NMC Launchpad Installation

Overview

NMC Launchpad provides a centralized landing page that serves as a unified entry point for accessing all NMC components through an intuitive web interface.

Key features include:

• Centralized Access: Provides links to core components:

  • NVIDIA Base Command Manager

  • Run:ai

  • Autonomous Job Recovery

  • Autonomous Hardware Recovery

  • Grafana Dashboards

  Card visibility is controlled through URL configuration. Providing a URL for a component displays its card on the dashboard; omitting the URL hides it.

• Authentication: Features Keycloak-based integration for secure access control, supporting configurable OAuth/OIDC endpoints. Refer to Set Up Keycloak Authentication (Optional) for setup instructions.

• Deployment: Utilizes Helm Charts for Kubernetes deployment configurations with environment-specific values.

Prerequisites

Before installing NMC Launchpad, ensure the following prerequisites are met:

• Assumes k8s-admin exists and is accessible from BCM head node

• Kubernetes cluster is operational and accessible via kubectl

• NGC API key with access to the NMC catalog (see how to generate an NGC API key)

• Necessary permissions to access the NGC registry (nvcr.io) or the Product Information Database (PID) for package download

Note

This project will download and install additional third-party open source software projects. Review the license terms of these open source projects before use.

Set Up Keycloak Authentication (Optional)

NMC Launchpad supports Keycloak-based authentication for secure access control through OAuth/OIDC. This section guides you through setting up a Keycloak instance and configuring it for integration with NMC Launchpad.

Important

The current Keycloak integration provides sign-in authentication only for the NMC Launchpad web interface. Be aware of the following limitations:

• Single-component scope — Authentication applies to NMC Launchpad only and is not yet integrated with other NMC components such as Base Command Manager, Run:ai, or Grafana.

• No authorization controls — Role-based access control (RBAC) and fine-grained permissions are not available in this release. All authenticated users have the same level of access.

These capabilities are planned for future releases.

The overall setup order is:

1. PostgreSQL (via CloudNativePG) — required database backend for Keycloak

2. Keycloak — the identity and access management server

3. keycloak-config-cli (optional) — declarative configuration tool for Keycloak

4. NMC Launchpad — configured with the Keycloak client credentials

Note

NVIDIA provides only the NMC Launchpad Helm chart. All other components in this section are third-party open-source projects. The configurations provided here are recommendations only — adjust them to suit your environment and security requirements.

Install PostgreSQL (Optional)

Keycloak requires a PostgreSQL database. If you already have a PostgreSQL instance available, skip this section and proceed to Install Keycloak. Configure the database connection in the Keycloak values file with your existing PostgreSQL details.

The following steps use CloudNativePG (CNPG) to deploy a PostgreSQL cluster on Kubernetes.

Install the CNPG Operator

The CNPG operator manages PostgreSQL clusters within Kubernetes. For a full list of available configuration options, refer to the default values file.

1. Add the CNPG Helm repository:

   helm repo add cnpg https://cloudnative-pg.github.io/charts
   helm repo update
   

2. Create a values file for the CNPG operator:

   cat <<EOF > values-cnpg-operator.yaml
   resources:
     limits:
       cpu: 100m
       memory: 200Mi
     requests:
       cpu: 100m
       memory: 100Mi
   
   monitoring:
     podMonitorEnabled: false
     grafanaDashboard:
       create: false
   EOF
   

   Note

   Set podMonitorEnabled and grafanaDashboard.create to true if Prometheus Operator and Grafana are installed and you want to enable monitoring.

3. Install the CNPG operator:

   helm upgrade --install cnpg \
     --namespace launchpad \
     --create-namespace \
     cnpg/cloudnative-pg \
     -f values-cnpg-operator.yaml
   

Deploy a PostgreSQL Cluster

After the CNPG operator is running, deploy a PostgreSQL cluster for Keycloak. For a full list of available configuration options, refer to the default values file.

