Skip to content
Documentation

Opstella Core (Back-end) Installation

🟢 Management

Opstella Core is a Backend Service for Opstella to centralize information and orchestrate operations.

Application Dependencies

Section titled “Application Dependencies”
  • 📦PostgreSQL SQL Database ; Deploy external/dedicated instance of Database
  • 📦S3 API-compatible Object Storage ; i.e MinIO
  • 📦Opstella Keycloak ; For Single Sign-on Functionality

Prerequisites

Section titled “Prerequisites”
  • 🛡️TLS Certificate for Opstella Core (Back-end)
    • Opstella Core (Back-end) will be exposed through Web with HTTPS.
  • 🔑 Credentials to Access S3 Bucket: Access Key, Secret Key
    • These credentials should be from the ones you defined in the SeaweedFS (HA) Installation guide (specifically SEAWEEDFS_HA_S3_OPSTELLA_PASSWORD as the secret and opstella as the access key).

Preparation

Section titled “Preparation”

Kubernetes Cluster Preparation

Section titled “Kubernetes Cluster Preparation”

  1. Connect to 🟢 Management Kubernetes Cluster ; i.e w/ Kubeconfig File

    Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

    Terminal window
    source $HOME/opstella-installation/shell-values/kubernetes/management_cluster.vars.sh
    Terminal window
    export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"

  2. Prepare 🟢 Management Kubernetes Cluster Information

    Ensure K8S_INTERNAL_DOMAIN, K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME, K8S_INGRESSCLASS_NAME are defined as per the Shell Variables guide.

Opstella Core Preparation

Section titled “Opstella Core Preparation”

  1. Create a credentials for Opstella Core Configuration Admin Panel.

    • Admin Username: admin (Cannot be changed)
    • Admin Password: CHANGEME
    export OPSTELLA_CORE_ADMIN_PASSWORD="CHANGEME"
    Terminal window
    kubectl create secret generic opstella-core-init-credentials --namespace opstella-system \
      --from-literal=ADMIN_USER=admin --from-literal=ADMIN_PASSWORD=${OPSTELLA_CORE_ADMIN_PASSWORD}

  2. Prepare Opstella Core Initialisation Script.

    Ensure ORGANIZATION_NAME and BASE_DOMAIN are defined as per the Shell Variables guide.

    Set Opstella Company Admin Email

    💡 It should be the same as opstella user from Keycloak User creation. Opstella Keycloak - Initial Configurations/Setup Opstella Administrator User Account

    Terminal window
    export OPSTELLA_ADMIN_EMAIL="opstella-admin@${BASE_DOMAIN}"

  3. Create Opstella Core Initialisation Script followed to preparations.

    Create a Copy of Opstella Core Initialisation Script.

    Terminal window
    cp $HOME/opstella-installation/assets/scripts/opstella-core-init.sh $HOME/opstella-installation/opstella-configs/opstella-core-init.sh

    Edit the copied file to put your information.

    Terminal window
    sed -i "s#\${OPSTELLA_COMPANY_DOMAIN}#$ORGANIZATION_NAME#g" $HOME/opstella-installation/opstella-configs/opstella-core-init.sh
    sed -i "s#\${OPSTELLA_COMPANY_SLUG}#$ORGANIZATION_NAME#g" $HOME/opstella-installation/opstella-configs/opstella-core-init.sh
    sed -i "s#\${OPSTELLA_ADMIN_EMAIL}#$OPSTELLA_ADMIN_EMAIL#g" $HOME/opstella-installation/opstella-configs/opstella-core-init.sh

    Create Kubernetes ConfigMap

    Terminal window
    kubectl create configmap opstella-core-init-script-cm --namespace opstella-system \
      --from-file=opstella-core-init.sh=$HOME/opstella-installation/opstella-configs/opstella-core-init.sh

  4. Deploy Opstella Initial License New

    Create Kubernetes Secret named opstella-core-init-license

    Make sure that data is ENCODED in Base64

    Terminal window
    kubectl create secret generic opstella-core-init-license --namespace opstella-system \
      --from-literal=config.txt=$(cat $HOME/opstella-installation/opstella-configs/opstella-core-init-license.txt | base64 -w0)

  5. Prepare Helm Values Configurations.

    Please give attention to these values:

