
Cluster Provisioning

Laralord automates the provisioning of Kubernetes clusters using default OpenTofu (Terraform) templates, streamlining the setup of infrastructure for Laravel applications. The provisioning process includes cluster creation, service installation, and secure access configuration, enabling you to deploy and manage your applications efficiently. This page outlines the provisioning stages, supported services, and security features, including Single Sign-On and mTLS encryption.

Provisioning Stages

Laralord uses OpenTofu (an open-source fork of Terraform) to provision Kubernetes clusters with pre-defined templates. The process consists of the following stages:

  1. Cluster Creation on Cloud Provider: Currently, Laralord supports DigitalOcean for cluster creation, with plans to add support for other providers like AWS, Azure, and Google Cloud soon.
  2. Services Provisioning: Installs user-defined services into the cluster, including default and optional services, along with necessary configurations for secure access and ingress.
  3. Other Resources Provisioning: Laralord can also provision the following resources: AWS S3 buckets, Cert Manager certificate issuers, TLS (SSL)/mTLS certificates, GitLab Runner (CI for GitLab), BuildKit (Docker image build tool), and Argo CD Applications (used to deploy your application).

Default Services

Laralord automatically installs the following default services to provide core functionality for your Kubernetes cluster:

  • Argo CD: Enables GitOps workflows for continuous delivery and application deployment.
  • Argo Workflows: Manages and automates complex workflows for CI/CD and data processing.
  • Apisix Gateway: Handles ingress traffic with Apisix Ingress Controller, providing routing, load balancing, and TLS management.
  • Cert Manager: Issues and renews TLS/SSL certificates using Let’s Encrypt, ensuring secure communication.
  • Metrics Server: Collects resource usage metrics for monitoring and scaling decisions.
  • Vault HashiCorp: Manages secrets and encrypted data, integrating seamlessly with Kubernetes.

These services enable key functionalities like deploying Laravel applications, processing ingress via Apisix, issuing and renewing TLS certificates, and automating TLS secrets integration with Apisix Gateway.

Optional Services

Laralord supports additional optional services based on your needs, which can be installed during provisioning:

  • PostgreSQL: Advanced relational database for robust data management.
  • MySQL: Reliable relational database for Laravel applications.
  • OpenSearch: Elasticsearch fork for powerful search and analytics capabilities.
  • Redis (Valkey Fork): Efficient caching and real-time data processing.
  • Hubble: Network observability tool for monitoring cluster traffic.
  • Prometheus with Grafana: Monitoring and visualization for cluster metrics.
  • Fluent: Stores logs from all containers in OpenSearch for centralized logging.
  • Websocket Pusher-like Microservice: Enables real-time communication for your Laravel app.

Note: Services that don’t support the HTTP protocol (e.g., MySQL, PostgreSQL, Redis) are exposed using the NodePort service approach, utilizing random ports in the range of 32000 to 32767 (the default Kubernetes NodePort range).
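A NodePort service is reachable on every node's IP, not just inside the cluster, so the non-HTTP services listed above deserve a firewall review. The following added example (not Laralord's own code) parses a constructed `kubectl get svc -A -o json` dump, lists which services are node-exposed and on which port, and flags any nodePort outside the 32000-32767 range the note states.

```python
import json

# NodePort range stated on this page for Laralord's non-HTTP services
NODEPORT_MIN, NODEPORT_MAX = 32000, 32767

# Well-known non-HTTP service ports; a NodePort in front of these is
# reachable on every node's IP, so it needs a cloud firewall rule review.
NON_HTTP_PORTS = {3306: "mysql", 5432: "postgresql", 6379: "redis"}

# Constructed sample of `kubectl get svc -A -o json` (not real cluster output)
SAMPLE_SVC_JSON = json.dumps({"items": [
    {"metadata": {"name": "mysql", "namespace": "laralord"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 3306, "nodePort": 32417}]}},
    {"metadata": {"name": "redis", "namespace": "laralord"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 6379, "nodePort": 31002}]}},
    {"metadata": {"name": "vault", "namespace": "vault"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8200}]}},
]})


def audit_nodeports(svc_json: str) -> dict:
    """Return node-exposed services and any nodePort outside the expected range."""
    exposed, out_of_range = [], []
    for item in json.loads(svc_json)["items"]:
        spec = item["spec"]
        if spec.get("type") != "NodePort":
            continue  # ClusterIP services are only reachable inside the cluster
        name = f'{item["metadata"]["namespace"]}/{item["metadata"]["name"]}'
        for p in spec.get("ports", []):
            node_port = p.get("nodePort")
            if node_port is None:
                continue
            proto = NON_HTTP_PORTS.get(p["port"], "unknown")
            exposed.append({"service": name, "protocol": proto, "nodePort": node_port})
            if not NODEPORT_MIN <= node_port <= NODEPORT_MAX:
                out_of_range.append({"service": name, "nodePort": node_port})
    return {"exposed": exposed, "out_of_range": out_of_range}


if __name__ == "__main__":
    report = audit_nodeports(SAMPLE_SVC_JSON)
    for e in report["exposed"]:
        print(f'{e["service"]} ({e["protocol"]}) reachable on every node at :{e["nodePort"]}')
    for o in report["out_of_range"]:
        print(f'WARNING: {o["service"]} uses nodePort {o["nodePort"]} outside the expected range')
```

Run it against real output by replacing the constructed sample with the saved `kubectl` JSON; every service it lists should have a matching firewall rule restricting source addresses.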

Why Apisix Gateway?

Apisix Gateway is a Kubernetes-native ingress controller that simplifies traffic management for Laravel applications. Key benefits include:

  • Kubernetes-native configuration via declarative definitions.
  • Automatic TLS key management for secure communication.
  • Rich and powerful API with a wide range of plugins and community support.
  • User-friendly UI to manage routes, reducing complexity for beginners by avoiding intricate Kubernetes structures.

Why Vault HashiCorp?

Vault HashiCorp is an industry-standard solution for managing encrypted data and secrets in Kubernetes. Its advantages include:

  • Kubernetes-native integration, syncing secrets directly to Kubernetes.
  • Rich API for advanced secret management workflows.
  • Intuitive UI, allowing users to manually specify secrets without deep technical knowledge.
  • Robust security features, making it a trusted choice for secret management.

Other Services Overview

During provisioning, Laralord also sets up UI components and tools for secure access and management:

  • OpenSearch UI: Visualize and manage OpenSearch data.
  • PostgreSQL Admin: Web-based administration for PostgreSQL databases.
  • phpMyAdmin: Manage MySQL databases with an easy-to-use interface.
  • Vault UI: Access Vault HashiCorp for secret management.
  • mTLS Certificates: Enable mutual TLS for secure internal communication.
  • Ingress (Apisix Routes): Configure routing for internal and external traffic.

Single Sign-On and Security

Laralord implements Single Sign-On (SSO) for secure access to internal services, integrated with the Laralord frontend. This approach enhances security by:

  • Routing all internal service traffic through Apisix Gateway using Laralord’s internal DNS with unique hosts.
  • Encrypting all traffic with mTLS, requiring a client mTLS key to establish connections.
  • Using a proxy with a client mTLS certificate on the Laralord side, where a connection is established only after Laravel has signed the request and it has gone through SSO authorization.

This setup dramatically reduces the attack surface on your server by ensuring secure, authenticated access to all services.
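The page does not specify how Laravel signs requests to the proxy, so the following is an added, illustrative scheme rather than Laralord's own: an HMAC-SHA256 over method, path, timestamp, nonce and body hash, verified on the proxy side with a freshness window and replay rejection. The header names, the 300-second window and the shared secret are assumptions for the example.

```python
import hashlib
import hmac
import time

# Assumed scheme (not Laralord's): the signing side sends X-Timestamp, X-Nonce
# and X-Signature = HMAC-SHA256(secret, "METHOD\nPATH\nTIMESTAMP\nNONCE\nSHA256(body)").
MAX_SKEW_SECONDS = 300  # assumed freshness window


def canonical_string(method: str, path: str, ts: str, nonce: str, body: bytes) -> bytes:
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{ts}\n{nonce}\n{body_hash}".encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes, ts: int, nonce: str) -> dict:
    """Headers the signing side attaches; used here to build verifier input."""
    mac = hmac.new(secret, canonical_string(method, path, str(ts), nonce, body), hashlib.sha256)
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class SignatureVerifier:
    """Proxy-side check: valid HMAC, fresh timestamp, nonce not seen before."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = {}  # nonce -> expiry time, for replay protection

    def verify(self, method: str, path: str, body: bytes, headers: dict, now=None) -> tuple:
        now = time.time() if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce, sig = headers["X-Nonce"], headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "timestamp outside allowed window"
        expected = hmac.new(self._secret, canonical_string(method, path, str(ts), nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}  # drop expired
        if nonce in self._seen:
            return False, "replayed nonce"
        self._seen[nonce] = now + MAX_SKEW_SECONDS
        return True, "ok"
```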

Additional Configurations

During provisioning, Laralord configures the following to ensure a fully operational cluster:

  • Load Balancer: Points to Apisix Gateway on ports 80 and 443 for external traffic.
  • Self-Signed Certificate with nip.io: A self-signed certificate is created for a nip.io domain (e.g., <your-ip>.nip.io). nip.io is a dynamic DNS service that provides free DNS records based on your public IP address, allowing you to start working without a custom domain. Use this for webhooks or development environments.

Once provisioning is complete, you can deploy your Laravel application, manage tenants, and scale your infrastructure with ease.

Laralord © 2024. UI Build: 0.1.0-rc1-42-g4cde