Opstella Installation Overview
Opstella will be installed on the 🟢 Management Kubernetes Cluster.
Certain services will be installed across Kubernetes Clusters:
- 🟢 Management Kubernetes Cluster
- 🟦 Non-Production Workload Kubernetes Cluster
- 🟥 Production Workload Kubernetes Cluster
Application Dependencies
- 📦 PostgreSQL: SQL Database
- 📦 Redis: Pub/Sub Service and In-Memory Cache
- 📦 Dapr: Microservices Backing Service
Prerequisites
- 🔑 Google Service Account Key (JSON)
  - Download the JSON key file provided by Opstella Support.
  - This key will be used to authenticate with Google Artifact Registry.
- 🔑 Pull Credentials from Registry (Harbor, For Air-Gapped Environment).
Summary
Opstella is composed of multiple services, which are summarised in the following table:
| No. | Tool | Description | Kubernetes Namespace | Kubernetes Cluster |
|---|---|---|---|---|
| 1. | PostgreSQL | Database Service | opstella-system | 🟢 Management |
| 2. | Redis | Pub/Sub Service and In-Memory Cache | opstella-system | 🟢 Management |
| 3. | Dapr | Opstella Platform Microservices Backing Service | dapr-system | 🟢 Management |
| 4. | Dapr Configuration | Configuration for Opstella Platform | opstella-system | 🟢 Management |
| 5. | Opstella UI | Frontend Service | opstella-system | 🟢 Management |
| 6. | Opstella Core | Backend Service | opstella-system | 🟢 Management |
| 7. | Opstella Clear Session | Microservice - Clear User Session with Single Sign-On Process | opstella-system | 🟢 Management, 🟦 Non-Production Workload, 🟥 Production Workload |
| 8. | Opstella Worker-GitLab | Microservice - GitLab Management | opstella-system | 🟢 Management |
| 9. | Opstella Worker-Grafana | Microservice - Grafana Management | opstella-system | 🟢 Management |
| 10. | Opstella Worker-Harbor | Microservice - Harbor Management | opstella-system | 🟢 Management |
| 11. | Opstella Worker-Kubernetes | Microservice - Kubernetes Management | opstella-system | 🟢 Management |
| 12. | Opstella Worker-Keycloak | Microservice - Keycloak Management | opstella-system | 🟢 Management |
| 13. | Opstella Worker-Sonarqube | Microservice - Sonarqube Management | opstella-system | 🟢 Management |
| 14. | Opstella Worker-Vault | Microservice - Vault Management | opstella-system | 🟢 Management |
| 15. | Opstella Worker-ArgoCD | Microservice - ArgoCD Management | opstella-system | 🟢 Management |
| 16. | Opstella Worker-DefectDojo | Microservice - DefectDojo Management | opstella-system | 🟢 Management |
| 17. | Opstella Worker-Headlamp | Microservice - Headlamp Management | opstella-system | 🟢 Management |
| 18. | New Opstella Kubernetes Integration (ok8s-integration) | Opstella Kubernetes Integration System | opstella-system | 🟢 Management |
Preparation
Create Namespace across Kubernetes Clusters
🟢 Management Kubernetes Cluster
1. Connect to 🟢 Management Kubernetes Cluster; i.e. w/ Kubeconfig File

   Set Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   ```bash
   source "$HOME/opstella-installation/shell-values/kubernetes/management_cluster.vars.sh"
   ```

   ```bash
   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"
   ```

2. Create Kubernetes Namespace `dapr-system`

   2.1 Create Kubernetes Namespace

   ```bash
   kubectl create namespace dapr-system
   ```

   2.2 Add Label for `dapr-system` namespace for PSA Exception

   AS OF SEP 2024: Dapr is not yet fully compliant with the PSA `restricted` profile and requires an exception.

   ```bash
   kubectl label namespace/dapr-system pod-security.kubernetes.io/enforce=baseline
   kubectl label namespace/dapr-system pod-security.kubernetes.io/enforce-version=latest
   ```

3. Create Kubernetes Namespace `opstella-system`

   ```bash
   kubectl create namespace opstella-system
   ```

4. Create Kubernetes Namespace `opstella-shared-runner`

   4.1 Create Kubernetes Namespace

   ```bash
   kubectl create namespace opstella-shared-runner
   ```

   4.2 Add Label for `opstella-shared-runner` namespace for PSA Exception

   ```bash
   kubectl label namespace/opstella-shared-runner pod-security.kubernetes.io/enforce=privileged
   kubectl label namespace/opstella-shared-runner pod-security.kubernetes.io/enforce-version=latest
   ```

5. Create a Kubernetes Secret for the TLS Certificate in Namespace `opstella-system` before you proceed (if you have not done so already).
🟢 Management Kubernetes Cluster
1. Connect to 🟢 Management Kubernetes Cluster; i.e. w/ Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   ```bash
   source "$HOME/opstella-installation/shell-values/kubernetes/management_cluster.vars.sh"
   ```

   ```bash
   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"
   ```

2. Create Kubernetes Namespace `opstella-system`

   ```bash
   kubectl create namespace opstella-system
   ```
🟦 Non-Production Workload Kubernetes Cluster
1. Connect to 🟦 Non-Production Workload Kubernetes Cluster; i.e. w/ Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   ```bash
   source "$HOME/opstella-installation/shell-values/kubernetes/nonprod_cluster.vars.sh"
   ```

   ```bash
   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/nonprod_cluster.yaml"
   ```

2. Create Kubernetes Namespace `opstella-system`

   ```bash
   kubectl create namespace opstella-system
   ```
🟥 Production Workload Kubernetes Cluster
1. Connect to 🟥 Production Workload Kubernetes Cluster; i.e. w/ Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   ```bash
   source "$HOME/opstella-installation/shell-values/kubernetes/prod_cluster.vars.sh"
   ```

   ```bash
   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/prod_cluster.yaml"
   ```

2. Create Kubernetes Namespace `opstella-system`

   ```bash
   kubectl create namespace opstella-system
   ```
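
The steps above relax Pod Security Admission for `dapr-system` (baseline) and `opstella-shared-runner` (privileged). As an added example (not part of the Opstella documentation), the script below checks `enforce` labels against exactly those two exceptions. It assumes every other namespace is meant to be `restricted`; `expected_level`, `audit_psa` and the sample namespace `sandbox-tools` are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example: audit PSA enforce labels against the exceptions in this guide.

# Exceptions created above; everything else is assumed to be "restricted".
expected_level() {
  case "$1" in
    dapr-system)            echo baseline ;;
    opstella-shared-runner) echo privileged ;;
    *)                      echo restricted ;;
  esac
}

# Reads "NAMESPACE LEVEL" lines on stdin, prints "<namespace> <status>".
audit_psa() {
  local ns level want
  while read -r ns level; do
    case "$ns" in ''|NAMESPACE) continue ;; esac   # skip blanks and header
    want=$(expected_level "$ns")
    if [ -z "$level" ] || [ "$level" = "<none>" ]; then
      echo "$ns unlabeled"      # cluster-wide admission default applies
    elif [ "$level" = "$want" ]; then
      echo "$ns ok"
    else
      echo "$ns drift(want=$want,got=$level)"
    fi
  done
}

# Constructed sample input in the shape of:
#   kubectl get namespaces -o custom-columns=\
#   'NAMESPACE:.metadata.name,LEVEL:.metadata.labels.pod-security\.kubernetes\.io/enforce'
sample_namespaces() {
  cat <<'EOF'
NAMESPACE LEVEL
dapr-system baseline
opstella-system <none>
opstella-shared-runner privileged
sandbox-tools privileged
EOF
}

sample_namespaces | audit_psa
```

An `unlabeled` result means the namespace falls back to whatever the cluster's admission configuration sets as its default level.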
Create Image Pull Secret for Pulling Opstella Container Images across Kubernetes Cluster (For online installation)
1. Store Pull Credentials as Kubernetes Secret

   Set the environment variables for your registry location and key file path.

   ```bash
   export ARTIFACT_REGISTRY_DOMAIN="asia-southeast1-docker.pkg.dev"
   ## The path to the JSON key file you downloaded
   export GCP_CREDENTIALS="./path/to/your-service-account-key.json"
   ```

   Create Kubernetes Secret

   You will be creating a Kubernetes Secret named `registry-secret` in the `opstella-system` namespace.

   ```bash
   # Create the secret using the JSON file content as the password
   kubectl create secret docker-registry registry-secret -n opstella-system \
     --docker-server="${ARTIFACT_REGISTRY_DOMAIN}" \
     --docker-username=_json_key \
     --docker-password="$(cat "${GCP_CREDENTIALS}")"
   ```
Create Image Pull Secret for Pulling Opstella Container Images across Kubernetes Cluster (For Air-gapped installation)
1. Store Pull Credentials as Kubernetes Secret

   Ensure `HARBOR_DOMAIN` is defined as per the Shell Variables guide.

   ```bash
   ## For security reasons turn off bash history momentarily
   set +o history
   export REGISTRY_USERNAME='robot$opstella-deploy'
   export REGISTRY_PASSWORD="CHANGEME"
   ```

   Create Kubernetes Secret

   You will be creating a Kubernetes Secret named `registry-secret`.

   ```bash
   # Create the docker-registry Secret (stored as .dockerconfigjson)
   kubectl create secret docker-registry registry-secret -n opstella-system \
     --docker-server="${HARBOR_DOMAIN}" \
     --docker-username="${REGISTRY_USERNAME}" \
     --docker-password="${REGISTRY_PASSWORD}"
   set -o history
   ```
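
Both pull-secret procedures above (online and air-gapped) pass the credential to `kubectl` as a command-line argument. As an added example (not part of the Opstella documentation), the script below builds the same `kubernetes.io/dockerconfigjson` payload from a password read on stdin and loads it from a temporary file; `build_dockerconfig`, `apply_pull_secret`, `demo`, `harbor.example.internal` and the token value are hypothetical names and constructed values.

```shell
#!/usr/bin/env bash
# Added example: build the pull-secret payload without putting the
# registry password on kubectl's command line.

# build_dockerconfig SERVER USERNAME   (password is read from stdin)
# Emits {"auths":{SERVER:{"auth":base64(USERNAME:PASSWORD)}}}.
build_dockerconfig() {
  local server user pass auth
  server=$1
  user=$2
  pass=$(cat)     # whole stdin, so a multi-line JSON key works too
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$server" "$auth"
}

# apply_pull_secret SERVER USERNAME   (password on stdin; needs a cluster)
apply_pull_secret() {
  local cfg rc
  rc=0
  cfg=$(mktemp) || return 1            # mktemp creates the file with mode 0600
  build_dockerconfig "$1" "$2" > "$cfg"
  kubectl create secret generic registry-secret -n opstella-system \
    --type=kubernetes.io/dockerconfigjson \
    --from-file=.dockerconfigjson="$cfg" || rc=$?
  rm -f "$cfg"                         # remove the payload even if kubectl failed
  return "$rc"
}

# Constructed sample values, not real credentials or hosts.
demo() {
  printf '%s' 'constructed-robot-token' |
    build_dockerconfig 'harbor.example.internal' 'robot$opstella-deploy'
}

demo
```

For the online installation the equivalent call is `apply_pull_secret "$ARTIFACT_REGISTRY_DOMAIN" _json_key < "$GCP_CREDENTIALS"`.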