Opstella Clear Session Utility Installation

🟢 Management 🟦 Non-Production Workload 🟥 Production Workload

Opstella Clear Session Utility is a Service in Opstella that facilitate Single Sign-On operations.

Prerequisites

• 🛡️TLS Certificate for Opstella Clear Session Utility
  • Opstella Clear Session Utility will be exposed through Web with HTTPS.

Preparation

Kubernetes Cluster Preparation

🟢 Management Kubernetes Cluster

1. Connect to 🟢 Management Kubernetes Cluster ; i.e w/ Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   source $HOME/opstella-installation/shell-values/kubernetes/management_cluster.vars.sh

   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"

2. Prepare 🟢 Management Kubernetes Cluster Information

   Ensure K8S_INGRESSCLASS_NAME, K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME, BASE_DOMAIN, OPSTELLA_UI_DOMAIN are defined as per the Shell Variables guide.

🟦 Non-Production Workload Kubernetes Cluster

1. Connect to 🟦 Non-Production Workload Kubernetes Cluster ; i.e w/ Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   source $HOME/opstella-installation/shell-values/kubernetes/nonprod_cluster.vars.sh

   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/nonprod_cluster.yaml"

2. Prepare 🟦 Non-Production Workload Kubernetes Cluster Information

   Ensure K8S_INGRESSCLASS_NAME, K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME, BASE_DOMAIN, ARGOCD_DOMAIN, HEADLAMP_DOMAIN are defined as per the Shell Variables guide.

🟥 Production Workload Kubernetes Cluster

1. Connect to 🟥 Production Workload Kubernetes Cluster ; i.e w/ Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   source $HOME/opstella-installation/shell-values/kubernetes/prod_cluster.vars.sh

   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/prod_cluster.yaml"

2. Prepare 🟥 Production Workload Kubernetes Cluster Information

   Ensure K8S_INGRESSCLASS_NAME, K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME, BASE_DOMAIN, ARGOCD_DOMAIN, HEADLAMP_DOMAIN are defined as per the Shell Variables guide.

Opstella Platform Clear Session Utility Preparation

1. Prepare Helm Values Configurations for Common Configurations

   • image.repository, image.tag : Set your Opstella Platform Container Image Location, Version

     Online Installation

     export OPSTELLA_REGISTRY="asia-southeast1-docker.pkg.dev/opstella/platform/clear-session"

     Air-gapped / Local Registry

     Note

     Ensure HARBOR_DOMAIN is defined as per the Shell Variables guide.

     export OPSTELLA_REGISTRY="${HARBOR_DOMAIN}/opstella-platform/clear-session"

     export OPSTELLA_CLEAR_SESSION_VERSION="vX.Y.Z"

   • OPSTELLA_CLEAR_SESSION_ALLOWED_ORIGINS : Set your Domain for Opstella UI (Frontend)

   export OPSTELLA_UI_DOMAIN="opstella.${BASE_DOMAIN}"

   export OPSTELLA_CLEAR_SESSION_ALLOWED_ORIGINS="https://${OPSTELLA_UI_DOMAIN}"

2. Prepare Helm Values Configurations for 🟢 Management Kuberenetes Cluster

   Ensure K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME, K8S_INGRESSCLASS_NAME, GITLAB_DOMAIN, HARBOR_DOMAIN, SONARQUBE_DOMAIN, DEFECTDOJO_DOMAIN, VAULT_DOMAIN, OPSTELLA_UI_DOMAIN are defined as per the Shell Variables guide.

   2.1 Prepare Domains on 🟢 Management Kubernetes Cluster

   • OPSTELLA_CLEAR_SESSION_DOMAIN : Set your Domain for Opstella Platform Clear Session

   export OPSTELLA_CLEAR_SESSION_DOMAIN="clear-session.${BASE_DOMAIN}"

   2.3 Create Helm Values Configurations

   cat <<EOF > $HOME/opstella-installation/helm-values/opstella-clear-session-devsecops-full-values.yaml
   image:
     repository:  ${OPSTELLA_REGISTRY}
     tag: ${OPSTELLA_CLEAR_SESSION_VERSION}
     pullPolicy: Always
   
   nameOverride: opstella-clear-session
   fullnameOverride: opstella-clear-session
   
   imagePullSecrets:
     - name: registry-secret
   
   serviceAccount:
     name:
   
