Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity
Files
gitea-pages
launchpad/GITOPS-ARCHITECTURE/index.html
gitea-actions 8812b02458 Deploy docs
2026-04-18 18:39:51 +00:00

1969 lines
95 KiB
HTML
Raw Permalink Blame History

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Documentation for the GitOps-managed Kubernetes cluster">
<link rel="prev" href="..">
<link rel="next" href="../DEVELOPER-GUIDE/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.7.6">
<title>GitOps Architecture - K8s Launchpad</title>
<link rel="stylesheet" href="../assets/stylesheets/main.484c7ddc.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.ab4e12ef.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#gitops-architecture-repository-guide" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="K8s Launchpad" class="md-header__button md-logo" aria-label="K8s Launchpad" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
K8s Launchpad
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
GitOps Architecture
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
<input class="md-option" data-md-color-media="" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
</form>
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://git.forteapps.net/Forte/launchpad" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
</div>
<div class="md-source__repository">
Forte/launchpad
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="K8s Launchpad" class="md-nav__button md-logo" aria-label="K8s Launchpad" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
K8s Launchpad
</label>
<div class="md-nav__source">
<a href="https://git.forteapps.net/Forte/launchpad" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
</div>
<div class="md-source__repository">
Forte/launchpad
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
Home
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
GitOps Architecture
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
GitOps Architecture
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#table-of-contents" class="md-nav__link">
<span class="md-ellipsis">
Table of Contents
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#overview" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
<nav class="md-nav" aria-label="Overview">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#key-characteristics" class="md-nav__link">
<span class="md-ellipsis">
Key Characteristics
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#architecture-diagram" class="md-nav__link">
<span class="md-ellipsis">
Architecture Diagram
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#repository-structure" class="md-nav__link">
<span class="md-ellipsis">
Repository Structure
</span>
</a>
<nav class="md-nav" aria-label="Repository Structure">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#1-config-repository-current-repo" class="md-nav__link">
<span class="md-ellipsis">
1. Config Repository (Current Repo)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#2-helm-charts-repository" class="md-nav__link">
<span class="md-ellipsis">
2. Helm Charts Repository
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#3-helm-values-repository" class="md-nav__link">
<span class="md-ellipsis">
3. Helm Values Repository
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#4-application-source-code-repositories" class="md-nav__link">
<span class="md-ellipsis">
4. Application Source Code Repositories
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#gitops-workflow" class="md-nav__link">
<span class="md-ellipsis">
GitOps Workflow
</span>
</a>
<nav class="md-nav" aria-label="GitOps Workflow">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#the-app-of-apps-pattern" class="md-nav__link">
<span class="md-ellipsis">
The App-of-Apps Pattern
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sync-waves-ordering" class="md-nav__link">
<span class="md-ellipsis">
Sync Waves &amp; Ordering
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#multi-source-pattern" class="md-nav__link">
<span class="md-ellipsis">
Multi-Source Pattern
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#multi-cluster-pattern" class="md-nav__link">
<span class="md-ellipsis">
Multi-Cluster Pattern
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cicd-pipeline" class="md-nav__link">
<span class="md-ellipsis">
CI/CD Pipeline
</span>
</a>
<nav class="md-nav" aria-label="CI/CD Pipeline">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#continuous-integration" class="md-nav__link">
<span class="md-ellipsis">
Continuous Integration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#continuous-deployment" class="md-nav__link">
<span class="md-ellipsis">
Continuous Deployment
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#deployment-validation" class="md-nav__link">
<span class="md-ellipsis">
Deployment Validation
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#security-model" class="md-nav__link">
<span class="md-ellipsis">
Security Model
</span>
</a>
<nav class="md-nav" aria-label="Security Model">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#secret-management" class="md-nav__link">
<span class="md-ellipsis">
Secret Management
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#kyverno-policies" class="md-nav__link">
<span class="md-ellipsis">
Kyverno Policies
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#repository-access" class="md-nav__link">
<span class="md-ellipsis">
Repository Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#network-security" class="md-nav__link">
<span class="md-ellipsis">
Network Security
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#authentication" class="md-nav__link">
<span class="md-ellipsis">
Authentication
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#monitoring-observability" class="md-nav__link">
<span class="md-ellipsis">
Monitoring &amp; Observability
</span>
</a>
<nav class="md-nav" aria-label="Monitoring &amp; Observability">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#stack-components" class="md-nav__link">
<span class="md-ellipsis">
Stack Components
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#slack-notifications" class="md-nav__link">
<span class="md-ellipsis">
Slack Notifications
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#disaster-recovery" class="md-nav__link">
<span class="md-ellipsis">
Disaster Recovery
</span>
</a>
<nav class="md-nav" aria-label="Disaster Recovery">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cluster-rebuild" class="md-nav__link">
<span class="md-ellipsis">
Cluster Rebuild
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gitops-advantages-for-dr" class="md-nav__link">
<span class="md-ellipsis">
GitOps Advantages for DR
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#best-practices" class="md-nav__link">
<span class="md-ellipsis">
Best Practices
</span>
</a>
<nav class="md-nav" aria-label="Best Practices">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#repository-organization" class="md-nav__link">
<span class="md-ellipsis">
Repository Organization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gitops-workflow_1" class="md-nav__link">
<span class="md-ellipsis">
GitOps Workflow
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#application-development" class="md-nav__link">
<span class="md-ellipsis">
Application Development
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#next-steps" class="md-nav__link">
<span class="md-ellipsis">
Next Steps
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../DEVELOPER-GUIDE/" class="md-nav__link">
<span class="md-ellipsis">
Developer Guide
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../OPERATIONS-RUNBOOK/" class="md-nav__link">
<span class="md-ellipsis">
Operations Runbook
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../REFERENCE/" class="md-nav__link">
<span class="md-ellipsis">
Technical Reference
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#table-of-contents" class="md-nav__link">
<span class="md-ellipsis">
Table of Contents
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#overview" class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
<nav class="md-nav" aria-label="Overview">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#key-characteristics" class="md-nav__link">
<span class="md-ellipsis">
Key Characteristics
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#architecture-diagram" class="md-nav__link">
<span class="md-ellipsis">
Architecture Diagram
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#repository-structure" class="md-nav__link">
<span class="md-ellipsis">
Repository Structure
</span>
</a>
<nav class="md-nav" aria-label="Repository Structure">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#1-config-repository-current-repo" class="md-nav__link">
