DevSecOps Installation Overview

DevSecOps System that you need to provision and integrate with Opstella which are

1. GitLab: A source code version control and CI/CD.

2. ArgoCD: A declarative, GitOps continuous delivery tool for Kubernetes applications.

3. Harbor: A cloud-native container registry that secures and manages container images.

4. Headlamp: A user-friendly web-based GUI for managing Kubernetes clusters.

5. HashiCorp Vault: Securely manages secrets, credentials, and access to sensitive data.

6. SonarQube: Analyzes code quality and security to detect bugs, vulnerabilities, and code smells.

7. DefectDojo: A tool to centralize and manage application security vulnerabilities.

Prerequisites

Kubernetes Cluster

Entire DevSecOps Solution or Tools that will be installed and served to users and integrate with Opstella, called DevSecOps System.

Various Supported DevSecOps Solution or Tools that act as Server Services will be installed on

• 🟢 Management Kubernetes Cluster.

Where Various Supported DevSecOps Solution or Tools that act as Agent Services are span across Workload Kubernetes Cluster(s) which are

• 🟦 Non-Production Workload
• 🟥 Production Workload

Provisioning Summary

Once finished everything, these are systems that up and running.

* Not Including any of application dependencies.

No.	Tool	Description	Agent Service	Kubernetes Namespace	Kubernetes Cluster
1.	DefectDojo	Centralised Vulnerability Management	❌	devsecops-system	🟢 Management
2.	SonarQube	Static Application Security Testing (SAST)	❌	devsecops-system	🟢 Management
3.	Vault	Centralised Secret Management	❌	devsecops-system	🟢 Management
4.	ArgoCD	GitOps & Deployment Management	✅	devsecops-system	🟦 Non-Production Workload 🟥 Production Workload
5.	Headlamp	Kubernetes Operations/Dashboard	✅	devsecops-system	🟦 Non-Production Workload 🟥 Production Workload
6.	External Secret Operator	Secret Syncing from Vault to Kubernetes Cluster Utility	✅	devsecops-system	🟦 Non-Production Workload 🟥 Production Workload
7.	Reloader	Secret Re-injection into Pods Utility	✅	devsecops-system	🟦 Non-Production Workload 🟥 Production Workload

Complete Prerequisites

Create Namespace across Kubernetes Clusters

🟢 Management Kubernetes Cluster

1. Connect to 🟢 Management Kubernetes Cluster ; i.e w/ Kubeconfig File

   Set Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   source $HOME/opstella-installation/shell-values/kubernetes/management_cluster.vars.sh

   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"

2. Create Kubernetes Namespace devsecops-system

   2.1 Create Kubernetes Namespace

   kubectl create namespace devsecops-system

   2.1 Add Label for devsecops-system namespace for PSA Exception

   AS OF SEP 2024: DefectDojo is not yet fully compliant to PSA restricted profile, and require to make an exception

   kubectl label namespace/devsecops-system pod-security.kubernetes.io/enforce=baseline
   kubectl label namespace/devsecops-system pod-security.kubernetes.io/enforce-version=latest

---

🟦 Non-Production Workload Kubernetes Cluster

1. Connect to 🟦 Non-Production Workload Kubernetes Cluster ; i.e w/ Kubeconfig File

   1.1 Set Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   source $HOME/opstella-installation/shell-values/kubernetes/nonprod_cluster.vars.sh

   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/nonprod_cluster.yaml"

2. Create Kubernetes Namespace devsecops-system

   kubectl create namespace devsecops-system

🟥 Production Workload Kubernetes Cluster

1. Connect to 🟥 Production Workload Kubernetes Cluster ; i.e w/ Kubeconfig File

   1.1 Set Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   source $HOME/opstella-installation/shell-values/kubernetes/prod_cluster.vars.sh

   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/prod_cluster.yaml"

2. Create Kubernetes Namespace devsecops-system

   kubectl create namespace devsecops-system