   ingress:
     enabled: true
     className: ${K8S_INGRESSCLASS_NAME}
     annotations:
       nginx.ingress.kubernetes.io/rewrite-target: /\$2
     hosts:
       - host: ${OPSTELLA_CLEAR_SESSION_DOMAIN}
         paths:
           - path: /
             pathType: ImplementationSpecific
       - host: ${OPSTELLA_UI_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
       - host: ${GITLAB_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
       - host: ${HARBOR_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
       - host: ${SONARQUBE_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
       - host: ${VAULT_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
       - host: ${DEFECTDOJO_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
     tls:
       - secretName: ${K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME}
         hosts:
           - ${OPSTELLA_CLEAR_SESSION_DOMAIN}
           - ${OPSTELLA_UI_DOMAIN}
           - ${GITLAB_DOMAIN}
           - ${HARBOR_DOMAIN}
           - ${SONARQUBE_DOMAIN}
           - ${VAULT_DOMAIN}
           - ${DEFECTDOJO_DOMAIN}
   
   containerPorts: 8000
   
   env:
     - name: URL_ORIGIN
       value: '[${OPSTELLA_CLEAR_SESSION_ALLOWED_ORIGINS}]'
   
   podSecurityContext:
     fsGroup: 1000
   
   securityContext:
     seccompProfile:
       type: RuntimeDefault
     capabilities:
       drop: ["ALL"]
     runAsNonRoot: true
     privileged: false
     allowPrivilegeEscalation: false
     runAsGroup: 1000
     runAsUser: 1000
   
   EOF

3. Prepare Helm Values Configurations for 🟢 Management Kuberenetes Cluster

   Ensure K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME, K8S_INGRESSCLASS_NAME, GRAFANA_DASHBOARD_DOMAIN are defined as per the Shell Variables guide.

   3.3 Create Helm Values Configurations

   cat <<EOF > $HOME/opstella-installation/helm-values/opstella-clear-session-observability-full-values.yaml
   image:
     repository:  ${OPSTELLA_REGISTRY}
     tag: ${OPSTELLA_CLEAR_SESSION_VERSION}
     pullPolicy: Always
   
   nameOverride: opstella-clear-session
   fullnameOverride: opstella-clear-session
   
   imagePullSecrets:
     - name: registry-secret
   
   serviceAccount:
     name:
   
   ingress:
     enabled: true
     className: ${K8S_INGRESSCLASS_NAME}
     annotations:
       nginx.ingress.kubernetes.io/rewrite-target: /\$2
     hosts:
       - host: ${GRAFANA_DASHBOARD_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
     tls:
       - secretName: ${K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME}
         hosts:
           - ${GRAFANA_DASHBOARD_DOMAIN}
   
   containerPorts: 8000
   
   env:
     - name: URL_ORIGIN
       value: '[${OPSTELLA_CLEAR_SESSION_ALLOWED_ORIGINS}]'
   
   podSecurityContext:
     fsGroup: 1000
   
   securityContext:
     seccompProfile:
       type: RuntimeDefault
     capabilities:
       drop: ["ALL"]
     runAsNonRoot: true
     privileged: false
     allowPrivilegeEscalation: false
     runAsGroup: 1000
     runAsUser: 1000
   
   EOF

4. Prepare Helm Values Configurations for 🟦 Non-Production Workload Kuberenetes Cluster

   Ensure K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME, K8S_INGRESSCLASS_NAME, ARGOCD_DOMAIN, HEADLAMP_DOMAIN are defined as per the Shell Variables guide.

   4.3 Create Helm Values Configurations

   cat <<EOF > $HOME/opstella-installation/helm-values/opstella-clear-session-nonprod-full-values.yaml
   image:
     repository:  ${OPSTELLA_REGISTRY}
     tag: ${OPSTELLA_CLEAR_SESSION_VERSION}
     pullPolicy: Always
   
   nameOverride: opstella-clear-session
   fullnameOverride: opstella-clear-session
   
   imagePullSecrets:
     - name: registry-secret
   
   serviceAccount:
     name:
   
   ingress:
     enabled: true
     className: ${K8S_INGRESSCLASS_NAME}
     annotations:
       nginx.ingress.kubernetes.io/rewrite-target: /\$2
     hosts:
       - host: ${ARGOCD_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
       - host: ${HEADLAMP_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
     tls:
       - secretName: ${K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME}
         hosts:
           - ${ARGOCD_DOMAIN}
           - ${HEADLAMP_DOMAIN}
   
   containerPorts: 8000
   
   env:
     - name: URL_ORIGIN
       value: '[${OPSTELLA_CLEAR_SESSION_ALLOWED_ORIGINS}]'
   
   podSecurityContext:
     fsGroup: 1000
   
   securityContext:
     seccompProfile:
       type: RuntimeDefault
     capabilities:
       drop: ["ALL"]
     runAsNonRoot: true
     privileged: false
     allowPrivilegeEscalation: false
     runAsGroup: 1000
     runAsUser: 1000
   
   EOF

5. Prepare Helm Values Configurations for 🟥 Production Workload Kuberenetes Cluster

   Ensure K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME, K8S_INGRESSCLASS_NAME, ARGOCD_DOMAIN, HEADLAMP_DOMAIN are defined as per the Shell Variables guide.

