
⚓ GitOps Infrastructure: ArgoCD & K3s

Stack: K3s, Kubernetes, ArgoCD, Prometheus, Postgres

Workflows: PR Validation, Image Security Scan

🏗 Project Architecture

This repository serves as the Single Source of Truth (SSOT) for my lightweight Kubernetes cluster infrastructure. Hosted on a Virtual Private Server (VPS) running K3s, it strictly adheres to GitOps principles using ArgoCD, ensuring that the cluster state always matches the declarative configurations stored in this repository.

(Architecture diagram: K5sha-gitops)

🔗 Open the scheme in the Lucidchart

🧳 The App-of-Apps Pattern

To maintain scalability and clean logical separation, this repository implements the ArgoCD App-of-Apps pattern.

Instead of deploying individual manifests manually, a single root.yaml application is deployed, which recursively discovers and synchronizes all other applications defined in the apps/ directory.


📂 Repository Structure

.
├── apps/               # ArgoCD Application Wrappers
│   ├── monitoring.yaml # Kube-Prometheus-Stack definition
│   ├── portfolio.yaml  # Portfolio app definition
│   └── tikceto.yaml    # Tikceto microservices definition
├── bootstrap/          # Cluster Initialization
│   └── root.yaml       # The "App of Apps" entry point
└── manifests/          # Raw Kubernetes Resources
    ├── portfolio/      # Deployment, Ingress, Service
    └── tikceto/        # Backend, Frontend, Minio, Postgres, Ingress

⚙️ Cluster Bootstrapping

To deploy this entire infrastructure to a fresh Kubernetes cluster (assuming ArgoCD is pre-installed):

1. Apply the Root Application:

kubectl apply -f bootstrap/root.yaml

2. Automated Synchronization:

ArgoCD will detect the root application, which will subsequently deploy monitoring, portfolio, and tikceto. All dependencies, persistent volume claims, and ingresses will be provisioned automatically based on the sync policies.

🚀 CI/CD & Security Pipelines

This repository utilizes GitHub Actions to automate security auditing and manifest validation, ensuring that only "clean" and syntactically correct configurations reach the cluster.


🛡️ Image Security Scan

A scheduled and event-driven vulnerability scan that keeps an up-to-date view of every container image the cluster pulls, i.e. the software supply chain described by the manifests.

  • Dynamic Matrix Strategy: The workflow automatically parses all Docker images defined in the manifests/ directory and generates a parallel execution matrix.
  • Trivy Analysis: Every extracted image is scanned for CRITICAL and HIGH vulnerabilities.
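The repository's own workflow is not reproduced on this page, so the following is an added example (my code, not the project's) of the discovery step behind the dynamic matrix: it walks the manifest files, pulls out every `image:` reference from containers and initContainers, removes duplicates so each image is scanned once, and emits the JSON object a later job consumes as its `strategy.matrix`. It also flags images that carry neither a tag nor a digest, because a scan of an untagged image says nothing reliable about what the cluster will pull. The directory layout follows the repository; the file contents, image names and tags are constructed for the example.

```python
import json
import re
from typing import Dict, List

# Matches the `image:` key of a container spec (plain or as a `- image:` list
# item), quoted or not. The capture may carry a tag (`:1.25`) or a digest
# (`@sha256:...`); a trailing YAML comment is excluded because the character
# class stops at whitespace.
IMAGE_RE = re.compile(r'^\s*(?:-\s+)?image:\s*["\']?([^"\'\s]+)')


def extract_images(manifest_text: str) -> List[str]:
    """Every container image referenced in one manifest file, in file order.
    Covers containers and initContainers; commented-out lines are ignored."""
    images = []
    for line in manifest_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = IMAGE_RE.match(line)
        if match:
            images.append(match.group(1))
    return images


def is_pinned(image: str) -> bool:
    """True when the reference has a digest or an explicit tag. An untagged
    image resolves to `latest`, so the scanned bits and the pulled bits can differ."""
    if "@sha256:" in image:
        return True
    # The tag separator is a ':' after the last '/', so a registry port such
    # as registry.local:5000/app is not mistaken for a tag.
    return ":" in image.rsplit("/", 1)[-1]


def build_matrix(manifests: Dict[str, str]) -> Dict[str, List[Dict[str, str]]]:
    """Collect images across all files, drop duplicates (one scan per distinct
    image) and return the object a later job feeds to fromJSON() as its
    strategy.matrix. `source` records the first file referencing the image."""
    first_seen: Dict[str, str] = {}
    for path, text in manifests.items():
        for image in extract_images(text):
            first_seen.setdefault(image, path)
    include = [{"image": img, "source": first_seen[img]} for img in sorted(first_seen)]
    return {"include": include}


def unpinned_images(matrix: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Images the discovery job should fail on (or at least report) up front."""
    return [e["image"] for e in matrix["include"] if not is_pinned(e["image"])]


def matrix_json(manifests: Dict[str, str]) -> str:
    """Compact JSON for `echo "matrix=$(...)" >> "$GITHUB_OUTPUT"`."""
    return json.dumps(build_matrix(manifests), separators=(",", ":"))


# Constructed sample manifests: paths follow the repository layout, image
# names and tags are made up for this example.
SAMPLE_MANIFESTS = {
    "manifests/portfolio/deployment.yaml": """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: web
          image: "ghcr.io/example/portfolio:1.4.2"
""",
    "manifests/tikceto/backend.yaml": """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: migrate
          image: ghcr.io/example/tikceto-backend:2.0.0
      containers:
        - name: api
          image: ghcr.io/example/tikceto-backend:2.0.0  # same image as the init container
        - name: cache
          image: redis  # no tag: resolves to latest
""",
    "manifests/tikceto/postgres.yaml": """\
apiVersion: apps/v1
kind: StatefulSet
spec:
  template:
    spec:
      containers:
        - name: db
          image: postgres@sha256:1111111111111111111111111111111111111111111111111111111111111111
""",
}

if __name__ == "__main__":
    print(matrix_json(SAMPLE_MANIFESTS))
    print("unpinned:", unpinned_images(build_matrix(SAMPLE_MANIFESTS)))
```

In a workflow the discovery job writes the JSON to `$GITHUB_OUTPUT` and the scan job declares `strategy.matrix: ${{ fromJSON(needs.<discovery-job>.outputs.matrix) }}`, so each distinct image gets its own parallel Trivy run; the `source` field lets a CRITICAL or HIGH finding be traced straight to the manifest that has to change.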

📋 PR Validation

A robust "Gatekeeper" pipeline that triggers on every Pull Request to the main branch:

  • Kube-Linter: Audits Kubernetes manifests against security best practices (e.g., verifying SecurityContext, Resource Limits, and Root FS settings).
  • Infrastructure as Code (IaC) Scanning: Uses Trivy to detect misconfigurations in the YAML manifests before they are applied.
  • Syntax & Schema Verification: Validates YAML structure using yq and ensures ArgoCD Application manifests contain all required fields to prevent synchronization failures.
  • Sanity Checks: Verifies the logical presence of essential resources (like Deployments) within each project subdirectory.
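Two of the checks above, the required-field verification of ArgoCD Application manifests and the sanity check that every project subdirectory contains a Deployment, can be expressed in a few dozen lines; the block below is an added example (my code, not the repository's workflow, which the page does not show). The constructed `ROOT_APP` sample doubles as an illustration of what the root Application from the App-of-Apps section can look like, pointing at `apps/` with directory recursion; its repository URL is a placeholder. The path extractor is a small indentation walker that fits the flat block-mapping shape of the wrapper manifests, not a general YAML parser, and `validate` is a hypothetical name for the gate as a whole.

```python
import re
from typing import Dict, List, Set, Tuple

# Leaf fields an ArgoCD Application needs before a sync can be attempted.
# spec.destination additionally needs `server` or `name`; checked separately.
REQUIRED_PATHS = [
    "metadata.name",
    "spec.project",
    "spec.source.repoURL",
    "spec.source.path",
    "spec.destination.namespace",
]

_COMMENT_RE = re.compile(r"(?:^|\s+)#.*$")


def scalar_paths(text: str) -> Set[str]:
    """Dotted paths of every key that carries a non-empty scalar value.
    Indentation walker for block mappings only (no flow syntax, no anchors);
    list items (`- ...`) and document separators add no paths of their own."""
    paths: Set[str] = set()
    stack: List[Tuple[int, str]] = []  # (indent, key) from the root to this line
    for raw in text.splitlines():
        line = _COMMENT_RE.sub("", raw).rstrip()
        stripped = line.lstrip()
        if not stripped or stripped.startswith("-"):
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            continue
        indent = len(line) - len(stripped)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            paths.add(".".join(k for _, k in stack))
    return paths


def resource_kinds(text: str) -> List[str]:
    """Top-level `kind:` of each document in a (possibly multi-document) file."""
    return [line.partition(":")[2].strip()
            for line in text.splitlines() if line.startswith("kind:")]


def missing_fields(app_text: str) -> List[str]:
    """Required Application fields that are absent or empty, in REQUIRED_PATHS order."""
    present = scalar_paths(app_text)
    missing = [p for p in REQUIRED_PATHS if p not in present]
    if not present & {"spec.destination.server", "spec.destination.name"}:
        missing.append("spec.destination.server|name")
    return missing


def validate(app_wrappers: Dict[str, str], projects: Dict[str, Dict[str, str]]) -> List[str]:
    """Problems across the Application wrappers and the manifests/ subdirectories.
    An empty list means the PR passes this gate."""
    problems = []
    for path, text in app_wrappers.items():
        if resource_kinds(text) != ["Application"]:
            problems.append(f"{path}: expected exactly one ArgoCD Application")
        for field in missing_fields(text):
            problems.append(f"{path}: missing {field}")
    for name, files in projects.items():
        if not any("Deployment" in resource_kinds(t) for t in files.values()):
            problems.append(f"manifests/{name}: no Deployment found")
    return problems


# Constructed samples; the repository URL is a placeholder, not the real one.
ROOT_APP = """\
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: root
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/EXAMPLE-OWNER/k5sha-gitops.git
    targetRevision: main
    path: apps              # every wrapper under apps/ becomes an Application
    directory:
      recurse: true
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true           # remove resources deleted from Git
      selfHeal: true        # undo manual drift in the cluster
"""

BROKEN_APP = """\
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: portfolio
spec:
  source:
    repoURL: https://github.com/EXAMPLE-OWNER/k5sha-gitops.git
    path: manifests/portfolio
  destination:
    server: https://kubernetes.default.svc
"""

PROJECTS = {
    "portfolio": {"deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n"
                                     "  name: portfolio\n---\napiVersion: v1\nkind: Service\n"},
    "tikceto": {"ingress.yaml": "apiVersion: networking.k8s.io/v1\nkind: Ingress\n"},
}

if __name__ == "__main__":
    for problem in validate({"bootstrap/root.yaml": ROOT_APP,
                             "apps/portfolio.yaml": BROKEN_APP}, PROJECTS):
        print(problem)
```

Failing the job on a non-empty `validate` result catches the two silent failure modes that matter most in an App-of-Apps setup: a wrapper that ArgoCD accepts but can never sync (missing project or destination), and a project directory that syncs cleanly yet runs nothing because no Deployment was committed.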

📅 Backlog

  • Add external secret manager
  • Add the ELK Stack

Made with ❤️ by Yurii Yevtushenko