OpenG2P In a Box
Getting started with OpenG2P
This document describes a deployment model wherein the infrastructure and components required by OpenG2P modules can be set up on a single node/VM/machine. This will help you to get started with OpenG2P and experience the functionality without having to meet all resource requirements for a production-grade setup. This is based on V4 architecture, but a compact version of the same. The essence of the V4 is preserved so that upgrading the infra is easier when more hardware resources are available.
Deployment architecture
Do NOT use this deployment model for production/pilots.
Installation
Prerequisites
Machine with the following configuration
16 vCPU/64GB RAM/256 GB storage
OS: Ubuntu 22.04
Base infrastructure setup
To set up the base infrastructure, login to the machine and install the following:
Set up Firewall. Make sure to include K8s Firewall, NFS Firewall, Wireguard Firewall, and LB Firewall, all in the same machine.
Install Kubernetes Cluster (RKE2 Server).
Install Wireguard Bastion servers:
Run this command for each wireguard server/channel:
For example:
Check logs of the servers and wait for all servers to finish startup. Example:
Install NFS Server.
Install Kubernetes NFS CSI Driver.
Istio: Setup; from kubernetes/istio directory, run the following:
Set up TLS using the following:
Create SSL Certificate using Letsencrypt for Rancher (Edit hostname below):
Create Rancher TLS Secret (Edit certificate paths below):
Create SSL Certificate using Letsencrypt for Keycloak (Edit hostname below):
Create Keycloak TLS Secret, using (Edit certificate paths below):
Set up DNS for Rancher and Keycloak hostnames to point to the IP of the node.
Rancher Install; from kubernetes/rancher directory, run the following (Edit hostname below):
Login to Rancher using the above hostname and bootstrap the
admin
user according to the instructions. After successfully logging in to Rancher as admin, save the new admin user password inlocal
cluster, incattle-system
namespace, underrancher-secret
, with keyadminPassword
.
Keycloak Install; from kubernetes/keycloak directory, run the following (Edit hostname below):
Continue to use the same cluster (
local
cluster) for OpenG2P Modules also.In Rancher, create a Project and Namespace, on which the OpenG2P modules will be installed. The rest of this guide will assume the Namespace to be
dev
.In Rancher -> Namespaces menu, enable "Istio Auto Injection" for
dev
namespace.
Follow Istio Namespace setup:
Edit and run this to define the variables:
Run this apply gateways
Create SSL Certificate using Letsencrypt for the wildcard hostname used above. Example usage:
Add the certificate to K8s.
Install Prometheus and Monitoring from Rancher
Install Logging and Fluentd. (TODO)
OpenG2P modules' installation
Install OpenG2P modules via Rancher.
How is "In a Box" different from V4? Why should this not be used for production?
In-a-box does not use the Nginx Load Balancer. The HTTPS traffic directly terminates on the Istio gateway via Wireguard. However, Nginx is required in production as described here.
The SSL certificates are loaded on the Istio gateway while in V4 the certificates are loaded on the Nginx server.
The Wireguard bastion runs inside the Kubernetes cluster itself as a pod. This is not recommended in production where Wireguard must run on a separate node.
A single private access channel is enabled (via Wireguard). In production, you will typically need several channels for access control.
In-a-box does not offer high availability as the node is a single point of failure.
NFS runs inside the box. In production, NFS must run on a separate node with its access control, allocated resources and backups.
Last updated