    • Application Configurations

      • image.repository, image.tag : Set your Opstella Platform Container Image Location, Version

        export OPSTELLA_REGISTRY="asia-southeast1-docker.pkg.dev/opstella/platform/core"
         
        export OPSTELLA_CORE_VERSION="vX.Y.Z"

      • CORS allowance ; Allowed though using base domain with wildcard *.${BASE_DOMAIN}

        (DO NOT CHANGE, unless you understand what it is.)

        export OPSTELLA_CORE_CSRF_TRUSTED_ORIGINS="https://*.${BASE_DOMAIN}"

      • Access to Opstella Core with Domain

        export OPSTELLA_CORE_DOMAIN="opstella-backend.${BASE_DOMAIN}"

    • Database Configurations ; Relate to PostgreSQL for Opstella Platform

      • Pre-populated with default assumptions (using the previously deployed PostgreSQL)

        export OPSTELLA_CORE_DATABASE_PASSWORD="CHANGEME"

        (DO NOT CHANGE, unless you understand what it is.)

        export OPSTELLA_CORE_DATABASE_HOST="opstella-postgres-rw.opstella-system.svc"
        export OPSTELLA_CORE_DATABASE_PORT="5432"
        export OPSTELLA_CORE_DATABASE_DB_NAME="opstella_platform"
        export OPSTELLA_CORE_DATABASE_USERNAME="opstella_platform_user"

    • Opstella Keycloak Service Configurations ; Relate to Keycloak

      • KEYCLOAK_DOMAIN : Domain for access to Keycloak
      • KEYCLOAK_REALM : Keycloak Realm

    Ensure KEYCLOAK_DOMAIN, KEYCLOAK_REALM, BASE_DOMAIN are defined as per the Shell Variables guide.

    • Object Storage Configurations ; Connects to S3(-compatible) Object Storage

      • OPSTELLA_CORE_S3_DOMAIN : Connect to S3(-compatible) Object Storage API Domain

        export OPSTELLA_CORE_S3_DOMAIN="seaweedfs-api.${BASE_DOMAIN}"
        export OPSTELLA_CORE_S3_ADDRESSING_STYLE="path"
        export OPSTELLA_CORE_S3_BUCKET_NAME="opstella-web"
        export OPSTELLA_CORE_S3_BUCKET_REGION="us-east-1"
        export OPSTELLA_CORE_S3_ACCESS_KEY="opstella"
        export OPSTELLA_CORE_S3_ACCESS_SECRET="${SEAWEEDFS_HA_S3_OPSTELLA_PASSWORD}"

    • Opstella License Agent Host

      (DO NOT CHANGE, unless you understand what it is.)

      export OPSTELLA_CORE_LICENSE_SERVICE_HOST="ok8s-integration.opstella-system.svc.${K8S_INTERNAL_DOMAIN}"

  6. Prepare Helm Values Configurations.

    Terminal window
    cat <<EOF > $HOME/opstella-installation/helm-values/opstella-core-full-values.yaml
    image:
      repository: ${OPSTELLA_REGISTRY}
      tag: ${OPSTELLA_CORE_VERSION}
      pullPolicy: Always
    

    nameOverride: opstella-core
    fullnameOverride: opstella-core
    

    serviceAccount:
      name:
    

    imagePullSecrets:
      - name: registry-secret
    

    ingress:
      enabled: true
      className: ${K8S_INGRESSCLASS_NAME}
      annotations:
        nginx.ingress.kubernetes.io/proxy-body-size: 100M
      hosts:
      - host: ${OPSTELLA_CORE_DOMAIN}
        paths:
          - path: /
            pathType: Prefix
            backend:
              servicePort: 8000
      tls:
      - hosts:
        - ${OPSTELLA_CORE_DOMAIN}
        secretName: ${K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME}
    

    containerPorts: 8000
    

    healthCheck:
      enabled: true
      liveness:
        httpGet:
          path: "/healthcheck"
          port: 8000
        initialDelaySeconds: 180
        periodSeconds: 30
      readiness:
        httpGet:
          path: "/"
          port: 8000
        initialDelaySeconds: 20
        periodSeconds: 10
    

