Deploy on DigitalOcean / Linode
1
Create Kubernetes Cluster
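# Create the Kubernetes cluster. Two providers are covered; run only the
# command for the provider you use.

# Linode (LKE): three g6-dedicated-4 nodes in us-east on Kubernetes 1.31.
# NOTE(review): high_availability is false, so the control plane is not
# highly available; enable it for anything that must stay reachable.
linode-cli lke cluster-create \
  --label opensecurity \
  --region us-east \
  --k8s_version 1.31 \
  --control_plane.high_availability false \
  --node_pools.type g6-dedicated-4 \
  --node_pools.count 3 \
  --tags opencomply

# DigitalOcean (DOKS): three g-4vcpu-16gb-intel nodes in nyc3.
# --wait blocks until the cluster has been provisioned.
doctl kubernetes cluster create opensecurity \
  --region nyc3 \
  --node-pool "name=main-pool;size=g-4vcpu-16gb-intel;count=3" \
  --wait
2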
Install with Helm
a. Set Your Domain Name as an Environment Variable (replace the value with your own hostname, without a scheme such as https://, because the install command adds it):
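# Public hostname the platform will be served on. Use a bare hostname:
# the Dex issuer URL below is built as https://$DOMAIN/dex.
export DOMAIN="demo.example.com"

# Register the chart repository; --force-update overwrites an existing
# repository entry of the same name.
helm repo add opensecurity https://charts.opensecurity.sh --force-update

# Install the release into its own namespace.
# NOTE(review): no --version is given, so Helm installs the newest chart in
# the repository index; pin a reviewed chart version for repeatable installs.
helm install opensecurity opensecurity/opensecurity \
  --namespace opensecurity \
  --create-namespace \
  --timeout 10m \
  --set global.domain="$DOMAIN" \
  --set dex.config.issuer="https://$DOMAIN/dex"
3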
Setup Load Balancer
a. Install Ingress Controller
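# Add the ingress-nginx chart repository and refresh the local index.
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# Install the controller with two replicas into the opensecurity namespace
# (--create-namespace is harmless when the namespace already exists).
# NOTE(review): no --version is given; pin a reviewed chart version, since
# this controller is the internet-facing entry point of the deployment.
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace opensecurity \
  --create-namespace \
  --set controller.replicaCount=2 \
  --set controller.resources.requests.cpu=100m \
  --set controller.resources.requests.memory=90Mi

# Watch until the load balancer service shows an EXTERNAL-IP, then stop with
# Ctrl-C. That address is presumably the target for the DNS record of $DOMAIN.
kubectl get service --namespace opensecurity ingress-nginx-controller --output wide --watch
b. Create DNS Records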
4
Setup Certificate Manager
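# ACME account contact address.
# Placeholder value: replace it with a mailbox you control before running.
export EMAIL="you@example.com"

# Add the cert-manager chart repository and refresh the local index.
helm repo add jetstack https://charts.jetstack.io
helm repo update

# Install cert-manager together with its CRDs; the Prometheus integration is
# switched off.
# NOTE(review): no --version is given; pin a reviewed chart version.
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true \
  --set prometheus.enabled=false

# The heredoc below is unquoted, so the shell substitutes ${EMAIL} before
# kubectl sees the manifest. Abort instead of applying an empty address.
: "${EMAIL:?export EMAIL before creating the Issuer}"

# Namespaced Issuer that obtains certificates through HTTP-01 challenges
# answered by the nginx ingress class.
# The ACME account private key is stored in the Secret
# letsencrypt-nginx-private-key in the opensecurity namespace.
# NOTE(review): this is the Let's Encrypt production endpoint, which is
# rate-limited. While testing, the staging endpoint
# https://acme-staging-v02.api.letsencrypt.org/directory avoids using up
# those limits (its certificates are not browser-trusted).
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-nginx
  namespace: opensecurity
spec:
  acme:
    email: ${EMAIL}
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-nginx-private-key
    solvers:
      - http01:
          ingress:
            class: nginx
EOF

# Confirm the Issuer registered with the ACME server (READY must be True).
kubectl get issuer -n opensecurity
# Sample output:
#   NAME                READY   AGE
#   letsencrypt-nginx   True    2m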
5
Update App Configuration
a. Create and Apply the Ingress Manifest:
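# The heredoc below is unquoted, so the shell substitutes ${DOMAIN} before
# kubectl sees the manifest. Abort instead of applying an empty host.
: "${DOMAIN:?export DOMAIN before applying the Ingress}"

# Ingress for the platform, in the same namespace as the Issuer it refers to.
# - cert-manager.io/issuer asks cert-manager to issue the certificate through
#   the letsencrypt-nginx Issuer and store it in the Secret named in
#   spec.tls[].secretName.
# - ssl-redirect "true" sends plain-HTTP requests to HTTPS.
# - TLS ends at the ingress controller; traffic to the nginx-proxy backend
#   uses port 80 inside the cluster.
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: opensecurity-ingress
  namespace: opensecurity
  annotations:
    cert-manager.io/issuer: letsencrypt-nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - ${DOMAIN}
      secretName: letsencrypt-nginx
  ingressClassName: nginx
  rules:
    - host: ${DOMAIN}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-proxy
                port:
                  number: 80
EOF
b. Verify the Ingress Resource: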
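# List the Ingress and check that HOSTS matches $DOMAIN and ADDRESS is the
# load balancer address.
kubectl get ingress -n opensecurity
# Sample output:
#   NAME                   CLASS    HOSTS              ADDRESS       PORTS   AGE
#   opensecurity-ingress   <none>   demo.example.com   192.0.2.123   80      5m
# NOTE(review): for an Ingress with ingressClassName nginx and a tls section,
# kubectl normally prints CLASS "nginx" and PORTS "80, 443". If your output
# shows only port 80, check that the tls block was applied.
Troubleshooting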
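# Inspect the Issuer's status conditions and events.
kubectl describe issuer letsencrypt-nginx -n opensecurity

# Logs of a single pod. Set POD_NAME to a name listed by
# `kubectl get pods -n opensecurity`. A variable is used because the shell
# treats an angle-bracket placeholder as redirections.
# Review logs for tokens or other secrets before sharing them.
kubectl logs "${POD_NAME:?set POD_NAME to a pod in the opensecurity namespace}" -n opensecurity

# Releases in the namespace, then the status of the platform release.
helm list -n opensecurity
helm status opensecurity -n opensecurity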
Useful Commands