Add an app

Step-by-step guide to adding a new app on Janus.

graph TB
    subgraph GitLab ["GitLab"]
        direction LR
        Code["1. Source code"]
        CI["2. CI/CD<br/>Image build"]
        Registry["3. Container Registry"]
    end

    subgraph Flux ["Flux configuration"]
        Manifest["4. K8s manifests<br/>(flux repo)"]
        Sync["5. Flux sync"]
    end

    subgraph K8s ["K3s Cluster"]
        NS["6. Namespace"]
        Deploy["7. Deployment"]
        Svc["8. Service"]
        Ingress["9. Ingress + TLS"]
    end

    Code --> CI --> Registry
    Manifest --> Sync
    Registry -->|"pulls"| Deploy
    Sync --> NS
    NS --> Deploy --> Svc --> Ingress

New repository at gitlab.ciss.de/ciss/janus/<app-name>.

.gitlab-ci.yml for the container build:

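build:
  image: docker:24
  services:
    - docker:24-dind
  script:
    # Authenticate to the project registry; without this the push is rejected
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
  tags:
    - arm64
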
k8s/
├── namespace-<app>.yaml   # Namespace with PSS
├── deployment-<app>.yaml  # Deployment
├── service-<app>.yaml     # ClusterIP Service
└── ingress-<app>.yaml     # Ingress + TLS

apiVersion: v1
kind: Namespace
metadata:
  name: myapp
  labels:
    app.kubernetes.io/name: myapp
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: myapp
  labels:
    app.kubernetes.io/name: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: myapp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: myapp
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: myapp
          # Reference a tag the CI job actually pushes ($CI_COMMIT_SHORT_SHA); it does not push "latest"
          image: registry.gitlab.ciss.de/ciss/janus/myapp:<commit-short-sha>
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            # Required by the "restricted" profile enforced on the namespace
            capabilities:
              drop:
                - ALL

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  namespace: myapp
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - myapp.janus.ciss.digital
      secretName: myapp-tls
  rules:
    - host: myapp.janus.ciss.digital
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp
                port:
                  number: 8080

# Check the deployment
k3s kubectl -n myapp get all
# Check the ingress
k3s kubectl -n myapp get ingress
# Check the certificate
k3s kubectl describe certificate myapp-tls -n myapp
# Test HTTPS
curl -vI https://myapp.janus.ciss.digital

  • Repository created under ciss/janus/<app>
  • CI/CD builds ARM64 image
  • Namespace with Pod Security Standards
  • Deployment with security context
  • ClusterIP Service
  • Ingress with letsencrypt-prod
  • DNS *.janus.ciss.digital covers the subdomain
  • HTTPS connection verified
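
A pre-merge check for the "Namespace with Pod Security Standards" and "Deployment with security context" items, as an added example that is not part of the original page or the Janus project. It takes manifests already parsed into dicts and reports the `restricted` controls used on this page plus a missing or mutable image tag; the `demo` manifests and `registry.example.com` are constructed sample input.

```python
PSS_MODES = ("enforce", "audit", "warn")

def check_namespace(ns):
    """Findings for pod-security labels on a Namespace that are not 'restricted'."""
    labels = ns.get("metadata", {}).get("labels", {})
    return [f"namespace: pod-security.kubernetes.io/{m} is not 'restricted'"
            for m in PSS_MODES
            if labels.get(f"pod-security.kubernetes.io/{m}") != "restricted"]

def check_deployment(dep):
    """Findings for containers that 'restricted' admission would reject."""
    pod = dep["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        # runAsNonRoot and seccompProfile may come from pod or container level
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        # These two can only be set per container
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        # Not a PSS rule: a missing or mutable tag is not pinned to a CI build
        tag = c["image"].rsplit("/", 1)[-1].partition(":")[2]
        if tag in ("", "latest"):
            findings.append(f"{name}: image tag is missing or mutable")
    return findings

# Constructed sample input (hypothetical app "demo"), shaped like parsed manifests
NAMESPACE = {"metadata": {"name": "demo", "labels": {
    "pod-security.kubernetes.io/enforce": "restricted"}}}
DEPLOYMENT = {"spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "demo",
        "image": "registry.example.com/group/demo:latest",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True}}]}}}}

if __name__ == "__main__":
    for finding in check_namespace(NAMESPACE) + check_deployment(DEPLOYMENT):
        print(finding)
```

An empty result from both functions means the checked fields match; the baseline controls that `restricted` also includes (host namespaces, privileged containers, hostPath volumes) are outside this check.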