Advanced ArgoCD Deployment Patterns and Best Practices

Progressive Delivery with ArgoCD

Blue-Green Deployments

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: blue-green-app
spec:
  source:
    plugin:
      name: argocd-rollouts
    repoURL: https://github.com/org/app.git
    targetRevision: HEAD
    path: rollouts/
  destination:
    server: https://kubernetes.default.svc
    namespace: production
---
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: blue-green-rollout
spec:
  replicas: 3
  # A Rollout, like a Deployment, requires a selector that matches the pod template labels
  selector:
    matchLabels:
      app: blue-green
  strategy:
    blueGreen:
      activeService: active-service
      previewService: preview-service
      autoPromotionEnabled: false   # promotion stays a manual step
  template:
    metadata:
      labels:
        app: blue-green
    spec:
      containers:
        - name: app
          image: app:1.0

Multi-Cluster Management

Cluster Configuration

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: multi-cluster-apps
spec:
  generators:
    - clusters: {}   # one Application per cluster registered in Argo CD
  template:
    metadata:
      name: '{{name}}-app'
    spec:
      project: default
      source:
        repoURL: https://github.com/org/app-configs.git
        targetRevision: HEAD
        path: 'environments/{{name}}'
      destination:
        server: '{{server}}'
        namespace: production

Sync Strategies

Selective Sync

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: selective-sync-app
  annotations:
    argocd.argoproj.io/sync-wave: "5"
spec:
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PruneLast=true
      - ApplyOutOfSyncOnly=true
  source:
    directory:
      recurse: true
      exclude: 'excluded-patterns/**'

Production Example

# Complete production deployment setup
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: production-deployment
  annotations:
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: production-deploys
spec:
  project: production
  source:
    repoURL: https://github.com/org/production-config.git
    targetRevision: main
    path: overlays/production
    directory:
      recurse: true
      jsonnet:
        extVars:
          - name: environment
            value: production
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
  # Let an HPA or operator own the replica count without triggering OutOfSync
  ignoreDifferences:
    - group: apps
      kind: Deployment
      jsonPointers:
        - /spec/replicas


Advanced Kubernetes Ingress Patterns and Best Practices

Core Ingress Patterns

Basic HTTPS Configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - app.example.com
      secretName: tls-secret
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 80

Advanced Configurations

1. Path-Based Routing

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: path-based-ingress
spec:
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /v1
            pathType: Prefix
            backend:
              service:
                name: api-v1-service
                port:
                  number: 80
          - path: /v2
            pathType: Prefix
            backend:
              service:
                name: api-v2-service
                port:
                  number: 80

2. Rate Limiting

metadata:
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-connections: "5"

Best Practices

SSL Configuration
...


CDN Architecture: Design Patterns for Global Scale

Content Delivery Networks (CDNs) are fundamental to modern web architecture. Let’s explore key design patterns and implementation strategies for optimal content delivery.

CDN Architecture Fundamentals

Edge Location Strategy

Effective CDN implementation requires careful planning of edge locations:

Geographic Distribution
- Place edge nodes near user concentrations
- Consider regional traffic patterns
- Account for network topology

Cache Strategy
- Static content: aggressive caching
- Dynamic content: TTL-based invalidation
- API responses: selective caching

Implementation Patterns

1. Origin Shield Configuration

# Nginx origin shield configuration
location / {
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache my_cache_zone;
    proxy_cache_key $scheme$proxy_host$request_uri;
}

2. Cache Control Headers

Implement proper cache control headers:
...


Cert-Manager in Production: Automated Certificate Management

Core Components

ClusterIssuer Configuration

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
      - dns01:
          cloudflare:
            email: [email protected]
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token

Certificate Management

Wildcard Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: cert-manager
spec:
  secretName: wildcard-tls
  commonName: "*.example.com"
  dnsNames:
    - "*.example.com"
    - "example.com"
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  usages:
    - digital signature
    - key encipherment
    - server auth

Production Implementation

# Complete cert-manager setup
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: production-certs
  namespace: production
spec:
  secretName: production-tls
  duration: 2160h    # 90 days
  renewBefore: 360h  # 15 days
  subject:
    organizations:
      - Example Corp
  commonName: api.example.com
  dnsNames:
    - api.example.com
    - web.example.com
    - admin.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  keystores:
    jks:
      create: true
      passwordSecretRef:
        name: jks-password
        key: password
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secured-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - api.example.com
        - web.example.com
      secretName: production-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 80


Container and Infrastructure Security Scanning: A Comprehensive Guide

Trivy Implementation

Container Scanning Pipeline

# GitLab CI Pipeline Configuration
container_scan:
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]   # the image's entrypoint is trivy itself; GitLab needs a shell to run the script
  variables:
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
  script:
    # Fail the job (exit code 1) when any HIGH or CRITICAL finding is present
    - trivy image --exit-code 1 --severity HIGH,CRITICAL --no-progress --format template --template "@/contrib/sarif.tpl" -o trivy-results.sarif $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  artifacts:
    reports:
      security: trivy-results.sarif

Kubernetes Manifest Scanning

apiVersion: batch/v1
kind: CronJob
metadata:
  name: trivy-cluster-scan
spec:
  schedule: "0 0 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: trivy-scanner
          restartPolicy: OnFailure   # Job pod templates must not use the default Always
          containers:
            - name: trivy
              image: aquasec/trivy:latest
              args:
                - k8s
                - --report=summary
                - --severity=HIGH,CRITICAL
                - all
              volumeMounts:
                - name: results
                  mountPath: /results
          volumes:
            - name: results
              persistentVolumeClaim:
                claimName: scan-results

Snyk Integration

GitHub Action Integration

name: Snyk Security Scan
on: pull_request
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
      - name: Container Scan
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: your-registry/app:latest
          args: --file=Dockerfile
      - name: IaC Scan
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

Wiz Implementation

Cloud Configuration Scanning

# Terraform configuration for Wiz
resource "wiz_automation_rule" "critical_vuln" {
  name        = "Critical Vulnerability Alert"
  description = "Alert on critical vulnerabilities in production"
  enabled     = true

  trigger {
    type = "VULNERABILITY"
    vulnerabilities {
      severity = ["CRITICAL"]
      has_fix  = true
    }
  }

  actions {
    create_issue {
      provider = "JIRA"
      project  = "SEC"
      type     = "Bug"
    }
    send_notification {
      channels = ["SLACK"]
      template = "critical-vuln"
    }
  }
}

Production Implementation

Multi-Scanner Integration

# ArgoCD Application for Security Scanning
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: security-scanners
spec:
  project: security
  source:
    repoURL: https://github.com/org/security-configs.git
    targetRevision: HEAD
    path: scanners/
  destination:
    server: https://kubernetes.default.svc
    namespace: security
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
---
# Scanner Configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: scanner-config
data:
  trivy.yaml: |
    severity: CRITICAL,HIGH
    ignore-unfixed: true
    timeout: 10m
  snyk.yaml: |
    severity-threshold: high
    fail-on: upgradable
  wiz.yaml: |
    scan-interval: 6h
    alert-threshold: CRITICAL
    compliance-frameworks:
      - SOC2
      - PCI
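The pipeline above fails the job on HIGH/CRITICAL findings and keeps the SARIF report as an artifact. The following added example (not from the original post or from Trivy) shows how a gate over that report can summarise findings per CVSS band and de-duplicate the same CVE reported across layers; the SARIF sample is constructed with placeholder CVE ids, and the `security-severity` rule property is assumed to carry the CVSS score as Trivy's sarif.tpl emits it.

```python
import json
from collections import Counter

# Constructed sample of a SARIF 2.1.0 document as Trivy's sarif.tpl lays it out
# (runs -> tool.driver.rules, results). CVE ids and scores are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-0000-0001", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-0000-0002", "properties": {"security-severity": "7.5"}},
            {"id": "CVE-0000-0003", "properties": {"security-severity": "4.3"}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-0001", "ruleIndex": 0, "level": "error"},
            {"ruleId": "CVE-0000-0002", "ruleIndex": 1, "level": "error"},
            {"ruleId": "CVE-0000-0002", "ruleIndex": 1, "level": "error"},
            {"ruleId": "CVE-0000-0003", "ruleIndex": 2, "level": "warning"},
        ],
    }],
})

# CVSS v3 score bands, matching the HIGH,CRITICAL severities the pipeline fails on.
BANDS = (("CRITICAL", 9.0), ("HIGH", 7.0), ("MEDIUM", 4.0), ("LOW", 0.1))

def band(score):
    for name, floor in BANDS:
        if score >= floor:
            return name
    return "UNKNOWN"

def summarize(sarif_text):
    """Count unique rule ids (CVEs) per severity band across all runs."""
    doc = json.loads(sarif_text)
    counts = Counter()
    for run in doc["runs"]:
        rules = run["tool"]["driver"].get("rules", [])
        seen = set()
        for res in run.get("results", []):
            rule = rules[res["ruleIndex"]]
            if rule["id"] in seen:
                continue  # same CVE reported again for another layer/package
            seen.add(rule["id"])
            score = float(rule.get("properties", {}).get("security-severity", 0))
            counts[band(score)] += 1
    return dict(counts)

def gate(sarif_text, fail_on=("CRITICAL", "HIGH")):
    """True when the image passes, i.e. no unique finding in a failing band."""
    counts = summarize(sarif_text)
    return not any(counts.get(sev, 0) for sev in fail_on)

if __name__ == "__main__":
    print(summarize(SAMPLE_SARIF), "pass" if gate(SAMPLE_SARIF) else "FAIL")
```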
