LogoLogo
1.3
1.3
  • Overview
  • Social Registry
    • Features
      • Individuals and Groups
        • 📔User Guides
          • 📔Create an Individual Registrant
          • 📔Create a Group and Add Individual Registrants to the Group
          • 📔Import CSV file to Social Registry
      • Deduplication
        • 📔User Guides
          • 📔Configure ID Deduplication, Deduplicate, and Save Duplicate Groups/Individuals
        • Deduplicator Service
      • Lock and Unlock
      • Enumerator
        • Enumerator ID
      • Dynamic Updates
      • Document Upload
      • ODK Importer
        • 📔User Guide
          • 📔Configure and Import ODK Form
          • 📔Import Specific ODK Forms using ODK Instance ID
      • Registration Portal
        • 📔User Guides
          • 📔Create a New Household
          • 📔Create a New Individual in Registration Portal
          • 📔Create a New Portal User
          • 📔Configure Portal User to Limit Accessing Location
      • Configurations
        • 📔User Guide
          • 📔Configure ID Types
          • 📔Configure Registrant Tags
          • 📔Configure Gender Types
          • 📔Configure Relationships
          • 📔Configure Group Types
          • 📔Configure Group Membership Kind
      • User Management
        • 📔User Guide
          • 📔Create User
          • 📔Assign a Role to a User
      • Geographic
      • Data Share
      • Languages Support
        • 📔User Guides
          • 📔Set Language Preference
      • API
        • Search APIs
        • Individual APIs
        • Group APIs
      • Privacy and Security
      • Interoperability
      • Monitoring and Reporting
      • ID Integration
        • ID Validation and Tokenisation
        • ID Authentication
          • 📔User Guides
            • 📔Configure eSignet Auth Provider for ID Authentication
            • 📔ID Authentication Process
            • 📔eSignet Client Creation
        • Fayda ID Integration
      • Verifiable Credentials Issuance
        • 📔User Guides
          • 📔Configure Inji to download Social Registry VCs
      • Computed fields
      • Record Revision History
      • SPAR Integration for Account Info
      • Self Service Registration Portal
      • Unique Reference ID
      • Logging
        • Audit Logs
        • System Logs
        • Change log
    • Versions
    • Deployment
      • Domain names and Certificates
      • Install Odoo Modules
    • Developer Zone
      • Technology Stack
      • Repositories
      • Developer Install
        • 📘Developer Install of OpenG2P Package on Linux
      • Packaging
        • 📘Docker Packaging Guide
        • 📘Helm Packaging Guide
      • Odoo Modules
        • ODK App User Mapping
  • PBMS
    • Features
      • Program Management
        • Role of a Program Manager
        • Program Life Cycle
        • 📔User Guides
          • 📔Create Program
          • 📔Create Eligibility Manager under Program
          • 📔Create Program Manager for a Program
          • 📔Create Deduplication Manager under Program
          • 📔Create Manager Type
            • 📔Create Payment Manager Types
              • 📔Create Payment Hub EE Payment Manager
              • 📔Create Payment Interoperability Layer Payment Manager
              • 📔Create Default Payment Manager
              • 📔Create Cash Payment Manager
              • 📔Create File Payment Manager
          • 📔Configure Entitlement Manager under Program
          • 📔Configure Payment Manager in Program
          • 📔Configure Default Program Manager
          • 📔Archive, Delete, End, and Re-activate a Program
      • Program Disbursement Cycles
        • 📔User Guides
          • 📔Create Program Fund
          • 📔Create Cycle Manager for a Program
      • Beneficiary Management
        • Beneficiary Registry
          • 📔User Guides
            • 📔Create an Individual Registrant
            • 📔Create a Group and Add Individual Registrants to the Group
            • 📔Assign a Program to a Group
            • 📔Assign a Program to an Individual
        • Beneficiary Registry Configurations
          • 📔User Guides
            • 📔Configure ID Types
            • 📔Configure Registrant Tags
            • 📔Configure Gender Types
            • 📔Configure Relationships
            • 📔Configure Group Types
            • 📔Configure Group Membership Kind
        • Registration
          • 📔User Guides
            • 📔Import CSV File to Registry Module
      • ID Verification
      • Eligibility
        • Proxy Means Test
        • 📔User Guides
          • 📔Create Eligibility Manager Types
            • 📔Configure Default Eligibility Manager
            • 📔Create ID Document Eligibility Manager
            • 📔Create Phone Number Eligibility Manager
          • 📔Configure Proxy Means Test
          • 📔Verify Eligibility of Enrolled Registrants
      • Deduplication
        • 📔User Guides
          • 📔Deduplicate Registrants
          • 📔Create Deduplication Manager Types
            • 📔Configure Default Deduplication Manager
            • 📔Create ID Deduplication Manager
            • 📔Create Phone Number Deduplication
      • Enrolment
        • 📔User Guides
          • 📔Enroll Registrants into Program
          • 📔Auto-Enroll New Registrants into a Program
          • 📔Enroll Eligible Individual Registrants into a Program
      • Entitlement
        • 📔User Guides
          • 📔Multi-Stage Approval
          • 📔Create Entitlement Manager Type
            • 📔Create Default Entitlement Manager
            • 📔Create Voucher Entitlement Manager
            • 📔Configure Cash Entitlement Manager
          • 📔Create Entitlement Voucher Template
          • 📔Configure the Payments File with QR Code
          • 📔Configure Default Cycle Managers
          • 📔Export Beneficiaries Approved Entitlement
      • Disbursement
        • Payment Batches
        • In-Kind Transfer
          • 📔User Guides
            • 📔Create a Product in Inventory
            • 📔Configure In-Kind Entitlement Manager
            • 📔Create and Approve Program Cycle
            • 📔Verify Eligibility of Registrants in a Cycle
        • Digital Cash Transfer
        • e-Voucher
        • 📔User Guides
          • Prepare and Send Payment
      • Self Service Portal
        • 📔User Guides
          • 📔Self Register Online
          • 📔Create Self Service Portal Form
          • 📔Map Self Service Portal Form
      • Document Management
      • Multi-tenancy
      • Notifications
        • 📔User Guides
          • 📔Send Notifications to Individual Registrants
          • 📔Create Notification Manager Types
            • 📔Create SMS Notification Manager
            • 📔Create Email Notification Manager
            • 📔Create Fast2SMS Notification Manager
          • 📔Create Notification Manager under Program
      • Accounting
      • Administration
        • RBAC
          • 📔User Guides
            • 📔Create User and Assign Role
            • 📔Configure Keycloak Authentication Provider for User Log in
        • i18n
      • ODK Importer
        • 📔User Guides
          • 📔Configure and Import ODK Form
          • 📔Import Specific ODK Forms using ODK Instance ID
          • 📔Import Social Registry Data into PBMS
      • MTS Connector
        • 📔User Guides
          • 📔Create MTS Connector
            • 📔Create ODK MTS Connector
            • 📔Create OpenG2P Registry MTS Connector
      • Audit Logs
      • Service Provider Portal
        • 📔User Guides
          • 📔Submit Reimbursement Using the Service Provider Portal
          • 📔Reimburse the Service Provider
      • Interoperability
      • Privacy and Security
      • Periodic Biometric Authentication for Beneficiaries
      • Beneficiary Exit Process
      • Verifiable Credential Issuance
        • 📔User Guides
          • 📔Configure Inji to download Beneficiary VCs
      • Deduplication
      • Manual In-Kind Entitlement
      • Print Disbursement Summary
      • Monitoring & Reporting
        • Logging
    • Versions
    • Developer Zone
      • Odoo Modules
        • G2P Enumerator
        • OpenG2P Registry MTS Connector
        • G2P Documents Store
        • MTS Connector
        • G2P Formio
        • G2P Registry: Rest API Extension Demo
        • G2P Registry: Additional Info REST API
        • G2P Registry: Bank Details Rest API
        • G2P Registry: Additional Info
        • G2P Registry: Membership
        • G2P Registry: Groups
        • G2P Registry: Individual
        • G2P Registry: Base
        • G2P Registry: Rest API
        • G2P Registry: Bank Details
        • OpenG2P Program Payment (Payment Hub EE)
        • OpenG2P Program Payments: In Files
        • G2P Program : Program Registrant Info Rest API
        • OpenG2P Entitlement: Differential
        • OpenG2P Program: Approval
        • OpenG2P Program: Assessment
        • G2P Program: Registrant Info
        • OpenG2P Program Payment: Simple Mpesa Payment Manager
        • OpenG2P Programs: Cycleless
        • OpenG2P Entitlement: In-Kind
        • G2P Notifications: Wiserv SMS Service Provider
        • G2P: Proxy Means Test
        • G2P Programs: REST API
        • G2P Program Payment (Payment Interoperability Layer)
        • OpenG2P Entitlement: Voucher
        • OpenG2P Programs: Reimbursement
        • OpenG2P Program Payment: Cash
        • OpenG2P Program: Documents
        • OpenG2P Program Payment: G2P Connect Payment Manager
        • OpenG2P Programs: Autoenrol
        • G2P ODK Importer
        • G2P Service Provider Beneficiary Management
        • OpenID Connect Authentication
        • G2P Auth: OIDC - Reg ID
        • G2P OpenID VCI: Base
        • G2P OpenID VCI: Programs
        • G2P OpenID VCI: Rest API
      • Developer Install on Linux
      • Repositories
        • openg2p-fastapi-common
          • OpenG2P FastAPI Common
          • OpenG2P FastAPI Auth
          • OpenG2P Common: G2P Connect ID Mapper
        • social-payments-account-registry
        • g2p-bridge
        • openg2p-packaging
        • openg2p-security
        • spar-load-test
        • 4sure
        • G2P SelfServicePortal
      • Technology Stack
      • Testing
        • Test Workflow
        • Automation Framework
    • Deployment
      • i18n
      • Installation of Odoo Modules
      • Domain names and Certificates
      • Helm Charts
  • SPAR
    • Features
      • SPAR Mapper
      • SPAR Self Service
      • Privacy & Security
      • Interoperability
      • Monitoring & Reporting
    • Deployment
      • Domain Names and Certificates
      • Helm Charts
    • 📔User Guides
      • 📔Link FA (Self Service)
      • 📔Link FA (Admin)
    • Development
      • Jira Board
      • Testing
        • Unit Testing
        • Functional Testing
        • Performance Testing
          • Mapper
            • Resolve API
            • Link API
            • Unlink API
            • Update API
      • Developer Install