1. Create a values file for the PostgreSQL cluster:

   cat <<EOF > values-cnpg-cluster.yaml
   cluster:
     instances: 2
     storage:
       size: 2Gi
   
     monitoring:
       enabled: false
   
     initdb:
       database: keycloak
       secret:
         name: ""
   EOF
   

   Key parameters:

   • cluster.instances: Number of PostgreSQL replicas. Set to 2 or higher for high availability.

   • cluster.storage.size: Storage size for each instance.

   • cluster.initdb.database: Name of the database to create. Must be keycloak.

   • cluster.initdb.secret.name: Name of an existing Kubernetes secret containing database credentials. Leave empty to let CNPG generate credentials automatically.

2. Install the PostgreSQL cluster:

   helm upgrade --install keycloak-cnpg \
     --namespace launchpad \
     cnpg/cluster \
     -f values-cnpg-cluster.yaml
   

3. Wait for the PostgreSQL pods to become ready:

   kubectl get pods -n launchpad -l cnpg.io/cluster=keycloak-cnpg-cluster
   

4. Retrieve the auto-generated database password for use in the Keycloak configuration:

   kubectl get secret keycloak-cnpg-cluster-app -n launchpad \
     -o jsonpath='{.data.password}' | base64 -d
   

   Note this password. You need it when configuring the Keycloak database connection.

   The PostgreSQL service is accessible within the cluster at:

   • Host: keycloak-cnpg-cluster-rw.launchpad.svc.cluster.local

   • Port: 5432

   • Database: keycloak

   • Username: keycloak

Install Keycloak

This section uses the codecentric Keycloak Helm chart to deploy Keycloak on Kubernetes. For a full list of available configuration options, refer to the default values file.

1. Add the Helm repository:

   helm repo add codecentric https://codecentric.github.io/helm-charts
   helm repo update
   

2. Create a values file for Keycloak:

   cat <<EOF > values-keycloakx.yaml
   image:
     repository: quay.io/keycloak/keycloak
     tag: "26.5.1"
   
   command:
     - "/opt/keycloak/bin/kc.sh"
     - "start"
   
   extraEnv: |
     - name: KEYCLOAK_ADMIN
       value: admin
     - name: KEYCLOAK_ADMIN_PASSWORD
       value: "<your-admin-password>"
     - name: KC_HEALTH_ENABLED
       value: "true"
     - name: KC_METRICS_ENABLED
       value: "true"
     - name: KC_HTTP_MANAGEMENT_ENABLED
       value: "true"
     - name: KC_HTTP_MANAGEMENT_RELATIVE_PATH
       value: "/"
     - name: KC_HTTP_RELATIVE_PATH
       value: "/"
     - name: KC_HOSTNAME
       value: "https://<your-keycloak-domain>/"
     - name: KC_HOSTNAME_STRICT
       value: "false"
     - name: KC_HOSTNAME_STRICT_HTTPS
       value: "true"
     - name: KC_HOSTNAME_STRICT_BACKCHANNEL
       value: "false"
     - name: KC_HOSTNAME_BACKCHANNEL_DYNAMIC
       value: "true"
     - name: KC_PROXY_HEADERS
       value: "xforwarded"
     - name: KC_HTTP_ENABLED
       value: "true"
   
   resources:
     limits:
       cpu: 2
       memory: 1024Mi
     requests:
       cpu: 200m
       memory: 512Mi
   
   serviceMonitor:
     enabled: false
   
   health:
     enabled: true
   
   http:
     relativePath: "/"
     internalPort: http-internal
     internalScheme: HTTP
   
   ingress:
     enabled: true
     ingressClassName: nginx
     servicePort: http
     annotations:
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
       nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
     rules:
       - host: "<your-keycloak-domain>"
         paths:
           - path: /
             pathType: Prefix
     tls:
       - hosts:
           - "<your-keycloak-domain>"
         secretName: "<your-tls-secret-name>"
   
   database:
     vendor: postgres
     hostname: keycloak-cnpg-cluster-rw.launchpad.svc.cluster.local
     port: 5432
     database: keycloak
     username: keycloak
     password: "<your-database-password>"
   EOF
   

   Replace the following placeholders:

   • <your-admin-password>: Password for the Keycloak admin account. Change from the default for production environments.

