App-Configuration
```mermaid
%%{init:{
'theme':'base',
'themeVariables': {
'lineColor':'#6A7FABCC',
'fontSize':'16px'
}
}}%%
graph TD;
p1(pull Request and review)
pub1(publish test results)
pub2(publish test results)
cronjob
subgraph local_infra
base
dcworkshop1
dcworkshop2
style base fill:#f9d5e5,stroke:#b6a7a8,stroke-width:2px
style dcworkshop1 fill:#f9d5e5,stroke:#b6a7a8,stroke-width:2px
style dcworkshop2 fill:#f9d5e5,stroke:#b6a7a8,stroke-width:2px
end
subgraph Jenkins
c1(CodeQuality And Linting)
t1(testing plans)
d1(Deployment)
style c1 fill:#FFAF87,stroke:#377771,stroke-width:2px,color:#4C6085
style t1 fill:#FFAF87,stroke:#377771,stroke-width:2px,color:#4C6085
style d1 fill:#FFAF87,stroke:#377771,stroke-width:2px,color:#4C6085
style Jenkins fill:none,stroke:#4C6085,stroke-width:2px,color:#6A7FABCC
end
subgraph PublicRepo
Main
Development
style Main fill:#FFE66D,stroke:#000,stroke-width:2px
style Development fill:#FFE66D,stroke:#000,stroke-width:2px
style PublicRepo fill:#FF6B6B,stroke:#4C6085,stroke-width:2px
end
subgraph PrivateRepo
Main2[Main]
Development2[Development]
style Main2 fill:#D4ADCF,stroke:#C1CAD6,stroke-width:2px
style Development2 fill:#D4ADCF,stroke:#C1CAD6,stroke-width:2px
style PrivateRepo fill:#C1CAD6,stroke:#856084,stroke-width:2px
end
Development --> c1
c1 --> pub1
pub1 --> p1
p1 --> Development
Development2 -.-> Main2
Main2 -.-> Development
Main --> cronjob
cronjob --> t1
t1 --> pub2
pub2 --> Main
Development -.-> Main
d1 --> local_infra
Main --> d1
```
- I have created an Ansible Galaxy collection that automatically starts the server and waits until it has booted, so SSH won't fail in an Ansible playbook.
- It is not yet production-ready, though.
- I noticed that I either need to debug the plugin locally, or build and push, so I thought I should build a workflow that does that for me automatically, bumps the version etc. No problem, but it takes ages on the GitHub runner,
- so my next step is to use Docker and the GH Actions cache to build an image and cache it every time the requirements listed in plugin_requirements.json change:

```
python:
  redfish: latest
  pyyaml: latest
  pandas: latest
  matplotlib: latest
apt:
  ansible: latest
```

- deploy the base infra (Proxmox cluster, GitHub server/Gitea/Argo CD & Vault-HA) to dc-workshop1 & 2 using Ansible
- set the Vault secrets and variables generically
- deploy k8s nodes on Proxmox using Terraform
- deploy and set up Argo CD using Terraform
- decided to use pre-receive hooks and a second, private repo to seal my code before review
- a bot will then automatically sync with the main repo, but only unseal if all checks pass
- therefore a few changes were required
- the GitHub server will be deployed using Ansible
- the Proxmox cluster will also be deployed using Ansible and further controlled through Terraform
- I also added a new file structure using modules

So we are currently trying to set up a git proxy that pushes the commit to a private repo, to get it tested before any code/sensitive data is even visible in our public repo. The reason was that I noticed that Terraform and the Vault provider are kind of stupid and I don't want to leak any sensitive data, so I decided to choose a zero-trust approach for this.
- the pre-commit hook seals the code, sets up a PR and sends the code to a private repo
- the pull request and its sealed code await status checks
- another hook pushes back into the PR, including the test results
- another review is required to unseal the code in the public PR
- added credentials to sign into the private repo and to process IaC configuration checks in the private repo before pushing to the public one
- created automatic IaC checks, pull request rules for status-check approval, and test result publishing integration
At the moment I use Vault for key/value secrets. The thing with secrets is that you can't read/get GH Actions secrets back out, and I need at least one secret to access Vault in order to read all the other secrets.
The Vault AppRole token secret either needs to be stored in credentials.auto.tfvars, or as a GH Actions secret.
I want to keep my project as flexible as possible, so I decided to keep my Terraform project structure and run it in GH Actions, but not put all the code in the workflow file.
- This is somewhat problematic because the project needs to be aware of how it is deployed (manually, or via GH Actions).
- Therefore we would need to check whether the credentials.auto.tfvars file exists, or whether we need to get the Vault secret via GitHub.
- But Terraform allows us to pass values on the command line like this:

```shell
$ terraform apply -var='vault_key=mein_sicherer_vault_key' -var='db_password=sicheres_passwort'
```

so we don't need to check whether the credentials file exists: a `-var` value overrides anything in `*.auto.tfvars`, and when no `-var` is given Terraform loads the file on its own.
Do I need a Vault GH Actions workflow?
No!
We deploy via Tailscale, so we don't. This is kind of tricky, but as I mentioned before:
I want to keep my project as flexible as possible.
Do I need Jenkins? I'm not really sure, but we can actually do our IaC deployment without Jenkins; testing plans can profit from Jenkins, though.
- It actually doesn't matter, because you can migrate from Jenkins to git.