---
sidebar_position: 2
---

# Architecture

## System Architecture

Our infrastructure follows modern DevOps practices with GitOps at its core.

### GitOps Workflow

```mermaid
graph LR
    A[Developer] -->|Git Push| B[Gitea]
    B -->|Webhook| C[ArgoCD]
    C -->|Deploy| D[Kubernetes]
    D -->|Metrics| E[Prometheus]
    E -->|Visualize| F[Grafana]
```

### Network Architecture

#### Ingress Layer

- **nginx-ingress-controller**: Routes external traffic
- **cert-manager**: Manages SSL certificates via Let's Encrypt
- **DNS**: kro.kr domain with wildcard support

#### Application Layer

- Each service runs in its own namespace
- Resource limits and requests defined
- Health checks and readiness probes

#### Data Layer

- **PostgreSQL**: Primary database for Gitea, Grafana
- **Persistent Volumes**: Using local-path provisioner
- **Backup**: Automated backups to S3-compatible storage (MinIO)

### Security Architecture

```yaml
Security Layers:
  1. Network Level:
    - Ingress with TLS termination
    - Network policies between namespaces

  2. Application Level:
    - External Secrets for sensitive data
    - HashiCorp Vault integration
    - Secret rotation policies

  3. Access Control:
    - RBAC for Kubernetes
    - SSO integration (future)
    - Audit logging
```
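A concrete instance of the "network policies between namespaces" layer, added here as an example and not taken from this project's repository: a default-deny ingress policy on a service namespace, plus a narrow allow rule so only the ingress controller's namespace can reach the service pods. The namespace names (`gitea`, `ingress-nginx`), the pod label and the port are assumptions.

```yaml
# Added example, not the project's own manifest. Assumes the Gitea service
# lives in namespace "gitea" and nginx-ingress-controller runs in
# namespace "ingress-nginx".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: gitea
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
    - Ingress              # no "ingress" rules listed, so all inbound is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-controller
  namespace: gitea
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: gitea   # assumed label on the Gitea pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Namespaces carry the kubernetes.io/metadata.name label automatically,
        # so this matches the ingress controller's namespace without extra labelling.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 3000       # assumed Gitea HTTP listener port
```

Policies are additive, so traffic is allowed only when some policy selects the destination pod and permits it; K3s enforces these rules with its embedded network policy controller unless the server was started with `--disable-network-policy`.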

## Design Principles

### 1. Everything as Code

- Infrastructure: Kubernetes YAML
- Configuration: Kustomize
- Secrets: External Secrets Operator
- Monitoring: Prometheus rules as code

### 2. GitOps First

- Single source of truth: Git repository
- Automatic synchronization via ArgoCD
- Rollback capability through Git history

### 3. Observability

- Metrics: Prometheus
- Logs: Loki
- Traces: (Future: Jaeger/Tempo)
- Dashboards: Grafana

### 4. High Availability

- Multi-node Kubernetes cluster
- Replicated stateful services
- Automated failover

## Technology Stack

| Layer | Technology |
|-------|-----------|
| Container Orchestration | Kubernetes (K3s) |
| GitOps | ArgoCD |
| Service Mesh | (Future: Istio/Linkerd) |
| Ingress | nginx-ingress |
| Certificate Management | cert-manager |
| Secrets Management | External Secrets + Vault |
| Monitoring | Prometheus + Grafana |
| Logging | Loki + Promtail |
| Storage | local-path, MinIO |
| Database | PostgreSQL |
| Git | Gitea |
| Documentation | Docusaurus |

## Further Reading

- [Kubernetes Setup Details](../services/kubernetes)
- [ArgoCD Configuration](../services/argocd)
- [Monitoring Stack](../services/monitoring)