   • <your-keycloak-domain>: The fully qualified domain name where Keycloak is accessible (for example, keycloak.example.com).

   • <your-tls-secret-name>: Name of the Kubernetes TLS secret for HTTPS. If you have a TLS certificate and key for your domain, create a Kubernetes secret:

     kubectl create secret tls keycloak-tls-secret \
       --cert=path/to/tls.crt \
       --key=path/to/tls.key \
       -n launchpad
     

     Then use keycloak-tls-secret (or your chosen name) as the value.

     Note

     A TLS secret is optional. If the secret does not exist or is not provided, Keycloak is still accessible over HTTPS through the ingress controller’s default certificate, but the browser displays a “Your connection is not private” warning.

   • <your-database-password>: The PostgreSQL password. If you used CNPG, retrieve it with the command shown in the previous section.

   Note

   If you are using your own PostgreSQL instance instead of CNPG, update the database section with your database host, port, database name, username, and password.

3. Install Keycloak:

   helm upgrade --install keycloakx \
     --namespace launchpad \
     codecentric/keycloakx \
     -f values-keycloakx.yaml
   

4. Verify that the Keycloak pod is running:

   kubectl get pods -n launchpad -l app.kubernetes.io/name=keycloakx
   

5. Access the Keycloak Admin Console at https://<your-keycloak-domain>/ and sign in with the admin credentials configured in the values file.

Configure Keycloak (Optional)

After Keycloak is running, you can configure realms, clients, and identity providers either programmatically using keycloak-config-cli or manually through the Keycloak Admin Console.

Option 1: Use keycloak-config-cli

keycloak-config-cli provides declarative, idempotent configuration for Keycloak through YAML/JSON files. This approach is recommended for repeatable, version-controlled configuration in CI/CD workflows. For a full list of available configuration options, refer to the default values file.

1. Add the Helm repository:

   helm repo add jkroepke https://jkroepke.github.io/helm-charts/
   helm repo update
   

2. Create a values file:

   cat <<EOF > values-keycloak-config-cli.yaml
   image:
     repository: quay.io/adorsys/keycloak-config-cli
     tag: "6.4.1-26.1.0"
   
   env:
     KEYCLOAK_URL: "http://keycloakx-http.launchpad.svc.cluster.local/"
     KEYCLOAK_USER: "admin"
     IMPORT_FILES_LOCATIONS: "/config/*"
     IMPORT_VARSUBSTITUTION_ENABLED: "true"
   
   secrets:
     KEYCLOAK_PASSWORD: "<your-keycloak-admin-password>"
   
   # Define your realm configuration below.
   # Refer to the keycloak-config-cli documentation for the configuration format:
   # https://github.com/adorsys/keycloak-config-cli
   config: {}
   
   resources:
     limits:
       cpu: 500m
       memory: 512Mi
     requests:
       cpu: 100m
       memory: 256Mi
   EOF
   

   The config section is where you define your Keycloak realm configuration. Refer to the keycloak-config-cli documentation for the full configuration format and available options.

   Note

   The KEYCLOAK_URL value keycloakx-http is derived from the Helm release name used when installing Keycloak (keycloakx). If you used a different release name, update this value accordingly.

3. Install keycloak-config-cli:

   helm upgrade --install keycloak-config-cli \
     --namespace launchpad \
     jkroepke/keycloak-config-cli \
     -f values-keycloak-config-cli.yaml
   

Option 2: Manual Configuration

You can configure Keycloak manually through the Admin Console. Refer to the Keycloak Server Administration Guide for comprehensive instructions on managing realms, clients, users, and identity providers.

Create a Client for NMC Launchpad

To integrate Keycloak with NMC Launchpad, create an OpenID Connect (OIDC) client in Keycloak and obtain the client ID and client secret.

