The latest articles on DEV Community by Woulf (@woulf). https://dev.to/woulf https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2908107%2Fbcc2feee-9008-4787-8908-f55037a155a7.jpg https://dev.to/woulf en Woulf Mon, 07 Jul 2025 12:51:43 +0000 https://dev.to/woulf/from-craftsmanship-to-industrialization-multi-environment-gitops-with-argo-cd-and-kustomize-on-205 https://dev.to/woulf/from-craftsmanship-to-industrialization-multi-environment-gitops-with-argo-cd-and-kustomize-on-205 <p><em>Setting up a self-hosted multi-environment GitOps workflow using Argo CD, Kustomize, and cert-manager on MicroK8s: architecture, challenges, mistakes, and Kubernetes deployment automation.</em></p> <h2> 🌍 Context: Why this project? </h2> <p>This project is the logical continuation of a process started several months earlier. Initially, my infrastructure was managed manually: a few Kubernetes files stored in a repo, an Ingress to manage incoming traffic, a Let’s Encrypt certificate, a deployment exposed internally via a ClusterIP service, and a NodePort for external access.</p> <p>But this approach quickly showed its limits:</p> <ul> <li>No multi-environment management </li> <li>No overall view of the cluster's state </li> <li>Updates via pipelines were limited (only resource creation or update, with the rest done manually), and no clear history </li> </ul> <p>I wanted a more robust setup, closer to what’s done in real companies: full infrastructure versioning, multi-env deployment, GitOps, more complete monitoring (traces, logs), and security.</p> <h2> 🚀 Technical Goals </h2> <p>This new project aims to build a solid and maintainable foundation to deploy any application in a self-hosted Kubernetes cluster. The pillars:</p> <ul> <li> <strong>GitOps</strong> with Argo CD for declarative deployments </li> <li> <strong>Multi-environment</strong> (dev, staging, prod...) using kustomize </li> <li> <strong>TLS Certificates</strong> automatically managed by cert-manager </li> <li> <strong>NGINX Ingress</strong> for public HTTPS exposure </li> <li> <strong>Full infra versioning</strong>: Ingress, Cert-Manager, and Argo CD are installed via Helm, but managed with Kustomize </li> <li><strong>One namespace per environment</strong></li> </ul> <h2> 📊 Tech Stack </h2> <ul> <li> <strong>MicroK8s</strong>: lightweight single-node Kubernetes distribution </li> <li> <strong>Helm</strong>: chart manager for installing tools like Argo CD, cert-manager, ingress-nginx </li> <li> <strong>Kustomize</strong>: overlays for different environments (dev, prod) </li> <li> <strong>Argo CD</strong>: GitOps engine for continuous deployment </li> <li> <strong>cert-manager + ClusterIssuer Let’s Encrypt</strong>: public TLS certificates</li> </ul> <h2> 📂 Repo Structure </h2> <p>The repository is structured as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">.</span> ├── environments/ │ ├── dev/ <span class="c"># Development environment</span> │ ├── staging/ <span class="c"># Pre-production environment</span> │ └── prod/ <span class="c"># Simulated production</span> ├── base/ <span class="c"># K8s components common to all environments</span> </code></pre> </div> <p>Each tool is installed via Helm with a versioned <code>values.yaml</code>, and the <code>dev/</code>, <code>staging/</code>, and <code>prod/</code> environments are Kustomize overlays with targeted patches.</p> <p>Repo available here: <a href="https://github.com/Wooulf/devops-bootcamp-ippon" rel="noopener noreferrer">github.com/Wooulf/devops-bootcamp-ippon</a></p> <h2> 📦 Multi-Environment Management with Kustomize </h2> <p><code>Kustomize</code> is the tool I use to cleanly manage different environments (<code>dev</code>, <code>staging</code>, <code>prod</code>) from a shared base of Kubernetes resources. Unlike Helm, it doesn’t rely on an external templating engine. It’s about composing declarative files rather than generating them dynamically.</p> <p>Each environment inherits common resources from <code>base/</code>, and applies environment-specific patches (e.g., domain name, Docker image, namespace...).</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── base/ │ └── portfolio/ │ ├── kustomization.yaml │ ├── deployment.yaml │ ├── service.yaml │ └── ingress.yaml ├── environments/ │ ├── dev/ │ │ ├── kustomization.yaml │ │ └── patch-ingress-host.json │ ├── staging/ │ └── prod/ </code></pre> </div> <p>Each directory (<code>base</code> or environment-specific like <code>dev</code>, <code>staging</code>, or <code>prod</code>) contains a mandatory <code>kustomization.yaml</code> file. This file defines which Kubernetes resources to compose and which environment-specific modifications to apply (e.g., a JSON patch to change the Ingress host).</p> <p>Example:<br><br> <code>environments/dev/kustomization.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">namespace</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base/portfolio</span> <span class="na">patches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">patch-ingress-host.json</span> <span class="na">target</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio-ingress</span> </code></pre> </div> <p><code>patch-ingress-host.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"replace"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/spec/tls/0/hosts/0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev.woulf.fr"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"replace"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/spec/rules/0/host"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev.woulf.fr"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>👉 With this structure, I can deploy the same project in multiple environments by only changing context and a few target variables.</p> <blockquote> <p>🔍 Quick tip: to validate the local Kustomize output before handing over to Argo CD:<br><br> <code>kubectl kustomize environments/dev</code><br><br> This generates the final YAML as it would be applied in the cluster. </p> <p>You can then apply it using:<br><br> <code>kubectl apply -k environments/dev</code></p> </blockquote> <h3> 🚀 Why I Use Argo CD </h3> <p>Argo CD is the heart of my GitOps strategy: it ensures the actual Kubernetes cluster state always matches the manifests in Git.</p> <p>What I like about Argo CD:</p> <ul> <li>Clear visual interface of deployment states </li> <li>Automatic (pull-based) deployment on commit </li> <li>History tracking, rollback support </li> <li>Automatic drift detection </li> <li>Easy targeting of specific environments/namespaces</li> </ul> <h2> ⚙️ Installing Argo CD with HTTPS </h2> <p>Argo CD was installed via Helm in the <code>argocd</code> namespace, with this configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">global</span><span class="pi">:</span> <span class="na">domain</span><span class="pi">:</span> <span class="s">argocd.woulf.fr</span> <span class="na">configs</span><span class="pi">:</span> <span class="na">params</span><span class="pi">:</span> <span class="na">server.insecure</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">server</span><span class="pi">:</span> <span class="na">certificate</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">argocd-tls</span> <span class="na">domain</span><span class="pi">:</span> <span class="s">argocd.woulf.fr</span> <span class="na">issuer</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">cert-manager.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt-prod</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">HTTP"</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">argocd.woulf.fr</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">argocd.woulf.fr</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">argocd-tls</span> </code></pre> </div> <p>Why <code>server.insecure: true</code>? Because TLS termination is handled at the Ingress level. Internal traffic remains HTTP, which is acceptable in a local or single-tenant VPS cluster.</p> <h2> 🌐 Public Access via Ingress </h2> <p>The TLS certificate is automatically generated by cert-manager from the <code>letsencrypt-prod</code> ClusterIssuer. Argo CD is now publicly available at <a href="https://argocd.woulf.fr" rel="noopener noreferrer">https://argocd.woulf.fr</a>.</p> <h2> 📌 Defining a GitOps Deployment with Argo CD </h2> <p>To connect Argo CD to my Git repo and define what to sync, I created an <code>Application</code> Kubernetes resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio-dev</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/Wooulf/devops-bootcamp-ippon</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">path</span><span class="pi">:</span> <span class="s">environments/dev</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> </code></pre> </div> <p>👉 The Argo CD Application file is also versioned in my Git repo: <a href="https://github.com/Wooulf/devops-bootcamp-ippon/blob/main/argocd/applications/portfolio-dev.yaml" rel="noopener noreferrer">argocd/applications/portfolio-dev.yaml</a></p> <h3> 🔍 How It Works </h3> <ol> <li><p><strong>source.repoURL + path + targetRevision</strong><br><br> Argo CD watches the <code>environments/dev</code> directory of the repo <code>https://github.com/Wooulf/devops-bootcamp-ippon</code>. Any modification triggers an automatic sync.</p></li> <li><p><strong>destination</strong><br><br> The app is deployed in the local cluster (MicroK8s) using <code>https://kubernetes.default.svc</code>, in the <code>dev</code> namespace.</p></li> <li> <p><strong>syncPolicy.automated</strong> </p> <ul> <li> <code>automated</code>: syncs automatically without manual actions </li> <li> <code>prune</code>: removes resources no longer defined in Git </li> <li> <code>selfHeal</code>: restores resources changed manually in the cluster</li> </ul> </li> <li><p><strong>syncOptions.CreateNamespace=true</strong><br><br> Automatically creates the <code>dev</code> namespace if it doesn’t exist, making the deployment autonomous and idempotent.</p></li> </ol> <h3> 🔁 Final Result </h3> <ul> <li>Fully automated GitOps deployment in <code>dev</code> environment </li> <li>Continuous compliance between Git and the cluster </li> <li>Resource updates and deletions only controlled via Git </li> <li>Dynamic namespace creation without manual preconfiguration</li> </ul> <p>The <code>dev</code> portfolio is now auto-deployed with the latest Docker image tagged <code>latest</code>, and publicly accessible at <a href="https://dev.woulf.fr" rel="noopener noreferrer">https://dev.woulf.fr</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgrdu8ym9bdzfo7vwcn3m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgrdu8ym9bdzfo7vwcn3m.png" alt="Argo CD view showing three deployed apps: portfolio-dev, portfolio-staging, and portfolio-prod — all Healthy and Synced, with their Git paths, namespaces, and sync info." width="800" height="576"></a></p> <blockquote> <p>🎯 Argo CD interface: deployment state and sync across dev, staging, and prod environments.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgivei7dqsoeem4195wyz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgivei7dqsoeem4195wyz.png" alt="Detailed view of Argo CD app portfolio-dev: tree view of created Kubernetes resources (Deployment, Service, Ingress, Certificate, Pod), all Healthy and synced with Git." width="800" height="389"></a></p> <blockquote> <p>🔍 Detailed view of the portfolio-dev app in the dev namespace — every resource is tracked, versioned, and synced to Git.</p> </blockquote> <h3> 🧨 Problems Encountered (and Solved) </h3> <ul> <li> <strong>Persistent self-signed certificates</strong> I had persistent invalid certificates due to <strong>two simultaneous creation mechanisms</strong>: an annotation <code>cert-manager.io/cluster-issuer</code> on the Ingress <em>and</em> a <code>server.certificate</code> config in Helm's <code>values.yaml</code>. 👉 <strong>Solution</strong>: keep only one source of truth, Helm config with <code>server.certificate</code> in this case.</li> </ul> <p> </p> <ul> <li> <strong>Temporary certificate active after Let’s Encrypt provisioning</strong> Cert-manager sometimes installs a temporary cert before Let’s Encrypt issues the final one. 👉 Just wait, this is expected behavior.</li> </ul> <p> </p> <ul> <li> <strong>MicroK8s “losing” add-ons (Helm, DNS, etc.) after reboot</strong> Some MicroK8s add-ons were disabled after reboot. 👉 Required to manually restart certain services.</li> </ul> <p> </p> <ul> <li> <strong>ClusterIssuer missing after cluster reboot</strong> After reboot, my ClusterIssuer wasn’t recognized, I had forgotten to version it in GitOps at the beginning. 👉 Solved by adding it explicitly in the Argo CD-managed manifests.</li> </ul> <p> </p> <ul> <li> <strong>HTTPS access errors despite seemingly correct config</strong> In my case, caused by an <strong>active temporary certificate</strong>, or bad <strong>TLS termination on Ingress</strong>. 👉 Solved by handling TLS only at the Ingress level.</li> </ul> <h2> 🧾 Summary </h2> <p>In this article, I started transitioning toward a multi-environment GitOps infrastructure, with:</p> <ul> <li>Installing Argo CD via Helm in a dedicated namespace </li> <li>Managing HTTPS with cert-manager and a Let’s Encrypt ClusterIssuer </li> <li>Resolving common certificate issues (self-signed, temporary, double creation) </li> <li>Exposing Argo CD via HTTPS using NGINX Ingress </li> <li>First GitOps deployment of an app (<code>portfolio</code>) in the <code>dev</code> environment, dynamically patched via <code>kustomize</code> </li> </ul> <p>This technical foundation now allows me to test, version, and secure deployments just like in production, while keeping maximum infrastructure control.</p> <h2> 🔜 Coming in the Next Article </h2> <p>We’ll move forward by integrating <strong>Argo CD Image Updater</strong> to automatically update deployed images, adding a <strong>security layer with SealedSecrets</strong> to protect the API token used to interact with Argo CD, and making the system fully autonomous in true GitOps fashion.</p> kubernetes argocd gitops devops Woulf Mon, 07 Jul 2025 12:33:06 +0000 https://dev.to/woulf/article-6-minimalist-monitoring-with-prometheus-grafana-m2a https://dev.to/woulf/article-6-minimalist-monitoring-with-prometheus-grafana-m2a <p><em>Integrating Prometheus &amp; Grafana to monitor my self-hosted Kubernetes cluster with public HTTPS access, a customized default dashboard, and maintained security, all in an MVP GitOps logic.</em></p> <p>In this sixth step, I’m integrating a monitoring system to supervise my Kubernetes cluster, keeping things minimalist, self-hosted, and avoiding unnecessary complexity.</p> <h3> Objective: simple and effective visibility </h3> <p>I want to view the state of my cluster at a glance: CPU, memory, pods, network. No over-engineering, no email alerts, just a clear dashboard.</p> <p>I’m using the Helm chart <a href="https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack" rel="noopener noreferrer">kube-prometheus-stack</a>, widely used in production, even though I’m underutilizing it here for educational purposes.</p> <h3> Installation with Helm </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update helm upgrade --install monitoring prometheus-community/kube-prometheus-stack \ --namespace monitoring \ --create-namespace \ --values prometheus-stack-values.yaml </code></pre> </div> <p>I disabled <code>alertmanager</code> in the <code>values.yaml</code> file, since I don’t want to manage alerts for this MVP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">alertmanager</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <h3> Why not use the MicroK8s Prometheus module? </h3> <p>MicroK8s offers a <code>prometheus</code> module that can be enabled in one line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>microk8s enable prometheus </code></pre> </div> <p>But this module is a <strong>black box</strong> and hard to integrate into a GitOps workflow:</p> <ul> <li>It’s <strong>not versioned</strong> in your Git repo</li> <li>It offers <strong>almost no control</strong> over configuration or versions</li> <li>It doesn’t separate Grafana and Prometheus cleanly</li> </ul> <p>By choosing the Helm chart <code>kube-prometheus-stack</code>, I keep <strong>full control</strong> over configuration via my <code>values.yaml</code>, can <strong>version my infrastructure</strong>, and make my setup <strong>portable</strong> to any cloud or local Kubernetes cluster.</p> <h3> Grafana access </h3> <p>I created an Ingress at <code>grafana.woulf.fr</code> with an HTTPS certificate managed by <code>cert-manager</code>.</p> <p>Admin access is protected by a Kubernetes <code>Secret</code> (not committed), defined like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">grafana</span><span class="pi">:</span> <span class="na">admin</span><span class="pi">:</span> <span class="na">existingSecret</span><span class="pi">:</span> <span class="s">monitoring-grafana</span> </code></pre> </div> <blockquote> <p>Secret creation</p> <pre class="highlight plaintext"><code>kubectl -n monitoring create secret generic monitoring-grafana \ --from-literal=admin-user=admin \ --from-literal=admin-password=******** </code></pre> </blockquote> <p>To enable easy public access, I allowed <strong>anonymous</strong> access with the <code>Viewer</code> role (read-only):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">grafana</span><span class="pi">:</span> <span class="na">grafana.ini</span><span class="pi">:</span> <span class="na">auth.anonymous</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">org_name</span><span class="pi">:</span> <span class="s">Main Org.</span> <span class="na">org_role</span><span class="pi">:</span> <span class="s">Viewer</span> <span class="na">hide_version</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h3> Default dashboard </h3> <p>I chose the built-in <code>Kubernetes / Compute Resources / Cluster</code> dashboard, then exported and versioned it into a <code>ConfigMap</code>, mounting it as the home dashboard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">grafana</span><span class="pi">:</span> <span class="na">grafana.ini</span><span class="pi">:</span> <span class="na">dashboards</span><span class="pi">:</span> <span class="na">default_home_dashboard_path</span><span class="pi">:</span> <span class="s">/var/lib/grafana/dashboards/grafana-dashboard-home/default.json</span> <span class="na">dashboardsConfigMaps</span><span class="pi">:</span> <span class="na">grafana-dashboard-home</span><span class="pi">:</span> <span class="s">grafana-dashboard-home</span> <span class="na">sidecar</span><span class="pi">:</span> <span class="na">dashboards</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">label</span><span class="pi">:</span> <span class="s">grafana_dashboard</span> <span class="na">searchNamespace</span><span class="pi">:</span> <span class="s">ALL</span> </code></pre> </div> <p>The related <code>ConfigMap</code> is versioned in my infra repo and labeled with <code>grafana_dashboard: "1"</code> to be auto-loaded by Grafana’s sidecar.</p> <blockquote> <p>📁 A <code>ConfigMap</code> is a Kubernetes resource that lets you mount non-sensitive files into a pod.<br> It is automatically reloaded when modified.</p> </blockquote> <h3> Result </h3> <ul> <li>Grafana is publicly accessible over HTTPS</li> <li>Default dashboard is readable and useful</li> <li>No login required to monitor the cluster</li> <li>Admin account is secured via a Kubernetes Secret</li> </ul> <p>This approach follows DevOps best practices while staying simple and understandable for a visitor or recruiter.</p> <h2> 🧠 What about production? </h2> <p>This setup is intentionally minimalist and educational, but in a production context, several aspects would be hardened:</p> <ul> <li> <strong>Alertmanager</strong> would be enabled with alert routing to services (email, Slack, etc.) to notify when components fail.</li> <li> <strong>Grafana access</strong> wouldn’t be anonymous: it would be IP-restricted, proxied, or SSO/LDAP-protected.</li> <li> <strong>Admin passwords</strong> wouldn’t be handled via static Secrets, but through Vault or a secrets manager (SealedSecrets, ExternalSecrets).</li> <li> <strong>Dashboards</strong> would be provisioned via API or dedicated files with more modular versioning strategies.</li> <li> <strong>TLS certificates</strong> would be managed via larger-scale automatic rotation mechanisms (wildcard DNS, ACME DNS challenge, etc.)</li> </ul> <p>But for this MVP, the setup offers a great balance between simplicity, readability, baseline security, and GitOps maintainability.</p> <p>⚡ Next step: adding <code>loki</code> for centralized log collection? Or testing ArgoCD for advanced GitOps?</p> <p>Stay tuned!</p> prometheus grafana monitoring devops Woulf Mon, 07 Jul 2025 12:25:58 +0000 https://dev.to/woulf/article-5-https-setup-and-future-improvements-ki https://dev.to/woulf/article-5-https-setup-and-future-improvements-ki <p><em>Setting up HTTPS certificates using Let’s Encrypt and cert-manager, with challenge configuration and security annotations in the Kubernetes Ingress.</em></p> <p>In this fifth step, I’ll go over how I enabled an SSL/TLS certificate to secure <strong>woulf.fr</strong>, still within a DevOps mindset. We'll cover:</p> <ol> <li> <strong>Why Let’s Encrypt</strong> </li> <li> <strong>Why cert-manager</strong> </li> <li> <strong>Essential annotations</strong> (<code>ssl-redirect</code>, <code>hsts-max-age</code>)</li> </ol> <h2> Project context </h2> <p>Throughout the previous articles, I’ve:</p> <ul> <li>Deployed a Kubernetes cluster using <strong>MicroK8s</strong> on a VPS </li> <li>Containerized my application with <strong>Docker</strong> </li> <li>Set up a <strong>GitHub Actions CI/CD</strong> pipeline to automatically build and publish the Docker image </li> <li>Split <strong>app code</strong> and <strong>infrastructure</strong> into separate Git repositories </li> <li>Deployed everything to Kubernetes using a <strong>GitOps</strong> approach </li> </ul> <p>The final step was to <strong>secure the site with HTTPS</strong>.</p> <h2> Why Let’s Encrypt? </h2> <p><a href="https://letsencrypt.org" rel="noopener noreferrer">Let’s Encrypt</a> is a free, automated, and open certificate authority. It’s the go-to solution for obtaining a valid SSL/TLS certificate easily.</p> <h3> Advantages: </h3> <ul> <li> <strong>Free</strong>: no cost for issuing or renewing certificates </li> <li> <strong>Automated</strong>: works well with DevOps tools and Kubernetes </li> <li> <strong>Trusted</strong>: certificates are valid in all modern browsers</li> </ul> <h2> Why cert-manager? </h2> <p><strong>cert-manager</strong> is a Kubernetes operator built to automate certificate lifecycle management (issuing, renewal, rotation...).</p> <p>It allows you to:</p> <ul> <li> <strong>Create SSL/TLS certificates</strong> using Kubernetes <code>Certificate</code> resources </li> <li> <strong>Handle validation challenges</strong> automatically with Let’s Encrypt </li> <li> <strong>Manage renewals</strong> with no manual intervention</li> </ul> <p>It fits naturally into a GitOps workflow: certificates and their configuration can be versioned in the infra repo.</p> <h2> How the HTTP-01 challenge works </h2> <p>To verify domain ownership, Let’s Encrypt uses <strong>HTTP-based validation</strong>:</p> <ol> <li>cert-manager creates a <code>Challenge</code> at a special URL: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://woulf.fr/.well-known/acme-challenge/&lt;token&gt; </code></pre> </div> <ol> <li>It spins up a temporary <strong><code>acmesolver</code> pod</strong> that responds with a key </li> <li>Let’s Encrypt queries the URL: <ul> <li>If the correct key is returned, the certificate is issued </li> <li>If not, validation fails</li> </ul> </li> </ol> <p>By adding this annotation to the Ingress:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>acme.cert-manager.io/http01-edit-in-place: "true" </code></pre> </div> <p>the HTTP challenge is integrated directly into the main Ingress, avoiding conflicts (which I had with separate solver pods/Ingresses).