<span class="md-ellipsis">
1. Config Repository (Current Repo)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#2-helm-charts-repository" class="md-nav__link">
<span class="md-ellipsis">
2. Helm Charts Repository
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#3-helm-values-repository" class="md-nav__link">
<span class="md-ellipsis">
3. Helm Values Repository
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#4-application-source-code-repositories" class="md-nav__link">
<span class="md-ellipsis">
4. Application Source Code Repositories
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#gitops-workflow" class="md-nav__link">
<span class="md-ellipsis">
GitOps Workflow
</span>
</a>
<nav class="md-nav" aria-label="GitOps Workflow">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#the-app-of-apps-pattern" class="md-nav__link">
<span class="md-ellipsis">
The App-of-Apps Pattern
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sync-waves-ordering" class="md-nav__link">
<span class="md-ellipsis">
Sync Waves &amp; Ordering
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#multi-source-pattern" class="md-nav__link">
<span class="md-ellipsis">
Multi-Source Pattern
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#multi-cluster-pattern" class="md-nav__link">
<span class="md-ellipsis">
Multi-Cluster Pattern
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#cicd-pipeline" class="md-nav__link">
<span class="md-ellipsis">
CI/CD Pipeline
</span>
</a>
<nav class="md-nav" aria-label="CI/CD Pipeline">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#continuous-integration" class="md-nav__link">
<span class="md-ellipsis">
Continuous Integration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#continuous-deployment" class="md-nav__link">
<span class="md-ellipsis">
Continuous Deployment
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#deployment-validation" class="md-nav__link">
<span class="md-ellipsis">
Deployment Validation
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#security-model" class="md-nav__link">
<span class="md-ellipsis">
Security Model
</span>
</a>
<nav class="md-nav" aria-label="Security Model">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#secret-management" class="md-nav__link">
<span class="md-ellipsis">
Secret Management
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#kyverno-policies" class="md-nav__link">
<span class="md-ellipsis">
Kyverno Policies
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#repository-access" class="md-nav__link">
<span class="md-ellipsis">
Repository Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#network-security" class="md-nav__link">
<span class="md-ellipsis">
Network Security
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#authentication" class="md-nav__link">
<span class="md-ellipsis">
Authentication
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#monitoring-observability" class="md-nav__link">
<span class="md-ellipsis">
Monitoring &amp; Observability
</span>
</a>
<nav class="md-nav" aria-label="Monitoring &amp; Observability">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#stack-components" class="md-nav__link">
<span class="md-ellipsis">
Stack Components
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#slack-notifications" class="md-nav__link">
<span class="md-ellipsis">
Slack Notifications
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#disaster-recovery" class="md-nav__link">
<span class="md-ellipsis">
Disaster Recovery
</span>
</a>
<nav class="md-nav" aria-label="Disaster Recovery">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#cluster-rebuild" class="md-nav__link">
<span class="md-ellipsis">
Cluster Rebuild
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gitops-advantages-for-dr" class="md-nav__link">
<span class="md-ellipsis">
GitOps Advantages for DR
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#best-practices" class="md-nav__link">
<span class="md-ellipsis">
Best Practices
</span>
</a>
<nav class="md-nav" aria-label="Best Practices">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#repository-organization" class="md-nav__link">
<span class="md-ellipsis">
Repository Organization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#gitops-workflow_1" class="md-nav__link">
<span class="md-ellipsis">
GitOps Workflow
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#application-development" class="md-nav__link">
<span class="md-ellipsis">
Application Development
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#next-steps" class="md-nav__link">
<span class="md-ellipsis">
Next Steps
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="gitops-architecture-repository-guide">GitOps Architecture &amp; Repository Guide<a class="headerlink" href="#gitops-architecture-repository-guide" title="Permanent link">&para;</a></h1>
<h2 id="table-of-contents">Table of Contents<a class="headerlink" href="#table-of-contents" title="Permanent link">&para;</a></h2>
<ul>
<li><a href="#overview">Overview</a></li>
<li><a href="#architecture-diagram">Architecture Diagram</a></li>
<li><a href="#repository-structure">Repository Structure</a></li>
<li><a href="#gitops-workflow">GitOps Workflow</a></li>
<li><a href="#cicd-pipeline">CI/CD Pipeline</a></li>
<li><a href="#security-model">Security Model</a></li>
</ul>
<hr />
<h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link">&para;</a></h2>
<p>This Kubernetes cluster uses a <strong>GitOps approach</strong> powered by <strong>ArgoCD</strong>, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster is running on <strong>UpCloud Managed Kubernetes</strong> but is designed to be cloud-agnostic.</p>
<h3 id="key-characteristics">Key Characteristics<a class="headerlink" href="#key-characteristics" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>Environment</strong>: Production (internal use only)</li>
<li><strong>Cluster Type</strong>: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays</li>
<li><strong>GitOps Tool</strong>: ArgoCD</li>
<li><strong>Deployment Pattern</strong>: App-of-Apps</li>
<li><strong>Secret Management</strong>: Sealed Secrets (kubeseal)</li>
<li><strong>Ingress</strong>: Traefik with Let's Encrypt TLS</li>
<li><strong>Monitoring</strong>: Prometheus + Grafana + Loki + Tempo + Fluent-Bit</li>
<li><strong>Policy Engine</strong>: Kyverno</li>
<li><strong>Notifications</strong>: Slack integration for sync status</li>
</ul>
<hr />
<h2 id="architecture-diagram">Architecture Diagram<a class="headerlink" href="#architecture-diagram" title="Permanent link">&para;</a></h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a>┌─────────────────────────────────────────────────────────────────────────┐
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a>│ Developer Workflow │
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a>└─────────────────────────────────────────────────────────────────────────┘
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a>
<a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a>
<a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a>┌─────────────────────┐ ┌──────────────────┐ ┌─────────────────┐
<a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a>│ Application Code │ │ Helm Charts │ │ Helm Values │
<a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a>│ Repositories │──────│ Repository │──────│ Repository │
<a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a>│ (Source Code) │ │ (Templates) │ │ (Config/Env) │
<a id="__codelineno-0-10" name="__codelineno-0-10" href="#__codelineno-0-10"></a>└─────────────────────┘ └──────────────────┘ └─────────────────┘
<a id="__codelineno-0-11" name="__codelineno-0-11" href="#__codelineno-0-11"></a> │ │ │
<a id="__codelineno-0-12" name="__codelineno-0-12" href="#__codelineno-0-12"></a> │ │ │
<a id="__codelineno-0-13" name="__codelineno-0-13" href="#__codelineno-0-13"></a> GitHub Actions │ │
<a id="__codelineno-0-14" name="__codelineno-0-14" href="#__codelineno-0-14"></a> Build &amp; Push Image │ │
<a id="__codelineno-0-15" name="__codelineno-0-15" href="#__codelineno-0-15"></a> │ │ │
<a id="__codelineno-0-16" name="__codelineno-0-16" href="#__codelineno-0-16"></a> │ │ │
<a id="__codelineno-0-17" name="__codelineno-0-17" href="#__codelineno-0-17"></a> └────────► Update image tag ─┴──────────────────────────┘
<a id="__codelineno-0-18" name="__codelineno-0-18" href="#__codelineno-0-18"></a> in helm-values │
<a id="__codelineno-0-19" name="__codelineno-0-19" href="#__codelineno-0-19"></a>
<a id="__codelineno-0-20" name="__codelineno-0-20" href="#__codelineno-0-20"></a>
<a id="__codelineno-0-21" name="__codelineno-0-21" href="#__codelineno-0-21"></a> ┌────────────────────────────────┐
<a id="__codelineno-0-22" name="__codelineno-0-22" href="#__codelineno-0-22"></a> │ Config Repository │