    service:
      port: 8000
    

    env:
      # License System
      - name: LS_URL
        value: http://${OPSTELLA_CORE_LICENSE_SERVICE_HOST}:3000
      - name: LS_NS
        value: opstella-system
      # Django Configurations
      - name: CREATE_OTHER_USER_WITHOUT_OPSTELLA
        value: "true"
      - name: CSRF_TRUSTED_ORIGINS
        value: "${OPSTELLA_CORE_CSRF_TRUSTED_ORIGINS}"
      # PostgreSQL Database
      - name: POSTGRES_HOST
        value: ${OPSTELLA_CORE_DATABASE_HOST}
      - name: POSTGRES_PORT
        value: "${OPSTELLA_CORE_DATABASE_PORT}"
      - name: POSTGRES_NAME
        value: ${OPSTELLA_CORE_DATABASE_DB_NAME}
      - name: POSTGRES_USER
        value: ${OPSTELLA_CORE_DATABASE_USERNAME}
      - name: POSTGRES_PASSWORD
        value: ${OPSTELLA_CORE_DATABASE_PASSWORD}
      # S3(-compatible/MinIO) Object Storage
      - name: AWS_S3_ENDPOINT_URL
        value: https://${OPSTELLA_CORE_S3_DOMAIN}
      - name: AWS_S3_ADDRESSING_STYLE
        value: ${OPSTELLA_CORE_S3_ADDRESSING_STYLE}
      - name: AWS_STORAGE_BUCKET_NAME
        value: ${OPSTELLA_CORE_S3_BUCKET_NAME}
      - name: AWS_S3_REGION_NAME
        value: ${OPSTELLA_CORE_S3_BUCKET_REGION}
      - name: AWS_ACCESS_KEY_ID
        value: ${OPSTELLA_CORE_S3_ACCESS_KEY}
      - name: AWS_SECRET_ACCESS_KEY
        value: ${OPSTELLA_CORE_S3_ACCESS_SECRET}
      # Identity Service
      - name: KEYCLOAK_SERVER_URL
        value: https://${KEYCLOAK_DOMAIN}/
      - name: KEYCLOAK_REALM
        value: ${KEYCLOAK_REALM}
    

    podAnnotations:
      dapr.io/enabled: "true"
      dapr.io/app-id: "opstella-core"
      dapr.io/app-port: "8000"
      dapr.io/enable-api-logging: "true"
      dapr.io/config: "config"
      dapr.io/sidecar-seccomp-profile-type: "RuntimeDefault"
    

    volumes: true
    

    volumesConfigMap:
      - name: init-script
        configMap:
          name: opstella-core-init-script-cm
          defaultMode: "0770"
      - name: gitlab-configs
        configMap:
          name: opstella-core-gitlab-configs
          defaultMode: "0770"
    

    volumesSecret:
      - name: opstella-core-init-license
        secret:
          secretName: opstella-core-init-license
          optional: true
    

    volumeMounts:
      - name: opstella-core-init-license
        mountPath: /usr/src/app/config/config.txt
        subPath: config.txt
      - name: init-script
        mountPath: /docker-entrypoint.d
      - name: gitlab-configs
        mountPath: /usr/src/config/
    

    envFrom:
      secrets:
        - opstella-core-init-credentials
    

    command:
      - /bin/sh
      - -c
      - /docker-entrypoint.d/opstella-core-init.sh && gunicorn opstella.wsgi -b 0.0.0.0:8000 --workers=3 --threads=2 --timeout=300
    

    podSecurityContext:
      fsGroup: 1000
    

    securityContext:
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop: ["ALL"]
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      runAsGroup: 1000
      runAsUser: 1000
    

    EOF

Installation

Section titled “Installation”

  1. Install Opstella Core.

    Install Helm Release using local opstella-platform Helm Chart

    Terminal window
    helm upgrade --install opstella-core \
      $HOME/opstella-installation/helm-charts/opstella-platform-chart \
      --namespace opstella-system \
      -f $HOME/opstella-installation/helm-values/opstella-core-full-values.yaml

Post-Installation

Section titled “Post-Installation”

Opstella Core Testing

Section titled “Opstella Core Testing”

  1. Get Pod Status - Opstella Core

    Terminal window
    kubectl get pods -n opstella-system

    Opstella Core should be Running

    NAME                            READY   STATUS    RESTARTS   AGE
    ... (deducted)
    opstella-core-XXXXXXX-YYYYY     1/1     Running   0          XdXh

Finished?

Use the below navigation to proceed