deniskachar.com

NENMP Platform Overview

This page documents the full solution in this repository: Terraform infrastructure, application packaging, Kubernetes deployment, Cert-Manager TLS setup, and CI/CD delivery.


Cloud Base

Terraform provisions GKE and IAM foundations.

App Delivery

Pipeline builds and pushes a new container image, then rolls it out.

Secure Access

Short-lived identity and managed secrets keep credentials out of source code.

Infrastructure

Cloud setup is automated and repeatable.

Terraform creates the core cloud baseline for this platform.

Figure: Terraform to GKE infrastructure map (diagram of Terraform creating IAM and GKE resources in Google Cloud).

Application

A lightweight static site runs inside an NGINX container.

Built from nginx:alpine. Build metadata is injected at image build time.

Figure: NGINX static app layout (diagram of static pages served by an NGINX container).

Kubernetes

Kubernetes keeps the site available and routes traffic to it.

Deployment and pods run behind a ClusterIP service, with ingress handling HTTPS routing.

Figure: Ingress routes traffic to the service, then to pods (diagram of ingress, service, and replicated pods).

Cert-Manager

HTTPS certificates are issued and renewed automatically.

Cert-Manager requests certificates from Let's Encrypt over ACME, proving ownership of the domain with a Cloudflare DNS-01 challenge. The resulting certificate is stored in the deniskachar-com-tls Kubernetes Secret.

Figure: Automated certificate issuance flow (diagram of Cert-Manager, Let's Encrypt, and the Cloudflare DNS challenge).

CI/CD

Each code update can publish a new container and deploy it automatically.

The workflow builds the image, pushes it, authenticates to GCP, and updates the Kubernetes deployment.

Figure: From commit to rollout automation (diagram of GitHub Actions building and deploying to Kubernetes).

Identity and Secrets

Access is short-lived, scoped, and keyless by design.

GitHub Actions exchanges its OIDC token for short-lived Google Cloud credentials, so no long-lived service account key is stored. Docker and Cloudflare values stay in managed secret stores.

Figure: Keyless auth and secret boundaries (diagram of GitHub OIDC tokens exchanged for short-lived Google credentials).

Release Flow

A code update triggers the pipeline, publishes a new image, and updates the running deployment.

Figure: Release lifecycle from update to verification (diagram from code update to verified deployment).

Kubernetes confirms pod health during the rollout, and GitHub Actions waits on kubectl rollout status before marking the job successful, so a rollout that never becomes healthy fails the pipeline.
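The CI/CD, Identity and Secrets, and Release Flow sections describe one pipeline: build and push an image with build metadata, authenticate to GCP through GitHub OIDC, update the Deployment, and wait on the rollout. The workflow below is an added example of that pipeline, not the repository's own workflow. It assumes Docker Hub as the registry, a Deployment named `web` in namespace `web` with a container named `web`, and uses obvious placeholders for the image repository, project number, project id, cluster name and region.

```yaml
name: release
on:
  push:
    branches: [main]

# Least privilege for the job token: read the repo, and mint an OIDC token.
permissions:
  contents: read
  id-token: write

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      IMAGE: DOCKERHUB_USER/nenmp-site   # placeholder image repository
    steps:
      - uses: actions/checkout@v4

      # Registry credentials come from GitHub's encrypted secret store, not source.
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Build metadata is injected as build args; the image is tagged with the commit SHA
      # so the running version is traceable back to a specific change.
      - name: Build and push image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
          build-args: |
            GIT_SHA=${{ github.sha }}
            BUILD_TIME=${{ github.event.head_commit.timestamp }}

      # Keyless auth: the GitHub OIDC token is exchanged for short-lived Google
      # credentials through Workload Identity Federation. No JSON key is stored.
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github/providers/github   # placeholder
          service_account: deployer@PROJECT_ID.iam.gserviceaccount.com   # placeholder

      - name: Get GKE credentials
        uses: google-github-actions/get-gke-credentials@v2
        with:
          cluster_name: CLUSTER_NAME     # placeholder
          location: REGION               # placeholder

      # Roll out the new image and block until Kubernetes reports the rollout
      # complete. rollout status exits non-zero on timeout or failure, which
      # fails the job instead of reporting a green build for an unhealthy release.
      - name: Deploy and wait for rollout
        run: |
          kubectl set image deployment/web web="${IMAGE}:${GITHUB_SHA}" -n web
          kubectl rollout status deployment/web -n web --timeout=180s
```

The Workload Identity provider should be configured to accept tokens only from this repository (and ideally only the `main` branch) via its attribute condition, and the deployer service account should hold only the GKE permissions needed to update this one Deployment. With those two constraints, a compromised workflow in another repository cannot reuse the federation path.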