<a id="__codelineno-0-23" name="__codelineno-0-23" href="#__codelineno-0-23"></a> │ (ArgoCD Applications) │
<a id="__codelineno-0-24" name="__codelineno-0-24" href="#__codelineno-0-24"></a> │ git.forteapps.net/Forte/ │
<a id="__codelineno-0-25" name="__codelineno-0-25" href="#__codelineno-0-25"></a> │ launchpad │
<a id="__codelineno-0-26" name="__codelineno-0-26" href="#__codelineno-0-26"></a> └────────────────────────────────┘
<a id="__codelineno-0-27" name="__codelineno-0-27" href="#__codelineno-0-27"></a>
<a id="__codelineno-0-28" name="__codelineno-0-28" href="#__codelineno-0-28"></a>
<a id="__codelineno-0-29" name="__codelineno-0-29" href="#__codelineno-0-29"></a> ArgoCD monitors &amp; syncs
<a id="__codelineno-0-30" name="__codelineno-0-30" href="#__codelineno-0-30"></a>
<a id="__codelineno-0-31" name="__codelineno-0-31" href="#__codelineno-0-31"></a>
<a id="__codelineno-0-32" name="__codelineno-0-32" href="#__codelineno-0-32"></a> ┌────────────────────────────────┐
<a id="__codelineno-0-33" name="__codelineno-0-33" href="#__codelineno-0-33"></a> │ Kubernetes Clusters │
<a id="__codelineno-0-34" name="__codelineno-0-34" href="#__codelineno-0-34"></a> │ (UpCloud: upc-dev, upc-prod) │
<a id="__codelineno-0-35" name="__codelineno-0-35" href="#__codelineno-0-35"></a> │ │
<a id="__codelineno-0-36" name="__codelineno-0-36" href="#__codelineno-0-36"></a> │ ┌──────────────────────────┐ │
<a id="__codelineno-0-37" name="__codelineno-0-37" href="#__codelineno-0-37"></a> │ │ ArgoCD │ │
<a id="__codelineno-0-38" name="__codelineno-0-38" href="#__codelineno-0-38"></a> │ │ (GitOps Controller) │ │
<a id="__codelineno-0-39" name="__codelineno-0-39" href="#__codelineno-0-39"></a> │ └──────────────────────────┘ │
<a id="__codelineno-0-40" name="__codelineno-0-40" href="#__codelineno-0-40"></a> │ │
<a id="__codelineno-0-41" name="__codelineno-0-41" href="#__codelineno-0-41"></a> │ ┌──────────────────────────┐ │
<a id="__codelineno-0-42" name="__codelineno-0-42" href="#__codelineno-0-42"></a> │ │ Infrastructure Layer │ │
<a id="__codelineno-0-43" name="__codelineno-0-43" href="#__codelineno-0-43"></a> │ │ - Traefik (Ingress) │ │
<a id="__codelineno-0-44" name="__codelineno-0-44" href="#__codelineno-0-44"></a> │ │ - Cert-Manager (TLS) │ │
<a id="__codelineno-0-45" name="__codelineno-0-45" href="#__codelineno-0-45"></a> │ │ - Kyverno (Policies) │ │
<a id="__codelineno-0-46" name="__codelineno-0-46" href="#__codelineno-0-46"></a> │ │ - Sealed Secrets │ │
<a id="__codelineno-0-47" name="__codelineno-0-47" href="#__codelineno-0-47"></a> │ └──────────────────────────┘ │
<a id="__codelineno-0-48" name="__codelineno-0-48" href="#__codelineno-0-48"></a> │ │
<a id="__codelineno-0-49" name="__codelineno-0-49" href="#__codelineno-0-49"></a> │ ┌──────────────────────────┐ │
<a id="__codelineno-0-50" name="__codelineno-0-50" href="#__codelineno-0-50"></a> │ │ Monitoring Stack │ │
<a id="__codelineno-0-51" name="__codelineno-0-51" href="#__codelineno-0-51"></a> │ │ - Prometheus │ │
<a id="__codelineno-0-52" name="__codelineno-0-52" href="#__codelineno-0-52"></a> │ │ - Grafana │ │
<a id="__codelineno-0-53" name="__codelineno-0-53" href="#__codelineno-0-53"></a> │ │ - Loki │ │
<a id="__codelineno-0-54" name="__codelineno-0-54" href="#__codelineno-0-54"></a> │ │ - Tempo │ │
<a id="__codelineno-0-55" name="__codelineno-0-55" href="#__codelineno-0-55"></a> │ │ - Fluent-Bit │ │
<a id="__codelineno-0-56" name="__codelineno-0-56" href="#__codelineno-0-56"></a> │ └──────────────────────────┘ │
<a id="__codelineno-0-57" name="__codelineno-0-57" href="#__codelineno-0-57"></a> │ │
<a id="__codelineno-0-58" name="__codelineno-0-58" href="#__codelineno-0-58"></a> │ ┌──────────────────────────┐ │
<a id="__codelineno-0-59" name="__codelineno-0-59" href="#__codelineno-0-59"></a> │ │ Application Layer │ │
<a id="__codelineno-0-60" name="__codelineno-0-60" href="#__codelineno-0-60"></a> │ │ - mcp10x │ │
<a id="__codelineno-0-61" name="__codelineno-0-61" href="#__codelineno-0-61"></a> │ │ - musicman │ │
<a id="__codelineno-0-62" name="__codelineno-0-62" href="#__codelineno-0-62"></a> │ │ - dot-ai-stack │ │
<a id="__codelineno-0-63" name="__codelineno-0-63" href="#__codelineno-0-63"></a> │ │ - argo-mcp │ │
<a id="__codelineno-0-64" name="__codelineno-0-64" href="#__codelineno-0-64"></a> │ └──────────────────────────┘ │
<a id="__codelineno-0-65" name="__codelineno-0-65" href="#__codelineno-0-65"></a> └────────────────────────────────┘
<a id="__codelineno-0-66" name="__codelineno-0-66" href="#__codelineno-0-66"></a>
<a id="__codelineno-0-67" name="__codelineno-0-67" href="#__codelineno-0-67"></a>
<a id="__codelineno-0-68" name="__codelineno-0-68" href="#__codelineno-0-68"></a>
<a id="__codelineno-0-69" name="__codelineno-0-69" href="#__codelineno-0-69"></a> ┌──────────────────┐
<a id="__codelineno-0-70" name="__codelineno-0-70" href="#__codelineno-0-70"></a> │ Slack Channel │
<a id="__codelineno-0-71" name="__codelineno-0-71" href="#__codelineno-0-71"></a> │ (Notifications) │
<a id="__codelineno-0-72" name="__codelineno-0-72" href="#__codelineno-0-72"></a> └──────────────────┘
</code></pre></div>
<hr />
<h2 id="repository-structure">Repository Structure<a class="headerlink" href="#repository-structure" title="Permanent link">&para;</a></h2>
<h3 id="1-config-repository-current-repo">1. <strong>Config Repository</strong> (Current Repo)<a class="headerlink" href="#1-config-repository-current-repo" title="Permanent link">&para;</a></h3>
<p><strong>Repository</strong>: <code>https://git.forteapps.net/Forte/launchpad</code>
<strong>Purpose</strong>: GitOps configuration - ArgoCD Applications and cluster resources
<strong>Location</strong>: <code>C:\dev\k8s\launchpad</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a>launchpad/
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a>├── bootstrap.sh # Cluster initialization script
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a>├── _app-of-apps-upc-dev.yaml # Root ArgoCD Application (upc-dev cluster)
<a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a>├── _app-of-apps-upc-prod.yaml # Root ArgoCD Application (upc-prod cluster)
<a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a>
<a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a>├── infra/ # Infrastructure ArgoCD Applications (Kustomize)
<a id="__codelineno-1-7" name="__codelineno-1-7" href="#__codelineno-1-7"></a>│ ├── base/ # Base Application manifests (upc-dev defaults)
<a id="__codelineno-1-8" name="__codelineno-1-8" href="#__codelineno-1-8"></a>│ │ ├── kustomization.yaml
<a id="__codelineno-1-9" name="__codelineno-1-9" href="#__codelineno-1-9"></a>│ │ ├── traefik-application.yaml
<a id="__codelineno-1-10" name="__codelineno-1-10" href="#__codelineno-1-10"></a>│ │ ├── keycloak.yaml
<a id="__codelineno-1-11" name="__codelineno-1-11" href="#__codelineno-1-11"></a>│ │ ├── grafana.yaml
<a id="__codelineno-1-12" name="__codelineno-1-12" href="#__codelineno-1-12"></a>│ │ ├── gitea.yaml
<a id="__codelineno-1-13" name="__codelineno-1-13" href="#__codelineno-1-13"></a>│ │ ├── gitea-actions.yaml
<a id="__codelineno-1-14" name="__codelineno-1-14" href="#__codelineno-1-14"></a>│ │ ├── tempo.yaml
<a id="__codelineno-1-15" name="__codelineno-1-15" href="#__codelineno-1-15"></a>│ │ ├── renovate.yaml
<a id="__codelineno-1-16" name="__codelineno-1-16" href="#__codelineno-1-16"></a>│ │ ├── ... # All other Application manifests
<a id="__codelineno-1-17" name="__codelineno-1-17" href="#__codelineno-1-17"></a>│ │ └── secrets.yaml
<a id="__codelineno-1-18" name="__codelineno-1-18" href="#__codelineno-1-18"></a>│ ├── overlays/ # Per-cluster overrides
<a id="__codelineno-1-19" name="__codelineno-1-19" href="#__codelineno-1-19"></a>│ │ ├── upc-dev/ # UpCloud Dev (uses base as-is)
<a id="__codelineno-1-20" name="__codelineno-1-20" href="#__codelineno-1-20"></a>│ │ └── upc-prod/ # UpCloud Prod (patches value paths)
<a id="__codelineno-1-21" name="__codelineno-1-21" href="#__codelineno-1-21"></a>│ ├── dashboards/ # Grafana dashboard ConfigMaps
<a id="__codelineno-1-22" name="__codelineno-1-22" href="#__codelineno-1-22"></a>│ └── values/ # Helm value overrides for infra
<a id="__codelineno-1-23" name="__codelineno-1-23" href="#__codelineno-1-23"></a>│ ├── base/ # Shared values (all clusters)
<a id="__codelineno-1-24" name="__codelineno-1-24" href="#__codelineno-1-24"></a>│ │ ├── traefik-values.yaml
<a id="__codelineno-1-25" name="__codelineno-1-25" href="#__codelineno-1-25"></a>│ │ ├── keycloak-values.yaml
<a id="__codelineno-1-26" name="__codelineno-1-26" href="#__codelineno-1-26"></a>│ │ ├── grafana-values.yaml
<a id="__codelineno-1-27" name="__codelineno-1-27" href="#__codelineno-1-27"></a>│ │ ├── prometheus-values.yaml
<a id="__codelineno-1-28" name="__codelineno-1-28" href="#__codelineno-1-28"></a>│ │ ├── gitea-values.yaml
<a id="__codelineno-1-29" name="__codelineno-1-29" href="#__codelineno-1-29"></a>│ │ └── ...
