
Infrastructure Apps setup and Configuration #3

Description

@Sinless777

Reviewers: Sinless777
Labels: infrastructure, provisioning, kubernetes, observability, security, sso

Virtual Machines Setup and Configuration

  • HA PostgreSQL cluster setup and configuration using Patroni, etcd, HAProxy, and Keepalived
  • HA Vault cluster setup and configuration using Vault's integrated storage and HAProxy
  • Technitium DNS cluster setup and configuration
  • 1 InfluxDB VM

Kubernetes Clusters Setup

  • K8S Development cluster
    • 1 control plane node
    • 2 worker nodes
  • K8S Staging cluster
    • 3 control plane nodes
    • 3 worker nodes
  • K8S Production cluster
    • 5 control plane nodes
    • 4 worker nodes

Kubernetes Cluster Applications Setup and Configuration

Separated by cluster:

K8S Development Cluster

  • RKE2 installed and configured (Flatcar nodes)
  • Cilium installed and validated
  • NGINX Ingress Controller installed
  • cert-manager installed and configured
  • ExternalDNS (Technitium) configured for dev ingress records
  • Vault integration for Kubernetes (auth method + policies + roles)
  • External Secrets (Vault-backed) installed and configured
  • Prometheus (kube-prometheus-stack) installed (dev-local scrape + alerts)
  • Remote-write configured to Mimir (central)
  • Loki log shipping configured to central Loki (Alloy/Promtail)
  • Beyla deployed as DaemonSet (app/runtime telemetry)
  • Istio installed (dev cluster member) + sidecar injection policy
  • Istio east-west gateway configured (multicluster)
  • Baseline NetworkPolicies (Cilium) applied for default-deny + required allows
  • Cluster baseline: metrics/logs dashboards visible in Grafana (tagged cluster=dev)

K8S Staging Cluster

  • RKE2 installed and configured (Flatcar nodes)
  • Cilium installed and validated
  • NGINX Ingress Controller installed
  • cert-manager installed and configured
  • ExternalDNS (Technitium) configured for staging ingress records
  • Vault integration for Kubernetes (auth method + policies + roles)
  • External Secrets (Vault-backed) installed and configured
  • Prometheus (kube-prometheus-stack) installed (staging-local scrape + alerts)
  • Remote-write configured to Mimir (central)
  • Loki log shipping configured to central Loki (Alloy/Promtail)
  • Beyla deployed as DaemonSet (app/runtime telemetry)
  • Istio installed (staging cluster member) + sidecar injection policy
  • Istio east-west gateway configured (multicluster)
  • Baseline NetworkPolicies (Cilium) applied for default-deny + required allows
  • Cluster baseline: metrics/logs dashboards visible in Grafana (tagged cluster=staging)

K8S Production Cluster

  • RKE2 installed and configured (Flatcar nodes)
  • Cilium installed and validated
  • NGINX Ingress Controller installed
  • cert-manager installed and configured
  • ExternalDNS (Technitium) configured for prod ingress records
  • Vault integration for Kubernetes (auth method + policies + roles)
  • External Secrets (Vault-backed) installed and configured
  • Prometheus (kube-prometheus-stack) installed (prod-local scrape + alerts)
  • Remote-write configured to Mimir (central)
  • Loki log shipping configured to central Loki (Alloy/Promtail)
  • Beyla deployed as DaemonSet (app/runtime telemetry)
  • Istio installed (prod cluster member) + sidecar injection policy
  • Istio east-west gateway configured (multicluster)
  • Baseline NetworkPolicies (Cilium) applied for default-deny + required allows
  • Cluster baseline: metrics/logs dashboards visible in Grafana (tagged cluster=prod)
