Overview

This guide walks you through deploying CaseBender on DigitalOcean using prebuilt Docker images with DigitalOcean Kubernetes (DOKS) and managed services.

Prerequisites

  1. DigitalOcean account
  2. doctl CLI installed
  3. kubectl installed
  4. Docker installed

Step 1: Initial Setup

Install and Configure doctl

# Using Homebrew
brew install doctl

# Authenticate with an API token
doctl auth init

# Configure Docker for the Container Registry
doctl registry login

Step 2: Create the Kubernetes Cluster

# Create the DOKS cluster
doctl kubernetes cluster create casebender \
  --region nyc1 \
  --size s-2vcpu-4gb \
  --count 3 \
  --version latest

# Get the kubeconfig
doctl kubernetes cluster kubeconfig save casebender

Step 3: Configure Managed Services

Create Spaces for Object Storage

# Create the Spaces bucket
doctl spaces create casebender-storage \
  --region nyc3

# Create a Spaces access key
doctl spaces access-key create

# Note: store the access key and secret key securely (a secrets manager, never a repository or a chat)
# They are needed for the application configuration

Create Managed PostgreSQL

# Create the database cluster
doctl databases create \
  --engine pg \
  --name casebender-db \
  --region nyc1 \
  --size db-s-2vcpu-4gb \
  --version 14 \
  --num-nodes 1

# Create the database
doctl databases db create casebender-db casebender

# Get the connection details
doctl databases connection casebender-db --format ConnectionString

Create Managed Redis

# Create the Redis cluster
doctl databases create \
  --engine redis \
  --name casebender-redis \
  --region nyc1 \
  --size db-s-1vcpu-2gb \
  --version 7

# Get the connection details
doctl databases connection casebender-redis --format ConnectionString

Step 4: Configure the Container Registry

# Create the container registry
doctl registry create casebender-registry

# Get the registry endpoint
REGISTRY_ENDPOINT=$(doctl registry get-endpoint)

# Pull the CaseBender images
docker pull casebender/casebender:latest
docker pull casebender/workflow-processor:latest
docker pull casebender/misp-processor:latest

# Tag the images for the registry
docker tag casebender/casebender:latest registry.digitalocean.com/casebender-registry/app:latest
docker tag casebender/workflow-processor:latest registry.digitalocean.com/casebender-registry/workflow-processor:latest
docker tag casebender/misp-processor:latest registry.digitalocean.com/casebender-registry/misp-processor:latest

# Push the images
docker push registry.digitalocean.com/casebender-registry/app:latest
docker push registry.digitalocean.com/casebender-registry/workflow-processor:latest
docker push registry.digitalocean.com/casebender-registry/misp-processor:latest

# Add the registry to the Kubernetes cluster
doctl kubernetes cluster registry add casebender

Step 5: Deploy to Kubernetes

Create the Namespace

kubectl create namespace casebender

Create Secrets

# Create the secrets for the database and Redis
# (replace the placeholder credentials with the connection strings printed by `doctl databases connection`)
kubectl create secret generic db-credentials \
  --namespace casebender \
  --from-literal=postgres-url="postgresql://doadmin:password@casebender-db-do-user-1234567-0.b.db.ondigitalocean.com:25060/casebender?sslmode=require" \
  --from-literal=redis-url="rediss://default:password@casebender-redis-do-user-1234567-0.b.db.ondigitalocean.com:25061"

# Create the application secrets (replace the placeholders with long random values)
kubectl create secret generic app-secrets \
  --namespace casebender \
  --from-literal=auth-secret="your-auth-secret" \
  --from-literal=auth-salt="your-auth-salt"

Deploy the Applications

Create deployment.yaml:
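The two kubectl commands above pass the database password and the auth secrets as --from-literal arguments, which leaves them in shell history and exposes them to anyone who can run ps on that machine while kubectl executes; the placeholder "your-auth-secret" values also have to be replaced with real random material. The script below is an added example (not part of the CaseBender documentation or project): it generates the AUTH_SECRET and AUTH_SALT values from the kernel CSPRNG, keeps every value in a mode-0600 env file, and renders the same two Secret objects as manifests for kubectl apply. The env file path and the connection-string placeholders are constructed for the example; paste in the strings printed by doctl databases connection.

```shell
#!/bin/sh
# Added example, not CaseBender's own tooling: build the db-credentials and
# app-secrets Secrets without ever putting a secret value on a command line.
# Constructed/assumed: the env file location and the placeholder connection URLs.
set -eu

# 32 bytes from the kernel CSPRNG, base64-encoded: always 44 characters.
gen_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Create the env file with mode 0600 *before* any value is written into it.
write_env_file() {
  file="$1"
  ( umask 077; : > "$file" )
  {
    printf 'AUTH_SECRET=%s\n' "$(gen_secret)"
    printf 'AUTH_SALT=%s\n' "$(gen_secret)"
    # Placeholders: replace with the output of `doctl databases connection ...`.
    printf 'POSTGRES_URL=%s\n' 'postgresql://doadmin:<password>@<host>:25060/casebender?sslmode=require'
    printf 'REDIS_URL=%s\n' 'rediss://default:<password>@<host>:25061'
  } >> "$file"
}

# Emit a Secret whose values come from the env file, base64-encoded into `data:`
# (which sidesteps YAML quoting problems with URLs that contain ? and =).
# usage: secret_manifest NAME NAMESPACE ENV_FILE ENV_KEY:secret-key ...
secret_manifest() {
  name="$1"; ns="$2"; file="$3"; shift 3
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for map in "$@"; do
    envkey="${map%%:*}"; seckey="${map#*:}"
    line="$(grep "^${envkey}=" "$file" | head -n 1)"
    value="${line#*=}"
    if [ -z "$value" ]; then
      echo "secret_manifest: $envkey missing from $file" >&2
      return 1
    fi
    printf '  %s: %s\n' "$seckey" "$(printf '%s' "$value" | base64 | tr -d '\n')"
  done
}

# Render both manifests into a private temp dir and print its path. Apply with
#   kubectl apply -f "$dir/db-credentials.yaml" -f "$dir/app-secrets.yaml"
# and delete the directory afterwards.
build_secret_manifests() {
  dir="$(mktemp -d)"
  write_env_file "$dir/casebender.env"
  secret_manifest db-credentials casebender "$dir/casebender.env" \
    POSTGRES_URL:postgres-url REDIS_URL:redis-url > "$dir/db-credentials.yaml"
  secret_manifest app-secrets casebender "$dir/casebender.env" \
    AUTH_SECRET:auth-secret AUTH_SALT:auth-salt > "$dir/app-secrets.yaml"
  echo "$dir"
}

build_secret_manifests
```

The rendered files contain the secrets in base64, which is encoding, not encryption: treat them like the env file, never commit them, and prefer applying straight from a pipe (secret_manifest ... | kubectl apply -f -) on a hardened admin host.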

apiVersion: apps/v1
kind: Deployment
metadata:
  name: casebender-app
  namespace: casebender
spec:
  replicas: 2
  selector:
    matchLabels:
      app: casebender-app
  template:
    metadata:
      labels:
        app: casebender-app
    spec:
      containers:
        - name: app
          image: registry.digitalocean.com/casebender-registry/app:latest
          ports:
            - containerPort: 3000
          env:
            - name: AUTH_SECRET
              valueFrom:
                secretKeyRef:
                  name: app-secrets
                  key: auth-secret
            - name: AUTH_SALT
              valueFrom:
                secretKeyRef:
                  name: app-secrets
                  key: auth-salt
            - name: POSTGRES_PRISMA_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: postgres-url
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: redis-url
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: workflow-processor
  namespace: casebender
spec:
  replicas: 1
  selector:
    matchLabels:
      app: workflow-processor
  template:
    metadata:
      labels:
        app: workflow-processor
    spec:
      containers:
        - name: processor
          image: registry.digitalocean.com/casebender-registry/workflow-processor:latest
          env:
            - name: POSTGRES_PRISMA_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: postgres-url
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: redis-url
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: misp-processor
  namespace: casebender
spec:
  replicas: 1
  selector:
    matchLabels:
      app: misp-processor
  template:
    metadata:
      labels:
        app: misp-processor
    spec:
      containers:
        - name: processor
          image: registry.digitalocean.com/casebender-registry/misp-processor:latest
          env:
            - name: POSTGRES_PRISMA_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: postgres-url
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: redis-url

Apply the deployments:

kubectl apply -f deployment.yaml
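The deployment.yaml above runs every container from a mutable :latest tag, with no resource requests or limits and no securityContext, so a re-pushed image changes what runs without any manifest change and a misbehaving pod can starve the node. As an added example (not part of the CaseBender project), the script below lints a manifest for exactly those settings, returning non-zero so it can gate kubectl apply in CI, and prints a hardened variant of the casebender-app Deployment. The digest, the resource figures and the emptyDir mount are assumptions to adjust; the env block from deployment.yaml is left out of the hardened copy and must be kept.

```shell
#!/bin/sh
# Added example, not CaseBender's own tooling: pre-deploy lint for Kubernetes
# workload manifests plus a hardened version of the casebender-app Deployment.
# Assumed: the digest placeholder, the resource sizes, the /tmp emptyDir mount.
set -eu

# Print one finding per line for each Deployment/StatefulSet/DaemonSet document;
# exit 1 if anything was flagged. Other kinds (Service etc.) are skipped.
lint_manifest() {
  awk '
    function report(msg) { findings++; printf "%s: %s\n", name, msg }
    function flush() {
      if (kind == "Deployment" || kind == "StatefulSet" || kind == "DaemonSet") {
        if (latest)     report("image uses the mutable :latest tag; pin a version tag or @sha256 digest")
        if (!resources) report("no resources.requests/limits; a runaway pod can starve the node")
        if (!nonroot)   report("no securityContext.runAsNonRoot: true")
        if (!noesc)     report("no allowPrivilegeEscalation: false")
        if (!ro)        report("no readOnlyRootFilesystem: true")
      }
      kind = ""; name = ""; latest = resources = nonroot = noesc = ro = 0
    }
    /^---/                             { flush(); next }
    /^kind:/                           { kind = $2 }
    /^  name:/ && name == ""           { name = $2 }        # metadata.name
    /image:.*:latest *$/               { latest = 1 }
    /^ +resources:/                    { resources = 1 }
    /runAsNonRoot: *true/              { nonroot = 1 }
    /allowPrivilegeEscalation: *false/ { noesc = 1 }
    /readOnlyRootFilesystem: *true/    { ro = 1 }
    END { flush(); exit (findings > 0) }
  ' "$1"
}

# Hardened form of the casebender-app Deployment. Resolve the real digest with
#   docker inspect --format '{{index .RepoDigests 0}}' registry.digitalocean.com/casebender-registry/app:latest
hardened_app_manifest() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: casebender-app
  namespace: casebender
spec:
  replicas: 2
  selector:
    matchLabels:
      app: casebender-app
  template:
    metadata:
      labels:
        app: casebender-app
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile: { type: RuntimeDefault }
      containers:
        - name: app
          image: registry.digitalocean.com/casebender-registry/app@sha256:<digest>   # placeholder
          ports:
            - containerPort: 3000
          # env: keep the secretKeyRef entries from deployment.yaml here
          resources:
            requests: { cpu: 250m, memory: 512Mi }
            limits: { cpu: "1", memory: 1Gi }
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
          volumeMounts:
            - { name: tmp, mountPath: /tmp }   # writable scratch space for the app
      volumes:
        - { name: tmp, emptyDir: {} }
EOF
}

# Constructed manifest in the style of deployment.yaml above, for comparison.
page_style_manifest() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: casebender-app
spec:
  template:
    spec:
      containers:
        - name: app
          image: registry.digitalocean.com/casebender-registry/app:latest
---
apiVersion: v1
kind: Service
metadata:
  name: casebender-app
EOF
}

tmp="$(mktemp -d)"
page_style_manifest > "$tmp/weak.yaml"
hardened_app_manifest > "$tmp/hardened.yaml"
echo "== weak.yaml";     lint_manifest "$tmp/weak.yaml" || echo "(would block apply)"
echo "== hardened.yaml"; lint_manifest "$tmp/hardened.yaml" && echo "(clean)"
```

If the application writes somewhere other than /tmp at start-up, readOnlyRootFilesystem will surface it as a permission error in kubectl logs; add an emptyDir mount for that path rather than dropping the setting. The same lint applies unchanged to the workflow-processor and misp-processor Deployments.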

Step 6: Create Services

Create service.yaml:

apiVersion: v1
kind: Service
metadata:
  name: casebender-app
  namespace: casebender
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 3000
  selector:
    app: casebender-app

Apply the service:

kubectl apply -f service.yaml

Step 7: Configure Ingress

Install the NGINX Ingress Controller

# Add the Helm repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# Install the NGINX Ingress Controller
helm install nginx-ingress ingress-nginx/ingress-nginx \
  --namespace casebender \
  --set controller.publishService.enabled=true

Configure the Ingress

Create ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: casebender-ingress
  namespace: casebender
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  # networking.k8s.io/v1 selects the controller via ingressClassName;
  # the kubernetes.io/ingress.class annotation is deprecated
  ingressClassName: nginx
  tls:
    - hosts:
        - your-domain.com
      secretName: casebender-tls
  rules:
    - host: your-domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: casebender-app
                port:
                  number: 80

Apply the ingress:

kubectl apply -f ingress.yaml

Step 8: Configure SSL with cert-manager

# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml

# Create the ClusterIssuer
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@domain.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
EOF

Step 9: Configure Autoscaling

Create hpa.yaml:

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: casebender-app-hpa
  namespace: casebender
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: casebender-app
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80

Apply the HPA:

kubectl apply -f hpa.yaml

Backup and Disaster Recovery

Database Backups

DigitalOcean managed databases are backed up automatically. You can also:

# Create a manual backup
doctl databases backup casebender-db

Configure Database Failover

# Add a read replica in another region; it can be promoted if the primary region fails
# (<replica-name> is a placeholder for the name you choose)
doctl databases replica create casebender-db <replica-name> \
  --region sfo2

Security Best Practices

  1. Enable DigitalOcean Cloud Firewall
  2. Use private networking
  3. Implement network policies
  4. Apply security updates regularly
  5. Enable audit logging
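Item 3 is the one most often left as a to-do, because DOKS namespaces allow all pod-to-pod traffic by default. The script below is an added example, not part of the CaseBender project: it renders a NetworkPolicy set that denies everything for the three CaseBender workloads deployed above and then re-allows only the flows this page's architecture needs. The default-deny is scoped to those pods by label rather than to the whole namespace, so the ingress controller installed into casebender in Step 7 and the HTTP01 solver pods cert-manager creates there keep working. Assumptions: the ingress-nginx pods carry the chart's default label app.kubernetes.io/name=ingress-nginx, the managed database ports are the 25060/25061 from the connection strings above, and the misp-processor is the only workload that needs outbound HTTPS.

```shell
#!/bin/sh
# Added example, not CaseBender's own configuration: NetworkPolicies for the
# CaseBender workloads in the casebender namespace.
# Assumed: ingress-nginx pod label, managed DB ports 25060/25061, HTTPS egress
# needed only by misp-processor.
set -eu

network_policies_manifest() {
  cat <<'EOF'
# 1. Default deny (ingress and egress) for the three CaseBender workloads only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: casebender-default-deny
  namespace: casebender
spec:
  podSelector:
    matchExpressions:
      - { key: app, operator: In, values: [casebender-app, workflow-processor, misp-processor] }
  policyTypes: [Ingress, Egress]
---
# 2. Only the ingress controller may reach the web app, and only on its listening port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: casebender-app-allow-from-ingress
  namespace: casebender
spec:
  podSelector:
    matchLabels:
      app: casebender-app
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - port: 3000
---
# 3. Every CaseBender workload needs cluster DNS plus the managed PostgreSQL and Redis ports.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: casebender-allow-dns-and-managed-db
  namespace: casebender
spec:
  podSelector:
    matchExpressions:
      - { key: app, operator: In, values: [casebender-app, workflow-processor, misp-processor] }
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - { port: 53, protocol: UDP }
        - { port: 53, protocol: TCP }
    - ports:
        - port: 25060   # managed PostgreSQL (TLS)
        - port: 25061   # managed Redis (TLS)
---
# 4. Only the MISP processor may open HTTPS connections to external MISP instances.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: misp-processor-allow-https
  namespace: casebender
spec:
  podSelector:
    matchLabels:
      app: misp-processor
  policyTypes: [Egress]
  egress:
    - ports:
        - port: 443
EOF
}

# Usage: network_policies_manifest | kubectl apply -f -
# Count the policies we are about to apply (a quick sanity check for the pipe above).
policy_count() {
  network_policies_manifest | grep -c '^kind: NetworkPolicy'
}

echo "rendering $(policy_count) NetworkPolicies"
```

Roll this out in a staging namespace first and watch kubectl logs for connection errors: a workload that also talks to Spaces, for example, needs an extra egress rule for that endpoint before the default-deny goes to production.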

Cost Optimization

  1. Use appropriately sized nodes
  2. Implement autoscaling
  3. Use block storage judiciously
  4. Monitor resource usage
  5. Consider reserved droplets

Next Steps

  • Set up a CI/CD pipeline
  • Configure monitoring alerts
  • Implement a logging solution
  • Review security measures