Hardware requirements

For sandbox setups

For staging setups

For production setups

TBD

Networking requirements

• All the machines in the same network.

• Public IP assigned to the Wireguard machine.

DNS requirements

The following domain names and mappings will be required. Examples:

Certificate requirements

One wildcard certificate is required at least, depending on the above domain names used. This can also be generated using letsencrypt.

Generate certificates

• Install letsencrypt and certbot.

sudo apt install letsencrypt certbot

• Generate Certificate.

sudo certbot certonly --agree-tos --manual --preferred-challenges=dns -d *openg2p.sandbox.net -d openg2p.sandbox.net

• The above command will ask for _acme-challenge, since the chosen challenge is of type DNS. Create the _acme-challenge TXT DNS record accordingly, and continue with the above prompt to certs generation.

• The generated certs should be present in /etc/letsencrypt directory.

Renew certificates

• Run the same generate certs command to renew certs.

sudo certbot certonly --agree-tos --manual --preferred-challenges=dns -d *openg2p.sandbox.net -d openg2p.sandbox.net

• The above command will generate new pair of certificates. The DNS challenge needs to be performed again, as prompted.

• Run the following to upload new certs back to Kubernetes Cluster. Adjust the certs path in the below command.

kubectl delete secret tls-openg2p-ingress -n istio-system
kubectl create secret tls tls-openg2p-ingress -n istio-system \
  --cert=/etc/letsencrypt/live/openg2p.sandbox.net-renewed/fullchain.pem \
  --key=/etc/letsencrypt/live/openg2p.sandbox.net-renewed/privkey.pem

Introduction

NFS-based storage is recommended for backing up DB and other data in developer/UAT/pilot environments.

Introduction

To deploy OpenG2P for sandbox, staging and production environments refer to the Deployment on Kubernetes guide.

To install OpenG2P on your work machine for development refer to the Getting Started guide in the Developer Zone.

Post-install configuration

• Once the Odoo server is up, log in as admin. And enter debug mode on odoo.

• Go to Settings -> Technical -> System Parameters.

  • Configure web.base.url to your required base URL.

  • Create another system parameter, with the name web.base.url.freeze, and value True.

  • Create another system parameter, with the name auth_oauth.authorization_header, and value True.

• Go to the Apps sections on UI, and click on the Update Apps List action on top.

• Search through and install required G2P Apps & Modules.

• After all, apps are installed, proceed to create users and assign roles.

• Do not use the admin user after this step. Log back in as a regular user.

• Configure ID Types on Registry -> Configuration.

• WIP.

Introduction

Rancher is used to managing multiple clusters. Being a critical component of cluster administration it is highly recommended that Rancher itself runs on a Kubernetes cluster with sufficient replication for high availability and avoiding a single point of failure.

Kubernetes cluster setup

• Set up a new RKE2 cluster. Refer to the guide.

  • Do not remove the stock ingress controller in the server config.

  • No need to install Istio.

Rancher installation

• To install Rancher use this (hostname to be edited in the below command):

  • Configure/Create TLS secret accordingly.

Longhorn Setup

Keycloak setup

Integrate Rancher and Keycloak

This page contains steps to be performed for packaging different components and addons, of OpenG2P and similar, into a docker image.

Instructions

• Clone the and go to directory

• Create text file, example my-package.txt . This signifies a package. This file should include all openg2p modules (repositories) to be packaged into a new docker. Each line describes one repository to include, and the structure of each line looks like this.

  • Any underscore in the repository name will be converted to hyphen during installation. For example:

    This is internally converted to repo-name.

• The above configuration can be made via environment variables also.

  • Any variable with the prefix G2P_PACKAGE_my_package_ will be considered as repository to install i.e., G2P_PACKAGE_<package_name>_<repo_name>. For example;

  • These env variables can be added in .env file (in the same folder). The .env file will automatically be considered.

  • If same package is available in my-package.txt, .env and environment variable, then this will be the preference order in which they are considered (highest to lowest).

    • .env file

    • Environment variable.

