Copyright © 2024 OpenG2P. This work is licensed under Creative Commons Attribution International LicenseCC-BY-4.0 unless otherwise noted.

OpenG2P In a Box

Getting started with OpenG2P


Last updated 14 days ago


This document describes a deployment model in which the infrastructure and components required by the OpenG2P modules are set up on a single node/VM/machine. It lets you get started with OpenG2P and try the functionality without meeting all the resource requirements of a production-grade setup. It is based on the V4 architecture, but is a compact version of it: the essence of V4 is preserved so that the infrastructure can be upgraded more easily when more hardware resources become available.

Deployment architecture

Do NOT use this deployment model for production/pilots.

Installation

Prerequisites

  • Take a machine with the following configuration:

    Purpose: Wireguard Bastion / NFS Server / Rancher Cluster / OpenG2P Cluster / Nginx Server
    Compute/Memory/Storage: 16 vCPU / 64 GB RAM / 256 GB storage / OS: Ubuntu 22.04
    Note: All the components mentioned will be installed on this single node.

  • Before proceeding with the deployment, review the following topics to better understand each infrastructure component required for a successful setup:

    🔒 Firewall Rules: Review basic firewall concepts and how to configure rules to allow traffic to and from required services. Read about Firewall Rules.

    📦 Kubernetes Cluster (RKE2 Server): Understand how to set up and configure a lightweight, secure RKE2 Kubernetes cluster. Read about RKE2 Setup.

    🔐 WireGuard Bastion: Learn how to configure WireGuard as a secure VPN tunnel to access internal resources in your cluster. Read about WireGuard Bastion.

    📁 NFS Server: Set up a Network File System to provide shared persistent storage across your Kubernetes workloads. Read about NFS Server.

    🔗 Kubernetes NFS CSI Driver: Deploy the CSI driver to enable dynamic NFS volume provisioning in Kubernetes. Read about NFS CSI Driver.

    🧩 Istio Service Mesh: Use Istio to manage traffic flow, security, and observability between microservices. Read about Istio.

    🔐 SSL Certificates (Let's Encrypt): Use Let's Encrypt to issue TLS certificates for secure access. Read about Let's Encrypt Setup.

    🧑‍💻 Rancher: Use Rancher to manage and monitor your Kubernetes clusters through a web interface. Read about Rancher.

    🧾 Keycloak: Use Keycloak for identity, authentication, and authorization management with SSO and OIDC. Read about Keycloak.

    📊 Prometheus Monitoring: Set up Prometheus to collect metrics from your Kubernetes services and visualize them via Grafana. Read about Prometheus and Monitoring.

    📝 Logging and Fluentd: Collect and centralize application logs using Fluentd for easier debugging and analysis. Read about Logging and Fluentd.

  • Set up the firewall rules required for the deployment by following the Set up Firewall rules guide. 🔒 Note: Make sure to include the K8s, NFS, Wireguard, and LB firewall rules. 🔍 Verification Checkpoint: If you are using on-premises or self-managed server nodes, run iptables -L or ufw status to confirm that the rules are active. If you are deploying on AWS, verify or configure the rules in the Security Groups associated with your instance.

Base infrastructure setup

To set up the base infrastructure, log in to the machine and install the following components in order. Follow each verification checkpoint to confirm that a step succeeded before moving on. Note: perform all installations on this single node; the configuration is designed to run entirely on it.

  1. Ensure that the following tools are installed on the node: wget, curl, kubectl, istioctl, helm, jq. 🔍 Verification Checkpoint: Run the following commands and verify that each returns version information:

    wget --version
    curl --version
    kubectl version --client
    istioctl version
    helm version
    jq --version

    ✅ You should see version details for each tool without any errors.

  2. Set up the Kubernetes cluster (RKE2 server) as the root user:

    1. Create the RKE2 config directory: mkdir -p /etc/rancher/rke2

    2. Create a config.yaml file in that directory from the rke2-server.conf.primary.template config file template (openg2p-deployment repository), and edit it with the appropriate names, IPs, and token. The token can be any string, but it is the credential that lets a node join the cluster: use a long random value and keep the file readable by root only.

    3. Run the following commands to pin the RKE2 version, then download and start the RKE2 server (the installer is piped straight from get.rke2.io into sh; download and inspect it first if your policy requires that):

      export INSTALL_RKE2_VERSION="v1.28.9+rke2r1"
      curl -sfL https://get.rke2.io | sh -
      systemctl enable rke2-server
      systemctl start rke2-server

    4. Put the RKE2 binaries on the PATH and export KUBECONFIG:

      echo -e 'export PATH="$PATH:/var/lib/rancher/rke2/bin"\nexport KUBECONFIG="/etc/rancher/rke2/rke2.yaml"' >> ~/.bashrc
      source ~/.bashrc
      kubectl get nodes

      Note: Download the kubeconfig file rke2.yaml and keep it securely; it holds cluster-admin credentials, so treat it like a root password. 🔍 Verification Checkpoint: Check the status of the rke2-server service (systemctl status rke2-server) and confirm that kubectl get nodes reports the node as Ready, as shown in the screenshot below.
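Step 2.2 leaves the token choice open. As an added example (this is not the repository's rke2-server.conf.primary.template, whose contents are not shown on this page), the script below generates a 256-bit random join token and writes a minimal single-node config.yaml readable by root only. The node name, node IP and API hostname are placeholder arguments; the keys used (token, node-name, node-ip, advertise-address, tls-san, write-kubeconfig-mode) are standard RKE2 server options, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the openg2p-deployment template): write a single-node RKE2
# server config with a high-entropy join token and root-only file permissions.
# Hostname and IP arguments are placeholders to replace for your environment.
set -eu

# 32 random bytes as 64 hex characters. od is POSIX, so no openssl dependency.
gen_rke2_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print a config.yaml for a single-node RKE2 server.
#   $1 node name, $2 node internal IP, $3 API hostname (tls-san), $4 token
render_rke2_config() {
    node_name=$1; node_ip=$2; api_fqdn=$3; token=$4
    cat <<EOF
# /etc/rancher/rke2/config.yaml (single node: server only, no agents joining)
token: "${token}"
node-name: "${node_name}"
node-ip: "${node_ip}"
advertise-address: "${node_ip}"
# names/addresses the API server certificate must cover, so a kubeconfig
# pointed at them over WireGuard validates instead of needing insecure-skip
tls-san:
  - "${api_fqdn}"
  - "${node_ip}"
# rke2.yaml is cluster-admin; keep it root-only (this is also RKE2's default)
write-kubeconfig-mode: "0600"
EOF
}

# Write the rendered config to $1 with mode 0600; remaining args as above.
install_rke2_config() {
    dest=$1; shift
    umask 077
    mkdir -p "$(dirname "$dest")"
    render_rke2_config "$@" > "$dest"
    chmod 0600 "$dest"
}

# Usage, as root, before `systemctl start rke2-server`:
#   ./rke2-config.sh --apply node1 172.16.0.10 rancher.your.org
if [ "${1:-}" = "--apply" ]; then
    shift
    install_rke2_config /etc/rancher/rke2/config.yaml "$1" "$2" "$3" "$(gen_rke2_token)"
fi
```

RKE2 reads config.yaml once at startup, so run this before the first `systemctl start rke2-server`; the tls-san entries are what let the downloaded rke2.yaml keep validating the API server certificate when you change its server address from 127.0.0.1 to the node's WireGuard-reachable IP or hostname.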

  3. Install the WireGuard bastion server for secure VPN access:

    1. Clone the openg2p-deployment repository and navigate to the kubernetes/wireguard directory. Run this command as root to install the WireGuard server/channel:

      WG_MODE=k8s ./wg.sh <name for this wireguard server> <client ips subnet mask> <port> <no of peers> <subnet mask of the cluster nodes & lbs>

      For example:

      WG_MODE=k8s ./wg.sh wireguard_app_users 10.15.0.0/16 51820 254 172.16.0.0/24

    2. Check the logs of the server and wait for it to finish starting up. Example:

      kubectl -n wireguard-system logs -f wireguard-app-users

    3. Once it finishes, navigate to /etc/wireguard-app-users on the server node. You will find one folder per peer; cd into the peer1 folder and copy the contents of peer1.conf to your local machine. Each peer config contains that peer's private key, so hand out one peer per user and do not share configs.

    4. On your local machine, follow the Install WireGuard Client on Desktop guide to set up WireGuard with the copied peer configuration. 🔍 Verification Checkpoint: Make sure the WireGuard server is running on the server node and the tunnel is up on your local machine. You can refer to the screenshots below for guidance.

    5. (Optional) Once WireGuard is running on your local machine, you can copy the kubeconfig there and use kubectl locally to access the cluster over the tunnel.
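wg.sh writes one peer configuration per user. Before handing one out or importing it, it is worth checking that it is a split-tunnel config: AllowedIPs should cover only the VPN address range and the cluster subnet passed to wg.sh (10.15.0.0/16 and 172.16.0.0/24 in the example above), never 0.0.0.0/0 or ::/0, which would route all of the client's traffic through the in-a-box node. The script below is an added example, not part of wg.sh or the OpenG2P repositories; it reads the standard wireguard-tools INI format, and the two configs in its demo function are constructed with placeholder keys and documentation addresses.

```shell
#!/bin/sh
# Added example, not part of wg.sh: lint a WireGuard client config before use.
# A bastion peer should be a split tunnel (VPN range + cluster subnet only).
set -eu

# Print the AllowedIPs entries of config $1, one per line. Handles comma lists
# and repeated AllowedIPs keys.
wg_allowed_ips() {
    sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# 0 if $1 is a usable split-tunnel peer config, 1 if it is a full tunnel,
# 2 if it is incomplete. The reason is written to stderr.
wg_check_peer_conf() {
    conf=$1
    grep -q '^[[:space:]]*PrivateKey[[:space:]]*=' "$conf" \
        || { echo "$conf: no PrivateKey in [Interface]" >&2; return 2; }
    grep -q '^[[:space:]]*Endpoint[[:space:]]*=' "$conf" \
        || { echo "$conf: no Endpoint in [Peer]" >&2; return 2; }
    n=0
    for cidr in $(wg_allowed_ips "$conf"); do
        n=$((n + 1))
        case "$cidr" in
            0.0.0.0/0|::/0)
                echo "$conf: AllowedIPs=$cidr is a full tunnel; restrict it to the cluster subnet" >&2
                return 1 ;;
        esac
    done
    [ "$n" -gt 0 ] || { echo "$conf: no AllowedIPs" >&2; return 2; }
    return 0
}

# Offline demo on two constructed configs (placeholder keys, 203.0.113.0/24
# documentation endpoint): returns 0 when the split-tunnel config passes and
# the full-tunnel one is rejected.
wg_demo() {
    d=$(mktemp -d)
    cat > "$d/peer1.conf" <<'EOF'
[Interface]
PrivateKey = cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXktMDAwMDAwMDA=
Address = 10.15.0.2/32

[Peer]
PublicKey = c2VydmVyLXB1YmxpYy1rZXktcGxhY2Vob2xkZXItMDAwMDA=
AllowedIPs = 10.15.0.0/16, 172.16.0.0/24
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
EOF
    cat > "$d/full.conf" <<'EOF'
[Interface]
PrivateKey = cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXktMDAwMDAwMDA=
Address = 10.15.0.3/32

[Peer]
PublicKey = c2VydmVyLXB1YmxpYy1rZXktcGxhY2Vob2xkZXItMDAwMDA=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
EOF
    wg_check_peer_conf "$d/peer1.conf" || return 1
    if wg_check_peer_conf "$d/full.conf" 2>/dev/null; then return 1; fi
    return 0
}

# Usage: ./wg-lint.sh /etc/wireguard-app-users/peer1/peer1.conf
if [ $# -gt 0 ]; then
    wg_check_peer_conf "$1"
fi
```

The check is deliberately conservative: it only rejects default routes and incomplete configs, and prints the remaining AllowedIPs for a human to compare against the subnets given to wg.sh.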

  4. Install the NFS server to provide persistent storage volumes to the Kubernetes cluster:

    1. Download/copy the NFS Installation script from the openg2p-deployment repository onto the server machine and run it as root:

      ./install-nfs-server.sh

    2. For every sandbox/namespace, create a new folder under /srv/nfs on the server node. Suggested folder structure: /srv/nfs/<cluster name>. Example:

      sudo mkdir /srv/nfs/rancher
      sudo mkdir /srv/nfs/openg2p

      Make the NFS folders writable by the provisioner: sudo chmod -R 777 /srv/nfs. This makes every export world-writable and is tolerable only because the in-a-box node is a single-user sandbox; it is one of the reasons this model must not be used in production, where NFS runs on a separate node with its own access control. 🔍 Verification Checkpoint: Make sure the NFS server is running on the server node and the setup is complete. You can refer to the screenshots below for guidance.

  5. Install the Kubernetes NFS CSI driver and the NFS client provisioner on the cluster. Clone https://github.com/OpenG2P/openg2p-deployment (if you have not already) and, from the kubernetes/nfs-client directory, run the following (replace <Node Internal IP> and <cluster name> appropriately):

      NFS_SERVER=<Node Internal IP> \
      NFS_PATH=/srv/nfs/<cluster_name> \
          ./install-nfs-csi-driver.sh

      🔍 Verification Checkpoint: Make sure the NFS CSI driver and client provisioner pods are running and the setup is complete. You can refer to the screenshots below for guidance.

  6. Install Istio. Navigate to the kubernetes/istio directory of the openg2p-deployment repository and run the following commands to install the Istio operator, service mesh, and ingress gateway components:

      istioctl install -f istio-operator-no-external-lb.yaml
      kubectl apply -f istio-ef-spdy-upgrade.yaml

    Wait for the istiod and ingressgateway pods to start in the istio-system namespace. 🔍 Verification Checkpoint: Check whether all the Istio pods have come up; refer to the screenshot below.

  7. Set up Transport Layer Security (TLS) for secure communication by following the steps below, so that data transmitted between clients and services is encrypted and protected from unauthorized access:

    1. Install certbot, the Let's Encrypt client:

      sudo apt install certbot

    2. Since the preferred challenge is the DNS type, each certbot command below asks you to create an _acme-challenge TXT record. Create it with a public DNS provider (e.g. AWS Route 53, Cloudflare, GoDaddy), wait for it to propagate, and continue the prompt to generate the certificates. Note that certificates obtained with --manual and no authentication hook are not renewed automatically: Let's Encrypt certificates are valid for 90 days, so re-run certbot before expiry and then re-create the Kubernetes secrets below, which hold a copy of the PEM files rather than a reference to them.

    3. Create the certificate for Rancher using Let's Encrypt (edit the hostname):

      certbot certonly --agree-tos --manual \
          --preferred-challenges=dns \
          -d rancher.your.org

      Create the Rancher TLS secret (edit the certificate paths):

      kubectl -n istio-system create secret tls tls-rancher-ingress \
          --cert /etc/letsencrypt/live/rancher.your.org/fullchain.pem \
          --key /etc/letsencrypt/live/rancher.your.org/privkey.pem

    4. Create the certificate for Keycloak using Let's Encrypt (edit the hostname):

      certbot certonly --agree-tos --manual \
          --preferred-challenges=dns \
          -d keycloak.your.org

      Create the Keycloak TLS secret (edit the certificate paths):

      kubectl -n istio-system create secret tls tls-keycloak-ingress \
          --cert /etc/letsencrypt/live/keycloak.your.org/fullchain.pem \
          --key /etc/letsencrypt/live/keycloak.your.org/privkey.pem

      🔍 Verification Checkpoint: After creating the certificates, verify that they are present under /etc/letsencrypt/live/ and that they have been uploaded to the istio-system namespace as Kubernetes secrets. Refer to the screenshot below, and use this command to list the secrets:

      kubectl get secrets -n istio-system
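The two kubectl commands above copy the PEM files into secrets once; nothing ties the secret to the files on disk afterwards. As an added example (not from the OpenG2P deployment repository), the script below checks a certificate/key pair before loading it, reports which hostnames it covers, and re-creates the secret in place after a renewal. It assumes openssl and kubectl are on the PATH; the function names are this example's own, and the demo generates a throwaway self-signed pair rather than touching /etc/letsencrypt.

```shell
#!/bin/sh
# Added example, not OpenG2P project code: sanity-check a Let's Encrypt
# certificate/key pair and refresh the Kubernetes TLS secret after renewal.
# `kubectl create secret tls` copies the PEM files at creation time, so a
# renewed certificate on disk is invisible to Istio until the secret is rewritten.
set -eu

# 0 if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if the private key in $2 belongs to the certificate in $1 (same public key).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Hostnames the certificate covers (subjectAltName DNS entries), one per line.
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Create or update TLS secret $2 in namespace $1 from cert $3 and key $4,
# refusing mismatched pairs and certificates about to expire. The Istio ingress
# gateway picks up the rewritten secret through SDS; no pod restart is needed.
refresh_tls_secret() {
    ns=$1; name=$2; cert=$3; key=$4
    cert_matches_key "$cert" "$key" || { echo "$cert does not match $key" >&2; return 1; }
    cert_valid_for_days "$cert" 7 || { echo "$cert expires within 7 days; renew first" >&2; return 1; }
    kubectl -n "$ns" create secret tls "$name" --cert "$cert" --key "$key" \
        --dry-run=client -o yaml | kubectl apply -f -
}

# Offline demo on a constructed self-signed pair (30-day validity): returns 0
# when a matching pair is accepted, a foreign key is rejected, the certificate
# passes a 7-day horizon and fails a 60-day one, and the SAN is read back.
tls_demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=rancher.your.org \
        -addext 'subjectAltName=DNS:rancher.your.org' \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=other.your.org \
        -keyout "$d/other.key" -out "$d/other.pem" >/dev/null 2>&1
    cert_matches_key "$d/cert.pem" "$d/key.pem" || return 1
    if cert_matches_key "$d/cert.pem" "$d/other.key"; then return 1; fi
    cert_valid_for_days "$d/cert.pem" 7 || return 1
    if cert_valid_for_days "$d/cert.pem" 60; then return 1; fi
    [ "$(cert_names "$d/cert.pem")" = "rancher.your.org" ]
}

# Usage on the node after `certbot certonly ...` has renewed the files:
#   ./tls-secret.sh --refresh istio-system tls-rancher-ingress \
#       /etc/letsencrypt/live/rancher.your.org/fullchain.pem \
#       /etc/letsencrypt/live/rancher.your.org/privkey.pem
case "${1:-}" in
    --refresh) shift; refresh_tls_secret "$@" ;;
    --demo) tls_demo && echo "checks OK" ;;
esac
```

The dry-run-then-apply idiom is what makes the refresh idempotent: `kubectl create secret` alone fails once the secret exists, while `apply` updates it in place with the renewed certificate.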
  8. Set up DNS records for the Rancher and Keycloak hostnames so that they resolve to the IP address of the node where the services are exposed:

    Using a public DNS provider (e.g. AWS Route 53, Cloudflare, GoDaddy), create A records (or CNAMEs, if appropriate) for the fully qualified domain names you plan to use for Rancher and Keycloak (e.g. rancher.example.com and keycloak.example.com), and point them to the internal IP address of the node. In this model the services are reached over the WireGuard tunnel, so the records resolve to the node's internal address rather than a public one; publishing an internal address in public DNS is harmless, and the services remain reachable only to WireGuard peers. 🔍 Verification Checkpoint: The screenshot below is an example of DNS mapping using AWS Route 53. You can use any DNS provider; the domain mapping should look similar to the screenshot.

  9. Install Rancher. Navigate to the kubernetes/rancher directory of the openg2p-deployment repository and run the following (edit the hostname):

      RANCHER_HOSTNAME=rancher.your.org \
      TLS=true \
      ./install.sh --set replicas=1 --version 2.9.3

    Log in to Rancher using the above hostname and bootstrap the admin user according to the instructions. After logging in as admin, save the new admin password in the local cluster, in the cattle-system namespace, in the rancher-secret secret under the key adminPassword. 🔍 Verification Checkpoint: Verify that all Rancher pods in the cattle-system namespace are running (kubectl -n cattle-system get pods) and that Rancher is accessible from your browser. Refer to the screenshot.

  10. Install Keycloak. Navigate to the kubernetes/keycloak directory of the openg2p-deployment repository and run the following (edit the hostname):

      KEYCLOAK_HOSTNAME=keycloak.your.org \
      TLS=true \
      ./install.sh --set replicaCount=1

    Log in to Keycloak using the configured hostname; retrieve the admin user credentials from the Rancher UI by inspecting the Kubernetes secrets in the Keycloak namespace. 🔍 Verification Checkpoint: Verify that all Keycloak pods in the keycloak-system namespace are running (kubectl -n keycloak-system get pods) and that Keycloak is accessible from your browser. Refer to the screenshot.

  11. Integrate Rancher with Keycloak for centralized authentication. Using Keycloak as the identity provider (IdP) for Rancher gives you single sign-on (SSO) and central user management, and lets one identity source drive role-based access control (RBAC) across several services. Follow the Steps to Integrate Rancher with Keycloak guide. 🔍 Verification Checkpoint: When you open rancher.hostname.org you are redirected to Keycloak; log in with your Keycloak credentials. In Rancher, your user status should appear as "Active", as shown in the screenshot.

  12. This completes the base cluster setup. Continue using the same (local) cluster for the OpenG2P modules:

    1. In Rancher, create a Project and a Namespace in which the OpenG2P modules will be installed. The rest of this guide assumes the namespace is dev.

    2. In Rancher → Namespaces, enable Istio auto-injection for the dev namespace. 🔍 Verification Checkpoint: Refer to the screenshot below showing the dev namespace under the dev project with Istio injection enabled.

  13. Set up an Istio gateway in the dev namespace for a domain:

    1. Provide your hostname and run this to define the variables:

      export NS=dev
      export WILDCARD_HOSTNAME='*.dev.your.org'

    2. From the kubernetes/istio directory of the openg2p-deployment repository, create the namespace (skip this, or ignore the AlreadyExists error, if you created it through Rancher in step 12) and apply the gateway:

      kubectl create ns $NS
      envsubst < istio-gateway-tls.yaml | kubectl apply -f -

    3. Create a Let's Encrypt certificate for the wildcard hostname used above. Example usage (provide your hostname):

      certbot certonly --agree-tos --manual \
          --preferred-challenges=dns \
          -d dev.your.org \
          -d *.dev.your.org

      Create the OpenG2P TLS secret (edit the certificate paths):

      kubectl -n istio-system create secret tls tls-openg2p-$NS-ingress \
          --cert=<certificate path> \
          --key=<certificate key path>

    4. Create DNS records for dev.your.org and the wildcard *.dev.your.org as in step 8. 🔍 Verification Checkpoint: Once you create the gateway, you should see it in the Rancher UI under Istio > Gateway for the dev namespace. The certificate files are stored under /etc/letsencrypt/live. Refer to the screenshot below.
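The repository's istio-gateway-tls.yaml is applied through envsubst above, but its contents are not shown on this page. As an added example (this is not the repository's file), the script below renders an equivalent Istio Gateway from the same two variables: it serves HTTPS from the tls-openg2p-$NS-ingress secret created in istio-system, refuses anything below TLS 1.2, and redirects plain HTTP to HTTPS instead of serving the portals in cleartext. The Gateway name and the function name are this example's own choices.

```shell
#!/bin/sh
# Added example (not openg2p-deployment's istio-gateway-tls.yaml): render an
# Istio Gateway for one namespace and wildcard host with TLS termination on the
# ingress gateway. Requires kubectl only when run with --apply.
set -eu

# $1 namespace (e.g. dev), $2 wildcard hostname (e.g. '*.dev.your.org')
render_gateway() {
    ns=$1; host=$2
    cat <<EOF
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ${ns}-gateway
  namespace: ${ns}
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "${host}"
      tls:
        # never serve the portals over plain HTTP; 301 to https instead
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "${host}"
      tls:
        mode: SIMPLE
        minProtocolVersion: TLSV1_2
        # secret created with `kubectl -n istio-system create secret tls ...`;
        # it must live in istio-system, next to the ingress gateway pod
        credentialName: tls-openg2p-${ns}-ingress
EOF
}

# Usage: ./gateway.sh --apply dev '*.dev.your.org'
if [ "${1:-}" = "--apply" ]; then
    render_gateway "$2" "$3" | kubectl apply -f -
fi
```

Because credentialName is resolved in the gateway pod's own namespace, a secret created in dev instead of istio-system leaves the HTTPS listener without a certificate and the site unreachable, which is the usual cause of a gateway that "applied fine" but serves nothing.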

  14. Install Logging (Fluentd).

    Fluentd is used to collect and parse logs generated by applications within the Kubernetes cluster. Only one Fluentd installation is required per Kubernetes cluster. To install it using the Rancher UI:

    1. Navigate to Apps (or Apps & Marketplace) → Charts.

    2. Search for and select the Logging chart.

    3. Install it using the default values.

    4. When prompted, select Project: System so that Fluentd runs in the appropriate system namespace. 🔍 Verification Checkpoint: Once logging is installed, verify that all pods in the cattle-logging-system namespace are up and running, and that logs are being collected for each service.

  15. Install Prometheus and enable cluster monitoring directly from the Rancher UI, following the Install on OpenG2P Cluster section of the Prometheus and Monitoring guide. 🔍 Verification Checkpoint: Once monitoring is installed, the Monitoring section in Rancher shows Alertmanager and Grafana; click them to open their dashboards.

OpenG2P modules installation

Follow the links below to install the OpenG2P modules via the Rancher UI:

  • Install the SocialRegistry module.

  • Install the PBMS module.

  • Install the SPAR module.

  • Install the OpenG2P Landing Page. 🔍 Verification Checkpoint: Once you have deployed any of the modules above, you can also deploy the landing page. All services should then be accessible from your web browser. Refer to the screenshot.

How is "In a Box" different from the V4 architecture? Why should this not be used for production?

  • In-a-box does not use the Nginx load balancer: HTTPS traffic terminates directly on the Istio gateway, reached via WireGuard. Nginx is required in production, as described in the V4 architecture.

  • The TLS certificates are loaded on the Istio gateway, while in V4 the certificates are loaded on the Nginx server.

  • A single private access channel is enabled (via WireGuard). In production you will typically need several channels for access control.

  • The WireGuard bastion runs inside the Kubernetes cluster itself as a pod. This is not recommended in production, where WireGuard must run on a separate node.

  • In-a-box does not offer high availability, as the node is a single point of failure.

  • NFS runs inside the box. In production, NFS must run on a separate node with its own access control, allocated resources and backups.

Pages, files and repositories referenced in this guide

  • Firewall Rules; Set up Firewall rules
  • RKE2 Setup; rke2-server.conf.primary.template (config file template)
  • openg2p-deployment repository: https://github.com/OpenG2P/openg2p-deployment (directories kubernetes/wireguard, kubernetes/nfs-client, kubernetes/istio, kubernetes/rancher, kubernetes/keycloak; NFS Installation script)
  • WireGuard Bastion; Install WireGuard Client on Desktop
  • NFS Server; NFS CSI Driver
  • Istio
  • Let's Encrypt Setup
  • Rancher; Keycloak; Steps to Integrate Rancher with Keycloak
  • Prometheus and Monitoring; Logging; Fluentd
  • Module installation guides: SocialRegistry, PBMS, SPAR, OpenG2P Landing Page
  • V4 architecture; resource requirements; access channel