1. Sign in to the Keycloak Admin Console at https://<your-keycloak-domain>/.

2. Select or create the realm you want to use for NMC Launchpad authentication.

3. In the left navigation, select Clients and then select Create client.

4. Configure the client:

   1. Set Client type to OpenID Connect.

   2. Enter a Client ID (for example, nmc-launchpad).

   3. Select Next.

   4. Set Client authentication to On. This makes the client confidential and enables a client secret.

   5. Select Save.

5. On the Settings tab, configure the following:

   • Valid redirect URIs: https://<your-launchpad-domain>/api/auth/callback

   • Web origins: https://<your-launchpad-domain>

6. Navigate to the Credentials tab to retrieve the Client secret.

Record the Client ID and Client secret. You need these values when configuring the NMC Launchpad Helm values to enable authentication.

For detailed instructions, refer to the following Keycloak documentation:

• Managing OpenID Connect Clients

• Client Credentials

Download NMC Launchpad Helm Chart

The NMC Launchpad Helm chart (version 0.2.13) can be obtained from two sources:

Option 1: Download from NGC Catalog

To download the Helm chart from NGC Catalog:

# Set your NGC API key
export NGC_API_KEY=<your-ngc-api-key>

# Download the Helm chart
helm pull https://helm.ngc.nvidia.com/nvidia/nv-mission-control/charts/nmc-launchpad-0.2.13.tgz \
  --username='$oauthtoken' \
  --password=$NGC_API_KEY

# Extract the chart
tar xvzf nmc-launchpad-0.2.13.tgz

Option 2: Download from Product Information Database (PID)

Alternatively, download the Helm chart package from the NVIDIA Product Information Database (PID):

1. Navigate to the NMC Launchpad product page: https://apps.nvidia.com/PID/ContentLibraries/Detail?id=1151551

2. Download the nmc-launchpad-0.2.13.tgz package

3. Transfer the package to the BCM head node

4. Extract the chart:

tar xvzf nmc-launchpad-0.2.13.tgz

Prepare Helm Values

Create a launchpad values file to configure NMC Launchpad for your environment:

cat <<EOF > values-launchpad.yaml
# NGC Registry Credentials
ngcImageCredentials:
  registry: nvcr.io
  username: "\$oauthtoken"
  # NGC API key with access to NMC catalog
  password: "<your-ngc-api-key>"

# Component Card URLs
# Providing a URL displays the card on the dashboard.
# Leave empty or omit to hide the card.
cardUrls:
  bcm: ""       # NVIDIA Base Command Manager
  runai: ""     # NVIDIA Run:ai
  ajr: ""       # Autonomous Job Recovery
  ahr: ""       # Autonomous Hardware Recovery
  grafana: ""   # Grafana Dashboards

# Ingress Configuration
ingress:
  enabled: true
  className: nginx
  # Hostname for the NMC Launchpad ingress
  host: "<your-launchpad-domain>"
  path: "/"
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

# Extra /etc/hosts entries for pods (Optional)
# Use when DNS is not available for Keycloak
# extraHostAliases:
#   - ip: "<headnode-ip>"
#     hostnames:
#       - "<your-keycloak-domain>"

# TLS Configuration (Optional)
# Supported modes: "direct" (provide cert/key), "existing" (reference an existing secret),
# or "external" (fetch from an external secret store).
# Uncomment and configure one of the following modes:
# tls:
#   mode: "existing"
#   secretName: "<your-tls-secret-name>"

# Keycloak Authentication (Optional)
# Enable only if you have set up Keycloak authentication.
# Refer to the "Set Up Keycloak Authentication" section for details.
auth:
  enabled: false
  provider: "keycloak"
  # Keycloak OIDC endpoint URL
  # Format: https://<your-keycloak-domain>/realms/<your-realm>/protocol/openid-connect
  endpoint: ""
  # Client ID created in Keycloak for NMC Launchpad
  clientId: ""
  # Client secret from the Keycloak client credentials
  secret: ""

EOF

Edit the values-launchpad.yaml file and configure the following parameters:

• <your-ngc-api-key>: Your NGC API key with access to the NMC catalog

• image.tag: Container image version

• cardUrls: Set the URLs for each component card you want to display on the dashboard. Leave a value empty to hide its card.

