iklim.co/Environment_Infrastructure
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Environment_Infrastructure/setup/03-test-runner-ve-deploy-onkosullari.md
Murat ÖZDEMİR 720c79d460 Add Hetzner Cloud production infrastructure with multi-node support 
- This commit introduces the Terraform configuration to provision a production environment on Hetzner Cloud, building on the existing test setup.
- Key improvements and new features include:
* **Multi-node clusters:** Scaling to 3-node Swarm application and database clusters for improved resilience.
* **High availability:** Utilizing a Hetzner Floating IP for the application entry point and `spread` placement groups for fault tolerance across physical hosts.
* **Enhanced network security:** Internal management services (RabbitMQ, APISIX, Prometheus, Grafana) are restricted to the application subnet, expected to be accessed via an internal reverse proxy (SWAG).
* **Internal database replication:** New firewall rules enable PostgreSQL replication and MongoDB replica set traffic within the database subnet.
* **Refined test environment:** Updates to align `test` configuration with the new `prod` structure, including a dedicated floating IP and adjusted firewall rules.
* **Configuration standardization:** Environment-specific details moved to `locals.tf` for clarity, with upgraded server types and migration to Rocky Linux as the base image.
- Updates were also made to the latest version of Terraform to ensure consistency in the documentation
2026-05-10 15:43:22 +03:00

118 lines
3.7 KiB
Markdown
Raw Blame History

# 03 - Test Runner ve Deploy On Kosullari
Bu asamanin amaci test ortaminda Gitea Actions runner'i systemd servisi olarak kurmak ve mevcut test CI/CD pipeline'larinin calisabilecegi host on kosullarini hazirlamaktir.
## Runner Yerlesimi
Test ortaminda tek runner yeterlidir:
| Host | Runner |
| --- | --- |
| `iklim-app-01` | `act_runner` systemd servisi |
Runner Docker container olarak calistirilmayacak. `/var/run/docker.sock` bir runner container'ina mount edilmeyecek.
## Neden Systemd Runner
Mevcut CI/CD akisinda Gitea job'lari gerekli hazirliklari kendi icinde yapip deploy komutlarini calistiriyor. Runner'in Docker container olmasi, Docker socket mount edilmesini gerektirir ve bu model ekstra yetki riski uretir. Systemd runner modelinde socket mount yoktur; ancak runner host uzerinde Docker kullanacagi icin runner kullanicisinin Docker erisimi yine yuksek yetki kabul edilir.
Bu nedenle:
- Runner sadece guvenilir Gitea instance/repo icin kullanilir.
- Runner token Ansible Vault veya CI secret olarak saklanir.
- Runner config ve token repo'ya commit edilmez.
## Runner Kullanicisi
Ansible `gitea_runner` role'u:
- `gitea-runner` sistem kullanicisi olusturur.
- Kullanici shell'i ihtiyaca gore `/bin/bash` olabilir.
- Kullanici Docker kullanacaksa `docker` grubuna eklenir.
- Home dizini: `/var/lib/gitea-runner`
- Config dizini: `/etc/gitea-act-runner`
Docker group root seviyesine yakin yetki verdigi icin bu karar bilincli kabul edilir.
## Runner Binary Kurulumu
Kurulum adimlari:
1. `act_runner` Linux amd64 binary indirilir.
2. `/usr/local/bin/act_runner` olarak yerlestirilir.
3. Executable permission verilir.
4. Config uretilir veya template ile yazilir.
5. Runner register edilir.
6. Systemd unit enabled + started edilir.
## Runner Label PolitikasI
Test runner label'lari:
```text
test-runner
iklim-app-01
ubuntu-24.04
docker
swarm-manager
```
Mevcut workflow'larda `runs-on` degeri test icin bu label'lardan biriyle uyumlu hale getirilmelidir. Eski `ubuntu-latest` kullanimi self-hosted Gitea runner eslesmesi icin yeterli olmayabilir; bu durum Gitea Actions label konfigurasyonuna gore netlestirilmelidir.
## Deploy On Kosullari
Test deploy pipeline'lari icin `iklim-app-01` uzerinde bulunmasi gerekenler:
- Docker Engine
- Docker Compose plugin
- Git
- curl
- jq
- gettext/envsubst
- tree
- ssh/scp client
- Harbor registry erisimi
- StorageBox erisimi
- Gitea reposuna erisim
- Swarm manager yetkisi
- `iklimco-net` overlay network
CI/CD DB altyapisini kurmayacak. Test DB node hazir olacak; DB yazilimi ve cluster/manual setup ayridir.
## Deploy Lock Notu
Test ortaminda tek runner oldugu icin runner'lar arasi deploy yarismasi beklenmez.
Yine de ayni branch'e arka arkaya push edilmesi veya manuel yeniden calistirma gibi
durumlarda ayni servis deploy'u ust uste binebilir.
Test icin lock zorunlu degildir; ancak prod ile ayni aliskanligi kazanmak istenirse
StorageBox uzerinde su path kullanilabilir:
```text
test/locks/test-deploy.lock
test/locks/services/<service-name>.lock
```
Lock manuel olusturulmaz. Workflow basinda atomik `mkdir`, bitiste `rmdir` kullanilir.
## Secret Gereksinimleri
Runner kurulumu ve pipeline calismasi icin secret'lar:
- Gitea runner registration token
- Harbor username/password veya token
- StorageBox credential
- SSH deploy key
- Hetzner token gerekmez; Terraform asamasinda kullanilir
Bu secret'lar repo'ya yazilmayacak.
## Kabul Kriterleri
- `systemctl status gitea-act-runner` active gorunur.
- Gitea UI icinde test runner online gorunur.
- Runner label'lari test workflow `runs-on` ile eslesir.
- Basit bir test workflow runner uzerinde calisir.
- Runner job'u Docker komutu calistirabiliyorsa deploy on kosulu saglanmistir.
- `8200/tcp` public internete acik degildir.
Reference in New Issue View Git Blame Copy Permalink