OpenG2P In a Box
Getting started with OpenG2P
This document describes a deployment model in which the infrastructure and components required by the OpenG2P modules are set up on a single node/VM/machine. It lets you get started with OpenG2P and try the functionality without provisioning everything a production-grade setup requires. It is a compact version of the V4 deployment; the essence of V4 is preserved so that upgrading the infrastructure is easier once more hardware resources are available.
Do NOT use this deployment model for production/pilots.
Provision a machine with the following configuration:
Roles: WireGuard Bastion / NFS Server / Rancher Cluster / OpenG2P Cluster / Nginx Server
CPU: 16 vCPU
RAM: 64 GB
Storage: 256 GB
OS: Ubuntu 22.04
All the components mentioned will be installed on a single node.
Before proceeding with the deployment, review the overview of each infrastructure component (firewall rules, RKE2, WireGuard bastion, NFS server, NFS CSI driver, Istio, Let's Encrypt certificates, Rancher, Keycloak, Prometheus, and Fluentd logging) given at the end of this page, to better understand what a successful setup requires.
To set up the base infrastructure, log in to the machine and install the components below. Follow each verification checkpoint to confirm that everything is installed correctly before moving on. Note: perform every installation on this same node; the configuration is designed to run entirely on one machine.
Ensure that the following tools are installed on the node, then verify each tool's version to confirm it installed correctly:
Tools: wget, curl, kubectl, istioctl, helm, jq
🔍 Verification Checkpoint:
Run the version command of each tool (for example wget --version, curl --version, kubectl version --client, istioctl version, helm version, jq --version).
✅ You should see version details for each tool without any errors.
Follow the steps below to set up the Kubernetes cluster (RKE2 server) as the root user.
Create the RKE2 config directory: mkdir -p /etc/rancher/rke2
Edit the config.yaml file in that directory with the appropriate names, IPs, and token.
Run the following commands to set the RKE2 version and download and start RKE2 server:
To export KUBECONFIG, run: export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
Note: download the kubeconfig file rke2.yaml and keep it secure; it grants cluster-admin access to the cluster.
🔍 Verification Checkpoint:
Check that the rke2-server service is active (systemctl status rke2-server) and that the node reports Ready (kubectl get nodes), as shown in the screenshot below.
Install the WireGuard bastion server for secure VPN access:
Run this command as the root user to install the WireGuard server/channel:
For example:
Check the server logs and wait for all servers to finish starting up. Example:
Once it finishes, navigate to /etc/wireguard-app-users. You will find multiple peer configuration folders; cd into the peer1 folder and copy peer1.conf to your local machine. The file contains that peer's private key, so treat it as a credential and do not paste it into shared notes or chats.
On your local machine:
Once WireGuard is running on your local machine, you can optionally set up kubectl locally and access the cluster from your machine.
Install the NFS server to provide persistent storage volumes to the Kubernetes cluster:
To install the NFS server, run the following command as the root user:
For every sandbox/namespace, create a new folder under /srv/nfs on the server node. Suggested folder structure: /srv/nfs/<cluster name>.
Example:
Run this command to give full access to the NFS folder: sudo chmod -R 777 /srv/nfs. Note that this makes the folder world-writable; it is acceptable only because this single-node sandbox is not used for production.
🔍 Verification Checkpoint:
Make sure the NFS server is running on the node and the /srv/nfs export is listed (exportfs -v). You can refer to the screenshots below for guidance.
Install the Kubernetes NFS CSI driver and the NFS client provisioner on the cluster as follows:
🔍 Verification Checkpoint: Make sure the NFS CSI driver and client provisioner pods are running in the cluster before continuing. You can refer to the screenshots below for guidance.
Wait for the istiod and ingressgateway pods to start in the istio-system namespace.
🔍 Verification Checkpoint:
Check whether all the Istio pods have come up; refer to the screenshot below.
Set up Transport Layer Security (TLS) by following the steps outlined below. This ensures that traffic between clients and the Rancher, Keycloak, and OpenG2P endpoints is encrypted and protected from unauthorized access:
Install certbot (the Let's Encrypt client) using the command below:
Since the preferred challenge type is DNS, the command below asks you to create an _acme-challenge TXT record. Create it at your public DNS provider (e.g., AWS Route 53, Cloudflare, GoDaddy) and continue with the prompt to generate the certificates. Certificates obtained through the manual DNS challenge are not renewed automatically: rerun the command and update the corresponding Kubernetes secret before they expire (Let's Encrypt certificates are valid for 90 days).
Create SSL Certificate using Letsencrypt for Rancher by editing hostname below:
Create Rancher TLS Secret using below command (Edit certificate paths below):
Create SSL Certificate using Letsencrypt for Keycloak by editing hostname below:
Create Keycloak TLS Secret, using (Edit certificate paths below):
🔍 Verification Checkpoint: After creating the certificates, verify that they are present in the /etc/letsencrypt/live/ directory and have been loaded into the istio-system namespace as Kubernetes secrets (kubectl get secrets -n istio-system). Refer to the screenshot below.
Set up DNS records for the Rancher and Keycloak hostnames so that they resolve to the IP address of the node where the services are exposed. In this model clients connect over WireGuard, so the records point to the node's internal IP. This can be done as follows:
Using a public DNS provider (e.g., AWS Route 53, Cloudflare, GoDaddy):
Create A records (or CNAMEs, if appropriate) for the fully qualified domain names (FQDNs) you plan to use for Rancher and Keycloak (e.g., rancher.example.com and keycloak.example.com).
Point these records to the internal IP address of the node. 🔍 Verification Checkpoint: The screenshot below is an example of DNS mapping using AWS Route 53. You can use any DNS provider; the domain mapping should be similar to what is shown. From your local machine, while connected over WireGuard, confirm that the names resolve to the node's internal IP (for example dig +short rancher.example.com).
Log in to Rancher using the above hostname and bootstrap the admin user according to the instructions. After successfully logging in to Rancher as admin, save the new admin password in the local cluster, in the cattle-system namespace, in the rancher-secret secret under the key adminPassword.
🔍 Verification Checkpoint:
Use the command below to verify that all Rancher pods are running in the cattle-system namespace, and ensure that Rancher is accessible from your browser. Refer to the screenshot.
Log in to Keycloak using the configured hostname, retrieving the admin user credentials from the Kubernetes secrets in Keycloak's namespace (keycloak-system) via the Rancher UI. 🔍 Verification Checkpoint: Use the command below to verify that all Keycloak pods are running in the keycloak-system namespace, and ensure that Keycloak is accessible from your browser. Refer to the screenshot.
Note: This completes the base infrastructure setup for OpenG2P. You can now install the OpenG2P applications by following the steps below.
Continue to use the same cluster (the local cluster) for the OpenG2P module installation as well.
In Rancher, create a Project and Namespace in which the OpenG2P modules will be installed. The rest of this guide assumes the namespace is dev.
In the Rancher -> Namespaces menu, enable Istio Auto Injection for the dev namespace.
🔍 Verification Checkpoint:
Refer to the screenshot below for the dev namespace under the dev project, and ensure that Istio injection is enabled.
Set up an Istio gateway in the dev namespace for your domain.
Provide your hostname and run this to define the variables:
Create an SSL certificate using Let's Encrypt for the wildcard hostname used above. Example usage (provide your hostname):
Create the OpenG2P TLS secret using (edit the certificate paths below):
Follow the DNS record setup step above for this hostname as well. 🔍 Verification Checkpoint: Once you create the gateway, you should see it in the Rancher UI under Istio > Gateway for the dev namespace. The SSL certificates are stored in the /etc/letsencrypt/live directory. Refer to the screenshot below.
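The Rancher, Keycloak and OpenG2P gateway steps above each issue a Let's Encrypt certificate and load it into istio-system as a TLS secret. The script below is an added example, not taken from the OpenG2P documentation or the openg2p-deployment repository, that does this in a repeatable way: the `create --dry-run | apply` form works for both the first load and later renewals, and `live_dir_for` resolves the directory certbot actually uses for a wildcard name (the leading `*.` is dropped). The secret names in the usage comment are assumptions; the paths follow certbot's standard /etc/letsencrypt/live layout.

```sh
#!/bin/sh
# Added example, not part of the OpenG2P docs or repository: issue a Let's
# Encrypt certificate via certbot's manual DNS challenge and store it as a TLS
# secret in istio-system. Secret names below are assumptions.
set -eu

LE_LIVE=${LE_LIVE:-/etc/letsencrypt/live}

# live_dir_for <first -d hostname>
# certbot names the lineage after the first domain, with a leading "*." dropped,
# so a wildcard cert for '*.openg2p.example.com' lands in .../openg2p.example.com.
live_dir_for() {
  h=$1
  printf '%s/%s' "$LE_LIVE" "${h#\*.}"
}

# issue_cert <hostname> [<hostname> ...]
# Manual DNS validation: certbot prints the _acme-challenge TXT record to create
# at the public DNS provider and waits for confirmation. Certificates issued this
# way are NOT renewed by `certbot renew`; rerun issue_cert and store_tls_secret
# before the 90-day expiry. Quote wildcards so the shell does not expand them.
issue_cert() {
  n=$#
  while [ "$n" -gt 0 ]; do
    set -- "$@" -d "$1"
    shift
    n=$((n - 1))
  done
  certbot certonly --manual --preferred-challenges dns "$@"
}

# store_tls_secret <first -d hostname> <secret-name> [<namespace>]
# Creates or updates the TLS secret from the live cert and key. The
# create --dry-run | apply form is idempotent, so the same call serves the
# initial load and every renewal.
store_tls_secret() {
  dir=$(live_dir_for "$1"); name=$2; ns=${3:-istio-system}
  if [ ! -f "$dir/fullchain.pem" ] || [ ! -f "$dir/privkey.pem" ]; then
    echo "no certificate found in $dir" >&2
    return 1
  fi
  kubectl create secret tls "$name" \
    --cert="$dir/fullchain.pem" --key="$dir/privkey.pem" -n "$ns" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# cert_expiring_within <first -d hostname> <days>
# Returns 0 if the live certificate expires within <days>; suitable for a cron
# job that reminds you to rerun issue_cert and store_tls_secret.
cert_expiring_within() {
  dir=$(live_dir_for "$1")
  ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$dir/fullchain.pem"
}

# Usage on the node (hostnames and secret names assumed):
#   issue_cert rancher.example.com
#   store_tls_secret rancher.example.com tls-rancher-ingress
#   issue_cert '*.openg2p.example.com' openg2p.example.com
#   store_tls_secret '*.openg2p.example.com' tls-openg2p-ingress
#   cert_expiring_within rancher.example.com 14 && echo "renew rancher cert"
```

Because the secret is created in istio-system, the Istio Gateway resources reference it by the secret name; when you renew, rerunning store_tls_secret with the same name is enough for the gateway to pick up the new certificate.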
Install Logging (Fluentd).
Fluentd is used to collect and parse logs generated by applications within the Kubernetes cluster.
Only one Fluentd installation is required per Kubernetes cluster.
To install Fluentd using Rancher UI:
Navigate to Apps (or Apps & Marketplace) → Charts.
Search for and select the Logging chart.
Install it using the default values.
When prompted, select Project: System so that Fluentd runs in the appropriate system namespace. 🔍 Verification Checkpoint: Once logging is installed, verify that all pods in the cattle-logging-system namespace are up and running, and that logs are being collected for each service.
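Several verification checkpoints in this guide (RKE2, the NFS CSI driver, istio-system, cattle-system, keycloak-system, cattle-logging-system) come down to "confirm that every pod in a namespace is running". The script below is an added example, not part of the OpenG2P documentation, that performs that check over the plain-text output of `kubectl get pods -A --no-headers`, whose columns are NAMESPACE NAME READY STATUS RESTARTS AGE. It also fails when a namespace has no pods at all, which otherwise looks like "nothing is failing" after a chart install that never started. The pod names in the usage comment are constructed.

```sh
#!/bin/sh
# Added example, not part of the OpenG2P docs: list pods that are not fully
# ready, from the output of `kubectl get pods -A --no-headers`.
set -eu

# unhealthy_pods <kubectl-get-pods-output>
# Prints "namespace/name READY STATUS" for every pod that is not Running with
# all of its containers ready. Pods that finished successfully (Completed or
# Succeeded, e.g. helm-install jobs) are treated as healthy.
# Returns 0 if every pod is healthy, 1 otherwise.
unhealthy_pods() {
  printf '%s\n' "$1" | awk '
    NF >= 4 {
      split($3, r, "/")                       # READY column, e.g. "1/2"
      ok = ($4 == "Running" && r[1] == r[2]) || $4 == "Completed" || $4 == "Succeeded"
      if (!ok) { bad++; print $1 "/" $2 " " $3 " " $4 }
    }
    END { exit (bad > 0) }'
}

# namespace_healthy <kubectl-get-pods-output> <namespace>
# Same check restricted to one namespace. A namespace with no pods at all is a
# failure too: it usually means the chart was installed somewhere else.
namespace_healthy() {
  subset=$(printf '%s\n' "$1" | awk -v ns="$2" '$1 == ns')
  if [ -z "$subset" ]; then
    echo "no pods found in namespace $2" >&2
    return 1
  fi
  unhealthy_pods "$subset"
}

# Usage on the node (each checkpoint in this guide, one namespace at a time):
#   pods=$(kubectl get pods -A --no-headers)
#   for ns in istio-system cattle-system keycloak-system cattle-logging-system; do
#     namespace_healthy "$pods" "$ns" && echo "$ns: ok"
#   done
```

Run it repeatedly while a chart is starting: pods in ContainerCreating or with READY 0/1 are reported until they settle, and a pod stuck in CrashLoopBackOff stays in the list, which is your cue to read its logs before moving to the next step.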
You can follow the below links to install OpenG2P modules via Rancher UI.
🔒 Firewall Rules: Review basic firewall concepts and how to configure rules to allow traffic to and from required services.
📦 Kubernetes Cluster (RKE2 Server): Understand how to set up and configure a lightweight, secure RKE2 Kubernetes cluster.
🔐 WireGuard Bastion: Learn how to configure WireGuard as a secure VPN tunnel to access internal resources in your cluster.
📁 NFS Server: Set up a Network File System to provide shared persistent storage across your Kubernetes workloads.
🔗 Kubernetes NFS CSI Driver: Deploy the CSI driver to enable dynamic NFS volume provisioning in Kubernetes.
🧩 Istio Service Mesh: Use Istio to manage traffic flow, security, and observability between microservices.
🔐 SSL Certificates (Let's Encrypt): Configure Let's Encrypt to automate SSL certificate issuance and renewal for secure access.
🧑💻 Rancher: Use Rancher to manage and monitor your Kubernetes clusters through an intuitive web interface.
🧾 Keycloak: Implement Keycloak for identity, authentication, and authorization management using SSO and OIDC.
📊 Prometheus Monitoring: Set up Prometheus to collect metrics from your Kubernetes services and visualize them via Grafana.
📝 Logging and Fluentd: Collect and centralize application logs using Fluentd for easier debugging and analysis.
🔒 Follow the document linked below to set up the firewall rules required for the deployment.
Note: Make sure to include the K8s, NFS, WireGuard, and LB firewall rules.
🔍 Verification Checkpoint:
Run iptables -L or ufw status to confirm the rules are active if you are using on-premises or self-managed server nodes. If you are deploying on AWS, verify or configure the necessary rules in the Security Groups associated with your instances.
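Reading `ufw status` by eye is error-prone once the K8s, NFS, WireGuard and LB rules are all on one node. The script below is an added example, not part of the OpenG2P documentation, that compares the `ufw status` output against a list of ports the node must accept and reports what is missing; a second function flags any port that is open to Anywhere, which on a node with a public address means open to the internet. The port list is an assumption based on the components this page installs (6443 and 9345 are RKE2's API and supervisor ports, 51820/udp is WireGuard's default, 2049 is NFS, 80/443 reach the Istio gateway); take the authoritative list from the firewall document linked above.

```sh
#!/bin/sh
# Added example, not part of the OpenG2P docs: check `ufw status` output
# (the non-verbose form, columns To / Action / From) against required rules.
set -eu

# One "port/proto" per line. Assumed from the components on this page; adjust
# to the firewall document linked from this guide.
REQUIRED_RULES="6443/tcp
9345/tcp
51820/udp
2049/tcp
80/tcp
443/tcp"

# missing_fw_rules <ufw-status-text>
# Prints "missing: <port/proto>" for each required rule without an ALLOW entry.
# Returns 0 when nothing is missing, 1 otherwise.
missing_fw_rules() {
  status=$1
  rc=0
  for rule in $REQUIRED_RULES; do
    # $1 is the To column ("6443/tcp", the "(v6)" variant becomes $2), $2 the
    # Action. A DENY line for the port does not count as present.
    if ! printf '%s\n' "$status" |
         awk -v r="$rule" '$1 == r && $2 ~ /^ALLOW/ { found = 1 } END { exit !found }'; then
      echo "missing: $rule"
      rc=1
    fi
  done
  return $rc
}

# open_to_world <ufw-status-text> <port/proto>
# Returns 0 if the rule admits traffic from Anywhere. In this single-node model
# everything but the WireGuard port is meant to be reached through the tunnel,
# so 6443 (Kubernetes API) or 443 matching here deserves a second look.
open_to_world() {
  printf '%s\n' "$1" |
    awk -v r="$2" '$1 == r && $2 ~ /^ALLOW/ && $3 == "Anywhere" { found = 1 } END { exit !found }'
}

# Usage on the node:
#   status=$(ufw status)
#   missing_fw_rules "$status"
#   open_to_world "$status" 6443/tcp && echo "WARNING: Kubernetes API is open to Anywhere"
```

On AWS the same two questions apply to the Security Group: does every required port have an inbound rule, and is anything other than the WireGuard port sourced from 0.0.0.0/0.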
Create a config.yaml file in the above directory, using the following config file template. The token can be any arbitrary string, but treat it as a secret: any host that presents it can join the cluster, so use a long random value rather than something guessable.
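The RKE2 steps above (creating /etc/rancher/rke2 and editing config.yaml with the right names, IPs and token) are the point where the cluster's join secret and API server names are fixed. The script below is an added example, not the template from the OpenG2P documentation or the openg2p-deployment repository: it writes a config.yaml with a randomly generated token instead of a hand-typed one, keeps the file root-only because of that token, and adds every name and IP used to reach the API server as a TLS SAN. The keys used (token, node-name, tls-san, write-kubeconfig-mode, disable) are standard RKE2 server options; the node name, internal IP, extra SANs and disabling the bundled ingress are assumptions to adjust for your node.

```sh
#!/bin/sh
# Added example, not from the OpenG2P docs or repository: write an RKE2 server
# config.yaml with a random join token. Names, IPs and the disabled ingress are
# assumptions for illustration.
set -eu

# 32 random bytes rendered as 64 hex characters, using only POSIX tools.
gen_token() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_rke2_config <config-dir> <node-name> <node-internal-ip> [<extra SAN> ...]
# Writes <config-dir>/config.yaml with mode 0600 (it contains the join token)
# and prints the token once so it can be stored in your secret store.
write_rke2_config() {
  dir=$1; node=$2; ip=$3; shift 3
  token=$(gen_token)
  mkdir -p "$dir"
  {
    echo "token: $token"
    echo "node-name: $node"
    # Keep the kubeconfig root-only (RKE2's default) and copy it out deliberately
    # rather than relaxing it to 0644 for convenience.
    echo "write-kubeconfig-mode: \"0600\""
    # Every name or IP used to reach the API server must be a SAN, including the
    # internal IP that kubectl reaches over WireGuard in this guide.
    echo "tls-san:"
    echo "  - $ip"
    echo "  - $node"
    for san in "$@"; do
      echo "  - $san"
    done
    # Assumption: Istio provides ingress in this setup, so the bundled nginx
    # ingress is disabled to keep a single ingress on the node.
    echo "disable:"
    echo "  - rke2-ingress-nginx"
  } > "$dir/config.yaml"
  chmod 600 "$dir/config.yaml"
  echo "$token"
}

# Usage on the node, as root (node name, IP and SAN are examples):
#   write_rke2_config /etc/rancher/rke2 openg2p-node 10.0.0.10 rancher.example.com
```

Record the printed token somewhere safe; it is what you would hand to any additional server or agent node when you later grow this setup toward the full V4 layout.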
Clone the repo and navigate to the directory
Follow the link provided below to set up WireGuard on your local system. 🔍 Verification Checkpoint: Make sure the WireGuard server is running on the node and the tunnel is up on your local machine (wg show should list the peer with a recent handshake). You can refer to the screenshots below for guidance. On the server node:
Download/copy the install script from the link provided below into the server machine.
Clone the linked repository.
From the directory, run the following (make sure to replace the <Node Internal IP> and <cluster name> parameters appropriately):
To set up Istio in the cluster, navigate to the directory linked below from the openg2p-deployment repository and run the provided commands to install the Istio Operator, Istio service mesh, and Istio ingress gateway components:
To install Rancher in the cluster, navigate to the directory linked below from the openg2p-deployment repository and run the provided command (edit the hostname below):
To install Keycloak in the cluster, navigate to the directory linked below from the openg2p-deployment repository and run the provided command (edit the hostname below):
Integrate Rancher with Keycloak for centralized authentication. Integrating Rancher with Keycloak lets you use Keycloak as the identity provider (IdP) for Rancher, enabling centralized authentication and user management. This is especially useful where single sign-on (SSO) and role-based access control (RBAC) are required across multiple services. Refer to the link provided below to do so. 🔍 Verification Checkpoint: When you log in at the Rancher hostname you are redirected to authenticate via Keycloak. Log in using your Keycloak credentials; in Rancher, your user status should appear as "Active", as shown in the screenshot.
Go to the directory linked below from the openg2p-deployment repository and run this to apply the gateway.
Install Prometheus and enable cluster monitoring directly from the Rancher UI. Follow the link provided below to complete the deployment on the OpenG2P cluster. 🔍 Verification Checkpoint: Once monitoring is installed in Rancher, navigate to the Monitoring section, where you will see entries for Alertmanager and Grafana. Click them to open their respective dashboards.
Install Module.
Install Module.
Install Module.
Install the module linked below. 🔍 Verification Checkpoint: Once you have deployed any of the modules above, you can also deploy the OpenG2P Landing Page. All services should then be accessible from your web browser. Refer to the screenshot for reference.
How is "In a Box" different from the V4 deployment? Why should it not be used for production?
In-a-box does not use the Nginx load balancer. HTTPS traffic terminates directly on the Istio gateway, reached over WireGuard. Nginx is required in production.
A single private channel is enabled (via WireGuard). In production you typically need several channels for access control.