Deploy on DigitalOcean / Linode
Create Kubernetes Cluster
Create a Kubernetes cluster with 3 nodes; use at least the Premium CPU node type (Dedicated 8 GB). If you prefer the Linode CLI, pick a region id from "linode-cli regions list" and put it in place of <your-region>:
linode-cli lke cluster-create \
  --label opensecurity \
  --region <your-region> \
  --k8s_version 1.31 \
  --control_plane.high_availability false \
  --node_pools.type g6-dedicated-4 \
  --node_pools.count 3 \
  --tags opencomply
Install with Helm
a. Set your domain name as an environment variable (put the hostname you will use, for example demo.example.com, between the quotes; no scheme or path):
export DOMAIN=""
b. Run Helm install
helm repo add opensecurity https://charts.opensecurity.sh --force-update
helm install opensecurity opensecurity/opensecurity \
--namespace opensecurity \
--create-namespace \
--timeout 10m \
--set global.domain="$DOMAIN" \
--set dex.config.issuer="https://$DOMAIN/dex"
Setup Load Balancer
a. Install Ingress Controller
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx \
--namespace opensecurity \
--create-namespace \
--set controller.replicaCount=2 \
--set controller.resources.requests.cpu=100m \
--set controller.resources.requests.memory=90Mi
Watch the load balancer service and wait until the EXTERNAL-IP column shows an address instead of <pending>. It can take a few minutes for the provider to assign one.
kubectl get service --namespace opensecurity ingress-nginx-controller --output wide --watch
b. Create DNS Records
Once EXTERNAL-IP is populated, create a DNS A record for your domain that points to that address. Use your actual domain name instead of your.domain.com.
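The DNS record is what the HTTP-01 challenge in the next section depends on, so it is worth checking it from the workstation before moving on. The script below is an added example, not part of the opencomply docs or chart; it assumes kubectl and dig on the workstation and the names used in this guide (namespace opensecurity, service ingress-nginx-controller). The interesting part is dns_points_to: it accepts CNAME targets in the resolver output but rejects a stale second A record, because a record that still points at an old host sends part of the traffic, including part of the ACME challenge requests, where nothing can answer them.

```shell
#!/bin/sh
# Added example (not part of the opencomply docs): confirm that the DNS A record
# for $DOMAIN points at the ingress-nginx load balancer and nowhere else, before
# cert-manager tries an HTTP-01 challenge against it.
# Assumes kubectl and dig on the workstation, and the names used in this guide
# (namespace "opensecurity", service "ingress-nginx-controller").
# Run as:  DOMAIN=demo.example.com sh check-dns.sh live
set -eu

NAMESPACE="${NAMESPACE:-opensecurity}"
SERVICE="${SERVICE:-ingress-nginx-controller}"

# dns_points_to RESOLVED EXPECTED_IP
# RESOLVED is what `dig +short A name` prints: one record per line, possibly
# with CNAME targets (names ending in '.') ahead of the A records. Succeed only
# if the expected IP is present and no *other* IPv4 address is: a stale second
# A record would send part of the traffic (and part of the ACME challenge
# requests) to a host that cannot answer them.
dns_points_to() {
  dp_expected="$2"
  dp_matched=0
  dp_extra=0
  for dp_rec in $1; do
    case "$dp_rec" in
      *[!0-9.]*) continue ;;   # not a dotted quad: a CNAME target, skip it
    esac
    if [ "$dp_rec" = "$dp_expected" ]; then
      dp_matched=1
    else
      dp_extra=1
    fi
  done
  [ "$dp_matched" -eq 1 ] && [ "$dp_extra" -eq 0 ]
}

# lb_external_ip: the address the cloud provider assigned to the Service;
# empty while the EXTERNAL-IP column still shows <pending>.
lb_external_ip() {
  kubectl get service -n "$NAMESPACE" "$SERVICE" \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
}

live_check() {
  : "${DOMAIN:?set DOMAIN to the hostname you will serve opensecurity on}"
  lb_ip=$(lb_external_ip)
  if [ -z "$lb_ip" ]; then
    echo "EXTERNAL-IP not assigned yet; wait and re-run" >&2
    exit 1
  fi
  resolved=$(dig +short A "$DOMAIN")
  if dns_points_to "$resolved" "$lb_ip"; then
    echo "OK: $DOMAIN -> $lb_ip"
  else
    printf 'MISMATCH: %s resolves to [%s] but the load balancer is %s\n' \
      "$DOMAIN" "$(printf '%s' "$resolved" | tr '\n' ' ')" "$lb_ip" >&2
    exit 1
  fi
}

# Only talk to the cluster when asked to; sourcing the file just defines the functions.
case "${1:-}" in live) live_check ;; esac
```

Run it again after any DNS change: resolvers cache the old answer for the record's TTL, and Let's Encrypt validates from its own vantage points, so a MISMATCH here is the usual reason a certificate later stays in the pending state.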
Setup Certificate Manager
a. Set Email for Let's Encrypt
🔺 Note: Use a valid, monitored email address when obtaining Let's Encrypt certificates; issuance fails otherwise, and expiry notices go to this address.
export EMAIL="you@your-domain.com"
b. Install Cert Manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set crds.enabled=true \
--set prometheus.enabled=false
c. Create Issuer in Kubernetes Cluster
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-nginx
  namespace: opensecurity
spec:
  acme:
    email: ${EMAIL}
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-nginx-private-key
    solvers:
      - http01:
          ingress:
            class: nginx
EOF
Check if the Issuer is ready by running the following command:
kubectl get issuer -n opensecurity
Expected Output:
NAME                READY   AGE
letsencrypt-nginx   True    2m
Note: It may take a few minutes for the Issuer to reach the Ready state (it has to register an ACME account with Let's Encrypt first). If it is not ready yet, re-run the command.
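Rather than re-running kubectl by hand for each "wait until" step in this guide (the EXTERNAL-IP above, the Issuer here, and the Certificate that the Ingress in the next section produces), a small polling helper can do it with a timeout. The script below is an added example, not part of the opencomply docs or chart. It assumes kubectl and the names used in this guide (namespace opensecurity, Issuer letsencrypt-nginx, service ingress-nginx-controller); the Certificate name assumes cert-manager's ingress-shim, which names the Certificate after the Ingress tls.secretName (letsencrypt-nginx).

```shell
#!/bin/sh
# Added example (not part of the opencomply docs): poll the cluster until the
# objects this guide tells you to wait for are actually ready.
# Assumes kubectl and the names used in the guide (namespace "opensecurity",
# Issuer "letsencrypt-nginx", Service "ingress-nginx-controller"); the
# Certificate name assumes cert-manager's ingress-shim, which names it after
# the Ingress tls.secretName ("letsencrypt-nginx").
# Run as:  sh wait-ready.sh all
set -eu

NAMESPACE="${NAMESPACE:-opensecurity}"

# wait_for TIMEOUT_SECONDS INTERVAL_SECONDS PREDICATE [ARGS...]
# Re-run PREDICATE until it exits 0; give up (return 1) once TIMEOUT elapses.
# The predicate runs in the current shell, so it may keep state in variables.
wait_for() {
  wf_timeout="$1"; wf_interval="$2"; shift 2
  wf_deadline=$(( $(date +%s) + wf_timeout ))
  while ! "$@"; do
    if [ "$(date +%s)" -ge "$wf_deadline" ]; then
      echo "wait_for: '$*' not satisfied within ${wf_timeout}s" >&2
      return 1
    fi
    sleep "$wf_interval"
  done
}

# Predicates. Each reads a single field with jsonpath, so a transient kubectl
# failure (API server restart, expired token) counts as "not yet" rather than
# aborting the whole wait.
lb_ip_assigned() {
  lb_ip=$(kubectl get service -n "$NAMESPACE" ingress-nginx-controller \
            -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null) || return 1
  [ -n "$lb_ip" ]
}

issuer_ready() {
  st=$(kubectl get issuer -n "$NAMESPACE" letsencrypt-nginx \
         -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null) || return 1
  [ "$st" = True ]
}

certificate_ready() {
  st=$(kubectl get certificate -n "$NAMESPACE" letsencrypt-nginx \
         -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null) || return 1
  [ "$st" = True ]
}

wait_all() {
  wait_for 600 10 lb_ip_assigned
  echo "load balancer: $lb_ip  (the A record for your domain must point here)"
  wait_for 300 10 issuer_ready
  echo "issuer letsencrypt-nginx: Ready"
  # The Certificate only exists once the Ingress has been applied, and only
  # becomes Ready after DNS resolves to $lb_ip and port 80 is reachable from
  # the Internet for the HTTP-01 challenge.
  wait_for 900 15 certificate_ready
  echo "certificate letsencrypt-nginx: Ready"
}

case "${1:-}" in all) wait_all ;; esac
```

A Ready Issuer only means the ACME account was registered; it says nothing about whether a challenge will succeed, which is why the Certificate wait has the longest timeout. While still iterating on DNS or the Ingress, pointing the Issuer at Let's Encrypt's staging endpoint (https://acme-staging-v02.api.letsencrypt.org/directory) avoids hitting the production rate limits with failed orders; switch back to the production URL shown above once a staging certificate issues.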
Update App Configuration
a. Create and Apply the Ingress Manifest:
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: opensecurity-ingress
  namespace: opensecurity
  annotations:
    cert-manager.io/issuer: letsencrypt-nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - ${DOMAIN}
      secretName: letsencrypt-nginx
  ingressClassName: nginx
  rules:
    - host: ${DOMAIN}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-proxy
                port:
                  number: 80
EOF
b. Verify the Ingress Resource:
kubectl get ingress -n opensecurity
Expected Output:
NAME                   CLASS    HOSTS              ADDRESS        PORTS   AGE
opensecurity-ingress   <none>   demo.example.com   192.0.2.123    80      5m
Open https://$DOMAIN in your browser and log in with [email protected] as the username and password as the password.
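Before logging in with the default account it is worth confirming from outside the cluster that the Ingress really serves the Let's Encrypt certificate and that the ssl-redirect annotation is in effect; the same checks cover the "Certificate Issues" entry under Troubleshooting. The script below is an added example, not part of the opencomply docs or chart; it assumes curl and openssl on the workstation and DOMAIN set as in this guide. Two failure modes it distinguishes: a redirect that points at an http:// URL (which would leave the session in clear text), and the self-signed "Kubernetes Ingress Controller Fake Certificate" that ingress-nginx serves while the TLS secret named in the Ingress does not exist yet.

```shell
#!/bin/sh
# Added example (not part of the opencomply docs): verify that the Ingress
# created above serves the Let's Encrypt certificate for $DOMAIN and that
# plain HTTP is redirected to HTTPS, as the ssl-redirect annotation requests.
# Assumes curl and openssl on the workstation and DOMAIN set as in the guide.
# Run as:  DOMAIN=demo.example.com sh verify-tls.sh live
set -eu

# is_https_redirect HEADERS
# HEADERS is a response head as printed by `curl -sI`. Succeed only for a
# redirect status whose Location is an https:// URL; a 301 to http:// would
# keep the browser in clear text and is treated as a failure.
is_https_redirect() {
  ih_status=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
  case "$ih_status" in
    301|302|307|308) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^location: *https://' >/dev/null
}

# classify_cert CERT_TEXT DOMAIN
# CERT_TEXT is the output of `openssl x509 -noout -subject -ext subjectAltName`.
# Prints "placeholder" when ingress-nginx is still serving its self-signed
# default certificate (the TLS secret does not exist yet), "ok" when the SAN
# list names DOMAIN, "mismatch" otherwise (wrong host, or a cert for another
# Ingress that shares the controller).
classify_cert() {
  cc_text="$1"; cc_domain="$2"
  case "$cc_text" in
    *"Kubernetes Ingress Controller Fake Certificate"*) echo placeholder; return 0 ;;
  esac
  # SANs are printed on one line as "DNS:a, DNS:b"; split and compare exactly.
  if printf '%s\n' "$cc_text" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:${cc_domain}"; then
    echo ok
  else
    echo mismatch
  fi
}

live_check() {
  : "${DOMAIN:?set DOMAIN to the hostname used in the Ingress}"
  headers=$(curl -sI --max-time 10 "http://${DOMAIN}/")
  if is_https_redirect "$headers"; then
    echo "OK: http://${DOMAIN}/ redirects to https"
  else
    echo "WARN: port 80 does not redirect to https (ssl-redirect not in effect?)"
  fi
  # -servername makes nginx pick the certificate for this host (SNI).
  cert_text=$(openssl s_client -connect "${DOMAIN}:443" -servername "$DOMAIN" </dev/null 2>/dev/null \
                | openssl x509 -noout -subject -ext subjectAltName)
  echo "certificate for ${DOMAIN}: $(classify_cert "$cert_text" "$DOMAIN")"
}

case "${1:-}" in live) live_check ;; esac
```

A "placeholder" result right after applying the Ingress is normal until the Certificate becomes Ready; if it persists, kubectl describe certificate letsencrypt-nginx -n opensecurity shows which challenge is failing. Once the checks pass and you log in, change the default password before doing anything else: the account name and password above are published in this guide and the login page is now reachable from the Internet.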
Troubleshooting
Ingress Not Accessible:
Verify that the DNS A record points correctly to the Ingress Controller's external IP.
Ensure that the Ingress resource is correctly configured with the appropriate host and paths.
Certificate Issues:
Check the status of the cert-manager Issuer:
kubectl describe issuer letsencrypt-nginx -n opensecurity
Ensure that the EMAIL environment variable is correctly set and that Let's Encrypt can reach your Ingress on port 80 for the HTTP-01 challenge.
Pod Failures:
Inspect pod logs for any errors:
kubectl logs <pod-name> -n opensecurity
Ensure that all required services are running and properly configured.
Helm Deployment Issues:
Verify Helm release status:
helm list -n opensecurity
helm status opensecurity -n opensecurity
Reinstall or upgrade Helm charts as necessary.
Useful Commands
List All Namespaces:
kubectl get namespaces
List All Services in a Namespace:
kubectl get services -n opensecurity
Watch Pod Status:
kubectl get pods -n opensecurity --watch
Note: Always adhere to your organization's security policies when handling credentials and configuring access. Ensure that all sensitive information is stored securely and that only authorized personnel have access to critical configurations.