Software Lifecycle
In the Shivering-Isles infrastructure a certain pattern for software deployments has emerged.
Evaluation
Before a piece of software is deployed, there is a lot of reading going on. The documentation and the project itself are examined for certain criteria and options such as
- container images,
- Helm Charts,
- Kustomizations,
- integration with existing operators (PostgreSQL and Redis),
- OIDC capability,
- release cycle and
- general community.
Experimenting
With the first examination done, a PoC is deployed on the K8s cluster, usually limited to the intranet, if not to the namespace itself. The ergonomics of deploying the software are checked and the basic setup is developed.
Going live
After testing the software, it is either reinstalled from scratch or the test deployment is adopted by adding the relevant manifests to the gitops repository and hardening the setup with proper network policies, serviceaccount permissions and restrictions on the namespace.
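As an added example (not taken from the Shivering-Isles gitops repository), this is what the hardening step can look like in manifests: a namespace with Pod Security Admission enforced, a serviceaccount that does not hand the application an API token, a default-deny network policy, and explicit allow rules for DNS, the ingress controller and the database. The namespace name "myapp", the ingress controller namespace "ingress-nginx", the application port 8080 and the database pod label are assumptions; replace them with whatever your cluster and PostgreSQL operator actually use.

```yaml
# Added example; the names below are assumptions, not the page's own setup.
apiVersion: v1
kind: Namespace
metadata:
  name: myapp
  labels:
    # Pod Security Admission: privileged or host-access pods are rejected
    pod-security.kubernetes.io/enforce: restricted
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp
  namespace: myapp
# Most web applications never talk to the API server, so no token is mounted
automountServiceAccountToken: false
---
# Everything in the namespace starts with no ingress and no egress at all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: myapp
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# DNS has to be allowed explicitly once egress is denied by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: myapp
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# The application itself: reachable only from the ingress controller,
# allowed to talk only to its own database
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myapp
  namespace: myapp
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: myapp
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed namespace
      ports:
        - protocol: TCP
          port: 8080                                      # assumed app port
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: myapp-db            # assumed label set by the operator
      ports:
        - protocol: TCP
          port: 5432
```

Two things are worth checking after applying such a baseline: that the CNI actually enforces NetworkPolicy (on clusters without a policy-capable CNI these objects are accepted and silently ignored), and that the application still starts under the restricted profile, which typically requires `runAsNonRoot`, a dropped capability set and a seccomp profile in the pod spec.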
From here on, renovate is configured to automate software updates and to create Merge Requests, which keeps maintenance easy.
Extended lifecycle
When a piece of software is supposed to be replaced but still provides some important functionality that isn't fully replaced yet, it is limited to the intranet and put behind an oauth2-proxy to prevent unauthorized access from outside. This drastically reduces the risk of the setup and allows updates to fall behind for a while, because the easiest attacks are mitigated by the proxy. The vulnerabilities in the outdated software itself remain, so this is a stopgap that buys time until the replacement is complete, not a substitute for it.
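As an added example (not the page's own manifests), this is one way to place such a legacy application behind oauth2-proxy using the external-auth annotations of ingress-nginx: every request to the application is first checked against oauth2-proxy, and unauthenticated users are redirected to the login flow before the legacy code ever sees the request. Assumed are an ingress-nginx controller, an oauth2-proxy Deployment and Service named "oauth2-proxy" on port 4180 in the same namespace (its own configuration, i.e. OIDC client, client secret and cookie secret, is not shown), an application Service "legacy" on port 8080, and the hostname legacy.example.com.

```yaml
# Added example; names and hostname are assumptions.
# Ingress for the application: ingress-nginx consults oauth2-proxy before proxying.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: legacy
  namespace: legacy
  annotations:
    # Subrequest to oauth2-proxy: 202 lets the request through, 401 triggers auth-signin
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    # Where unauthenticated users are sent; rd= brings them back afterwards
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
spec:
  ingressClassName: nginx
  rules:
    - host: legacy.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: legacy          # assumed Service name
                port:
                  number: 8080
---
# Ingress for oauth2-proxy itself on the same host, so the session cookie
# is set for legacy.example.com and the /oauth2/* endpoints are reachable
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: legacy
spec:
  ingressClassName: nginx
  rules:
    - host: legacy.example.com
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy    # assumed Service name
                port:
                  number: 4180
```

The proxy only protects the HTTP front door. The network policy from the go-live step still has to ensure the application is reachable exclusively through the ingress controller, otherwise any other route into the pod (a second Service, a NodePort, a neighbouring namespace without policies) bypasses the authentication entirely. Limiting the hostname to the intranet is a separate control, for example an ingress class bound to an internal load balancer or a split-horizon DNS entry, and is not expressed in these manifests.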
Removal
At the end, the software is removed from the cluster by deleting its manifests from the gitops repository, which also deletes the namespace. Any remaining backups are deleted manually after a while, decoupled from the removal of the software itself.
This completes the software lifecycle.