<a id="__codelineno-1-30" name="__codelineno-1-30" href="#__codelineno-1-30"></a>│ ├── upc-dev/ # upc-dev cluster-specific values
<a id="__codelineno-1-31" name="__codelineno-1-31" href="#__codelineno-1-31"></a>│ │ ├── traefik-values.yaml
<a id="__codelineno-1-32" name="__codelineno-1-32" href="#__codelineno-1-32"></a>│ │ ├── keycloak-values.yaml
<a id="__codelineno-1-33" name="__codelineno-1-33" href="#__codelineno-1-33"></a>│ │ └── grafana-values.yaml
<a id="__codelineno-1-34" name="__codelineno-1-34" href="#__codelineno-1-34"></a>│ └── upc-prod/ # upc-prod cluster-specific values
<a id="__codelineno-1-35" name="__codelineno-1-35" href="#__codelineno-1-35"></a>│ ├── traefik-values.yaml
<a id="__codelineno-1-36" name="__codelineno-1-36" href="#__codelineno-1-36"></a>│ ├── keycloak-values.yaml
<a id="__codelineno-1-37" name="__codelineno-1-37" href="#__codelineno-1-37"></a>│ └── grafana-values.yaml
<a id="__codelineno-1-38" name="__codelineno-1-38" href="#__codelineno-1-38"></a>
<a id="__codelineno-1-39" name="__codelineno-1-39" href="#__codelineno-1-39"></a>├── apps/ # Business Application ArgoCD manifests (Kustomize)
<a id="__codelineno-1-40" name="__codelineno-1-40" href="#__codelineno-1-40"></a>│ ├── base/ # Base app manifests
<a id="__codelineno-1-41" name="__codelineno-1-41" href="#__codelineno-1-41"></a>│ │ ├── kustomization.yaml
<a id="__codelineno-1-42" name="__codelineno-1-42" href="#__codelineno-1-42"></a>│ │ ├── dot-ai-stack.yaml
<a id="__codelineno-1-43" name="__codelineno-1-43" href="#__codelineno-1-43"></a>│ │ └── ...
<a id="__codelineno-1-44" name="__codelineno-1-44" href="#__codelineno-1-44"></a>│ └── overlays/
<a id="__codelineno-1-45" name="__codelineno-1-45" href="#__codelineno-1-45"></a>│ ├── upc-dev/ # Uses base as-is
<a id="__codelineno-1-46" name="__codelineno-1-46" href="#__codelineno-1-46"></a>│ └── upc-prod/ # Patches value paths
<a id="__codelineno-1-47" name="__codelineno-1-47" href="#__codelineno-1-47"></a>
<a id="__codelineno-1-48" name="__codelineno-1-48" href="#__codelineno-1-48"></a>├── cluster-resources/ # Cluster-wide Kubernetes resources
<a id="__codelineno-1-49" name="__codelineno-1-49" href="#__codelineno-1-49"></a>│ ├── ...
<a id="__codelineno-1-50" name="__codelineno-1-50" href="#__codelineno-1-50"></a>│ └── policies/ # Kyverno policies
<a id="__codelineno-1-51" name="__codelineno-1-51" href="#__codelineno-1-51"></a>
<a id="__codelineno-1-52" name="__codelineno-1-52" href="#__codelineno-1-52"></a>├── secrets/ # Application secrets (sealed, per-cluster)
<a id="__codelineno-1-53" name="__codelineno-1-53" href="#__codelineno-1-53"></a>│ └── upc-dev/ # Secrets for upc-dev cluster
<a id="__codelineno-1-54" name="__codelineno-1-54" href="#__codelineno-1-54"></a>
<a id="__codelineno-1-55" name="__codelineno-1-55" href="#__codelineno-1-55"></a>├── private/ # Local-only files (NOT in Git)
<a id="__codelineno-1-56" name="__codelineno-1-56" href="#__codelineno-1-56"></a>
<a id="__codelineno-1-57" name="__codelineno-1-57" href="#__codelineno-1-57"></a>└── docs/ # Documentation
</code></pre></div>
<p><strong>Key Points</strong>:
- <code>_app-of-apps-upc-dev.yaml</code> and <code>_app-of-apps-upc-prod.yaml</code> are the per-cluster root Applications
- Kustomize overlays in <code>infra/overlays/</code> render base Applications with per-cluster patches
- Helm values are split: <code>values/base/</code> (shared) + <code>values/upc-dev/</code> or <code>values/upc-prod/</code> (cluster-specific)
- <code>apps/</code> follows the same base/overlays pattern for business applications
- Changes pushed to this repo trigger automatic syncs in ArgoCD
- <code>private/</code> folder contains local-only files (Git-ignored)</p>
<hr />
<h3 id="2-helm-charts-repository">2. <strong>Helm Charts Repository</strong><a class="headerlink" href="#2-helm-charts-repository" title="Permanent link">&para;</a></h3>
<p><strong>Repository</strong>: <code>https://github.com/fortedigital/forte-helm</code>
<strong>Purpose</strong>: Reusable Helm chart templates for Forte applications
<strong>Location</strong>: <code>C:\dev\k8s\forte-helm</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a>forte-helm/
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a>└── forteapp/ # Generic Forte application chart
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a> ├── Chart.yaml # Chart metadata (v0.1.0)
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a> ├── values.yaml # Default values (base template)
<a id="__codelineno-2-5" name="__codelineno-2-5" href="#__codelineno-2-5"></a> ├── templates/
<a id="__codelineno-2-6" name="__codelineno-2-6" href="#__codelineno-2-6"></a> │ ├── _helpers.tpl # Template helpers
<a id="__codelineno-2-7" name="__codelineno-2-7" href="#__codelineno-2-7"></a> │ ├── namespace.yaml
<a id="__codelineno-2-8" name="__codelineno-2-8" href="#__codelineno-2-8"></a> │ ├── deployment.yaml # Main app deployment
<a id="__codelineno-2-9" name="__codelineno-2-9" href="#__codelineno-2-9"></a> │ ├── service.yaml
<a id="__codelineno-2-10" name="__codelineno-2-10" href="#__codelineno-2-10"></a> │ ├── ingressroute.yaml # Traefik IngressRoute
<a id="__codelineno-2-11" name="__codelineno-2-11" href="#__codelineno-2-11"></a> │ ├── certificate.yaml # Cert-Manager Certificate
<a id="__codelineno-2-12" name="__codelineno-2-12" href="#__codelineno-2-12"></a> │ ├── configmap.yaml
<a id="__codelineno-2-13" name="__codelineno-2-13" href="#__codelineno-2-13"></a> │ ├── secret-auth-tokens.yaml
<a id="__codelineno-2-14" name="__codelineno-2-14" href="#__codelineno-2-14"></a> │ ├── hpa.yaml # Horizontal Pod Autoscaler
<a id="__codelineno-2-15" name="__codelineno-2-15" href="#__codelineno-2-15"></a> │ ├── database-statefulset.yaml # Optional PostgreSQL DB
<a id="__codelineno-2-16" name="__codelineno-2-16" href="#__codelineno-2-16"></a> │ └── database-service.yaml
<a id="__codelineno-2-17" name="__codelineno-2-17" href="#__codelineno-2-17"></a> └── README.md
</code></pre></div>
<p><strong>Key Points</strong>:
- Single generic chart (<code>forteapp</code>) used by all Forte applications
- Supports optional PostgreSQL database (StatefulSet)
- Configurable authentication (token-based or OIDC)
- Traefik IngressRoute with automatic TLS via Cert-Manager
- Designed for microservices with similar patterns</p>
<hr />
<h3 id="3-helm-values-repository">3. <strong>Helm Values Repository</strong><a class="headerlink" href="#3-helm-values-repository" title="Permanent link">&para;</a></h3>
<p><strong>Repository</strong>: <code>git@github.com:fortedigital/helm-values.git</code>
<strong>Purpose</strong>: Environment-specific configuration for each application
<strong>Location</strong>: <code>C:\dev\k8s\helm-prod-values</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a>helm-prod-values/
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a>├── mcp10x/
<a id="__codelineno-3-3" name="__codelineno-3-3" href="#__codelineno-3-3"></a>│ └── values.yaml # MCP 10X configuration
<a id="__codelineno-3-4" name="__codelineno-3-4" href="#__codelineno-3-4"></a>├── musicman/
<a id="__codelineno-3-5" name="__codelineno-3-5" href="#__codelineno-3-5"></a>│ └── values.yaml # Music Man configuration
<a id="__codelineno-3-6" name="__codelineno-3-6" href="#__codelineno-3-6"></a>├── mcpcoder/
<a id="__codelineno-3-7" name="__codelineno-3-7" href="#__codelineno-3-7"></a>│ └── values.yaml # MCP Coder configuration
<a id="__codelineno-3-8" name="__codelineno-3-8" href="#__codelineno-3-8"></a>└── argocd-mcp/
<a id="__codelineno-3-9" name="__codelineno-3-9" href="#__codelineno-3-9"></a> └── values.yaml # ArgoCD MCP configuration
</code></pre></div>
<p><strong>Key Points</strong>:
- Each app has its own folder with <code>values.yaml</code>
- Contains environment-specific settings (image tags, env vars, resources, etc.)