    • my-package.txt

  • Use the .env to overload packages from my-package.txt

• Run the following to download all packages:

• After downloading packages, run the following to build docker image:

• Then push the image.

• Notes:

  • The above uses bitnami's odoo image as base.

  • This script also pulls in any OCA dependencies configured, in oca_dependencies.txt inside each package. Use this env variable to change the version of OCA dependencies to be pulled, OCA_DEPENDENCY_VERSION (defaults to 15.0).

  • This also installs any python requirements configured in requirements.txt inside each package.

  • Reference packages can be found in packages directory inside packaging directory.

Introduction

The table below enumerates various admin/user access to the entire deployment. This includes access to machines, Rancher, Kubernetes cluster as well as OpenG2P application.

Access matrix

Wireguard access to users

The guide below provides steps to provide Wireguard access to users' devices (called peers). Note that the access must be provided to each unique device (like a desktop, laptop, mobile phone etc). Multiple logins with same conf file is not possible.

Steps

1. Login to the Wireguard node via SSH.

2. Navigate to Wireguard conf folder

3. You will see several pre-created peer config files. You may assign any one of the file (not assigned before) to a new peer/user.

4. Editassigned.txt file to assign a new the peer (client/user). Make sure a conf file is assigned to a unique user, already assigned file is never re-assigned to another user.

5. Add the peers with name as mentioned below. Example:

6. Share the conf file with the peer/user securely. Example: peer1/peer1.conf

Wireguard client installation

Introduction

The guide here provides instructions to deploy OpenG2P on Kubernetes (K8s) cluster.

Pre-requisites

• K8s cluster is set up as given .

Installation of OpenG2P

• This section assumes the OpenG2P docker is already packaged. See Packaging Instructions.

• Clone the and go to directory

  • Run, (This installs the ref-impl dockers):

  • If use different docker image or tag use:

Installation of ODK

• Post installation:

  • Exec into the service pod, and create user (and promote if required).
• Uninstallation:

  • To uninstall, just delete the helm installation of odk-central. Example:

Introduction

The following guide uses to set up the Kubernetes (K8s) cluster.

Prerequisites

• The requirements for setting up the cluster are met as given .

• The following tools are installed on all the nodes and the client machine.

  • ufw , wget , curl , kubectl , istioctl , helm , jq

Firewall setup

• Set up firewall rules on each node. The following uses ufw to setup firewall.

  • SSH into each node, and change to superuser.

  • Run the following command for each rule in the following table

  • Example

  • Enable ufw.

  • Additional Reference:

K8s setup

• The following setup has to be done for each cluster node.

• Choose odd number of server nodes. Example if there are 3 nodes, choose 1 server node and two agent nodes. If there are 7 nodes, choose 3 server nodes and 4 agent nodes.

• For the first server node:

  • Configure rke2-server.conf.primary.template,

  • SSH into the node. Place the file to this path: /etc/rancher/rke2/config.yaml. Create the directory if not present already. mkdir -p /etc/rancher/rke2 .

  • Run this to download rke2.
  • Run this to start rke2 server:
• For subsequent server and agent nodes:

  • Configure rke2-server.conf.subsequent.template or rke2-agent.conf.template, with relevant ips for each node.

  • SSH into each node place the relevant file to this path: /etc/rancher/rke2/config.yaml, based on whether its a worker node, or control-plane node. (If worker use agent file. If control-plane use server file).

  • Run this to get download rke2.
  • To start rke2, use this

    or, based on server or agent.
• Execute these commands on a server node.

Cluster import into Rancher.

• Navigate to Cluster Management section in Rancher.

• Click on Import Existing cluster. And follow the steps to import the newly created cluster.

• After Rancher import, do not use the the kubeconfig from server anymore. Use it only via downloading kubeconfig from rancher.

Longhorn setup

Istio setup

• The following setup can be done from the client machine. This install Istio Operator, Istio Service Mesh, Istio Ingressgateway components.

• Gather Wildcard TLS certificate and key and run;
• Create istio gateway for all hosts using this command:

Adding new nodes

• Configure the the config.yaml with relevant values.

• Run this to download rke2.
• Run this to start rke2 node: