bachelor/Chapters/04-Architekturentwurf.tex
2026-06-30 10:11:35 +02:00

\chapter{Architecture Design} %(18-22 pages)
\section{System Context}
- **Actors**: DevOps engineer, security team, Kubernetes cluster (online / air-gapped)
- **External systems**: GitLab (CI/CD), Harbor (registry), Vault (secrets), Prometheus (monitoring)
\section{Components}
\todox{Rename module view?}
**4.2 Building block view - level 1: high-level architecture**
```
GitLab (source of truth)
(GitOps manifests, Helm charts, CI/CD pipelines, infrastructure)
        |                                        |
        v                                        v
Online cluster                          Air-gapped cluster
(cloud / datacenter)                    (on-premise / offline)
  Argo CD                                 Argo CD (local)
  Harbor              -- sync -->         Harbor mirror
  Trivy (scan)                            Trivy (local)
  Cosign (sign)                           Cosign (verify)
```
**4.3 Building block view - level 2: CI/CD pipeline with security gates**
| Stage | Tool | Output | Gate |
|-------|------|--------|------|
| Build | Kaniko/Buildah | container image | — |
| SBOM | Syft | SBOM (SPDX) | SBOM present and non-empty? |
| Sign | Cosign | image + signature | signing successful? |
| Scan | Trivy | vulnerability report | 0 critical CVEs (`trivy image --exit-code 1 --severity CRITICAL`)? |
| Push | Harbor | registry | — |
| Sync | script / Argo CD | air-gapped mirror | sync successful? |
| Deploy | Argo CD | pods running | admission policy satisfied (e.g. only signed images)? |

Note on stage order: Cosign signs the image digest in the registry, so the Sign stage operates on the already pushed image, and the Scan gate should be evaluated before signing so that an image that fails the gate never carries a signature.
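The two gates that the pipeline can evaluate from tool output, "SBOM present?" and "0 critical CVEs?", as an added example; this is not code from the thesis or from Syft or Trivy. It reads the SPDX JSON that Syft emits and the JSON report that Trivy emits (`Results[].Vulnerabilities[]` with `Severity` and `FixedVersion`), and makes the severity threshold and the `--ignore-unfixed` trade-off explicit. The sample documents are constructed and the CVE ids in them are placeholders, not real vulnerabilities.

```python
"""Pipeline security gates: SBOM present and no blocking CVEs (added example)."""
from __future__ import annotations

import json

# Trivy severities from least to most severe; UNKNOWN never blocks on its own.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def _rank(severity: str) -> int:
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def sbom_gate(sbom_json: str, min_packages: int = 1) -> tuple[bool, str]:
    """Gate 'SBOM present?': the document must be SPDX and list at least min_packages packages."""
    sbom = json.loads(sbom_json)
    if not str(sbom.get("spdxVersion", "")).startswith("SPDX-"):
        return False, "not an SPDX document"
    packages = sbom.get("packages", [])
    if len(packages) < min_packages:
        return False, f"SBOM lists {len(packages)} packages, minimum is {min_packages}"
    return True, f"SBOM ok, {len(packages)} packages"


def scan_gate(report_json: str, threshold: str = "CRITICAL",
              ignore_unfixed: bool = False) -> tuple[bool, list[str]]:
    """Gate '0 critical CVEs?': fail on any finding at or above threshold.

    ignore_unfixed mirrors `trivy --ignore-unfixed`: findings without a FixedVersion
    do not block (only acceptable with a documented exception process).
    Returns (passed, list of blocking findings).
    """
    report = json.loads(report_json)
    min_rank = _rank(threshold)
    blocking: list[str] = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for targets without findings.
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            if _rank(severity) < min_rank:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            blocking.append(f"{vuln['VulnerabilityID']} in {vuln['PkgName']}@"
                            f"{vuln['InstalledVersion']} ({severity}, {result.get('Target')})")
    return not blocking, blocking


def run_gates(sbom_json: str, report_json: str, **scan_opts) -> dict[str, bool]:
    """Evaluate the gates in pipeline order; a failed gate stops the pipeline there."""
    sbom_ok, _ = sbom_gate(sbom_json)
    if not sbom_ok:
        return {"sbom": False}
    scan_ok, _ = scan_gate(report_json, **scan_opts)
    return {"sbom": True, "scan": scan_ok}


# Constructed sample inputs (shape follows Syft's SPDX JSON and Trivy's JSON report;
# the CVE ids are placeholders, not real vulnerabilities).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "harbor.example/app/api:1.4.2",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.2"},
        {"name": "libc6", "versionInfo": "2.35"},
    ],
})

SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "harbor.example/app/api:1.4.2 (ubuntu 22.04)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
             "InstalledVersion": "3.0.2", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
             "InstalledVersion": "2.35", "FixedVersion": "2.35-1", "Severity": "HIGH"},
        ]},
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ],
})

if __name__ == "__main__":
    print(sbom_gate(SAMPLE_SBOM))
    print(scan_gate(SAMPLE_REPORT))
    print(scan_gate(SAMPLE_REPORT, ignore_unfixed=True))
    print(run_gates(SAMPLE_SBOM, SAMPLE_REPORT))
```

With the constructed report the default gate fails on the unfixed CRITICAL finding, while `ignore_unfixed=True` lets it through; the second behaviour is exactly the exception an air-gapped base image may need, and it should be a conscious, recorded decision rather than the pipeline default.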
**4.4 Building block view - level 3: air-gapped components**[14][1]
| Component | Responsibility | Tool |
|-----------|----------------|------|
| GitLab (local) | version control, CI/CD | GitLab CE on-premise |
| Harbor mirror | container registry, image verification | Harbor (replication / proxy cache, fed by the sync script) |
| Argo CD (local) | GitOps controller, sync | Argo CD |
| Trivy (local) | vulnerability scanning (with an offline copy of the vulnerability DB) | Trivy server |
| Vault (local) | secrets management | HashiCorp Vault |
| Image sync script | pull from the external registry, export, transfer, push to the local mirror | custom Bash/Python |
\section{Runtime}
\todox{Rename runtime view?}
**4.5 Runtime view - sequence diagrams**
**Online deployment** (5 steps):
```
1. Developer $\rightarrow$ git push $\rightarrow$ GitLab
2. GitLab $\rightarrow$ triggers CI pipeline
3. CI $\rightarrow$ Build $\rightarrow$ SBOM $\rightarrow$ Sign $\rightarrow$ Scan $\rightarrow$ push to Harbor
   (Cosign signs the image digest in the registry, so signing takes place against the pushed image)
4. Argo CD $\rightarrow$ detects the change $\rightarrow$ syncs to the cluster
5. Pods start, health checks
```
**Air-gapped deployment** (7 steps):[14]
```
1-3. As online (on the external side)
4. Sync script $\rightarrow$ pulls images from the external Harbor
5. Bastion host / USB drive $\rightarrow$ transfer into the air-gapped network
6. Harbor mirror $\rightarrow$ imports images, Cosign verify against the offline key material
7. Argo CD (local) $\rightarrow$ syncs to the cluster $\rightarrow$ pods start
```
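The export and verification half of the image sync script (steps 4 and 6 above), as an added example that is not the thesis's own script: the online side writes one tarball per image plus a manifest recording the registry digest and the tarball's SHA-256; the air-gapped side recomputes every hash before anything is imported into the Harbor mirror and only hands verified tarballs on. The file naming, the manifest layout and the sample image references and payloads are constructed for this example. In a real pipeline the tarballs come from `skopeo copy` or `crane pull`, and the manifest itself should be signed with `cosign sign-blob` and verified on the import side, since a bare hash only detects corruption in transit, not a substituted bundle.

```python
"""Transfer manifest for the air-gapped image sync (added example, not the thesis's script)."""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "transfer-manifest.json"


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large image tarballs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tar_name(ref: str) -> str:
    """Map an image reference to a safe file name inside the bundle (constructed scheme)."""
    return ref.replace("/", "_").replace(":", "_") + ".tar"


def write_bundle(bundle_dir: str, images: dict[str, tuple[str, bytes]]) -> dict:
    """Online side: write one tarball per image and a manifest with digest + tarball hash.

    images maps an image reference to (registry digest, tarball bytes).
    """
    entries = []
    for ref, (digest, tar_bytes) in images.items():
        path = os.path.join(bundle_dir, tar_name(ref))
        with open(path, "wb") as fh:
            fh.write(tar_bytes)
        entries.append({"ref": ref, "digest": digest,
                        "file": tar_name(ref), "sha256": sha256_file(path)})
    manifest = {"schema": 1, "images": entries}
    with open(os.path.join(bundle_dir, MANIFEST_NAME), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_bundle(bundle_dir: str) -> dict[str, str]:
    """Air-gapped side: check every tarball against the manifest before importing anything.

    Returns image reference -> "ok" | "missing file" | "sha256 mismatch".
    """
    with open(os.path.join(bundle_dir, MANIFEST_NAME), encoding="utf-8") as fh:
        manifest = json.load(fh)
    status: dict[str, str] = {}
    for entry in manifest["images"]:
        path = os.path.join(bundle_dir, entry["file"])
        if not os.path.isfile(path):
            status[entry["ref"]] = "missing file"
        elif sha256_file(path) != entry["sha256"]:
            status[entry["ref"]] = "sha256 mismatch"
        else:
            status[entry["ref"]] = "ok"
    return status


def importable(status: dict[str, str]) -> list[str]:
    """Only references whose tarball verified may be pushed to the Harbor mirror."""
    return [ref for ref, result in status.items() if result == "ok"]


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Build a constructed bundle, verify it, then corrupt one tarball and verify again."""
    images = {  # constructed references, digests and payloads
        "harbor.example/app/api:1.4.2": (
            "sha256:" + hashlib.sha256(b"constructed api manifest").hexdigest(),
            b"constructed tar payload for api"),
        "harbor.example/app/web:1.4.2": (
            "sha256:" + hashlib.sha256(b"constructed web manifest").hexdigest(),
            b"constructed tar payload for web"),
    }
    bundle_dir = tempfile.mkdtemp(prefix="airgap-bundle-")
    try:
        write_bundle(bundle_dir, images)
        clean = verify_bundle(bundle_dir)
        # Simulate corruption or tampering in transit: append a byte to one tarball.
        with open(os.path.join(bundle_dir, tar_name("harbor.example/app/web:1.4.2")), "ab") as fh:
            fh.write(b"\x00")
        tampered = verify_bundle(bundle_dir)
    finally:
        shutil.rmtree(bundle_dir, ignore_errors=True)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean bundle:", before)
    print("after tampering:", after, "-> import only", importable(after))
```

The `digest` field is what the GitOps manifests in the local GitLab should pin (`image@sha256:...`) so that Argo CD deploys exactly the artefact that was scanned and signed on the online side; the `sha256` of the tarball only protects the transport step.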
\section{Topography} %deployment view
- **On-premise**: bare metal or VMware (3 nodes: 1 control plane + 2 workers)
- **Cloud**: AWS EC2 or Azure VMs (for the online cluster)
- **Network**: air-gapped = physical separation, transfer via USB drive
**4.7 Justification of architecture decisions**
| Decision | Alternative | Justification |
|----------|-------------|---------------|
| **Argo CD** instead of Flux | Flux CD | better UI, active community, multi-cluster [9][10] |
| **Harbor** instead of Docker Registry | Docker Registry | enterprise features, image verification, scanning [1] |
| **Cosign** instead of Notary v1 | Notary v1 | Sigstore ecosystem, keyless signing, more current [1]; for the air-gapped cluster the Sigstore trust root (Fulcio/Rekor) has to be transferred offline as well, or a key pair is used instead of keyless signing |
| **Trivy** instead of Grype | Grype | faster scans, CI integration, more active [1] |
| **kubeadm** instead of managed K8s | EKS/AKS | full control for air-gapped operation [7] |
***