS Secrets Manager (swap provider if required):
# The apiVersion below must be one served by the CRD bundle applied above
cat <<EOF | envsubst | oc apply -f -
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: dynamiq
spec:
  provider:
    aws:
      service: SecretsManager
      region: $REGION
EOF
6.2 Fission Serverless Engine
kubectl create -k "github.com/fission/fission/crds/v1?ref=v1.20.5"
helm repo add fission https://fission.github.io/fission-charts/
helm upgrade --install fission fission/fission-all \
  --namespace dynamiq-fission --create-namespace \
  --set routerServiceType=ClusterIP \
  --set defaultNamespace=${PROJECT} \
  --set analytics=false \
  --wait
6.3 GPU MachineSets (optional)
oc adm machine-sets create-gpu \
  --accelerator-type nvidia-g5 \
  --name gpu-g5 \
  --replicas 1 \
  --cluster ${CLUSTER_NAME}
7 – Provision PostgreSQL (CloudNativePG)
oc apply -f https://get.crunchydata.com/postgres-operator/crunchy-postgres-operator.yaml
# Wait for operator to be Ready; the Cluster below needs the postgresql.cnpg.io/v1 CRD
oc wait --for=condition=Established crd/clusters.postgresql.cnpg.io --timeout=120s
cat <<EOF | oc apply -f -
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: dynamiq-pg
  namespace: ${PROJECT}
spec:
  instances: 2
  imageName: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:16
  storage:
    size: 50Gi
EOF
Extract connection details:
export DATABASE_HOST="dynamiq-pg-rw.${PROJECT}.svc.cluster.local"
export DATABASE_PORT="5432"
export DATABASE_NAME="postgres"
export DATABASE_USERNAME="postgres"
export DATABASE_PASSWORD="$(oc -n ${PROJECT} get secret dynamiq-pg-superuser -o jsonpath='{.data.password}' | base64 -d)"
8 – Provision Object Storage
Option A – AWS S3
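if [ "${REGION}" = "us-east-1" ]; then
  # us-east-1 rejects an explicit LocationConstraint
  aws s3api create-bucket --bucket "${STORAGE_S3_BUCKET}" --region "${REGION}"
else
  aws s3api create-bucket \
    --bucket "${STORAGE_S3_BUCKET}" \
    --region "${REGION}" \
    --create-bucket-configuration LocationConstraint="${REGION}"
fi
export STORAGE_SERVICE="s3"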
Option B – Internal MinIO
helm repo add minio https://charts.min.io
# minio / minio123 are sample credentials; substitute your own values
helm upgrade --install minio minio/minio \
  --namespace storage --create-namespace \
  --set accessKey=minio --set secretKey=minio123 \
  --set "buckets[0].name=${STORAGE_S3_BUCKET}" \
  --wait
export STORAGE_SERVICE="minio"
9 – Create Dynamiq Secrets
export AUTH_ACCESS_TOKEN_KEY=$(openssl rand -base64 48 | tr -d '\n')
export AUTH_REFRESH_TOKEN_KEY=$(openssl rand -base64 48 | tr -d '\n')
export AUTH_VERIFICATION_TOKEN_KEY=$(openssl rand -base64 48 | tr -d '\n')
cat <<EOF | envsubst | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: nexus-secret
  namespace: ${PROJECT}
type: Opaque
stringData:
  DATABASE_HOST: "$DATABASE_HOST"
  DATABASE_PORT: "$DATABASE_PORT"
  DATABASE_SSLMODE: "require"
  DATABASE_NAME: "$DATABASE_NAME"
  DATABASE_USERNAME: "$DATABASE_USERNAME"
  DATABASE_PASSWORD: "$DATABASE_PASSWORD"
  STORAGE_SERVICE: "$STORAGE_SERVICE"
  STORAGE_S3_BUCKET: "$STORAGE_S3_BUCKET"
  AUTH_ACCESS_TOKEN_KEY: "$AUTH_ACCESS_TOKEN_KEY"
  AUTH_REFRESH_TOKEN_KEY: "$AUTH_REFRESH_TOKEN_KEY"
  AUTH_VERIFICATION_TOKEN_KEY: "$AUTH_VERIFICATION_TOKEN_KEY"
  # --- OPTIONAL TOKENS ---
  HUGGING_FACE_ACCESS_TOKEN: "<HF_TOKEN>"
  OPENAI_API_KEY: "<OPENAI_KEY>"
  SMTP_HOST: "<SMTP_HOST>"
  SMTP_USERNAME: "<SMTP_USER>"
  SMTP_PASSWORD: "<SMTP_PASS>"
EOF
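A pre-apply check for the Secret rendered above, as an added example that is not part of the Dynamiq guide: it flags values that expanded to empty (for instance when the dynamiq-pg-superuser lookup returned nothing), <...> placeholders left in place, and AUTH keys shorter than the 64 characters that openssl rand -base64 48 produces. The function name, the required-key list and the sample manifest are assumptions constructed for illustration.

```shell
# Added example (not from the Dynamiq docs): lint a rendered nexus-secret
# manifest on stdin before `oc apply`. Assumption: every key above the
# OPTIONAL TOKENS marker is required.
REQUIRED_KEYS="DATABASE_HOST DATABASE_PORT DATABASE_SSLMODE DATABASE_NAME \
DATABASE_USERNAME DATABASE_PASSWORD STORAGE_SERVICE STORAGE_S3_BUCKET \
AUTH_ACCESS_TOKEN_KEY AUTH_REFRESH_TOKEN_KEY AUTH_VERIFICATION_TOKEN_KEY"

# Prints one "KEY: reason" line per finding; returns 1 if any were found.
lint_secret_manifest() {
  awk -v required="$REQUIRED_KEYS" '
    BEGIN { n = split(required, req, " "); bad = 0 }
    /^stringData:/ { in_data = 1; next }
    in_data && /^[^ #]/ { in_data = 0 }   # next top-level key ends the block
    in_data && /^ +[A-Z0-9_]+:/ {
      key = $1; sub(/:$/, "", key)
      val = $0; sub(/^ +[A-Z0-9_]+: */, "", val); gsub(/^"|"$/, "", val)
      seen[key] = 1
      # keys generated with openssl rand -base64 48 are 64 characters long
      if (val == "") { print key ": empty"; bad = 1 }
      else if (val ~ /^<[^>]*>$/) { print key ": placeholder " val; bad = 1 }
      else if (key ~ /^AUTH_.*_KEY$/ && length(val) < 64) { print key ": shorter than 64 chars"; bad = 1 }
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(req[i] in seen)) { print req[i] ": missing"; bad = 1 }
      exit bad
    }'
}

# Constructed sample: empty password, short key, placeholder, one key absent.
sample_manifest() {
  key64=$(printf '%064d' 0)   # stand-in for a generated 64-character key
  cat <<EOF
stringData:
  DATABASE_HOST: "dynamiq-pg-rw.dynamiq.svc.cluster.local"
  DATABASE_PORT: "5432"
  DATABASE_SSLMODE: "require"
  DATABASE_NAME: "postgres"
  DATABASE_USERNAME: "postgres"
  DATABASE_PASSWORD: ""
  STORAGE_SERVICE: "s3"
  STORAGE_S3_BUCKET: "dynamiq-data-0a1b2c3d"
  AUTH_ACCESS_TOKEN_KEY: "$key64"
  AUTH_REFRESH_TOKEN_KEY: "tooshort"
  OPENAI_API_KEY: "<OPENAI_KEY>"
EOF
}

sample_manifest | lint_secret_manifest || echo "findings above: fix before oc apply"
```

To use it with the step above, write the envsubst output to a file, run it through lint_secret_manifest, and apply the file only on a zero exit status.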
10 – Prepare Helm Values
cat <<EOF > values-ocp.yaml
dynamiq:
  domain: ${BASE_DOMAIN}
nexus:
  image:
    repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/dynamiq/enterprise/nexus
  ingress:
    enabled: true
  externalSecrets:
    enabled: false
  appSecret: nexus-secret
  configMapData:
    STORAGE_SERVICE: ${STORAGE_SERVICE}
    STORAGE_S3_BUCKET: ${STORAGE_S3_BUCKET}
synapse:
  image:
    repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/dynamiq/enterprise/synapse
  ingress:
    enabled: true
  configMapData:
    STORAGE_SERVICE: ${STORAGE_SERVICE}
    STORAGE_S3_BUCKET: ${STORAGE_S3_BUCKET}
catalyst:
  image:
    repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/dynamiq/enterprise/catalyst
  configMapData:
    STORAGE_SERVICE: ${STORAGE_SERVICE}
    STORAGE_S3_BUCKET: ${STORAGE_S3_BUCKET}
ui:
  image:
    repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/dynamiq/enterprise/ui
  ingress:
    enabled: true
EOF
11 – Deploy Dynamiq
# Authenticate to ECR
aws ecr get-login-password --region us-east-1 | \
  helm registry login --username AWS --password-stdin 709825985650.dkr.ecr.us-east-1.amazonaws.com
# Install / upgrade Dynamiq
helm upgrade --install dynamiq ${DYNAMIQ_CHART_REPO} \
  --namespace ${PROJECT} \
  --values values-ocp.yaml \
  --wait
12 – Validate & Smoke-Test
oc -n ${PROJECT} get route
Create CNAME records (app, api, etc.) pointing to the OpenShift router host.
https://app.${BASE_DOMAIN} → Dynamiq UI
https://api.${BASE_DOMAIN} → Dynamiq API
First registered user gains Admin rights.
13 – Upgrade Workflow
helm repo update
helm upgrade dynamiq ${DYNAMIQ_CHART_REPO} \
  --namespace ${PROJECT} \
  --reuse-values \
  --wait
Provided each component runs ≥ 2 replicas, OpenShift performs zero-downtime rolling updates.
14 – Cleanup
helm uninstall dynamiq -n ${PROJECT} || true
helm uninstall fission -n dynamiq-fission || true
oc delete project ${PROJECT} dynamiq-fission external-secrets || true
aws s3 rb s3://${STORAGE_S3_BUCKET} --force # if you used AWS S3
# If you created the cluster via step 5:
openshift-install destroy cluster --dir ./install
15 – Appendix A – values-ocp.yaml Reference
Need help? Reach out to us - support@getdynamiq.ai
Happy shipping Dynamiq on OpenShift! 🚀