# DevOps Overview
The Vecton platform runs on a self-managed bare-metal Kubernetes cluster with a fully automated GitOps deployment pipeline. This section covers the infrastructure, deployment workflows, and operational tooling.
## Infrastructure

### Cluster Topology

```text
┌─────────────────────────────────────────────────────────────────────────┐
│                  Kubernetes Cluster (kubeadm, 4 nodes)                  │
│                                                                         │
│  ┌──────────────┐  ┌────────────┐  ┌────────────┐  ┌────────────┐       │
│  │ Master Node  │  │ Worker 1   │  │ Worker 2   │  │ Worker 3   │       │
│  │ API Server   │  │ Workloads  │  │ Workloads  │  │ Workloads  │       │
│  │ etcd         │  │ Ceph OSD   │  │ Ceph OSD   │  │ Ceph OSD   │       │
│  │ Scheduler    │  │            │  │            │  │            │       │
│  └──────────────┘  └────────────┘  └────────────┘  └────────────┘       │
│                                                                         │
│  ┌───────────────────────────────────────────────────────────────────┐  │
│  │ Platform Services                                                 │  │
│  │ ArgoCD │ Traefik │ MetalLB │ cert-manager │ Harbor                │  │
│  │ CNPG   │ RabbitMQ│ KEDA    │ Rook-Ceph    │ SOPS                  │  │
│  └───────────────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────────┘
```
### Platform Components
| Component | Version | Purpose |
|---|---|---|
| Kubernetes | 1.29+ | Container orchestration (kubeadm) |
| CloudNativePG | Latest | PostgreSQL 16, 3-node HA cluster |
| RabbitMQ Operator | Latest | 3-node RabbitMQ cluster |
| Rook-Ceph | Latest | Distributed storage (S3 + block) |
| Traefik | v3 | Ingress controller with Let's Encrypt |
| MetalLB | Latest | L2 load balancer for bare-metal |
| cert-manager | Latest | TLS certificates (Cloudflare DNS-01) |
| ArgoCD | Latest | GitOps continuous delivery |
| KEDA | Latest | Event-driven autoscaling (scale-to-zero) |
| Harbor | Latest | Container registry (harbor.mng.vecton.hu) |
| SOPS + age | Latest | Secret encryption in git |
## GitOps Workflow

```text
Developer ──push──▶ GitHub ──webhook──▶ GitHub Actions
                                              │
                                    ┌─────────▼─────────┐
                                    │ Build & Push to   │
                                    │ Harbor Registry   │
                                    └─────────┬─────────┘
                                              │
                                    ┌─────────▼─────────┐
                                    │ DevOps API:       │
                                    │ Create GitOps PR  │
                                    └─────────┬─────────┘
                                              │
                                    ┌─────────▼─────────┐
                                    │ Auto-merge PR     │
                                    │ (devops repo)     │
                                    └─────────┬─────────┘
                                              │
                                    ┌─────────▼─────────┐
                                    │ ArgoCD detects    │
                                    │ change and syncs  │
                                    └───────────────────┘
```
### Repositories

| Repository | Purpose |
|---|---|
| devops | Kubernetes manifests, Kustomize overlays, GitOps config |
| devops-api | REST API for automated deployments and tenant management |
| init | Developer environment setup scripts |
| documentations | This documentation site (Docusaurus) |
## Namespace Organization

| Namespace | Contents |
|---|---|
| argocd | ArgoCD server and application controller |
| postgresql | CloudNativePG cluster (shared across all apps) |
| rabbitmq-system | RabbitMQ cluster operator and instances |
| rook-ceph | Ceph storage cluster |
| traefik | Ingress controller |
| metallb-system | Load balancer |
| cert-manager | TLS certificate management |
| keda | Autoscaler |
| vecton-admin | Admin service |
| vecton-identity | Identity service |
| {tenant-name} | Per-tenant namespace (e.g., mugli, demo) |
## ArgoCD App-of-Apps

ArgoCD uses the App-of-Apps pattern:

```text
Root Application
├── Platform Apps
│   ├── postgresql
│   ├── rabbitmq
│   ├── rook-ceph
│   ├── traefik
│   ├── metallb
│   ├── cert-manager
│   ├── keda
│   └── harbor
├── Vecton Apps
│   ├── vecton-admin
│   └── vecton-identity
└── Tenant Apps
    ├── mugli
    ├── demo
    └── ...
```
Each application has sync waves to ensure correct deployment order. See the Sync Waves documentation for details.
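As an added example (not code from the Vecton devops repository), the script below shows what a child Application in the tree above looks like with its sync-wave annotation, and audits a checkout so that no tenant Application sits in the same or an earlier wave than a platform Application such as postgresql or rabbitmq. The directory layout, wave numbers and repoURL are assumptions for illustration; the default of wave 0 for an Application without the annotation is ArgoCD's documented behaviour, which is exactly why an unannotated tenant app is the failure mode worth catching.

```shell
#!/bin/sh
# Added example, not code from the Vecton devops repo. Shows the sync-wave
# annotation on a child Application of the App-of-Apps tree and audits a
# checkout so that no tenant Application can sync before the platform layer.
# Directory names, wave numbers and the repoURL are illustrative assumptions.

# write_app FILE NAME NAMESPACE WAVE -> write a minimal ArgoCD Application manifest
write_app() {
    cat >"$1" <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: $2
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "$4"
spec:
  project: default
  source:
    repoURL: https://github.com/EXAMPLE-ORG/devops.git   # placeholder URL
    targetRevision: main
    path: apps/$2
  destination:
    server: https://kubernetes.default.svc
    namespace: $3
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
EOF
}

# sync_wave FILE -> the Application's sync wave. ArgoCD treats a missing
# annotation as wave 0, so an unannotated app silently lands in the first wave.
sync_wave() {
    w=$(sed -n 's/^ *argocd\.argoproj\.io\/sync-wave: *"\{0,1\}\(-\{0,1\}[0-9]\{1,\}\)"\{0,1\}.*/\1/p' "$1" | head -n 1)
    echo "${w:-0}"
}

# max_wave DIR / min_wave DIR -> highest / lowest wave among *.yaml in DIR
max_wave() {
    m=""
    for f in "$1"/*.yaml; do
        w=$(sync_wave "$f")
        if [ -z "$m" ] || [ "$w" -gt "$m" ]; then m=$w; fi
    done
    echo "${m:-0}"
}
min_wave() {
    m=""
    for f in "$1"/*.yaml; do
        w=$(sync_wave "$f")
        if [ -z "$m" ] || [ "$w" -lt "$m" ]; then m=$w; fi
    done
    echo "${m:-0}"
}

# check_wave_order PLATFORM_DIR TENANT_DIR -> 0 if every tenant app is in a
# strictly later wave than every platform app, 1 otherwise
check_wave_order() {
    p=$(max_wave "$1")
    t=$(min_wave "$2")
    if [ "$t" -gt "$p" ]; then
        echo "OK: platform waves <= $p, tenant waves >= $t"
    else
        echo "FAIL: a tenant app in wave $t would sync before or alongside platform wave $p"
        return 1
    fi
}

# Constructed sample checkout: platform apps in waves 0-1, tenants in wave 10
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/platform" "$d/tenants"
    write_app "$d/platform/postgresql.yaml" postgresql postgresql      0
    write_app "$d/platform/rabbitmq.yaml"   rabbitmq   rabbitmq-system 1
    write_app "$d/tenants/mugli.yaml"       mugli      mugli           10
    write_app "$d/tenants/demo.yaml"        demo       demo            10
    echo "$d"
}

# Stand-alone run over the constructed checkout
samples=$(make_samples)
check_wave_order "$samples/platform" "$samples/tenants"
```

Run it against a real checkout by pointing `check_wave_order` at the directories holding the platform and tenant Application manifests; a negative wave is accepted by the parser because ArgoCD allows negative waves for resources that must exist before everything else.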
## Secret Management

Secrets are encrypted with SOPS using age keys:

```bash
# Encrypt a secret manifest with the cluster's age public key
# (only the public key is needed to encrypt, so it can be shared with developers)
sops --encrypt --age <public-key> secret.yaml > secret.enc.yaml
# ArgoCD holds the age private key and decrypts at sync time,
# configured via KSOPS (Kustomize Secret Generator)
```
Secrets are never stored in plaintext in git. The age private key is stored only in the ArgoCD namespace.
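Encryption happens on the developer's machine, so the "never plaintext in git" property holds only if something checks it before a commit lands. The script below is an added example, not part of the devops repository or of SOPS itself: it verifies that every `*.enc.yaml` in a directory carries a `sops:` metadata block with an age recipient and that no value under `data:` or `stringData:` is still plaintext. The partial-encryption case, where `encrypted_regex` covers `data` but not `stringData`, is the one most easily missed by eye, so it is included as a sample. The file naming convention, recipient string, ciphertext and secret values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the Vecton devops repo: a guard for a pre-commit
# hook or CI job that verifies every *.enc.yaml under a directory is really
# SOPS-encrypted for an age recipient before it is committed.
# The recipient, ciphertext and secret values below are constructed placeholders.

# check_sops_secret FILE -> 0 if FILE has a sops metadata block with an age
# recipient and every data/stringData value is an ENC[...] blob, else 1.
check_sops_secret() {
    f="$1"
    grep -q '^sops:' "$f" || { echo "FAIL $f: no sops metadata block"; return 1; }
    grep -q '^ *- recipient: age1' "$f" || { echo "FAIL $f: no age recipient"; return 1; }
    # Keys under data:/stringData: whose value is not ENC[...] ciphertext. This
    # catches partial encryption, e.g. encrypted_regex covering data but not
    # stringData. Only the key name is reported, never the value, so a leaked
    # secret is not copied into CI logs as well.
    plain=$(awk '
        /^(data|stringData):/ { in_data = 1; next }
        /^[^ ]/               { in_data = 0 }
        in_data && /^ +[^ ]+: / {
            key = $0; sub(/^ +/, "", key); sub(/:.*/, "", key)
            val = $0; sub(/^ +[^ ]+: */, "", val)
            if (val !~ /^ENC\[AES256_GCM,data:/) print key
        }' "$f")
    [ -z "$plain" ] || { echo "FAIL $f: plaintext value(s) for: $plain"; return 1; }
    echo "OK   $f"
}

# scan_secrets DIR -> 0 only if every *.enc.yaml in DIR passes
scan_secrets() {
    rc=0
    for f in "$1"/*.enc.yaml; do
        check_sops_secret "$f" || rc=1
    done
    return $rc
}

# Constructed samples: one fully encrypted secret, one partially encrypted
# (encrypted_regex missed stringData), one committed in plaintext by mistake.
make_samples() {
    d=$(mktemp -d)
    cat >"$d/db-credentials.enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: db-credentials
    namespace: mugli
type: Opaque
data:
    POSTGRES_PASSWORD: ENC[AES256_GCM,data:EXAMPLEciphertext==,iv:EXAMPLEiv=,tag:EXAMPLEtag=,type:str]
sops:
    age:
        - recipient: age1EXAMPLEpublickeyEXAMPLEpublickey
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            EXAMPLEwrappedfilekey
            -----END AGE ENCRYPTED FILE-----
    encrypted_regex: ^(data|stringData)$
EOF
    cat >"$d/api-keys.enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: api-keys
    namespace: demo
type: Opaque
data:
    TOKEN: ENC[AES256_GCM,data:EXAMPLEciphertext==,iv:EXAMPLEiv=,tag:EXAMPLEtag=,type:str]
stringData:
    API_KEY: sk-EXAMPLE-plaintext-value
sops:
    age:
        - recipient: age1EXAMPLEpublickeyEXAMPLEpublickey
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            EXAMPLEwrappedfilekey
            -----END AGE ENCRYPTED FILE-----
    encrypted_regex: ^data$
EOF
    cat >"$d/smtp.enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: smtp
    namespace: mugli
type: Opaque
stringData:
    SMTP_PASSWORD: EXAMPLE-not-encrypted
EOF
    echo "$d"
}

# Stand-alone run: two of the three constructed files must be rejected
samples=$(make_samples)
scan_secrets "$samples" || echo "refusing to commit: unencrypted secret(s) found"
```

Wired into a pre-commit hook, `scan_secrets` on the secrets directory blocks the commit with a non-zero exit; the same call in the GitHub Actions job gives a second line of defence for secrets added outside the hook.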