</p> <h2> Adding annotations for extra security </h2> <h3> <code>nginx.ingress.kubernetes.io/ssl-redirect</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nginx.ingress.kubernetes.io/ssl-redirect: "true" </code></pre> </div> <blockquote> <p>Automatically redirects HTTP traffic to HTTPS.</p> </blockquote> <p>Once the certificate is active, this ensures users always connect over HTTPS.</p> <h3> <code>nginx.ingress.kubernetes.io/hsts-max-age</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nginx.ingress.kubernetes.io/hsts-max-age: "31536000" </code></pre> </div> <blockquote> <p>Adds an HSTS (HTTP Strict Transport Security) header, telling browsers to <strong>refuse HTTP</strong> for 1 year (31,536,000 seconds).</p> </blockquote> <p>⚠️ Enable this <strong>only after HTTPS is confirmed working</strong>, as it prevents fallback to HTTP.</p> <h2> Final configuration example </h2> <p>Here’s a snippet of the final <code>Ingress</code> configuration with all best practices included:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">woulf-ingress</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">cert-manager.io/cluster-issuer</span><span class="pi">:</span> <span class="s">letsencrypt-prod</span> <span class="na">acme.cert-manager.io/http01-edit-in-place</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">nginx.ingress.kubernetes.io/ssl-redirect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">nginx.ingress.kubernetes.io/hsts-max-age</span><span class="pi">:</span> <span class="s2">"</span><span class="s">31536000"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">woulf.fr</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">woulf-fr-tls</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">woulf.fr</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <h2> What’s next? </h2> <p>✅ The site is now accessible via HTTPS, with a <strong>Let’s Encrypt</strong> certificate fully managed by <strong>cert-manager</strong>.<br><br> Here’s what I’m planning next:</p> <ul> <li> <strong>Monitoring</strong>: set up Prometheus / Grafana stack </li> <li> <strong>Centralized logging</strong>: using Loki or EFK </li> <li> <strong>Advanced GitOps</strong>: try out ArgoCD or Flux to continuously observe and reconcile cluster state</li> </ul> <p>This project is my first step toward a fully automated and maintainable infrastructure. And it’s only the beginning 👨‍🚀</p> kubernetes certmanager https devops Woulf Mon, 07 Jul 2025 12:21:25 +0000 https://dev.to/woulf/article-4-kubernetes-deployment-with-gitops-5gl0 https://dev.to/woulf/article-4-kubernetes-deployment-with-gitops-5gl0 <p><em>Deploying my version-controlled Kubernetes infrastructure using GitOps, with automated application via a dedicated pipeline and public exposure of my portfolio.</em></p> <p>After setting up the build and push of my Docker image, it’s time to take it further: <strong>versioning and automating the deployment of my Kubernetes infrastructure</strong>.</p> <h2> Separation of concerns: code vs infra </h2> <p>To maintain a clean architecture and GitOps logic, I split the infrastructure from the application code into two separate Git repositories:</p> <ul> <li> <a href="https://github.com/Wooulf/forkfolio" rel="noopener noreferrer"><code>Wooulf/forkfolio</code></a>: contains the website’s source code (Next.js), the <code>Dockerfile</code>, and a CI pipeline for building and pushing the Docker image.</li> <li> <a href="https://github.com/Wooulf/infra-k8s-terraform" rel="noopener noreferrer"><code>Wooulf/infra-k8s-terraform</code></a>: contains <strong>all Kubernetes configuration files</strong> (<code>deployment.yaml</code>, <code>service.yaml</code>, etc.), and a <strong>separate CI/CD pipeline</strong> for applying them to the cluster.</li> </ul> <p>🎯 This structure decouples application code from infrastructure, making it easier to maintain, review, and evolve both parts independently.</p> <h2> Deploying the application on MicroK8s </h2> <p>To run my app on the cluster and expose it cleanly to the public, I’ve configured the following components:</p> <ul> <li>A <strong>Deployment</strong>: handles pod lifecycle (updates, resilience, etc.)</li> <li>A <strong>ClusterIP Service</strong>: stabilizes internal communication to the pod</li> <li>An <strong>Ingress</strong>: routes incoming HTTP traffic to the correct app</li> <li>A <strong>NodePort Service</strong>: exposes the Ingress Controller to the outside world</li> </ul> <h2> One request, one path </h2> <p>Together, these components route an incoming HTTP request through the cluster as follows:</p> <blockquote> <p>🌐 <code>Client</code> → <code>VPS</code> (port 80) → <code>NodePort</code> → <code>Ingress</code> → <code>ClusterIP</code> → <code>Pod</code></p> </blockquote> <p>Here’s a visual diagram of the flow:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fabuijcwf91jng0eyr5mf.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fabuijcwf91jng0eyr5mf.jpg" alt="Kubernetes routing diagram to my portfolio app" width="800" height="344"></a></p> <h2> Kubernetes manifest files </h2> <p>These are the versioned files in the infra repo:</p> <h3> 🧱 Deployment </h3> <p>Handles container deployment, updates, and redundancy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">image</span><span class="pi">:</span> <span class="s">woulf/portfolio:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <h3> 🌐 ClusterIP Service </h3> <p>Exposes the pod within the cluster via a stable internal IP.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <h3> 🌍 Ingress </h3> <p>Links the domain name (<code>woulf.fr</code>) to the correct internal service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">woulf-ingress</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/rewrite-target</span><span class="pi">:</span> <span class="s">/</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">woulf.fr</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> </code></pre> </div> <h3> 🛣️ NodePort Service to expose the Ingress Controller </h3> <p>This service exposes the NGINX Ingress Controller pod to the public by opening a port on the VPS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-ingress-microk8s-controller</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">ingress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">NodePort</span> <span class="na">externalIPs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">185.216.27.229</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-ingress-microk8s</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">nodePort</span><span class="pi">:</span> <span class="m">32180</span> </code></pre> </div> <p>💡 <code>externalIPs</code> allows manual exposure of a service on a VPS’s public IP. It’s a functional approach for self-hosted setups, but in a cloud context, we’d use a LoadBalancer service, which integrates with the provider’s networking. On bare-metal clusters, MetalLB can simulate this behavior.</p> <h2> GitHub Actions pipeline in the infra repo </h2> <p>Once versioned, the files are applied to my cluster automatically using a <strong>second CI/CD pipeline</strong> in the <code>infra-k8s-terraform</code> repository.</p> <p>It triggers on changes to the <code>k8s/</code> folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">k8s/**'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">apply_k8s_configs</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/k8s-set-context@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">kubeconfig</span><span class="pi">:</span> <span class="s">\${{ secrets.KUBECONFIG }}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">kubectl apply -f k8s/</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">kubectl get all</span> </code></pre> </div> <p>✅ Result: with every config commit, <strong>the cluster is automatically synced</strong>.</p> <h2> What’s next? </h2> <p>I could go further with a <strong>fully-fledged GitOps tool</strong> like <strong>ArgoCD</strong> or <strong>Flux</strong>. These tools continuously monitor the Git repository and update the cluster <strong>without relying on a manual pipeline</strong>.</p> <p>⚠️ This setup is minimalistic: it doesn’t include high availability or dynamic traffic management. Still, it’s more than enough for a self-hosted portfolio in MVP mode.</p> <p>🔄 This setup gives me fast feedback between commits and production, while keeping my infra code versioned and clean. It’s not quite GitOps-as-a-Service, but it’s close.</p> <p>💡 In the next article, I’ll talk about <strong>secret management</strong>, the upcoming <strong>HTTPS setup</strong>, some <strong>monitoring ideas</strong>, and possible future improvements to my infrastructure.</p> kubernetes gitops devops infrastructureascode Woulf Mon, 07 Jul 2025 12:16:00 +0000 https://dev.to/woulf/article-3-docker-github-actions-4mj8 https://dev.to/woulf/article-3-docker-github-actions-4mj8 <p><em>Automating the Docker build of my portfolio with GitHub Actions, publishing to Docker Hub, and seamless redeployment on Kubernetes.</em></p> <h2> Automating the build and push of a Node.js app </h2> <p>In this third step, I tackle the <strong>containerization of my Next.js application</strong> (personal portfolio), and the creation of a <strong>CI/CD pipeline</strong> to automate the Docker image build, its push to Docker Hub, and the automatic redeployment to Kubernetes.</p> <h2> CI/CD: Building the Docker image </h2> <p>The goal is to:</p> <ul> <li>Produce a lightweight, optimized Docker image </li> <li>Automatically publish it to <strong>Docker Hub</strong> </li> <li>Restart the deployment on the cluster <strong>with zero downtime</strong> </li> </ul> <p>Everything is defined in a GitHub Actions pipeline located in the application repository, under <code>.github/workflows/deploy.yml</code>.