Compare commits
2 commits
8d0b67c259
...
7ad4747a08
Author | SHA1 | Date | |
---|---|---|---|
|
7ad4747a08 | ||
|
3fe3805d4a |
2 changed files with 110 additions and 1 deletions
2
Makefile
2
Makefile
|
@ -8,7 +8,7 @@ ARGOCD_APP=$(ARGOCD_HOME)/$(ARGOCD_YAML)
|
||||||
|
|
||||||
IMAGE_NAME=harbor.k8s.ungleich.ch/ungleich-public/ungleich-staticcms
|
IMAGE_NAME=harbor.k8s.ungleich.ch/ungleich-public/ungleich-staticcms
|
||||||
|
|
||||||
all: container
|
all: argocd
|
||||||
|
|
||||||
container: push
|
container: push
|
||||||
docker build -t $(IMAGE_NAME):$(VERSION) .
|
docker build -t $(IMAGE_NAME):$(VERSION) .
|
||||||
|
|
|
@ -0,0 +1,109 @@
|
||||||
|
title: Our staticcms has been moved to kubernetes!
|
||||||
|
---
|
||||||
|
pub_date: 2024-10-13
|
||||||
|
---
|
||||||
|
author: ungleich web team
|
||||||
|
---
|
||||||
|
twitter_handle: ungleich
|
||||||
|
---
|
||||||
|
_hidden: no
|
||||||
|
---
|
||||||
|
_discoverable: yes
|
||||||
|
---
|
||||||
|
abstract:
|
||||||
|
One more service in k8s
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
## Moved to kubernetes
|
||||||
|
|
||||||
|
This website and all static content has been moved to Kubernetes as of
|
||||||
|
2024-10-13. The motivation and background is very similar to what
|
||||||
|
[Nico wrote on his
|
||||||
|
blog](https://www.nico.schottelius.org/blog/2024-10-11-moving-into-k8s/)
|
||||||
|
already some days ago.
|
||||||
|
|
||||||
|
## Build system for teams
|
||||||
|
|
||||||
|
Differently to what Nico is doing with his private homepage, this
|
||||||
|
website will be moved into a "fancy build" system. The background is
|
||||||
|
that while for a single person running `make` on the laptop which
|
||||||
|
modifies argocd cluster configurations, for a team of people working
|
||||||
|
on the website, things are a bit more difficult.
|
||||||
|
|
||||||
|
For once, not every computer at ungleich is running Linux, we do have
|
||||||
|
some non-Linux machines and also machines not run by our kubernetes
|
||||||
|
team, so there is no direct argocd access. And neither is docker build
|
||||||
|
available on some machines.
|
||||||
|
|
||||||
|
How the build pipeline will look exactly is still to be defined, but
|
||||||
|
once we have settled on one, you will link the details here - so stay
|
||||||
|
tuned for updates.
|
||||||
|
|
||||||
|
## Static websites pattern
|
||||||
|
|
||||||
|
One thing we would like to share is already the structure of the helm
|
||||||
|
chart we are using for deployment: We have one helm chart that uses a
|
||||||
|
list of containers that should be deployed. Deployed by argocd
|
||||||
|
it essentially looks like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: staticweb-nico
|
||||||
|
namespace: argocd
|
||||||
|
finalizers:
|
||||||
|
- resources-finalizer.argocd.argoproj.io
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
namespace: nico
|
||||||
|
server: 'https://kubernetes.default.svc'
|
||||||
|
source:
|
||||||
|
path: apps/prod/staticweb
|
||||||
|
repoURL: '...'
|
||||||
|
helm:
|
||||||
|
valuesObject:
|
||||||
|
websites:
|
||||||
|
- name: www-nico
|
||||||
|
image:
|
||||||
|
harbor.k8s.ungleich.ch/nico/www.nico.schottelius.org:559c0c45
|
||||||
|
fqdn: www.nico.schottelius.org
|
||||||
|
project: default
|
||||||
|
syncPolicy:
|
||||||
|
automated:
|
||||||
|
prune: true
|
||||||
|
selfHeal: true
|
||||||
|
syncOptions:
|
||||||
|
- CreateNamespace=true
|
||||||
|
```
|
||||||
|
|
||||||
|
The name attribute is used for defining the k8s `Deployment`, the fqdn
|
||||||
|
is passed to the nginx-ingress and the image should be pretty clear.
|
||||||
|
|
||||||
|
You may notice that we use our own image registry based on
|
||||||
|
harbor. Not only is this much faster for pulling images, but it also
|
||||||
|
solves problems with other registries:
|
||||||
|
|
||||||
|
* github (ghrc.io) is legacy IP only and cannot be used from the
|
||||||
|
Internet
|
||||||
|
* docker hub has very strict pull limits, often not allowing us to
|
||||||
|
pull in images. While this can be worked around with using a login
|
||||||
|
token, it add a certain complexity to our infrastructure deploying
|
||||||
|
logins for various registries.
|
||||||
|
|
||||||
|
This brings us to something some of you might have noticed already:
|
||||||
|
|
||||||
|
## Our containers are publicly reachable
|
||||||
|
|
||||||
|
Anyone can download any container hosted on our harbor instance
|
||||||
|
without authentication. This is by design, as containers should only
|
||||||
|
contain public data. All our containers contain public, open source
|
||||||
|
applications only.
|
||||||
|
|
||||||
|
Data is being injected either by an sqldump in the beginning (if it is
|
||||||
|
an existing application) or generated at startup or passed in as a
|
||||||
|
secret independently of the container.
|
||||||
|
|
||||||
|
From our perspective this principle allows easy and strict separation
|
||||||
|
of private vs. public data.
|
Loading…
Reference in a new issue