   5.3 Create Helm Values Configurations

   cat <<EOF > $HOME/opstella-installation/helm-values/opstella-clear-session-prod-full-values.yaml
   image:
     repository:  ${OPSTELLA_REGISTRY}
     tag: ${OPSTELLA_CLEAR_SESSION_VERSION}
     pullPolicy: Always
   
   nameOverride: opstella-clear-session
   fullnameOverride: opstella-clear-session
   
   imagePullSecrets:
     - name: registry-secret
   
   serviceAccount:
     name:
   
   ingress:
     enabled: true
     className: ${K8S_INGRESSCLASS_NAME}
     annotations:
       nginx.ingress.kubernetes.io/rewrite-target: /\$2
     hosts:
       - host: ${ARGOCD_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
       - host: ${HEADLAMP_DOMAIN}
         paths:
           - path: /clear-session(/|$)(.*)
             pathType: ImplementationSpecific
     tls:
       - secretName: ${K8S_INGRESS_TLS_CERTIFICATE_SECRET_NAME}
         hosts:
           - ${ARGOCD_DOMAIN}
           - ${HEADLAMP_DOMAIN}
   
   containerPorts: 8000
   
   env:
     - name: URL_ORIGIN
       value: '[${OPSTELLA_CLEAR_SESSION_ALLOWED_ORIGINS}]'
   
   podSecurityContext:
     fsGroup: 1000
   
   securityContext:
     seccompProfile:
       type: RuntimeDefault
     capabilities:
       drop: ["ALL"]
     runAsNonRoot: true
     privileged: false
     allowPrivilegeEscalation: false
     runAsGroup: 1000
     runAsUser: 1000
   
   EOF

Installation

1. Install Opstella Clear Session for 🟢 Management Kuberenetes Cluster

   1.1 Connect to 🟢 Management Kubernetes Cluster ; i.e w/ Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   source $HOME/opstella-installation/shell-values/kubernetes/management_cluster.vars.sh

   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"

   1.2 Install Using local opstella-platform Helm Chart

   helm install clear-session \
     $HOME/opstella-installation/helm-charts/opstella-platform-chart \
     --namespace opstella-system \
     -f $HOME/opstella-installation/helm-values/opstella-clear-session-devsecops-full-values.yaml

2. Install Opstella Clear Session for 🟦 Non-Production Workload Kuberenetes Cluster

   2.1 Connect to 🟦 Non-Production Workload Kubernetes Cluster ; i.e w/ Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   source $HOME/opstella-installation/shell-values/kubernetes/nonprod_cluster.vars.sh

   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/nonprod_cluster.yaml"

   2.2 Install Using local opstella-platform Helm Chart

   helm install clear-session \
     $HOME/opstella-installation/helm-charts/opstella-platform-chart \
     --namespace opstella-system \
     -f $HOME/opstella-installation/helm-values/opstella-clear-session-nonprod-full-values.yaml

3. Install Opstella Clear Session for 🟥 Production Workload Kuberenetes Cluster

   3.1 Connect to 🟥 Production Workload Kubernetes Cluster ; i.e w/ Kubeconfig File

   Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

   source $HOME/opstella-installation/shell-values/kubernetes/prod_cluster.vars.sh

   export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/prod_cluster.yaml"

   3.2 Install Using local opstella-platform Helm Chart

   helm install clear-session \
     $HOME/opstella-installation/helm-charts/opstella-platform-chart \
     --namespace opstella-system \
     -f $HOME/opstella-installation/helm-values/opstella-clear-session-prod-full-values.yaml

Post-Installation

Opstella Clear Session Testing

1. Get Pod Status - Opstella Clear Session

   kubectl get pods -n opstella-system

   Opstella Clear Session should be Running

   NAME                                     READY   STATUS    RESTARTS   AGE
   ... (deducted)
   opstella-clear-session-XXXXXXX-YYYYY     1/1     Running   0          XdXh