        • SPAR Mapper API
        • SPAR Self Service API
        • SPAR Self Service UI
      • Repositories
      • API Reference
      • Tech Guides
    • Releases
      • 1.0.0
      • 1.1.0 - WIP
    • Roadmap
  • G2P Bridge
    • Features
      • Privacy & Security
      • Interoperability
      • Monitoring & Reporting
    • Deployment
    • Development
      • Design
        • IN APIs from PBMS
          • create_disbursement_envelope
          • cancel_disbursement_envelope
          • create_disbursements
          • cancel_disbursements
          • get_disbursement_envelope_status
          • get_disbursement_status
        • OUT APIs to Mapper
          • resolve
        • OUT APIs to Bank
          • check_funds_with_bank
          • block_funds_with_bank
          • disburse_funds_from_bank
        • IN APIs from Bank
          • upload_mt940
        • Helper Tables
          • benefit_program_configuration
        • Configuration parameters
        • Interfaces
        • Physical Organization
        • Example Bank
          • example-bank-models
          • example-bank-api
          • example-bank-celery
      • Testing
        • Unit Testing
        • Functional Testing
        • Performance Testing
      • Repositories
    • Tech Guides
    • 📔User Guides
      • 📔Configure G2P Connect Payment Manager
    • Releases
  • Utilities and Tools
    • ODK
      • 📔User Guides
        • 📔Create a Project for a Program
        • 📔Create a Form
        • 📔Upload a Form
        • 📔Upload revised Form
        • 📔Test a Form
        • 📔Publish a Form
        • 📔Provide Form Access to Field Agent
        • 📔Download a Form on ODK Collect
        • 📔Delete a Form
        • 📔Register Offline
    • 4Sure Verifier App
      • Installation Guide for 4Sure Application
      • 📔User Guides
        • 📔Verify Digital Credentials using 4Sure Application
        • 📔Verify and Populate the form in ODK Collect using 4Sure Application
      • 4Sure Test Summary
    • Smartscanner
      • 📔User Guides
    • Registration Tool Kit
  • Monitoring and Reporting
    • Apache Superset
    • Reporting Framework
      • 📔User Guides
        • 📔Connector Creation Guide
        • 📔Dashboards Creation Guide
        • 📔Installation & Troubleshooting
        • Page 1
      • Kafka Connect Transform Reference
    • System Logging
    • System Health
  • Privacy and Security
    • Key Manager
  • Interoperability
  • Integrations
    • eSignet Integration
    • M-Pesa Integration
    • Mojaloop Integration
    • 📔User Guides
  • Deployment
    • Base Infrastructure
      • Wireguard Bastion
        • Install WireGuard Client on Android Device
        • Wireguard Access to Users
        • Install WireGuard Client on Desktop
      • NFS Server
      • Rancher Cluster
      • OpenG2P Cluster
        • Kubernetes
          • Firewall
          • Istio
          • Adding Nodes to Cluster
          • Deleting Nodes from Cluster
        • Prometheus & Grafana
        • Fluentd & OpenSearch
          • DEPRECATED - OpenSearch
      • Load Balancer
        • Nginx
        • AWS
    • Resource Requirements
    • Helm Charts
    • Upgrades
    • Production
    • OpenG2P In a Box
    • Packaging
    • Versioning
    • Additional Guides
      • Automatic Build and Upload of Private Dockers
      • Generate SSL Certificates using Letsencrypt
      • Packaging Odoo based Docker
      • AWS
        • Create ACM Certificate on AWS
        • Create Security Group on AWS
        • Domain mapping on AWS Route53
        • Make Environment Publicly Accessible using AWS LB Configuration
      • Private Access Channel
      • Odoo Post Install Configuration
      • Pulling Docker from Private Repository on Docker Hub
      • Keycloak Client Creation
      • Troubleshooting: "fsnotify watcher" warning
      • Uninstalling Applications from Rancher UI
      • Access a Database from Outside the Cluster
      • Configure External Database to Connect OpenG2P Environment
      • Configure IPSec VPN Gateway to Connect to External Systems using Strongswan
      • Troubleshooting
        • PostgreSQL Database not Starting due to Replication Checkpoint Error
        • No Space Left on the Device Warning
      • Restart Deployment or StatefulSets to Redistribute Pods across Nodes
      • Rerun Jobs in Kubernetes Cluster
      • Finding URLs in the System
      • Transitioning PostgreSQL From Docker on K8s to Standalone PostgreSQL
      • Restore a PVC from an NFS Folder and Attach it to a Pod
      • View System Logs on the OpenSearch Dashboard
    • Persistent Storage
      • Resizing Persistent Volume Claim in Kubernetes Cluster
  • Documentation Guides
    • Documentation Guidelines
      • Embed a Miro diagram
      • Set an Image for a Start View
    • OpenG2P Module Doc Template
  • Use Cases
    • Technology for Inclusion
      • Registration in Low Connectivity Areas
      • Registration using Self Service Portal
    • Digital Cash Transfer Program
    • Create Social Registry
    • Case Studies
      • Immediate Assistance on Demand
      • Service Provider Reimbursement
      • Customise ODK Form - Add Ethiopian Calendar
  • Releases
    • 1.1.0
      • Release Notes
  • License
    • OpenG2P Support Policy
  • Community
    • Contributing
    • Code of Conduct
  • Blogs
    • OpenG2P and SDG Goals
    • OpenG2P - A Building Block for DPI
Powered by GitBook
LogoLogo

