
Opstella Reference Architecture

Standalone Architecture

[Figure: Opstella Standalone Architecture]

Use Cases

  1. Proof of concept for the whole Opstella and DevSecOps platform.
  2. Testing or staging platform environment.

Specification

Create the virtual machines with the following specifications:

  • CPU: Intel Xeon E-2334 (3.4GHz, 4C/8T, 8MB Cache)
  • Network Bandwidth: 1Gbps
  • Operating System: Ubuntu 24.04.1 (Noble Numbat)

| Role | Number of Nodes | CPU (Core) | Memory (GB) | Disk (GB) |
|---|---|---|---|---|
| Virtual Machines | | | | |
| Bastion Host | 1 | 1 | 2 | 20 |
| HAProxy | 1 | 1 | 2 | 20 |
| NFS Share | 1 | 1 | 2 | 100 |
| GitLab | 1 | 2 | 4 | 40 |
| Kubernetes Cluster | | | | |
| Kubernetes Master Nodes | 1 | 2 | 4 | 40 |
| Kubernetes Worker Nodes | 5 | 4 | 10 | 40 |
| Total | 10 | 27 | 64 | 460 |

Network Subnet

| Type | Subnet IP |
|---|---|
| Kubernetes Cluster and Related Virtual Machines Subnet | 192.168.72.0/24 |
| Pod Subnet for each Kubernetes cluster | 172.16.72.0/22 |
| Service Subnet for each Kubernetes cluster | 172.16.76.0/22 |

Domain

You must provide your own domain and SSL certificates. This reference architecture uses *.devops.example.com as the example domain. The following domains are assigned to the DevSecOps tools and to Opstella.

| Service Name | Ingress Domain |
|---|---|
| Opstella | |
| Opstella UI | opstella.devops.example.com |
| Opstella Core | opstella-backend.devops.example.com |
| Opstella Clear Session | opstella-clear-session.devops.example.com |
| Keycloak | opstella-idp.devops.example.com |
| DevOps Tools | |
| ArgoCD | argocd.devops.example.com |
| DefectDojo | defectdojo.devops.example.com |
| GitLab | gitlab.devops.example.com |
| Headlamp | headlamp.devops.example.com |
| Harbor | harbor.devops.example.com |
| DevSecOps Tools | |
| SonarQube | sonarqube.devops.example.com |
| Vault | vault.devops.example.com |
| Observability Tools | |
| Loki | loki.devops.example.com |
| Grafana Dashboard | grafana.devops.example.com |
| Tempo | tempo.devops.example.com |
| Mimir | mimir.devops.example.com |
| Common Services | |
| MinIO | minio.devops.example.com |
| MinIO API | minio-api.devops.example.com |

Ingress

[Figure: Opstella Kubernetes Ingress Traffic Flow]

Firewall

| Policy | Protocol | Direction | Port | Source | Description |
|---|---|---|---|---|---|
| Kubernetes Master Nodes | | | | | |
| Allow | TCP | Inbound | 6443 | Any | Kubernetes API |
| Allow | TCP | Inbound | 6443 | HAProxy | Kubernetes API |
| Allow | TCP | Inbound | 6443 | RKE2 Worker Nodes | Kubernetes API |
| Allow | TCP | Inbound | 9345 | RKE2 Master Nodes | RKE2 Supervisor API |
| Allow | | Inbound | 9345 | RKE2 Worker Nodes | RKE2 Supervisor API |
| Allow | TCP | Inbound | 2379 | RKE2 Master Nodes | etcd Client Port |
| Allow | TCP | Inbound | 2380 | RKE2 Master Nodes | etcd Peer Port |
| Allow | TCP | Inbound | 2381 | RKE2 Master Nodes | etcd Metrics Port |
| Kubernetes Worker Nodes | | | | | |
| Allow | TCP | Inbound | 30080, 30443 | HAProxy | NodePort Ingress Service |
| Kubernetes Master & Worker Nodes | | | | | |
| Allow | TCP | Inbound | 10250 | Any | kubelet Metrics |
| Allow | TCP | Inbound | 179 | All RKE2 Nodes | Calico CNI with BGP |
| Allow | | Inbound | 4789 | All RKE2 Nodes | Calico CNI with VXLAN |
| Allow | TCP | Inbound | 5473 | All RKE2 Nodes | Calico CNI with BGP |
| Allow | TCP | Inbound | 9098 | All RKE2 Nodes | Calico Typha health checks |
| Allow | TCP | Inbound | 9099 | All RKE2 Nodes | Calico health checks |
| GitLab | | | | | |
| Allow | | Inbound | 80, 443 | Any | Web Services |
| Allow | TCP | Inbound | 22 | Any | Git SSH |
| Allow | TCP | Inbound | 9090 | Any | GitLab Prometheus Metrics |
| NFS | | | | | |
| Allow | TCP/UDP | Inbound | 2049 | RKE2 Worker Nodes | NFSd |
| Allow | TCP/UDP | Inbound | 111 | RKE2 Worker Nodes | PortMapper |
| Allow | TCP/UDP | Inbound | 33333 | RKE2 Worker Nodes | MountD |
| HAProxy | | | | | |
| Allow | TCP | Inbound | 80, 443 | Any | HTTP/HTTPS Inbound |


Multi-Clusters Architecture

[Figure: Opstella Multi-Clusters Architecture]

Use Cases

Scalable deployments for production environments.

Specification

Create the virtual machines with the following specifications:

  • CPU: Intel Xeon Silver 4310 (2.1GHz, 12C/24T, 18MB Cache)
  • Network Bandwidth: 10Gbps
  • Operating System: Ubuntu 24.04.1 (Noble Numbat)

| Role | Number of Nodes | CPU (Core) | Memory (GB) | Disk (GB) |
|---|---|---|---|---|
| Virtual Machines | | | | |
| Bastion Host | 1 | 1 | 2 | 20 |
| HAProxy | 4 | 1 | 2 | 20 |
| NFS Share (DevSecOps) | 1 | 1 | 2 | 500 |
| NFS Share (Observability) | 1 | 1 | 2 | 500 |
| NFS Share (DEV) | 1 | 1 | 2 | 100 |
| NFS Share (PRD) | 1 | 1 | 2 | 100 |
| GitLab | 1 | 4 | 8 | 40 |
| Kubernetes DevSecOps Cluster | | | | |
| Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
| Kubernetes Worker Nodes | 3 | 4 | 8 | 40 |
| Kubernetes Observability Cluster | | | | |
| Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
| Kubernetes Worker Nodes | 3 | 4 | 8 | 40 |
| Kubernetes Non-Production Workload Cluster | | | | |
| Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
| Kubernetes Worker Nodes | 3 | 4 | 8 | 40 |
| Kubernetes Production Workload Cluster | | | | |
| Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
| Kubernetes Worker Nodes | 5 | 6 | 8 | 40 |
| Total | 36 | 103 | 186 | 2140 |

Network Subnet

| Type | Subnet IP |
|---|---|
| Kubernetes DevSecOps Cluster and Related Virtual Machines Subnet | 192.168.72.0/24 |
| Kubernetes Observability Cluster and Related Virtual Machines Subnet | 192.168.73.0/24 |
| Kubernetes Non-Production Workload Cluster and Related Virtual Machines Subnet | 192.168.74.0/24 |
| Kubernetes Production Workload Cluster and Related Virtual Machines Subnet | 192.168.75.0/24 |
| Pod Subnet for each Kubernetes cluster | 172.16.72.0/22 |
| Service Subnet for each Kubernetes cluster | 172.16.76.0/22 |
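The subnet tables in both the standalone and the multi-cluster sections reuse the same pod and service ranges for every cluster, and the node subnets sit in 192.168.72.0/24 through 192.168.75.0/24. Before provisioning, it is worth checking mechanically that none of these ranges overlap and that the pod CIDR can hand out enough per-node address blocks. The script below is an added example, not part of the Opstella documentation or tooling; it assumes Calico's default /26 IPAM block size (the page does not state the block size) and checks both address plans from this page.

```python
import ipaddress

# Node subnets from the Network Subnet tables on this page.
STANDALONE_NODE_SUBNETS = {
    "Kubernetes Cluster and Related VMs": "192.168.72.0/24",
}
MULTI_CLUSTER_NODE_SUBNETS = {
    "DevSecOps Cluster and Related VMs": "192.168.72.0/24",
    "Observability Cluster and Related VMs": "192.168.73.0/24",
    "Non-Production Workload Cluster and Related VMs": "192.168.74.0/24",
    "Production Workload Cluster and Related VMs": "192.168.75.0/24",
}
POD_SUBNET = "172.16.72.0/22"      # reused by every cluster on this page
SERVICE_SUBNET = "172.16.76.0/22"  # reused by every cluster on this page

# Calico hands each node pod addresses in IPAM blocks; /26 (64 addresses) is
# Calico's default block size. Assumed here, the page does not state it.
CALICO_BLOCK_PREFIX = 26


def find_overlaps(named_cidrs):
    """Return [(name_a, name_b), ...] for every pair of networks that overlap."""
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in named_cidrs.items()]
    overlaps = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((name_a, name_b))
    return overlaps


def pod_blocks_available(pod_cidr, block_prefix=CALICO_BLOCK_PREFIX):
    """Number of per-node IPAM blocks the pod CIDR can hand out."""
    net = ipaddress.ip_network(pod_cidr)
    if net.prefixlen > block_prefix:
        return 0
    return 2 ** (block_prefix - net.prefixlen)


def validate_plan(node_subnets, pod_cidr, service_cidr, node_count):
    """Check one cluster's address plan. Returns a list of findings; empty means OK."""
    findings = []
    all_nets = dict(node_subnets)
    all_nets["pod"] = pod_cidr
    all_nets["service"] = service_cidr
    for a, b in find_overlaps(all_nets):
        findings.append(f"overlap: {a} and {b}")
    blocks = pod_blocks_available(pod_cidr)
    if blocks < node_count:
        findings.append(
            f"pod CIDR {pod_cidr} yields only {blocks} /{CALICO_BLOCK_PREFIX} "
            f"blocks for {node_count} nodes"
        )
    return findings


def shared_pod_cidrs(cluster_pod_cidrs):
    """Return the names of clusters whose pod CIDR overlaps another cluster's.

    Overlapping pod ranges are only safe while the clusters never route
    pod-to-pod traffic to each other (no BGP peering or VPN between them);
    traffic between them must enter through ingress or a node address.
    """
    return sorted({name for pair in find_overlaps(cluster_pod_cidrs) for name in pair})


if __name__ == "__main__":
    # Standalone: 1 master + 5 workers; multi-cluster production: 3 masters + 5 workers.
    print("standalone:", validate_plan(STANDALONE_NODE_SUBNETS, POD_SUBNET, SERVICE_SUBNET, 6) or "OK")
    print("production:", validate_plan({"Production": "192.168.75.0/24"}, POD_SUBNET, SERVICE_SUBNET, 8) or "OK")
    print("clusters sharing a pod CIDR:", shared_pod_cidrs({
        "DevSecOps": POD_SUBNET, "Observability": POD_SUBNET,
        "Non-Production": POD_SUBNET, "Production": POD_SUBNET,
    }))
```

Both plans on this page pass the overlap and capacity checks. `shared_pod_cidrs` reports all four multi-cluster environments because they reuse 172.16.72.0/22; that is fine as long as the clusters are reached only through their HAProxy and NodePort ingress path, but it rules out directly routing pod traffic between clusters later without renumbering.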

Domain

You must provide your own domain and SSL certificates. This reference architecture uses *.devops.example.com as the example domain. The following domains are assigned to the DevSecOps tools and to Opstella.

| Service Name | Ingress Domain |
|---|---|
| Opstella | |
| Opstella UI | opstella.devops.example.com |
| Opstella Core | opstella-backend.devops.example.com |
| Opstella Clear Session | opstella-clear-session.devops.example.com |
| Keycloak | opstella-idp.devops.example.com |
| DevOps Tools | |
| ArgoCD (DEV) | argocd-dev.devops.example.com |
| ArgoCD (PRD) | argocd-prd.devops.example.com |
| DefectDojo | defectdojo.devops.example.com |
| GitLab | gitlab.devops.example.com |
| Headlamp | headlamp.devops.example.com |
| Harbor | harbor.devops.example.com |
| DevSecOps Tools | |
| SonarQube | sonarqube.devops.example.com |
| Vault | vault.devops.example.com |
| Observability Tools | |
| Loki | loki.devops.example.com |
| Grafana Dashboard | grafana.devops.example.com |
| Tempo | tempo.devops.example.com |
| Mimir | mimir.devops.example.com |
| Common Services | |
| MinIO (DevSecOps) | minio-dso.devops.example.com |
| MinIO API (DevSecOps) | minio-dso-api.devops.example.com |
| MinIO (Observability) | minio-obs.devops.example.com |
| MinIO API (Observability) | minio-obs-api.devops.example.com |
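Every ingress hostname in the domain tables of both sections is a single label under devops.example.com, so one wildcard certificate for *.devops.example.com covers all of them. A wildcard only matches one label, though, so a name with an extra level (for example a per-tenant host under a tool's hostname) would not be covered and the TLS handshake would fail. The following script is an added example, not part of the Opstella documentation or tooling: it implements the single-label wildcard rule of RFC 6125 and checks the page's hostnames against a certificate's SAN list; the SAN list and the hostname subset are constructed inputs.

```python
import re

# Ingress hostnames copied from the Domain tables on this page (a subset).
INGRESS_HOSTS = [
    "opstella.devops.example.com",
    "opstella-backend.devops.example.com",
    "opstella-clear-session.devops.example.com",
    "opstella-idp.devops.example.com",
    "argocd-dev.devops.example.com",
    "argocd-prd.devops.example.com",
    "minio-obs-api.devops.example.com",
]

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def hostname_matches(san_pattern, hostname):
    """RFC 6125 style match of a hostname against one certificate SAN entry.

    A '*' is accepted only as the entire leftmost label, it matches exactly one
    label, and the pattern must have at least three labels (so '*.com' is not a
    valid wildcard). Comparison is case-insensitive.
    """
    p_labels = san_pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more or fewer labels
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        if i == 0 and p == "*" and len(p_labels) >= 3:
            continue  # the wildcard covers this single label
        if p != h:
            return False
    return True


def uncovered_hosts(san_names, hostnames):
    """Hostnames that no SAN entry in the certificate covers."""
    return [h for h in hostnames if not any(hostname_matches(s, h) for s in san_names)]


def invalid_hostnames(hostnames):
    """Hostnames that are not syntactically valid DNS names."""
    bad = []
    for h in hostnames:
        labels = h.lower().rstrip(".").split(".")
        if len(h) > 253 or not all(LABEL_RE.match(label) for label in labels):
            bad.append(h)
    return bad


if __name__ == "__main__":
    cert_sans = ["*.devops.example.com"]  # constructed SAN list for the wildcard certificate
    print("invalid:", invalid_hostnames(INGRESS_HOSTS))
    print("not covered by", cert_sans, ":", uncovered_hosts(cert_sans, INGRESS_HOSTS))
    # A two-level name would need its own SAN entry or a second wildcard:
    print("not covered:", uncovered_hosts(cert_sans, ["api.minio.devops.example.com"]))
```

In practice the SAN list would be read from the certificate you intend to deploy (for example with `openssl x509 -noout -ext subjectAltName`) and fed to `uncovered_hosts` before the ingress is rolled out; an empty result means every hostname in the table is served under a matching name.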

Ingress

[Figure: Opstella Kubernetes Ingress Flow]

Firewall

| Policy | Protocol | Direction | Port | Source | Description |
|---|---|---|---|---|---|
| Kubernetes Master Nodes | | | | | |
| Allow | TCP | Inbound | 6443 | HAProxy | Kubernetes API |
| Allow | TCP | Inbound | 6443 | RKE2 Worker Nodes | Kubernetes API |
| Allow | TCP | Inbound | 9345 | RKE2 Master Nodes | RKE2 Supervisor API |
| Allow | TCP | Inbound | 9345 | RKE2 Worker Nodes | RKE2 Supervisor API |
| Allow | | Inbound | 2379 | RKE2 Master Nodes | etcd Client Port |
| Allow | TCP | Inbound | 2380 | RKE2 Master Nodes | etcd Peer Port |
| Allow | TCP | Inbound | 2381 | RKE2 Master Nodes | etcd Metrics Port |
| Kubernetes Worker Nodes | | | | | |
| Allow | TCP | Inbound | 30080, 30443 | HAProxy | NodePort Ingress Service |
| Kubernetes Master & Worker Nodes | | | | | |
| Allow | TCP | Inbound | 10250 | Any | kubelet Metrics |
| Allow | | Inbound | 179 | All RKE2 Nodes | Calico CNI with BGP |
| Allow | TCP | Inbound | 4789 | All RKE2 Nodes | Calico CNI with VXLAN |
| Allow | TCP | Inbound | 5473 | All RKE2 Nodes | Calico CNI with Typha |
| Allow | | Inbound | 9098 | All RKE2 Nodes | Calico Typha health checks |
| Allow | TCP | Inbound | 9099 | All RKE2 Nodes | Calico health checks |
| GitLab | | | | | |
| Allow | TCP | Inbound | 80, 443 | Any | Web Service |
| Allow | TCP | Inbound | 22 | Any | SSH |
| Allow | | Inbound | 9090 | Any | GitLab Prometheus Metrics |
| NFS | | | | | |
| Allow | TCP | Inbound | 2049 | RKE2 Worker Nodes | NFSd |
| Allow | TCP | Inbound | 111 | RKE2 Worker Nodes | PortMapper |
| Allow | TCP | Inbound | 33333 | RKE2 Worker Nodes | MountD |
| HAProxy | | | | | |
| Allow | TCP | Inbound | 80, 443 | Any | HTTP/HTTPS Inbound |
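The firewall tables in both sections are written per host role with a default of allowing nothing else, so the natural way to apply them on the Ubuntu nodes is a default-deny inbound policy plus one `ufw` allow rule per row, source and port. The script below is an added example, not part of the Opstella documentation or tooling: it turns a subset of the master-node rows into `ufw` commands and refuses to render any row whose protocol cell is blank (several rows in the tables have one), so a gap in the table never silently becomes a rule that is wider than intended. The host addresses behind the source groups are assumed placeholders inside the 192.168.72.0/24 node subnet; the page gives no individual addresses.

```python
# Source groups mapped to addresses. The page only gives the 192.168.72.0/24
# node subnet, so the individual host addresses below are ASSUMED placeholders.
SOURCE_GROUPS = {
    "Any": ["any"],
    "HAProxy": ["192.168.72.10"],
    "RKE2 Master Nodes": ["192.168.72.21"],
    "RKE2 Worker Nodes": ["192.168.72.31", "192.168.72.32"],
}

# A subset of the master-node rows from the Firewall table:
# (policy, protocol, ports, source, description). The etcd client row is
# copied with the blank protocol it has in the table to show how it is handled.
MASTER_RULES = [
    ("Allow", "TCP", "6443", "HAProxy", "Kubernetes API"),
    ("Allow", "TCP", "6443", "RKE2 Worker Nodes", "Kubernetes API"),
    ("Allow", "TCP", "9345", "RKE2 Worker Nodes", "RKE2 Supervisor API"),
    ("Allow", "", "2379", "RKE2 Master Nodes", "etcd Client Port"),
    ("Allow", "TCP", "2380", "RKE2 Master Nodes", "etcd Peer Port"),
    ("Allow", "TCP", "10250", "Any", "kubelet Metrics"),
]


def expand_ports(port_field):
    """Split a port cell such as '30080; 30443' or '80, 443' into single ports."""
    return [p.strip() for p in port_field.replace(";", ",").split(",") if p.strip()]


def render_ufw(rules, source_groups):
    """Render table rows as ufw commands for the host the rows protect.

    Returns (commands, problems). A row is reported in `problems` instead of
    rendered when its protocol cell is blank or its source group is unknown,
    so nothing is opened wider than the table says.
    """
    commands = ["ufw default deny incoming", "ufw default allow outgoing"]
    problems = []
    for policy, proto, ports, source, desc in rules:
        if not proto:
            problems.append(f"{desc} (port {ports} from {source}): protocol not specified")
            continue
        if source not in source_groups:
            problems.append(f"{desc} (port {ports}): unknown source group '{source}'")
            continue
        for addr in source_groups[source]:
            for port in expand_ports(ports):
                for p in proto.lower().split("/"):  # 'TCP/UDP' becomes two rules
                    commands.append(
                        f"ufw {policy.lower()} proto {p} from {addr} to any port {port} "
                        f"comment '{desc}'"
                    )
    return commands, problems


if __name__ == "__main__":
    cmds, probs = render_ufw(MASTER_RULES, SOURCE_GROUPS)
    print("\n".join(cmds))
    for p in probs:
        print("REVIEW:", p)
```

The script only prints the commands; review the output, then run it on the node as root and finish with `ufw enable`. Rows whose source is "Any" render as `from any`, exactly as the table states; when reviewing the output those are the rows to look at twice, since on an internal node subnet a metrics or API port rarely needs to accept every source.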
