\section{Architecture design} %(18-22 pages)

\subsection{System context}

- **Actors**: DevOps engineer, security team, Kubernetes cluster (online/air-gapped)

- **External systems**: GitLab (CI/CD), Harbor (registry), Vault (secrets), Prometheus (monitoring)

\subsection{Components}

\todox{Rename module view?}

**4.2 Building block view - level 1: coarse architecture**

```
┌──────────────────────────────────────────────────────────────────────┐
│                       GitLab (source of truth)                       │
│   (GitOps manifests, Helm charts, CI/CD pipelines, infrastructure)   │
└───────────────────────────────────┬──────────────────────────────────┘
                                    │
                   ┌────────────────┴────────────────┐
                   │                                 │
                   ▼                                 ▼
┌──────────────────────┐                 ┌──────────────────────────┐
│    Online cluster    │                 │    Air-gapped cluster    │
│  (cloud/datacenter)  │                 │   (on-premise/offline)   │
│  ┌──────────────┐    │                 │   ┌──────────────────┐   │
│  │ Argo CD      │    │                 │   │ Argo CD (local)  │   │
│  │ Harbor       │    │        ⇄        │   │ Harbor mirror    │   │
│  │ Trivy (scan) │    │      sync       │   │ Trivy (local)    │   │
│  │ Cosign       │    │                 │   │ Cosign (verify)  │   │
│  └──────────────┘    │                 │   └──────────────────┘   │
└──────────────────────┘                 └──────────────────────────┘
```

**4.3 Building block view - level 2: CI/CD pipeline with security gates**

| Stage | Tool | Output | Gate |
|-------|------|--------|------|
| Build | Kaniko/Buildah | Container image | — |
| SBOM | Syft | SBOM (SPDX) | SBOM present? |
| Sign | Cosign | Image + signature | Signing successful? |
| Scan | Trivy | Vulnerability report | 0 critical CVEs? |
| Push | Harbor | Registry | — |
| Sync | Script/Argo CD | Air-gapped mirror | Sync successful? |
| Deploy | Argo CD | Pods running | Policy enforcement? |
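As an added example (not code from the thesis or from any of the named projects), the following Python script shows how the "SBOM present?" and "0 critical CVEs?" gates of the table can be decided from the tools' own output files, and how the SBOM, Sign and Scan stages chain in the table's order. The gate functions read the SPDX JSON that Syft writes with `-o spdx-json` and the JSON report that Trivy writes with `--format json`; the sample documents are constructed with placeholder IDs, and `run_pipeline` only wraps the CLI calls, so the image name, key file and working directory are assumed placeholders and the tools must be installed for it to run.

```python
"""Security gates of the section 4.3 pipeline (added example, not thesis or project code).

Gate decisions are taken from the tools' own output files:
  Syft  -o spdx-json   -> SPDX 2.x JSON document
  Trivy --format json  -> report with Results[].Vulnerabilities[].Severity
"""
import json
import subprocess
from pathlib import Path

# Constructed sample documents in the two formats (placeholder IDs, not real findings).
SAMPLE_SBOM = {"spdxVersion": "SPDX-2.3", "name": "app", "packages": [{"name": "openssl"}]}
SAMPLE_REPORT = {
    "Results": [
        {"Target": "app (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH"},
        ]},
        {"Target": "usr/bin/app"},  # Trivy omits the key when a target has no findings
    ]
}


def load_json(path: Path) -> dict:
    """Read a JSON document written by one of the pipeline tools."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def sbom_present(sbom: dict) -> bool:
    """Gate 'SBOM present?': the document must carry an SPDX version and at least one package.

    An empty package list means the SBOM step ran but recorded nothing, which should
    fail the gate just like a missing file.
    """
    return bool(sbom.get("spdxVersion")) and len(sbom.get("packages") or []) > 0


def critical_findings(report: dict, severities=("CRITICAL",)) -> list[str]:
    """Vulnerability IDs in a Trivy JSON report whose severity is in `severities`, deduplicated."""
    found = set()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in severities:
                found.add(vuln.get("VulnerabilityID", "?"))
    return sorted(found)


def scan_passes(report: dict) -> bool:
    """Gate '0 critical CVEs?'."""
    return not critical_findings(report)


def run_pipeline(image: str, key_file: str, workdir: Path) -> None:
    """Run SBOM -> Sign -> Scan in the table's order; raises at the first failing gate.

    Assumes syft, cosign and trivy are installed and that `image` is a registry
    reference (placeholder). A RuntimeError fails the CI job before the Push stage.
    """
    sbom_path, report_path = workdir / "sbom.spdx.json", workdir / "trivy.json"

    # Stage SBOM: Syft writes an SPDX JSON document, the gate reads it back.
    subprocess.run(["syft", image, "-o", f"spdx-json={sbom_path}"], check=True)
    if not sbom_present(load_json(sbom_path)):
        raise RuntimeError("gate failed: SBOM missing or empty")

    # Stage Sign: Cosign signs the image with the pipeline's key pair (assumed key file).
    subprocess.run(["cosign", "sign", "--yes", "--key", key_file, image], check=True)

    # Stage Scan: Trivy writes a JSON report, the gate counts its critical findings.
    subprocess.run(["trivy", "image", "--format", "json", "--output", str(report_path), image],
                   check=True)
    findings = critical_findings(load_json(report_path))
    if findings:
        raise RuntimeError(f"gate failed: critical CVEs {findings}")


if __name__ == "__main__":
    # Evaluate both gates on the constructed samples instead of calling the tools.
    print("SBOM gate:", "pass" if sbom_present(SAMPLE_SBOM) else "FAIL")
    print("Scan gate:", "pass" if scan_passes(SAMPLE_REPORT)
          else f"FAIL {critical_findings(SAMPLE_REPORT)}")
```

Because the table signs before it scans, the Cosign signature only attests that the image came out of this pipeline, not that the scan gate passed; a pipeline that wants the signature to vouch for a clean scan either signs after the Scan stage or attaches the scan result to the image as a Cosign attestation. The severity threshold is a parameter of `critical_findings` so the same gate can be tightened to HIGH without changing the pipeline.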
**4.4 Building block view - level 3: air-gapped components**[14][1]

| Component | Responsibility | Tool |
|-----------|----------------|------|
| GitLab (local) | Version control, CI/CD | GitLab CE on-premise |
| Harbor mirror | Container registry, image verification | Harbor with mirror feature |
| Argo CD (local) | GitOps controller, sync | Argo CD |
| Trivy (local) | Vulnerability scanning | Trivy server |
| Vault (local) | Secrets management | HashiCorp Vault |
| Image sync script | Pull from external registry, push locally | Custom Bash/Python |

\subsection{Runtime}

\todox{Rename runtime view?}

**4.5 Runtime view - sequence diagrams**

**Online deployment** (5 steps):

```
1. Developer → git push → GitLab
2. GitLab → triggers CI pipeline
3. CI → Build → SBOM → Sign → Scan → Push to Harbor
4. Argo CD → detects change → sync to cluster
5. Pods start, health checks
```

**Air-gapped deployment** (7 steps):[14]

```
1-3. As online (external)
4. Sync script → pull images from external Harbor
5. Bastion/USB → transfer to air-gapped network
6. Harbor mirror → import images
7. Argo CD (local) → sync to cluster → pods start
```
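The image sync script of sections 4.4 and 4.5 (steps 4 to 7) is the point where the air gap is crossed by hand, so the offline side has to be able to tell an intact bundle from one that was corrupted or altered in transit. The following Python script is an added example, not the thesis's or any project's code: on the online side it exports each image together with its Cosign signature (`cosign save`) and records a SHA-256 manifest of the bundle; on the air-gapped side it refuses the bundle unless every file matches the manifest and then loads the images into the local mirror (`cosign load`) and verifies their signatures (`cosign verify`). The manifest logic runs offline on a constructed bundle; the export and import functions only wrap the cosign CLI, and the image names, mirror host and public key file are assumed placeholders.

```python
"""Air-gapped image transfer with an integrity manifest (added example, not project code).

Online side:   export_images() -> write_manifest()  -> copy bundle to USB / bastion
Offline side:  verify_manifest() -> import_images()  (cosign load + cosign verify)
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large image tarballs do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def bundle_files(bundle: Path) -> list[Path]:
    """Every regular file below the bundle directory except the manifest itself, sorted."""
    return sorted(p for p in bundle.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)


def write_manifest(bundle: Path) -> Path:
    """Online side: record each file's hash in `sha256sum -c` compatible lines."""
    lines = [f"{sha256_file(p)}  {p.relative_to(bundle).as_posix()}" for p in bundle_files(bundle)]
    manifest = bundle / MANIFEST_NAME
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return manifest


def verify_manifest(bundle: Path) -> list[str]:
    """Air-gapped side: list the problems found; an empty list means the bundle is intact.

    Covers the three ways a USB transfer goes wrong: a listed file is missing, a file's
    content differs from its recorded hash, or a file arrived that was never listed.
    """
    manifest = bundle / MANIFEST_NAME
    if not manifest.is_file():
        return [f"missing {MANIFEST_NAME}"]
    expected = {}
    for line in manifest.read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, _, rel = line.partition("  ")
            expected[rel] = digest
    problems = []
    for rel, digest in expected.items():
        path = bundle / rel
        if not path.is_file():
            problems.append(f"missing {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"mismatch {rel}")
    for p in bundle_files(bundle):
        rel = p.relative_to(bundle).as_posix()
        if rel not in expected:
            problems.append(f"unlisted {rel}")
    return problems


def export_images(images: list[str], bundle: Path) -> None:
    """Step 4: pull each image plus its Cosign signature into the bundle (needs cosign installed)."""
    for i, image in enumerate(images):
        # cosign save keeps the signature tag that a plain image pull would leave behind.
        subprocess.run(["cosign", "save", "--dir", str(bundle / f"image-{i}"), image], check=True)


def import_images(bundle: Path, images: list[str], mirror: str, pubkey: str) -> None:
    """Step 6: reject a damaged bundle, then push each image to the mirror and verify its signature."""
    problems = verify_manifest(bundle)
    if problems:
        raise RuntimeError(f"bundle rejected: {problems}")
    for i, image in enumerate(images):
        target = f"{mirror}/{image.split('/', 1)[-1]}"  # same repo path on the local registry host
        subprocess.run(["cosign", "load", "--dir", str(bundle / f"image-{i}"), target], check=True)
        subprocess.run(["cosign", "verify", "--key", pubkey, target], check=True)


def demo() -> list[str]:
    """Constructed bundle: two fake files stand in for an exported image; one is then altered."""
    bundle = Path(tempfile.mkdtemp())
    (bundle / "image-0").mkdir()
    (bundle / "image-0" / "index.json").write_bytes(b'{"manifests": []}')
    (bundle / "image-0" / "layer.tar").write_bytes(b"constructed layer bytes")
    write_manifest(bundle)
    assert verify_manifest(bundle) == []            # intact bundle passes
    (bundle / "image-0" / "layer.tar").write_bytes(b"altered in transit")
    return verify_manifest(bundle)                  # ['mismatch image-0/layer.tar']


if __name__ == "__main__":
    print("problems after tampering:", demo())
```

The manifest only detects accidental or careless alteration of the bundle; the Cosign verification against the public key already present on the air-gapped side is what ties each image back to the online pipeline, so both checks are needed and the public key itself must never travel on the same USB drive as the images.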
\subsection{Topography} %deployment view

- **On-premise**: Bare metal or VMware (3 nodes: 1 control plane + 2 workers)

- **Cloud**: AWS EC2 or Azure VMs (for the online cluster)

- **Network**: Air-gapped = physical separation, transfer via USB drive

**4.7 Justification of architecture decisions**

| Decision | Alternative | Rationale |
|----------|-------------|-----------|
| **Argo CD** instead of Flux | Flux CD | Better UI, active community, multi-cluster [9][10] |
| **Harbor** instead of Docker Registry | Docker Registry | Enterprise features, image verification, scanning [1] |
| **Cosign** instead of Notary v1 | Notary v1 | Sigstore ecosystem, keyless signing, more current [1] |
| **Trivy** instead of Grype | Grype | Faster scans, CI integration, more active [1] |
| **kubeadm** instead of managed K8s | EKS/AKS | Full control for air-gapped [7] |

***