This is the Experimental version (Latest). It is under active development and may change. For the most reliable documentation, use the Stable version.

Opstella Core (Back-end) Installation

🟢 Management

Opstella Core is a Backend Service for Opstella to centralize information and orchestrate operations.

  • 📦PostgreSQL Database ; Deploy an external/dedicated database instance
  • 📦S3 API-compatible Object Storage ; e.g. MinIO
  • 📦Opstella Keycloak ; For Single Sign-on Functionality
  • 🛡️TLS Certificate for Opstella Core (Back-end)
    • Opstella Core (Back-end) will be exposed through Web with HTTPS.
  • 🔑 Credentials to Access S3 Bucket: Access Key, Secret Key
    • Use the credentials you defined in the SeaweedFS (HA) Installation guide (specifically SEAWEEDFS_HA_S3_OPSTELLA_PASSWORD as the secret and opstella as the access key).
  1. Connect to 🟢 Management Kubernetes Cluster ; e.g. with a Kubeconfig File

    Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

    Terminal window
    source $BASE_WORKING_DIR/shell-values/kubernetes/management_cluster.vars.sh
  2. Prepare 🟢 Management Kubernetes Cluster Information

    Ensure K8S_INTERNAL_DOMAIN, K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME, K8S_INGRESSCLASS_NAME are defined as per the Shell Variables guide.


  1. Create credentials for the Opstella Core Configuration Admin Panel.

    • Admin Username: admin (Cannot be changed)
    • Admin Password: (Loaded from opstella-platform.vars.sh)
    Terminal window
    # Quote the password so the shell does not split or glob special characters in it.
    kubectl create secret generic opstella-core-init-credentials --namespace opstella-system \
    --from-literal=ADMIN_USER=admin --from-literal=ADMIN_PASSWORD="${OPSTELLA_CORE_ADMIN_PASSWORD}"
  2. Prepare Opstella Core Initialisation Script.

    Ensure ORGANIZATION_NAME and BASE_DOMAIN are defined as per the Shell Variables guide.

    Set Opstella Company Admin Email

    💡 It should be the same as the opstella user from Keycloak user creation (see Opstella Keycloak - Initial Configurations / Setup Opstella Administrator User Account).

    (Ensure KEYCLOAK_REALM_ADMIN_EMAIL is loaded from your variables)

  3. Create the Opstella Core Initialisation Script from the values prepared above.

    Create a Copy of Opstella Core Initialisation Script.

    Terminal window
    cp $BASE_WORKING_DIR/assets/scripts/opstella-core-init.sh $BASE_WORKING_DIR/assets/opstella-configs/opstella-core-init.sh

    Edit the copied file to fill in your information.

    Terminal window
    # The values are used as sed replacement text with '#' as the delimiter,
    # so they must not contain '#' or '&'.
    sed -i "s#\${OPSTELLA_COMPANY_DOMAIN}#$ORGANIZATION_NAME#g" "$BASE_WORKING_DIR/assets/opstella-configs/opstella-core-init.sh"
    sed -i "s#\${OPSTELLA_COMPANY_SLUG}#$ORGANIZATION_NAME#g" "$BASE_WORKING_DIR/assets/opstella-configs/opstella-core-init.sh"
    sed -i "s#\${OPSTELLA_ADMIN_EMAIL}#$KEYCLOAK_REALM_ADMIN_EMAIL#g" "$BASE_WORKING_DIR/assets/opstella-configs/opstella-core-init.sh"

    Create Kubernetes ConfigMap

    Terminal window
    kubectl create configmap opstella-core-init-script-cm --namespace opstella-system \
    --from-file=opstella-core-init.sh=$BASE_WORKING_DIR/assets/opstella-configs/opstella-core-init.sh
  4. Deploy Opstella Initial License

    Create Kubernetes Secret named opstella-core-init-license

    Make sure that the data is encoded in Base64.

    Terminal window
    # The license file is Base64-encoded on a single line (-w0) and stored under the key config.txt.
    kubectl create secret generic opstella-core-init-license --namespace opstella-system \
    --from-literal=config.txt="$(base64 -w0 < "$BASE_WORKING_DIR/assets/opstella-configs/opstella-core-init-license.txt")"
  5. Prepare Helm Values Configurations.

    Pay attention to these values:

    • Application Configurations

      • image.repository, image.tag : Set your Opstella Platform Container Image Location, Version

        (Ensure OPSTELLA_REGISTRY is loaded from your variables)

        (Ensure OPSTELLA_CORE_VERSION, OPSTELLA_CORE_CSRF_TRUSTED_ORIGINS, and OPSTELLA_CORE_DOMAIN are loaded from variables)

    • Database Configurations ; Related to PostgreSQL for Opstella Platform

      • Pre-populated with default assumptions (using the previously deployed PostgreSQL)

        (Ensure these database configuration variables are loaded from your vars file)

    • Opstella Keycloak Service Configurations ; Related to Keycloak

      • KEYCLOAK_DOMAIN : Domain for access to Keycloak
      • KEYCLOAK_REALM : Keycloak Realm

    Ensure KEYCLOAK_DOMAIN, KEYCLOAK_REALM, BASE_DOMAIN are defined as per the Shell Variables guide.

    • Object Storage Configurations ; Connects to S3(-compatible) Object Storage

      • OPSTELLA_CORE_S3_DOMAIN : Connect to S3(-compatible) Object Storage API Domain

        (Ensure these S3 configurations are loaded from your variables file)

    • Opstella License Agent Host

      (DO NOT CHANGE, unless you understand what it is.)

      (Ensure OPSTELLA_CORE_LICENSE_SERVICE_HOST is loaded from your variables file)

  6. Create the Helm Values file.

    Terminal window
    cat <<EOF > $BASE_WORKING_DIR/helm-values/opstella-core-full-values.yaml
    image:
      repository: ${OPSTELLA_CORE_IMAGE_REPOSITORY}
      tag: ${OPSTELLA_CORE_IMAGE_TAG}
      pullPolicy: Always
    nameOverride: opstella-core
    fullnameOverride: opstella-core
    serviceAccount:
      name:
    imagePullSecrets:
      - name: registry-secret
    ingress:
      enabled: true
      className: ${K8S_INGRESSCLASS_NAME}
      annotations:
        nginx.ingress.kubernetes.io/proxy-body-size: 100M
      hosts:
        - host: ${OPSTELLA_CORE_DOMAIN}
          paths:
            - path: /
              pathType: Prefix
              backend:
                servicePort: 8000
      tls:
        - hosts:
            - ${OPSTELLA_CORE_DOMAIN}
          secretName: ${K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME}
    containerPorts: 8000
    healthCheck:
      enabled: true
      liveness:
        httpGet:
          path: "/healthcheck"
          port: 8000
        initialDelaySeconds: 180
        periodSeconds: 30
      readiness:
        httpGet:
          path: "/"
          port: 8000
        initialDelaySeconds: 20
        periodSeconds: 10
    service:
      port: 8000
    env:
      # License System
      - name: LS_URL
        value: http://${OPSTELLA_CORE_LICENSE_SVC}:3000
      - name: LS_NS
        value: opstella-system
      # Django Configurations
      - name: CREATE_OTHER_USER_WITHOUT_OPSTELLA
        value: "true"
      - name: CSRF_TRUSTED_ORIGINS
        value: "${OPSTELLA_CORE_CSRF_TRUSTED_ORIGINS}"
      # PostgreSQL Database
      - name: POSTGRES_HOST
        value: ${OPSTELLA_POSTGRES_HOST}
      - name: POSTGRES_PORT
        value: "${OPSTELLA_POSTGRES_PORT}"
      - name: POSTGRES_NAME
        value: ${OPSTELLA_POSTGRES_DB}
      - name: POSTGRES_USER
        value: ${OPSTELLA_POSTGRES_USER}
      - name: POSTGRES_PASSWORD
        value: ${OPSTELLA_POSTGRES_USER_PASSWORD}
      # S3(-compatible/MinIO) Object Storage
      - name: AWS_S3_ENDPOINT_URL
        value: ${OPSTELLA_CORE_S3_ENDPOINT_URL}
      - name: AWS_S3_ADDRESSING_STYLE
        value: ${OPSTELLA_CORE_S3_ADDRESSING_STYLE}
      - name: AWS_STORAGE_BUCKET_NAME
        value: ${OPSTELLA_CORE_S3_BUCKET_NAME}
      - name: AWS_S3_REGION_NAME
        value: ${OPSTELLA_CORE_S3_REGION}
      - name: AWS_ACCESS_KEY_ID
        value: ${OPSTELLA_CORE_S3_ACCESS_KEY}
      - name: AWS_SECRET_ACCESS_KEY
        value: ${OPSTELLA_CORE_S3_ACCESS_SECRET}
      # Identity Service
      - name: KEYCLOAK_SERVER_URL
        value: https://${KEYCLOAK_DOMAIN}/
      - name: KEYCLOAK_REALM
        value: ${KEYCLOAK_REALM}
      - name: REQUESTS_CA_BUNDLE
        value: /etc/ssl/certs/ca.crt
    podAnnotations:
      dapr.io/enabled: "true"
      dapr.io/app-id: "opstella-core"
      dapr.io/app-port: "8000"
      dapr.io/enable-api-logging: "true"
      dapr.io/config: "config"
      dapr.io/sidecar-seccomp-profile-type: "RuntimeDefault"
    volumes: true
    volumesConfigMap:
      - name: init-script
        configMap:
          name: opstella-core-init-script-cm
          defaultMode: "0770"
      - name: gitlab-configs
        configMap:
          name: opstella-core-gitlab-configs
          defaultMode: "0770"
      - name: custom-trusted-ca
        configMap:
          name: custom-root-ca.crt
    volumesSecret:
      - name: opstella-core-init-license
        secret:
          secretName: opstella-core-init-license
          optional: true
    volumeMounts:
      - name: opstella-core-init-license
        mountPath: /usr/src/app/config/config.txt
        subPath: config.txt
      - name: init-script
        mountPath: /docker-entrypoint.d
      - name: gitlab-configs
        mountPath: /usr/src/config/
      - name: custom-trusted-ca
        mountPath: /etc/ssl/certs/ca.crt
        subPath: ca.crt
    envFrom:
      secrets:
        - opstella-core-init-credentials
    command:
      - /bin/sh
      - -c
      - /docker-entrypoint.d/opstella-core-init.sh && gunicorn opstella.wsgi -b 0.0.0.0:8000 --workers=3 --threads=2 --timeout=300
    podSecurityContext:
      fsGroup: 1000
    securityContext:
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop: ["ALL"]
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      runAsGroup: 1000
      runAsUser: 1000
    EOF
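
The heredoc above is unquoted, so the shell expands every `${...}` reference while writing the file, and an unset variable silently becomes a blank value; the heredoc also references names such as OPSTELLA_CORE_IMAGE_REPOSITORY and OPSTELLA_CORE_LICENSE_SVC that differ from the names listed in the preparation step. The preflight below is an added example, not part of the Opstella documentation: it lists the variables a template references that are not loaded and flags blank values in an already rendered file. The sample template is a constructed excerpt, and keeping an unexpanded copy of the heredoc body as a template file is an assumption of the example.

```sh
# Added example, not part of the Opstella documentation.
# SAMPLE_TEMPLATE is a constructed excerpt of the values heredoc, single-quoted
# so the ${...} references stay unexpanded and can be inspected.
SAMPLE_TEMPLATE='image:
  repository: ${OPSTELLA_CORE_IMAGE_REPOSITORY}
  tag: ${OPSTELLA_CORE_IMAGE_TAG}
env:
  - name: LS_URL
    value: http://${OPSTELLA_CORE_LICENSE_SVC}:3000
  - name: POSTGRES_PASSWORD
    value: ${OPSTELLA_POSTGRES_USER_PASSWORD}'

# Print each distinct name referenced as ${NAME} in the template on stdin.
template_vars() {
  grep -o '[$][{][A-Za-z_][A-Za-z0-9_]*[}]' | tr -d '${}' | sort -u
}

# Print the referenced names that are unset or empty in the current shell.
# Exit status: 0 when every reference is set, 1 otherwise.
missing_vars() {
  mv_missing=0
  for mv_name in $(template_vars); do
    # mv_name can only match [A-Za-z_][A-Za-z0-9_]*, so eval cannot inject code.
    eval "mv_value=\${$mv_name:-}"
    if [ -z "$mv_value" ]; then
      printf '%s\n' "$mv_name"
      mv_missing=1
    fi
  done
  return "$mv_missing"
}

# Print lines of a rendered values file (stdin) where an unset variable left a
# hole: an empty scalar, an empty list item, or a URL with no host.
# serviceAccount.name is blank on purpose in the page's file, so name: is not checked.
# Exit status follows grep: 0 when at least one hole was found.
rendered_holes() {
  grep -nE \
    -e '^[[:space:]-]*(value|repository|tag|host|className|secretName):[[:space:]]*("")?[[:space:]]*$' \
    -e '^[[:space:]]*-[[:space:]]*$' \
    -e '://[:/]'
}

# Usage (file names are hypothetical):
#   missing_vars < opstella-core-full-values.tpl || exit 1      # before rendering
#   rendered_holes < opstella-core-full-values.yaml && exit 1   # after rendering
```

The rendered values file contains the PostgreSQL password and the S3 secret key in plaintext, so keep it readable only by the operator and out of version control.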
  1. Install Opstella Core.

    Install Helm Release using local opstella-platform Helm Chart

    Terminal window
    helm upgrade --install opstella-core \
    oci://asia-southeast1-docker.pkg.dev/opstella-dev/opstella-charts/generic-deployment \
    --version 0.3.15 \
    --namespace opstella-system \
    -f $BASE_WORKING_DIR/helm-values/opstella-core-full-values.yaml
  1. Get Pod Status - Opstella Core

    Terminal window
    kubectl get pods -n opstella-system

    Opstella Core should be Running

    NAME READY STATUS RESTARTS AGE
    ... (omitted)
    opstella-core-XXXXXXX-YYYYY 1/1 Running 0 XdXh
