# OpenG2P In a Box This document describes a deployment model wherein the infrastructure and components required by OpenG2P modules can be set up on a single node/VM/machine. This will help you to get started with OpenG2P and experience the functionality without having to meet all r[esource requirements](/1.3/deployment/hardware-requirements.md) for a production-grade setup. This is based on [V4 architecture](/1.3/deployment.md#deployment-architecture), but a compact version of the same. The essence of the V4 is preserved so that upgrading the infra is easier when more hardware resources are available. ## Deployment architecture {% embed url="" %} {% hint style="danger" %} Do NOT use this deployment model for production/pilots. {% endhint %} ## Installation ### Prerequisites * Machine with the following configuration * 16 vCPU/64GB RAM/256 GB storage * OS: Ubuntu 22.04 ### Base infrastructure setup To set up the base infrastructure, login to the machine and install the following: 1. Set up [Firewall](/1.3/deployment/base-infrastructure/openg2p-cluster/cluster-setup/firewall.md). Make sure to include [K8s Firewall](/1.3/deployment/base-infrastructure/openg2p-cluster/cluster-setup/firewall.md#firewall-rules-for-kubernetes-node), [NFS Firewall](/1.3/deployment/base-infrastructure/openg2p-cluster/cluster-setup/firewall.md#firewall-rules-for-nfs), [Wireguard Firewall](/1.3/deployment/base-infrastructure/openg2p-cluster/cluster-setup/firewall.md#firewall-rules-for-wireguard), and [LB Firewall](/1.3/deployment/base-infrastructure/openg2p-cluster/cluster-setup/firewall.md#firewall-rules-for-load-balancer), all in the same machine. 2. Install [Kubernetes Cluster (RKE2 Server)](/1.3/deployment/base-infrastructure/openg2p-cluster/cluster-setup.md#cluster-installation). 3. Install [Wireguard Bastion](/1.3/deployment/base-infrastructure/wireguard-bastion.md#installation) servers: * Run this command for each wireguard server/channel: ```bash WG_MODE=k8s ./wg.sh ``` * For example: ```bash WG_MODE=k8s ./wg.sh wireguard_app_users 10.15.0.0/16 51820 254 172.16.0.0/24 WG_MODE=k8s ./wg.sh wireguard_sys_admins 10.16.0.0/16 51821 254 172.16.0.0/24 ``` * Check logs of the servers and wait for all servers to finish startup. Example: ```bash kubectl -n wireguard-system logs -f wireguard-sys-admins ``` 4. Install [NFS Server](/1.3/deployment/base-infrastructure/nfs-server.md#installation). 5. Install [Kubernetes NFS CSI Driver](/1.3/deployment/base-infrastructure/openg2p-cluster/cluster-setup.md#nfs-client-provisioner). 6. Istio: Setup; from [kubernetes/istio](https://github.com/OpenG2P/openg2p-deployment/tree/main/kubernetes/istio) directory, run the following: ```bash istioctl operator init kubectl apply -f istio-operator-no-external-lb.yaml kubectl apply -f istio-ef-spdy-upgrade.yaml ``` 7. Set up TLS using the following: * Create [SSL Certificate using Letsencrypt](/1.3/deployment/deployment-guide/ssl-certificates-using-letsencrypt.md) for Rancher (Edit hostname below): ```bash certbot certonly --agree-tos --manual \ --preferred-challenges=dns \ -d rancher.your.org ``` * Create Rancher TLS Secret (Edit certificate paths below): ```bash kubectl -n istio-system create secret tls tls-rancher-ingress \ --cert /etc/letsencrypt/live/rancher.your.org/fullchain.pem \ --key /etc/letsencrypt/live/rancher.your.org/privkey.pem ``` * Create [SSL Certificate using Letsencrypt](/1.3/deployment/deployment-guide/ssl-certificates-using-letsencrypt.md) for Keycloak (Edit hostname below): ```bash certbot certonly --agree-tos --manual \ --preferred-challenges=dns \ -d keycloak.your.org ``` * Create Keycloak TLS Secret, using (Edit certificate paths below): ```bash kubectl -n istio-system create secret tls tls-keycloak-ingress \ --cert /etc/letsencrypt/live/keycloak.your.org/fullchain.pem \ --key /etc/letsencrypt/live/keycloak.your.org/privkey.pem ``` 8. Set up DNS for Rancher and Keycloak hostnames to point to the IP of the node. 9. Rancher Install; from [kubernetes/rancher](https://github.com/OpenG2P/openg2p-deployment/tree/main/kubernetes/rancher) directory, run the following (Edit hostname below): ```bash RANCHER_HOSTNAME=rancher.your.org \ TLS=true \ ./install.sh --set replicas=1 ``` * Login to Rancher using the above hostname and bootstrap the `admin` user according to the instructions. After successfully logging in to Rancher as admin, save the new admin user password in `local` cluster, in `cattle-system` namespace, under `rancher-secret`, with key `adminPassword`. 10. Keycloak Install; from [kubernetes/keycloak](https://github.com/OpenG2P/openg2p-deployment/tree/main/kubernetes/keycloak) directory, run the following (Edit hostname below): ```bash KEYCLOAK_HOSTNAME=keycloak.your.org \ TLS=true \ ./install.sh --set replicaCount=1 ``` 11. [Integrate Rancher & Keycloak](/1.3/deployment/base-infrastructure/rancher.md#rancher-keycloak-integration). 12. Continue to use the same cluster (`local` cluster) for OpenG2P Modules also. * In Rancher, create a Project and Namespace, on which the OpenG2P modules will be installed. The rest of this guide will assume the Namespace to be `dev` . * In Rancher -> Namespaces menu, enable "Istio Auto Injection" for `dev` namespace. 13. Follow [Istio Namespace setup](/1.3/deployment/base-infrastructure/openg2p-cluster/cluster-setup/istio.md#namespace-setup): 1. Edit and run this to define the variables: ``` export NS=dev export WILDCARD_HOSTNAME='*.dev.your.org' ``` 2. Run this apply gateways ```bash kubectl create ns $NS envsubst < istio-gateway-tls.yaml | kubectl apply -f - ``` 3. Create [SSL Certificate using Letsencrypt](/1.3/deployment/deployment-guide/ssl-certificates-using-letsencrypt.md) for the wildcard hostname used above. Example usage: ```bash certbot certonly --agree-tos --manual \ --preferred-challenges=dns \ -d dev.your.org \ -d *.dev.your.org ``` 4. Add the certificate to K8s. ```bash kubectl -n istio-system create secret tls tls-openg2p-$NS-ingress \ --cert= \ --key= ``` 14. Install [Prometheus and Monitoring](/1.3/deployment/base-infrastructure/openg2p-cluster/prometheus-and-grafana.md) from Rancher 15. Install Logging and Fluentd. (TODO) ### OpenG2P modules' installation [Install OpenG2P modules via Rancher](/1.3/spar/deployment.md#installation-using-rancher-ui). {% hint style="info" %} **How is "In a Box" different from** [**V4**](/1.3/deployment.md#deployment-architecture-v4)**? Why should this not be used for production?** * In-a-box does not use the Nginx Load Balancer. The HTTPS traffic directly terminates on the Istio gateway via Wireguard. However, Nginx is required in production as described [here](/1.3/deployment/base-infrastructure/load-balancer/nginx.md). * The SSL certificates are loaded on the Istio gateway while in V4 the certificates are loaded on the Nginx server. * The Wireguard bastion runs inside the Kubernetes cluster itself as a pod. This is not recommended in production where Wireguard must run on a separate node. * A single private[ access channel](/1.3/deployment/deployment-guide/private-access-channel.md) is enabled (via Wireguard). In production, you will typically need several channels for access control. * In-a-box **does not offer high availability** as the node is a single point of failure. * NFS runs inside the box. In production, NFS must run on a separate node with its access control, allocated resources and backups. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.openg2p.org/1.3/deployment/openg2p-in-a-box.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.