A platform, in the context of software development and deployment, can be defined as an integrated environment that provides a wide range of tools, services, and applications to streamline the process of creating, testing, deploying, and maintaining software.
Upon successful installation of the platform via Helm, a package manager for Kubernetes, several Helm charts will be created. These charts represent packages of pre-configured Kubernetes resources, each with a specific role in the overall infrastructure.
In short, it’s a bunch of Helm charts. The level of abstraction for the development team starts here, since this repository is only available to the platform engineers maintaining the platform.
Let’s see a simplified directory structure to understand more:
├── Chart.yaml (v1.0.0)
├── platform
│   ├── base
│   │   ├── namespace
│   │   ├── crds
│   │   │   ├── cert-manager
│   │   ├── ingress (*.eu-north-1.training.dx-book.com)
│   │   │   ├── argocd
│   │   │   └── grafana
│   │   ├── cronjobs
│   │   │   ├──
│   │   └── secrets
│   │       ├── aws
│   │       └── github
│   ├── tools
│   │   ├── cert-manager (v0.8.12)
│   │   ├── chartmuseum (v0.15.0)
│   │   ├── cronjobs (custom)
│   │   ├── longhorn (v1.4.0)
│   │   ├── prometheus (v43.1.4)
│   │   ├── redis (v17.3.8)
│   │   ├── tekton
│   │   ├── traefik (v20.8.0)
│   │   └── verdaccio (v5.15.3)
│   ├── tasks
│   │   ├── create-github-resources
│   │   ├── application-deploy
│   │   ├── e2e-test
│   │   ├── git-clone
│   │   ├── helm-package
│   │   ├── identify
│   │   ├── image-build
│   │   ├── kaniko-build
│   │   ├── kube-linter
│   │   ├── npm-build
│   │   └── verify-deployment
│   └── applications
Base
This folder contains crucial base definitions that help structure and facilitate our platform’s operations. Here is a breakdown of what each file or directory represents:
Namespace: The default namespace specified in our platform is platform.
Ingresses: Ingresses provide HTTP and HTTPS routing to services within the cluster based on hostnames and paths. This directory contains definitions for ingresses that enable access to the various tools provided by the platform. For instance, we have ingresses defined for the ArgoCD and Grafana dashboards, facilitating direct, secure access to these tools.
Cronjobs: In the Cronjobs directory, you can define CronJobs, which are the Kubernetes equivalent of cron tasks on a traditional Unix system. CronJobs manage time-based jobs, that is, jobs scheduled to run periodically at fixed times, dates, or intervals. These jobs are typically used for regular, routine tasks such as system backups, clean-up operations, report generation, and email dispatching. All your CronJob definitions should be placed in this folder.
Secrets: This directory is designated for storing the secrets used by the various tools maintained by our platform. Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys, which you don’t want to expose in your application code. In our case, we store secrets such as AWS credentials for the image registry and backups, as well as GitHub credentials.
Tools
The Tools chart folder contains Helm deployments that provide the fundamental building blocks of your Kubernetes environment. These could include elements such as network configuration, security settings, storage classes, resource quotas, and more. The aim is to set up the necessary environment in which your applications will run.
These charts are maintained by the platform team. Here is a brief description of each:
ArgoCD: Listed here for visibility only; we installed it manually earlier.
Cert-manager: A native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self-signed.
Traefik: Traefik is a dynamic load balancer designed for ease of configuration, particularly in dynamic environments. It supports automatic discovery of services, metrics, and has comprehensive support for modern protocols.
Longhorn: Longhorn provides distributed block storage for Kubernetes. It turns distributed storage and management capabilities of cloud-native development into an intuitive and easy-to-use experience.
Prometheus: Designed specifically for numeric time series data, Prometheus is an open-source monitoring and alerting toolkit. It is ideal for collecting metrics from configured targets at specified intervals, evaluating rule expressions, and triggering alerts if a condition is observed to be true.
ChartMuseum: ChartMuseum is an open-source Helm Chart Repository server, enabling developers to easily host and share Helm packages within their organization or team.
Tekton: This is a powerful and flexible open-source framework for creating continuous integration and delivery (CI/CD) systems. It allows developers to build, test, and deploy code in a Kubernetes environment, following modern CI/CD best practices.
Redis: Redis is an open-source, in-memory data structure store, used as a database, cache and message broker. It supports various data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, hyperloglogs, geospatial indexes with radius queries and streams.
Verdaccio: Verdaccio is a lightweight, open-source private npm proxy registry. It is fully compatible with the npm registry and can be used to locally store necessary npm packages, reducing network reliance and increasing development speed.
Permissions
To prevent privilege escalation on the platform, for instance by an attacker who could:
- Establish a ClusterRoleBinding that grants them cluster-admin privileges
- Set up a RoleBinding that assigns them administrative rights over another namespace
- Launch a Pod that utilizes resources belonging to others
We’ll employ ArgoCD Projects to specify certain projects and corresponding permissions:
- Platform: Grants complete access, including to CRDs.
- Pipelines: Prohibits access to Namespaces, ResourceQuota, LimitRange, and NetworkPolicy.
- Dependencies: Permits the creation of Namespaces, but blocks everything else at the cluster scope. Also restricts access to ResourceQuota, LimitRange, and NetworkPolicy.
- Applications: Prevents access to Namespaces, CRDs, and so on at the cluster scope. Also restricts access to ResourceQuota, LimitRange, and NetworkPolicy.
Here are the whitelisted repositories:
- https://github.com/dx-book/*
- http://chartmuseum.platform.svc.cluster.local:8080/
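The Dependencies and Applications rules above, expressed as Argo CD AppProject manifests. This is an added example and not the platform’s own chart; the argocd namespace and the unrestricted destination namespace are assumptions a platform team would narrow further.

```yaml
# Added example (not the platform's own manifest): AppProjects encoding the
# "Dependencies" and "Applications" rules. The "argocd" namespace and the
# "*" destination are assumptions; only the two whitelisted repos are sources.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: dependencies
  namespace: argocd
spec:
  sourceRepos:                      # the two whitelisted repositories
    - https://github.com/dx-book/*
    - http://chartmuseum.platform.svc.cluster.local:8080/
  destinations:
    - server: https://kubernetes.default.svc
      namespace: "*"
  # Cluster scope: only Namespace is allowed, so ClusterRoleBindings, CRDs
  # and every other cluster-scoped kind are rejected at sync time.
  clusterResourceWhitelist:
    - group: ""
      kind: Namespace
  # Namespace scope: everything except the guardrail objects.
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange
    - group: networking.k8s.io
      kind: NetworkPolicy
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: applications
  namespace: argocd
spec:
  sourceRepos:
    - https://github.com/dx-book/*
    - http://chartmuseum.platform.svc.cluster.local:8080/
  destinations:
    - server: https://kubernetes.default.svc
      namespace: "*"
  # An empty whitelist denies every cluster-scoped resource, Namespaces included.
  clusterResourceWhitelist: []
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange
    - group: networking.k8s.io
      kind: NetworkPolicy
```

An Application assigned to either project that tries to sync a ClusterRoleBinding, or a RoleBinding into a namespace outside its destinations, fails validation in Argo CD before anything reaches the API server.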
Tasks (Tekton Pipelines)
Besides that, we provide a suite of custom tasks, also known as ‘cluster-tasks’. They were designed to extend the capabilities of your platform in a structured way. These tasks integrate with the Tekton CI/CD pipeline, significantly reducing the time it takes to get your product teams up and running. Here are some of the key tasks that come bundled with this package:
GitHub Resources Task: This task automates the creation of GitHub resources such as access keys and webhooks. By managing these programmatically, your teams can seamlessly integrate their work with GitHub without the need for manual intervention.
Runtime Version Detection Task: This task detects runtime versions, for example from a Node.js package.json, and retrieves the application version. This information is often crucial for debugging and version management.
NPM Package Installation Task: For Node.js applications, this task installs npm packages using Verdaccio as a proxy and runs unit tests. This speeds up the installation process and provides a way to test code before it gets deployed.
Kubernetes Resource Linting Task: This task uses kube-linter to lint Kubernetes resources in the CI/CD pipeline, enforcing best practices and coding standards. This helps maintain high code quality and avoid common pitfalls.
Kaniko Image Building Task: This task automates the process of building images with Kaniko, a tool for building container images from a Dockerfile, inside a container or Kubernetes cluster. It supports package manager proxies and image registry pushing.
Helm Packaging Task: This task automates the packaging of Helm charts. It supports versioning, main and feature branches, linting, dependency management, and uploading to the Chart Museum.
ArgoCD Deployment Task: With this task, you can deploy applications via ArgoCD with Helm. This task supports workflows for both main branches and feature branches, allowing a flexible approach to continuous deployment.
E2E Testing Task: An end-to-end task that enables the running of integration tests within the Tekton CI/CD pipeline. This allows you to ensure that all the different parts of your system work together as expected.
Rollback Deployment Task: If a deployment fails, this task rolls back the deployment to ensure system stability. It provides a safety net that keeps the last known good state of the application in case of a deployment failure.
These cluster tasks serve to automate and streamline various facets of your development workflows, creating a more efficient, productive, and reliable process. They represent a broad base of common operations, reducing the manual work required to manage these tasks and ensuring they’re performed consistently.
After the platform installation, these applications will help form a robust infrastructure for managing your project, automating CI/CD pipelines, handling data, balancing load, storing packages, providing storage solutions, scheduling jobs, managing cluster-tasks, and hosting Helm charts.
Now let’s move on to how to install the platform.