- Referenced by ArgoCD Applications using multi-source pattern
- Image tags are updated here by CI/CD pipelines
- Secrets are referenced by name (actual secrets stored as SealedSecrets)</p>
<p><strong>Example</strong> (<code>mcp10x/values.yaml</code>):
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="nt">app</span><span class="p">:</span>
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a><span class="w"> </span><span class="nt">image</span><span class="p">:</span>
<a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a><span class="w"> </span><span class="nt">repository</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ghcr.io/fortedigital/10x</span>
<a id="__codelineno-4-4" name="__codelineno-4-4" href="#__codelineno-4-4"></a><span class="w"> </span><span class="nt">tag</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2.0.4</span><span class="w"> </span><span class="c1"># Updated by CI/CD</span>
<a id="__codelineno-4-5" name="__codelineno-4-5" href="#__codelineno-4-5"></a><span class="w"> </span><span class="nt">extraEnv</span><span class="p">:</span>
<a id="__codelineno-4-6" name="__codelineno-4-6" href="#__codelineno-4-6"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PORT</span>
<a id="__codelineno-4-7" name="__codelineno-4-7" href="#__codelineno-4-7"></a><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;3000&quot;</span>
<a id="__codelineno-4-8" name="__codelineno-4-8" href="#__codelineno-4-8"></a><span class="w"> </span><span class="nt">envSecretName</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;app-credentials&quot;</span><span class="w"> </span><span class="c1"># References SealedSecret</span>
<a id="__codelineno-4-9" name="__codelineno-4-9" href="#__codelineno-4-9"></a>
<a id="__codelineno-4-10" name="__codelineno-4-10" href="#__codelineno-4-10"></a><span class="nt">ingress</span><span class="p">:</span>
<a id="__codelineno-4-11" name="__codelineno-4-11" href="#__codelineno-4-11"></a><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<a id="__codelineno-4-12" name="__codelineno-4-12" href="#__codelineno-4-12"></a><span class="w"> </span><span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mcp10x.forteapps.net</span><span class="w"> </span><span class="c1"># Public domain</span>
</code></pre></div></p>
<hr />
<h3 id="4-application-source-code-repositories">4. <strong>Application Source Code Repositories</strong><a class="headerlink" href="#4-application-source-code-repositories" title="Permanent link">&para;</a></h3>
<p><strong>Purpose</strong>: Application source code with CI/CD pipelines
<strong>Examples</strong>: Various private repositories</p>
<p><strong>Typical Structure</strong>:
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a>app-repository/
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a>├── src/ # Application source code
<a id="__codelineno-5-3" name="__codelineno-5-3" href="#__codelineno-5-3"></a>├── Dockerfile # Container build definition
<a id="__codelineno-5-4" name="__codelineno-5-4" href="#__codelineno-5-4"></a>├── .github/
<a id="__codelineno-5-5" name="__codelineno-5-5" href="#__codelineno-5-5"></a>│ └── workflows/
<a id="__codelineno-5-6" name="__codelineno-5-6" href="#__codelineno-5-6"></a>│ └── build-and-deploy.yml # GitHub Actions workflow
<a id="__codelineno-5-7" name="__codelineno-5-7" href="#__codelineno-5-7"></a>└── package.json / requirements.txt # Dependencies
</code></pre></div></p>
<p><strong>CI/CD Workflow</strong> (GitHub Actions):
1. Trigger on push to <code>main</code> branch
2. Build Docker image
3. Tag with version (e.g., <code>v2.0.4</code>)
4. Push to container registry (GHCR, Docker Hub, etc.)
5. Update image tag in <code>helm-values</code> repository
6. ArgoCD detects change and syncs automatically</p>
<hr />
<h2 id="gitops-workflow">GitOps Workflow<a class="headerlink" href="#gitops-workflow" title="Permanent link">&para;</a></h2>
<h3 id="the-app-of-apps-pattern">The App-of-Apps Pattern<a class="headerlink" href="#the-app-of-apps-pattern" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a>_app-of-apps-{upc-dev,upc-prod}.yaml (Root, per cluster)
<a id="__codelineno-6-2" name="__codelineno-6-2" href="#__codelineno-6-2"></a>
<a id="__codelineno-6-3" name="__codelineno-6-3" href="#__codelineno-6-3"></a> ├── infrastructure-apps (manages infra/)
<a id="__codelineno-6-4" name="__codelineno-6-4" href="#__codelineno-6-4"></a> │ ├── cluster-resources-application
<a id="__codelineno-6-5" name="__codelineno-6-5" href="#__codelineno-6-5"></a> │ ├── traefik-application
<a id="__codelineno-6-6" name="__codelineno-6-6" href="#__codelineno-6-6"></a> │ ├── cert-manager-application
<a id="__codelineno-6-7" name="__codelineno-6-7" href="#__codelineno-6-7"></a> │ ├── kyverno
<a id="__codelineno-6-8" name="__codelineno-6-8" href="#__codelineno-6-8"></a> │ ├── prometheus
<a id="__codelineno-6-9" name="__codelineno-6-9" href="#__codelineno-6-9"></a> │ ├── grafana
<a id="__codelineno-6-10" name="__codelineno-6-10" href="#__codelineno-6-10"></a> │ ├── tempo
<a id="__codelineno-6-11" name="__codelineno-6-11" href="#__codelineno-6-11"></a> │ └── ... (other infra apps)
<a id="__codelineno-6-12" name="__codelineno-6-12" href="#__codelineno-6-12"></a>
<a id="__codelineno-6-13" name="__codelineno-6-13" href="#__codelineno-6-13"></a> └── enterprise-apps (manages apps/)
<a id="__codelineno-6-14" name="__codelineno-6-14" href="#__codelineno-6-14"></a> ├── mcp10x
<a id="__codelineno-6-15" name="__codelineno-6-15" href="#__codelineno-6-15"></a> ├── musicman
<a id="__codelineno-6-16" name="__codelineno-6-16" href="#__codelineno-6-16"></a> ├── dot-ai-stack
<a id="__codelineno-6-17" name="__codelineno-6-17" href="#__codelineno-6-17"></a> └── argo-mcp
</code></pre></div>
<p><strong>How It Works</strong>:
1. Bootstrap script installs ArgoCD and applies <code>_app-of-apps-upc-dev.yaml</code> (or <code>upc-prod</code>)
2. ArgoCD creates the root Application which monitors the appropriate <code>infra/overlays/</code> folder
3. Kustomize renders base Applications with cluster-specific patches
4. <code>enterprise-apps</code> Application monitors the cluster's <code>apps/overlays/</code> folder
5. ArgoCD continuously syncs (every 60s) and auto-heals drift</p>
<h3 id="sync-waves-ordering">Sync Waves &amp; Ordering<a class="headerlink" href="#sync-waves-ordering" title="Permanent link">&para;</a></h3>
<p>Applications deploy in order using <code>argocd.argoproj.io/sync-wave</code> annotations:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a>Wave -1: Namespaces (created first)
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a>Wave 0: Kyverno (policies ready before resources)
<a id="__codelineno-7-3" name="__codelineno-7-3" href="#__codelineno-7-3"></a>Wave 1: Cluster resources, infrastructure apps
<a id="__codelineno-7-4" name="__codelineno-7-4" href="#__codelineno-7-4"></a>Wave 2+: Business applications
</code></pre></div>
<p>Example:
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
<a id="__codelineno-8-3" name="__codelineno-8-3" href="#__codelineno-8-3"></a><span class="w"> </span><span class="nt">argocd.argoproj.io/sync-wave</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;1&quot;</span>
</code></pre></div></p>
<h3 id="multi-source-pattern">Multi-Source Pattern<a class="headerlink" href="#multi-source-pattern" title="Permanent link">&para;</a></h3>
<p>Applications like <code>mcp10x</code> and <code>musicman</code> use multiple sources:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="nt">spec</span><span class="p">:</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a><span class="w"> </span><span class="nt">sources</span><span class="p">:</span>
<a id="__codelineno-9-3" name="__codelineno-9-3" href="#__codelineno-9-3"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">repoURL</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://github.com/fortedigital/forte-helm</span>
<a id="__codelineno-9-4" name="__codelineno-9-4" href="#__codelineno-9-4"></a><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">forteapp</span><span class="w"> </span><span class="c1"># Helm chart templates</span>
