README.md
micro-infra

micro-infra is a lightweight, cloud-native infrastructure designed to manage and deploy microservices.

micro-infra/
├── docs/                                 # Documentation files
├── gitops/                               # GitOps resources for ArgoCD
├── iac/                                  # Infrastructure-as-Code with Terragrunt
├── meta-charts/                          # Meta Helm charts for GitOps
├── repo-operator/                        # Submode repository operator for managing and automating workflows
├── runbooks/                             # Runbooks for operations and alerts
└── scripts/                              # Automation scripts for repo scope

Architecture Overview

The infrastructure is organized into distinct namespaces, each serving a specific purpose. Below is the architecture diagram illustrating the components and their interactions:

Micro-Infra Architecture

Platform

  • Terragrunt operated:

    • Remote state management in a remote bucket.
    • DRY state and provider management across the different assets.
    • Automated security scanning with Trivy, run from Terragrunt hooks.
    • Centralized variable management with project- and location-specific configuration files in /iac.
    • Manages ArgoCD.
  • GitOps managed:

    • ArgoCD Apps tracking HEAD, defined in /gitops, using /meta-charts.
    • Pull request generators for product CI/CD, triggered by PRs carrying the GitHub label "preview".

Observability

Monitoring

Collectors

  • Prometheus ServiceMonitors
  • OpenTelemetry to Prometheus and Tempo

Visualization

Grafana, with data sources pointing at the telemetry backends below.

Backends

  • Tempo
  • Prometheus

Alerting

AlertManager

Profiling

Pyroscope (TBD)

Reporting

sloth or OpenSLO (TBD); OpenCost

Telemetry

Infrastructure

Core components that support the cluster's operations.

  • Cert-Manager: Automates the management and issuance of TLS certificates with Let's Encrypt.
  • Cluster Autoscaler: Automatically adjusts the number of nodes in the cluster based on resource utilization.
  • Ingress NGINX: Manages external HTTP/S traffic and load balancing within the cluster.

Products

This namespace is reserved for deploying user-defined microservices and applications.

Security

Operations

Trivy scanning of Terraform code, run from a Terragrunt after-hook.

Runtime

Falco (TBD)

Network

WAF

ModSecurity addon for Ingress NGINX. Example JSON audit-log entry for a request matched by an OWASP CRS rule (IPs and ids redacted as X.X.X.X):

{"transaction":{"client_ip":"X.X.X.X","time_stamp":"Tue Nov 26 14:42:00 2024","server_id":"XXXX","client_port":34769,"host_ip":"X.X.X.X","host_port":80,"unique_id":"XXX.XXX","request":{"method":"GET","http_version":1.1,"uri":"/geoserver/web/","headers":{"Host":"X.X.X.X","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36","Accept":"*/*","Accept-Encoding":"gzip"}},"response":{"body":"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n","http_code":404,"headers":{"Server":"","Server":"","Date":"Tue, 26 Nov 2024 14:42:00 GMT","Content-Length":"548","Content-Type":"text/html","Connection":"keep-alive"}},"producer":{"modsecurity":"ModSecurity v3.0.12 (Linux)","connector":"ModSecurity-nginx v1.0.3","secrules_engine":"Enabled","components":["OWASP_CRS/4.4.0\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `(?:^([\\d.]+|\\[[\\da-f:]+\\]|[\\da-f:]+)(:[\\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `X.X.X.X' )","reference":"o0,13o0,13v35,13","ruleId":"920350","file":"/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"772","data":"X.X.X.X","severity":"4","ver":"OWASP_CRS/4.4.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-protocol","paranoia-level/1","OWASP_CRS","capec/1000/210/272","PCI/6.5.10"],"maturity":"0","accuracy":"0"}}]}}
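As an added example (not code from this repository), a small Python parser that turns ModSecurity JSON audit entries like the one above into per-rule findings with the severity and CRS paranoia level decoded, so they can feed alerting or a Grafana dashboard; the embedded sample entry is a constructed, shortened copy of the entry above, and the function names are my own.

```python
import json

# ModSecurity numeric severity scale as written in the audit log ("severity": "4" = WARNING).
SEVERITY = {0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR",
            4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG"}

# Constructed sample entry, trimmed from the audit line shown in this README.
SAMPLE_LINE = json.dumps({"transaction": {
    "client_ip": "203.0.113.7", "unique_id": "SAMPLE.1",
    "request": {"method": "GET", "uri": "/geoserver/web/",
                "headers": {"Host": "203.0.113.7"}},
    "response": {"http_code": 404},
    "producer": {"secrules_engine": "Enabled"},
    "messages": [{"message": "Host header is a numeric IP address",
                  "details": {"ruleId": "920350", "severity": "4",
                              "tags": ["attack-protocol", "paranoia-level/1",
                                       "OWASP_CRS", "PCI/6.5.10"]}}]}})


def parse_audit_line(line: str) -> list:
    """Expand one JSON audit entry into one finding dict per matched rule."""
    tx = json.loads(line)["transaction"]
    req, resp = tx.get("request", {}), tx.get("response", {})
    findings = []
    for msg in tx.get("messages", []):
        d = msg.get("details", {})
        tags = d.get("tags", [])
        # CRS tags each rule with the paranoia level it belongs to, e.g. "paranoia-level/1".
        pl = next((int(t.rsplit("/", 1)[1]) for t in tags
                   if t.startswith("paranoia-level/")), None)
        findings.append({
            "client_ip": tx.get("client_ip", ""), "uri": req.get("uri", ""),
            "http_code": int(resp.get("http_code", 0)), "rule_id": d.get("ruleId", ""),
            "severity": SEVERITY.get(int(d.get("severity", 7)), "UNKNOWN"),
            "message": msg.get("message", ""), "paranoia_level": pl, "tags": tags})
    return findings


def count_by_rule_and_client(lines) -> dict:
    """Tally matches per (rule_id, client_ip) to tell noisy rules from repeat sources."""
    counts = {}
    for line in lines:
        for f in parse_audit_line(line):
            key = (f["rule_id"], f["client_ip"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

In the entry above, the single WARNING-level match (rule 920350 at paranoia level 1) only contributes to the CRS anomaly score and the 404 is the backend's own response, so the request was not blocked; counting matches per rule and client is how you separate a rule to tune from a source worth alerting on.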

Ingress Controller Hardening

The Ingress Controller is hardened following the official NGINX hardening guide.

Ingresses

  • Rate-limiting annotations for publicly exposed Ingresses.
  • mTLS support for private access, e.g. the Grafana Ingress.

How-To Operate

TBD; see the /runbooks directory.