</p> <h2> Building the Docker image </h2> <p>Here is the <code>Dockerfile</code> used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Step 1: Base image for build and run</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:23-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">base</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">ENV</span><span class="s"> NEXT_TELEMETRY_DISABLED=1</span> <span class="c"># Step 2: Install dependencies</span> <span class="k">FROM</span><span class="w"> </span><span class="s">base</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">deps</span> <span class="k">COPY</span><span class="s"> package.json package-lock.json ./</span> <span class="k">RUN </span>npm ci <span class="c"># Step 3: Build and fetch Dev.to articles securely</span> <span class="k">FROM</span><span class="w"> </span><span class="s">base</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">COPY</span><span class="s"> --from=deps /app/node_modules ./node_modules</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">ENV</span><span class="s"> NEXT_PUBLIC_URL=https://woulf.fr</span> <span class="k">ENV</span><span class="s"> NEXT_PUBLIC_EMAIL=corentinboucardpro@gmail.com</span> <span class="c"># Secure token injection via BuildKit</span> <span class="k">RUN </span><span class="nt">--mount</span><span class="o">=</span><span class="nb">type</span><span class="o">=</span>secret,id<span class="o">=</span>devto_token <span class="se">\\</span> DEVTO_API_KEY=\$(cat /run/secrets/devto_token) node scripts/fetchDevtoArticles.js &amp;&amp; npm run build <span class="c"># Step 4: Final runtime image</span> <span class="k">FROM</span><span class="w"> </span><span class="s">base</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">runner</span> <span class="k">ENV</span><span class="s"> NODE_ENV=production</span> <span class="k">ENV</span><span class="s"> PORT=3000</span> <span class="c"># Create non-root user</span> <span class="k">RUN </span>addgroup <span class="nt">-S</span> nodejs <span class="nt">-g</span> 1001 <span class="o">&amp;&amp;</span> <span class="se">\\</span> adduser -S nextjs -u 1001 -G nodejs &amp;&amp; \\ mkdir .next &amp;&amp; chown nextjs:nodejs .next <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=builder /app/public ./public</span> <span class="k">COPY</span><span class="s"> --from=builder --chown=nextjs:nodejs /app/.next/standalone ./</span> <span class="k">COPY</span><span class="s"> --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static</span> <span class="k">USER</span><span class="s"> nextjs</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "server.js"]</span> </code></pre> </div> <p>🧠 Notes on the Dockerfile:</p> <ul> <li> <strong>Multi-stage build</strong>: separates base, dependencies, build, and runtime phases results in a clean and minimal image. </li> <li> <strong>Alpine base (node:23-alpine)</strong>: lightweight, fast to pull, smaller attack surface (more secure). </li> <li> <strong>Copying <code>package*.json</code> first</strong>: leverages Docker cache when dependencies don’t change → drastically speeds up builds. </li> <li> <strong>Using <code>npm ci</code></strong>: ensures a clean install based on <code>package-lock.json</code> without re-resolving versions. </li> <li> <strong>Secure token injection via BuildKit</strong>: avoids exposing secrets in the image or logs. Token is available only during the build. </li> <li> <strong>Dev.to article fetching during build</strong>: keeps content updated without committing it to the repo. </li> <li> <strong>Non-root user (<code>nextjs</code>)</strong>: improves runtime security. </li> <li> <strong>Copying only required folders</strong> (<code>.next/standalone</code>, <code>.next/static</code>): recommended by Next.js for Docker deployments. </li> <li> <strong><code>EXPOSE 3000</code></strong>: informative for docs and some tools.</li> </ul> <p>🔐 Result: a lightweight, secure, fast-to-build Docker image ready for production.</p> <h2> Pipeline in the application repository </h2> <p>The <code>deploy.yml</code> pipeline contains two jobs: </p> <ol> <li> <strong>Build &amp; push</strong> the image </li> <li> <strong>Redeploy to the Kubernetes cluster</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Website</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">docker</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up QEMU</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-qemu-action@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Docker Buildx</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Docker Hub</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/login-action@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">\${{ secrets.DOCKER_USERNAME }}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">\${{ secrets.DOCKER_PASSWORD }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">woulf/portfolio:latest</span> <span class="na">secrets</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">"devto_token=\${{ secrets.DEVTO_TOKEN }}"</span> <span class="na">rollout_k8s</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">docker</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Kubernetes context</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/k8s-set-context@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">kubeconfig</span><span class="pi">:</span> <span class="s">\${{ secrets.KUBECONFIG }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Restart Deployment</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">kubectl rollout restart deployment/portfolio -n default</span> <span class="s">kubectl rollout status deployment/portfolio -n default</span> </code></pre> </div> <p>🧠 Notes on the pipeline:</p> <ul> <li> <strong>Auto-trigger on <code>push</code> to <code>main</code></strong>: deploys automatically on merge, great for rolling releases. </li> <li> <strong>Modular workflow</strong>: two isolated jobs (<code>docker</code>, <code>rollout_k8s</code>) for clarity and maintainability. </li> <li> <strong>Official Docker action with BuildKit</strong>: handles cache, secrets, multi-platform builds. </li> <li> <strong>Secrets via <code>secrets.*</code></strong>: no credentials in code, tokens injected at build time only. </li> <li> <strong><code>--mount=type=secret</code></strong>: ensures temporary use of secrets without exposing them in the final image. </li> <li> <strong>Pushes to Docker Hub</strong> (<code>woulf/portfolio:latest</code>): versioned and publicly accessible. </li> <li> <strong>Kubernetes redeploy with zero downtime</strong>: <code>kubectl rollout restart</code> updates the pod smoothly. </li> <li> <strong>Deployment status check</strong>: prevents continuing if deployment fails. </li> <li> <strong><code>needs: docker</code></strong>: guarantees the image is pushed before attempting redeploy.</li> </ul> <p>🔄 Result: a robust, fully automated CI/CD pipeline that updates content, rebuilds your Docker image, and redeploys to Kubernetes, all from a single push.</p> <h2> Secret management </h2> <p>No credentials are hardcoded. Everything is securely stored via <strong>GitHub Secrets</strong>:</p> <ul> <li> <code>DOCKER_USERNAME</code> / <code>DOCKER_PASSWORD</code> → for Docker Hub </li> <li> <code>KUBECONFIG</code> → to connect to the MicroK8s cluster remotely </li> <li> <code>DEVTO_TOKEN</code> → to fetch Dev.to articles automatically during build</li> </ul> <h2> Result </h2> <p>✅ On every push:</p> <ul> <li>Dev.to articles are fetched </li> <li>Docker image is rebuilt and pushed </li> <li>App is redeployed <strong>with no interruption</strong> </li> </ul> <p>💡 Next steps:</p> <ul> <li>Add Trivy scan </li> <li>Add a <code>HEALTHCHECK</code> </li> <li>Reduce production dependencies</li> </ul> <p>➡️ In the next article, I’ll explain how I versioned the <strong>Kubernetes infrastructure</strong> in a separate repository and set up a <strong>GitOps pipeline</strong> to keep the cluster in sync.</p> docker githubactions cicd devops Woulf Thu, 26 Jun 2025 09:57:00 +0000 https://dev.to/woulf/article-2-installing-and-configuring-microk8s-3oo7 https://dev.to/woulf/article-2-installing-and-configuring-microk8s-3oo7 <p><em>Setting up my local Kubernetes cluster with MicroK8s – installation, network configuration, activation of key modules, and secure access through UFW.</em></p> <p>Now that the project foundation is laid, it’s time to set up the Kubernetes infrastructure on my VPS using MicroK8s.<br><br> This will be the technical base on which I’ll deploy my portfolio.</p> <h2> Step 1 - Installing MicroK8s </h2> <p>I start by installing MicroK8s using the <code>snap</code> package manager (already present on Ubuntu):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo snap install microk8s --classic </code></pre> </div> <h2> Step 2 - Adding My User </h2> <p>By default, all <code>microk8s</code> commands require <code>sudo</code>.<br><br> To get rid of that, I add my user to the <code>microk8s</code> group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo usermod -a -G microk8s $USER newgrp microk8s </code></pre> </div> <h2> Step 3 - Verifying Installation </h2> <p>I check that the cluster is properly installed and ready:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>microk8s status --wait-ready </code></pre> </div> <h2> Step 4 - Enabling Essential Modules </h2> <p>I enable the following components:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>microk8s enable dns ingress storage </code></pre> </div> <p>Quick explanations:</p> <ul> <li> <code>dns</code>: internal name resolution within the cluster </li> <li> <code>ingress</code>: Ingress Controller (nginx reverse proxy) </li> <li> <code>storage</code>: management of persistent volumes</li> </ul> <h2> Step 5 - Testing the Cluster </h2> <p>I verify everything is working with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>microk8s kubectl get all -A </code></pre> </div> <h2> Step 6 - Using kubectl Without microk8s Prefix </h2> <p>To use <code>kubectl</code> directly without prefix, I export the config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>microk8s config &gt; ~/.kube/config </code></pre> </div> <h2> Step 7 - Opening Ports with UFW </h2> <p>I configure the firewall (<code>ufw</code>) to allow necessary connections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo ufw allow 22/tcp # SSH sudo ufw allow 80,443/tcp # HTTP / HTTPS (Ingress) sudo ufw allow 16443/tcp # Kubernetes API sudo ufw enable </code></pre> </div> <h2> Cluster Ready 🚀 </h2> <p>The Kubernetes cluster is now ready to host my upcoming deployments.</p> <p>In the next article, I’ll focus on <strong>building the Docker image</strong> for my site and <strong>setting up the first CI/CD pipeline</strong> to automatically publish it.</p> kubernetes microk8s selfhosted devops Woulf Thu, 26 Jun 2025 09:23:32 +0000 https://dev.to/woulf/article-1-setting-up-a-minimalist-gitops-deployment-8ci https://dev.to/woulf/article-1-setting-up-a-minimalist-gitops-deployment-8ci <p><em>An introduction to my GitOps approach for self-hosting my portfolio, with code/infrastructure separation, Kubernetes deployment, and automated CI/CD.</em></p> <h2> Project Context </h2> <p>As part of my shift towards <strong>DevOps</strong>, I decided to automate the deployment of my personal website.</p> <p>The project follows a <strong>GitOps</strong> model: in other words, the Git repository (hosted on GitHub) serves as the <strong>single source of truth</strong>. Any change merged into the repository should be automatically reflected in the production environment.</p> <h2> Repository Structure </h2> <p>To follow this GitOps logic, I chose to <strong>separate the application code</strong> from the <strong>infrastructure configuration</strong> in two distinct Git repositories:</p> <ul> <li>An <strong>application repository</strong>: <a href="https://github.com/Wooulf/forkfolio" rel="noopener noreferrer"><code>Wooulf/forkfolio</code></a>, which contains the website’s source code (Next.js), the <code>Dockerfile</code>, and a CI pipeline to build and deploy the Docker image.</li> <li>An <strong>infrastructure repository</strong>: <a href="https://github.com/Wooulf/infra-k8s-terraform" rel="noopener noreferrer"><code>Wooulf/infra-k8s-terraform</code></a>, which includes all Kubernetes configuration files (<code>deployment.yaml</code>, <code>service.yaml</code>, <code>ingress.yaml</code>, etc.), along with another pipeline that automatically applies changes to the cluster.</li> </ul> <p>🔁 This separation improves maintainability, clarifies responsibilities, and follows GitOps best practices.</p> <h2> Project Goals </h2> <p>The aim is to build a <strong>Minimum Viable Product (MVP)</strong> with an agile mindset, focusing first on the essential features:</p> <ol> <li>A minimalist Kubernetes cluster using <strong>MicroK8s</strong> </li> <li>Deployment of my portfolio as a <strong>Docker container</strong> </li> <li>Public exposure via a <strong>custom domain name</strong> </li> <li>A <strong>CI/CD pipeline</strong> to automate updates</li> <li> <strong>Basic monitoring</strong> to observe cluster health</li> </ol> <h2> Why MicroK8s? </h2> <p>I chose <strong>MicroK8s</strong> for its simplicity and lightweight setup.<br><br> It’s an ideal solution for testing environments, proof-of-concept setups, or personal projects like this one.</p> <p>Other options like <strong>K3s</strong>, <strong>kind</strong>, or <strong>minikube</strong> may be considered later as the project evolves.