<a id="__codelineno-9-5" name="__codelineno-9-5" href="#__codelineno-9-5"></a><span class="w"> </span><span class="nt">helm</span><span class="p">:</span>
<a id="__codelineno-9-6" name="__codelineno-9-6" href="#__codelineno-9-6"></a><span class="w"> </span><span class="nt">valueFiles</span><span class="p">:</span>
<a id="__codelineno-9-7" name="__codelineno-9-7" href="#__codelineno-9-7"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">$values/mcp10x/values.yaml</span><span class="w"> </span><span class="c1"># Reference to second source</span>
<a id="__codelineno-9-8" name="__codelineno-9-8" href="#__codelineno-9-8"></a>
<a id="__codelineno-9-9" name="__codelineno-9-9" href="#__codelineno-9-9"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">repoURL</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">git@github.com:fortedigital/helm-values.git</span>
<a id="__codelineno-9-10" name="__codelineno-9-10" href="#__codelineno-9-10"></a><span class="w"> </span><span class="nt">targetRevision</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">HEAD</span>
<a id="__codelineno-9-11" name="__codelineno-9-11" href="#__codelineno-9-11"></a><span class="w"> </span><span class="nt">ref</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">values</span><span class="w"> </span><span class="c1"># Named reference</span>
</code></pre></div>
<p><strong>Benefits</strong>:
- Chart templates separated from configuration
- Single chart reused across all apps
- Easy to update all apps by changing the chart
- Environment-specific values isolated in separate repo</p>
<h3 id="multi-cluster-pattern">Multi-Cluster Pattern<a class="headerlink" href="#multi-cluster-pattern" title="Permanent link">&para;</a></h3>
<p>Kustomize overlays enable deploying the same Applications across clusters with different configurations:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="c1"># infra/base/ contains default (upc-dev) Applications</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="c1"># Helm values are layered: base + cluster-specific</span>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a><span class="nt">valueFiles</span><span class="p">:</span>
<a id="__codelineno-10-4" name="__codelineno-10-4" href="#__codelineno-10-4"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">$values/infra/values/base/traefik-values.yaml</span><span class="w"> </span><span class="c1"># Shared config</span>
<a id="__codelineno-10-5" name="__codelineno-10-5" href="#__codelineno-10-5"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">$values/infra/values/upc-dev/traefik-values.yaml</span><span class="w"> </span><span class="c1"># Cluster-specific</span>
<a id="__codelineno-10-6" name="__codelineno-10-6" href="#__codelineno-10-6"></a>
<a id="__codelineno-10-7" name="__codelineno-10-7" href="#__codelineno-10-7"></a><span class="c1"># infra/overlays/upc-prod/kustomization.yaml patches the second valueFile</span>
<a id="__codelineno-10-8" name="__codelineno-10-8" href="#__codelineno-10-8"></a><span class="nt">patches</span><span class="p">:</span>
<a id="__codelineno-10-9" name="__codelineno-10-9" href="#__codelineno-10-9"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">target</span><span class="p">:</span>
<a id="__codelineno-10-10" name="__codelineno-10-10" href="#__codelineno-10-10"></a><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Application</span>
<a id="__codelineno-10-11" name="__codelineno-10-11" href="#__codelineno-10-11"></a><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">traefik</span>
<a id="__codelineno-10-12" name="__codelineno-10-12" href="#__codelineno-10-12"></a><span class="w"> </span><span class="nt">patch</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span>
<a id="__codelineno-10-13" name="__codelineno-10-13" href="#__codelineno-10-13"></a><span class="w"> </span><span class="no">- op: replace</span>
<a id="__codelineno-10-14" name="__codelineno-10-14" href="#__codelineno-10-14"></a><span class="w"> </span><span class="no">path: /spec/sources/0/helm/valueFiles/1</span>
<a id="__codelineno-10-15" name="__codelineno-10-15" href="#__codelineno-10-15"></a><span class="w"> </span><span class="no">value: $values/infra/values/upc-prod/traefik-values.yaml</span>
</code></pre></div>
<p><strong>Benefits</strong>:
- Single source of truth for Application definitions
- Cluster-specific values isolated per overlay
- Easy to add new clusters by creating a new overlay
- Base values shared across all clusters reduce duplication</p>
<hr />
<h2 id="cicd-pipeline">CI/CD Pipeline<a class="headerlink" href="#cicd-pipeline" title="Permanent link">&para;</a></h2>
<h3 id="continuous-integration">Continuous Integration<a class="headerlink" href="#continuous-integration" title="Permanent link">&para;</a></h3>
<p><strong>Application Repositories</strong> contain GitHub Actions workflows:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Build and Deploy</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a>
<a id="__codelineno-11-3" name="__codelineno-11-3" href="#__codelineno-11-3"></a><span class="nt">on</span><span class="p">:</span>
<a id="__codelineno-11-4" name="__codelineno-11-4" href="#__codelineno-11-4"></a><span class="w"> </span><span class="nt">push</span><span class="p">:</span>
<a id="__codelineno-11-5" name="__codelineno-11-5" href="#__codelineno-11-5"></a><span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="w"> </span><span class="nv">main</span><span class="w"> </span><span class="p p-Indicator">]</span>
<a id="__codelineno-11-6" name="__codelineno-11-6" href="#__codelineno-11-6"></a>
<a id="__codelineno-11-7" name="__codelineno-11-7" href="#__codelineno-11-7"></a><span class="nt">jobs</span><span class="p">:</span>
<a id="__codelineno-11-8" name="__codelineno-11-8" href="#__codelineno-11-8"></a><span class="w"> </span><span class="nt">build</span><span class="p">:</span>
<a id="__codelineno-11-9" name="__codelineno-11-9" href="#__codelineno-11-9"></a><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ubuntu-latest</span>
<a id="__codelineno-11-10" name="__codelineno-11-10" href="#__codelineno-11-10"></a><span class="w"> </span><span class="nt">steps</span><span class="p">:</span>
<a id="__codelineno-11-11" name="__codelineno-11-11" href="#__codelineno-11-11"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">actions/checkout@v3</span>
<a id="__codelineno-11-12" name="__codelineno-11-12" href="#__codelineno-11-12"></a>
<a id="__codelineno-11-13" name="__codelineno-11-13" href="#__codelineno-11-13"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Build Docker image</span>
<a id="__codelineno-11-14" name="__codelineno-11-14" href="#__codelineno-11-14"></a><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker build -t ghcr.io/fortedigital/app:$VERSION .</span>
<a id="__codelineno-11-15" name="__codelineno-11-15" href="#__codelineno-11-15"></a>
<a id="__codelineno-11-16" name="__codelineno-11-16" href="#__codelineno-11-16"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Push to registry</span>
<a id="__codelineno-11-17" name="__codelineno-11-17" href="#__codelineno-11-17"></a><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">docker push ghcr.io/fortedigital/app:$VERSION</span>
<a id="__codelineno-11-18" name="__codelineno-11-18" href="#__codelineno-11-18"></a>
<a id="__codelineno-11-19" name="__codelineno-11-19" href="#__codelineno-11-19"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Update Helm values</span>
<a id="__codelineno-11-20" name="__codelineno-11-20" href="#__codelineno-11-20"></a><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span>
<a id="__codelineno-11-21" name="__codelineno-11-21" href="#__codelineno-11-21"></a><span class="w"> </span><span class="no">git clone git@github.com:fortedigital/helm-values.git</span>
<a id="__codelineno-11-22" name="__codelineno-11-22" href="#__codelineno-11-22"></a><span class="w"> </span><span class="no">cd helm-values/app</span>
<a id="__codelineno-11-23" name="__codelineno-11-23" href="#__codelineno-11-23"></a><span class="w"> </span><span class="no">sed -i &quot;s/tag: .*/tag: $VERSION/&quot; values.yaml</span>
