CI/CD Pipeline
Every service in the Vecton platform follows the same CI/CD workflow: build, push, and deploy via GitOps.
Pipeline Flow
┌──────────┐     ┌──────────┐     ┌──────────┐     ┌──────────┐     ┌──────────┐
│ git push │────▶│  GitHub  │────▶│  Docker  │────▶│  DevOps  │────▶│  ArgoCD  │
│ to main  │     │ Actions  │     │  Build   │     │   API    │     │   Sync   │
└──────────┘     └──────────┘     └──────────┘     └──────────┘     └──────────┘
Step 1: GitHub Actions Trigger
On a push to the main branch, the workflow triggers:
on:
  push:
    branches: [ "main" ]
Step 2: Docker Build & Push
The image is built and pushed to Harbor with two tags:
- latest: Rolling tag for convenience
- sha-<short-hash>: Immutable tag for GitOps tracking
tags: |
  type=raw,value=latest
  type=sha,format=short
Registry: harbor.mng.vecton.hu
Step 3: GitOps PR via DevOps API
The CI/CD workflow calls the DevOps API to create a pull request that updates the image tag:
curl -X POST "$DEVOPS_API_URL/deployments/image-versions" \
  -H "Authorization: Bearer $DEVOPS_API_TOKEN" \
  -d '{
    "updates": [{
      "projectType": "vecton-app",
      "identifier": "vecton-admin",
      "component": "backend",
      "tag": "sha-abc1234"
    }],
    "prTitle": "Deploy vecton-admin backend (sha-abc1234)"
  }'
The API updates two files in the devops repo:
- image-versions.yaml: ConfigMap with all image tags
- kustomization.yaml: Kustomize image override
Step 4: Auto-Merge
The CI/CD workflow then immediately merges the PR with a squash merge:
curl -X POST "$DEVOPS_API_URL/deployments/pull-requests/$PR_NUMBER/merge" \
  -H "Authorization: Bearer $DEVOPS_API_TOKEN" \
  -d '{"mergeMethod": "squash"}'
Step 5: ArgoCD Sync
ArgoCD polls the devops repo (or receives a webhook) and detects the image tag change. It then syncs the application, rolling out the new image.
DevOps API
The DevOps API (devops-api) is a Node.js/TypeScript service that automates GitOps operations.
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /deployments/image-versions | Create PR to update image tags |
| POST | /deployments/pull-requests/{id}/merge | Merge a GitOps PR |
| GET | /health | Health check |
| POST | /tenants | Create new tenant (generates K8s manifests) |
| DELETE | /tenants/{name} | Delete tenant |
| GET | /s3/buckets | List S3 buckets |
| POST | /s3/buckets | Create S3 bucket for tenant |
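Because Step 4 merges the pull request immediately, the request to /deployments/image-versions is the last point where tag values can be checked before they land in the devops repo. The following is an added example, not the devops-api source: a TypeScript validator for that request body that accepts only immutable sha- tags and rejects latest. The function name, patterns and limit are assumptions; the field names come from the curl payload in Step 3.

```typescript
// Added example. Field names follow the curl payload on this page;
// the patterns, the limit and the function name are assumptions.
interface ImageUpdate { projectType: string; identifier: string; component: string; tag: string; }
interface ImageVersionsValidation { ok: boolean; errors: string[]; updates: ImageUpdate[]; }

// Immutable tag shape from `type=sha,format=short` (assumed 7 to 40 lowercase hex digits).
const SHA_TAG = /^sha-[0-9a-f]{7,40}$/;
// Conservative charset for values that get written into YAML files (assumption).
const SAFE_NAME = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;
const NAME_FIELDS = ["projectType", "identifier", "component"];
const MAX_UPDATES = 10; // assumed upper bound per pull request

function validateImageVersionsRequest(body: unknown): ImageVersionsValidation {
  const errors: string[] = [];
  const updates: ImageUpdate[] = [];
  const raw: unknown = body !== null && typeof body === "object"
    ? (body as Record<string, unknown>)["updates"]
    : undefined;
  if (!Array.isArray(raw) || raw.length < 1 || raw.length > MAX_UPDATES) {
    errors.push("updates must be an array of 1 to " + MAX_UPDATES + " entries");
    return { ok: false, errors: errors, updates: updates };
  }
  raw.forEach(function (item: unknown, i: number) {
    const u = (item !== null && typeof item === "object" ? item : {}) as Record<string, unknown>;
    const before = errors.length;
    NAME_FIELDS.forEach(function (field) {
      const v = u[field];
      if (typeof v !== "string" || !SAFE_NAME.test(v)) {
        errors.push("updates[" + i + "]." + field + ": not a safe name");
      }
    });
    const tag = u["tag"];
    if (typeof tag !== "string" || !SHA_TAG.test(tag)) {
      // Rejects `latest` and any other mutable or malformed tag.
      errors.push("updates[" + i + "].tag: must be an immutable sha-<hash> tag");
    }
    if (errors.length === before) {
      // Copy only known fields so extra keys never reach the YAML writer.
      updates.push({
        projectType: u["projectType"] as string, identifier: u["identifier"] as string,
        component: u["component"] as string, tag: tag as string,
      });
    }
  });
  // All-or-nothing: a single bad entry blocks the whole pull request.
  return { ok: errors.length === 0, errors: errors, updates: errors.length === 0 ? updates : [] };
}
```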
Authentication
All API calls require a Bearer token:
Authorization: Bearer <DEVOPS_API_TOKEN>
The token is stored as a GitHub Actions secret in each repository.
GitHub Actions Secrets
Each repository needs these secrets configured:
| Secret | Description |
|---|---|
| HARBOR_USERNAME | Harbor registry username |
| HARBOR_PASSWORD | Harbor registry password |
| DEVOPS_API_TOKEN | Authentication token for DevOps API |
Image Naming Convention
| Project | Harbor Path |
|---|---|
| Admin Backend | harbor.mng.vecton.hu/vecton-main/main-backend |
| Admin Frontend | harbor.mng.vecton.hu/vecton-main/main-frontend |
| Identity Backend | harbor.mng.vecton.hu/vecton-main/main-identity-backend |
| Identity Frontend | harbor.mng.vecton.hu/vecton-main/main-identity-frontend |
| Tenant services | harbor.mng.vecton.hu/tenants/{service-name} |
| DevOps API | harbor.mng.vecton.hu/vecton-devops/devops-api |
| Documentations | harbor.mng.vecton.hu/vecton-website/documentations |