Below, we walk through how to deploy Opal Self-Host on Google Cloud GKE.

There are 3 steps to deploying Opal:

1. Infrastructure setup: GKE cluster, Cloud SQL Postgres instance, and TLS certificate
2. Deploy Opal admin console: deployed on the GKE cluster and used to configure your Opal deployment and manage updates
3. Configure and deploy Opal: deployed on the GKE cluster.

1. Infrastructure Setup

Deployment checklist

The following is an overview to help plan for the deployment. We expand on each item below.

• GKE cluster is provisioned.
• SQL database is provisioned.
• The hostname to reach Opal has to be decided. This cannot be updated later.
• The TLS certificate matching the desired hostname is available in the Load balancing components.

Create a Kubernetes cluster

Opal installs into an existing Kubernetes cluster. This cluster must meet the following requirements:

• Min nodes: 2
• Min total CPU: 4 cores
• Min total RAM: 16 GB
• Kubernetes version: 1.27+

Your cluster must have outbound access to pull Docker containers and verify your license. If you do not want to provide open outbound access, see our list of ports that need access.

Provision Cloud SQL database

For production deployments, we strongly recommend that you use an external PostgreSQL database provisioned in Cloud SQL, in order to have automatic backups.

Your SQL instance should meet the following requirements:

• Minimum PostgreSQL version: 15
• Minimum storage: 50 GB
• Minimum instance size: 2 cores / 8 GB (if more than 1,000 users: 4 cores / 16 GB)
• Recommended: enable multiple zones for high availability

🚧

Embedded vs external database

For production use cases, we recommend running a managed PostgreSQL database. This is easy to configure with Opal's setup process.

Alternatively, you can store all of Opal's data on the virtual machine it's deployed on. This is great for testing out the product, but accidents are more likely to cause data loss.

TLS certificate

Opal must be used with TLS. To create a Google-managed certificate, follow the steps below:

• Go to Load balancing from the search bar
• Click the load balancing components view
• Click Certificates
• Click Create SSL Certificate, then fill out the form like so and click Create:

Static IP address

We're going to create a static IP address so that traffic can be routed through the load balancer.

• Go to IP addresses from the search bar
• Click Reserve external static address
• Fill out the form like so, then click Reserve:

2. Deploy Opal admin console

ℹ️

Note

These instructions will setup your cluster in a configuration that requires pulling images from Replicated's image repo (proxy.replicated.com).

If you would prefer an airgapped installation that uses your own image repo, you should follow Replicated's instructions for that here. Once you've finished with those instructions, resume with Step 3 in out instructions below.

We use Kots to package and monitor private cluster deployments of Opal. In particular, it helps us provide an admin console for configuring your Opal deployment and managing updates. To install Kots, run the following command:

curl https://kots.io/install | bash

Next, install the Opal admin console. The installation should take 5-10 minutes, and you'll be prompted to set a password for accessing your admin console (which you can reset using these instructions).

kubectl kots install opal-onprem --strict-security-context

The Opal admin console is deployed as a set of kotsadm-* pods. Once installed, you should see the following pods deployed as well as a URL for accessing the Opal admin console via port-forwarding.

📘

Useful kots commands

If you kill your port-forwarding to the admin console, you can set it up again using this command:

kubectl kots admin-console --namespace opal-onprem

The admin console password may be reset with this command:

kubectl kots reset-password opal-onprem

3. Configure and deploy Opal

When you access your admin console, you'll be prompted to upload a license. This should have been provided by your Opal representative.

Next, you'll be asked to configure your Opal deployment:

The below recommendations assume you've followed the steps above to setup your infrastructure:

• Hostname: Enter the hostname used to access the Opal application. This cannot be updated later.
• Ingress: If using the pre-packaged ingress, enter the desired annotations. Here is an example using the names of the TLS certificate and the static IP address created above:- Custom annotations:

ingress.gcp.kubernetes.io/pre-shared-cert: opal-replicated
kubernetes.io/ingress.global-static-ip-name: opal-replicated

• Postgres: Select External Postgres and point it to your RDS instance.
• Redis: Select Embedded Redis.
• Database encryption key: Generate a 32-character string for encrypting sensitive data, like 3rd party API tokens, in your database.
• Opal API encryption key: Generate a 32-character string for encrypting generated Opal API tokens.

🚧

Encryption keys used by the application should be stored securely in a password manager to enable restoring Opal in a disaster recovery event.

• Email settings: You may enable SMTP for sending email notifications. Currently, Google Workspace's SMTP is supported and requires whitelisting the public IP addresses of the Kubernetes nodes.

Click Continue. You can run or skip the pre-flight checks. After you deploy, you expect to see the following additional Opal pods running on the cluster:

Provision DNS record

Once the Opal pods are up and running and the load balancer has been provisioned, you can create an A DNS record for the selected hostname. This should point to the load balancer IP address.

At this time, Google cloud will finish the DNS validation process and provision a managed certificate. This process can take at least 10 minutes.

Once your DNS record is created, you should now be able to access Opal at your desired hostname. Log in and invite your team!

Optional: Access via VPN (e.g. Cloudflare Access, Twingate)

If your users will be accessing your Opal instance via a VPN, please ensure that you've configured it to point to the load balancer.