Opstella Reference Architecture
Standalone Architecture
Use Cases
- Proof of concept for the whole Opstella and DevSecOps platform.
- Testing or staging platform environment.
Specification
Create the virtual machines with the following specifications:
- CPU: Intel Xeon E-2334 (3.4GHz, 4C/8T, 8MB Cache)
- Network Bandwidth: 1Gbps
- Operating System: Ubuntu 24.04.1 (Noble Numbat)
| Component | Number of Nodes | CPU (Cores) | Memory (GB) | Disk (GB) |
|---|---|---|---|---|
| Virtual Machines | ||||
| Bastion Host | 1 | 1 | 2 | 20 |
| HAProxy | 1 | 1 | 2 | 20 |
| NFS Share | 1 | 1 | 2 | 100 |
| GitLab | 1 | 2 | 4 | 40 |
| Kubernetes Cluster | ||||
| Kubernetes Master Nodes | 1 | 2 | 4 | 40 |
| Kubernetes Worker Nodes | 5 | 4 | 10 | 40 |
| Total | 10 | 27 | 64 | 420 |
Network Subnet
| Type | Subnet IP |
|---|---|
| Kubernetes Cluster and Related Virtual Machines Subnet | 192.168.72.0/24 |
| Pod Subnet for each Kubernetes cluster | 172.16.72.0/22 |
| Service Subnet for each Kubernetes cluster | 172.16.76.0/22 |
Domain
You must provide a DNS domain and TLS certificates for the hostnames below. This reference architecture uses *.devops.example.com as the example; a single wildcard certificate for it covers every hostname in the table, because each one is exactly one label under devops.example.com (a wildcard does not match deeper names such as a.b.devops.example.com). These hostnames are assigned to Opstella and the DevSecOps tools.
| Service Name | Ingress Domain |
|---|---|
| Opstella | |
| Opstella UI | opstella.devops.example.com |
| Opstella Core | opstella-backend.devops.example.com |
| Opstella Clear Session | opstella-clear-session.devops.example.com |
| Keycloak | opstella-idp.devops.example.com |
| DevOps Tools | |
| ArgoCD | argocd.devops.example.com |
| DefectDojo | defectdojo.devops.example.com |
| GitLab | gitlab.devops.example.com |
| Headlamp | headlamp.devops.example.com |
| Harbor | harbor.devops.example.com |
| DevSecOps Tools | |
| SonarQube | sonarqube.devops.example.com |
| Vault | vault.devops.example.com |
| Observability Tools | |
| Loki | loki.devops.example.com |
| Grafana Dashboard | grafana.devops.example.com |
| Tempo | tempo.devops.example.com |
| Mimir | mimir.devops.example.com |
| Common Services | |
| MinIO | minio.devops.example.com |
| MinIO API | minio-api.devops.example.com |
Ingress
Firewall
| Policy | Protocol | Direction | Port | Source | Description |
|---|---|---|---|---|---|
| Kubernetes Master Nodes | |||||
| Allow | TCP | Inbound | 6443 | HAProxy | Kubernetes API |
| Allow | TCP | Inbound | 6443 | RKE2 Worker Nodes | Kubernetes API |
| Allow | TCP | Inbound | 9345 | RKE2 Master Nodes | RKE2 Supervisor API |
| Allow | TCP | Inbound | 9345 | RKE2 Worker Nodes | RKE2 Supervisor API |
| Allow | TCP | Inbound | 2379 | RKE2 Master Nodes | etcd Client Port |
| Allow | TCP | Inbound | 2380 | RKE2 Master Nodes | etcd Peer Port |
| Allow | TCP | Inbound | 2381 | RKE2 Master Nodes | etcd Metrics Port |
| Kubernetes Worker Nodes | |||||
| Allow | TCP | Inbound | 30080, 30443 | HAProxy | NodePort Ingress Service |
| Kubernetes Master & Worker Nodes | |||||
| Allow | TCP | Inbound | 10250 | All RKE2 Nodes | kubelet API (metrics, logs, exec) |
| Allow | TCP | Inbound | 179 | All RKE2 Nodes | Calico CNI with BGP |
| Allow | UDP | Inbound | 4789 | All RKE2 Nodes | Calico CNI with VXLAN |
| Allow | TCP | Inbound | 5473 | All RKE2 Nodes | Calico CNI with Typha |
| Allow | TCP | Inbound | 9098 | All RKE2 Nodes | Calico Typha health checks |
| Allow | TCP | Inbound | 9099 | All RKE2 Nodes | Calico health checks |
| GitLab | |||||
| Allow | TCP | Inbound | 80, 443 | Any | Web Services |
| Allow | TCP | Inbound | 22 | Any | Git SSH |
| Allow | TCP | Inbound | 9090 | RKE2 Worker Nodes | GitLab Prometheus Metrics (scraped by the monitoring stack running in the cluster) |
| NFS | |||||
| Allow | TCP/UDP | Inbound | 2049 | RKE2 Worker Nodes | NFSd |
| Allow | TCP/UDP | Inbound | 111 | RKE2 Worker Nodes | PortMapper |
| Allow | TCP/UDP | Inbound | 33333 | RKE2 Worker Nodes | MountD |
| HAProxy | |||||
| Allow | TCP | Inbound | 80, 443 | Any | HTTP/HTTPS Inbound |
| Allow | TCP | Inbound | 6443 | Bastion Host | Kubernetes API (forwarded to the master nodes) |
Notes on the rules above:
- The Kubernetes API (6443) is reached only through HAProxy or from the worker nodes; administrative kubectl access goes from the bastion host to the HAProxy 6443 frontend, so the API server is never opened to Any.
- Port 10250 is the kubelet API, not just a metrics endpoint: with a valid credential it serves exec, logs and port-forward, so it is restricted to the RKE2 nodes.
- Calico VXLAN (4789) is UDP; BGP (179) and Typha (5473) are TCP.
- The mountd rule on 33333 assumes mountd is pinned to that port (for example `port=33333` in the `[mountd]` section of /etc/nfs.conf); by default mountd takes a dynamic port and the rule would not match.
- Port 22 on GitLab is Git over SSH for developers. Administrative SSH to every VM, including GitLab, should be accepted only from the bastion host.
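Taken together, the HAProxy rows (80/443 in from Any) and the rows that name HAProxy as a source (30080/30443 on the workers, 6443 on the master node) describe a TCP passthrough load balancer. The script below renders such an haproxy.cfg for the standalone layout. It is an added example written for this page, not Opstella's own configuration; the host addresses 192.168.72.11 (master) and 192.168.72.21 to .25 (workers) are assumptions, since the architecture fixes only the 192.168.72.0/24 subnet.

```bash
#!/bin/sh
# Render haproxy.cfg for the standalone architecture: TCP passthrough on
# 80/443 to the worker NodePorts (30080/30443) and on 6443 to the master node.
# Host addresses are ASSUMED: the reference architecture gives only the
# 192.168.72.0/24 subnet, not the address of each VM.
MASTERS=${MASTERS:-"192.168.72.11"}
WORKERS=${WORKERS:-"192.168.72.21 192.168.72.22 192.168.72.23 192.168.72.24 192.168.72.25"}

# render_backend NAME LABEL PORT HOST... : one health-checked server line per host
render_backend() {
    name=$1 label=$2 port=$3
    shift 3
    printf 'backend %s\n    balance roundrobin\n' "$name"
    i=0
    for host in "$@"; do
        i=$((i + 1))
        printf '    server %s%d %s:%s check\n' "$label" "$i" "$host" "$port"
    done
    printf '\n'
}

render_haproxy_cfg() {
    cat <<'EOF'
global
    log /dev/log local0
    maxconn 4096

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Kubernetes API: HAProxy forwards bytes only. kube-apiserver still terminates
# TLS and authenticates every client, so the proxy holds no cluster credentials.
frontend k8s_api
    bind *:6443
    default_backend k8s_api_masters

EOF
    # shellcheck disable=SC2086  # splitting the host lists on spaces is intended
    render_backend k8s_api_masters master 6443 $MASTERS
    cat <<'EOF'
# Ingress: passthrough as well, so the *.devops.example.com certificate lives
# only in the ingress controller and HAProxy needs no key material.
frontend ingress_https
    bind *:443
    default_backend ingress_https_workers

frontend ingress_http
    bind *:80
    default_backend ingress_http_workers

EOF
    render_backend ingress_https_workers worker 30443 $WORKERS
    render_backend ingress_http_workers  worker 30080 $WORKERS
}

# Usage: OUT=/etc/haproxy/haproxy.cfg sh render-haproxy.sh   (then reload haproxy)
# Without OUT the configuration is printed so it can be reviewed first; with OUT
# set and haproxy installed, the rendered file is syntax-checked (haproxy -c).
if [ -n "${OUT:-}" ]; then
    render_haproxy_cfg > "$OUT"
    command -v haproxy >/dev/null 2>&1 && haproxy -c -f "$OUT"
else
    render_haproxy_cfg
fi
```

Because both frontends run in TCP mode, the ingress controller sees HAProxy's address as the client. If applications need the real client IP, enable PROXY protocol on both ends (`send-proxy-v2` on the server lines and the ingress controller's PROXY protocol setting) rather than terminating TLS on HAProxy, which would put a copy of the wildcard private key on one more host.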
Multi-Clusters Architecture
Use Cases
- Scalable deployments for production environments.
Specification
Create the virtual machines with the following specifications:
- CPU: Intel Xeon Silver 4310 (2.1GHz, 12C/24T, 18MB Cache)
- Network Bandwidth: 10Gbps
- Operating System: Ubuntu 24.04.1 (Noble Numbat)
| Component | Number of Nodes | CPU (Cores) | Memory (GB) | Disk (GB) |
|---|---|---|---|---|
| Virtual Machines | ||||
| Bastion Host | 1 | 1 | 2 | 20 |
| HAProxy | 4 | 1 | 2 | 20 |
| NFS Share (DevSecOps) | 1 | 1 | 2 | 500 |
| NFS Share (Observability) | 1 | 1 | 2 | 500 |
| NFS Share (DEV) | 1 | 1 | 2 | 100 |
| NFS Share (PRD) | 1 | 1 | 2 | 100 |
| GitLab | 1 | 4 | 8 | 40 |
| Kubernetes DevSecOps Cluster | ||||
| Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
| Kubernetes Worker Nodes | 3 | 4 | 8 | 40 |
| Kubernetes Observability Cluster | ||||
| Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
| Kubernetes Worker Nodes | 3 | 4 | 8 | 40 |
| Kubernetes Non-Production Workload Cluster | ||||
| Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
| Kubernetes Worker Nodes | 3 | 4 | 8 | 40 |
| Kubernetes Production Workload Cluster | ||||
| Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
| Kubernetes Worker Nodes | 5 | 6 | 8 | 40 |
| Total | 36 | 103 | 186 | 2140 |
Network Subnet
| Type | Subnet IP |
|---|---|
| Kubernetes DevSecOps Cluster and Related Virtual Machines Subnet | 192.168.72.0/24 |
| Kubernetes Observability Cluster and Related Virtual Machines Subnet | 192.168.73.0/24 |
| Kubernetes Non-Production Workload Cluster and Related Virtual Machines Subnet | 192.168.74.0/24 |
| Kubernetes Production Workload Cluster and Related Virtual Machines Subnet | 192.168.75.0/24 |
| Pod Subnet for each Kubernetes cluster | 172.16.72.0/22 |
| Service Subnet for each Kubernetes cluster | 172.16.76.0/22 |
The pod and service ranges are reused unchanged in all four clusters. This is fine as long as the clusters stay isolated at the pod network level and reach each other only through their HAProxy-fronted API and ingress endpoints; it rules out routing pod networks between clusters (BGP peering or a cluster mesh), which would require distinct pod and service CIDRs per cluster.
Domain
You must provide a DNS domain and TLS certificates for the hostnames below. This reference architecture uses *.devops.example.com as the example; a single wildcard certificate for it covers every hostname in the table, because each one is exactly one label under devops.example.com. These hostnames are assigned to Opstella and the DevSecOps tools.
| Service Name | Ingress Domain |
|---|---|
| Opstella | |
| Opstella UI | opstella.devops.example.com |
| Opstella Core | opstella-backend.devops.example.com |
| Opstella Clear Session | opstella-clear-session.devops.example.com |
| Keycloak | opstella-idp.devops.example.com |
| DevOps Tools | |
| ArgoCD (DEV) | argocd-dev.devops.example.com |
| ArgoCD (PRD) | argocd-prd.devops.example.com |
| DefectDojo | defectdojo.devops.example.com |
| GitLab | gitlab.devops.example.com |
| Headlamp | headlamp.devops.example.com |
| Harbor | harbor.devops.example.com |
| DevSecOps Tools | |
| SonarQube | sonarqube.devops.example.com |
| Vault | vault.devops.example.com |
| Observability Tools | |
| Loki | loki.devops.example.com |
| Grafana Dashboard | grafana.devops.example.com |
| Tempo | tempo.devops.example.com |
| Mimir | mimir.devops.example.com |
| Common Services | |
| MinIO (DevSecOps) | minio-dso.devops.example.com |
| MinIO API (DevSecOps) | minio-dso-api.devops.example.com |
| MinIO (Observability) | minio-obs.devops.example.com |
| MinIO API (Observability) | minio-obs-api.devops.example.com |
Ingress
Firewall
| Policy | Protocol | Direction | Port | Source | Description |
|---|---|---|---|---|---|
| Kubernetes Master Nodes | |||||
| Allow | TCP | Inbound | 6443 | HAProxy | Kubernetes API |
| Allow | TCP | Inbound | 6443 | RKE2 Worker Nodes | Kubernetes API |
| Allow | TCP | Inbound | 9345 | RKE2 Master Nodes | RKE2 Supervisor API |
| Allow | TCP | Inbound | 9345 | RKE2 Worker Nodes | RKE2 Supervisor API |
| Allow | TCP | Inbound | 2379 | RKE2 Master Nodes | etcd Client Port |
| Allow | TCP | Inbound | 2380 | RKE2 Master Nodes | etcd Peer Port |
| Allow | TCP | Inbound | 2381 | RKE2 Master Nodes | etcd Metrics Port |
| Kubernetes Worker Nodes | |||||
| Allow | TCP | Inbound | 30080, 30443 | HAProxy | NodePort Ingress Service |
| Kubernetes Master & Worker Nodes | |||||
| Allow | TCP | Inbound | 10250 | All RKE2 Nodes | kubelet API (metrics, logs, exec) |
| Allow | TCP | Inbound | 179 | All RKE2 Nodes | Calico CNI with BGP |
| Allow | UDP | Inbound | 4789 | All RKE2 Nodes | Calico CNI with VXLAN |
| Allow | TCP | Inbound | 5473 | All RKE2 Nodes | Calico CNI with Typha |
| Allow | TCP | Inbound | 9098 | All RKE2 Nodes | Calico Typha health checks |
| Allow | TCP | Inbound | 9099 | All RKE2 Nodes | Calico health checks |
| GitLab | |||||
| Allow | TCP | Inbound | 80, 443 | Any | Web Service |
| Allow | TCP | Inbound | 22 | Any | Git SSH |
| Allow | TCP | Inbound | 9090 | Observability Cluster Worker Nodes | GitLab Prometheus Metrics |
| NFS | |||||
| Allow | TCP | Inbound | 2049 | RKE2 Worker Nodes of the cluster the share serves | NFSd |
| Allow | TCP | Inbound | 111 | RKE2 Worker Nodes of the cluster the share serves | PortMapper |
| Allow | TCP | Inbound | 33333 | RKE2 Worker Nodes of the cluster the share serves | MountD |
| HAProxy | |||||
| Allow | TCP | Inbound | 80, 443 | Any | HTTP/HTTPS Inbound |
| Allow | TCP | Inbound | 6443 | Bastion Host | Kubernetes API (forwarded to the master nodes) |
Notes on the rules above:
- Each cluster has its own HAProxy and its own NFS share, so "RKE2 Master Nodes", "RKE2 Worker Nodes", "All RKE2 Nodes" and "HAProxy" always mean the nodes of the same cluster. The result is a per-cluster allow-list: a worker in the Non-Production cluster has no path to etcd or the kubelet API of the Production cluster, which is the point of splitting the clusters in the first place.
- Two flows cross subnets and must also be permitted on the inter-subnet routing: the bastion host (in 192.168.72.0/24) reaching the HAProxy 6443 frontend of the other three clusters, and the Observability cluster (192.168.73.0/24) scraping GitLab on 9090.
- Calico VXLAN (4789) is UDP; BGP (179) and Typha (5473) are TCP. The mountd rule on 33333 assumes mountd is pinned to that port in /etc/nfs.conf.
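Rendered as an nftables ruleset, the master-node rows of the table become a default-deny input chain with one named set per role, so that the port list and the source list are checked together rather than as separate "port open" and "who may reach it" decisions. The script below does this for one master node of the DevSecOps cluster. It is an added example for this page, not an RKE2 or Opstella artifact; the addresses (bastion 192.168.72.4, HAProxy 192.168.72.10, masters .11 to .13, workers .21 to .23) are assumptions within the 192.168.72.0/24 subnet. SSH from the bastion is included because the table omits management access entirely.

```bash
#!/bin/sh
# Render an nftables ruleset for one RKE2 master node of the DevSecOps cluster
# from the firewall table: default deny, each port opened only to the role the
# table names. Host addresses are ASSUMED (the architecture fixes only the
# 192.168.72.0/24 subnet); replace them with the real inventory.
BASTION=${BASTION:-"192.168.72.4"}
HAPROXY=${HAPROXY:-"192.168.72.10"}
MASTERS=${MASTERS:-"192.168.72.11 192.168.72.12 192.168.72.13"}
WORKERS=${WORKERS:-"192.168.72.21 192.168.72.22 192.168.72.23"}

# csv A B C -> "A, B, C" (nft set element syntax)
csv() { printf '%s' "$*" | sed 's/ /, /g'; }

render_master_ruleset() {
    # shellcheck disable=SC2086  # splitting the host lists on spaces is intended
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet rke2_master {
    set bastion { type ipv4_addr; elements = { $(csv $BASTION) } }
    set haproxy { type ipv4_addr; elements = { $(csv $HAPROXY) } }
    set masters { type ipv4_addr; elements = { $(csv $MASTERS) } }
    set workers { type ipv4_addr; elements = { $(csv $WORKERS) } }
    set nodes   { type ipv4_addr; elements = { $(csv $MASTERS $WORKERS) } }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        ip protocol icmp accept

        # Administrative SSH only from the bastion host (not in the table)
        ip saddr @bastion tcp dport 22 accept

        # Kubernetes API: this cluster's HAProxy frontend and worker nodes
        ip saddr @haproxy tcp dport 6443 accept
        ip saddr @workers tcp dport 6443 accept

        # RKE2 supervisor API: all nodes of this cluster
        ip saddr @nodes tcp dport 9345 accept

        # etcd client, peer and metrics ports: other master nodes only
        ip saddr @masters tcp dport { 2379, 2380, 2381 } accept

        # kubelet API and Calico BGP, Typha and health checks: all nodes (TCP)
        ip saddr @nodes tcp dport { 10250, 179, 5473, 9098, 9099 } accept

        # Calico VXLAN is UDP
        ip saddr @nodes udp dport 4789 accept

        # Everything else is logged and counted, then dropped by the chain policy
        log prefix "rke2-master-drop " counter
    }
}
EOF
}

# Usage: OUT=/etc/nftables.conf sh render-master-nft.sh && nft -f /etc/nftables.conf
# Without OUT the ruleset is printed for review; with OUT set and nft installed,
# the rendered file is syntax-checked (nft -c) without being loaded.
if [ -n "${OUT:-}" ]; then
    render_master_ruleset > "$OUT"
    command -v nft >/dev/null 2>&1 && nft -c -f "$OUT"
else
    render_master_ruleset
fi
```

A worker node's ruleset differs only in dropping the etcd and 6443 lines and adding `ip saddr @haproxy tcp dport { 30080, 30443 } accept`. Because the chain policy is drop, the trailing log line is the fastest way to find a port the table forgot: the kernel log shows the source address and destination port of every packet that fell through.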