
Prepare Opstella Software Resources

Opstella software resources are components required for installation, and they must be prepared before you perform the installation. The preparation steps are:

  • Request Opstella UI Container Image Built Specifically for your Organisation
  • Determine List of Opstella Workers
  • Gather Opstella Container Images
  • Gather Opstella Helm Chart(s)
  • Gather Opstella Standard GitLab CI/CD Pipelines Installation
  • Gather Opstella Project Templates

Request Opstella UI Container Image Built Specifically for your Organisation

The Opstella UI Frontend requires a Container Image built specifically for each Organisation (or Site).

You need to ask the Opstella Sales/Product Manager to build the Container Image, providing these values.

For example,

  • Your Opstella Core (Backend) Domain opstella-backend.CHANGEME.com

    NEXT_PUBLIC_RELAY_ENDPOINT=https://opstella-backend.CHANGEME.com/graphql
  • Your Opstella Keycloak Domain idp.CHANGEME.com

    NEXT_PUBLIC_KEYCLOAK_URL=https://idp.CHANGEME.com/
  • Your Opstella Keycloak Realm foobar-opstella

    NEXT_PUBLIC_KEYCLOAK_REALM=foobar-opstella
  • Choose ONLY ONE Opstella Edition

    NEXT_PUBLIC_EDITION="CONTAINER"

After you have provided these values, you will be given the Container Image Name to pull and push to your Container Registry.

Opstella Workers are Microservices that integrate with Opstella dependencies: DevSecOps Tools, Observability Tools, Opstella Keycloak, and Kubernetes Cluster(s).

To start with, Opstella needs to work with Opstella Keycloak, which is Strictly Required.

Opstella Worker Keycloak: worker-keycloak 🔒

DevSecOps Tools, depending on what you are eligible for:

GitLab: worker-gitlab

Harbor: worker-harbor

SonarQube: worker-sonarqube

DefectDojo: worker-defectdojo

Vault: worker-vault

Headlamp: worker-headlamp

Observability Tools, enabled by your choice:

Grafana LGTM Stack: Install worker-grafana, worker-loki, worker-tempo

Application Deployment and Management:

As Opstella supports ONLY Kubernetes and manages any required Kubernetes Resources on the Kubernetes Cluster(s), its Worker is Strictly Required.

Kubernetes: worker-kubernetes 🔒

Opstella manages applications on Kubernetes Cluster(s) with ArgoCD, so you will need:

ArgoCD: worker-argocd

You have defined the number of Environment(s), and you may also follow the practice of separating infrastructure by Environment.

For Opstella to integrate with infrastructure that has been scaled this way, the corresponding Opstella Worker scales with the infrastructure.

This is the list of Opstella Workers that can have multiple instances.

  • worker-argocd
  • worker-headlamp

For instance, suppose you have multiple Kubernetes Clusters.

Example Workload Clusters:

  • 🟦 Non-Production Workload Kubernetes Cluster
  • 🟥 Production Workload Kubernetes Cluster

You will need a separate worker-argocd and worker-headlamp Opstella Worker for each Kubernetes Cluster.

  1. Add these to the workers list with a segregated name.

    Append - followed by the Environment Name.

  2. The exception is that instances of the same Worker share the same container image, so you also need to specify the correct image when deploying them.

    • 🟦 worker-argocd-nonprod
    • 🟥 worker-argocd-prod
      • Using worker-argocd Container Image
    • 🟦 worker-headlamp-nonprod
    • 🟥 worker-headlamp-prod
      • Using worker-headlamp Container Image

In conclusion, the Opstella Workers required for installation are:

  • worker-keycloak 🔒
  • worker-kubernetes 🔒
  • worker-defectdojo
  • worker-gitlab
  • worker-harbor
  • worker-sonarqube
  • worker-vault
  • worker-grafana
  • worker-loki
  • worker-tempo
  • worker-argocd-nonprod
  • worker-argocd-prod
  • worker-headlamp-nonprod
  • worker-headlamp-prod

Make a list of Opstella Workers and append to your Global Shell Variables for easier iteration while performing installation.

cat <<EOF >> $HOME/opstella-installation/shell-values/global.vars.sh
export OPSTELLA_ENABLED_INSTRUMENTS=( \
keycloak kubernetes \
argocd-nonprod argocd-prod \
headlamp-nonprod headlamp-prod \
defectdojo gitlab harbor sonarqube vault \
grafana loki tempo \
)
EOF

Note that a Worker Name usually pairs exactly with the name of its tool, but some do not, due to the Opstella architecture.

  • For instance, there is NO worker-mimir but this can be integrated with LGTM (Loki, Grafana Dashboard, Tempo, Mimir) without issue.

Request GCP Access Token from Opstella Team


Before gathering software resources, you need to request a GCP Access Token from the Opstella Team.

This token provides authenticated access to the Google Cloud Artifact Registry where Opstella’s container images and Helm charts are hosted. You will receive the token in a JSON format.

Example Token JSON Structure:

{
"type": "service_account",
"client_id": "...",
"private_key": "...",
"universe_domain": "googleapis.com",
...
}

Save this token securely as you will need it during the installation process.

Pull directly from Release Channel Registry

💡 Before proceeding, make sure you are connected to the Bastion Host by whatever means is available, e.g. SSH, Privileged Access Management Console, etc.

asia-southeast1-docker.pkg.dev/opstella/platform/<opstella-component>:<version>

  • <opstella-component> is the name of the Opstella Services Component
  • <version> is the version of the Opstella Services Component; the version you receive may differ from the one shown in this guide.

Opstella Components:

  • Opstella UI (Frontend): asia-southeast1-docker.pkg.dev/opstella/platform/ui:<version>

  • Opstella Core (Backend): asia-southeast1-docker.pkg.dev/opstella/platform/core:<version>

  • Opstella Clear Session Utility: asia-southeast1-docker.pkg.dev/opstella/platform/clear-session:<version>

  • All Opstella Workers: asia-southeast1-docker.pkg.dev/opstella/platform/worker-XYZ:<version>

Opstella Workers are represented as worker-XYZ, where XYZ is the name of the component that Opstella integrates with, for example,

  • Opstella Workers for Kubernetes: asia-southeast1-docker.pkg.dev/opstella/platform/worker-kubernetes:<version>
  • Opstella Workers for ArgoCD: asia-southeast1-docker.pkg.dev/opstella/platform/worker-argocd:<version>
  • Opstella Workers for Harbor: asia-southeast1-docker.pkg.dev/opstella/platform/worker-harbor:<version>
  • etc.
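
One way to resolve each entry of OPSTELLA_ENABLED_INSTRUMENTS to the worker image it is deployed from, and to mirror those images without exposing the JSON key. This is an added example, not Opstella's own tooling: the destination registry, key path and version are placeholders, and the `_json_key` login assumes the JSON you received is a service account key, as in the sample structure above. It covers workers only, not the ui, core or clear-session images.

```bash
#!/usr/bin/env bash
# Added example (not Opstella tooling). POSIX sh syntax, so it also sources into bash.
SRC_REGISTRY="asia-southeast1-docker.pkg.dev/opstella/platform"  # from the page
MULTI_INSTANCE="argocd headlamp"   # workers that run once per cluster

# worker_image <instrument> <version>
# Resolve one OPSTELLA_ENABLED_INSTRUMENTS entry to its source image:
# argocd-nonprod and argocd-prod both deploy from worker-argocd.
worker_image() {
  wi_name=$1; wi_version=$2
  case $wi_name in ''|*[!a-z0-9-]*)
    echo "invalid instrument name: $wi_name" >&2; return 1 ;;
  esac
  case $wi_version in ''|*[!A-Za-z0-9._-]*)
    echo "invalid version: $wi_version" >&2; return 1 ;;
  esac
  for wi_base in $MULTI_INSTANCE; do
    case $wi_name in "$wi_base"-?*) wi_name=$wi_base ;; esac
  done
  printf '%s/worker-%s:%s\n' "$SRC_REGISTRY" "$wi_name" "$wi_version"
}

# image_list <version> <instrument>...: unique worker images to mirror.
image_list() {
  il_version=$1; shift; il_out=
  for il_inst in "$@"; do
    il_ref=$(worker_image "$il_inst" "$il_version") || return 1
    il_out="$il_out$il_ref
"
  done
  printf '%s' "$il_out" | sort -u
}

# registry_login <key.json>: restrict the key file to its owner and feed it on
# stdin, so the private key never appears in argv, shell history or ps output.
registry_login() {
  chmod 600 "$1" || return 1
  grep -q '"type": *"service_account"' "$1" ||
    { echo "$1 is not a service account key" >&2; return 1; }
  docker login -u _json_key --password-stdin "https://${SRC_REGISTRY%%/*}" < "$1"
}

# mirror <dest-registry> <version> <instrument>...: pull, retag, push each image.
mirror() {
  mi_dest=$1; mi_version=$2; shift 2
  mi_refs=$(image_list "$mi_version" "$@") || return 1
  for mi_src in $mi_refs; do
    mi_dst="$mi_dest/${mi_src##*/}"
    docker pull "$mi_src" && docker tag "$mi_src" "$mi_dst" &&
      docker push "$mi_dst" || return 1
  done
}
```

In bash, after sourcing global.vars.sh, call `registry_login /path/to/key.json` and then `mirror registry.example.internal/opstella "<version>" "${OPSTELLA_ENABLED_INSTRUMENTS[@]}"`, where the registry host and key path are placeholders.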

Pull directly from Release Channel Registry and save to $HOME/opstella-installation/helm-charts/opstella-system.tar.gz

Gather Opstella Standard GitLab CI/CD Pipelines

Visit the Opstella Standard GitLab CI/CD Pipelines repository on git.opsta.io.

You will clone the repository to your own GitLab Instance, which will be provisioned.

You will follow the instructions in GitLab with Opstella Integration under Opstella Resources Installation.

Instructions will be guided on TODO

Visit the Opstella Project Templates project group on git.opsta.io.

You will clone the repositories to your own GitLab Instance, which will be provisioned.

You will follow the instructions in GitLab with Opstella Integration under Opstella Resources Installation.

Instructions will be guided on TODO

Finished?

Use the below navigation to proceed