Deploying on Jetstream

The CHEESE project uses cloud resources provided by NSF XSEDE Jetstream. This document describes how to configure a Jetstream project for use with CHEESEhub.

Apply for an allocation

Jestream allocations are available for research and education applications. See XSEDE Resource Allocation System for more information.

Jetstream Project Setup

CHEESE uses the Jetstream OpenStack user interface (UI) and API for platform deployment. New Jetstream allocations require a few preliminary steps to setup project network, subnet, and router. See the Jetstream’s Setup+for+Horizon+API+User+Instances.

The basic steps include:

  • Create network (named [project]-net)

  • Create subnet

  • Create router, attached to public network

  • Add interface from router to project network

  • Add security groups including remote SSH/HTTPS

Consider restricting SSH ingress to known CIDR ranges.

Upload Base OS Image

The CHEESE platform is currently based on Ubuntu LTS images. It is necessary to upload your own image to Jetstream. This can be done via the Horizon UI or via the OpenStack CLI.

Download the image from and upload using the OpenStack CLI:

openstack image create --disk-format qcow2 --container-format bare \
           --file bionic-server-cloudimg-amd64.img "Ubuntu 18.04 LTS"

Create VM Instance

At this point you can create a VM instance based on the uploaded image and install CHEESEhub either as a single-node or multi-node installation.

Provision Kubernetes Cluster

CHEESEhub uses the kubeadm-terraform to provision Kubernetes clusters on OpenStack.

git clone

Setup Wildcard DNS

CHEESEhub requires wildcard DNS support for * If you do not have access to manage your own domain, contact us.

Setup Wildcard TLS

CHEESEHub requires a valid wildcard TLS certificate for * Free wildcard certificates are available from Let’s Encrypt.

Follow these instructions to generate a valid certificate for your domain:

The certificate and key should be used in your Workbench configuration below.

NGINX Ingress Controller

The kubeadm-terraform installs an older version of the NGINX controller.

Delete the old controller:

helm delete --purge support

Create values.yaml:

  hostNetwork: true
  kind: DaemonSet
    default-ssl-certificate: workbench/ndslabs-tls-secret
    proxy-connect-timeout: "300"
    proxy-read-timeout: "300"
    proxy-send-imeout: "300"
    body-size: "64m"
    worker-shutdown-timeout: "900s"

Install the new controller:

sudo helm upgrade \
  --install support stable/nginx-ingress \
  --namespace=support \
  --version=1.17.0 \
  -f values.yaml

Install Workbench Helm Chart

CHEESEHub uses the following values:

name: "CHEESEHub"
domain: ""
support_email: <your email address>
repo: ""
cert: <See above>
key: <See above> <Your smtp host>
smtp.port: <Your smtp port>

Install the Helm chart:

helm install . --name=workbench --namespace=workbench

Access your instance

Use kubectl to confirm your workbench instance is running:

kubectl get pods -n workbench
NAME                         READY     STATUS    RESTARTS   AGE
workbench-7cb876c6b5-tmf8m   4/4       Running   0          5h

Access your instance at