Copyright © OpenG2P. This work is licensed under Creative Common Attribution (CC-BY-4.0) International license unless otherwise noted.

On this page
  • Deployment architecture
  • Installation
  • Prerequisites
  • Base infrastructure setup
  • OpenG2P modules' installation
  1. Deployment

OpenG2P In a Box

Getting started with OpenG2P

PreviousProductionNextPackaging

Last updated 7 months ago

This document describes a deployment model wherein the infrastructure and components required by OpenG2P modules can be set up on a single node/VM/machine. This will help you to get started with OpenG2P and experience the functionality without having to meet all r for a production-grade setup. This is based on , but a compact version of the same. The essence of the V4 is preserved so that upgrading the infra is easier when more hardware resources are available.

Deployment architecture

Do NOT use this deployment model for production/pilots.

Installation

Prerequisites

  • Machine with the following configuration

    • 16 vCPU/64GB RAM/256 GB storage

    • OS: Ubuntu 22.04

Base infrastructure setup

To set up the base infrastructure, login to the machine and install the following:

    • Run this command for each wireguard server/channel:

      WG_MODE=k8s ./wg.sh <name for this wireguard server> <client ips subnet mask> <port> <no of peers> <subnet mask of the cluster nodes & lbs>

    • For example:

      WG_MODE=k8s ./wg.sh wireguard_app_users 10.15.0.0/16 51820 254 172.16.0.0/24
WG_MODE=k8s ./wg.sh wireguard_sys_admins 10.16.0.0/16 51821 254 172.16.0.0/24