<a id="__codelineno-11-24" name="__codelineno-11-24" href="#__codelineno-11-24"></a><span class="w"> </span><span class="no">git commit -am &quot;Update app to $VERSION&quot;</span>
<a id="__codelineno-11-25" name="__codelineno-11-25" href="#__codelineno-11-25"></a><span class="w"> </span><span class="no">git push</span>
</code></pre></div>
<h3 id="continuous-deployment">Continuous Deployment<a class="headerlink" href="#continuous-deployment" title="Permanent link">&para;</a></h3>
<p><strong>ArgoCD</strong> automatically syncs when changes are detected:</p>
<ol>
<li><strong>Config Repo Change</strong>:</li>
<li>Developer updates <code>apps/myapp.yaml</code></li>
<li>Pushes to <code>launchpad</code> repo</li>
<li>ArgoCD detects change (60s reconciliation)</li>
<li>
<p>Syncs application to cluster</p>
</li>
<li>
<p><strong>Helm Values Change</strong>:</p>
</li>
<li>CI/CD updates <code>helm-values/myapp/values.yaml</code></li>
<li>ArgoCD detects change</li>
<li>Pulls new Helm chart with updated values</li>
<li>
<p>Applies to cluster</p>
</li>
<li>
<p><strong>Sync Policy</strong>:
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="nt">syncPolicy</span><span class="p">:</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a><span class="w"> </span><span class="nt">automated</span><span class="p">:</span>
<a id="__codelineno-12-3" name="__codelineno-12-3" href="#__codelineno-12-3"></a><span class="w"> </span><span class="nt">prune</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"> </span><span class="c1"># Remove deleted resources</span>
<a id="__codelineno-12-4" name="__codelineno-12-4" href="#__codelineno-12-4"></a><span class="w"> </span><span class="nt">selfHeal</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"> </span><span class="c1"># Revert manual changes</span>
<a id="__codelineno-12-5" name="__codelineno-12-5" href="#__codelineno-12-5"></a><span class="w"> </span><span class="nt">retry</span><span class="p">:</span>
<a id="__codelineno-12-6" name="__codelineno-12-6" href="#__codelineno-12-6"></a><span class="w"> </span><span class="nt">limit</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">5</span><span class="w"> </span><span class="c1"># Retry up to 5 times</span>
<a id="__codelineno-12-7" name="__codelineno-12-7" href="#__codelineno-12-7"></a><span class="w"> </span><span class="nt">backoff</span><span class="p">:</span>
<a id="__codelineno-12-8" name="__codelineno-12-8" href="#__codelineno-12-8"></a><span class="w"> </span><span class="nt">duration</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">5s</span>
<a id="__codelineno-12-9" name="__codelineno-12-9" href="#__codelineno-12-9"></a><span class="w"> </span><span class="nt">maxDuration</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">3m</span>
</code></pre></div></p>
</li>
</ol>
<h3 id="deployment-validation">Deployment Validation<a class="headerlink" href="#deployment-validation" title="Permanent link">&para;</a></h3>
<p>Before applying, ArgoCD:
- ✅ Validates YAML syntax
- ✅ Checks Kubernetes schema
- ✅ Runs server-side dry-run
- ✅ Verifies resource quotas
- ✅ Applies Kyverno policies</p>
<p>After applying:
- ✅ Waits for resources to become healthy
- ✅ Sends Slack notification (success/failure)
- ✅ Tracks sync status in UI</p>
<hr />
<h2 id="security-model">Security Model<a class="headerlink" href="#security-model" title="Permanent link">&para;</a></h2>
<h3 id="secret-management">Secret Management<a class="headerlink" href="#secret-management" title="Permanent link">&para;</a></h3>
<p><strong>Sealed Secrets</strong> encrypt secrets for safe Git storage:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="c1"># Developer creates plain secret locally</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a>kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>app-creds<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-13-3" name="__codelineno-13-3" href="#__codelineno-13-3"></a><span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">API_KEY</span><span class="o">=</span>secret123<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-13-4" name="__codelineno-13-4" href="#__codelineno-13-4"></a><span class="w"> </span>--dry-run<span class="o">=</span>client<span class="w"> </span>-o<span class="w"> </span>yaml<span class="w"> </span>&gt;<span class="w"> </span>private/app-creds.yaml
<a id="__codelineno-13-5" name="__codelineno-13-5" href="#__codelineno-13-5"></a>
<a id="__codelineno-13-6" name="__codelineno-13-6" href="#__codelineno-13-6"></a><span class="c1"># Seal the secret using kubeseal</span>
<a id="__codelineno-13-7" name="__codelineno-13-7" href="#__codelineno-13-7"></a>kubeseal<span class="w"> </span>--format<span class="o">=</span>yaml<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-13-8" name="__codelineno-13-8" href="#__codelineno-13-8"></a><span class="w"> </span>--cert<span class="o">=</span>pub-cert.pem<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-13-9" name="__codelineno-13-9" href="#__codelineno-13-9"></a><span class="w"> </span>&lt;<span class="w"> </span>private/app-creds.yaml<span class="w"> </span><span class="se">\</span>
<a id="__codelineno-13-10" name="__codelineno-13-10" href="#__codelineno-13-10"></a><span class="w"> </span>&gt;<span class="w"> </span>secrets/app-creds-sealed.yaml
<a id="__codelineno-13-11" name="__codelineno-13-11" href="#__codelineno-13-11"></a>
<a id="__codelineno-13-12" name="__codelineno-13-12" href="#__codelineno-13-12"></a><span class="c1"># Commit sealed secret to Git</span>
<a id="__codelineno-13-13" name="__codelineno-13-13" href="#__codelineno-13-13"></a>git<span class="w"> </span>add<span class="w"> </span>secrets/app-creds-sealed.yaml
<a id="__codelineno-13-14" name="__codelineno-13-14" href="#__codelineno-13-14"></a>git<span class="w"> </span>commit<span class="w"> </span>-m<span class="w"> </span><span class="s2">&quot;Add app credentials&quot;</span>
</code></pre></div>
<p><strong>Storage</strong>:
- ✅ Sealed secrets committed to Git
- ❌ Plain secrets kept in <code>private/</code> (Git-ignored) or discarded
- ⚠️ Secret rotation process not yet established</p>
<h3 id="kyverno-policies">Kyverno Policies<a class="headerlink" href="#kyverno-policies" title="Permanent link">&para;</a></h3>
<p><strong>Policy Engine</strong> enforces security rules:</p>
<ol>
<li>
<p><strong>Secret Cloning</strong>: Automatically clones secrets to new namespaces
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="c1"># cluster-resources/policies/secret-cloner.yaml</span>
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a><span class="c1"># Secrets labeled &quot;allowedToBeCloned: true&quot; are synced</span>
</code></pre></div></p>
</li>
<li>
<p><strong>Default Namespace Blocker</strong>: Prevents use of <code>default</code> namespace</p>
</li>
<li><strong>Bare Pod Cleaner</strong>: Removes pods without controllers (Deployments/StatefulSets)</li>
<li><strong>Deployment Verifier</strong>: Ensures pods have proper controllers</li>
<li><strong>Auth Sidecar Injector</strong>: Injects authentication proxy based on annotations</li>
</ol>
<h3 id="repository-access">Repository Access<a class="headerlink" href="#repository-access" title="Permanent link">&para;</a></h3>
<p><strong>Private Repository Credentials</strong> stored as SealedSecrets:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="c1"># cluster-resources/forte10x-repo-credentials-sealed.yaml</span>
</code></pre></div>
<p>ArgoCD uses these to access private Helm values repositories.</p>
<h3 id="network-security">Network Security<a class="headerlink" href="#network-security" title="Permanent link">&para;</a></h3>
<p><strong>Traefik Ingress</strong> with TLS:
- All HTTP traffic redirects to HTTPS
- Let's Encrypt automatic certificate renewal
- Cert-Manager manages certificate lifecycle
- Per-application IngressRoutes with dedicated certificates</p>
<h3 id="authentication">Authentication<a class="headerlink" href="#authentication" title="Permanent link">&para;</a></h3>
<p><strong>Application-Level Auth</strong> (optional):
- Token-based authentication (static tokens)
- OIDC integration (Keycloak, Okta, etc.)