</p> <h2> Environment Used </h2> <p>I’m using a <strong>VPS</strong> already set up at <strong>PulseHeberg</strong>, with the following specs:</p> <ul> <li> <strong>Processor</strong>: Intel Xeon E5-2680v4 </li> <li> <strong>RAM</strong>: 8 GB DDR4 </li> <li> <strong>Storage</strong>: 1 TB RAID 10 </li> <li> <strong>Connection</strong>: 750 Mbps </li> <li> <strong>System</strong>: Ubuntu 22.04 LTS</li> </ul> <p>This VPS easily exceeds MicroK8s requirements:</p> <blockquote> <p><em>“MicroK8s runs in as little as 540MB of memory, but to accommodate workloads, we recommend a system with at least 20G of disk space and 4G of memory.”</em><br><br> - <em>Official documentation</em></p> </blockquote> <h2> What’s Next? </h2> <p>In the next article, I’ll walk through the initial configuration of the MicroK8s cluster on this VPS, including:</p> <ul> <li>Installing MicroK8s</li> <li>Enabling required modules (DNS, ingress…)</li> <li>Setting up the firewall</li> </ul> <p>🔧 The idea is to lay the technical foundations on which the entire project will be built.</p> kubernetes gitops devops portfolio Woulf Fri, 30 May 2025 15:15:17 +0000 https://dev.to/woulf/de-lartisanat-a-lindustrialisation-gitops-multi-env-avec-argo-cd-sur-microk8s-12kn https://dev.to/woulf/de-lartisanat-a-lindustrialisation-gitops-multi-env-avec-argo-cd-sur-microk8s-12kn <p><em>Mise en place d’un GitOps multi-environnement auto-hébergé avec Argo CD, Kustomize et cert-manager sur MicroK8s : architecture, défis, erreurs, et automatisation des déploiements Kubernetes.</em></p> <h2> 🌍 Contexte : Pourquoi ce projet ? </h2> <p>Ce projet est le prolongement logique d'une démarche amorcée plusieurs mois auparavant. Initialement, mon infrastructure était gérée de façon artisanale : quelques fichiers Kubernetes posés dans un repository, un Ingress pour gérer le trafic entrant, un certificat Let’s Encrypt, un déploiement de mon app exposée en interne via un service ClusterIP, ainsi qu'un NodePort pour l'exposition externe.</p> <p>Mais rapidement, cette approche a montré ses limites :</p> <ul> <li><p>Pas de gestion multi-environnement</p></li> <li><p>Pas de vision d'ensemble de l'état du cluster</p></li> <li><p>Mises à jour via pipelines mais limitées (uniquement création ou mise à jour de ressources, le reste devant se faire manuellement), sans historique clair</p></li> </ul> <p>Je voulais un setup plus robuste, plus proche de ce qui se fait en entreprise : versionnement complet de l'infrastructure, déploiement multi-env, GitOps, monitoring plus complet (traces, logs) et sécurité.</p> <h2> 🚀 Objectifs techniques </h2> <p>Ce nouveau projet vise à construire une base solide et maintenable pour déployer n'importe quelle application dans un cluster Kubernetes auto-hébergé. Les piliers :</p> <ul> <li><p><strong>GitOps</strong> avec Argo CD pour des déploiements déclaratifs</p></li> <li><p><strong>Multi-environnement</strong> (dev, staging, prod...) via kustomize</p></li> <li><p><strong>Certificats TLS</strong> gérés automatiquement par cert-manager</p></li> <li><p><strong>Ingress NGINX</strong> pour l'exposition publique en HTTPS</p></li> <li><p><strong>Versionnement complet de l'infra</strong> : Ingress, Cert-Manager, Argo CD sont installés via Helm, mais pilotés via Kustomize</p></li> <li><p><strong>Namespace</strong> par environnement</p></li> </ul> <h2> 📊 Stack technique </h2> <ul> <li><p><strong>MicroK8s</strong> : distribution légère de Kubernetes, mono-nœud</p></li> <li><p><strong>Helm</strong> : gestionnaire de chart pour l'installation d'outils comme Argo CD, cert-manager, ingress-nginx</p></li> <li><p><strong>Kustomize</strong> : overlay d'environnements (dev, prod)</p></li> <li><p><strong>Argo CD</strong> : moteur GitOps pour le déploiement continu</p></li> <li><p><strong>cert-manager + ClusterIssuer Let's Encrypt</strong> : certificats TLS publics</p></li> </ul> <h2> 📂 Organisation du repo </h2> <p>Le repository est structuré comme suit :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">.</span> ├── environments/ │ ├── dev/ <span class="c"># Déploiement dédié au développement</span> │ ├── staging/ <span class="c"># Environnement de préproduction</span> │ └── prod/ <span class="c"># Production simulée</span> ├── base/ <span class="c"># Composants K8s communs à tous les environnements</span> </code></pre> </div> <p>Chaque outil est installé via Helm avec un values.yaml versionné, et les environnements dev/, staging/ et prod/ sont des overlays Kustomize avec des patchs ciblés.</p> <p>Le repo est disponible ici : <a href="https://github.com/Wooulf/devops-bootcamp-ippon" rel="noopener noreferrer">github.com/Wooulf/devops-bootcamp-ippon</a>.</p> <h2> 📦 Gestion multi-environnement avec Kustomize </h2> <p><code>Kustomize</code> est l’outil que j’utilise pour gérer proprement mes différents environnements (<code>dev</code>, <code>staging</code>, <code>prod</code>) à partir d’une base commune de ressources Kubernetes. Contrairement à Helm, il ne nécessite pas de moteur de templating externe. On parle ici de composition de fichiers déclaratifs plutôt que de génération dynamique.</p> <p>Chaque environnement hérite des ressources communes de <code>base/</code>, et vient appliquer des patches spécifiques (ex : nom de domaine, image Docker, namespace...).</p> <p>Exemple :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── base/ │ └── portfolio/ │ ├── kustomization.yaml │ ├── deployment.yaml │ ├── service.yaml │ └── ingress.yaml ├── environments/ │ ├── dev/ │ │ ├── kustomization.yaml │ │ └── patch-ingress-host.json │ ├── staging/ │ └── prod/ </code></pre> </div> <p>Chaque répertoire (qu’il s’agisse de <code>base</code> ou d’un environnement comme <code>dev</code>, <code>staging</code> ou <code>prod</code>) contient un fichier <code>kustomization.yaml</code> obligatoire. Ce fichier décrit les ressources Kubernetes à assembler ainsi que les éventuelles modifications spécifiques à l’environnement (comme un patch JSON pour changer le host de l’Ingress).</p> <p>Cette approche permet une composition claire et modulaire des ressources, tout en gardant un contrôle précis sur les différences entre environnements.</p> <p>Exemple :<br> <code>environments/dev/kustomization.yaml</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">namespace</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base/portfolio</span> <span class="na">patches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">patch-ingress-host.json</span> <span class="na">target</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio-ingress</span> </code></pre> </div> <p><code>patch-ingress-host.json</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"replace"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/spec/tls/0/hosts/0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev.woulf.fr"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"replace"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/spec/rules/0/host"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dev.woulf.fr"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>👉 Avec cette structure, je peux déployer le même projet dans plusieurs environnements en changeant uniquement le contexte et quelques variables cibles.</p> <blockquote> <p>🔍 Petit tip : pour valider la sortie Kustomize en local avant de confier le déploiement à Argo CD, on peut utiliser :<br> <code>kubectl kustomize environments/dev</code><br> Cela génère le YAML final tel qu’il sera appliqué dans le cluster.</p> <p>Et on peut l'appliquer comme ça :<br> <code>kubectl apply -k environments/dev</code></p> </blockquote> <h3> 🚀 Pourquoi j’utilise Argo CD ? </h3> <p>Argo CD est le cœur de ma stratégie GitOps : c’est lui qui veille à ce que l’état réel du cluster Kubernetes soit toujours synchronisé avec les manifests Git.</p> <p>Ce que j’apprécie dans Argo CD :</p> <ul> <li>Interface visuelle claire de l’état des déploiements</li> <li>Déploiement automatique (pull-based) dès qu’un commit est détecté</li> <li>Historique des modifications, gestion des rollback</li> <li>Vérification automatique de la dérive de configuration</li> <li>Facilité de ciblage d’environnements/namespaces spécifiques</li> </ul> <h2> ⚙️ Installation d'Argo CD avec HTTPS </h2> <p>Argo CD a été installé via Helm dans le namespace <code>argocd</code>, avec cette configuration :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">global</span><span class="pi">:</span> <span class="na">domain</span><span class="pi">:</span> <span class="s">argocd.woulf.fr</span> <span class="na">configs</span><span class="pi">:</span> <span class="na">params</span><span class="pi">:</span> <span class="na">server.insecure</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">server</span><span class="pi">:</span> <span class="na">certificate</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">argocd-tls</span> <span class="na">domain</span><span class="pi">:</span> <span class="s">argocd.woulf.fr</span> <span class="na">issuer</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">cert-manager.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt-prod</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">HTTP"</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">argocd.woulf.fr</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">argocd.woulf.fr</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">argocd-tls</span> </code></pre> </div> <p>Pourquoi <code>server.insecure: true</code> ? Car la terminaison TLS est gérée au niveau de l'Ingress. Le trafic interne reste en HTTP, ce qui est acceptable dans un cluster local/VPS non mutualisé.</p> <h2> 🌐 Accès public via Ingress </h2> <p>Le certificat TLS est généré automatiquement par cert-manager à partir du ClusterIssuer <code>letsencrypt-prod</code>. Argo CD est maintenant accessible publiquement via <a href="https://argocd.woulf.fr" rel="noopener noreferrer">https://argocd.woulf.fr</a>.</p> <h2> 📌 Définir un déploiement GitOps avec Argo CD </h2> <p>Pour connecter Argo CD à mon dépôt Git et lui indiquer quoi synchroniser dans le cluster, j'ai créé une ressource Kubernetes de type <code>Application</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio-dev</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/Wooulf/devops-bootcamp-ippon</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">path</span><span class="pi">:</span> <span class="s">environments/dev</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> </code></pre> </div> <p>👉 Le fichier Application Argo CD est également versionné dans mon dépôt Git, visible ici : <a href="https://github.com/Wooulf/devops-bootcamp-ippon/blob/main/argocd/applications/portfolio-dev.yaml" rel="noopener noreferrer">argocd/applications/portfolio-dev.yaml</a>.</p> <h3> 🔍 Comment ça fonctionne </h3> <ol> <li><p><strong>source.repoURL + path + targetRevision</strong><br><br> Argo CD surveille le répertoire <code>environments/dev</code> du dépôt Git <code>https://github.com/Wooulf/devops-bootcamp-ippon</code>. Toute modification (commit, push) dans ce dossier déclenche une synchronisation automatique.</p></li> <li><p><strong>destination</strong><br><br> L’application est déployée dans le cluster local (MicroK8s) via l’URL <code>https://kubernetes.default.svc</code>, dans le namespace <code>dev</code>.</p></li> <li> <p><strong>syncPolicy.automated</strong></p> <ul> <li> <code>automated</code>: synchronisation automatique sans action manuelle.</li> <li> <code>prune</code>: suppression des ressources obsolètes qui ne sont plus déclarées dans Git.</li> <li> <code>selfHeal</code>: restauration automatique si une ressource est modifiée manuellement dans le cluster.</li> </ul> </li> <li><p><strong>syncOptions.CreateNamespace=true</strong><br><br> Le namespace <code>dev</code> est créé automatiquement s’il n’existe pas encore, rendant le déploiement autonome et idempotent.