    • Check logs of the servers and wait for all servers to finish startup. Example:

      kubectl -n wireguard-system logs -f wireguard-sys-admins
  6. istioctl operator init
kubectl apply -f istio-operator-no-external-lb.yaml
kubectl apply -f istio-ef-spdy-upgrade.yaml

  7. Set up TLS using the following:

    • certbot certonly --agree-tos --manual \
    --preferred-challenges=dns \
    -d rancher.your.org

    • Create Rancher TLS Secret (Edit certificate paths below):

      kubectl -n istio-system create secret tls tls-rancher-ingress \
    --cert /etc/letsencrypt/live/rancher.your.org/fullchain.pem \
    --key /etc/letsencrypt/live/rancher.your.org/privkey.pem
    • certbot certonly --agree-tos --manual \
    --preferred-challenges=dns \
    -d keycloak.your.org

    • Create Keycloak TLS Secret, using (Edit certificate paths below):

      kubectl -n istio-system create secret tls tls-keycloak-ingress \
    --cert /etc/letsencrypt/live/keycloak.your.org/fullchain.pem \
    --key /etc/letsencrypt/live/keycloak.your.org/privkey.pem

  8. Set up DNS for Rancher and Keycloak hostnames to point to the IP of the node.

  9. RANCHER_HOSTNAME=rancher.your.org \
TLS=true \
    ./install.sh --set replicas=1

    • Login to Rancher using the above hostname and bootstrap the admin user according to the instructions. After successfully logging in to Rancher as admin, save the new admin user password in local cluster, in cattle-system namespace, under rancher-secret, with key adminPassword.

  10. KEYCLOAK_HOSTNAME=keycloak.your.org \
TLS=true \
    ./install.sh --set replicaCount=1

  12. Continue to use the same cluster (local cluster) for OpenG2P Modules also.

    • In Rancher, create a Project and Namespace, on which the OpenG2P modules will be installed. The rest of this guide will assume the Namespace to be dev .

    • In Rancher -> Namespaces menu, enable "Istio Auto Injection" for dev namespace.

    1. Edit and run this to define the variables:

      export NS=dev
export WILDCARD_HOSTNAME='*.dev.your.org'

    2. Run this apply gateways

      kubectl create ns $NS
envsubst < istio-gateway-tls.yaml | kubectl apply -f -
    3. certbot certonly --agree-tos --manual \
    --preferred-challenges=dns \
    -d dev.your.org \
    -d *.dev.your.org

    4. Add the certificate to K8s.

      kubectl -n istio-system create secret tls tls-openg2p-$NS-ingress \
    --cert=<certificate path> \
    --key=<certificate key path>

  15. Install Logging and Fluentd. (TODO)

OpenG2P modules' installation

  • The SSL certificates are loaded on the Istio gateway while in V4 the certificates are loaded on the Nginx server.

  • The Wireguard bastion runs inside the Kubernetes cluster itself as a pod. This is not recommended in production where Wireguard must run on a separate node.

  • In-a-box does not offer high availability as the node is a single point of failure.

  • NFS runs inside the box. In production, NFS must run on a separate node with its access control, allocated resources and backups.

Set up . Make sure to include , , , and , all in the same machine.

Install .

Install servers:

Install .

Install .

Istio: Setup; from directory, run the following:

Create for Rancher (Edit hostname below):

Create for Keycloak (Edit hostname below):

Rancher Install; from directory, run the following (Edit hostname below):

Keycloak Install; from directory, run the following (Edit hostname below):

.

Follow :

Create for the wildcard hostname used above. Example usage:

Install from Rancher

.

How is "In a Box" different from ? Why should this not be used for production?

In-a-box does not use the Nginx Load Balancer. The HTTPS traffic directly terminates on the Istio gateway via Wireguard. However, Nginx is required in production as described .

A single private is enabled (via Wireguard). In production, you will typically need several channels for access control.

kubernetes/istio
SSL Certificate using Letsencrypt
SSL Certificate using Letsencrypt
kubernetes/rancher
kubernetes/keycloak
SSL Certificate using Letsencrypt
Prometheus and Monitoring
here
access channel
esource requirements
Firewall
V4
Wireguard Bastion
V4 architecture
Integrate Rancher & Keycloak
K8s Firewall
NFS Firewall
Wireguard Firewall
LB Firewall
Istio Namespace setup
Install OpenG2P modules via Rancher
Kubernetes Cluster (RKE2 Server)
Kubernetes NFS CSI Driver
NFS Server