Jay Keshur edited this page Jul 4, 2017 · 2 revisions

This page outlines the design and decisions made for the new London based Application Container Platform.

We will have 4 clusters - NotProd, Prod, CI and Ops (details below).

Clusters will be built with Keto; the decision was based on the factors discussed in #357, although this may change once kops supports etcdv3.

We will use Kubernetes 1.7.

Clusters will have Calico installed as the CNI plugin. Its network policy support currently covers ingress only, not egress, and it cannot be used to provide node segregation.

The notes below have been taken from #345.

NotProd:

  • Masters
  • External ELB for ingress
  • Ingress-external NP, tainted so that it only runs workloads from the ingress-external namespace (class separation)
  • Liberal NP for services that don't require auth (generally public-facing forms, etc.)
  • Strict NP for services that probably have auth in front of them: small user base, high security requirements
  • Backend NP which will host:
    • Vault?
  • Peered with CI, Ops

Prod:

  • Masters
  • External ELB for ingress
  • Ingress-external NP, tainted so that it only runs workloads from the ingress-external namespace (class separation)
  • Liberal NP for services that don't require auth (generally public-facing forms, etc.)
  • Strict NP for services that probably have auth in front of them: small user base, high security requirements
  • Backend NP which will host:
    • Vault?
  • Peered with CI, Ops (UK)

CI:

  • Masters
  • Drone-Agent NP
  • Internal ELB for ingress
  • Ingress-internal NP, tainted so that it only runs workloads from the ingress-internal namespace (class separation)
  • Liberal NP for services that don't require auth (generally public-facing forms, etc.)
  • Strict NP for services that probably have auth in front of them: small user base, high security requirements
  • Backend NP which will host:
    • Vault?
  • Peered with everything (UK)

Ops:

  • Masters
  • Internal ELB for ingress
  • External ELB for ingress
  • Ingress-external NP, tainted so that it only runs workloads from the ingress-external namespace (class separation)
  • Ingress-internal NP, tainted so that it only runs workloads from the ingress-internal namespace (class separation)
  • Strict NP which will host the following:
    • Artifactory
      • As this is available on the internet, it can be migrated from Ireland -> London (with downtime), keeping the current domain name
      • If it's made internal before we have UK up and running, we should set up a new deployment with a new domain name
    • Sysdig API
      • Do we need historical data?
    • Sysdig collectors
    • Kibana
      • Do we need historical data?
    • Gitlab
      • As this is available on the internet, it can be migrated from Ireland -> London (with downtime), keeping the current domain name
      • If it's made internal before we have UK up and running, we should set up a new deployment with a new domain name
    • Drone Gitlab
    • Drone Github
    • Sonarqube
      • Do we need historical data?
    • Keycloak
      • As this is available on the internet, it can be migrated from Ireland -> London (with downtime), keeping the current domain name
    • Platform Hub
  • Backend NP which will host the following:
    • Elasticsearch
    • Sysdig workers
    • Sysdig elasticsearch
    • Sysdig cassandra
    • Sysdig redis
    • Vault?
  • Peered with everything (UK)

VPN:

  • Masters
  • Strict NP which will host:
    • AuthD/VPN
  • Peered with everything (UK)
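The tainted ingress node pools and the "strict" pools above, expressed as Kubernetes 1.7 manifests. This is an added illustration, not configuration from the platform repo: the taint key `acp.example/pool`, the node label `pool`, the namespace names `ingress-external` / `strict-app` and the image placeholder are all assumptions, and the `namespaceSelector` relies on the ingress-external namespace carrying a `name=ingress-external` label.

```yaml
# Added example, not from the design notes; taint key, labels and names are assumed.
# 1) Tainted ingress-external pool. Taint applied to the nodes out of band, e.g.:
#    kubectl taint nodes -l pool=ingress-external acp.example/pool=ingress-external:NoSchedule
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: ingress-controller
  namespace: ingress-external
spec:
  template:
    metadata:
      labels:
        app: ingress-controller
    spec:
      # Toleration admits these pods to the tainted pool; nodeSelector pins them there.
      tolerations:
      - key: acp.example/pool
        operator: Equal
        value: ingress-external
        effect: NoSchedule
      nodeSelector:
        pool: ingress-external
      containers:
      - name: controller
        image: PLACEHOLDER_INGRESS_CONTROLLER_IMAGE
---
# 2) Strict NP namespace: a policy that selects every pod but lists no ingress
#    rules denies all ingress (Calico enforced ingress only at the time, so no egress).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: strict-app
spec:
  podSelector: {}
---
# 3) Then allow only traffic arriving via the ingress-external namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-external
  namespace: strict-app
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-external
```

Pods in the ingress-external namespace that lack the toleration stay off the tainted pool, and pods elsewhere that carry it but not the nodeSelector can still land on other pools, so a check on both fields is worth adding to any admission or CI policy.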