</p></li> </ol> <h3> 🔁 Résultat final </h3> <ul> <li>Déploiement GitOps complet et automatique dans l’environnement <code>dev</code> </li> <li>Conformité assurée en permanence entre Git et le cluster</li> <li>Mise à jour ou suppression de ressources pilotée uniquement depuis le dépôt Git</li> <li>Namespace <code>dev</code> créé dynamiquement sans préconfiguration manuelle</li> </ul> <p>Le portfolio <code>dev</code> est maintenant déployé automatiquement avec la dernière image Docker taggée <code>latest</code>, et accessible via <a href="https://dev.woulf.fr" rel="noopener noreferrer">https://dev.woulf.fr</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgrdu8ym9bdzfo7vwcn3m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgrdu8ym9bdzfo7vwcn3m.png" alt="Vue Argo CD listant trois applications déployées : portfolio-dev, portfolio-staging et portfolio-prod. Chacune est en état Healthy et Synced, avec leurs chemins Git, namespaces et dernières synchronisations visibles." width="800" height="576"></a></p> <blockquote> <p>🎯 Interface Argo CD : état de santé et synchronisation des environnements dev, staging et prod.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgivei7dqsoeem4195wyz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgivei7dqsoeem4195wyz.png" alt="Vue détaillée de l'application Argo CD portfolio-dev : affichage arborescent des ressources Kubernetes créées (Deployment, Service, Ingress, Certificate, Pod), toutes en état Healthy et synchronisées avec Git." width="800" height="389"></a></p> <blockquote> <p>🔍 Vue détaillée de l'application portfolio-dev déployée dans le namespace dev — chaque ressource est traquée, versionnée, et synchronisée à Git.</p> </blockquote> <h3> 🧨 Problèmes rencontrés (et résolus) </h3> <ul> <li> <strong>Certificats auto-signés persistants</strong> J’ai eu des certificats non valides persistants (auto-signés) à cause de <strong>deux mécanismes de création simultanés</strong> : une annotation <code>cert-manager.io/cluster-issuer</code> sur l’Ingress <em>et</em> une configuration <code>server.certificate</code> dans les <code>values.yaml</code> de Helm. 👉 <strong>Solution</strong> : ne conserver qu’une seule source de vérité. Ici, la configuration Helm via <code>server.certificate</code>.</li> </ul> <p> </p> <ul> <li> <strong>Certificat temporaire actif après provisionnement Let's Encrypt</strong> Cert-manager installe parfois un certificat temporaire avant que Let's Encrypt émette le définitif. 👉 Il suffit d’attendre la mise à jour, c’est un comportement normal.</li> </ul> <p> </p> <ul> <li> <strong>MicroK8s qui "perd" des add-ons (Helm, DNS, etc.) après redémarrage</strong> J’ai constaté que certains add-ons de MicroK8s se désactivaient au reboot. 👉 Nécessité de relancer manuellement certains services.</li> </ul> <p> </p> <ul> <li> <strong>ClusterIssuer manquant après reboot du cluster</strong> Après redémarrage, mon ClusterIssuer n’était plus reconnu. Cela venait d’un oubli de le versionner dans mon GitOps au début. 👉 Résolu en l’ajoutant explicitement dans les manifests surveillés par Argo CD.</li> </ul> <p> </p> <ul> <li> <strong>Erreurs d’accès HTTPS malgré une config a priori correcte</strong> Liées dans mon cas à un <strong>certificat temporaire encore actif</strong>, ou à une mauvaise <strong>terminaison TLS côté Ingress</strong>. 👉 En fixant la gestion TLS uniquement au niveau Ingress, le problème a disparu.</li> </ul> <h2> 🧾 En résumé </h2> <p>Dans cet article, j’ai amorcé la transition vers une infrastructure GitOps multi-environnement, avec :</p> <ul> <li><p>L’installation d’Argo CD via Helm dans un namespace dédié</p></li> <li><p>La gestion du HTTPS avec cert-manager et un ClusterIssuer Let’s Encrypt</p></li> <li><p>La résolution de problèmes classiques liés aux certificats (self-signed, temporaires, double création de certificat)</p></li> <li><p>L’exposition d’Argo CD en HTTPS via Ingress NGINX</p></li> <li><p>Le premier déploiement GitOps d’une application (<code>portfolio</code>) dans l’environnement <code>dev</code>, patché dynamiquement via <code>kustomize</code></p></li> </ul> <p>Ce socle technique me permet désormais de tester, versionner et sécuriser mes déploiements comme en production, tout en gardant un maximum de contrôle sur l'infrastructure.</p> <h2> 🔜 À venir dans le prochain article </h2> <p>On poursuivra en intégrant <strong>Argo CD Image Updater</strong> pour assurer la mise à jour automatique des images déployées, en ajoutant une couche de <strong>sécurité avec SealedSecrets</strong> pour protéger le token d'API permettant d'interagir avec Argo CD. On verra aussi comment rendre ce système autonome, sans intervention manuelle, toujours dans une logique GitOps.</p> kubernetes argocd gitops devops Woulf Sun, 18 May 2025 14:21:04 +0000 https://dev.to/woulf/article-6-monitoring-minimaliste-avec-prometheus-grafana-kdn https://dev.to/woulf/article-6-monitoring-minimaliste-avec-prometheus-grafana-kdn <p><em>Intégration de Prometheus &amp; Grafana pour monitorer mon cluster Kubernetes auto-hébergé, avec accès HTTPS public, dashboard par défaut personnalisé et sécurité maintenue, le tout dans une logique MVP GitOps.</em></p> <p>Dans cette sixième étape, j'intègre un système de monitoring pour superviser mon cluster Kubernetes, toujours dans une logique MVP, auto-hébergée, et sans complexité inutile.</p> <h3> Objectif : visibilité simple et efficace </h3> <p>Je veux pouvoir visualiser l'état de mon cluster en un coup d’œil : CPU, mémoire, pods, réseau. Pas de sur-ingénierie, pas d’alerts emails, juste un dashboard clair.</p> <p>J'utilise le chart Helm <a href="https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack" rel="noopener noreferrer">kube-prometheus-stack</a>, largement adopté en prod, même s’il est ici sous-utilisé dans un but pédagogique.</p> <h3> Installation via Helm </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update helm upgrade --install monitoring prometheus-community/kube-prometheus-stack \ --namespace monitoring \ --create-namespace \ --values prometheus-stack-values.yaml </code></pre> </div> <p>J'ai désactivé <code>alertmanager</code> dans le <code>values.yaml</code>, car je ne souhaite pas gérer d'alertes pour ce MVP :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">alertmanager</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <h3> Pourquoi ne pas utiliser le module Prometheus de MicroK8s ? </h3> <p>MicroK8s propose un module <code>prometheus</code> activable en une ligne :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>microk8s enable prometheus </code></pre> </div> <p>Mais ce module reste une <strong>boîte noire</strong> difficile à intégrer dans un workflow GitOps :</p> <ul> <li>Il n'est <strong>pas versionné</strong> dans le dépôt Git</li> <li>Il n'offre <strong>quasiment aucun contrôle</strong> sur la configuration ou les versions</li> <li>Il ne permet pas de séparer proprement Grafana et Prometheus</li> </ul> <p>En choisissant le chart Helm <code>kube-prometheus-stack</code>, je garde la <strong>maîtrise complète de la configuration</strong> via mon <code>values.yaml</code>, je peux <strong>versionner mon infrastructure</strong>, et je rends mon setup <strong>portatif</strong> sur n'importe quel autre cluster Kubernetes cloud ou local.</p> <h3> Accès à Grafana </h3> <p>J'ai créé un Ingress à <code>grafana.woulf.fr</code> avec certificat HTTPS géré par <code>cert-manager</code>.</p> <p>L'accès admin est protégé par un <code>Secret</code> Kubernetes (non committé) défini comme :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">grafana</span><span class="pi">:</span> <span class="na">admin</span><span class="pi">:</span> <span class="na">existingSecret</span><span class="pi">:</span> <span class="s">monitoring-grafana</span> </code></pre> </div> <blockquote> <p>Création du Secret</p> <pre class="highlight plaintext"><code>kubectl -n monitoring create secret generic monitoring-grafana \ --from-literal=admin-user=admin \ --from-literal=admin-password=******** </code></pre> </blockquote> <p>Et pour permettre un accès public simple, j’ai activé l'accès <strong>anonyme</strong> avec le rôle <code>Viewer</code> (lecture seule) :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">grafana</span><span class="pi">:</span> <span class="na">grafana.ini</span><span class="pi">:</span> <span class="na">auth.anonymous</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">org_name</span><span class="pi">:</span> <span class="s">Main Org.</span> <span class="na">org_role</span><span class="pi">:</span> <span class="s">Viewer</span> <span class="na">hide_version</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h3> Dashboard par défaut </h3> <p>J'ai choisi le dashboard <code>Kubernetes / Compute Resources / Cluster</code> fourni par défaut dans le chart, puis je l’ai exporté, versionné dans un <code>ConfigMap</code>, et monté comme dashboard d’accueil :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">grafana</span><span class="pi">:</span> <span class="na">grafana.ini</span><span class="pi">:</span> <span class="na">dashboards</span><span class="pi">:</span> <span class="na">default_home_dashboard_path</span><span class="pi">:</span> <span class="s">/var/lib/grafana/dashboards/grafana-dashboard-home/default.json</span> <span class="na">dashboardsConfigMaps</span><span class="pi">:</span> <span class="na">grafana-dashboard-home</span><span class="pi">:</span> <span class="s">grafana-dashboard-home</span> <span class="na">sidecar</span><span class="pi">:</span> <span class="na">dashboards</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">label</span><span class="pi">:</span> <span class="s">grafana_dashboard</span> <span class="na">searchNamespace</span><span class="pi">:</span> <span class="s">ALL</span> </code></pre> </div> <p>Le <code>ConfigMap</code> correspondant est versionné dans le repo d’infra, et porte le label <code>grafana_dashboard: "1"</code> pour être pris en compte automatiquement par le sidecar Grafana.</p> <blockquote> <p>📁 Un <code>ConfigMap</code> est une ressource Kubernetes qui permet de monter des fichiers non sensibles dans un pod.<br> Il est rechargé automatiquement en cas de modification.</p> </blockquote> <h3> Résultat </h3> <ul> <li>Grafana accessible publiquement, en HTTPS</li> <li>Dashboard par défaut lisible et utile</li> <li>Aucun login requis pour consulter l’état du cluster</li> <li>Compte admin sécurisé via Secret Kubernetes</li> </ul> <p>Cette approche respecte les bonnes pratiques DevOps, tout en restant simple et facilement compréhensible pour un visiteur ou un recruteur.</p> <h2> 🧠 Et en production ? </h2> <p>Ce setup est volontairement minimaliste et pédagogique, mais plusieurs aspects seraient renforcés dans un contexte de production :</p> <ul> <li> <strong>Alertmanager</strong> serait activé, avec des routes d’alerte vers des services externes (email, Slack, etc.), pour être notifié dès qu’un composant tombe.</li> <li> <strong>L’accès Grafana</strong> ne serait pas ouvert en anonyme : il serait restreint par IP, protégé par un proxy ou connecté à un SSO/LDAP.</li> <li> <strong>Le mot de passe admin</strong> ne serait pas géré via un <code>Secret</code> statique, mais externalisé via Vault ou une solution de gestion de secrets (SealedSecrets, ExternalSecrets).</li> <li> <strong>Les dashboards</strong> seraient provisionnés via API ou fichiers dédiés, avec une stratégie de gestion de version plus modulaire.</li> <li> <strong>Le certificat TLS</strong> serait géré via des mécanismes de rotation automatique à plus grande échelle (wildcard DNS, ACME DNS challenge...).</li> </ul> <p>Mais dans le cadre de ce MVP, cette configuration me donne un bon équilibre entre simplicité, lisibilité, sécurité de base et maintenabilité GitOps.</p> <p>⚡ Prochaine étape : ajout de <code>loki</code> pour la collecte de logs centralisée ? Ou test d’ArgoCD pour GitOps avancé ?</p> <p>C'est ouvert !</p> prometheus grafana monitoring devops Woulf Wed, 16 Apr 2025 08:58:00 +0000 https://dev.to/woulf/article-5-finalisation-de-lhttps-et-perspectives-devolution-54e2 https://dev.to/woulf/article-5-finalisation-de-lhttps-et-perspectives-devolution-54e2 <p><em>Mise en place d’un certificat HTTPS via Let’s Encrypt et cert-manager, avec configuration des challenges et annotations de sécurité dans l’Ingress Kubernetes.</em></p> <p>Dans cette cinquième étape, je reviens sur la mise en place d’un certificat SSL/TLS pour sécuriser le site <strong>woulf.fr</strong>, toujours dans une optique DevOps. Nous allons voir :</p> <ol> <li><strong>Pourquoi Let’s Encrypt</strong></li> <li><strong>Pourquoi cert-manager</strong></li> <li> <strong>Les annotations essentielles</strong> (<code>ssl-redirect</code>, <code>hsts-max-age</code>)</li> </ol> <h2> Contexte du projet </h2> <p>Au fil des articles précédents, j’ai :</p> <ul> <li>Déployé un cluster Kubernetes via <strong>MicroK8s</strong> sur un VPS.</li> <li>Conteneurisé mon application avec <strong>Docker</strong>.</li> <li>Mis en place une <strong>CI/CD GitHub Actions</strong> pour builder et publier automatiquement l’image Docker.</li> <li>Séparé <strong>code applicatif</strong> et <strong>infrastructure</strong> dans deux dépôts Git distincts.</li> <li>Déployé le tout sur Kubernetes avec une logique <strong>GitOps</strong>.</li> </ul> <p>La dernière étape consistait à <strong>sécuriser l’accès au site</strong> avec HTTPS.</p> <h2> Pourquoi Let’s Encrypt ? </h2> <p><a href="https://letsencrypt.org" rel="noopener noreferrer">Let’s Encrypt</a> est une autorité de certification gratuite, automatisée et ouverte. C’est aujourd’hui la référence pour obtenir facilement un certificat SSL/TLS valide.</p> <h3> Avantages : </h3> <ul> <li> <strong>Gratuit</strong> : aucun coût d’émission ni de renouvellement.</li> <li> <strong>Automatisé</strong> : compatible avec les outils DevOps et Kubernetes.</li> <li> <strong>Reconnu</strong> : les certificats sont valides pour tous les navigateurs modernes.</li> </ul> <h2> Pourquoi cert-manager ? </h2> <p><strong>cert-manager</strong> est un opérateur Kubernetes développé pour gérer automatiquement les certificats (émission, renouvellement, rotation…).</p> <p>Il permet de :</p> <ul> <li> <strong>Créer un certificat SSL/TLS</strong> via des objets <code>Certificate</code> Kubernetes.</li> <li> <strong>Effectuer la validation (challenge)</strong> automatiquement auprès de Let’s Encrypt.</li> <li> <strong>Gérer les renouvellements</strong> sans aucune intervention manuelle.</li> </ul> <p>Il s’intègre très bien dans un workflow GitOps : on peut versionner les certificats et leur configuration dans le repo d’infra.</p> <h2> Fonctionnement du challenge HTTP-01 </h2> <p>Pour vérifier que je suis bien propriétaire du nom de domaine, Let’s Encrypt effectue une <strong>vérification via HTTP</strong> :</p> <ol> <li>cert-manager crée un <code>Challenge</code> avec une URL spéciale sur le domaine : </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> http://woulf.fr/.well-known/acme-challenge/&lt;token&gt; </code></pre> </div> <ol> <li>Il lance un <strong>pod <code>acmesolver</code></strong> temporaire qui répond à cette URL avec une clé unique.</li> <li>Let’s Encrypt interroge l’URL : <ul> <li>Si la bonne clé est retournée, le certificat est délivré.</li> <li>Sinon, la validation échoue.</li> </ul> </li> </ol> <p>Avec l’ajout de l’annotation suivante dans l’Ingress :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>acme.cert-manager.io/http01-edit-in-place: "true" </code></pre> </div> <p>le challenge HTTP est directement intégré dans l’Ingress principal, ce qui évite des conflits (que j'ai eu avec des Ingress/POD dédiés au solver).</p> <h2> Ajout d'annotations pour une sécurité supplémentaire </h2> <h3> <code>nginx.ingress.kubernetes.io/ssl-redirect</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nginx.ingress.kubernetes.io/ssl-redirect: "true" </code></pre> </div> <blockquote> <p>Forcer automatiquement la redirection HTTP vers HTTPS.</p> </blockquote> <p>Une fois le certificat valide, on peut s'assurer que les utilisateurs accèdent toujours au site en HTTPS.</p> <h3> <code>nginx.ingress.kubernetes.io/hsts-max-age</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nginx.ingress.kubernetes.io/hsts-max-age: "31536000" </code></pre> </div> <blockquote> <p>Ajoute un en-tête HSTS (HTTP Strict Transport Security) pour dire aux navigateurs de <strong>refuser toute future connexion en HTTP</strong> pendant 1 an (31 536 000 secondes).</p> </blockquote> <p>⚠️ Attention à ne l’activer <strong>qu’après avoir vérifié que HTTPS fonctionne</strong>, car cela empêche tout retour vers HTTP.</p> <h2> Exemple final de configuration </h2> <p>Voici un extrait du fichier <code>Ingress</code> après intégration des bonnes pratiques :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">woulf-ingress</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">cert-manager.io/cluster-issuer</span><span class="pi">:</span> <span class="s">letsencrypt-prod</span> <span class="na">acme.cert-manager.io/http01-edit-in-place</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">nginx.ingress.kubernetes.io/ssl-redirect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">nginx.ingress.kubernetes.io/hsts-max-age</span><span class="pi">:</span> <span class="s2">"</span><span class="s">31536000"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">woulf.fr</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">woulf-fr-tls</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">woulf.fr</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <h2> Ce qu’il reste à faire </h2> <p>✅ Le site est maintenant accessible en HTTPS, avec un certificat <strong>Let’s Encrypt</strong> automatiquement géré par <strong>cert-manager</strong>.<br><br> Voici ce que je prévois pour la suite :</p> <ul> <li> <strong>Monitoring</strong> : mettre en place un stack Prometheus / Grafana.</li> <li> <strong>Logs centralisés</strong> : avec Loki ou EFK.</li> <li> <strong>GitOps avancé</strong> : tester ArgoCD ou Flux pour observer et réconcilier les états du cluster.</li> </ul> <p>Ce projet est un premier pas vers une infrastructure entièrement automatisée et maintenable. Et ce n’est que le début 👨‍🚀</p> kubernetes certmanager https devops Woulf Mon, 07 Apr 2025 12:09:18 +0000 https://dev.to/woulf/article-4-deploiement-kubernetes-avec-gitops-55gf https://dev.to/woulf/article-4-deploiement-kubernetes-avec-gitops-55gf <p><em>Déploiement de mon infrastructure Kubernetes versionnée avec GitOps, avec application automatisée via une pipeline dédiée et exposition publique de mon portfolio.</em></p> <p>Après avoir mis en place le build et le push de mon image Docker, il est temps d’aller plus loin : <strong>versionner et automatiser le déploiement de mon infrastructure Kubernetes</strong>.</p> <h2> Séparation des responsabilités : code vs infra </h2> <p>Pour garder une architecture propre et maintenir une logique GitOps, j’ai séparé l’infrastructure du code applicatif dans deux dépôts Git différents :</p> <ul> <li> <a href="https://github.com/Wooulf/forkfolio" rel="noopener noreferrer"><code>Wooulf/forkfolio</code></a> : contient le code source de mon site (Next.js), le <code>Dockerfile</code> et une pipeline CI pour builder + déployer l’image Docker.</li> <li> <a href="https://github.com/Wooulf/infra-k8s-terraform" rel="noopener noreferrer"><code>Wooulf/infra-k8s-terraform</code></a> : contient <strong>tous les fichiers de configuration Kubernetes</strong> (<code>deployment.yaml</code>, <code>service.yaml</code>, etc.), et une <strong>autre pipeline CI/CD</strong> dédiée à leur application sur le cluster.</li> </ul> <p>🎯 Ce découpage permet de découpler le code applicatif de l'infrastructure, ce qui facilite la maintenance, les revues de code ciblées, et l’évolution des deux parties de manière indépendante.</p> <h2> Déploiement de l'application sur MicroK8s </h2> <p>Pour que mon application tourne sur le cluster et soit exposée proprement au public, j’ai mis en place les éléments suivants :</p> <ul> <li>Un <strong>Deployment</strong> : qui gère le cycle de vie du pod (mises à jour, résilience…)</li> <li>Un <strong>Service ClusterIP</strong> : pour stabiliser la communication interne vers le pod</li> <li>Un <strong>Ingress</strong> : pour router les requêtes HTTP externes vers la bonne application</li> <li>Un <strong>Service NodePort</strong> : pour exposer l’Ingress Controller au monde extérieur</li> </ul> <h2> Une requête, un chemin </h2> <p>L'ensemble de ces composants permet de faire transiter une requête HTTP entrante à travers le cluster, comme ceci :</p> <blockquote> <p>🌐 <code>Client</code> → <code>VPS</code> (port 80) → <code>NodePort</code> → <code>Ingress</code> → <code>ClusterIP</code> → <code>Pod</code></p> </blockquote> <p>Voici un schéma clair et visuel du fonctionnement :</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fabuijcwf91jng0eyr5mf.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fabuijcwf91jng0eyr5mf.jpg" alt="Schéma de routage Kubernetes vers mon app portfolio" width="800" height="344"></a></p> <h2> Fichiers de définition Kubernetes </h2> <p>Voici les fichiers versionnés dans le repo d’infra :</p> <h3> 🧱 Deployment </h3> <p>Gère le déploiement du conteneur, les mises à jour, la redondance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">image</span><span class="pi">:</span> <span class="s">woulf/portfolio:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <h3> 🌐 Service ClusterIP </h3> <p>Expose le pod à l’intérieur du cluster via une IP stable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <h3> 🌍 Ingress </h3> <p>Fait le lien entre un nom de domaine (<code>woulf.fr</code>) et le bon service interne.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">woulf-ingress</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/rewrite-target</span><span class="pi">:</span> <span class="s">/</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">woulf.fr</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">portfolio</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> </code></pre> </div> <h3> 🛣️ Service NodePort pour exposer l’Ingress Controller </h3> <p>Ce Service expose le pod NGINX de l’Ingress Controller vers l’extérieur, via un port ouvert sur le VPS.<br> Cela permet aux requêtes HTTP/HTTPS d’atteindre le cluster depuis l’extérieur.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-ingress-microk8s-controller</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">ingress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">NodePort</span> <span class="na">externalIPs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">185.216.27.229</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-ingress-microk8s</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">nodePort</span><span class="pi">:</span> <span class="m">32180</span> </code></pre> </div> <p>💡 externalIPs permet d’exposer manuellement un service sur l’IP publique d’un VPS. C’est une approche fonctionnelle en environnement auto-hébergé, mais dans un contexte cloud, on privilégiera les Service de type LoadBalancer, qui s’intègrent directement avec l’infrastructure réseau du fournisseur. Pour les clusters sans cloud provider, une solution comme MetalLB permet de simuler ce comportement.</p> <h2> Pipeline GitHub Actions dans le repo infra </h2> <p>Une fois les fichiers versionnés, je les applique automatiquement sur mon cluster grâce à une <strong>deuxième pipeline CI/CD</strong> dans le dépôt <code>infra-k8s-terraform</code>.</p> <p>Elle s’exécute dès qu’un fichier est modifié dans le dossier <code>k8s/</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">k8s/**'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">apply_k8s_configs</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/k8s-set-context@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">kubeconfig</span><span class="pi">:</span> <span class="s">${{ secrets.KUBECONFIG }}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">kubectl apply -f k8s/</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">kubectl get all</span> </code></pre> </div> <p>✅ Résultat : à chaque commit de config, <strong>le cluster se synchronise automatiquement</strong>.