- Auth sidecar injected via Kyverno policy
- Tokens stored in SealedSecrets</p>
<p>Example:
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="c1"># In deployment.yaml template</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a><span class="nt">annotations</span><span class="p">:</span>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a><span class="w"> </span><span class="nt">policies.forteapps.io/auth</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;true&quot;</span>
<a id="__codelineno-16-4" name="__codelineno-16-4" href="#__codelineno-16-4"></a><span class="w"> </span><span class="nt">policies.forteapps.io/auth-token-secret-name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;app-tokens&quot;</span>
</code></pre></div></p>
<hr />
<h2 id="monitoring-observability">Monitoring &amp; Observability<a class="headerlink" href="#monitoring-observability" title="Permanent link">&para;</a></h2>
<h3 id="stack-components">Stack Components<a class="headerlink" href="#stack-components" title="Permanent link">&para;</a></h3>
<ol>
<li><strong>Prometheus</strong>: Metrics collection and storage</li>
<li><strong>Grafana</strong>: Metrics visualization and dashboards</li>
<li><strong>Loki</strong>: Log aggregation</li>
<li><strong>Tempo</strong>: Distributed tracing (OTLP)</li>
<li><strong>Fluent-Bit</strong>: Log shipping from pods to Loki</li>
<li><strong>Trivy</strong>: Container vulnerability scanning</li>
</ol>
<h3 id="slack-notifications">Slack Notifications<a class="headerlink" href="#slack-notifications" title="Permanent link">&para;</a></h3>
<p>All ArgoCD applications send notifications to shared Slack channel:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="nt">metadata</span><span class="p">:</span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="w"> </span><span class="nt">notifications.argoproj.io/subscribe.on-sync-succeeded.slack</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&quot;</span>
<a id="__codelineno-17-4" name="__codelineno-17-4" href="#__codelineno-17-4"></a><span class="w"> </span><span class="nt">notifications.argoproj.io/subscribe.on-sync-failed.slack</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&quot;</span>
<a id="__codelineno-17-5" name="__codelineno-17-5" href="#__codelineno-17-5"></a><span class="w"> </span><span class="nt">notifications.argoproj.io/subscribe.on-degraded.slack</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&quot;</span>
</code></pre></div>
<p>Notifications include:
- ✅ Sync succeeded
- ❌ Sync failed
- ⚠️ Application degraded</p>
<hr />
<h2 id="disaster-recovery">Disaster Recovery<a class="headerlink" href="#disaster-recovery" title="Permanent link">&para;</a></h2>
<h3 id="cluster-rebuild">Cluster Rebuild<a class="headerlink" href="#cluster-rebuild" title="Permanent link">&para;</a></h3>
<p><strong>Current State</strong>: No backup routines exist yet. Cluster can be rebuilt from Git.</p>
<p><strong>Rebuild Process</strong>:
1. Provision new Kubernetes cluster
2. Clone <code>launchpad</code> repository
3. Run <code>./bootstrap.sh</code>
4. ArgoCD installs and syncs all applications
5. Manually recreate unsealed secrets and seal them</p>
<p><strong>Data Loss</strong>:
- Currently: Data loss is acceptable (internal use)
- Future: One stateful application may require backup strategy</p>
<h3 id="gitops-advantages-for-dr">GitOps Advantages for DR<a class="headerlink" href="#gitops-advantages-for-dr" title="Permanent link">&para;</a></h3>
<p><strong>Infrastructure as Code</strong>: Entire cluster defined in Git
<strong>Reproducible</strong>: Cluster can be rebuilt identically
<strong>Auditable</strong>: All changes tracked in Git history
<strong>Rollback</strong>: Easy to revert to previous Git commit
<strong>Multi-Cluster</strong>: Same config can deploy to multiple clusters</p>
<hr />
<h2 id="best-practices">Best Practices<a class="headerlink" href="#best-practices" title="Permanent link">&para;</a></h2>
<h3 id="repository-organization">Repository Organization<a class="headerlink" href="#repository-organization" title="Permanent link">&para;</a></h3>
<p><strong>DO</strong>:
- Separate infrastructure (<code>infra/</code>) from applications (<code>apps/</code>)
- Use sync waves to control deployment order
- Keep secrets in <code>private/</code> folder (Git-ignored)
- Commit only sealed secrets to Git
- Use multi-source pattern for chart/values separation</p>
<p><strong>DON'T</strong>:
- Commit plain secrets to Git
- Mix infrastructure and application configs
- Hard-code environment-specific values in charts
- Manually modify resources in cluster (use Git)</p>
<h3 id="gitops-workflow_1">GitOps Workflow<a class="headerlink" href="#gitops-workflow_1" title="Permanent link">&para;</a></h3>
<p><strong>DO</strong>:
- All changes through Git (single source of truth)
- Use PR reviews for production changes
- Test changes in isolated namespaces first
- Monitor ArgoCD sync status
- Respond to Slack notifications</p>
<p><strong>DON'T</strong>:
- Use <code>kubectl apply</code> directly (breaks GitOps)
- Ignore sync failures
- Bypass ArgoCD for "quick fixes"
- Edit resources in place (<code>kubectl edit</code>)</p>
<h3 id="application-development">Application Development<a class="headerlink" href="#application-development" title="Permanent link">&para;</a></h3>
<p><strong>DO</strong>:
- Follow the <code>forteapp</code> chart pattern
- Use semantic versioning for image tags
- Update helm-values via CI/CD
- Test locally with Docker Compose
- Document environment variables</p>
<p><strong>DON'T</strong>:
- Use <code>latest</code> image tag
- Hard-code configuration in code
- Skip local testing
- Deploy untested images to production</p>
<hr />
<h2 id="next-steps">Next Steps<a class="headerlink" href="#next-steps" title="Permanent link">&para;</a></h2>
<p>📖 Continue to:
- <strong><a href="../DEVELOPER-GUIDE/">Developer Guide</a></strong> - Learn how to deploy and manage applications
- <strong><a href="../OPERATIONS-RUNBOOK/">Operations Runbook</a></strong> - Common operational tasks
- <strong><a href="../REFERENCE/">Technical Reference</a></strong> - Detailed component documentation</p>
<hr />
<p><strong>Last Updated</strong>: 2026-03-16
<strong>Maintained By</strong>: Platform Team
<strong>Questions?</strong>: Contact #platform-support on Slack</p>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"annotate": null, "base": "..", "features": ["navigation.instant", "navigation.sections", "navigation.top", "search.highlight", "content.code.copy"], "search": "../assets/javascripts/workers/search.2c215733.min.js", "tags": null, "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": null}</script>
<script src="../assets/javascripts/bundle.79ae519e.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink