micro-infra is a lightweight, cloud-native infrastructure designed to manage and deploy microservices.
```text
micro-infra/
├── docs/          # Documentation files
├── gitops/        # GitOps resources for ArgoCD
├── iac/           # Infrastructure-as-Code with Terragrunt
├── meta-charts/   # Meta Helm charts for GitOps
├── repo-operator/ # Submode repository operator for managing and automating workflows
├── runbooks/      # Runbooks for operations and alerts
└── scripts/       # Automation scripts for repo scope
```
The infrastructure is organized into distinct namespaces, each serving a specific purpose. Below is the architecture diagram illustrating the components and their interactions:
Terragrunt Operated:
- Remote state management in a remote bucket.
- DRY state and provider management across the different assets.
- Automated security scanning with Trivy, run from Terragrunt hooks.
- Centralized variable management with project- and location-specific configuration files in /iac.
- Managing ArgoCD.
GitOps Managed:
- ArgoCD Apps linked to HEAD, defined in /gitops, using /meta-charts.
- `pullRequest` generators for product CI/CD, triggered on PRs carrying the GitHub label "preview".
- Prometheus ServiceMonitors.
- OpenTelemetry to Prometheus and Tempo.
- Grafana, with datasources from the telemetry backends:
  - Tempo
  - Prometheus
  - AlertManager
- Pyroscope: TBD.
- sloth or OpenSLO: TBD.
- OpenCost.
Core components that support the cluster's operations.
- Cert-Manager: Automates the management and issuance of TLS certificates with Let's Encrypt.
- Cluster Autoscaler: Automatically adjusts the number of nodes in the cluster based on resource utilization.
- Ingress NGINX: Manages external HTTP/S traffic and load balancing within the cluster.
This namespace is reserved for deploying user-defined microservices and applications.
- Trivy Terraform scanning with a Terragrunt after hook.
- Falco: TBD.
- ModSecurity on the ingress (ModSecurity-nginx connector with OWASP CRS 4.4.0). Sample audit-log entry, here a match on CRS rule 920350 ("Host header is a numeric IP address"), client and host addresses masked:

```json
{"transaction":{"client_ip":"X.X.X.X","time_stamp":"Tue Nov 26 14:42:00 2024","server_id":"XXXX","client_port":34769,"host_ip":"X.X.X.X","host_port":80,"unique_id":"XXX.XXX","request":{"method":"GET","http_version":1.1,"uri":"/geoserver/web/","headers":{"Host":"X.X.X.X","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36","Accept":"*/*","Accept-Encoding":"gzip"}},"response":{"body":"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n","http_code":404,"headers":{"Server":"","Server":"","Date":"Tue, 26 Nov 2024 14:42:00 GMT","Content-Length":"548","Content-Type":"text/html","Connection":"keep-alive"}},"producer":{"modsecurity":"ModSecurity v3.0.12 (Linux)","connector":"ModSecurity-nginx v1.0.3","secrules_engine":"Enabled","components":["OWASP_CRS/4.4.0\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `(?:^([\\d.]+|\\[[\\da-f:]+\\]|[\\da-f:]+)(:[\\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `X.X.X.X' )","reference":"o0,13o0,13v35,13","ruleId":"920350","file":"/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"772","data":"X.X.X.X","severity":"4","ver":"OWASP_CRS/4.4.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-protocol","paranoia-level/1","OWASP_CRS","capec/1000/210/272","PCI/6.5.10"],"maturity":"0","accuracy":"0"}}]}}
```
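As an added example that is not part of this repository, the following Python reads ModSecurity v3 JSON audit-log lines shaped like the entry above and scores each request with the CRS anomaly weights, so the WAF output can be turned into per-client detection counts. The log lines, the client address and the second rule match are constructed; the blocking threshold of 5 is the CRS default.

```python
"""Parse ModSecurity v3 JSON audit-log records and score them with CRS anomaly weights."""
import json
from collections import defaultdict

# CRS anomaly points per ModSecurity severity level (2=CRITICAL, 3=ERROR, 4=WARNING, 5=NOTICE)
CRS_WEIGHTS = {"2": 5, "3": 4, "4": 3, "5": 2}

# Constructed sample records, reduced to the fields used here (not real traffic).
SAMPLE_LOG = [
    json.dumps({"transaction": {"client_ip": "203.0.113.10", "request": {"method": "GET", "uri": "/geoserver/web/"},
                "response": {"http_code": 404},
                "messages": [{"message": "Host header is a numeric IP address",
                              "details": {"ruleId": "920350", "severity": "4", "tags": ["attack-protocol"]}}]}}),
    json.dumps({"transaction": {"client_ip": "203.0.113.10", "request": {"method": "GET", "uri": "/login"},
                "response": {"http_code": 403},
                "messages": [{"message": "SQL Injection Attack Detected via libinjection",
                              "details": {"ruleId": "942100", "severity": "2", "tags": ["attack-sqli"]}},
                             {"message": "Host header is a numeric IP address",
                              "details": {"ruleId": "920350", "severity": "4", "tags": ["attack-protocol"]}}]}}),
    "not json at all",  # malformed line: must be skipped, not crash the parser
]

def parse_record(line):
    """Return a flat summary of one audit-log line, or None if it is not a valid record."""
    try:
        tx = json.loads(line)["transaction"]
        rules = [(m["details"]["ruleId"], m["details"]["severity"], m["details"].get("tags", []))
                 for m in tx.get("messages", []) if "details" in m]
        return {"client_ip": tx.get("client_ip"), "uri": tx["request"].get("uri"),
                "http_code": tx["response"].get("http_code"), "rules": rules}
    except (ValueError, KeyError, TypeError):
        return None

def anomaly_score(record):
    """Sum CRS anomaly points over the rules matched in one record."""
    return sum(CRS_WEIGHTS.get(sev, 0) for _, sev, _ in record["rules"])

def summarize(lines, threshold=5):
    """Per-client totals: requests seen, requests at or over the threshold, and matched rule ids."""
    out = defaultdict(lambda: {"requests": 0, "over_threshold": 0, "rule_ids": set()})
    for rec in filter(None, map(parse_record, lines)):
        client = out[rec["client_ip"]]
        client["requests"] += 1
        if anomaly_score(rec) >= threshold:
            client["over_threshold"] += 1
        client["rule_ids"].update(rule_id for rule_id, _, _ in rec["rules"])
    return dict(out)
```

A single WARNING-level protocol match such as 920350 scores 3 and stays under the default threshold, which is why the sample 404 response was not blocked while the constructed second request would be.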
Hardening the Ingress Controller following the official NGINX Hardening Guide:
- Rate-limiting annotations for publicly exposed Ingresses.
- mTLS support for private access, such as the Grafana ingress.
TBD; see the /runbooks directory.