-
better secrets handling - current way ... well
-
getting 200 on bitbucket with tunnel (actually two tunnels ...) - bitbucket-source has to provide correct external url to bitbucket payload - most likely all works well but error is a bit missleading (atlasian 400 bad request)
-
refactor knative module -> knative module + submodules + crd
-
move all sources too niv
-
cli to run shell with persistent config
-
SSL (nginx) -> hydra -> ssl -> ec2a - doing
-
add nix tests
-
minikube localhost ssl -> works (add knative routes to ssl cert)
-
building image -> https://github.com/NixOS/nixpkgs/blob/master/nixos/maintainers/scripts/ec2/create-amis.sh
-
argo - issues with password
-
check knative hosts on eks (modules/kubernetes/knative-serve)
-
map virtual services from eks to nip.io
-
ability to export binary cache store key (best would be to define it upfront for everything and distribute it to the boxes - easier automation)
-
hydra & kubevirt & nixos -> thinking
-
when deploying nixos and rebooting wait for ssh
-
consider
tekton
- in progress -
build on target host - source is there -> s3 ec2 will be faster than local ec2
-
ability to filter namespace and files when applying kubernetes resources
-
add depends_on to bootstrap - changing instance should rerun bootstrap
-
config generation
-
expose kibana - separate chart - test on eks
-
not sure why aws secret patch is shouting ...
-
fix apply-aws-credenitials-secret -> required by brigade
-
validate before saving yaml resource - fail quickly
-
think about keeping pipeline close to project itself -> allow to inject module from function pespective
-
consider to use kubernetes patches like this https://www.diycode.cc/projects/Azure/kubernetes-policy-controller
-
spinup binary cache - after building go packages it takes time ... -> need to have hydra instance
-
add metadata.env
-
add namespace for functions
-
istio faul-injection as mocks
- setup bastion on nixos -> restic, velero, kubectl
- kubernetes/autoscaler#2246 - waiting for september
- shell for infra is necessary - nix shell infra first to bootstrap env and export outputs from terraform after that ... nix with resources
- tests and functions should be run in spot instances
- istio / autscaller run on main instance -> nodeSelector / nodeAffinity
- enum for fs types - aws-efs
- create autoscalling groups (https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/autoscaling.md) - done
- https://github.com/rook/rook/tree/master/cluster/examples/kubernetes/ceph
- add taints - think about best strategy for testing and app perfomance
- make PR to brigade to be able to select nodeSelector - required to spawn tests on spot instances
- finish minikube regression and do some smoke tests on eks
- SSL with istio and EKS - aws_route_53 - partially done
- refactor env -> should be more like dev, staging, qa, prod - local and current usage is a bit unclear (i.e. it would be handy to use for ssl -> certificate -> lets encrypt)
- change integration-modules to configuration-modules, and kubenix-modules to kubernetes-modules, prepare virtual-services for local and cloud env (hosts related)
- build go packages instead of using binaries - required by targeting linux within bastion - all go packages are built thru nix
- (kubernetes.target (minikube/eks/aks), environement.runtime (local, ci), environement.type 'dev','staging','prod')
- prometheus metrics and grafana dashboard for ceph
- velero - backups - auto at least before resources to rollback quickly
- spin up bitbucket gateway with AWS LB - virtual service and SSL is there
- virtual-services does not work
- rook-ceph with dashboard
- task to generate kubeconfig from terraform (
terraform apply -target module.cluster.module.eks.local_file.kubeconfig) -
tf-nix-exporter
- Terraform eks cluster [
- create aws role to attach for KMS and BinaryStore + kms generation from nixops or terraform
- create eks cluster
- trying to keep terraform dry - autogenerating varfiles and variables json to avoid duplicating code related to vars - tf-project bash command + var generator
- docker images -> EKS (https://kubernetes.io/docs/concepts/containers/images/#using-amazon-elastic-container-registry)
- virtual services works - one LB will sufice
- pvc for brigade project - done -> rook ceph
-
nix copy-sigs - brigade
-
integration-modules -> run cluster on virtualbox with integration-modules attached
-
allow to define virtual services within environement config
-
refactoring -> create
kubectl-helpers
-> createbootstrap-module
- (shape is there) -
remove errors found by argo (zipkin 2x, local-infra ns 2x, functions 2x) - test -> should be ok
- define brigade project within config/environement-setup rather that in brigade module
- move git commands from shell to nix module
- enable kashti
- add ability to handle secrets in similar manner as other kubenretes resources but with extra script - patch phase
- move nix stuff to module pattern
- brigade setup -> running nix tests
- think about getting rid of eval minikube docker-env
- improve readability what is going on when starting cluster
- introduce better control over granularity related to kubernetes resources
- introduce more distinctive parts for kubernetes resources (cluster, monitoring, faas, application, etc.) - move argo to separate resource to avoid chicken egg problem
- minikube and pvc and SC for brigade
- export aws variables - do not keep them within secret
- generate resources to file and check --local --watch
argocd app diff my-app
->argocd app diff $PROJECT_NAME --local ./resources
- portmapping for monitoring is done, do the same for istio (port-forwarding will be unnecessary and all environment will have the same way of exposing external ports)
- create argo startup scripts
- figure out better invalidation -> nix is doing a hash from directory, so move baking the image to some other place
- integrate
istioctl
- create derivation - each time dockerTools.buildImage is run even if contents won't change it is invoked - in case of development it is a bit painful
WHY it was needed: keeping secrets and improving granularity to not kill the argo
research -> https://gist.github.com/damianbaar/7194251de2b6f64af459ac861d34a323
- populate docker registry or nixos docker repository
- align ec2 deployment to
machine.json
descriptor - run example tests agains artifact in brigade
- watch github hooks when approving the pull request
- define argo waves - order of deployment
- improve docs - wip
- provide hooks for
nixops
infra updates - running cluster in
brigade
worker to test release -dind
- virtual kublet integration
- make brigade responsible for a
k8s
resources update withgit commit
,infra
updates withnixops
- optimize docker images
- push local store to s3
- provision
s3
bucket for cache inaws-cdk
ornixops
- ability to define test for infrastructure and cluster, more here
- https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/programs/ccache.nix
- setup
nix-channel
- formatting
- add skip flag for resources like secrets [
- think about detecting empty resources during generation - minor - filter them out?
-
Error from server: error decoding from json: illegal base64 data at input byte 0
- don't apply secrets - module is referencing generated secret - but secret does not need to be applied - skip when applying would be enough ]
- think about detecting empty resources during generation - minor - filter them out?
-
- apply scripts from local shell to
nixos
cluster - done - gitignore - https://nixos.org/nixpkgs/manual/#sec-pkgs-nix-gitignore
- setup brigade (serviceaccount) to be able to operate on kubernetes cluster (partially done - custom binding is there)
- use private docker registry for local development - to make things faster (kind 0.3 > does not play well with images from os x) (wip)
- forward
kubenix
results to brigade workers - create repository for infra code
- architecture diagram v0.0.1
- make diffing of resources possible - argo is doing that
- argo ingress to avoid issue with https - passhtrough from istio
- deploy
https://knative.dev/docs/serving/samples/hello-world/helloworld-nodejs/
- I need to have something to work withknative
as a project sounds good - spin up
distributed build cache
- to make building and provisioning super fast - spin up
brigade.js
to not using anyCI
solution - architecture should be event driven - spin up
k8s cluster
onec2
noteks
- just to try alternative solution which has less assumptions from vendor - make infrastructure testable, ...more
- why there are 2 CI systems - hydra and
brigade
I was playing only with brigade and it assumes to many custom scripts related to updating the binary store, number of plugins is growing fast and it is painful to build it every time, this is where
hydra
comes in - gives ability to create a channel which can be latter used by other person - it will save tons of build time.hydra
also allows buildtar
which can be helpful in case ofpackages
as well as be abinary-store
. Brigade is great to response to events with CI flavour, building artifacts is okey, but in case of integration withnix
and heavy load it is not a best fit, also brigade run within cluster,hydra
outside. Another point is related to disk usage - sometimes cache can grow so no point to keep it locally.