back home
thumbnail

Stack 2023 - Going cheaper with self-hosted services fail

blogk8sranchergitlabCI runnersCDDevOpsGitOps
written: 2023-05-25
Series:
NOTE:
I went thru quite a wild journey here and am publishing this post months after the struggle I have had with the whole situation.
Maybe some of you are smart enough to learn just from reading about it. I definitely had to experience it on my own just to end up somewhere else.

#the idea

Having a balanced shared environment with the idea of containers in k8s that won't make your system "dirty" with the time of playing around, it seemed like a good idea to containerize everything from source code management to deployer, CI builds, automatic hostings and push to deploy automation based on the branches, etc.

#definition of a plan

  • an instance of Gitlab for source code for all projects
  • reusable CI builds for all the projects
  • automatic builds and deploys on git push
  • all other actions should be project / k8s namespaced
  • per project (k8s namespace) Gitlab workers
  • per project (namespace) docker registry
  • per project "production" and "development" hosting namespaces
  • production deploy for pre-defined domain on manual request or based on some (release/master) branch
  • automatic hostings (dev subdomains) and deploys for every feature branch or set of branches based on some rule

#expectations

with time it should be:

  • easy to start new projects
  • easy to spawn project hostings
  • easy to (automatically available) spawn development/staging hostings
  • easy to monitor and restrict resources per project
  • easy to scale/move a project to a cluster with better hardware when needed

#why didn't I use existing solutions

Any popular service gets hacked sooner or later, and with the latest service I was looking into just announcing a breach, I didn't want to expose another public thing that is not under my control.

I am no expert on security, don't understand me wrong. I am "just" a developer and learned things with time and fails that production experience brings.

And I am aware I can not do things better, but in reality, the "obscurity over security" still wins in the end, at least until your service becomes popular.

#reality

Oh boy, was I wrong on everything ...

#installing Gitlab (security nightmare)

Not knowing enough about Kubernetes and self-hosted GitLab at that point, I followed one of the really old tutorials for days to come. The biggest pain was that Gitlab persisted data only till the first restart (volume issues). Finally dropping out of the idea of doing it manually, I used Helm and realized I wasnt even close to the end solution. It worked, but the risk of losing all the project source code just because I would make another mistake in the future was simply too big.

The next plan was to do it on a dedicated server and go thru all the configs and possible risks. Again, it worked as intended but did not solve any of the performance issues I planned to solve. Bottleneck it with workers was not an acceptable solution.

Starting with workers sounds all legit in idea, but in reality, having a dynamically scaled set of workers becomes its own risk. Having them in the cluster with a bit too much access level opened countless new blog posts I had to read on security in k8s.

...

#conclusion

I failed successfully big time in so many ways on so many levels!

Why successfully?

  • I believe the idea for that kind of tool is the right one
  • I learned a lot about Gitlab on-premise and got even more respect for the sys guys
  • learned something new about workers, security issues, and limitations
  • deeper dive into k8s security, bottlenecks of GitOps, single source of truth, and the risk of putting all into a single point of failure system design
  • understanding why there are not a lot of solutions like that and why only big companies who are host providers and enterprise ones offer solutions on a level like that

What to do next?

The whole idea sounded like a great SaaS to make, just to realize weeks later how big of a project and market you should have for it to support the paychecks of involved people. The risk of responsibility simply wasnt worth it to continue.

I am so glad I went thru that whole story from a "simple idea" to reality, back to the idea of creating a SaaS and dropping out of it before even more time and money would be involved. A lifecycle of a project idea was done in weeks instead of months like it usually happened. I call that a total victory!

Till next time, stay sexy and hydrated.

Stack 2023 - going cheaper fail
Stack 2023 - going cheaper fail
blogk8sranchergitlabCI runnersCDDevOpsGitOps
A-Frame Cabin - review
A-Frame Cabin - review
legolego ideas
Stack 2023 - kubernetes with Rancher
Stack 2023 - kubernetes with Rancher
blogstackcontabokubernetesk8srancher
Volkswagen T2 Camper Van - review
Volkswagen T2 Camper Van - review
legolego creator
Laracon EU Lisbon 2023
Laracon EU Lisbon 2023
bloglaravellaracon eu lisbon 2023
Stack 2023 - review the old way
Stack 2023 - review the old way
bloglaravelvuestackforgedocker
Going stateless
Going stateless
learningwebsitestatelessstatick8snextjsreactdocker
Self calling resolve function with return type hint
Self calling resolve function with return type hint
bitsidephpLaravel
harry-potter-express - Hogwarts™ Express
harry-potter-express - Hogwarts™ Express
legoharry potter
Volkswagen T2 Camper Van - pending
Volkswagen T2 Camper Van - pending
legolego creator
Snowboarding again - on the slopes
Snowboarding again - on the slopes
lifesnowboard
Snowboarding again - a gift to me
Snowboarding again - a gift to me
lifesnowboard
PhpStorm UI 2023
PhpStorm UI 2023
bitsphpstormide
Starting with k8s
Starting with k8s
learningk8sk3srancherhosting