
Installation Planning and Prerequisites

As stated in the product proposal, you will need to determine the characteristics of the underlying systems that Opstella manages and the characteristics of Opstella itself.

  1. Choose the SINGLE Edition that you are eligible for.

    Read Platform Offerings to see what each edition offers.

    💡 This affects how you will provision the entire platform.

  2. Prepare the list of Software and Components to be used.

    The list of Software and Components should follow the Edition that you are eligible for.

    This also affects the preparation and installation of the Opstella Microservices Components, which is explained further in Opstella Software Preparations.

    On the other hand, if you are eligible for the Container Operation Edition, you opt out of the tools that are not required per the edition specification.

    In that case, you need to skip the installation and integration of:

    • GitLab Standard CI/CD Pipelines
    • GitLab Project Templates
    • SonarQube
    • DefectDojo
    • Their corresponding Opstella Microservices Components.

Determine Opstella Company/Organisation Name


Opstella is designed to give you an organisation-wide view (the organisation could be an actual organisation or a team) of your Application(s). See the Organisation Lane.

These Application(s) (Platform) carry an indicator that they belong to a Global Group (Organisation). You have to prepare this name before installation; it will be used during the Opstella initialisation process.


Opstella uses Keycloak as its Identity and Access Management system.

You are required to install and set up Keycloak with a dedicated Keycloak Realm for Opstella.

  • This follows Keycloak setup best practice: the “master” realm, the default realm created at installation, is left for administrative purposes only.

The dedicated Keycloak Realm requires a name, which you need to determine:

  • The Keycloak Realm name should indicate your organisation name and its relation to Opstella.
  • The recommended name pattern is <Company-Short-Name>-opstella
    • This leaves room for expansion of the Opstella Keycloak data if you later decide to use this Keycloak as centralized user management for your organisation, or to use an existing Keycloak.

You will be guided on how to set up Keycloak during its installation, but the name must be decided before installation.

As stated in the product proposal, you will need to determine the underlying systems that Opstella manages and the system that Opstella itself runs on.

This can be seen as The Three Parts:

  • The underlying systems that Opstella manages:
    • Part 1: Determine DevSecOps and Observability Deployment
    • Part 2: Determine Kubernetes Cluster(s) that will deploy Opstella-managed Application Workload
  • Part 3: The underlying system that Opstella itself will be running on.

Part 1: Determine DevSecOps and Observability Deployment


You have determined the list of DevSecOps and Observability software, but these are “Third-party Software” and can be deployed in many different ways.

💡 Please check each tool's documentation.

This determination affects the infrastructure provisioning for these deployments.

For example,

SonarQube:

  • SonarQube Server Installation and Setup ↗: Set up a server to be the SonarQube server by running the necessary binary and exposing the service through the network.
    • If you go with Binary Deployment, you may only need a Server to run it. *
    • If you go with Helm Deployment, you need to have a Kubernetes Cluster.

Grafana Mimir:

  • Deployment Modes ↗: The various modes in which Grafana Mimir can be deployed, e.g. running all Grafana Mimir sub-components as a single binary.
  • Deploy Mimir with Helm ↗: When you choose to deploy Grafana Mimir on a Kubernetes Cluster.
    • If you go with Binary Deployment, you may only need a Server to run it. *
    • If you go with Helm Deployment, you need to have a Kubernetes Cluster.

* Not counting the necessary dependencies that are needed.

ℹ️ Some of the tools/instruments run exclusively on a Kubernetes Cluster.

Ultimately, the target goal is to have the collection of DevSecOps and Observability Tools up and running, with their services exposed on the network and accessible by Opstella, to complete the platform.

💡 As a recommendation from Opstella, we recommend that you follow the Reference Architecture.

Part 2: Determine Kubernetes Cluster(s) that will deploy Opstella-managed Application Workload


Once your application has gone through the onboarding process, it will be managed by Opstella and deployed on infrastructure that is integrated with Opstella.

The ONLY infrastructure that Opstella supports is Kubernetes.

💡 You need to have Kubernetes Cluster(s) set up and ready to use.

Often your Application(s) will have separate instances for different purposes in the DevSecOps cycle, allowing the separation of different processes such as various kinds of testing or staging of your application.

This depends on your requirements and on what managing applications means to you, but Opstella by default embraces this separation.

It is also good practice that, alongside the application separation, the underlying infrastructure running the application is separated as well.

You need to determine the number of Environments that you designate.

Apart from that, you NEED to separate them into 2 groups:

  • Non-Production Group
  • Production Group.

For instance, 5 Environments:

  • Non-Production Group
    • 🟦 DEV: Development Environment for Developers
    • 🟨 SIT: System Integration Test Environment for Testers
    • 🟪 UAT: User Acceptance Test Environment for QAs and Beta User Testers
  • Production Group
    • ⬜ PRE: Pre-Production Environment for Compatibility Testing Before Go Live
    • 🟥 PRD: Production Environment for Go Live / Use by Actual External Users

After that, determine the number of Kubernetes Cluster(s).

Environment(s) can be either shared or dedicated on the Kubernetes Cluster(s). (🤔 What does it mean?)

Shared or Dedicated on the Kubernetes Cluster(s)

  • Applications managed by Opstella are separated by Kubernetes Namespace, with an Environment suffix in the Namespace name.
    • This gives you flexibility where your infrastructure limitations constrain you.

For instance, from 5 Environments you can have one of the following example scenarios.

Scenario #1 - Entirely Consolidated

  • Utilizes 1 Kubernetes Cluster
    • Kubernetes #1 (Consolidated): 🟦 DEV 🟨 SIT 🟪 UAT ⬜ PRE 🟥 PRD

Scenario #2 - Separated by Group (Non-Production/Production)

  • Utilizes 2 Kubernetes Clusters
    • Kubernetes #1 (Non-Production): 🟦 DEV 🟨 SIT 🟪 UAT
    • Kubernetes #2 (Production): ⬜ PRE 🟥 PRD

Scenario #3 - Entirely Dedicated

  • Utilizes 5 Kubernetes Clusters
    • Kubernetes #1: 🟦 DEV
    • Kubernetes #2: 🟨 SIT
    • Kubernetes #3: 🟪 UAT
    • Kubernetes #4: ⬜ PRE
    • Kubernetes #5: 🟥 PRD

Please have this strategy determined; you will then know how to provision Kubernetes Cluster(s) for the Application Workload according to your Environment(s) designation and your infrastructure constraints.

💡 It is recommended to use the Reference Architecture as a starting point to plan your infrastructure.
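The Environment, group and cluster decisions above can be captured as a small planning helper. The following is an added example, not Opstella's own tooling: the cluster names (k8s-…), the strategy keywords and the sample application name are assumptions, while the "application name plus Environment suffix" namespace pattern follows the description above.

```python
# Added planning helper (not part of Opstella): maps the designated
# Environments to Kubernetes Cluster(s) for the three example scenarios and
# derives the "<application>-<environment>" namespace names.

# Constructed sample: 5 Environments split into the two required groups.
ENVIRONMENTS = {
    "dev": "non-production",
    "sit": "non-production",
    "uat": "non-production",
    "pre": "production",
    "prd": "production",
}


def plan_clusters(environments, strategy):
    """Return {cluster_name: [environment, ...]} for a strategy.

    strategy is "consolidated" (Scenario #1, 1 cluster), "by-group"
    (Scenario #2, 1 cluster per group) or "dedicated" (Scenario #3,
    1 cluster per Environment). Cluster names are assumed here.
    """
    if strategy == "consolidated":
        return {"k8s-1": list(environments)}
    if strategy == "by-group":
        plan = {}
        for env, group in environments.items():
            plan.setdefault(f"k8s-{group}", []).append(env)
        return plan
    if strategy == "dedicated":
        return {f"k8s-{env}": [env] for env in environments}
    raise ValueError(f"unknown strategy: {strategy}")


def namespaces_for(app_name, environments_on_cluster):
    """One Namespace per Environment: application name with Environment suffix."""
    return [f"{app_name}-{env}" for env in environments_on_cluster]


def mixes_groups(plan, environments):
    """True if any cluster hosts both Production and Non-Production Environments.

    Only the consolidated scenario is expected to mix groups; use this as a
    check when infrastructure constraints push you away from Scenario #2 or #3.
    """
    return any(len({environments[e] for e in envs}) > 1 for envs in plan.values())


if __name__ == "__main__":
    for strategy in ("consolidated", "by-group", "dedicated"):
        plan = plan_clusters(ENVIRONMENTS, strategy)
        print(strategy, "clusters:", len(plan), "mixes groups:", mixes_groups(plan, ENVIRONMENTS))
        for cluster, envs in plan.items():
            print(" ", cluster, namespaces_for("payment-api", envs))  # app name is constructed
```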


  • Opstella and its dependencies are designed as Microservices: container-based, Cloud-Native, and running exclusively on a Kubernetes Cluster.

    Please read more on Platform Architecture.

    • 💡 You explicitly need a Kubernetes Cluster to run Opstella.
      • For better resource utilization, Opstella can be deployed on the same infrastructure as the DevSecOps and Observability Tools.

  • Machines are either Physical or Virtual.
    • All Machines are provisioned in the number of instances required, with a supported Operating System and Compute Specifications, ready to use, and ready to install the corresponding software and its dependencies.
  • Usually a Kubernetes Cluster consists of multiple Server Machines.
    • Either Physical or Virtual.
    • Kubernetes Cluster(s) should be provisioned with a supported Version and Specifications.
    • All Machines for the Kubernetes Cluster(s) are provisioned in the number of instances required, with a supported Operating System and Compute Specifications, ready to use, and ready to install the corresponding software and its dependencies.

It is good practice to have a dedicated machine for managing the infrastructure and performing the installation.

  • 🟫 Bastion Host: Bastion Host as the Centralized Infrastructure Management Entrypoint

You need to provide Persistent Storage to the Kubernetes Cluster(s) and to the Machines that provide the compute infrastructure for the platform.

Opstella and some of its components/tools require an S3-compatible Object Storage Service.

You need to determine whether to host your own S3-Compatible Object Storage Service or bring your own service.

S3 is a RESTful API standard for interacting with object storage and the de facto industry standard for cloud-based data storage, used by countless applications.

These are the usage within the platform:

  • Opstella: Storing Opstella Web Assets
  • GitLab
    • Backup Location
    • Cache for GitLab Runners
  • Harbor (Artifact Registry): Storing Artifacts (Container Images/Helm Charts/etc.)
  • Vault: Storing Unseal Key, Root Token after initialised
  • Mimir: Metrics Storage
  • Loki: Logs Storage
  • Tempo: Trace Storage
  • Velero: Kubernetes Cluster Backup Location

If you opt to host your own S3-Compatible Object Storage, the following is the preferred service, for which this document includes guides.

MinIO is an S3-Compatible Object Storage Service, Open Source Software by MinIO, Inc.

https://github.com/minio/minio

Network Policies (Firewall) must be either unrestricted or fully satisfied on all underlying infrastructure (Machines / Machines for Kubernetes Clusters), including any cross-connections the services need.

  • If a Firewall is required to be configured properly,

    • It must be satisfied on all Virtual Machines, according to their servicing needs
    • It must be satisfied on all Control Plane/Worker Nodes for Kubernetes, according to their servicing needs
  • Outbound connection is preferably open to the Internet without Proxies or a highly restricted Firewall

Opstella and its components are web services accessed through a web browser, so the URLs to be used must be determined.

For example, your organisation's base domain name is CHANGEME.com

You need to use subdomains to differentiate the services within Opstella. The list below assumes that all tools are enabled.

  • Opstella Services

    • Opstella UI Console (Main Entry to the Platform): opstella.CHANGEME.com
    • Opstella Core (Backend): opstella-backend.CHANGEME.com
    • Opstella Clear Session Service: opstella-clear-session.CHANGEME.com
  • Opstella Keycloak Service: idp.CHANGEME.com

  • S3 API-compatible Object Storage - MinIO

    • Frontend: minio.CHANGEME.com
    • API: minio-api.CHANGEME.com
  • DevSecOps

    • GitLab: gitlab.CHANGEME.com
    • Harbor: harbor.CHANGEME.com
    • ArgoCD
      • Non-Production: argocd-nonprod.CHANGEME.com
      • Production: argocd-prod.CHANGEME.com
    • SonarQube: sonarqube.CHANGEME.com
    • DefectDojo: defectdojo.CHANGEME.com
    • Vault: vault.CHANGEME.com
    • Headlamp
      • Non-Production: headlamp-nonprod.CHANGEME.com
      • Production: headlamp-prod.CHANGEME.com
  • Observability

    • Grafana Observability LGTM Stack
      • Loki: loki.CHANGEME.com
      • Grafana Dashboard: grafana.CHANGEME.com
      • Tempo: tempo.CHANGEME.com
      • Mimir: mimir.CHANGEME.com
      • Alloy
        • Non-Production Cluster: alloy-nonprod.CHANGEME.com
        • Production Cluster: alloy-prod.CHANGEME.com

You need to set up domain resolution with your domain name service (DNS) afterwards on your own.


Opstella, its components and the Opstella-managed Applications are secured with the HTTPS protocol by default.

Thus, a TLS Certificate that matches the Domains is required.

The TLS Certificate can take several forms:

  • A Wildcard TLS Certificate

  • A Specific Domain TLS Certificate

    A Specific Domain TLS Certificate is valid only for the domain it is paired with; the certificate name must match the hostname.

The certificate can be self-signed or signed by a widely-known authority.
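Before requesting the certificate, it helps to list every hostname from the subdomain plan above and check which of them the certificate's names would actually cover. The following is an added example, not Opstella's own tooling: the edition keywords and function names are assumptions, the hostnames are the ones listed in this document, and the wildcard rule is the one-label, leftmost-label-only matching from RFC 6125 section 6.4.3.

```python
# Added planning helper (not part of Opstella): derives the service hostnames
# for the base domain and the chosen Edition, then reports which of them a
# TLS certificate's names (CN/SANs) do not cover.

# Service names as listed in this document. Per the edition notes above, the
# Container Operation Edition skips SonarQube and DefectDojo (GitLab itself
# stays; only its pipelines/templates are skipped).
COMMON = ["opstella", "opstella-backend", "opstella-clear-session", "idp",
          "minio", "minio-api", "gitlab", "harbor", "argocd-nonprod",
          "argocd-prod", "vault", "headlamp-nonprod", "headlamp-prod",
          "loki", "grafana", "tempo", "mimir", "alloy-nonprod", "alloy-prod"]
SINGLE_EDITION_ONLY = ["sonarqube", "defectdojo"]


def required_hostnames(base_domain, edition="single"):
    """Return the FQDNs Opstella and its tools are exposed on (edition keyword assumed)."""
    names = COMMON + (SINGLE_EDITION_ONLY if edition == "single" else [])
    return [f"{name}.{base_domain}" for name in names]


def name_matches(cert_name, hostname):
    """Does one certificate name cover the hostname? Case-insensitive.

    A wildcard is honoured only as the entire leftmost label ("*.example.com")
    and matches exactly one label, so "*.example.com" covers "idp.example.com"
    but neither "a.b.example.com" nor the bare "example.com".
    """
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return cert_name == hostname


def uncovered_hostnames(hostnames, cert_names):
    """Hostnames that none of the certificate's names match; empty means fully covered."""
    return [h for h in hostnames if not any(name_matches(c, h) for c in cert_names)]


if __name__ == "__main__":
    hosts = required_hostnames("CHANGEME.com")
    print(len(hosts), "hostnames; uncovered by wildcard:",
          uncovered_hostnames(hosts, ["*.CHANGEME.com"]))
    print("uncovered by a specific-domain certificate:",
          uncovered_hostnames(hosts, ["opstella.CHANGEME.com", "idp.CHANGEME.com"]))
```

The same list doubles as the set of DNS records you need to create afterwards.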


Before proceeding to the next steps, ensure you have determined and noted the following information:

  • Organisation Name: ____________________ (Short name, e.g., foobar)
  • Keycloak Realm Name: ____________________ (Recommended: <Company-Short-Name>-opstella)
  • Domain Name: ____________________ (Base domain, e.g., example.com)
  • Storage Service: ____________________ (S3-compatible storage service)
  • TLS Certificate: ____________________ (Wildcard certificate & key for the domains)

Keep this information handy, as you will need it during the installation process.
