Overview
This guide walks you through deploying CaseBender on DigitalOcean using the prebuilt Docker images on DigitalOcean Kubernetes (DOKS) together with DigitalOcean managed services.
Prerequisites
- DigitalOcean account
- doctl CLI installed
- kubectl installed
- Docker installed
Step 1: Initial Setup
Install and Configure doctl
Step 2: Create the Kubernetes Cluster
# Create the DOKS cluster
doctl kubernetes cluster create casebender \
  --region nyc1 \
  --size s-2vcpu-4gb \
  --count 3 \
  --version latest
# Save the kubeconfig for the new cluster
doctl kubernetes cluster kubeconfig save casebender
Step 3: Configure Managed Services
Create Spaces for Object Storage
# Create the Spaces bucket
doctl spaces create casebender-storage \
  --region nyc3
# Create a Spaces access key
doctl spaces access-key create
# Note: store the access key and secret key securely;
# they are needed later for the application configuration
Create Managed PostgreSQL
# Create the database cluster
doctl databases create \
  --engine pg \
  --name casebender-db \
  --region nyc1 \
  --size db-s-2vcpu-4gb \
  --version 14 \
  --num-nodes 1
# Create the application database
doctl databases db create casebender-db casebender
# Get the connection details
doctl databases connection casebender-db --format ConnectionString
Create Managed Redis
# Create the Redis cluster
doctl databases create \
  --engine redis \
  --name casebender-redis \
  --region nyc1 \
  --size db-s-1vcpu-2gb \
  --version 7
# Get the connection details
doctl databases connection casebender-redis --format ConnectionString
Step 4: Configure the Container Registry
# Create the container registry
doctl registry create casebender-registry
# Get the registry endpoint
REGISTRY_ENDPOINT=$(doctl registry get-endpoint)
# Log Docker in to the registry (required before pushing)
doctl registry login
# Pull the CaseBender images
docker pull casebender/casebender:latest
docker pull casebender/workflow-processor:latest
docker pull casebender/misp-processor:latest
# Tag the images for the registry
docker tag casebender/casebender:latest registry.digitalocean.com/casebender-registry/app:latest
docker tag casebender/workflow-processor:latest registry.digitalocean.com/casebender-registry/workflow-processor:latest
docker tag casebender/misp-processor:latest registry.digitalocean.com/casebender-registry/misp-processor:latest
# Push the images
docker push registry.digitalocean.com/casebender-registry/app:latest
docker push registry.digitalocean.com/casebender-registry/workflow-processor:latest
docker push registry.digitalocean.com/casebender-registry/misp-processor:latest
# Grant the Kubernetes cluster pull access to the registry
doctl kubernetes cluster registry add casebender
Step 5: Deploy to Kubernetes
Create the Namespace
kubectl create namespace casebender
Create Secrets
# Create the database and Redis secrets
kubectl create secret generic db-credentials \
  --namespace casebender \
  --from-literal=postgres-url="postgresql://doadmin:password@casebender-db-do-user-1234567-0.b.db.ondigitalocean.com:25060/casebender?sslmode=require" \
  --from-literal=redis-url="rediss://default:password@casebender-redis-do-user-1234567-0.b.db.ondigitalocean.com:25061"
# Create the application secrets
kubectl create secret generic app-secrets \
  --namespace casebender \
  --from-literal=auth-secret="your-auth-secret" \
  --from-literal=auth-salt="your-auth-salt"
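The connection strings above are the only place where TLS for the managed databases is enforced (sslmode=require for PostgreSQL, the rediss:// scheme for Redis). The following is an added example, not part of the CaseBender guide or project: it validates both URLs before they are stored and renders the db-credentials Secret as a manifest read from environment variables, so the passwords are not passed as kubectl command-line arguments. The helper names check_postgres_url, check_redis_url and render_db_secret are assumptions.

```shell
#!/bin/sh
# Added example (not CaseBender's own tooling): validate the managed-database URLs
# and render the db-credentials Secret from the POSTGRES_URL and REDIS_URL
# environment variables. Helper names are hypothetical.

# DigitalOcean managed PostgreSQL only accepts TLS connections, which is why the
# guide's URL carries sslmode=require; reject URLs that would drop that.
check_postgres_url() {
    case "$1" in
        postgresql://*|postgres://*) ;;
        *) echo "postgres-url: scheme must be postgresql://" >&2; return 1 ;;
    esac
    case "$1" in
        *sslmode=require*|*sslmode=verify-ca*|*sslmode=verify-full*) ;;
        *) echo "postgres-url: missing sslmode=require (TLS)" >&2; return 1 ;;
    esac
}

# Managed Redis likewise requires TLS: the scheme must be rediss://, not redis://.
check_redis_url() {
    case "$1" in
        rediss://*) ;;
        redis://*) echo "redis-url: plaintext redis:// scheme; use rediss://" >&2; return 1 ;;
        *) echo "redis-url: unrecognised scheme" >&2; return 1 ;;
    esac
}

# Emit the Secret manifest on stdout. Unlike kubectl --from-literal, the passwords
# never appear in the argument list of a running process (visible in ps).
# Usage: export POSTGRES_URL and REDIS_URL (e.g. from a sourced file), then
#        render_db_secret | kubectl apply -f -
render_db_secret() {
    check_postgres_url "$POSTGRES_URL" || return 1
    check_redis_url "$REDIS_URL" || return 1
    pg_b64=$(printf '%s' "$POSTGRES_URL" | base64 | tr -d '\n')
    redis_b64=$(printf '%s' "$REDIS_URL" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: casebender
type: Opaque
data:
  postgres-url: $pg_b64
  redis-url: $redis_b64
EOF
}
```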
Deploy the Applications
Create deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: casebender-app
  namespace: casebender
spec:
  replicas: 2
  selector:
    matchLabels:
      app: casebender-app
  template:
    metadata:
      labels:
        app: casebender-app
    spec:
      containers:
        - name: app
          image: registry.digitalocean.com/casebender-registry/app:latest
          ports:
            - containerPort: 3000
          # CPU requests are required for the CPU-utilization HPA in Step 9
          # to compute a percentage; without them the HPA reports unknown metrics
          resources:
            requests:
              cpu: 250m
              memory: 512Mi
          env:
            - name: AUTH_SECRET
              valueFrom:
                secretKeyRef:
                  name: app-secrets
                  key: auth-secret
            - name: AUTH_SALT
              valueFrom:
                secretKeyRef:
                  name: app-secrets
                  key: auth-salt
            - name: POSTGRES_PRISMA_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: postgres-url
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: redis-url
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: workflow-processor
  namespace: casebender
spec:
  replicas: 1
  selector:
    matchLabels:
      app: workflow-processor
  template:
    metadata:
      labels:
        app: workflow-processor
    spec:
      containers:
        - name: processor
          image: registry.digitalocean.com/casebender-registry/workflow-processor:latest
          env:
            - name: POSTGRES_PRISMA_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: postgres-url
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: redis-url
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: misp-processor
  namespace: casebender
spec:
  replicas: 1
  selector:
    matchLabels:
      app: misp-processor
  template:
    metadata:
      labels:
        app: misp-processor
    spec:
      containers:
        - name: processor
          image: registry.digitalocean.com/casebender-registry/misp-processor:latest
          env:
            - name: POSTGRES_PRISMA_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: postgres-url
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: redis-url
Apply the deployments:
kubectl apply -f deployment.yaml
Create the Service
Create service.yaml:
apiVersion: v1
kind: Service
metadata:
  name: casebender-app
  namespace: casebender
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 3000
  selector:
    app: casebender-app
Apply the service:
kubectl apply -f service.yaml
Step 7: Configure Ingress
Install the NGINX Ingress Controller
# Add the Helm repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
# Install the NGINX Ingress Controller
helm install nginx-ingress ingress-nginx/ingress-nginx \
  --namespace casebender \
  --set controller.publishService.enabled=true
Configure the Ingress
Create ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: casebender-ingress
  namespace: casebender
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - your-domain.com
      secretName: casebender-tls
  rules:
    - host: your-domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: casebender-app
                port:
                  number: 80
Apply the ingress:
kubectl apply -f ingress.yaml
Step 8: Configure SSL with cert-manager
# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
# Create the ClusterIssuer referenced by the ingress annotation
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@domain.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
EOF
Step 9: Configure Autoscaling
Create hpa.yaml:
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: casebender-app-hpa
  namespace: casebender
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: casebender-app
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80
Apply the HPA:
kubectl apply -f hpa.yaml
Backup and Disaster Recovery
Database Backups
DigitalOcean managed databases take backups automatically. You can also:
# Create a manual backup
doctl databases backup casebender-db
Configure Database Failover
# Create a read replica in a second region. Note that DigitalOcean's automatic
# failover comes from standby nodes (--num-nodes 2 or more), not from read replicas.
doctl databases replica casebender-db create \
  --region sfo2
Security Best Practices
- Enable DigitalOcean Cloud Firewall
- Use private networking
- Implement network policies
- Apply security updates regularly
- Enable audit logging
Cost Optimization
- Use appropriately sized nodes
- Implement autoscaling
- Use block storage judiciously
- Monitor resource usage
- Consider reserved droplets
Next Steps
- Set up a CI/CD pipeline
- Configure monitoring alerts
- Implement a logging solution
- Review security measures