
multiple environments + droneci

Open lrvick opened this issue 8 years ago • 6 comments

Initial stab at droneci deployment for #! in a dedicated VPC.

Most apps should probably end up in a production k8s cluster or similar, but CI is a bit special in that it will have god rights to manage other environments and peer to all environments/regions.

One of the features of DroneCI is the ability to manage terraform changes so long as droneCI itself is not managed by terraform because... yeah.

Ideally in the end the CI environment should end up the only one we have to maintain by hand, and very seldom so.

In the meantime, however, I am not really clear how to make the Makefile make sense with multiple environments.

None of this is deployed yet, and we also will need to rename terraform buckets/topics by hand to make this work.

Mostly looking for feedback atm. I did deploy a very similar setup on my personal AWS account and all seems to work as expected.

lrvick avatar May 20 '17 21:05 lrvick

@KellerFuchs I think you may have misunderstood the scope of this.

This is meant to be the single server CI environment and all attempts have been made to keep it as lean as possible.

I could use Vault but then we need to maintain a vault cluster for 2 secrets.

I could use pass but terraform preserves rendered configs in plaintext. KMS is the easiest/cheapest way to bootstrap secrets out-of-band to be made available only to a given AWS instance role JIT.

Once k8s is actually deployed in the production environment/vpc the built in etcd based secret store is probably good enough for all of our services with the exception of this one.

CI is the only machine with god rights so I wanted it to be very much isolated and self-contained away from the production environment.

lrvick avatar May 23 '17 04:05 lrvick
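The arrangement described in the comment above (secrets encrypted out-of-band with KMS, only ciphertext in rendered config, decryptable only by the CI instance role) boils down to a KMS key policy. The following is an added example, not code from this PR or from the hashbang repositories: the account ID 111122223333, the role names kms-admin and drone-ci-instance, and the encryption context values app=drone / env=ci are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "drone-ci-bootstrap-key",
  "Statement": [
    {
      "Sid": "Placeholder admin role manages the key; the CI host never can",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/kms-admin" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Operators encrypt secrets out-of-band before they go into cloud-init or terraform",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/kms-admin" },
      "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
      "Resource": "*"
    },
    {
      "Sid": "Only the CI instance role may decrypt, and only ciphertext tagged for CI",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/drone-ci-instance" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:app": "drone",
          "kms:EncryptionContext:env": "ci"
        }
      }
    }
  ]
}
```

With this policy an operator encrypts a secret once, from a workstation holding the admin role, with `aws kms encrypt --key-id <key-id> --plaintext fileb://secret.txt --encryption-context app=drone,env=ci --query CiphertextBlob --output text`, and pastes only the base64 ciphertext into the cloud-init user-data. On the instance, `aws kms decrypt --encryption-context app=drone,env=ci --ciphertext-blob fileb://<(base64 -d ciphertext.b64)` runs under the instance-profile credentials, so no static AWS keys and no plaintext ever land in terraform state; a ciphertext encrypted under a different context, or presented by any other role, is refused. Two caveats: the policy deliberately omits the usual account-root statement, which means IAM policies elsewhere in the account cannot grant access to this key, so the grant must live here; and for the same reason the admin role must not be deleted, or the key becomes unmanageable. Since JSON has no comments, the Sid fields carry the explanation.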

Re vendor lock-in: this is taking advantage of AWS built-ins in order to minimize cost since this is standalone. We could develop alternate more expensive secret handling such as vault and deploy this same cloud-init to most any other provider though. But then vault itself needs to be bootstrapped. The very top of the chain can't avoid having some lock-in, but we can make sure everything down-stream in this case does not know about anything but drone, which is portable.

The production cluster will be k8s and the apps in that environment won't know anything about AWS.

lrvick avatar May 23 '17 04:05 lrvick

I think you may have misunderstood the scope of this.

I indeed did!

KellerFuchs avatar May 23 '17 05:05 KellerFuchs

I'm afraid it's been... nine years. Is this going anywhere?

singlerider avatar Apr 04 '18 21:04 singlerider

nope

mayli avatar Apr 04 '18 22:04 mayli

I don't think anyone but me can test or review this, so it will be blocked for the foreseeable future.

I am focused on K8S deployment now and Ansible conversion which will solve a lot of our current blockers and allow things like nginx to ship finally.

Once those are done, I'll follow up with a new version of this which will be much smaller in scope. In particular DroneCI will be handled as a separate scope of work. We will deploy k8s with terraform in the short term.

lrvick avatar Apr 04 '18 23:04 lrvick