</p> <h2> Et la suite ? </h2> <p>Je pourrais aller encore plus loin avec un <strong>outil GitOps complet</strong> comme <strong>ArgoCD</strong> ou <strong>Flux</strong>. Ces outils se chargeraient de <strong>surveiller le dépôt Git en continu</strong> et de mettre à jour le cluster <strong>sans passer par une pipeline manuelle</strong>.</p> <p>⚠️ Ce setup reste minimaliste : il n'inclut pas de haute disponibilité ni de gestion dynamique du trafic. Il est cependant suffisant pour un portfolio auto-hébergé, dans une logique de MVP.</p> <p>🔄 Ce setup me permet d’avoir une boucle de feedback rapide entre mes commits et le résultat en production, tout en gardant un code d’infra proprement versionné. Ce n’est pas encore du GitOps “as a Service”, mais on s’en approche.</p> <p>💡 Dans le prochain article, je parlerai de la <strong>gestion des secrets</strong>, du futur passage en <strong>HTTPS</strong>, des idées de <strong>monitoring</strong>, et des prochaines évolutions possibles de mon infrastructure.</p> kubernetes gitops devops infrastructureascode Woulf Mon, 07 Apr 2025 12:00:33 +0000 https://dev.to/woulf/article-3-docker-github-actions-4jno https://dev.to/woulf/article-3-docker-github-actions-4jno <p><em>Automatisation du build Docker de mon portfolio avec GitHub Actions, publication sur Docker Hub et redéploiement transparent sur Kubernetes.</em></p> <h2> Automatiser le build et le push d’une app Node.js </h2> <p>Dans cette troisième étape, je m’attaque à la <strong>conteneurisation de mon application</strong> Next.js (portfolio personnel), et à la mise en place d’une <strong>pipeline CI/CD</strong> pour automatiser le build de l’image Docker, son push sur Docker Hub, et le redéploiement automatique sur Kubernetes.</p> <h2> CI/CD : création de l’image Docker </h2> <p>L’objectif est de :</p> <ul> <li>Produire une image Docker légère et optimisée</li> <li>La publier automatiquement sur <strong>Docker Hub</strong> </li> <li>Redémarrer le déploiement sur le cluster <strong>sans downtime</strong> </li> </ul> <p>Tout est défini dans une pipeline GitHub Actions située dans le dépôt de mon application, sous <code>.github/workflows/deploy.yml</code>.</p> <h2> Construction de l’image Docker </h2> <p>Voici le <code>Dockerfile</code> utilisé :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Étape 1 — Base d’image pour builder et runner</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:23-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">base</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">ENV</span><span class="s"> NEXT_TELEMETRY_DISABLED=1</span> <span class="c"># Étape 2 — Installation des dépendances</span> <span class="k">FROM</span><span class="w"> </span><span class="s">base</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">deps</span> <span class="k">COPY</span><span class="s"> package.json package-lock.json ./</span> <span class="k">RUN </span>npm ci <span class="c"># Étape 3 — Build avec récupération sécurisée des articles Dev.to</span> <span class="k">FROM</span><span class="w"> </span><span class="s">base</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">COPY</span><span class="s"> --from=deps /app/node_modules ./node_modules</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">ENV</span><span class="s"> NEXT_PUBLIC_URL=https://woulf.fr</span> <span class="k">ENV</span><span class="s"> NEXT_PUBLIC_EMAIL=corentinboucardpro@gmail.com</span> <span class="c"># Injection sécurisée du token Dev.to via BuildKit</span> <span class="k">RUN </span><span class="nt">--mount</span><span class="o">=</span><span class="nb">type</span><span class="o">=</span>secret,id<span class="o">=</span>devto_token <span class="se">\\</span> DEVTO_API_KEY=\$(cat /run/secrets/devto_token) node scripts/fetchDevtoArticles.js &amp;&amp; npm run build <span class="c"># Étape 4 — Image finale pour l’exécution</span> <span class="k">FROM</span><span class="w"> </span><span class="s">base</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">runner</span> <span class="k">ENV</span><span class="s"> NODE_ENV=production</span> <span class="k">ENV</span><span class="s"> PORT=3000</span> <span class="c"># Création d’un utilisateur non-root</span> <span class="k">RUN </span>addgroup <span class="nt">-S</span> nodejs <span class="nt">-g</span> 1001 <span class="o">&amp;&amp;</span> <span class="se">\\</span> adduser -S nextjs -u 1001 -G nodejs &amp;&amp; \\ mkdir .next &amp;&amp; chown nextjs:nodejs .next <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=builder /app/public ./public</span> <span class="k">COPY</span><span class="s"> --from=builder --chown=nextjs:nodejs /app/.next/standalone ./</span> <span class="k">COPY</span><span class="s"> --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static</span> <span class="k">USER</span><span class="s"> nextjs</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "server.js"]</span> </code></pre> </div> <p>🧠 Quelques remarques sur le Dockerfile :</p> <ul> <li> <strong>Multi-stage build</strong> : séparation claire entre les étapes de base, d'installation, de build, et de runtime, ce qui permet une image finale propre et minimale.</li> <li> <strong>Base alpine (node:23-alpine)</strong> : image légère, rapide à télécharger, avec une surface d’attaque réduite (bon point pour la sécurité).</li> <li> <strong>Copie du <code>package*.json</code> avant le code source</strong> : permet de <strong>tirer parti du cache Docker</strong> tant que les dépendances ne changent pas → accélère drastiquement les builds.</li> <li> <strong>Utilisation de <code>npm ci</code></strong> : garantit une installation propre et rapide des dépendances en se basant uniquement sur le <code>package-lock.json</code>, sans résoudre les versions à nouveau.</li> <li> <strong>Injection sécurisée du token Dev.to avec BuildKit</strong> : évite d’exposer des secrets sensibles dans l’image ou les logs. Le token est utilisé uniquement le temps du build.</li> <li> <strong>Téléchargement dynamique des articles Dev.to</strong> : via un script exécuté <strong>pendant le build</strong>, ce qui permet de maintenir le contenu à jour sans le committer dans le dépôt.</li> <li> <strong>Création d’un utilisateur non-root (<code>nextjs</code>)</strong> : renforce la sécurité à l’exécution en limitant les permissions du processus Node.js.</li> <li> <strong>Répertoires <code>.next/standalone</code> et <code>.next/static</code></strong> : copiés depuis l'étape de build pour ne garder que le strict nécessaire à l’exécution (selon les recommandations Next.js pour le déploiement Docker).</li> <li> <strong><code>EXPOSE 3000</code></strong> : uniquement informatif, mais utile pour la documentation, certains outils, et la lisibilité du Dockerfile.</li> </ul> <p>🔐 Résultat : une image Docker légère, sécurisée, rapide à builder, et prête à être déployée en prod.</p> <h2> Pipeline dans le dépôt applicatif </h2> <p>La pipeline <code>deploy.yml</code> contient deux jobs : </p> <ol> <li>Le <strong>build &amp; push</strong> de l’image </li> <li>Le <strong>redéploiement sur le cluster Kubernetes</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Website</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">docker</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up QEMU</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-qemu-action@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Docker Buildx</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Docker Hub</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/login-action@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">\${{ secrets.DOCKER_USERNAME }}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">\${{ secrets.DOCKER_PASSWORD }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">woulf/portfolio:latest</span> <span class="na">secrets</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">"devto_token=\${{ secrets.DEVTO_TOKEN }}"</span> <span class="na">rollout_k8s</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">docker</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Kubernetes context</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/k8s-set-context@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">kubeconfig</span><span class="pi">:</span> <span class="s">\${{ secrets.KUBECONFIG }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Restart Deployment</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">kubectl rollout restart deployment/portfolio -n default</span> <span class="s">kubectl rollout status deployment/portfolio -n default</span> </code></pre> </div> <p>🧠 Quelques remarques sur la pipeline :</p> <ul> <li> <strong>Déclencheur automatique sur <code>push</code> sur <code>main</code></strong> : permet de publier les changements dès qu’ils sont mergés, sans action manuelle. Utile en mode rolling release.</li> <li> <strong>Workflow modulaire</strong> : deux jobs bien séparés (<code>docker</code> et <code>rollout_k8s</code>), ce qui isole les responsabilités entre la <strong>construction/push</strong> et le <strong>déploiement</strong>.</li> <li> <strong>Utilisation de <code>docker/build-push-action@v5</code></strong> : outil maintenu par Docker Inc. pour builder efficacement avec <strong>BuildKit</strong>, gérer les caches, secrets, tags, et plateformes.</li> <li> <strong>Secrets gérés par GitHub (<code>secrets.*</code>)</strong> : aucun mot de passe ou token dans le code. Le token Dev.to est passé via <code>secrets</code> en tant que secret mount avec BuildKit.</li> <li> <strong>BuildKit + <code>--mount=type=secret</code></strong> : permet d’injecter un token dans un <code>RUN</code> <strong>temporairement</strong> (jamais exposé dans l'image finale, ni dans les logs).</li> <li> <strong>Push sur Docker Hub</strong> avec tag <code>woulf/portfolio:latest</code> : ton image est automatiquement versionnée et disponible en ligne pour un déploiement rapide sur n’importe quel cluster.</li> <li> <strong>Redéploiement Kubernetes via <code>kubectl rollout restart</code></strong> : déclenche un redéploiement du pod sans downtime (Kubernetes gère le remplacement progressif).</li> <li> <strong>Vérification du statut avec <code>kubectl rollout status</code></strong> : empêche la pipeline de continuer si le déploiement échoue → fiabilise le process.</li> <li> <strong>Utilisation de <code>needs: docker</code> dans le job de déploiement</strong> : garantit que l’image est bien poussée <strong>avant</strong> le restart sur le cluster.</li> </ul> <p>🔄 Résultat : un pipeline CI/CD robuste, 100% automatisé, qui met à jour ton contenu, ton image Docker, et ton déploiement Kubernetes en un seul push.</p> <h2> Gestion des secrets </h2> <p>Aucun identifiant n’est codé en dur. Tout est stocké de manière sécurisée via les <strong>GitHub Secrets</strong> :</p> <ul> <li> <code>DOCKER_USERNAME</code> / <code>DOCKER_PASSWORD</code> → pour Docker Hub</li> <li> <code>KUBECONFIG</code> → pour se connecter à mon cluster MicroK8s à distance</li> <li> <code>DEVTO_TOKEN</code> → pour accéder à l’API Dev.to et télécharger les articles automatiquement pendant le build</li> </ul> <h2> Résultat </h2> <p>✅ À chaque push :</p> <ul> <li>Les articles Dev.to sont récupérés</li> <li>L’image est reconstruite et poussée</li> <li>L’app est redéployée <strong>sans interruption</strong> </li> </ul> <p>💡 Prochaines étapes :</p> <ul> <li>Ajouter scan Trivy</li> <li>Ajout d’un <code>HEALTHCHECK</code> </li> <li>Réduction des dépendances côté prod</li> </ul> <p>➡️ Dans le prochain article, je vous explique comment j’ai versionné <strong>l’infrastructure Kubernetes</strong> dans un second dépôt, et mis en place une <strong>pipeline GitOps</strong> pour garder le cluster synchronisé.</p> docker githubactions cicd devops