Opstella Reference Architecture
Standalone Architecture
Use Cases
- Proof of concept for the whole Opstella and DevSecOps platform.
- Testing or staging platform environment.
Specification
Create the virtual machines with the following specifications. Every VM uses the CPU model, network bandwidth and operating system listed here; the table gives per-node sizes, and the Total row is each per-node value multiplied by the node count.
- CPU: Intel Xeon E-2334 (3.4GHz, 4C/8T, 8MB Cache)
- Network Bandwidth: 1Gbps
- Operating System: Ubuntu 24.04.1 (Noble Numbat)
Component | Number of Nodes | CPU (Cores per node) | Memory (GB per node) | Disk (GB per node) |
---|---|---|---|---|
Virtual Machines | | | | |
Bastion Host | 1 | 1 | 2 | 20 |
HAProxy | 1 | 1 | 2 | 20 |
NFS Share | 1 | 1 | 2 | 100 |
GitLab | 1 | 2 | 4 | 40 |
Kubernetes Cluster | | | | |
Kubernetes Master Nodes | 1 | 2 | 4 | 40 |
Kubernetes Worker Nodes | 5 | 4 | 10 | 40 |
Total | 10 | 27 | 64 | 420 |
Network Subnet
Type | Subnet (CIDR) |
---|---|
Kubernetes Cluster and Related Virtual Machines Subnet | 192.168.72.0/24 |
Pod Subnet for each Kubernetes cluster | 172.16.72.0/22 |
Service Subnet for each Kubernetes cluster | 172.16.76.0/22 |
Domain
You must provide DNS names and TLS certificates for the platform. This reference architecture uses *.devops.example.com as the example zone: a wildcard DNS record that resolves to the HAProxy host (which receives all HTTP/HTTPS traffic, see Firewall below) and a certificate covering the wildcard. The hostnames below are assigned to the DevSecOps tools and to Opstella.
Service Name | Ingress Domain |
---|---|
Opstella | |
Opstella UI | opstella.devops.example.com |
Opstella Core | opstella-backend.devops.example.com |
Opstella Clear Session | opstella-clear-session.devops.example.com |
Keycloak | opstella-idp.devops.example.com |
DevOps Tools | |
ArgoCD | argocd.devops.example.com |
DefectDojo | defectdojo.devops.example.com |
GitLab | gitlab.devops.example.com |
Headlamp | headlamp.devops.example.com |
Harbor | harbor.devops.example.com |
DevSecOps Tools | |
SonarQube | sonarqube.devops.example.com |
Vault | vault.devops.example.com |
Observability Tools | |
Loki | loki.devops.example.com |
Grafana Dashboard | grafana.devops.example.com |
Tempo | tempo.devops.example.com |
Mimir | mimir.devops.example.com |
Common Services | |
MinIO | minio.devops.example.com |
MinIO API | minio-api.devops.example.com |
Ingress
Firewall
Policy | Protocol | Direction | Port | Source | Description |
---|---|---|---|---|---|
Kubernetes Master Nodes | | | | | |
Allow | TCP | Inbound | 6443 | Any | Kubernetes API |
Allow | TCP | Inbound | 6443 | HAProxy | Kubernetes API |
Allow | TCP | Inbound | 6443 | RKE2 Worker Nodes | Kubernetes API |
Allow | TCP | Inbound | 9345 | RKE2 Master Nodes | RKE2 Supervisor API |
Allow | TCP | Inbound | 9345 | RKE2 Worker Nodes | RKE2 Supervisor API |
Allow | TCP | Inbound | 2379 | RKE2 Master Nodes | etcd Client Port |
Allow | TCP | Inbound | 2380 | RKE2 Master Nodes | etcd Peer Port |
Allow | TCP | Inbound | 2381 | RKE2 Master Nodes | etcd Metrics Port |
Kubernetes Worker Nodes | | | | | |
Allow | TCP | Inbound | 30080, 30443 | HAProxy | NodePort Ingress Service |
Kubernetes Master & Worker Nodes | | | | | |
Allow | TCP | Inbound | 10250 | Any | kubelet API (metrics scraping) |
Allow | TCP | Inbound | 179 | All RKE2 Nodes | Calico CNI with BGP |
Allow | UDP | Inbound | 4789 | All RKE2 Nodes | Calico CNI with VXLAN |
Allow | TCP | Inbound | 5473 | All RKE2 Nodes | Calico CNI with Typha |
Allow | TCP | Inbound | 9098 | All RKE2 Nodes | Calico Typha health checks |
Allow | TCP | Inbound | 9099 | All RKE2 Nodes | Calico health checks |
GitLab | | | | | |
Allow | TCP | Inbound | 80, 443 | Any | Web Services |
Allow | TCP | Inbound | 22 | Any | Git SSH |
Allow | TCP | Inbound | 9090 | Any | GitLab Prometheus Metrics |
NFS | | | | | |
Allow | TCP/UDP | Inbound | 2049 | RKE2 Worker Nodes | NFSd |
Allow | TCP/UDP | Inbound | 111 | RKE2 Worker Nodes | PortMapper |
Allow | TCP/UDP | Inbound | 33333 | RKE2 Worker Nodes | MountD |
HAProxy | | | | | |
Allow | TCP | Inbound | 80, 443 | Any | HTTP/HTTPS Inbound |

Notes on these rules: port 10250 is the full kubelet API (exec, logs, port-forward), not only a metrics endpoint, so once the cluster is past the proof-of-concept stage restrict its source to the master nodes and your metrics scrapers rather than Any, and treat the 6443-from-Any row the same way (the multi-cluster architecture below admits only HAProxy and the worker nodes). Port 111 and mountd are needed by NFSv3 clients only; NFSv4 needs just TCP 2049. mountd does not listen on a fixed port by default, so the 33333 rule only works if mountd is pinned to that port on the NFS server.
Multi-Cluster Architecture
Use Cases
- Scalable deployments for production environments.
Specification
Create the virtual machines with the following specifications. Every VM uses the CPU model, network bandwidth and operating system listed here; the table gives per-node sizes, and the Total row is each per-node value multiplied by the node count.
- CPU: Intel Xeon Silver 4310 (2.1GHz, 12C/24T, 18MB Cache)
- Network Bandwidth: 10Gbps
- Operating System: Ubuntu 24.04.1 (Noble Numbat)
Component | Number of Nodes | CPU (Cores per node) | Memory (GB per node) | Disk (GB per node) |
---|---|---|---|---|
Virtual Machines | | | | |
Bastion Host | 1 | 1 | 2 | 20 |
HAProxy | 4 | 1 | 2 | 20 |
NFS Share (DevSecOps) | 1 | 1 | 2 | 500 |
NFS Share (Observability) | 1 | 1 | 2 | 500 |
NFS Share (DEV) | 1 | 1 | 2 | 100 |
NFS Share (PRD) | 1 | 1 | 2 | 100 |
GitLab | 1 | 4 | 8 | 40 |
Kubernetes DevSecOps Cluster | | | | |
Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
Kubernetes Worker Nodes | 3 | 4 | 8 | 40 |
Kubernetes Observability Cluster | | | | |
Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
Kubernetes Worker Nodes | 3 | 4 | 8 | 40 |
Kubernetes Non-Production Workload Cluster | | | | |
Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
Kubernetes Worker Nodes | 3 | 4 | 8 | 40 |
Kubernetes Production Workload Cluster | | | | |
Kubernetes Master Nodes | 3 | 2 | 4 | 20 |
Kubernetes Worker Nodes | 5 | 6 | 8 | 40 |
Total | 36 | 103 | 186 | 2140 |
Network Subnet
Type | Subnet (CIDR) |
---|---|
Kubernetes DevSecOps Cluster and Related Virtual Machines Subnet | 192.168.72.0/24 |
Kubernetes Observability Cluster and Related Virtual Machines Subnet | 192.168.73.0/24 |
Kubernetes Non-Production Workload Cluster and Related Virtual Machines Subnet | 192.168.74.0/24 |
Kubernetes Production Workload Cluster and Related Virtual Machines Subnet | 192.168.75.0/24 |
Pod Subnet for each Kubernetes cluster | 172.16.72.0/22 |
Service Subnet for each Kubernetes cluster | 172.16.76.0/22 |
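The pod and service ranges above are reused by all four clusters. That is fine while pod and service IPs never leave their cluster (everything crosses a cluster boundary through HAProxy and the NodePort ingress), but it rules out routing pod IPs between clusters later. The script below, an added example rather than Opstella's own tooling, checks the plan with the standard library's ipaddress module: node subnets must be disjoint across clusters, node, pod and service ranges must not overlap inside a cluster, and it reports which clusters share internal ranges. The 172.16.80.0/20 supernet it carves distinct pod ranges from is an assumption of the example, not something the page specifies.

```python
"""Sanity-check the multi-cluster subnet plan (added example, not Opstella's code).

The CIDRs are the ones from the table above; the cluster labels are ours.
"""
import ipaddress
from itertools import combinations

# Pod and Service CIDRs are identical in every cluster, exactly as the table
# specifies them ("for each Kubernetes cluster").
PLAN = {
    "devsecops":     {"nodes": "192.168.72.0/24", "pods": "172.16.72.0/22", "services": "172.16.76.0/22"},
    "observability": {"nodes": "192.168.73.0/24", "pods": "172.16.72.0/22", "services": "172.16.76.0/22"},
    "nonprod":       {"nodes": "192.168.74.0/24", "pods": "172.16.72.0/22", "services": "172.16.76.0/22"},
    "prod":          {"nodes": "192.168.75.0/24", "pods": "172.16.72.0/22", "services": "172.16.76.0/22"},
}


def _net(cidr):
    # strict=True rejects a CIDR with host bits set (e.g. 192.168.72.1/24),
    # the usual typo in a hand-written plan.
    return ipaddress.ip_network(cidr, strict=True)


def intra_cluster_collisions(plan):
    """Clusters whose node, pod and service ranges are not mutually disjoint.

    kube-proxy, Calico and the node routing table all assume these three
    ranges never overlap, so any hit here is a hard error.
    """
    bad = []
    for name, ranges in plan.items():
        nets = [_net(c) for c in ranges.values()]
        if any(a.overlaps(b) for a, b in combinations(nets, 2)):
            bad.append(name)
    return sorted(bad)


def node_subnet_collisions(plan):
    """Pairs of clusters whose node subnets overlap.

    Node subnets must be unique across clusters: HAProxy, GitLab and the
    NFS servers talk to nodes in every cluster.
    """
    names = sorted(plan)
    return [
        (a, b)
        for a, b in combinations(names, 2)
        if _net(plan[a]["nodes"]).overlaps(_net(plan[b]["nodes"]))
    ]


def shared_internal_ranges(plan):
    """Pairs of clusters that reuse a pod or service range.

    Harmless while pod and service IPs stay inside their cluster (all
    cross-cluster traffic goes through HAProxy and NodePorts), but it rules
    out routing pod IPs between clusters later.
    """
    names = sorted(plan)
    return [
        (a, b)
        for a, b in combinations(names, 2)
        if _net(plan[a]["pods"]).overlaps(_net(plan[b]["pods"]))
        or _net(plan[a]["services"]).overlaps(_net(plan[b]["services"]))
    ]


def unique_pod_cidrs(plan, supernet="172.16.80.0/20", prefix=22):
    """Carve one distinct pod range per cluster out of a supernet.

    The supernet is an assumption of this example (not from the page); the
    filter below guarantees the carved ranges stay clear of every node and
    service range already in the plan.
    """
    in_use = [_net(r["nodes"]) for r in plan.values()] + [_net(r["services"]) for r in plan.values()]
    free = [
        s for s in _net(supernet).subnets(new_prefix=prefix)
        if not any(s.overlaps(u) for u in in_use)
    ]
    names = sorted(plan)
    if len(free) < len(names):
        raise ValueError(f"{supernet} does not hold {len(names)} disjoint /{prefix} ranges")
    return {name: str(cidr) for name, cidr in zip(names, free)}


if __name__ == "__main__":
    print("intra-cluster collisions: ", intra_cluster_collisions(PLAN))
    print("node subnet collisions:   ", node_subnet_collisions(PLAN))
    print("shared pod/service ranges:", shared_internal_ranges(PLAN))
    print("distinct pod ranges:      ", unique_pod_cidrs(PLAN))
```

Run it once after every change to the plan; the first two checks must come back empty, and the third tells you which clusters you cannot peer at the pod level without first giving them distinct ranges.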
Domain
As in the standalone architecture, you must provide DNS names and TLS certificates. This reference architecture uses *.devops.example.com as the example zone, with a wildcard DNS record resolving to the HAProxy hosts and a certificate covering the wildcard. The hostnames below are assigned to the DevSecOps tools and to Opstella; ArgoCD and MinIO get one hostname per cluster they serve.
Service Name | Ingress Domain |
---|---|
Opstella | |
Opstella UI | opstella.devops.example.com |
Opstella Core | opstella-backend.devops.example.com |
Opstella Clear Session | opstella-clear-session.devops.example.com |
Keycloak | opstella-idp.devops.example.com |
DevOps Tools | |
ArgoCD (DEV) | argocd-dev.devops.example.com |
ArgoCD (PRD) | argocd-prd.devops.example.com |
DefectDojo | defectdojo.devops.example.com |
GitLab | gitlab.devops.example.com |
Headlamp | headlamp.devops.example.com |
Harbor | harbor.devops.example.com |
DevSecOps Tools | |
SonarQube | sonarqube.devops.example.com |
Vault | vault.devops.example.com |
Observability Tools | |
Loki | loki.devops.example.com |
Grafana Dashboard | grafana.devops.example.com |
Tempo | tempo.devops.example.com |
Mimir | mimir.devops.example.com |
Common Services | |
MinIO (DevSecOps) | minio-dso.devops.example.com |
MinIO API (DevSecOps) | minio-dso-api.devops.example.com |
MinIO (Observability) | minio-obs.devops.example.com |
MinIO API (Observability) | minio-obs-api.devops.example.com |
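Both hostname tables (standalone and multi-cluster) sit directly under *.devops.example.com, so one wildcard certificate covers all of them. A wildcard matches exactly one DNS label, though: *.example.com would cover none of these names, and *.devops.example.com does not cover devops.example.com itself. The following added example (not part of Opstella) checks a certificate's subject alternative names against the hostnames of the multi-cluster table; the SAN lists it is exercised with are constructed for the example.

```python
"""Check that a certificate's SAN list covers every ingress hostname.

Added example, not Opstella's code. The hostnames are the ones from the
multi-cluster table above; SAN lists passed in are constructed inputs.
"""

HOSTNAMES = [
    "opstella.devops.example.com",
    "opstella-backend.devops.example.com",
    "opstella-clear-session.devops.example.com",
    "opstella-idp.devops.example.com",
    "argocd-dev.devops.example.com",
    "argocd-prd.devops.example.com",
    "defectdojo.devops.example.com",
    "gitlab.devops.example.com",
    "headlamp.devops.example.com",
    "harbor.devops.example.com",
    "sonarqube.devops.example.com",
    "vault.devops.example.com",
    "loki.devops.example.com",
    "grafana.devops.example.com",
    "tempo.devops.example.com",
    "mimir.devops.example.com",
    "minio-dso.devops.example.com",
    "minio-dso-api.devops.example.com",
    "minio-obs.devops.example.com",
    "minio-obs-api.devops.example.com",
]


def san_matches(pattern, hostname):
    """RFC 6125 style matching as browsers and Go/OpenSSL clients apply it.

    '*' is accepted only as the entire left-most label and matches exactly
    one label, so *.devops.example.com covers gitlab.devops.example.com but
    neither devops.example.com nor a.b.devops.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial or non-leading wildcards are not honoured
    if len(p_labels) < 3:
        return False  # refuse *.com and similar over-broad wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hosts(sans, hostnames=HOSTNAMES):
    """Hostnames that no entry of the SAN list matches (empty means all covered)."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    # Constructed SAN lists: a correct wildcard and a common mistake.
    print("wildcard one level up:", uncovered_hosts(["*.example.com"]))
    print("correct wildcard:     ", uncovered_hosts(["*.devops.example.com"]))
```

Feed it the SAN list of the certificate you actually deploy (for example the dNSName entries shown by `openssl x509 -noout -ext subjectAltName`); any hostname it returns will fail TLS verification at the ingress.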
Ingress
Firewall
Policy | Protocol | Direction | Port | Source | Description |
---|---|---|---|---|---|
Kubernetes Master Nodes | | | | | |
Allow | TCP | Inbound | 6443 | HAProxy | Kubernetes API |
Allow | TCP | Inbound | 6443 | RKE2 Worker Nodes | Kubernetes API |
Allow | TCP | Inbound | 9345 | RKE2 Master Nodes | RKE2 Supervisor API |
Allow | TCP | Inbound | 9345 | RKE2 Worker Nodes | RKE2 Supervisor API |
Allow | TCP | Inbound | 2379 | RKE2 Master Nodes | etcd Client Port |
Allow | TCP | Inbound | 2380 | RKE2 Master Nodes | etcd Peer Port |
Allow | TCP | Inbound | 2381 | RKE2 Master Nodes | etcd Metrics Port |
Kubernetes Worker Nodes | | | | | |
Allow | TCP | Inbound | 30080, 30443 | HAProxy | NodePort Ingress Service |
Kubernetes Master & Worker Nodes | | | | | |
Allow | TCP | Inbound | 10250 | Any | kubelet API (metrics scraping) |
Allow | TCP | Inbound | 179 | All RKE2 Nodes | Calico CNI with BGP |
Allow | UDP | Inbound | 4789 | All RKE2 Nodes | Calico CNI with VXLAN |
Allow | TCP | Inbound | 5473 | All RKE2 Nodes | Calico CNI with Typha |
Allow | TCP | Inbound | 9098 | All RKE2 Nodes | Calico Typha health checks |
Allow | TCP | Inbound | 9099 | All RKE2 Nodes | Calico health checks |
GitLab | | | | | |
Allow | TCP | Inbound | 80, 443 | Any | Web Service |
Allow | TCP | Inbound | 22 | Any | Git SSH |
Allow | TCP | Inbound | 9090 | Any | GitLab Prometheus Metrics |
NFS | | | | | |
Allow | TCP/UDP | Inbound | 2049 | RKE2 Worker Nodes | NFSd |
Allow | TCP/UDP | Inbound | 111 | RKE2 Worker Nodes | PortMapper |
Allow | TCP/UDP | Inbound | 33333 | RKE2 Worker Nodes | MountD |
HAProxy | | | | | |
Allow | TCP | Inbound | 80, 443 | Any | HTTP/HTTPS Inbound |
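Both firewall tables (standalone and multi-cluster) are per-role allow lists drawn from a handful of source groups, which maps directly onto an nftables input chain with one named set per group and a default drop. The following added example (not Opstella's tooling) renders that chain for a master or worker node from rows transcribed from the table above, and flags any row that opens a control-plane port to Any, which is what catches the 6443/Any and 10250/Any rows of the standalone table. The host addresses inside 192.168.72.0/24 and the administrative SSH rule from the bastion host are assumptions of the example.

```python
"""Render a per-role nftables input policy from the firewall table.

Added example, not Opstella's own tooling. The host addresses and the
bastion SSH rule are assumptions; the rule rows are transcribed from the
table above.
"""
import re

# Assumed addresses inside 192.168.72.0/24 (the page gives subnets only).
GROUPS = {
    "Bastion Host": ["192.168.72.5"],
    "HAProxy": ["192.168.72.10"],
    "RKE2 Master Nodes": ["192.168.72.21", "192.168.72.22", "192.168.72.23"],
    "RKE2 Worker Nodes": ["192.168.72.31", "192.168.72.32", "192.168.72.33"],
}
GROUPS["All RKE2 Nodes"] = GROUPS["RKE2 Master Nodes"] + GROUPS["RKE2 Worker Nodes"]

# (applies_to, proto, ports, source, description) for the node rows of the
# table; "all" rows apply to master and worker nodes alike.
RULES = [
    ("master", "tcp", "6443", "HAProxy", "Kubernetes API"),
    ("master", "tcp", "6443", "RKE2 Worker Nodes", "Kubernetes API"),
    ("master", "tcp", "9345", "RKE2 Master Nodes", "RKE2 Supervisor API"),
    ("master", "tcp", "9345", "RKE2 Worker Nodes", "RKE2 Supervisor API"),
    ("master", "tcp", "2379", "RKE2 Master Nodes", "etcd Client Port"),
    ("master", "tcp", "2380", "RKE2 Master Nodes", "etcd Peer Port"),
    ("master", "tcp", "2381", "RKE2 Master Nodes", "etcd Metrics Port"),
    ("worker", "tcp", "30080, 30443", "HAProxy", "NodePort Ingress Service"),
    ("all", "tcp", "10250", "Any", "kubelet API (metrics scraping)"),
    ("all", "tcp", "179", "All RKE2 Nodes", "Calico CNI with BGP"),
    ("all", "udp", "4789", "All RKE2 Nodes", "Calico CNI with VXLAN"),
    ("all", "tcp", "5473", "All RKE2 Nodes", "Calico CNI with Typha"),
    ("all", "tcp", "9098", "All RKE2 Nodes", "Calico Typha health checks"),
    ("all", "tcp", "9099", "All RKE2 Nodes", "Calico health checks"),
]

# Control-plane ports that must never be reachable from Any: the API server,
# the RKE2 supervisor, etcd, and the kubelet API (10250 serves exec, logs and
# port-forward, not only metrics).
CONTROL_PLANE_PORTS = {"6443", "9345", "2379", "2380", "2381", "10250"}


def set_name(group):
    """'RKE2 Master Nodes' -> 'rke2_master_nodes' (a valid nft set name)."""
    return re.sub(r"[^a-z0-9]+", "_", group.lower()).strip("_")


def rules_for(role, rules=RULES):
    """Rows that apply to a node of the given role ('master' or 'worker')."""
    return [r for r in rules if r[0] in (role, "all")]


def exposed_to_any(rules, sensitive=CONTROL_PLANE_PORTS):
    """Rows that open a control-plane port to any source; fix these first."""
    return sorted(
        (applies_to, ports, desc)
        for applies_to, _proto, ports, src, desc in rules
        if src == "Any" and any(p.strip() in sensitive for p in ports.split(","))
    )


def input_rules(role, rules=RULES, groups=GROUPS):
    """Rule lines for the input chain of one node, in evaluation order."""
    lines = [
        'iif "lo" accept',
        "ct state established,related accept",
        "ct state invalid drop",
        "ip protocol icmp accept",
        # Assumption: administrative SSH only from the bastion host (not in the table).
        f'tcp dport 22 ip saddr @{set_name("Bastion Host")} accept comment "admin SSH (assumed)"',
    ]
    for _applies_to, proto, ports, src, desc in rules_for(role, rules):
        port_list = [p.strip() for p in ports.split(",")]
        port_expr = port_list[0] if len(port_list) == 1 else "{ " + ", ".join(port_list) + " }"
        if src == "Any":
            src_expr = ""  # no saddr match: reachable from everywhere
        elif src in groups:
            src_expr = f" ip saddr @{set_name(src)}"
        else:
            raise KeyError(f"unknown source group {src!r}; add it to GROUPS")
        lines.append(f'{proto} dport {port_expr}{src_expr} accept comment "{desc}"')
    return lines


def render_nft(role, rules=RULES, groups=GROUPS):
    """Complete /etc/nftables.conf for a node of the given role."""
    out = ["flush ruleset", "table inet k8s_node {"]
    for group, addrs in groups.items():
        out += [f"  set {set_name(group)} {{", "    type ipv4_addr",
                "    elements = { " + ", ".join(addrs) + " }", "  }"]
    out += ["  chain input {", "    type filter hook input priority 0; policy drop;"]
    out += ["    " + line for line in input_rules(role, rules, groups)]
    out += ["  }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in exposed_to_any(RULES):
        print("REVIEW:", finding)
    print(render_nft("master"))
```

Load the output with `nft -f` after replacing the assumed addresses with your own hosts; the sets are ipv4_addr only, so IPv6 traffic falls through to the drop policy. Because every row becomes a separate accept line, the rendered file stays a one-to-one audit trail against the table.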