# Reference Architecture

## Standalone Architecture

### Use Cases

- Proof of concept for a whole Opstella and DevSecOps platform.
- Testing or staging platform environment.
### Specification

The virtual machines listed below must be created with the following specifications.
#### Compute and Storage

| Component | Number of Nodes | CPU (Core) | Memory (GB) | Disk (GB) |
|---|---|---|---|---|
| Virtual Machines | | | | |
| Bastion Host | 1 | 1 | 2 | 20 |
| HAProxy | 1 | 1 | 2 | 20 |
| NFS Share | 1 | 1 | 2 | 100 |
| GitLab | 1 | 2 | 4 | 40 |
| Kubernetes Cluster | | | | |
| Kubernetes Master Nodes | 1 | 2 | 4 | 40 |
| Kubernetes Worker Nodes | 5 | 4 | 10 | 40 |
| Total | 10 | 27 | 64 | 460 |
#### Network Subnets

| Type | Subnet IP |
|---|---|
| Kubernetes Cluster and Related Virtual Machines Subnet | 192.168.72.0/24 |
| Pod Subnet for each Kubernetes cluster | 172.16.72.0/22 |
| Service Subnet for each Kubernetes cluster | 172.16.76.0/22 |
### Domain Names

You must provide your own domain names and SSL certificates. This reference architecture uses *.devops.example.com as the example domain. The following domains are assigned to the DevSecOps tools and to Opstella.

| Service Name | Ingress Domain |
|---|---|
| Opstella | |
| Opstella UI | opstella.devops.example.com |
| Opstella Core | opstella-backend.devops.example.com |
| Opstella Clear Session | opstella-clear-session.devops.example.com |
| Keycloak | opstella-idp.devops.example.com |
| DevOps Tools | |
| ArgoCD | argocd.devops.example.com |
| GitLab | gitlab.devops.example.com |
| Headlamp | headlamp.devops.example.com |
| Harbor | harbor.devops.example.com |
| DevSecOps Tools | |
| SonarQube | sonarqube.devops.example.com |
| Vault | vault.devops.example.com |
| DefectDojo | defectdojo.devops.example.com |
| Observability Tools | |
| Grafana Dashboard | grafana.devops.example.com |
| Grafana Mimir | mimir.devops.example.com |
| Grafana Loki | loki.devops.example.com |
| Grafana Tempo | tempo.devops.example.com |
| Common Services | |
| MinIO | minio.devops.example.com |
| MinIO API | minio-api.devops.example.com |
### Ingress

### Firewall

| Policy | Protocol | Direction | Port | Source | Description |
|---|---|---|---|---|---|
| Kubernetes Master Nodes | | | | | |
| Allow | TCP | Inbound | 6443 | Any | Kubernetes API |
| Allow | TCP | Inbound | 6443 | HAProxy | Kubernetes API |
| Allow | TCP | Inbound | 6443 | RKE2 Worker Nodes | Kubernetes API |
| Allow | TCP | Inbound | 9345 | RKE2 Master Nodes | RKE2 Supervisor API |
| Allow | TCP | Inbound | 9345 | RKE2 Worker Nodes | RKE2 Supervisor API |
| Allow | TCP | Inbound | 2379 | RKE2 Master Nodes | etcd Client Port |
| Allow | TCP | Inbound | 2380 | RKE2 Master Nodes | etcd Peer Port |
| Allow | TCP | Inbound | 2381 | RKE2 Master Nodes | etcd Metrics Port |
| Kubernetes Worker Nodes | | | | | |
| Allow | TCP | Inbound | 30080, 30443 | HAProxy | NodePort Ingress Service |
| Kubernetes Master & Worker Nodes | | | | | |
| Allow | TCP | Inbound | 10250 | Any | kubelet Metrics |
| Allow | TCP | Inbound | 179 | All RKE2 Nodes | Calico CNI with BGP |
| Allow | UDP | Inbound | 4789 | All RKE2 Nodes | Calico CNI with VXLAN |
| Allow | TCP | Inbound | 5473 | All RKE2 Nodes | Calico CNI with BGP |
| Allow | TCP | Inbound | 9098 | All RKE2 Nodes | Calico Typha health checks |
| Allow | TCP | Inbound | 9099 | All RKE2 Nodes | Calico health checks |
| GitLab | | | | | |
| Allow | TCP | Inbound | 80, 443 | Any | Web Services |
| Allow | TCP | Inbound | 22 | Any | Git SSH |
| Allow | TCP | Inbound | 9090 | Any | GitLab Prometheus Metrics |
| NFS | | | | | |
| Allow | TCP/UDP | Inbound | 2049 | RKE2 Worker Nodes | NFSd |
| Allow | TCP/UDP | Inbound | 111 | RKE2 Worker Nodes | PortMapper |
| Allow | TCP/UDP | Inbound | 33333 | RKE2 Worker Nodes | MountD |
| HAProxy | | | | | |
| Allow | TCP | Inbound | 80, 443 | Any | HTTP/HTTPS Inbound |
## Multi-Cluster Architecture

### Use Cases

- Scalable deployments for production environments.
### Specification

The virtual machines listed below must be created with the following specifications.
#### Compute and Storage

| Component | Number of Nodes | CPU (Core) | Memory (GB) | Disk (GB) |
|---|---|---|---|---|
| Virtual Machines | | | | |
| Bastion Host | 1 | 1 | 2 | 20 |
| HAProxy | 3 | 1 | 2 | 20 |
| NFS Share | 3 | 1 | 2 | 100 |
| GitLab | 1 | 2 | 4 | 40 |
| Management Kubernetes Cluster | | | | |
| Kubernetes Master Nodes | 3 | 2 | 4 | 40 |
| Kubernetes Worker Nodes | 5 | 4 | 10 | 40 |
| Total | 10 | 27 | 64 | 460 |
| Non-Production Kubernetes Cluster | | | | |
| Kubernetes Master Nodes | 3 | 2 | 4 | 40 |
| Kubernetes Worker Nodes | 5 | 4 | 10 | 40 |
| Production Kubernetes Cluster | | | | |
| Kubernetes Master Nodes | 3 | 2 | 4 | 40 |
| Kubernetes Worker Nodes | 5 | 4 | 10 | 40 |
| Total | 10 | 27 | 64 | 460 |
#### Network Subnets

| Type | Subnet IP |
|---|---|
| Kubernetes DevSecOps Cluster and Related Virtual Machines Subnet | 192.168.72.0/24 |
| Kubernetes Observability Cluster and Related Virtual Machines Subnet | 192.168.73.0/24 |
| Kubernetes Non-Production Workload Cluster and Related Virtual Machines Subnet | 192.168.74.0/24 |
| Kubernetes Production Workload Cluster and Related Virtual Machines Subnet | 192.168.75.0/24 |
| Pod Subnet for each Kubernetes cluster | 172.16.72.0/22 |
| Service Subnet for each Kubernetes cluster | 172.16.76.0/22 |
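Both subnet tables on this page (standalone and multi-cluster) give each cluster its own node subnet while reusing one pod range and one service range everywhere. Before provisioning, that plan should be checked mechanically rather than by eye. The following Python is an added example, not part of this reference architecture or of Opstella: it loads the CIDRs from the tables above, confirms that node, pod and service ranges are pairwise disjoint, and reports how many IPAM blocks the pod range yields. The cluster labels are chosen here, and the /26 block size is an assumed Calico default rather than a value from this page.

```python
import ipaddress
from itertools import combinations

# Constructed from the subnet tables on this page (multi-cluster plan).
NODE_SUBNETS = {
    "devsecops-cluster": "192.168.72.0/24",
    "observability-cluster": "192.168.73.0/24",
    "nonprod-workload-cluster": "192.168.74.0/24",
    "prod-workload-cluster": "192.168.75.0/24",
}
POD_SUBNET = "172.16.72.0/22"      # reused by every cluster on this page
SERVICE_SUBNET = "172.16.76.0/22"  # reused by every cluster on this page

# Assumed IPAM block size (/26 is Calico's default); adjust for your CNI settings.
ASSUMED_IPAM_BLOCK_PREFIX = 26


def find_overlaps(named_cidrs):
    """Return sorted (name, name) pairs whose CIDRs share at least one address."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in named_cidrs.items()}
    return [
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    ]


def check_plan(node_subnets, pod_cidr, svc_cidr):
    """Check a cluster IP plan the way a reviewer would before provisioning.

    - node, pod and service ranges must be pairwise disjoint, otherwise CNI and
      kube-proxy routes collide with real hosts on the VLAN;
    - report the pod range capacity and the number of IPAM blocks it yields,
      which bounds how many nodes the cluster can hold.
    """
    everything = dict(node_subnets)
    everything["pod-network"] = pod_cidr
    everything["service-network"] = svc_cidr
    pod = ipaddress.ip_network(pod_cidr, strict=True)
    svc = ipaddress.ip_network(svc_cidr, strict=True)
    return {
        "overlaps": find_overlaps(everything),
        "pod_addresses": pod.num_addresses,
        "service_addresses": svc.num_addresses,
        "pod_ipam_blocks": len(list(pod.subnets(new_prefix=ASSUMED_IPAM_BLOCK_PREFIX))),
    }


if __name__ == "__main__":
    print("plan on this page:", check_plan(NODE_SUBNETS, POD_SUBNET, SERVICE_SUBNET))
    # A deliberately bad plan: a pod range carved out of the node VLAN space.
    bad = check_plan(NODE_SUBNETS, "192.168.72.0/22", SERVICE_SUBNET)
    print("bad plan overlaps:", bad["overlaps"])
```

The page's plan passes with no overlaps; the deliberately bad run, with 192.168.72.0/22 as the pod range, reports a collision with all four node subnets. Because the same pod CIDR is reused by every cluster, pods in different clusters cannot be addressed directly by pod IP; cross-cluster traffic has to enter through a published service such as the NodePort ingress listed in the firewall tables.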
### Ingress

### Domain Names

You must provide your own domain names and SSL certificates. This reference architecture uses *.devops.example.com as the example domain. The following domains are assigned to the DevSecOps tools and to Opstella.

| Service Name | Ingress Domain |
|---|---|
| Opstella | |
| Opstella UI | opstella.devops.example.com |
| Opstella Core | opstella-backend.devops.example.com |
| Opstella Clear Session | opstella-clear-session.devops.example.com |
| Keycloak | opstella-idp.devops.example.com |
| DevOps Tools | |
| ArgoCD (DEV) | argocd-dev.devops.example.com |
| ArgoCD (PRD) | argocd-prd.devops.example.com |
| DefectDojo | defectdojo.devops.example.com |
| GitLab | gitlab.devops.example.com |
| Headlamp | headlamp.devops.example.com |
| Harbor | harbor.devops.example.com |
| DevSecOps Tools | |
| SonarQube | sonarqube.devops.example.com |
| Vault | vault.devops.example.com |
| Observability Tools | |
| Loki | loki.devops.example.com |
| Grafana Dashboard | grafana.devops.example.com |
| Tempo | tempo.devops.example.com |
| Mimir | mimir.devops.example.com |
| Common Services | |
| MinIO (DevSecOps) | minio-dso.devops.example.com |
| MinIO API (DevSecOps) | minio-dso-api.devops.example.com |
| MinIO (Observability) | minio-obs.devops.example.com |
| MinIO API (Observability) | minio-obs-api.devops.example.com |
### Firewall

| Policy | Protocol | Direction | Port | Source | Description |
|---|---|---|---|---|---|
| Kubernetes Master Nodes | |||||
| Allow | TCP | Inbound | 6443 | HAProxy | Kubernetes API |
| Allow | TCP | Inbound | 6443 | RKE2 Worker Nodes | Kubernetes API |
| Allow | TCP | Inbound | 9345 | RKE2 Master Nodes | RKE2 Supervisor API |
| Allow | TCP | Inbound | 9345 | RKE2 Worker Nodes | RKE2 Supervisor API |
| Allow | TCP | Inbound | 2379 | RKE2 Master Nodes | etcd Client Port |
| Allow | TCP | Inbound | 2380 | RKE2 Master Nodes | etcd Peer Port |
| Allow | TCP | Inbound | 2381 | RKE2 Master Nodes | etcd Metrics Port |
| Kubernetes Worker Nodes | |||||
| Allow | TCP | Inbound | 30080, 30443 | HAProxy | NodePort Ingress Service |
| Kubernetes Master & Worker Nodes | |||||
| Allow | TCP | Inbound | 10250 | Any | kubelet Metrics |
| Allow | TCP | Inbound | 179 | All RKE2 Nodes | Calico CNI with BGP |
| Allow | TCP | Inbound | 4789 | All RKE2 Nodes | Calico CNI with VXLAN |
| Allow | TCP | Inbound | 5473 | All RKE2 Nodes | Calico CNI with Typha |
| Allow | TCP | Inbound | 9098 | All RKE2 Nodes | Calico Typha health checks |
| Allow | TCP | Inbound | 9099 | All RKE2 Nodes | Calico health checks |
| GitLab | |||||
| Allow | TCP | Inbound | 80, 443 | Any | Web Service |
| Allow | TCP | Inbound | 22 | Any | SSH |
| Allow | TCP | Inbound | 9090 | Any | GitLab Prometheus Metrics |
| NFS | |||||
| Allow | TCP | Inbound | 2049 | RKE2 Worker Nodes | NFSd |
| Allow | TCP | Inbound | 111 | RKE2 Worker Nodes | PortMapper |
| Allow | TCP | Inbound | 33333 | RKE2 Worker Nodes | MountD |
| HAProxy | |||||
| Allow | TCP | Inbound | 80, 443 | Any | HTTP/HTTPS Inbound |
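The two firewall tables on this page (standalone and multi-cluster) are the kind of artifact worth auditing mechanically: a few rows open control-plane ports to Any, and in the extracted tables some rows have lost their Protocol cell so the columns are shifted. The following Python is an added example, not part of this reference architecture or of Opstella. It parses rows in the page's markdown table format, flags Allow rules that expose control-plane ports to Any, flags rows whose Protocol cell is not TCP, UDP or TCP/UDP, and reports narrower rules that an Any rule on the same port makes redundant. The sample table is constructed from rows of this page, and the set of ports treated as control-plane is this example's choice.

```python
import re

# Constructed sample: rows in the shape of this page's firewall tables, including
# one row whose Protocol cell is missing so its columns are shifted left.
SAMPLE_TABLE = """
| Policy | Protocol | Direction | Port | Source | Description |
|---|---|---|---|---|---|
| Kubernetes Master Nodes | |||||
| Allow | TCP | Inbound | 6443 | Any | Kubernetes API |
| Allow | TCP | Inbound | 6443 | HAProxy | Kubernetes API |
| Allow | Inbound | 9345 | RKE2 Worker Nodes | RKE2 Supervisor API | |
| Kubernetes Master & Worker Nodes | |||||
| Allow | TCP | Inbound | 10250 | Any | kubelet Metrics |
| Kubernetes Worker Nodes | |||||
| Allow | TCP | Inbound | 30080;30443 | HAProxy | NodePort Ingress Service |
| GitLab | |||||
| Allow | TCP | Inbound | 80, 443 | Any | Web Services |
"""

KNOWN_PROTOCOLS = {"TCP", "UDP", "TCP/UDP"}
# Ports that should be reachable only from the load balancer or other cluster nodes
# (this example's choice; the page itself lists them under the master/worker sections).
CONTROL_PLANE_PORTS = {6443, 9345, 2379, 2380, 2381, 10250}


def parse_rules(table):
    """Parse markdown rows into rule dicts; skip header, separator and section rows."""
    rules = []
    for line in table.strip().splitlines():
        raw = line.strip()
        cells = [c.strip() for c in raw.strip("|").split("|")]
        if len(cells) != 6 or cells[0] not in ("Allow", "Deny"):
            continue  # header, separator or a section row such as "| GitLab | |||||"
        policy, protocol, direction, ports, source, description = cells
        # Split the port list only for well-formed rows; the page writes both
        # "80, 443" and "30080;30443".
        port_list = []
        if protocol in KNOWN_PROTOCOLS:
            port_list = [int(p) for p in re.split(r"[;,\s]+", ports) if p]
        rules.append({
            "policy": policy, "protocol": protocol, "direction": direction,
            "ports": port_list, "source": source, "description": description, "raw": raw,
        })
    return rules


def shadowed_rules(rules):
    """Rules with a specific source that an Any rule on the same protocol/port already covers."""
    any_ports = {(r["protocol"], p) for r in rules if r["source"] == "Any" for p in r["ports"]}
    return [
        r for r in rules
        if r["source"] != "Any" and any((r["protocol"], p) in any_ports for p in r["ports"])
    ]


def audit(table):
    """Return (finding, raw_row) pairs a reviewer should question."""
    rules = parse_rules(table)
    findings = []
    for rule in rules:
        if rule["protocol"] not in KNOWN_PROTOCOLS:
            findings.append(("malformed-row", rule["raw"]))
            continue
        exposed = [p for p in rule["ports"] if p in CONTROL_PLANE_PORTS]
        if rule["policy"] == "Allow" and rule["source"] == "Any" and exposed:
            findings.append(("control-plane-port-open-to-any", rule["raw"]))
    for rule in shadowed_rules(rules):
        findings.append(("shadowed-by-any-rule", rule["raw"]))
    return findings


if __name__ == "__main__":
    for kind, row in audit(SAMPLE_TABLE):
        print(f"{kind:32s} {row}")
```

Run against the sample, the audit reports the 6443 and 10250 rules that accept Any, the shifted 9345 row, and the 6443 HAProxy rule that the Any rule makes redundant; the GitLab 80/443 rule is left alone because web ports are meant to be public here. Restricting 6443 to HAProxy and the worker nodes, and 10250 to the control plane and the monitoring stack, is the usual hardening step the table leaves to the reader.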