  • cardUrls.bcm: URL to your NVIDIA Base Command Manager (for example, http://<cluster-lb-ip>)

  • cardUrls.runai: URL to your Run:ai installation (for example, https://runai.<domain>)

  • cardUrls.ajr: URL to your Autonomous Job Recovery installation

  • cardUrls.ahr: URL to your Autonomous Hardware Recovery installation (for example, https://ahr.<domain>)

  • cardUrls.grafana: URL to your Grafana dashboards (for example, http://<cluster-lb-ip>/grafana)

• ingress.host: The fully qualified domain name for accessing NMC Launchpad (for example, launchpad.example.com)

• ingress.annotations: Additional ingress annotations. The default enables SSL redirect.

• extraHostAliases: (Optional) Extra /etc/hosts entries for pods when DNS is not available for resolving hostnames such as the Keycloak domain.

• tls: TLS configuration for HTTPS. Supports three modes: direct (provide cert and key inline), existing (reference an existing Kubernetes TLS secret), or external (fetch from an external secret store). Refer to the Helm chart’s values.yaml for the full TLS configuration options.

If you have set up Keycloak authentication (refer to Set Up Keycloak Authentication (Optional)), also configure:

• auth.enabled: Set to true to enable Keycloak authentication

• auth.provider: Authentication provider, set to keycloak

• auth.endpoint: Keycloak OIDC endpoint URL, in the format https://<your-keycloak-domain>/realms/<your-realm>/protocol/openid-connect

• auth.clientId: The Client ID from the Keycloak client created for NMC Launchpad

• auth.secret: The Client secret from the Keycloak client Credentials tab

Note

If your Keycloak hostname (for example, <your-keycloak-domain>) is not resolvable inside the cluster, you must set extraHostAliases in values-launchpad.yaml so the Launchpad pod can resolve it. Uncomment and configure the extraHostAliases section:

extraHostAliases:
  - ip: "<headnode-ip>"
    hostnames:
      - "<your-keycloak-domain>"

Install NMC Launchpad

Install NMC Launchpad using Helm on the k8s-admin cluster.

1. Verify Kubernetes cluster access:

   module load kubernetes/k8s-admin/
   kubectl get nodes
   

2. Install NMC Launchpad using Helm:

   helm upgrade --install launchpad ./nmc-launchpad \
     --create-namespace \
     --namespace launchpad \
     -f values-launchpad.yaml
   

Verify Installation

After installation, verify that NMC Launchpad is running correctly.

Check Pod Status

Verify that the NMC Launchpad pod is running, along with Keycloak and PostgreSQL pods if you enabled Keycloak authentication:

kubectl get pods -n launchpad

Example output with Keycloak authentication enabled:

NAME                              READY   STATUS    RESTARTS   AGE
keycloak-cnpg-cluster-1           1/1     Running   0          1h
keycloak-cnpg-cluster-2           1/1     Running   0          1h
keycloakx-0                       1/1     Running   0          1h
launchpad-nmc-launchpad-<id>      1/1     Running   0          1h

All pods should show Running status with READY indicating all containers are ready.

Access NMC Launchpad

1. Open a browser and go to: https://<your-launchpad-domain>

2. You should see the NMC Launchpad interface with links to all configured NMC components.

3. If Keycloak authentication is enabled (auth.enabled: true and auth.provider: "keycloak" in values-launchpad.yaml), verify sign-in by selecting the Login button in the upper-right corner. You are redirected to the Keycloak login page. After signing in with valid credentials, you are redirected back to NMC Launchpad and can see your authenticated identity displayed in the interface.

   Note

   In the current release, authentication verifies user identity only. All authenticated users have the same level of access. Role-based access control and fine-grained permissions are planned for future releases.

Upgrade NMC Launchpad

To upgrade NMC Launchpad to a newer version:

1. Download the new Helm chart version

2. Update your values-launchpad.yaml if needed

3. Run the upgrade command:

   module load kubernetes/k8s-admin/
   helm upgrade launchpad ./nmc-launchpad-<new-version> \
     --namespace launchpad \
     -f values-launchpad.yaml
   

Uninstall NMC Launchpad

To remove NMC Launchpad from your cluster:

module load kubernetes/k8s-admin/
helm uninstall launchpad --namespace launchpad