OpenG2P In a Box
Getting started with OpenG2P
This document describes a deployment model in which the infrastructure and components required by the OpenG2P modules are set up on a single node/VM/machine. It lets you get started with OpenG2P and try its functionality without meeting the resource requirements of a production-grade setup. It is a compact version of the V4 architecture: the structure of V4 is preserved so that the infrastructure can be expanded later, when more hardware resources are available.
Do NOT use this deployment model for production/pilots.
A machine with the following configuration:
16 vCPU/64GB RAM/256 GB storage
OS: Ubuntu 22.04
To set up the base infrastructure, log in to the machine and install the following:
Set up the firewall. Because everything runs on one machine, apply the K8s, NFS, WireGuard and LB firewall rules to this same machine.
Install the Kubernetes cluster (RKE2 server).
Install the WireGuard bastion servers:
Run this command once for each WireGuard server/channel:
WG_MODE=k8s ./wg.sh <name for this wireguard server> <client ips subnet mask> <port> <no of peers> <subnet mask of the cluster nodes & lbs>
For example (each channel listens on its own UDP port, so every port used here must be allowed by the firewall set up above):
WG_MODE=k8s ./wg.sh wireguard_app_users 10.15.0.0/16 51820 254 172.16.0.0/24
WG_MODE=k8s ./wg.sh wireguard_sys_admins 10.16.0.0/16 51821 254 172.16.0.0/24
Check the logs of each server and wait until all of them finish starting up. Example:
kubectl -n wireguard-system logs -f wireguard-sys-admins
Install the NFS server.
Install the Kubernetes NFS CSI driver.
Istio setup: from the kubernetes/istio directory, run the following:
istioctl operator init
kubectl apply -f istio-operator-no-external-lb.yaml
kubectl apply -f istio-ef-spdy-upgrade.yaml
Set up TLS as follows.
Create an SSL certificate using Let's Encrypt for Rancher (edit the hostname below):
certbot certonly --agree-tos --manual \
--preferred-challenges=dns \
-d rancher.your.org
Create the Rancher TLS secret (edit the certificate paths below):
kubectl -n istio-system create secret tls tls-rancher-ingress \
--cert /etc/letsencrypt/live/rancher.your.org/fullchain.pem \
--key /etc/letsencrypt/live/rancher.your.org/privkey.pem
Create an SSL certificate using Let's Encrypt for Keycloak (edit the hostname below):
certbot certonly --agree-tos --manual \
--preferred-challenges=dns \
-d keycloak.your.org
Create the Keycloak TLS secret (edit the certificate paths below):
kubectl -n istio-system create secret tls tls-keycloak-ingress \
--cert /etc/letsencrypt/live/keycloak.your.org/fullchain.pem \
--key /etc/letsencrypt/live/keycloak.your.org/privkey.pem
Note that Let's Encrypt certificates are valid for 90 days and certificates obtained with certbot's manual DNS challenge are not renewed automatically: repeat the certbot step and recreate the corresponding secret before each expiry.
Set up DNS so that the Rancher and Keycloak hostnames resolve to the IP address of the node.
Rancher install: from the kubernetes/rancher directory, run the following (edit the hostname below):
RANCHER_HOSTNAME=rancher.your.org \
TLS=true \
./install.sh --set replicas=1
Log in to Rancher using the above hostname and bootstrap the admin user according to the instructions. After successfully logging in to Rancher as admin, save the new admin user password in the local cluster, in the cattle-system namespace, in the secret rancher-secret, under the key adminPassword.
Keycloak install: from the kubernetes/keycloak directory, run the following (edit the hostname below):
KEYCLOAK_HOSTNAME=keycloak.your.org \
TLS=true \
./install.sh --set replicaCount=1
Continue to use the same cluster (the local cluster) for the OpenG2P modules as well.
In Rancher, create a Project and a Namespace in which the OpenG2P modules will be installed. The rest of this guide assumes the namespace is named dev.
In Rancher -> Namespaces, enable "Istio Auto Injection" for the dev namespace.
Follow the Istio namespace setup:
Edit and run the following to define the variables:
export NS=dev
export WILDCARD_HOSTNAME='*.dev.your.org'
Run the following to apply the gateways. If the namespace was already created in Rancher above, kubectl create ns reports that it already exists; that is harmless, continue with the next command:
kubectl create ns $NS
envsubst < istio-gateway-tls.yaml | kubectl apply -f -
Create an SSL certificate using Let's Encrypt for the wildcard hostname used above (the wildcard is quoted so the shell does not expand it as a glob). Example:
certbot certonly --agree-tos --manual \
--preferred-challenges=dns \
-d dev.your.org \
-d '*.dev.your.org'
Add the certificate to Kubernetes as a TLS secret:
kubectl -n istio-system create secret tls tls-openg2p-$NS-ingress \
--cert=<certificate path> \
--key=<certificate key path>
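Each of the three istio-system TLS secrets above (Rancher, Keycloak, and the per-namespace wildcard) is created the same way, and kubectl create secret tls only checks that the certificate and key belong together: it does not check that the certificate covers the hostname the gateway will serve, nor how long it remains valid, and it fails outright once the secret already exists, which is exactly the situation after a certbot renewal. The following POSIX shell script is an added example and not part of the OpenG2P repository. It performs those checks with openssl and then creates or updates the secret through the client-side dry-run plus apply idiom, so the same command can be re-run after every renewal. The function names, the 14-day expiry threshold, and the default /etc/letsencrypt/live/<hostname>/ paths are assumptions of the example; it expects openssl and kubectl on PATH, kubectl pointed at the local cluster, and enough privilege to read the certbot key files.

```shell
#!/bin/sh
# Added example, not OpenG2P project code. Pre-flight checks before loading a
# Let's Encrypt certificate into one of the istio-system TLS secrets on this
# page, plus an idempotent create-or-update that can be re-run after each
# certbot renewal. Assumes openssl and kubectl on PATH and that kubectl already
# points at the local cluster. Paths and the 14-day threshold are assumptions.
set -eu

# Does one subjectAltName entry cover HOST? Exact match, or a wildcard in the
# leftmost label only: '*.dev.your.org' covers 'app.dev.your.org' but neither
# 'dev.your.org' nor 'a.b.dev.your.org' (the rule browsers apply, RFC 6125).
san_covers_host() {
  san=$1; host=$2
  [ "$san" = "$host" ] && return 0
  case $san in
    \*.*)
      suffix=${san#\*.}; first=${host%%.*}; rest=${host#*.}
      if [ "$first" != "$host" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]; then
        return 0
      fi ;;
  esac
  return 1
}

# Print the DNS names from the leaf certificate's subjectAltName, one per line.
# With fullchain.pem, openssl x509 reads only the first (leaf) certificate.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Succeed if any SAN in the certificate covers HOST.
cert_covers_host() {
  cert=$1; host=$2
  set -f   # no globbing: a '*.dev.your.org' SAN must not expand against the cwd
  for san in $(cert_sans "$cert"); do
    if san_covers_host "$san" "$host"; then set +f; return 0; fi
  done
  set +f
  return 1
}

# Compare the public key embedded in the certificate with the one derived from
# the private key, so a mismatched pair is reported here with a clear message.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate is still valid DAYS days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run the checks for the certbot lineage HOST, then create or update SECRET in
# NS (default istio-system). SERVED (default HOST) is the name the gateway will
# actually serve; pass a concrete name such as app.dev.your.org when loading
# the wildcard lineage. 'kubectl create secret tls' fails once the secret
# exists, so the object is rendered with a client-side dry run and applied.
install_tls_secret() {
  host=$1; secret=$2; ns=${3:-istio-system}; served=${4:-$1}
  cert=/etc/letsencrypt/live/$host/fullchain.pem   # assumed certbot layout
  key=/etc/letsencrypt/live/$host/privkey.pem
  [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key (run certbot first, as root)" >&2; return 1; }
  cert_matches_key "$cert" "$key" || { echo "$cert does not match $key" >&2; return 1; }
  cert_covers_host "$cert" "$served" || { echo "$cert has no SAN covering $served" >&2; return 1; }
  cert_valid_for_days "$cert" 14 || { echo "$cert expires within 14 days; renew it before loading" >&2; return 1; }
  kubectl -n "$ns" create secret tls "$secret" --cert "$cert" --key "$key" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage for the three secrets on this page:
#   install_tls_secret rancher.your.org  tls-rancher-ingress
#   install_tls_secret keycloak.your.org tls-keycloak-ingress
#   install_tls_secret dev.your.org tls-openg2p-dev-ingress istio-system app.dev.your.org
[ $# -eq 0 ] || install_tls_secret "$@"
```

The wildcard call passes a concrete name under the wildcard because the SAN check is done against what clients will actually request, and a certificate for dev.your.org alone would otherwise pass. Rerunning the same three commands after each certbot renewal replaces the secret contents in place; Istio's ingress gateway picks up the updated secret without a restart.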
Install Prometheus and Monitoring from Rancher.
Install Logging and Fluentd. (TODO)