🔄 GITOPS & CI/CD

Git is the source of truth

Git-driven deployment pipelines with progressive delivery and infrastructure-as-code.

Pattern App-of-Apps

A root Application auto-discovers every YAML file in src/apps/. Drop a manifest there and ArgoCD picks it up.

app-of-apps.yaml  (root Application → watches src/apps/)
    │
    ├── src/apps/cilium.yaml       → cilium + cilium-configs
    ├── src/apps/keycloak.yaml     → keycloak + keycloak-configs
    ├── src/apps/vault.yaml        → vault (manual sync)
    ├── src/apps/grafana.yaml      → observability stack
    ├── src/apps/harbor.yaml       → harbor (wrapper chart)
    ├── src/apps/supabase.yaml     → supabase (inline configs)
    ├── src/apps/backstage.yaml    → backstage portal
    ├── ... 30+ more ...
    │
    └── src/apps/icebox/           → disabled apps (excluded)
         ├── kyverno.yaml
         └── kubescape.yaml

4 deployment patterns

Choose the pattern that fits your application's needs, from simple Helm charts to raw manifests.

Pattern A

Helm + Configs

Two ArgoCD Applications: one for the external Helm chart with local values, one for companion manifests (gateway, external-secret).

When to use: deploying a third-party Helm chart with local config overrides.

Examples: Keycloak, Cilium, ESO, Longhorn, Mailpit

Pattern B

Helm + Inline

Single ArgoCD Application combining Helm chart and directory source with exclusion globs.

When to use: when you want a single ArgoCD Application instead of two.

Examples: SurrealDB, Qdrant, Garage, Supabase

Pattern C

Wrapper Chart

Local Chart.yaml wrapping an external chart as a dependency. Full Helm templating power for custom resources.

When to use: when you need to template Kubernetes manifests alongside the Helm chart (Certificates, ReferenceGrants).

Examples: Homepage, Harbor, Backstage, Falco

Pattern D

Raw Manifests

Plain Kubernetes YAML files deployed directly. No Helm, no templating — just declarative manifests.

When to use: operators, CRDs, or simple deployments that don't need Helm.

Examples: Argo CD, Dragonfly, AIBrix, Matomo
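Pattern B is the least self-explanatory of the four, so here is one written out as an added example (not a manifest from the project): a single multi-source Application that pulls an upstream Helm chart, reads its values file from the platform repo, and applies the rest of that directory as plain manifests. The chart repository, chart version, repo URL and the src/apps-configs/qdrant/ layout are assumptions; "qdrant" is taken from the page's list of Pattern B apps, and "platform" as project name is assumed.

```yaml
# Added example, not the project's own manifest. Assumed: chart repo
# https://charts.example.com, chart version 1.0.0, platform repo
# https://git.example.com/platform.git, directory src/apps-configs/qdrant/.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: qdrant
  namespace: argocd
spec:
  project: platform
  sources:
    # 1) The upstream chart, pinned to an exact version rather than a range,
    #    so a chart-repo compromise cannot silently change what gets deployed.
    - repoURL: https://charts.example.com
      chart: qdrant
      targetRevision: 1.0.0
      helm:
        releaseName: qdrant
        valueFiles:
          # $values resolves to the checkout of the source that declares ref: values
          - $values/src/apps-configs/qdrant/values.yaml
    # 2) The platform repo, referenced only so the chart can read values from it.
    - repoURL: https://git.example.com/platform.git
      targetRevision: main
      ref: values
    # 3) The same directory applied as raw manifests (HTTPRoute, ExternalSecret, ...).
    - repoURL: https://git.example.com/platform.git
      targetRevision: main
      path: src/apps-configs/qdrant
      directory:
        recurse: true
        # Helm values files are not Kubernetes objects. Without this glob
        # Argo CD tries to apply values.yaml as a manifest and the sync fails.
        exclude: "{values.yaml,values-*.yaml}"
  destination:
    server: https://kubernetes.default.svc
    namespace: qdrant
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
```

The exclusion glob is the part that makes this pattern work: the directory source and the values source point at the same path, so anything in that directory that is not a Kubernetes manifest has to be excluded explicitly. Pattern A gets the same result with two Applications and no glob, which is the trade-off the page describes.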

Terraform IaC modules

Everything that cannot be a Kubernetes manifest is managed by Terraform: secrets, OIDC clients, dashboards.

terraform/vault/
  Provider: hashicorp/vault
  Manages:  ESO policies, tokens, app secrets, DNS credentials
  Files:    cert-platform.tf, grafana-mcp.tf, supabase.tf, garage.tf

terraform/keycloak/
  Provider: mrparkers/keycloak
  Manages:  OIDC realm + 10+ clients for SSO
  Files:    backstage.tf, apisix.tf, harbor.tf, supabase.tf, affine_client.tf

terraform/grafana/
  Provider: grafana/grafana
  Manages:  Dashboard provisioning, data sources
  Files:    dashboards.tf, harbor.tf, n8n_dashboard.tf, affine_dashboard.tf

terraform/harbor/
  Provider: goharbor/harbor
  Manages:  Registry OIDC auth, robot accounts
  Files:    main.tf, provider.tf
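The terraform/vault/ module above provisions the Vault side (policies and auth roles for ESO); the manifests below are the cluster side that consumes it, added here as an example and not taken from the project. They assume Vault is reachable at https://vault.vault.svc:8200 with a KV v2 mount named "secret", that ESO authenticates with Vault's Kubernetes auth method (the page mentions policies and tokens, so the auth method is an assumption) via an auth mount "kubernetes" and a role "eso", and that ESO's service account is "external-secrets" in namespace "external-secrets". The supabase secret path is made up for illustration.

```yaml
# Added example, not the project's own manifests. Assumed: Vault address,
# KV v2 mount "secret", Kubernetes auth mount "kubernetes", role "eso",
# ESO service account external-secrets/external-secrets, path supabase/db.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault
spec:
  provider:
    vault:
      server: https://vault.vault.svc:8200
      path: secret            # KV v2 mount
      version: v2
      # Pin Vault's CA instead of trusting whatever certificate is presented.
      caProvider:
        type: Secret
        name: vault-ca
        namespace: vault
        key: ca.crt
      auth:
        # No static Vault token lives in Git or in a Kubernetes Secret: ESO
        # presents its own service-account JWT and Vault maps it to the role.
        kubernetes:
          mountPath: kubernetes
          role: eso
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: supabase-db
  namespace: supabase
spec:
  refreshInterval: 1h          # rotated values in Vault reach the cluster within the hour
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    name: supabase-db          # the Secret ESO writes; only this reference is committed
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: supabase/db       # secret/data/supabase/db in Vault
        property: password
```

On the Terraform side this pairs with a vault_policy granting read on secret/data/supabase/* and a vault_kubernetes_auth_backend_role whose bound_service_account_names and bound_service_account_namespaces are set to the two values in serviceAccountRef above; scoping the policy per application path is what keeps one compromised workload from reading every secret the store can reach.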

All components

Argo CD (production)
GitOps continuous delivery tool that reconciles desired state from Git with cluster state.
Role: core GitOps engine with App-of-Apps pattern managing 40+ applications

Terraform (production)
Infrastructure as Code for provisioning and managing cloud-agnostic resources.
Role: manages Vault secrets, Keycloak OIDC clients, Grafana dashboards, Harbor config

OneDev (production)
Self-hosted Git repository manager with integrated CI/CD pipelines and code review.
Role: private Git hosting with container-based CI runners

Kargo (planned)
Progressive delivery engine adding multi-stage promotion workflows on top of Argo CD.
Role: environment promotion pipelines: dev → staging → production