From 48180e9f298f0ad679edd116e15334d35e56a9e8 Mon Sep 17 00:00:00 2001
From: halilibrahimd27
Date: Sat, 27 Jun 2026 11:06:33 +0300
Subject: [PATCH 01/10] docs: Phase 0 — read-only audit report (AUDIT.md)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Comprehensive audit of the DevOps Notebook repo: inventory (claimed vs. actual), CLAUDE.md anatomy conformance, oversized files, naming inconsistencies, options for the legacy folder strategy, stale/junk items, placeholder/credibility, SEO, and a prioritized action list mapped to phases. No content was changed (only AUDIT.md was added). Items awaiting a decision are marked ❓ KARAR.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 AUDIT.md | 154 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 154 insertions(+)
 create mode 100644 AUDIT.md

diff --git a/AUDIT.md b/AUDIT.md
new file mode 100644
index 0000000..cf926a3
--- /dev/null
+++ b/AUDIT.md
@@ -0,0 +1,154 @@ +# AUDIT.md — DevOps Notebook Denetim Raporu (Faz 0, read-only) + +> *"Önce ölç, sonra kes."* — Bu rapor hiçbir dosyayı değiştirmeden üretildi. +> Karar bekleyen yerler **❓ KARAR** ile işaretli. + +**Tarih:** 2026-06-27 · **Branch:** `chore/repo-polish` · **Baz commit:** `1fd8299` (origin/main ile eşit) + +> ⚙️ **Önemli ön-bulgu (çözüldü):** Local `main` 10 commit **geride**ydi (`0fa3e1c`); MkDocs site + CI + son içerik commit'leri yereldeki kopyada yoktu. `origin/main`'e fast-forward edildi (temiz ata, içerik kaybı yok) — denetim **kanonik durum** üzerinde yapıldı. Görev tanımındaki `mkdocs.yml`, `scripts/build-docs.sh`, `.github/workflows/*` artık mevcut. + +--- + +## 1. Gerçek Envanter (iddia ↔ gerçek) + +| Metrik | README / mkdocs iddiası | Gerçek | Durum | +|---|---|---|---| +| Ana bölüm (numaralı) | 21 | 21 (00–20) | ✅ | +| Deep-dive | **125+** | **125** (README hariç, 00–15/18/19/20) | 🟡 "+" yanıltıcı — tam 125 | +| Cheatsheet | 9 | 9 (16-Cheatsheets, README hariç) | ✅ | +| Template | **25+** | **19** (17-Templates: 3 Dockerfile, 7 K8s yaml, 3 Kyverno, 3 GH Actions, 1 Prometheus, 2 md şablon) | 🔴 **Aşırı iddia** (~19) | +| Markdown satır | 64.000+ | **66.097** | ✅ (hatta muhafazakâr) | +| "production-tested" | "her biri … production-tested" | **doğrulanamaz** | 🔴 Kredibilite riski (bkz §8) | + +**Klasör dağılımı (md / satır):** 08-Security 10/4204, 10-Databases 9/3284, 02-CI-CD 8/3353 en yoğun; RoadMap 5/**9915** (tek dosya 8568!), System 5/3217, Network 1/1242. Ansible & Terraform: **0 .md** (yalnız uzantısız dosyalar). + +--- + +## 2. CLAUDE.md Anatomi Uyumu + +**Numaralı deep-dive'lar (125 dosya) — çok iyi durumda:** +- Anti-pattern tablosu eksik: **1 / 125** +- Checklist eksik: **1 / 125** + +→ Numaralı içerik anayasaya neredeyse tam uyumlu; Faz 3 burada **minimal**. (1'er sapan dosya Faz 3'te tek tek tespit edilip kapatılacak.) 
+ +**Eski klasörler (RoadMap/System/Network/Ansible/Terraform/Kubectl) — anatomi YOK:** +Bunlar saha notu / uzun rehber formatında; CLAUDE.md deep-dive iskeletini (epigraf, kavram tablosu, anti-pattern tablosu, checklist, kapanış) izlemiyor. Bilinçli mi (saha notu) yoksa dönüştürülecek mi → **§5 kararına bağlı**. + +--- + +## 3. Oversized Dosyalar (>1500 satır / >40KB) + +| Dosya | Satır | Boyut | Öneri | +|---|---|---|---| +| `RoadMap/Advanced RoadMap.md` | **8568** | **217 KB** | 🔴 Bölünmeli → `RoadMap/advanced/` alt-sayfalar + index (örn. AWS/EKS provisioning, networking, CI/CD, security, observability, cost başlıklarına) | + +> Diğer "büyük" sandığım dosyalar aslında <1500 satır: `Network/…Wazuh… (1242)`, `System/Full Production-Ready Repo Layout.md (≈900)` — bölme zorunlu değil, opsiyonel. Tek gerçek dev dosya **Advanced RoadMap.md**. + +--- + +## 4. Adlandırma Tutarsızlığı (boşluk / CAPS → kebab-case) + +11 dosya numaralı taksonomi konvansiyonunu (kebab-case) ihlal ediyor; **5'i uzantısız** (MkDocs render etmez, GitHub vurgulamaz): + +| Mevcut | Önerilen | Not | +|---|---|---| +| `Ansible/Ansible System Preperation` | `ansible-system-preparation.md` | uzantısız + "Preperation" yazım hatası | +| `Ansible/SSH CONNECTIVITY TEST` | `ssh-connectivity-test.md` | uzantısız + CAPS | +| `Network/Network Segmentation and Wazuh SIEM Integration Guide.md` | `network-segmentation-wazuh-siem.md` | | +| `RoadMap/Advanced RoadMap.md` | `advanced-roadmap.md` (+ §3 bölme) | build-docs.sh & RoadMap/.pages referanslı! 
| +| `System/EXTERNAL ACCESS PROBLEM` | `external-access-problem.md` | uzantısız + CAPS | +| `System/Full Production-Ready Repo Layout.md` | `full-production-ready-repo-layout.md` | | +| `System/GitHub Actions Pipeline Setup Guide.md` | `github-actions-pipeline-setup.md` | | +| `System/Inventory Management Example.md` | `inventory-management-example.md` | | +| `System/Kubernetes Cluster Installation Guide.md` | `kubernetes-cluster-installation.md` | | +| `Terraform/COMPLETE TERRAFORM CONFIGURATION FOR PROXMOX` | `terraform-proxmox-config.md` | uzantısız + CAPS | +| `Terraform/Manuel Terraform Modules Create VM` | `terraform-modules-create-vm.md` | uzantısız + "Manuel" hatası | + +> ⚠️ **Senkron riski:** `scripts/build-docs.sh` (RoadMap/.pages bloğu "Advanced RoadMap.md"yi açıkça nav'a yazıyor) ve klasör kopyalama döngüleri her yeniden adlandırmayla güncellenmeli. `git mv` + script + iç link güncellemesi atomik yapılmalı (Faz 1). + +--- + +## 5. ❓ KARAR — Eski Klasörlerin Kaderi (RoadMap/System/Network/Ansible/Terraform/Kubectl) + +Bu klasörler elle yazılmış, kişisel/yaşanmış, yargılı saha notları (CLAUDE.md'nin korumamı istediği ses). 3 seçenek: + +- **(a) Numaralı taksonomiye entegre et** — örn. Network/Wazuh → `09-Networking/`, Terraform-Proxmox → `03-IaC/`, System/K8s-install → `05-Kubernetes/`. *Artı:* tek tutarlı taksonomi. *Eksi:* saha-notu sesi deep-dive anatomisine zorlanır, en çok iş. +- **(b) Tek bir "Saha Notları / Field Notes" bölümü** (örn. `21-Field-Notes/`) altında topla, kebab-case'le, ama anatomi dayatma. *Artı:* yaşanmış ton korunur + numaralı yapı tutarlı + en az risk. *Eksi:* iki içerik sınıfı (cilalı deep-dive vs ham saha notu). +- **(c) Hibrit** — en güçlü/tamamlanmış olanları (Wazuh, Terraform-Proxmox, K8s-install) ilgili numaralı klasöre taşı; gerisini `21-Field-Notes/` saha notu bırak. + +**🟢 Önerim: (b)** — saha notlarının değeri "ham gerçeklik"; deep-dive'a zorlamak sesi öldürür. 
`21-Field-Notes/` altında kebab-case + index + placeholder temizliği yeterli; build-docs.sh/nav tek yerde güncellenir. (Sen karar vereceksin.) + +--- + +## 6. Bayat Referanslar / Junk + +| Bulgu | Konum | Aksiyon | +|---|---|---| +| `LAUNCH-PLAN.md` exclude_docs'ta ama **dosya yok** | `mkdocs.yml:27` | Bayat kaydı sil | +| `MARKETING.md` **gitignore'lı + untracked** ama exclude_docs'ta | kök + `mkdocs.yml:28` | Repo'da değil; exclude kaydı zararsız ama gereksiz — sadeleştir | +| 5 uzantısız dosya (mkdocs render etmez) | Ansible/, System/, Terraform/ | §4 ile `.md` uzantısı + kebab-case | +| `.pages` repoda yok (build-docs.sh **dinamik üretiyor**) | — | Sorun değil; not | + +--- + +## 7. Doğruluk / Tazelik / Bakım Yükü + +- **Versiyon pin'leri:** ~15 hardcoded `vX.Y.Z` / `:1.2.3` (CLAUDE.md `` istiyor). → Faz 4: `` placeholder veya tek "Sürümler" referans tablosu. +- **Placeholder konvansiyon sapmaları (KIRMIZI ÇİZGİ — ama gerçek sızıntı DEĞİL):** + - `Network/…Wazuh…` literal `192.168.10/20/30/40.x` (onlarca) — RFC-1918 örnek, **gerçek altyapı değil**, ama CLAUDE.md ``/`` istiyor. → placeholder'a çek. + - `Terraform/…PROXMOX` `cipassword = "ubuntu"` (5×) — zayıf hardcoded örnek parola; `` olmalı (kötü örnek + konvansiyon). + - `System/…Repo Layout.md` `MYSQL_ROOT_PASSWORD: password`, `your-*-password` — illüstratif, yine de `<...>` formuna çekilebilir. + - **Gerçek IP/e-posta/credential/SHA sızıntısı: YOK** (e-postalar `@company.com`/`@yourdomain.com`, `git@github.com` kanonik; 8.8.8.8/1.1.1.1 public DNS). +- **Kırık link:** Otomatik tarama Faz 4/7'de `lychee` (`.lychee.toml` mevcut) ile. Faz 0'da çalıştırılmadı (read-only). +- **Deprecated:** Spot kontrol gerek (eski k8s API sürümleri vb.) — Faz 4. + +--- + +## 8. 
README & Kredibilite (CLAUDE.md "pazarlama tonu yasak" ile çelişki) + +`README.md` (272 satır) CLAUDE.md §"Yapılması Yasak / Pazarlama Tonu" kuralını ihlal ediyor: +- 🔴 Badge yağmuru (8+ shields + "Awesome" rozeti) +- 🔴 "**Türkiye'nin en kapsamlı** Türkçe DevSecOps kaynağı" +- 🔴 Yıldız dilenme: "⭐ Yıldız bırakırsan repo daha çok kişiye ulaşır" +- 🔴 Rakip-dövme tablosu: "🆚 Diğer Türkçe DevOps Kaynakları ile … Diğerleri (genelde)" +- 🔴 "125+ deep-dive … **production-tested**" — doğrulanamaz iddia +- 🔴 "25+ template" — gerçek 19 + +→ **Faz 5:** kıdemli/inandırıcı tona çek (önce "ne + kim için", sonra içerik haritası); badge'leri 2-3 anlamlıya indir; rakip-karşılaştırmayı kaldır; sayıları gerçeğe eşle (125 deep-dive, 9 cheatsheet, 19 template, 66K satır); "production-tested" → "production için damıtılmış referans" gibi dürüst çerçeve (veya ``). `mkdocs.yml:site_description` de aynı sayılarla güncellenecek. + +--- + +## 9. Keşfedilebilirlik / Okuyucu Deneyimi + +- ✅ İyi: MkDocs Material (palette, search tr+en, instant nav, glightbox, mermaid superfence, social, consent), `assets/` (logo/favicon/css/js), `docs/index.md` hero. +- 🟡 Frontmatter: dosyalarda YAML frontmatter (description/tags) yok → SEO/arama zayıf. → Faz 6. +- 🟡 Bölüm index'leri: numaralı klasörlerde README var; eski klasörlerde index yok. → Faz 6. +- 🟡 Çapraz-link & mermaid: yoğun kavramlarda artırılabilir. → Faz 6. +- 🟡 `mkdocs.yml strict: false` — Faz 7'de `--strict` ile build doğrulanmalı (kırık nav/link build'i kırmasın diye önce düzelt). + +--- + +## 10. 
Önceliklendirilmiş Aksiyon Listesi (fazlara eşli) + +| Öncelik | İş | Faz | Risk | +|---|---|---|---| +| P0 | Eski klasör kararı (§5) | (karar) | — | +| P1 | Boşluk/CAPS/uzantısız → kebab-case + `.md`; build-docs.sh/nav/iç-link senkron; LAUNCH-PLAN bayat kaydı sil | Faz 1 | Orta (build senkron) | +| P1 | `Advanced RoadMap.md` (217KB) böl + index | Faz 2 | Düşük (içerik korunur) | +| P2 | README pazarlama tonu → kıdemli ton; sayıları gerçeğe eşle; site_description | Faz 5 | Düşük | +| P2 | Placeholder konvansiyonu: 192.168.x → ``, `cipassword` → `` | Faz 4 | Düşük | +| P3 | Versiyon pin → `` / Sürümler tablosu; deprecated kontrol; lychee link-fix | Faz 4 | Düşük | +| P3 | 1 eksik anti-pattern + 1 eksik checklist'i kapat; kod-bloğu dil etiketi taraması | Faz 3 | Düşük | +| P3 | Frontmatter + bölüm index'leri + çapraz-link + mermaid | Faz 6 | Düşük | +| P4 | `mkdocs build --strict` + lychee + markdownlint + leak-scan geçir; CHANGELOG + CHANGES-SUMMARY | Faz 7 | Düşük | + +--- + +## ❓ Onay Beklenen Kararlar + +1. **§5 — Eski klasör stratejisi:** (a) entegre / (b) `21-Field-Notes/` topla / (c) hibrit. **Önerim: (b).** +2. **Hangi fazlar çalışsın?** (Hepsi mi, yoksa belirli sıra mı? Önerim: Faz 1 → 2 → 5 → 4 → 3 → 6 → 7.) +3. **"production-tested" çerçevesi:** dürüst yeniden-çerçeve mi, yoksa `` ile sana mı bırakayım? + +> *"Repo cevheri sağlam — 125 deep-dive, %99 anatomi uyumu. İş, cilada ve eski saha notlarını taksonomiye düzgün oturtmakta; içeriği yeniden yazmakta değil."* From 666176f53cf67ae47dfe2cceb286e707f068aded Mon Sep 17 00:00:00 2001 
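Review bot: the §7 statement "Gerçek IP/e-posta/credential/SHA sızıntısı: YOK" rests on a manual read of the working tree while the leak-scan tooling is deferred to Faz 7; because Faz 1 is planned as `git mv`, the original files with `cipassword = "ubuntu"` and the literal `192.168.x` ranges stay reachable in history, so the scan should cover history as well as the tree, and the report should name the tool behind the "none found" result. Separately, several placeholders in this hunk appear as empty backticks (the "CLAUDE.md `` istiyor" and "192.168.x → ``" entries); if the convention is an angle-bracket token, it survives MkDocs only inside a code span or fence, which is worth stating in §7 before the Faz 4 placeholder sweep writes such tokens into unfenced prose.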
From: halilibrahimd27
Date: Sun, 28 Jun 2026 00:55:28 +0300
Subject: [PATCH 02/10] refactor(structure): Phase 1 — gather field notes under 21-Field-Notes/ + kebab-case + build sync
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Structural hygiene (AUDIT.md §4-6):
- 5 ad-hoc folders (System/Network/Ansible/Terraform/Kubectl) → git mv into 21-Field-Notes/ subfolders; all files kebab-case + .md extension (5 extensionless + 2 H2-first files converted to valid markdown: H1 added + raw scripts wrapped in ```bash/```hcl fences; content 100% preserved)
- Typos: Preperation→preparation, Manuel→modules
- RoadMap kept top-level as "Yol Haritası" (the site's hero learning path); "Advanced RoadMap.md" → "advanced-roadmap.md"
- 21-Field-Notes/README.md index added
- Internal links synced: Network→21-Field-Notes (08-Security, 07-Observability x4), README + RoadMap/README Advanced link
- scripts/build-docs.sh: numbered glob now covers 21; legacy folder copy/TITLES/nav removed; 21-Field-Notes + RoadMap subsection titles added
- mkdocs.yml exclude_docs: stale LAUNCH-PLAN.md + the moved Ansible entry + gitignored MARKETING.md removed; AUDIT/CHANGES-SUMMARY added

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 07-Observability/Logs-Loki-vs-ELK.md | 4 +-
 08-Security/Runtime-Security.md | 4 +-
 21-Field-Notes/README.md | 53 +++++++++++++++++++
 .../ansible/ssh-connectivity-test.md | 6 +++
 .../ansible/system-preparation.md | 6 +++
 .../kubectl/cluster-passwords.md | 8 ++-
 .../kubectl/logging-elasticsearch.md | 2 +
 .../network-segmentation-wazuh-siem.md | 0
 .../system/devops-certification-roadmap.md | 0
 .../system/external-access-solutions.md | 6 +++
 .../system/github-actions-pipeline-setup.md | 0
 .../system/inventory-management-example.md | 2 +
 .../system/kubernetes-cluster-installation.md | 0
 .../system/production-ready-repo-layout.md | 0
.../terraform/modules-create-vm.md | 6 +++ .../terraform/proxmox-configuration.md | 6 +++ README.md | 2 +- RoadMap/README.md | 6 +-- ...dvanced RoadMap.md => advanced-roadmap.md} | 0 mkdocs.yml | 8 +-- scripts/build-docs.sh | 49 +++++++++-------- 21 files changed, 134 insertions(+), 34 deletions(-) create mode 100644 21-Field-Notes/README.md rename Ansible/SSH CONNECTIVITY TEST => 21-Field-Notes/ansible/ssh-connectivity-test.md (91%) rename Ansible/Ansible System Preperation => 21-Field-Notes/ansible/system-preparation.md (98%) rename Kubectl/Password/Pass.md => 21-Field-Notes/kubectl/cluster-passwords.md (88%) rename Kubectl/Logging/Apply.md => 21-Field-Notes/kubectl/logging-elasticsearch.md (99%) rename Network/Network Segmentation and Wazuh SIEM Integration Guide.md => 21-Field-Notes/network/network-segmentation-wazuh-siem.md (100%) rename System/Certified.md => 21-Field-Notes/system/devops-certification-roadmap.md (100%) rename System/EXTERNAL ACCESS PROBLEM => 21-Field-Notes/system/external-access-solutions.md (98%) rename System/GitHub Actions Pipeline Setup Guide.md => 21-Field-Notes/system/github-actions-pipeline-setup.md (100%) rename System/Inventory Management Example.md => 21-Field-Notes/system/inventory-management-example.md (99%) rename System/Kubernetes Cluster Installation Guide.md => 21-Field-Notes/system/kubernetes-cluster-installation.md (100%) rename System/Full Production-Ready Repo Layout.md => 21-Field-Notes/system/production-ready-repo-layout.md (100%) rename Terraform/Manuel Terraform Modules Create VM => 21-Field-Notes/terraform/modules-create-vm.md (96%) rename Terraform/COMPLETE TERRAFORM CONFIGURATION FOR PROXMOX => 21-Field-Notes/terraform/proxmox-configuration.md (98%) rename RoadMap/{Advanced RoadMap.md => advanced-roadmap.md} (100%) diff --git a/07-Observability/Logs-Loki-vs-ELK.md b/07-Observability/Logs-Loki-vs-ELK.md index bfb059a..5bd5a8a 100644 --- a/07-Observability/Logs-Loki-vs-ELK.md 
+++ b/07-Observability/Logs-Loki-vs-ELK.md @@ -197,7 +197,7 @@ helm install opensearch opensearch/opensearch \ - Log + IDS + file integrity + vulnerability mgmt birleşik - KVKK için audit log + compliance reporting -> Detay: [`Network/Network Segmentation and Wazuh SIEM Integration Guide.md`](../Network/Network%20Segmentation%20and%20Wazuh%20SIEM%20Integration%20Guide.md) +> Detay: [`Network/Network Segmentation and Wazuh SIEM Integration Guide.md`](../21-Field-Notes/network/network-segmentation-wazuh-siem.md) --- @@ -321,7 +321,7 @@ Tasarruf: ~%92 - [`OpenTelemetry-Adoption.md`](OpenTelemetry-Adoption.md) - [`Tracing-with-Tempo.md`](Tracing-with-Tempo.md) - [`Profiling-with-Pyroscope.md`](Profiling-with-Pyroscope.md) -- [`Network/Network Segmentation and Wazuh SIEM Integration Guide.md`](../Network/Network%20Segmentation%20and%20Wazuh%20SIEM%20Integration%20Guide.md) +- [`Network/Network Segmentation and Wazuh SIEM Integration Guide.md`](../21-Field-Notes/network/network-segmentation-wazuh-siem.md) - [`19-Compliance/Audit-Evidence-Automation.md`](../19-Compliance/Audit-Evidence-Automation.md) --- diff --git a/08-Security/Runtime-Security.md b/08-Security/Runtime-Security.md index b33d85e..149a825 100644 --- a/08-Security/Runtime-Security.md +++ b/08-Security/Runtime-Security.md @@ -324,7 +324,7 @@ falcosidekick: ``` -Bkz: [`Network/Network Segmentation and Wazuh SIEM Integration Guide.md`](../Network/Network%20Segmentation%20and%20Wazuh%20SIEM%20Integration%20Guide.md). +Bkz: [`Network/Network Segmentation and Wazuh SIEM Integration Guide.md`](../21-Field-Notes/network/network-segmentation-wazuh-siem.md). --- 
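Review bot: the three link edits in this region (and the fourth in the Runtime-Security hunk that follows) change only the href; the visible text still reads `Network/Network Segmentation and Wazuh SIEM Integration Guide.md`, a path that no longer exists after this patch. Update the text to the new path as well, e.g. [`21-Field-Notes/network/network-segmentation-wazuh-siem.md`](../21-Field-Notes/network/network-segmentation-wazuh-siem.md); otherwise a reader copying the displayed path lands on nothing, and the Faz 7 `lychee` run will not flag it because the href itself resolves.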
@@ -431,7 +431,7 @@ cat /etc/shadow - [`Kubernetes-Hardening.md`](Kubernetes-Hardening.md) - [`Threat-Modeling.md`](Threat-Modeling.md) — coverage matrix sahibi - [`11-SRE/Incident-Response.md`](../11-SRE/Incident-Response.md) — alert → IR akışı -- [`Network/Network Segmentation and Wazuh SIEM Integration Guide.md`](../Network/Network%20Segmentation%20and%20Wazuh%20SIEM%20Integration%20Guide.md) +- [`Network/Network Segmentation and Wazuh SIEM Integration Guide.md`](../21-Field-Notes/network/network-segmentation-wazuh-siem.md) --- diff --git a/21-Field-Notes/README.md b/21-Field-Notes/README.md new file mode 100644 index 0000000..972b202 --- /dev/null +++ b/21-Field-Notes/README.md 
@@ -0,0 +1,53 @@ +# 21 · Saha Notları — Field Notes + +> *"Cilalı deep-dive değil; production'da yaşanıp not düşülmüş ham gerçeklik."* + +Bu bölüm, numaralı deep-dive'lardan farklı bir içerik sınıfıdır: gerçek +kurulumlardan kalan **ham komut, konfigürasyon ve kurulum rehberleri**. +Bilinçli olarak deep-dive anatomisine (epigraf → kavram tablosu → +anti-pattern → checklist) zorlanmadılar — değerleri "olduğu gibi +çalışan/çalışmış" olmalarında. Kendi ortamına uyarlayarak kullan. + +> ⚠️ Buradaki IP/parola/domain değerleri **örnektir**, placeholder mantığıyla +> okunmalı. Kendi gizli bilgilerini asla doğrudan kopyalama. + +--- + +## 🎯 İçindekiler + +### Ansible +| Dosya | Ne anlatır | +|---|---| +| [Sistem Hazırlığı](ansible/system-preparation.md) | k8s öncesi inventory + node hazırlık komutları | +| [SSH Bağlantı Testi](ansible/ssh-connectivity-test.md) | Node'lara toplu SSH erişim doğrulama | + +### Terraform +| Dosya | Ne anlatır | +|---|---| +| [Proxmox Tam Konfigürasyon](terraform/proxmox-configuration.md) | Proxmox üzerinde uçtan uca VM provisioning | +| [Modüllerle VM Oluşturma](terraform/modules-create-vm.md) | Elle Terraform modülü + VM oluşturma script'i | + +### System Setup +| Dosya | Ne anlatır | +|---|---| +| [Kubernetes Cluster Kurulumu](system/kubernetes-cluster-installation.md) | Proxmox/Ubuntu üzerinde cluster kurulumu | +| [Production-Ready Repo Layout](system/production-ready-repo-layout.md) | Laravel + TS + Flutter + K8s monorepo iskeleti | +| [GitHub Actions Pipeline Kurulumu](system/github-actions-pipeline-setup.md) | CI/CD pipeline adım adım | +| [Envanter Yönetimi Örneği](system/inventory-management-example.md) | DevOps envanter master template | +| [Dış Erişim Çözümleri](system/external-access-solutions.md) | External access / port-forward / ingress çözümleri | +| [DevOps Sertifika Roadmap](system/devops-certification-roadmap.md) | Senior seviye sertifika kariyer rehberi | + +### kubectl +| Dosya | Ne anlatır | +|---|---| +| [Logging 
(ElasticSearch)](kubectl/logging-elasticsearch.md) | Cluster log toplama notları | +| [Cluster Parolaları](kubectl/cluster-passwords.md) | Servis parolalarını toplama script'i | + +### Network / SIEM +| Dosya | Ne anlatır | +|---|---| +| [Ağ Segmentasyonu + Wazuh SIEM](network/network-segmentation-wazuh-siem.md) | VLAN segmentasyonu + Wazuh entegrasyonu | + +--- + +> *"Saha notu, steril dokümanın söylemediğini söyler: gerçekte ne kırıldı, ne işe yaradı."* diff --git a/Ansible/SSH CONNECTIVITY TEST b/21-Field-Notes/ansible/ssh-connectivity-test.md similarity index 91% rename from Ansible/SSH CONNECTIVITY TEST rename to 21-Field-Notes/ansible/ssh-connectivity-test.md index 188c676..205c35c 100644 --- a/Ansible/SSH CONNECTIVITY TEST +++ b/21-Field-Notes/ansible/ssh-connectivity-test.md @@ -1,3 +1,8 @@ +# SSH Bağlantı Testi + +> 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. + +```bash # SSH bağlantısını test et echo "🔍 Testing SSH connectivity..." @@ -23,3 +28,4 @@ ssh -i ~/.ssh/k8s-cluster -o ConnectTimeout=5 ubuntu@ 'echo "✅ # Load balancer nodes ssh -i ~/.ssh/k8s-cluster -o ConnectTimeout=5 ubuntu@ 'echo "✅ k8s-lb-1: $(hostname)"' ssh -i ~/.ssh/k8s-cluster -o ConnectTimeout=5 ubuntu@ 'echo "✅ k8s-lb-2: $(hostname)"' +``` diff --git a/Ansible/Ansible System Preperation b/21-Field-Notes/ansible/system-preparation.md similarity index 98% rename from Ansible/Ansible System Preperation rename to 21-Field-Notes/ansible/system-preparation.md index 3f92881..6060bd2 100644 --- a/Ansible/Ansible System Preperation +++ b/21-Field-Notes/ansible/system-preparation.md @@ -1,3 +1,8 @@ +# Ansible ile Sistem Hazırlığı + +> 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. + +```bash cd /root/k8s-production mkdir -p ansible/inventory @@ -390,3 +395,4 @@ cat > playbooks/04-load-balancer.yml << 'EOF' EOF ansible-playbook -i inventory/production.yml playbooks/04-load-balancer.yml +``` 
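Review bot: every target in ssh-connectivity-test.md reads `ubuntu@` with nothing after the `@` in this diff; if the file keeps the node IPs as angle-bracket placeholders, the new ```bash fence is what stops MkDocs from treating them as HTML tags, so the fence does real work here beyond highlighting. The two H2-first files in this patch (logging-elasticsearch.md, inventory-management-example.md) received only an H1, and the logging hunk shows an unfenced `kubectl apply -f - <` heredoc; check that its YAML body and any `<...>` tokens render on the built site, or give those files the same fence treatment.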
diff --git a/Kubectl/Password/Pass.md b/21-Field-Notes/kubectl/cluster-passwords.md similarity index 88% rename from Kubectl/Password/Pass.md rename to 21-Field-Notes/kubectl/cluster-passwords.md index c10a466..bac790e 100644 --- a/Kubectl/Password/Pass.md +++ b/21-Field-Notes/kubectl/cluster-passwords.md @@ -1,3 +1,8 @@ +# Kubernetes Cluster Parolaları (Toplama Script'i) + +> 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. + +```bash echo "=== 🔐 KUBERNETES CLUSTER PAROLALARİ ===" echo "" echo "📊 JENKINS:" @@ -17,4 +22,5 @@ echo "📊 Jenkins: http://$(kubectl get svc ingress-nginx-controller -n ingress echo "📈 Grafana: http://$(kubectl get svc prometheus-grafana -n monitoring -o jsonpath='{.spec.clusterIP}'):3000" echo "📊 Kibana: http://$(kubectl get svc kibana -n logging -o jsonpath='{.spec.clusterIP}'):5601" echo "🔍 Elasticsearch: http://$(kubectl get svc elasticsearch -n logging -o jsonpath='{.spec.clusterIP}'):9200" -echo "" \ No newline at end of file +echo "" +``` diff --git a/Kubectl/Logging/Apply.md b/21-Field-Notes/kubectl/logging-elasticsearch.md similarity index 99% rename from Kubectl/Logging/Apply.md rename to 21-Field-Notes/kubectl/logging-elasticsearch.md index ff3bd6d..75bf600 100644 --- a/Kubectl/Logging/Apply.md +++ b/21-Field-Notes/kubectl/logging-elasticsearch.md @@ -1,3 +1,5 @@ +# kubectl — Logging (ElasticSearch) + ## ElasticSearch kubectl apply -f - < 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. + +```bash # 🌐 EXTERNAL ACCESS İÇİN ÇÖZÜMLER # ══════════════════════════════════════════════════════════════ @@ -326,3 +331,4 @@ echo "kubectl port-forward --address 0.0.0.0 service/admin-frontend-service 8081 echo "kubectl port-forward --address 0.0.0.0 service/backend-service 8082:80 -n development &" echo "" echo "✅ Then access: http://:8080" +``` 
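Review bot: cluster-passwords.md exists to print service credentials (`=== 🔐 KUBERNETES CLUSTER PAROLALARİ ===`) and dashboard URLs to stdout, and the per-file banner only says to adapt it; it should also say that the output ends up in terminal scrollback, shell history and any CI log it is run from, and that the `http://...:3000` style URLs built from `.spec.clusterIP` reach Grafana/Kibana/Elasticsearch without TLS. In the same region, external-access-solutions.md echoes `kubectl port-forward --address 0.0.0.0 ... -n development &`, which binds the forward on every host interface; the 21-Field-Notes README warning only says IP/password/domain values are examples, so the exposure of the `development` services to anyone who can reach the host needs its own sentence in that file's banner.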
diff --git a/System/GitHub Actions Pipeline Setup Guide.md b/21-Field-Notes/system/github-actions-pipeline-setup.md similarity index 100% rename from System/GitHub Actions Pipeline Setup Guide.md rename to 21-Field-Notes/system/github-actions-pipeline-setup.md diff --git a/System/Inventory Management Example.md b/21-Field-Notes/system/inventory-management-example.md similarity index 99% rename from System/Inventory Management Example.md rename to 21-Field-Notes/system/inventory-management-example.md index 2ac3acb..48a031d 100644 --- a/System/Inventory Management Example.md +++ b/21-Field-Notes/system/inventory-management-example.md @@ -1,3 +1,5 @@ +# Envanter Yönetimi — Örnek (Master Template) + ## 📂 DEVOPS ENVANTER ANALİZİ — MASTER TEMPLATE --- diff --git a/System/Kubernetes Cluster Installation Guide.md b/21-Field-Notes/system/kubernetes-cluster-installation.md similarity index 100% rename from System/Kubernetes Cluster Installation Guide.md rename to 21-Field-Notes/system/kubernetes-cluster-installation.md diff --git a/System/Full Production-Ready Repo Layout.md b/21-Field-Notes/system/production-ready-repo-layout.md similarity index 100% rename from System/Full Production-Ready Repo Layout.md rename to 21-Field-Notes/system/production-ready-repo-layout.md diff --git a/Terraform/Manuel Terraform Modules Create VM b/21-Field-Notes/terraform/modules-create-vm.md similarity index 96% rename from Terraform/Manuel Terraform Modules Create VM rename to 21-Field-Notes/terraform/modules-create-vm.md index ef12ccd..9dcef7e 100644 --- a/Terraform/Manuel Terraform Modules Create VM +++ b/21-Field-Notes/terraform/modules-create-vm.md @@ -1,3 +1,8 @@ +# Terraform — Modüllerle VM Oluşturma + +> 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. + +```bash cat > create_vms_fixed.sh << 'EOF' #!/bin/bash set -e @@ -155,3 +160,4 @@ echo "Test: ssh -i ~/.ssh/k8s-cluster ubuntu@" EOF chmod +x create_vms_fixed.sh +``` 
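Review bot: the terraform notes are wrapped verbatim, so the AUDIT.md §7 findings ride along unchanged: proxmox-configuration.md (next hunk) still carries the hardcoded `cipassword = "ubuntu"` and the `192.168.1` / `8.8.8.8` example values, and this hunk's `echo "Test: ssh -i ~/.ssh/k8s-cluster ubuntu@"` line has an empty host. Preserving content is the stated goal of Faz 1, but the per-file banner should say that the cloud-init password is a deliberately weak example to be replaced, rather than leaving that to the README two levels up, since deep links land on this page directly.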
diff --git a/Terraform/COMPLETE TERRAFORM CONFIGURATION FOR PROXMOX b/21-Field-Notes/terraform/proxmox-configuration.md similarity index 98% rename from Terraform/COMPLETE TERRAFORM CONFIGURATION FOR PROXMOX rename to 21-Field-Notes/terraform/proxmox-configuration.md index b6c283b..0d5b23d 100644 --- a/Terraform/COMPLETE TERRAFORM CONFIGURATION FOR PROXMOX +++ b/21-Field-Notes/terraform/proxmox-configuration.md @@ -1,3 +1,8 @@ +# Terraform — Proxmox Tam Konfigürasyon + +> 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. + +```hcl # ===================================================== # COMPLETE TERRAFORM CONFIGURATION FOR PROXMOX # ===================================================== @@ -665,3 +670,4 @@ output "cluster_summary" { # base_ip = "192.168.1" # gateway = "192.168.1.1" # dns_servers = "8.8.8.8,8.8.4.4" +``` diff --git a/README.md b/README.md index ae7a081..c321905 100644 --- a/README.md +++ b/README.md 
@@ -74,7 +74,7 @@ | Sen kim hissediyorsun? | Buradan başla | |---|---| | 🆕 **Yeni başlıyorum, "DevOps nedir?"** | [`RoadMap/Modern-DevOps-2026.md`](RoadMap/Modern-DevOps-2026.md) | -| 🏗️ **Sıfırdan altyapı kuracağım** | [`RoadMap/Advanced RoadMap.md`](RoadMap/Advanced%20RoadMap.md) → [`05-Kubernetes/Production-Checklist.md`](05-Kubernetes/Production-Checklist.md) | +| 🏗️ **Sıfırdan altyapı kuracağım** | [`RoadMap/Advanced RoadMap.md`](RoadMap/advanced-roadmap.md) → [`05-Kubernetes/Production-Checklist.md`](05-Kubernetes/Production-Checklist.md) | | 🔥 **Şu an yangın söndürüyorum** | [`16-Cheatsheets/`](16-Cheatsheets/) → [`11-SRE/Incident-Response.md`](11-SRE/Incident-Response.md) | | 📦 **Yeni servis konteynerleştireceğim** | [`04-Containers/Dockerfile-Best-Practices.md`](04-Containers/Dockerfile-Best-Practices.md) → [`17-Templates/dockerfiles/`](17-Templates/dockerfiles/) | | 🚀 **CI/CD pipeline yazacağım** | [`02-CI-CD/Pipeline-Patterns.md`](02-CI-CD/Pipeline-Patterns.md) → [`17-Templates/github-actions/`](17-Templates/github-actions/) | diff --git a/RoadMap/README.md b/RoadMap/README.md index 54a897a..a95586f 100644 --- a/RoadMap/README.md +++ b/RoadMap/README.md @@ -44,7 +44,7 @@ seçtiğin seviyeden başla. Greenfield bir AWS hesabında EKS + GitOps + observability stack kuracağım. "End-to-end implementation" - [:octicons-arrow-right-24: Implementation guide](Advanced%20RoadMap.md) + [:octicons-arrow-right-24: Implementation guide](advanced-roadmap.md) 
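Review bot: the README.md hunk updates only the href: the link text still reads `RoadMap/Advanced RoadMap.md` while the target is `RoadMap/advanced-roadmap.md`, whereas the RoadMap/README.md hunks rename both text and target. Make the root README match (the commit message lists it among the synced links), so the displayed path is one a reader can actually open.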
@@ -56,7 +56,7 @@ seçtiğin seviyeden başla. |---|---|---| | **[Modern-DevOps-2026.md](Modern-DevOps-2026.md)** | **Herkes** — felsefe + 2026 stack | CALMS, DORA, modern tool haritası, 60-90 günlük adoption planı. **Buradan başla.** | | **[RoadMap.md](RoadMap.md)** | Mid+ — GitOps yapanlar | A→Z GitOps uygulama haritası: planlama, IaC, K8s, CI/CD, observability sırası | -| **[Advanced RoadMap.md](Advanced%20RoadMap.md)** | Senior — sıfırdan AWS implementation | Geliştirici makinesi → AWS → Terraform → EKS → ArgoCD → monitoring uçtan uca | +| **[advanced-roadmap.md](advanced-roadmap.md)** | Senior — sıfırdan AWS implementation | Geliştirici makinesi → AWS → Terraform → EKS → ArgoCD → monitoring uçtan uca | | **[Planning.md](Planning.md)** | Tech Lead'ler | Proje planlama şablonu — yeni bir altyapı projesi için checklist | --- @@ -209,7 +209,7 @@ Bu repo'da hangi noktada olduğunu görmek için: - **[Modern-DevOps-2026.md](Modern-DevOps-2026.md)** — DevOps felsefesi, CALMS, DORA, 2026 modern stack haritası, 60-90 günlük adoption planı - **[RoadMap.md](RoadMap.md)** — A'dan Z'ye GitOps uygulama yol haritası (mid+ için) -- **[Advanced RoadMap.md](Advanced%20RoadMap.md)** — Sıfırdan AWS + EKS + Terraform implementation (senior için) +- **[advanced-roadmap.md](advanced-roadmap.md)** — Sıfırdan AWS + EKS + Terraform implementation (senior için) - **[Planning.md](Planning.md)** — Yeni proje planlama şablonu (tech lead için) --- diff --git a/RoadMap/Advanced RoadMap.md b/RoadMap/advanced-roadmap.md similarity index 100% rename from RoadMap/Advanced RoadMap.md rename to RoadMap/advanced-roadmap.md diff --git a/mkdocs.yml b/mkdocs.yml index fcd64b0..a30e1f3 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -17,15 +17,15 @@ edit_uri: edit/main/ docs_dir: site_src site_dir: site -# MkDocs build sırasında dahil edilmeyecek dosyalar +# MkDocs build sırasında dahil edilmeyecek çalışma/meta dosyalar +# (build-docs.sh zaten yalnız içerik klasörlerini site_src'a stage'ler) exclude_docs: | - Ansible/SSH CONNECTIVITY TEST CLAUDE.md CODE_OF_CONDUCT.md SECURITY.md CONTRIBUTING.md - LAUNCH-PLAN.md - MARKETING.md + AUDIT.md + CHANGES-SUMMARY.md theme: name: material diff --git a/scripts/build-docs.sh b/scripts/build-docs.sh index acfa9c9..fd0d564 100644 --- a/scripts/build-docs.sh +++ b/scripts/build-docs.sh @@ -37,16 +37,16 @@ for f in CHANGELOG.md Glossary.md; do fi done -# 3) Numaralı klasörler (00-20) -for d in 0[0-9]-* 1[0-9]-* 20-*; do +# 3) Numaralı klasörler (00-21) +for d in 0[0-9]-* 1[0-9]-* 2[0-9]-*; do if [ -d "$d" ]; then cp -r "$d" "$STAGE/" echo " + $d/" fi done -# 4) Ek klasörler -for d in RoadMap System Ansible Kubectl Terraform Network; do +# 4) Ek klasörler (RoadMap top-level öğrenme yolu; saha notları 21-Field-Notes/ altında) +for d in RoadMap; do if [ -d "$d" ]; then cp -r "$d" "$STAGE/" echo " + $d/" @@ -85,12 +85,8 @@ declare -A TITLES=( ["18-Career"]="18 · Career" ["19-Compliance"]="19 · Compliance" ["20-Soft-Skills"]="20 · Soft Skills" + ["21-Field-Notes"]="21 · Saha Notları" ["RoadMap"]="🗺️ Yol Haritası" - ["System"]="🛠️ System Setup" - ["Ansible"]="Ansible" - ["Kubectl"]="kubectl" - ["Terraform"]="Terraform" - ["Network"]="Network/SIEM" ) for dir in "${!TITLES[@]}"; do @@ -126,11 +122,7 @@ nav: - 18-Career - 19-Compliance - 20-Soft-Skills - - System - - Ansible - - Kubectl - - Terraform - - Network + - 21-Field-Notes - "📖 Sözlük": Glossary.md - "📋 Changelog": CHANGELOG.md PAGES_EOF 
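Review bot: dropping `Ansible/SSH CONNECTIVITY TEST` from `exclude_docs` is not just housekeeping: that file was kept out of the build before, and after the rename into 21-Field-Notes/ansible/ it is staged by the widened glob `2[0-9]-*` and reached via `21-Field-Notes` in the nav, so the SSH test script (with its `~/.ssh/k8s-cluster` key path and node list) is published for the first time. Confirm that is intended and that the hosts are placeholders before the site deploys; the LAUNCH-PLAN.md and MARKETING.md removals are harmless, as AUDIT.md §6 says. Two smaller points: the comment says `00-21` but `2[0-9]-*` will also stage any future `22-…` folder, so either say so or narrow it to `2[01]-*`; and `for d in RoadMap; do` is now a one-item loop left over from the removed folder list.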
@@ -144,18 +136,33 @@ nav: - README.md - "Modern DevOps 2026 — Felsefe + 2026 Stack": Modern-DevOps-2026.md - "GitOps A→Z (Mid+)": RoadMap.md - - "Advanced — AWS/EKS Implementation (Senior)": Advanced RoadMap.md + - "Advanced — AWS/EKS Implementation (Senior)": advanced-roadmap.md - "Planning Şablonu (Tech Lead)": Planning.md EOF echo " + RoadMap/.pages (yeniden sıralı, Modern-DevOps-2026 başta)" fi -# 9) System klasörü uzun dosya isimleri kısaltma -if [ -d "$STAGE/System" ]; then - cat > "$STAGE/System/.pages" <<'EOF' -title: 🛠️ System Setup -EOF - echo " + System/.pages" +# RoadMap içindeki büyük "advanced-roadmap" alt-dosyalarına başlık (varsa) +if [ -d "$STAGE/RoadMap/advanced" ]; then + printf "title: Advanced — AWS/EKS\n" > "$STAGE/RoadMap/advanced/.pages" + echo " + RoadMap/advanced/.pages" +fi + +# 9) Saha Notları alt-klasör başlıkları +if [ -d "$STAGE/21-Field-Notes" ]; then + declare -A FN_TITLES=( + ["ansible"]="Ansible" + ["kubectl"]="kubectl" + ["network"]="Network / SIEM" + ["system"]="System Setup" + ["terraform"]="Terraform" + ) + for sub in "${!FN_TITLES[@]}"; do + if [ -d "$STAGE/21-Field-Notes/$sub" ]; then + printf "title: %s\n" "${FN_TITLES[$sub]}" > "$STAGE/21-Field-Notes/$sub/.pages" + fi + done + echo " + 21-Field-Notes/*/.pages" fi # Sayım From 5538fb3335d8c364260d9fb7a39b06ac8da2eb45 Mon Sep 17 00:00:00 2001 
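Review bot: the `RoadMap/advanced/.pages` block is guarded by `[ -d "$STAGE/RoadMap/advanced" ]` and that directory does not exist in this patch (it arrives with the Faz 2 split), so the block is dead code here; either land it together with the split or add a comment saying why it is early. The `FN_TITLES` loop writes only `title:` into each `21-Field-Notes/<sub>/.pages`, so page order inside a subfolder falls back to filename order and nothing requests README.md first the way the RoadMap block's explicit `nav:` does; check that the index still lands at the top of each section. Also, `echo " + 21-Field-Notes/*/.pages"` prints even when no subfolder matched, which will mislead anyone reading the build log.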
From: halilibrahimd27 Date: Sun, 28 Jun 2026 00:59:51 +0300 Subject: [PATCH 03/10] =?UTF-8?q?docs(roadmap):=20Faz=202=20=E2=80=94=20ad?= =?UTF-8?q?vanced-roadmap.md=20(8568=20sat=C4=B1r)=20=E2=86=92=2014=20faz?= =?UTF-8?q?=20sayfas=C4=B1=20+=20index?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit AUDIT.md §3: the single file was 217KB/8568 lines. Split at PHASE boundaries: - RoadMap/advanced/00-prerequisites … 13-quickstart-30min.md (14 pages) - advanced-roadmap.md is now a linked index of the 28-day plan (original title + subtitle preserved) - Content 100% preserved (Python assertion: lines 6..8568 distributed byte-complete; the only change is promoting each page's first ## → # H1 + a quickstart H1 fix) - Added the "advanced/" subfolder to the RoadMap nav in build-docs.sh - There were no in-file or cross-file anchor links → zero broken-link risk Co-Authored-By: Claude Opus 4.8 (1M context) --- RoadMap/advanced-roadmap.md | 8582 +---------------- RoadMap/advanced/00-prerequisites.md | 83 + RoadMap/advanced/01-aws-account-setup.md | 145 + RoadMap/advanced/02-terraform-iac.md | 1367 +++ RoadMap/advanced/03-containerization.md | 423 + RoadMap/advanced/04-cicd-pipeline.md | 510 + RoadMap/advanced/05-kubernetes-advanced.md | 550 ++ RoadMap/advanced/06-observability.md | 614 ++ RoadMap/advanced/07-secrets-security.md | 563 ++ RoadMap/advanced/08-backup-dr.md | 665 ++ RoadMap/advanced/09-gitops-automation.md | 711 ++ RoadMap/advanced/10-cost-performance.md | 822 ++ .../advanced/11-documentation-processes.md | 1364 +++ RoadMap/advanced/12-final-validation.md | 624 ++ RoadMap/advanced/13-quickstart-30min.md | 113 + scripts/build-docs.sh | 1 + 16 files changed, 8585 insertions(+), 8552 deletions(-) create mode 100644 RoadMap/advanced/00-prerequisites.md create mode 100644 RoadMap/advanced/01-aws-account-setup.md create mode 100644 RoadMap/advanced/02-terraform-iac.md create mode 100644 RoadMap/advanced/03-containerization.md create mode 100644
RoadMap/advanced/04-cicd-pipeline.md create mode 100644 RoadMap/advanced/05-kubernetes-advanced.md create mode 100644 RoadMap/advanced/06-observability.md create mode 100644 RoadMap/advanced/07-secrets-security.md create mode 100644 RoadMap/advanced/08-backup-dr.md create mode 100644 RoadMap/advanced/09-gitops-automation.md create mode 100644 RoadMap/advanced/10-cost-performance.md create mode 100644 RoadMap/advanced/11-documentation-processes.md create mode 100644 RoadMap/advanced/12-final-validation.md create mode 100644 RoadMap/advanced/13-quickstart-30min.md diff --git a/RoadMap/advanced-roadmap.md b/RoadMap/advanced-roadmap.md index 65826ae..ba84f61 100644 --- a/RoadMap/advanced-roadmap.md +++ b/RoadMap/advanced-roadmap.md 
@@ -3,8566 +3,44 @@ --- -## 📋 **ÖN KOŞULLAR VE HAZIRLIK** +> *"Bir senior'ın ofise gelip 28 günde sıfırdan production-grade AWS/EKS platformu kurma günlüğü."* -### 🖥️ **1. Geliştirici Makine Kurulumu** +Bu rehber, sıfır altyapıdan başlayıp **AWS + Terraform + EKS + ArgoCD + +observability + güvenlik + backup/DR**'a kadar uçtan uca bir kurulumu 28 günlük +plana yayar. Tek dosya 8500+ satıra ulaştığı için **faz faz okunabilir +sayfalara** bölündü; sırayla ya da ihtiyacın olan fazdan ilerleyebilirsin. -```bash -# 1.1 WSL2 kurulumu (Windows kullanıcıları için) -wsl --install -wsl --set-default-version 2 - -# 1.2 Essential tools kurulumu -# Ubuntu/Debian -sudo apt update && sudo apt install -y \ - curl wget git vim nano unzip \ - build-essential software-properties-common \ - apt-transport-https ca-certificates gnupg lsb-release - -# macOS -/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" -brew install curl wget git vim nano unzip -``` - -### 🔧 **1.2 Development Tools Kurulumu** - -```bash -# Docker kurulumu (Ubuntu) -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg -echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null -sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin -sudo usermod -aG docker $USER -newgrp docker - -# Docker kurulumu (macOS) -brew install --cask docker - -# Docker test -docker --version -docker run hello-world - -# kubectl kurulumu -curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" -sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl -kubectl version --client - -# Helm kurulumu -curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | 
bash -helm version - -# Terraform kurulumu -wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg -echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list -sudo apt update && sudo apt install terraform -terraform --version - -# AWS CLI kurulumu -curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" -unzip awscliv2.zip -sudo ./aws/install -aws --version -``` - -### 🎯 **1.3 IDE ve Editör Kurulumu** - -```bash -# VS Code kurulumu -# Ubuntu -wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > packages.microsoft.gpg -sudo install -o root -g root -m 644 packages.microsoft.gpg /etc/apt/trusted.gpg.d/ -sudo sh -c 'echo "deb [arch=amd64,arm64,armhf signed-by=/etc/apt/trusted.gpg.d/packages.microsoft.gpg] https://packages.microsoft.com/repos/code stable main" > /etc/apt/sources.list.d/vscode.list' -sudo apt update && sudo apt install code - -# macOS -brew install --cask visual-studio-code - -# Essential VS Code extensions -code --install-extension ms-vscode-remote.remote-wsl -code --install-extension ms-vscode.vscode-docker -code --install-extension hashicorp.terraform -code --install-extension ms-kubernetes-tools.vscode-kubernetes-tools -code --install-extension redhat.vscode-yaml -code --install-extension ms-vscode.azure-account -``` - ---- - -## 🏢 **PHASE 1: AWS HESAP VE İLK KURULUMLAR** (Gün 1-2) - -### ☁️ **2.1 AWS Hesap Kurulumu ve Organization Setup** - -```bash -# 2.1.1 AWS hesabı oluştur (manuel - web üzerinden) -# https://aws.amazon.com/free/ üzerinden hesap oluştur - -# 2.1.2 AWS CLI konfigürasyonu -aws configure -# AWS Access Key ID [None]: YOUR_ACCESS_KEY -# AWS Secret Access Key [None]: YOUR_SECRET_KEY -# Default region name [None]: eu-west-1 -# Default output format [None]: json - -# 2.1.3 AWS hesap doğrulama -aws 
sts get-caller-identity -aws ec2 describe-regions - -# 2.1.4 AWS Organization setup (Root hesap için) -aws organizations create-organization --feature-set ALL - -# 2.1.5 Organizational Units oluştur -aws organizations create-organizational-unit \ - --parent-id r-xxxx \ - --name "Production" - -aws organizations create-organizational-unit \ - --parent-id r-xxxx \ - --name "Development" - -aws organizations create-organizational-unit \ - --parent-id r-xxxx \ - --name "Security" -``` - -### 🔐 **2.2 IAM Setup ve Security Hardening** - -```bash -# 2.2.1 Admin user oluştur (root user kullanmamak için) -aws iam create-user --user-name devops-admin - -# 2.2.2 Admin user'a AdministratorAccess policy ekle -aws iam attach-user-policy \ - --user-name devops-admin \ - --policy-arn arn:aws:iam::aws:policy/AdministratorAccess - -# 2.2.3 Admin user için programmatic access -aws iam create-access-key --user-name devops-admin -# Output'taki access key ve secret key'i kaydet - -# 2.2.4 Password policy oluştur -cat > password-policy.json << 'EOF' -{ - "MinimumPasswordLength": 12, - "RequireSymbols": true, - "RequireNumbers": true, - "RequireUppercaseCharacters": true, - "RequireLowercaseCharacters": true, - "AllowUsersToChangePassword": true, - "MaxPasswordAge": 90, - "PasswordReusePrevention": 5, - "HardExpiry": false -} -EOF - -aws iam update-account-password-policy --cli-input-json file://password-policy.json - -# 2.2.5 MFA activation (console üzerinden yapılacak) -# https://console.aws.amazon.com/iam/home#/security_credentials -``` - -### 🏗️ **2.3 Project Directory Structure Oluşturma** - -```bash -# 2.3.1 Ana proje dizini oluştur -mkdir -p ~/devops-infrastructure -cd ~/devops-infrastructure - -# 2.3.2 Directory structure oluştur -mkdir -p {terraform/{modules,environments/{dev,staging,prod}},kubernetes/{base,overlays/{dev,staging,prod}},docker,scripts,docs,monitoring,backup} - -# 2.3.3 Git repository initialize -git init -git config user.name "Your Name" -git config user.email 
"your.email@company.com" - -# 2.3.4 .gitignore oluştur -cat > .gitignore << 'EOF' -# Terraform -*.tfstate -*.tfstate.* -.terraform/ -.terraform.lock.hcl -terraform.tfvars -*.tfplan - -# Docker -.dockerignore - -# IDE -.vscode/ -.idea/ - -# OS -.DS_Store -Thumbs.db - -# Logs -*.log - -# Secrets -secrets/ -*.pem -*.key -!public.key - -# Backup -backup/ -EOF - -# 2.3.5 README.md oluştur -cat > README.md << 'EOF' -# DevOps Infrastructure - -Bu repository şirketimizin DevOps altyapısını içerir. - -## Struktur -- `terraform/` - Infrastructure as Code -- `kubernetes/` - K8s manifests -- `docker/` - Dockerfile'lar -- `scripts/` - Automation scripts -- `docs/` - Dokümantasyon -- `monitoring/` - Monitoring configs -- `backup/` - Backup scripts - -## Kurulum -[Kurulum talimatları buraya] -EOF - -git add . -git commit -m "Initial project structure" -``` - ---- - -## 🛠️ **PHASE 2: TERRAFORM VE INFRASTRUCTURE AS CODE** (Gün 3-5) - -### 🏗️ **3.1 Terraform Backend Setup** - -```bash -# 3.1.1 Terraform backend için S3 bucket ve DynamoDB table oluştur -cd ~/devops-infrastructure/terraform - -# 3.1.2 Backend setup script -cat > setup-backend.sh << 'EOF' -#!/bin/bash - -# Variables -BUCKET_NAME="devops-terraform-state-$(openssl rand -hex 8)" -REGION="eu-west-1" -DYNAMODB_TABLE="terraform-state-lock" - -# S3 bucket oluştur -aws s3 mb s3://$BUCKET_NAME --region $REGION - -# S3 bucket versioning aktifleştir -aws s3api put-bucket-versioning \ - --bucket $BUCKET_NAME \ - --versioning-configuration Status=Enabled - -# S3 bucket encryption aktifleştir -aws s3api put-bucket-encryption \ - --bucket $BUCKET_NAME \ - --server-side-encryption-configuration '{ - "Rules": [ - { - "ApplyServerSideEncryptionByDefault": { - "SSEAlgorithm": "AES256" - } - } - ] - }' - -# DynamoDB table oluştur -aws dynamodb create-table \ - --table-name $DYNAMODB_TABLE \ - --attribute-definitions AttributeName=LockID,AttributeType=S \ - --key-schema AttributeName=LockID,KeyType=HASH \ - --provisioned-throughput 
ReadCapacityUnits=5,WriteCapacityUnits=5 \ - --region $REGION - -echo "Backend setup completed!" -echo "S3 Bucket: $BUCKET_NAME" -echo "DynamoDB Table: $DYNAMODB_TABLE" -echo "Region: $REGION" - -# .env dosyasına kaydet -cat > ../.env << EOF -export TF_VAR_backend_bucket=$BUCKET_NAME -export TF_VAR_backend_region=$REGION -export TF_VAR_backend_dynamodb_table=$DYNAMODB_TABLE -EOF -EOF - -chmod +x setup-backend.sh -./setup-backend.sh -source ../.env -``` - -### 🗂️ **3.2 Terraform Module Structure** - -```bash -# 3.2.1 Terraform modules dizin yapısı -cd ~/devops-infrastructure/terraform/modules - -# 3.2.2 VPC module -mkdir -p vpc -cat > vpc/main.tf << 'EOF' -variable "vpc_cidr" { - description = "CIDR block for VPC" - type = string - default = "10.0.0.0/16" -} - -variable "availability_zones" { - description = "Availability zones" - type = list(string) - default = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] -} - -variable "environment" { - description = "Environment name" - type = string -} - -variable "project_name" { - description = "Project name" - type = string -} - -# VPC -resource "aws_vpc" "main" { - cidr_block = var.vpc_cidr - enable_dns_hostnames = true - enable_dns_support = true - - tags = { - Name = "${var.project_name}-${var.environment}-vpc" - Environment = var.environment - Project = var.project_name - } -} - -# Internet Gateway -resource "aws_internet_gateway" "main" { - vpc_id = aws_vpc.main.id - - tags = { - Name = "${var.project_name}-${var.environment}-igw" - Environment = var.environment - Project = var.project_name - } -} - -# Public Subnets -resource "aws_subnet" "public" { - count = length(var.availability_zones) - - vpc_id = aws_vpc.main.id - cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index) - availability_zone = var.availability_zones[count.index] - map_public_ip_on_launch = true - - tags = { - Name = "${var.project_name}-${var.environment}-public-${count.index + 1}" - Environment = var.environment - Project = var.project_name - Type = 
"public" - } -} - -# Private Subnets -resource "aws_subnet" "private" { - count = length(var.availability_zones) - - vpc_id = aws_vpc.main.id - cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index + length(var.availability_zones)) - availability_zone = var.availability_zones[count.index] - - tags = { - Name = "${var.project_name}-${var.environment}-private-${count.index + 1}" - Environment = var.environment - Project = var.project_name - Type = "private" - } -} - -# Elastic IPs for NAT Gateways -resource "aws_eip" "nat" { - count = length(var.availability_zones) - - domain = "vpc" - depends_on = [aws_internet_gateway.main] - - tags = { - Name = "${var.project_name}-${var.environment}-eip-${count.index + 1}" - Environment = var.environment - Project = var.project_name - } -} - -# NAT Gateways -resource "aws_nat_gateway" "main" { - count = length(var.availability_zones) - - allocation_id = aws_eip.nat[count.index].id - subnet_id = aws_subnet.public[count.index].id - - tags = { - Name = "${var.project_name}-${var.environment}-nat-${count.index + 1}" - Environment = var.environment - Project = var.project_name - } - - depends_on = [aws_internet_gateway.main] -} - -# Route table for public subnets -resource "aws_route_table" "public" { - vpc_id = aws_vpc.main.id - - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.main.id - } - - tags = { - Name = "${var.project_name}-${var.environment}-public-rt" - Environment = var.environment - Project = var.project_name - } -} - -# Route table associations for public subnets -resource "aws_route_table_association" "public" { - count = length(aws_subnet.public) - - subnet_id = aws_subnet.public[count.index].id - route_table_id = aws_route_table.public.id -} - -# Route tables for private subnets -resource "aws_route_table" "private" { - count = length(var.availability_zones) - - vpc_id = aws_vpc.main.id - - route { - cidr_block = "0.0.0.0/0" - nat_gateway_id = aws_nat_gateway.main[count.index].id - } - - tags = { 
- Name = "${var.project_name}-${var.environment}-private-rt-${count.index + 1}" - Environment = var.environment - Project = var.project_name - } -} - -# Route table associations for private subnets -resource "aws_route_table_association" "private" { - count = length(aws_subnet.private) - - subnet_id = aws_subnet.private[count.index].id - route_table_id = aws_route_table.private[count.index].id -} - -# VPC Flow Logs -resource "aws_flow_log" "vpc" { - iam_role_arn = aws_iam_role.flow_log.arn - log_destination = aws_cloudwatch_log_group.vpc_flow_log.arn - traffic_type = "ALL" - vpc_id = aws_vpc.main.id -} - -resource "aws_cloudwatch_log_group" "vpc_flow_log" { - name = "/aws/vpc/flow-logs" - retention_in_days = 7 -} - -resource "aws_iam_role" "flow_log" { - name = "${var.project_name}-${var.environment}-flow-log-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - Service = "vpc-flow-logs.amazonaws.com" - } - } - ] - }) -} - -resource "aws_iam_role_policy" "flow_log" { - name = "${var.project_name}-${var.environment}-flow-log-policy" - role = aws_iam_role.flow_log.id - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:DescribeLogGroups", - "logs:DescribeLogStreams" - ] - Effect = "Allow" - Resource = "*" - } - ] - }) -} -EOF - -cat > vpc/outputs.tf << 'EOF' -output "vpc_id" { - description = "ID of the VPC" - value = aws_vpc.main.id -} - -output "vpc_cidr_block" { - description = "CIDR block of the VPC" - value = aws_vpc.main.cidr_block -} - -output "public_subnet_ids" { - description = "IDs of the public subnets" - value = aws_subnet.public[*].id -} - -output "private_subnet_ids" { - description = "IDs of the private subnets" - value = aws_subnet.private[*].id -} - -output "internet_gateway_id" { - description = "ID of the Internet Gateway" - value = 
aws_internet_gateway.main.id -} - -output "nat_gateway_ids" { - description = "IDs of the NAT Gateways" - value = aws_nat_gateway.main[*].id -} -EOF - -cat > vpc/versions.tf << 'EOF' -terraform { - required_version = ">= 1.0" - - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 5.0" - } - } -} -EOF -``` - -### 🔒 **3.3 Security Groups Module** - -```bash -# 3.3.1 Security Groups module -mkdir -p security-groups -cat > security-groups/main.tf << 'EOF' -variable "vpc_id" { - description = "VPC ID" - type = string -} - -variable "environment" { - description = "Environment name" - type = string -} - -variable "project_name" { - description = "Project name" - type = string -} - -# ALB Security Group -resource "aws_security_group" "alb" { - name_prefix = "${var.project_name}-${var.environment}-alb-" - vpc_id = var.vpc_id - - ingress { - description = "HTTP" - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - description = "HTTPS" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - tags = { - Name = "${var.project_name}-${var.environment}-alb-sg" - Environment = var.environment - Project = var.project_name - } - - lifecycle { - create_before_destroy = true - } -} - -# EKS Cluster Security Group -resource "aws_security_group" "eks_cluster" { - name_prefix = "${var.project_name}-${var.environment}-eks-cluster-" - vpc_id = var.vpc_id - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - tags = { - Name = "${var.project_name}-${var.environment}-eks-cluster-sg" - Environment = var.environment - Project = var.project_name - } - - lifecycle { - create_before_destroy = true - } -} - -# EKS Node Group Security Group -resource "aws_security_group" "eks_nodes" { - name_prefix = "${var.project_name}-${var.environment}-eks-nodes-" - 
vpc_id = var.vpc_id - - ingress { - description = "Allow nodes to communicate with each other" - from_port = 0 - to_port = 65535 - protocol = "tcp" - self = true - } - - ingress { - description = "Allow worker Kubelets and pods to receive communication from the cluster control plane" - from_port = 1025 - to_port = 65535 - protocol = "tcp" - security_groups = [aws_security_group.eks_cluster.id] - } - - ingress { - description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane" - from_port = 443 - to_port = 443 - protocol = "tcp" - security_groups = [aws_security_group.eks_cluster.id] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - tags = { - Name = "${var.project_name}-${var.environment}-eks-nodes-sg" - Environment = var.environment - Project = var.project_name - } - - lifecycle { - create_before_destroy = true - } -} - -# RDS Security Group -resource "aws_security_group" "rds" { - name_prefix = "${var.project_name}-${var.environment}-rds-" - vpc_id = var.vpc_id - - ingress { - description = "MySQL/Aurora" - from_port = 3306 - to_port = 3306 - protocol = "tcp" - security_groups = [aws_security_group.eks_nodes.id] - } - - ingress { - description = "PostgreSQL" - from_port = 5432 - to_port = 5432 - protocol = "tcp" - security_groups = [aws_security_group.eks_nodes.id] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - tags = { - Name = "${var.project_name}-${var.environment}-rds-sg" - Environment = var.environment - Project = var.project_name - } - - lifecycle { - create_before_destroy = true - } -} - -# ElastiCache Security Group -resource "aws_security_group" "elasticache" { - name_prefix = "${var.project_name}-${var.environment}-elasticache-" - vpc_id = var.vpc_id - - ingress { - description = "Redis" - from_port = 6379 - to_port = 6379 - protocol = "tcp" - security_groups = 
[aws_security_group.eks_nodes.id] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - tags = { - Name = "${var.project_name}-${var.environment}-elasticache-sg" - Environment = var.environment - Project = var.project_name - } - - lifecycle { - create_before_destroy = true - } -} -EOF - -cat > security-groups/outputs.tf << 'EOF' -output "alb_security_group_id" { - description = "ALB Security Group ID" - value = aws_security_group.alb.id -} - -output "eks_cluster_security_group_id" { - description = "EKS Cluster Security Group ID" - value = aws_security_group.eks_cluster.id -} - -output "eks_nodes_security_group_id" { - description = "EKS Nodes Security Group ID" - value = aws_security_group.eks_nodes.id -} - -output "rds_security_group_id" { - description = "RDS Security Group ID" - value = aws_security_group.rds.id -} - -output "elasticache_security_group_id" { - description = "ElastiCache Security Group ID" - value = aws_security_group.elasticache.id -} -EOF -``` - -### 🔧 **3.4 EKS Module** - -```bash -# 3.4.1 EKS module -mkdir -p eks -cat > eks/main.tf << 'EOF' -variable "cluster_name" { - description = "EKS cluster name" - type = string -} - -variable "cluster_version" { - description = "Kubernetes version" - type = string - default = "1.28" -} - -variable "subnet_ids" { - description = "Subnet IDs for EKS cluster" - type = list(string) -} - -variable "node_subnet_ids" { - description = "Subnet IDs for EKS node groups" - type = list(string) -} - -variable "cluster_security_group_id" { - description = "Security group ID for EKS cluster" - type = string -} - -variable "node_security_group_id" { - description = "Security group ID for EKS nodes" - type = string -} - -variable "environment" { - description = "Environment name" - type = string -} - -variable "project_name" { - description = "Project name" - type = string -} - -# EKS Cluster IAM Role -resource "aws_iam_role" "cluster" { - name = 
"${var.project_name}-${var.environment}-eks-cluster-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - Service = "eks.amazonaws.com" - } - } - ] - }) - - tags = { - Environment = var.environment - Project = var.project_name - } -} - -resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSClusterPolicy" { - policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" - role = aws_iam_role.cluster.name -} - -# EKS Node Group IAM Role -resource "aws_iam_role" "node_group" { - name = "${var.project_name}-${var.environment}-eks-node-group-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - Service = "ec2.amazonaws.com" - } - } - ] - }) - - tags = { - Environment = var.environment - Project = var.project_name - } -} - -resource "aws_iam_role_policy_attachment" "node_group_AmazonEKSWorkerNodePolicy" { - policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" - role = aws_iam_role.node_group.name -} - -resource "aws_iam_role_policy_attachment" "node_group_AmazonEKS_CNI_Policy" { - policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" - role = aws_iam_role.node_group.name -} - -resource "aws_iam_role_policy_attachment" "node_group_AmazonEC2ContainerRegistryReadOnly" { - policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" - role = aws_iam_role.node_group.name -} - -# EKS Cluster -resource "aws_eks_cluster" "main" { - name = var.cluster_name - role_arn = aws_iam_role.cluster.arn - version = var.cluster_version - - vpc_config { - subnet_ids = var.subnet_ids - security_group_ids = [var.cluster_security_group_id] - endpoint_private_access = true - endpoint_public_access = true - public_access_cidrs = ["0.0.0.0/0"] - } - - enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"] - - 
encryption_config { - provider { - key_arn = aws_kms_key.eks.arn - } - resources = ["secrets"] - } - - depends_on = [ - aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy, - aws_cloudwatch_log_group.eks - ] - - tags = { - Name = var.cluster_name - Environment = var.environment - Project = var.project_name - } -} - -# CloudWatch Log Group for EKS -resource "aws_cloudwatch_log_group" "eks" { - name = "/aws/eks/${var.cluster_name}/cluster" - retention_in_days = 7 -} - -# KMS Key for EKS encryption -resource "aws_kms_key" "eks" { - description = "EKS Secret Encryption Key" - deletion_window_in_days = 7 - - tags = { - Name = "${var.project_name}-${var.environment}-eks-kms" - Environment = var.environment - Project = var.project_name - } -} - -resource "aws_kms_alias" "eks" { - name = "alias/${var.project_name}-${var.environment}-eks" - target_key_id = aws_kms_key.eks.key_id -} - -# EKS Node Group -resource "aws_eks_node_group" "main" { - cluster_name = aws_eks_cluster.main.name - node_group_name = "${var.cluster_name}-node-group" - node_role_arn = aws_iam_role.node_group.arn - subnet_ids = var.node_subnet_ids - - capacity_type = "ON_DEMAND" - ami_type = "AL2_x86_64" - instance_types = ["t3.medium"] - disk_size = 20 - - scaling_config { - desired_size = 2 - max_size = 10 - min_size = 1 - } - - update_config { - max_unavailable = 1 - } - - # Remote access configuration - remote_access { - ec2_ssh_key = aws_key_pair.eks_nodes.key_name - source_security_group_ids = [var.node_security_group_id] - } - - depends_on = [ - aws_iam_role_policy_attachment.node_group_AmazonEKSWorkerNodePolicy, - aws_iam_role_policy_attachment.node_group_AmazonEKS_CNI_Policy, - aws_iam_role_policy_attachment.node_group_AmazonEC2ContainerRegistryReadOnly, - ] - - tags = { - Name = "${var.cluster_name}-node-group" - Environment = var.environment - Project = var.project_name - } -} - -# SSH Key Pair for EKS nodes -resource "aws_key_pair" "eks_nodes" { - key_name = 
"${var.cluster_name}-eks-nodes" - public_key = file("~/.ssh/id_rsa.pub") - - tags = { - Name = "${var.cluster_name}-eks-nodes" - Environment = var.environment - Project = var.project_name - } -} - -# EKS Add-ons -resource "aws_eks_addon" "coredns" { - cluster_name = aws_eks_cluster.main.name - addon_name = "coredns" - addon_version = "v1.10.1-eksbuild.5" - resolve_conflicts_on_create = "OVERWRITE" -} - -resource "aws_eks_addon" "kube_proxy" { - cluster_name = aws_eks_cluster.main.name - addon_name = "kube-proxy" - addon_version = "v1.28.2-eksbuild.2" - resolve_conflicts_on_create = "OVERWRITE" -} - -resource "aws_eks_addon" "vpc_cni" { - cluster_name = aws_eks_cluster.main.name - addon_name = "vpc-cni" - addon_version = "v1.15.1-eksbuild.1" - resolve_conflicts_on_create = "OVERWRITE" -} - -resource "aws_eks_addon" "ebs_csi" { - cluster_name = aws_eks_cluster.main.name - addon_name = "aws-ebs-csi-driver" - addon_version = "v1.25.0-eksbuild.1" - resolve_conflicts_on_create = "OVERWRITE" -} -EOF - -cat > eks/outputs.tf << 'EOF' -output "cluster_id" { - description = "EKS cluster ID" - value = aws_eks_cluster.main.id -} - -output "cluster_arn" { - description = "EKS cluster ARN" - value = aws_eks_cluster.main.arn -} - -output "cluster_endpoint" { - description = "EKS cluster endpoint" - value = aws_eks_cluster.main.endpoint -} - -output "cluster_security_group_id" { - description = "EKS cluster security group ID" - value = aws_eks_cluster.main.vpc_config[0].cluster_security_group_id -} - -output "cluster_certificate_authority_data" { - description = "EKS cluster certificate authority data" - value = aws_eks_cluster.main.certificate_authority[0].data -} - -output "cluster_version" { - description = "EKS cluster Kubernetes version" - value = aws_eks_cluster.main.version -} - -output "node_group_arn" { - description = "EKS node group ARN" - value = aws_eks_node_group.main.arn -} - -output "node_group_status" { - description = "EKS node group status" - value = 
aws_eks_node_group.main.status -} -EOF -``` - -### 🗃️ **3.5 RDS Module** - -```bash -# 3.5.1 RDS module -mkdir -p rds -cat > rds/main.tf << 'EOF' -variable "db_name" { - description = "Database name" - type = string -} - -variable "db_username" { - description = "Database username" - type = string - default = "admin" -} - -variable "db_password" { - description = "Database password" - type = string - sensitive = true -} - -variable "subnet_ids" { - description = "Subnet IDs for RDS" - type = list(string) -} - -variable "security_group_id" { - description = "Security group ID for RDS" - type = string -} - -variable "environment" { - description = "Environment name" - type = string -} - -variable "project_name" { - description = "Project name" - type = string -} - -variable "engine" { - description = "Database engine" - type = string - default = "postgres" -} - -variable "engine_version" { - description = "Database engine version" - type = string - default = "15.4" -} - -variable "instance_class" { - description = "RDS instance class" - type = string - default = "db.t3.micro" -} - -variable "allocated_storage" { - description = "RDS allocated storage" - type = number - default = 20 -} - -variable "backup_retention_period" { - description = "Backup retention period in days" - type = number - default = 7 -} - -# DB Subnet Group -resource "aws_db_subnet_group" "main" { - name = "${var.project_name}-${var.environment}-db-subnet-group" - subnet_ids = var.subnet_ids - - tags = { - Name = "${var.project_name}-${var.environment}-db-subnet-group" - Environment = var.environment - Project = var.project_name - } -} - -# DB Parameter Group -resource "aws_db_parameter_group" "main" { - family = "${var.engine}15" - name = "${var.project_name}-${var.environment}-db-params" - - dynamic "parameter" { - for_each = var.engine == "postgres" ? 
[ - { - name = "log_statement" - value = "all" - }, - { - name = "log_duration" - value = "1" - }, - { - name = "log_min_duration_statement" - value = "1000" - } - ] : [] - - content { - name = parameter.value.name - value = parameter.value.value - } - } - - tags = { - Name = "${var.project_name}-${var.environment}-db-params" - Environment = var.environment - Project = var.project_name - } -} - -# KMS Key for RDS encryption -resource "aws_kms_key" "rds" { - description = "RDS encryption key" - deletion_window_in_days = 7 - - tags = { - Name = "${var.project_name}-${var.environment}-rds-kms" - Environment = var.environment - Project = var.project_name - } -} - -resource "aws_kms_alias" "rds" { - name = "alias/${var.project_name}-${var.environment}-rds" - target_key_id = aws_kms_key.rds.key_id -} - -# RDS Instance -resource "aws_db_instance" "main" { - identifier = "${var.project_name}-${var.environment}-db" - - # Engine options - engine = var.engine - engine_version = var.engine_version - instance_class = var.instance_class - - # Storage - allocated_storage = var.allocated_storage - max_allocated_storage = var.allocated_storage * 2 - storage_type = "gp3" - storage_encrypted = true - kms_key_id = aws_kms_key.rds.arn - - # Database - db_name = var.db_name - username = var.db_username - password = var.db_password - - # Network & Security - db_subnet_group_name = aws_db_subnet_group.main.name - vpc_security_group_ids = [var.security_group_id] - publicly_accessible = false - - # Backup - backup_retention_period = var.backup_retention_period - backup_window = "03:00-04:00" - maintenance_window = "sun:04:00-sun:05:00" - - # Monitoring - monitoring_interval = 60 - monitoring_role_arn = aws_iam_role.rds_monitoring.arn - - # Performance Insights - performance_insights_enabled = true - performance_insights_kms_key_id = aws_kms_key.rds.arn - - # Parameters - parameter_group_name = aws_db_parameter_group.main.name - - # Deletion protection - deletion_protection = var.environment 
== "prod" ? true : false - skip_final_snapshot = var.environment == "prod" ? false : true - final_snapshot_identifier = var.environment == "prod" ? "${var.project_name}-${var.environment}-final-snapshot-${formatdate("YYYY-MM-DD-hhmm", timestamp())}" : null - - tags = { - Name = "${var.project_name}-${var.environment}-db" - Environment = var.environment - Project = var.project_name - } -} - -# IAM Role for RDS Enhanced Monitoring -resource "aws_iam_role" "rds_monitoring" { - name = "${var.project_name}-${var.environment}-rds-monitoring-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - Service = "monitoring.rds.amazonaws.com" - } - } - ] - }) - - tags = { - Environment = var.environment - Project = var.project_name - } -} - -resource "aws_iam_role_policy_attachment" "rds_monitoring" { - role = aws_iam_role.rds_monitoring.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole" -} - -# Read Replica (for production) -resource "aws_db_instance" "read_replica" { - count = var.environment == "prod" ? 
1 : 0 - - identifier = "${var.project_name}-${var.environment}-db-read-replica" - - replicate_source_db = aws_db_instance.main.identifier - instance_class = var.instance_class - - # Network & Security - vpc_security_group_ids = [var.security_group_id] - publicly_accessible = false - - # Monitoring - monitoring_interval = 60 - monitoring_role_arn = aws_iam_role.rds_monitoring.arn - - # Performance Insights - performance_insights_enabled = true - performance_insights_kms_key_id = aws_kms_key.rds.arn - - skip_final_snapshot = true - - tags = { - Name = "${var.project_name}-${var.environment}-db-read-replica" - Environment = var.environment - Project = var.project_name - } -} -EOF - -cat > rds/outputs.tf << 'EOF' -output "db_instance_endpoint" { - description = "RDS instance endpoint" - value = aws_db_instance.main.endpoint -} - -output "db_instance_id" { - description = "RDS instance ID" - value = aws_db_instance.main.id -} - -output "db_instance_arn" { - description = "RDS instance ARN" - value = aws_db_instance.main.arn -} - -output "db_instance_port" { - description = "RDS instance port" - value = aws_db_instance.main.port -} - -output "db_subnet_group_id" { - description = "DB subnet group ID" - value = aws_db_subnet_group.main.id -} - -output "db_parameter_group_id" { - description = "DB parameter group ID" - value = aws_db_parameter_group.main.id -} - -output "read_replica_endpoint" { - description = "Read replica endpoint" - value = var.environment == "prod" ? 
aws_db_instance.read_replica[0].endpoint : null -} -EOF -``` - -### 🎯 **3.6 Environment-Specific Configurations** - -```bash -# 3.6.1 Development environment -cd ~/devops-infrastructure/terraform/environments/dev - -# SSH key pair oluştur -ssh-keygen -t rsa -b 4096 -C "devops@company.com" -f ~/.ssh/id_rsa -N "" - -cat > main.tf << 'EOF' -terraform { - required_version = ">= 1.0" - - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 5.0" - } - } - - backend "s3" { - # Backend configuration will be provided via backend config file - } -} - -provider "aws" { - region = var.aws_region - - default_tags { - tags = { - Environment = var.environment - Project = var.project_name - ManagedBy = "Terraform" - } - } -} - -# Local values -locals { - cluster_name = "${var.project_name}-${var.environment}-eks" -} - -# VPC Module -module "vpc" { - source = "../../modules/vpc" - - vpc_cidr = var.vpc_cidr - availability_zones = var.availability_zones - environment = var.environment - project_name = var.project_name -} - -# Security Groups Module -module "security_groups" { - source = "../../modules/security-groups" - - vpc_id = module.vpc.vpc_id - environment = var.environment - project_name = var.project_name -} - -# EKS Module -module "eks" { - source = "../../modules/eks" - - cluster_name = local.cluster_name - cluster_version = var.kubernetes_version - subnet_ids = concat(module.vpc.public_subnet_ids, module.vpc.private_subnet_ids) - node_subnet_ids = module.vpc.private_subnet_ids - cluster_security_group_id = module.security_groups.eks_cluster_security_group_id - node_security_group_id = module.security_groups.eks_nodes_security_group_id - environment = var.environment - project_name = var.project_name -} - -# RDS Module -module "rds" { - source = "../../modules/rds" - - db_name = var.db_name - db_username = var.db_username - db_password = var.db_password - subnet_ids = module.vpc.private_subnet_ids - security_group_id = 
module.security_groups.rds_security_group_id - environment = var.environment - project_name = var.project_name - engine = "postgres" - engine_version = "15.4" - instance_class = "db.t3.micro" - allocated_storage = 20 -} -EOF - -cat > variables.tf << 'EOF' -variable "aws_region" { - description = "AWS region" - type = string - default = "eu-west-1" -} - -variable "environment" { - description = "Environment name" - type = string - default = "dev" -} - -variable "project_name" { - description = "Project name" - type = string - default = "mycompany" -} - -variable "vpc_cidr" { - description = "CIDR block for VPC" - type = string - default = "10.0.0.0/16" -} - -variable "availability_zones" { - description = "Availability zones" - type = list(string) - default = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] -} - -variable "kubernetes_version" { - description = "Kubernetes version" - type = string - default = "1.28" -} - -variable "db_name" { - description = "Database name" - type = string - default = "mycompanydb" -} - -variable "db_username" { - description = "Database username" - type = string - default = "admin" -} - -variable "db_password" { - description = "Database password" - type = string - sensitive = true -} -EOF - -cat > terraform.tfvars << 'EOF' -aws_region = "eu-west-1" -environment = "dev" -project_name = "mycompany" -vpc_cidr = "10.0.0.0/16" -availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] -kubernetes_version = "1.28" -db_name = "mycompanydb" -db_username = "admin" -db_password = "SuperSecurePassword123!" 
-EOF - -cat > outputs.tf << 'EOF' -output "vpc_id" { - description = "VPC ID" - value = module.vpc.vpc_id -} - -output "eks_cluster_endpoint" { - description = "EKS cluster endpoint" - value = module.eks.cluster_endpoint -} - -output "eks_cluster_name" { - description = "EKS cluster name" - value = module.eks.cluster_id -} - -output "rds_endpoint" { - description = "RDS endpoint" - value = module.rds.db_instance_endpoint -} - -output "configure_kubectl" { - description = "Configure kubectl command" - value = "aws eks update-kubeconfig --region ${var.aws_region} --name ${module.eks.cluster_id}" -} -EOF - -# Backend configuration -cat > backend.conf << EOF -bucket = "$TF_VAR_backend_bucket" -key = "dev/terraform.tfstate" -region = "$TF_VAR_backend_region" -dynamodb_table = "$TF_VAR_backend_dynamodb_table" -encrypt = true -EOF -``` - -### 🚀 **3.7 Terraform Initialize ve Deploy** - -```bash -# 3.7.1 Terraform initialize -cd ~/devops-infrastructure/terraform/environments/dev -terraform init -backend-config=backend.conf - -# 3.7.2 Terraform plan -terraform plan -out=tfplan - -# 3.7.3 Terraform apply -terraform apply tfplan - -# 3.7.4 kubectl konfigürasyonu -aws eks update-kubeconfig --region eu-west-1 --name $(terraform output -raw eks_cluster_name) - -# 3.7.5 Cluster bağlantısını test et -kubectl get nodes -kubectl get pods --all-namespaces - -# 3.7.6 Terraform outputs -terraform output -``` - ---- - -## 🐳 **PHASE 3: CONTAINERIZATION VE REGISTRY** (Gün 6-7) - -### 📦 **4.1 GitHub Container Registry Setup** - -```bash -# 4.1.1 GitHub Personal Access Token oluştur -# GitHub -> Settings -> Developer settings -> Personal access tokens -> Tokens (classic) -# Permissions: write:packages, read:packages, delete:packages - -# 4.1.2 GitHub Container Registry'ye login -echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin - -# 4.1.3 Test image push -docker pull hello-world -docker tag hello-world ghcr.io/yourusername/hello-world:latest -docker push 
ghcr.io/yourusername/hello-world:latest -``` - -### 🏗️ **4.2 Docker Multi-Stage Build Templates** - -```bash -# 4.2.1 Docker templates dizini -cd ~/devops-infrastructure/docker -mkdir -p {nodejs,python,golang,java,nginx} - -# 4.2.2 Node.js Dockerfile template -cat > nodejs/Dockerfile << 'EOF' -# Multi-stage build for Node.js applications -FROM node:18-alpine AS builder - -# Set working directory -WORKDIR /app - -# Copy package files -COPY package*.json ./ - -# Install dependencies -RUN npm ci --only=production && npm cache clean --force - -# Copy source code -COPY . . - -# Build application -RUN npm run build - -# Production stage -FROM node:18-alpine AS production - -# Install dumb-init for proper signal handling -RUN apk add --no-cache dumb-init - -# Create non-root user -RUN addgroup -g 1001 -S nodejs && \ - adduser -S nodejs -u 1001 - -# Set working directory -WORKDIR /app - -# Copy package files -COPY package*.json ./ - -# Install only production dependencies -RUN npm ci --only=production && npm cache clean --force - -# Copy built application from builder stage -COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist -COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules - -# Switch to non-root user -USER nodejs - -# Expose port -EXPOSE 3000 - -# Health check -HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ - CMD node healthcheck.js - -# Use dumb-init to handle signals properly -ENTRYPOINT ["dumb-init", "--"] - -# Start application -CMD ["node", "dist/index.js"] -EOF - -# 4.2.3 Python Dockerfile template -cat > python/Dockerfile << 'EOF' -# Multi-stage build for Python applications -FROM python:3.11-slim AS builder - -# Set environment variables -ENV PYTHONDONTWRITEBYTECODE=1 \ - PYTHONUNBUFFERED=1 \ - PIP_NO_CACHE_DIR=1 \ - PIP_DISABLE_PIP_VERSION_CHECK=1 - -# Install system dependencies -RUN apt-get update && apt-get install -y --no-install-recommends \ - build-essential \ - && rm -rf /var/lib/apt/lists/* - -# 
Create virtual environment -RUN python -m venv /opt/venv -ENV PATH="/opt/venv/bin:$PATH" - -# Copy requirements -COPY requirements.txt . - -# Install Python dependencies -RUN pip install --no-cache-dir -r requirements.txt - -# Production stage -FROM python:3.11-slim AS production - -# Set environment variables -ENV PYTHONDONTWRITEBYTECODE=1 \ - PYTHONUNBUFFERED=1 \ - PATH="/opt/venv/bin:$PATH" - -# Install runtime dependencies -RUN apt-get update && apt-get install -y --no-install-recommends \ - dumb-init \ - && rm -rf /var/lib/apt/lists/* - -# Create non-root user -RUN groupadd -r appuser && useradd -r -g appuser appuser - -# Copy virtual environment from builder -COPY --from=builder /opt/venv /opt/venv - -# Set working directory -WORKDIR /app - -# Copy application code -COPY --chown=appuser:appuser . . - -# Switch to non-root user -USER appuser - -# Expose port -EXPOSE 8000 - -# Health check -HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ - CMD python healthcheck.py - -# Use dumb-init to handle signals properly -ENTRYPOINT ["dumb-init", "--"] - -# Start application -CMD ["python", "app.py"] -EOF - -# 4.2.4 Golang Dockerfile template -cat > golang/Dockerfile << 'EOF' -# Multi-stage build for Go applications -FROM golang:1.21-alpine AS builder - -# Install git for go modules -RUN apk add --no-cache git - -# Set working directory -WORKDIR /app - -# Copy go mod files -COPY go.mod go.sum ./ - -# Download dependencies -RUN go mod download - -# Copy source code -COPY . . - -# Build application with optimizations -RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \ - -ldflags='-w -s -extldflags "-static"' \ - -a -installsuffix cgo \ - -o main . 
- -# Production stage -FROM scratch AS production - -# Add ca-certificates for HTTPS -COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ - -# Copy binary from builder -COPY --from=builder /app/main /main - -# Expose port -EXPOSE 8080 - -# Health check (for scratch images, implement in Go) -HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ - CMD ["/main", "-health"] - -# Start application -ENTRYPOINT ["/main"] -EOF - -# 4.2.5 Docker Compose template -cat > docker-compose.yml << 'EOF' -version: '3.8' - -services: - web: - build: - context: . - dockerfile: Dockerfile - target: production - ports: - - "3000:3000" - environment: - - NODE_ENV=production - - DATABASE_URL=postgresql://user:password@db:5432/myapp - - REDIS_URL=redis://redis:6379 - depends_on: - - db - - redis - networks: - - app-network - restart: unless-stopped - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:3000/health"] - interval: 30s - timeout: 10s - retries: 3 - - db: - image: postgres:15-alpine - environment: - - POSTGRES_DB=myapp - - POSTGRES_USER=user - - POSTGRES_PASSWORD=password - volumes: - - postgres_data:/var/lib/postgresql/data - - ./init.sql:/docker-entrypoint-initdb.d/init.sql - networks: - - app-network - restart: unless-stopped - healthcheck: - test: ["CMD-SHELL", "pg_isready -U user -d myapp"] - interval: 30s - timeout: 5s - retries: 3 - - redis: - image: redis:7-alpine - command: redis-server --appendonly yes - volumes: - - redis_data:/data - networks: - - app-network - restart: unless-stopped - healthcheck: - test: ["CMD", "redis-cli", "ping"] - interval: 30s - timeout: 5s - retries: 3 - -volumes: - postgres_data: - redis_data: - -networks: - app-network: - driver: bridge -EOF - -# 4.2.6 .dockerignore -cat > .dockerignore << 'EOF' -# Git -.git -.gitignore - -# Documentation -README.md -CHANGELOG.md -docs/ - -# Dependencies -node_modules/ -vendor/ -__pycache__/ -*.pyc -target/ - -# Build artifacts -dist/ -build/ -*.log - -# IDE 
-.vscode/ -.idea/ -*.swp -*.swo - -# OS -.DS_Store -Thumbs.db - -# Environment -.env -.env.local -.env.*.local - -# Testing -coverage/ -.nyc_output/ -test-results/ - -# Terraform -*.tfstate -*.tfstate.* -.terraform/ - -# Docker -Dockerfile* -docker-compose* -EOF -``` - -### 🔒 **4.3 Container Security Scanning Setup** - -```bash -# 4.3.1 Trivy kurulumu (vulnerability scanner) -# Ubuntu/Debian -wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - -echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list -sudo apt-get update && sudo apt-get install trivy - -# macOS -brew install trivy - -# 4.3.2 Hadolint kurulumu (Dockerfile linter) -# Ubuntu/Debian -wget -O hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -chmod +x hadolint -sudo mv hadolint /usr/local/bin/ - -# macOS -brew install hadolint - -# 4.3.3 Container security scanning script -cat > ~/devops-infrastructure/scripts/container-security-scan.sh << 'EOF' -#!/bin/bash - -# Container Security Scanning Script -set -e - -IMAGE_NAME=$1 -if [ -z "$IMAGE_NAME" ]; then - echo "Usage: $0 " - exit 1 -fi - -echo "🔍 Starting security scan for $IMAGE_NAME..." - -# 1. Dockerfile linting -echo "📋 Running Dockerfile lint..." -if [ -f "Dockerfile" ]; then - hadolint Dockerfile || echo "⚠️ Dockerfile linting issues found" -else - echo "❌ Dockerfile not found" -fi - -# 2. Image vulnerability scanning -echo "🛡️ Running vulnerability scan..." -trivy image --exit-code 1 --severity HIGH,CRITICAL $IMAGE_NAME - -# 3. Configuration scanning -echo "⚙️ Running configuration scan..." -trivy config --exit-code 1 . - -# 4. Secret scanning -echo "🔐 Running secret scan..." -trivy fs --exit-code 1 --scanners secret . 
- -echo "✅ Security scan completed for $IMAGE_NAME" -EOF - -chmod +x ~/devops-infrastructure/scripts/container-security-scan.sh - -# 4.3.4 Pre-commit hooks için security scanning -cat > ~/devops-infrastructure/.pre-commit-config.yaml << 'EOF' -repos: - - repo: https://github.com/hadolint/hadolint - rev: v2.12.0 - hooks: - - id: hadolint-docker - args: [--config, .hadolint.yaml] - - - repo: https://github.com/aquasecurity/trivy - rev: v0.48.0 - hooks: - - id: trivy-docker - args: [--exit-code, "1", --severity, "HIGH,CRITICAL"] - - - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 - hooks: - - id: trailing-whitespace - - id: end-of-file-fixer - - id: check-yaml - - id: check-added-large-files - - id: check-merge-conflict -EOF - -# Hadolint config -cat > ~/devops-infrastructure/.hadolint.yaml << 'EOF' -ignored: - - DL3008 # Pin versions in apt get install - - DL3009 # Delete the apt-get lists after installing something - - DL3015 # Avoid additional packages by specifying --no-install-recommends - -trusted-registries: - - docker.io - - ghcr.io - - quay.io -EOF -``` - ---- - -## 🔄 **PHASE 4: CI/CD PIPELINE KURULUMU** (Gün 8-10) - -### 🛠️ **5.1 Jenkins on Kubernetes Setup** - -```bash -# 5.1.1 Jenkins namespace ve RBAC oluştur -cd ~/devops-infrastructure/kubernetes/base -mkdir -p jenkins - -cat > jenkins/namespace.yaml << 'EOF' -apiVersion: v1 -kind: Namespace -metadata: - name: jenkins - labels: - name: jenkins -EOF - -cat > jenkins/serviceaccount.yaml << 'EOF' -apiVersion: v1 -kind: ServiceAccount -metadata: - name: jenkins - namespace: jenkins ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: jenkins -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["create","delete","get","list","patch","update","watch"] -- apiGroups: [""] - resources: ["pods/exec"] - verbs: ["create","delete","get","list","patch","update","watch"] -- apiGroups: [""] - resources: ["pods/log"] - verbs: ["get","list","watch"] -- apiGroups: 
[""] - resources: ["secrets"] - verbs: ["get"] -- apiGroups: [""] - resources: ["events"] - verbs: ["get","list","watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: jenkins -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: jenkins -subjects: -- kind: ServiceAccount - name: jenkins - namespace: jenkins -EOF - -cat > jenkins/pvc.yaml << 'EOF' -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: jenkins-pvc - namespace: jenkins -spec: - accessModes: - - ReadWriteOnce - storageClassName: gp3 - resources: - requests: - storage: 10Gi -EOF - -cat > jenkins/deployment.yaml << 'EOF' -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jenkins - namespace: jenkins -spec: - replicas: 1 - selector: - matchLabels: - app: jenkins - template: - metadata: - labels: - app: jenkins - spec: - serviceAccountName: jenkins - containers: - - name: jenkins - image: jenkins/jenkins:2.414.1-lts-jdk11 - ports: - - containerPort: 8080 - - containerPort: 50000 - env: - - name: JAVA_OPTS - value: "-Xmx2048m -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85" - - name: JENKINS_OPTS - value: "--httpPort=8080" - volumeMounts: - - name: jenkins-home - mountPath: /var/jenkins_home - - name: docker-sock - mountPath: /var/run/docker.sock - resources: - requests: - memory: "1Gi" - cpu: "500m" - limits: - memory: "2Gi" - cpu: "1000m" - livenessProbe: - httpGet: - path: /login - port: 8080 - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /login - port: 8080 - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - volumes: - - name: jenkins-home - persistentVolumeClaim: - claimName: jenkins-pvc - - name: docker-sock - hostPath: - path: /var/run/docker.sock - securityContext: - fsGroup: 1000 - runAsUser: 1000 -EOF - -cat > jenkins/service.yaml << 'EOF' -apiVersion: v1 -kind: 
Service -metadata: - name: jenkins - namespace: jenkins -spec: - ports: - - name: http - port: 8080 - targetPort: 8080 - - name: jnlp - port: 50000 - targetPort: 50000 - selector: - app: jenkins - type: ClusterIP -EOF - -cat > jenkins/ingress.yaml << 'EOF' -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: jenkins - namespace: jenkins - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "50m" - nginx.ingress.kubernetes.io/proxy-request-buffering: "off" - cert-manager.io/cluster-issuer: "letsencrypt-prod" -spec: - tls: - - hosts: - - jenkins.yourdomain.com - secretName: jenkins-tls - rules: - - host: jenkins.yourdomain.com - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: jenkins - port: - number: 8080 -EOF - -# 5.1.2 Jenkins deploy -kubectl apply -f jenkins/ -kubectl get pods -n jenkins -kubectl logs -f deployment/jenkins -n jenkins -``` - -### 🌐 **5.2 NGINX Ingress Controller Setup** - -```bash -# 5.2.1 NGINX Ingress Controller kurulumu -helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx -helm repo update - -helm install ingress-nginx ingress-nginx/ingress-nginx \ - --namespace ingress-nginx \ - --create-namespace \ - --set controller.service.type=LoadBalancer \ - --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-type"="nlb" \ - --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" - -# 5.2.2 Ingress controller durumunu kontrol et -kubectl get pods -n ingress-nginx -kubectl get svc -n ingress-nginx - -# 5.2.3 External IP'yi al -EXTERNAL_IP=$(kubectl get svc ingress-nginx-controller -n ingress-nginx -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') -echo "External LoadBalancer: $EXTERNAL_IP" -``` - -### 🔐 **5.3 Cert-Manager Setup (SSL/TLS)** - -```bash -# 5.3.1 Cert-Manager kurulumu -helm 
repo add jetstack https://charts.jetstack.io -helm repo update - -kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.crds.yaml - -helm install cert-manager jetstack/cert-manager \ - --namespace cert-manager \ - --create-namespace \ - --version v1.13.0 - -# 5.3.2 Let's Encrypt ClusterIssuer -cat > ~/devops-infrastructure/kubernetes/base/cert-manager-issuer.yaml << 'EOF' -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: admin@yourdomain.com - privateKeySecretRef: - name: letsencrypt-staging - solvers: - - http01: - ingress: - class: nginx ---- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-prod -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - email: admin@yourdomain.com - privateKeySecretRef: - name: letsencrypt-prod - solvers: - - http01: - ingress: - class: nginx -EOF - -kubectl apply -f ~/devops-infrastructure/kubernetes/base/cert-manager-issuer.yaml - -# 5.3.3 Cert-manager durumunu kontrol et -kubectl get pods -n cert-manager -kubectl get clusterissuers -``` - -### 🔧 **5.4 Jenkins Initial Setup** - -```bash -# 5.4.1 Jenkins admin password'unu al -kubectl exec -n jenkins -it deployment/jenkins -- cat /var/jenkins_home/secrets/initialAdminPassword - -# 5.4.2 Jenkins URL'sine eriş (port-forward ile) -kubectl port-forward -n jenkins svc/jenkins 8080:8080 - -# 5.4.3 Jenkins Initial Setup (Browser üzerinden) -# http://localhost:8080 -# - Initial password gir -# - Suggested plugins install et -# - Admin user oluştur -# - Jenkins URL'yi ayarla - -# 5.4.4 Essential Jenkins plugins kurulumu (Browser üzerinden) -# Manage Jenkins -> Manage Plugins -> Available -# - Blue Ocean -# - Pipeline -# - Git Pipeline for Blue Ocean -# - Docker Pipeline -# - Kubernetes CLI -# - GitHub Integration -# - Slack Notification -# - Build Timestamp -# - 
AnsiColor -# - Workspace Cleanup -``` - -### 📝 **5.5 Jenkins Pipeline as Code** - -```bash -# 5.5.1 Shared Pipeline Library oluştur -mkdir -p ~/devops-infrastructure/jenkins/shared-library/{vars,src,resources} - -cat > ~/devops-infrastructure/jenkins/shared-library/vars/buildAndPush.groovy << 'EOF' -def call(Map config) { - pipeline { - agent { - kubernetes { - yaml """ - apiVersion: v1 - kind: Pod - spec: - containers: - - name: docker - image: docker:latest - command: - - cat - tty: true - volumeMounts: - - mountPath: /var/run/docker.sock - name: docker-sock - - name: kubectl - image: bitnami/kubectl:latest - command: - - cat - tty: true - - name: helm - image: alpine/helm:latest - command: - - cat - tty: true - volumes: - - name: docker-sock - hostPath: - path: /var/run/docker.sock - """ - } - } - - environment { - DOCKER_REGISTRY = 'ghcr.io' - IMAGE_NAME = "${config.imageName}" - GIT_COMMIT_SHORT = sh(script: "git rev-parse --short HEAD", returnStdout: true).trim() - BUILD_VERSION = "${env.BUILD_NUMBER}-${GIT_COMMIT_SHORT}" - } - - stages { - stage('Checkout') { - steps { - checkout scm - } - } - - stage('Build Info') { - steps { - script { - currentBuild.displayName = "#${env.BUILD_NUMBER} - ${BUILD_VERSION}" - currentBuild.description = "Branch: ${env.BRANCH_NAME}" - } - } - } - - stage('Lint Dockerfile') { - steps { - container('docker') { - sh ''' - echo "🔍 Linting Dockerfile..." - # Dockerfile linting would go here - ''' - } - } - } - - stage('Build Docker Image') { - steps { - container('docker') { - script { - def image = docker.build("${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION}") - docker.withRegistry("https://${DOCKER_REGISTRY}", 'github-registry-credentials') { - image.push() - image.push("latest") - } - } - } - } - } - - stage('Security Scan') { - steps { - container('docker') { - sh ''' - echo "🛡️ Running security scan..." 
- # Trivy scanning would go here - ''' - } - } - } - - stage('Deploy to Dev') { - when { - branch 'develop' - } - steps { - container('kubectl') { - sh ''' - echo "🚀 Deploying to development..." - kubectl set image deployment/${IMAGE_NAME} ${IMAGE_NAME}=${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION} -n dev - kubectl rollout status deployment/${IMAGE_NAME} -n dev - ''' - } - } - } - - stage('Deploy to Staging') { - when { - branch 'main' - } - steps { - container('kubectl') { - sh ''' - echo "🚀 Deploying to staging..." - kubectl set image deployment/${IMAGE_NAME} ${IMAGE_NAME}=${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION} -n staging - kubectl rollout status deployment/${IMAGE_NAME} -n staging - ''' - } - } - } - - stage('Deploy to Production') { - when { - buildingTag() - } - steps { - script { - timeout(time: 5, unit: 'MINUTES') { - input message: 'Deploy to production?', ok: 'Deploy' - } - } - container('kubectl') { - sh ''' - echo "🚀 Deploying to production..." - kubectl set image deployment/${IMAGE_NAME} ${IMAGE_NAME}=${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION} -n production - kubectl rollout status deployment/${IMAGE_NAME} -n production - ''' - } - } - } - } - - post { - success { - slackSend( - channel: '#deployments', - color: 'good', - message: "✅ ${IMAGE_NAME} v${BUILD_VERSION} deployed successfully to ${env.BRANCH_NAME}" - ) - } - failure { - slackSend( - channel: '#deployments', - color: 'danger', - message: "❌ ${IMAGE_NAME} v${BUILD_VERSION} deployment failed on ${env.BRANCH_NAME}" - ) - } - } - } -} -EOF - -# 5.5.2 Sample application Jenkinsfile -cat > ~/devops-infrastructure/jenkins/sample-Jenkinsfile << 'EOF' -@Library('shared-library') _ - -buildAndPush([ - imageName: 'mycompany/sample-app' -]) -EOF -``` - -### 🔐 **5.6 Jenkins Credentials Setup** - -```bash -# 5.6.1 GitHub credentials secret oluştur -kubectl create secret generic github-registry-credentials \ - --from-literal=username=YOUR_GITHUB_USERNAME \ - 
--from-literal=password=YOUR_GITHUB_TOKEN \ - --namespace=jenkins - -# 5.6.2 AWS credentials secret oluştur -kubectl create secret generic aws-credentials \ - --from-literal=access-key-id=YOUR_AWS_ACCESS_KEY \ - --from-literal=secret-access-key=YOUR_AWS_SECRET_KEY \ - --namespace=jenkins - -# 5.6.3 Jenkins'te credentials ekle (Browser üzerinden) -# Manage Jenkins -> Manage Credentials -> Global -> Add Credentials -# - GitHub Token: Kind=Username with password, ID=github-registry-credentials -# - AWS Credentials: Kind=AWS Credentials, ID=aws-credentials -# - Kubeconfig: Kind=Secret file, ID=kubeconfig -``` - ---- - -## ☸️ **PHASE 5: KUBERNETES ADVANCED SETUP** (Gün 11-13) - -### 🏷️ **6.1 Namespace ve RBAC Setup** - -```bash -# 6.1.1 Environment namespaces oluştur -cd ~/devops-infrastructure/kubernetes/base - -cat > namespaces.yaml << 'EOF' -apiVersion: v1 -kind: Namespace -metadata: - name: dev - labels: - environment: dev - istio-injection: enabled ---- -apiVersion: v1 -kind: Namespace -metadata: - name: staging - labels: - environment: staging - istio-injection: enabled ---- -apiVersion: v1 -kind: Namespace -metadata: - name: production - labels: - environment: production - istio-injection: enabled ---- -apiVersion: v1 -kind: Namespace -metadata: - name: monitoring - labels: - environment: monitoring - istio-injection: disabled ---- -apiVersion: v1 -kind: Namespace -metadata: - name: logging - labels: - environment: logging - istio-injection: disabled -EOF - -kubectl apply -f namespaces.yaml - -# 6.1.2 RBAC setup -cat > rbac.yaml << 'EOF' -# Developer Role - dev namespace -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: dev - name: developer -rules: -- apiGroups: [""] - resources: ["pods", "services", "configmaps", "secrets"] - verbs: ["get", "list", "create", "update", "patch", "delete"] -- apiGroups: ["apps"] - resources: ["deployments", "replicasets"] - verbs: ["get", "list", "create", "update", "patch", "delete"] -- apiGroups: [""] 
- resources: ["pods/log"] - verbs: ["get", "list"] -- apiGroups: [""] - resources: ["pods/exec"] - verbs: ["create"] ---- -# Staging Role - staging namespace -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: staging - name: staging-deployer -rules: -- apiGroups: [""] - resources: ["pods", "services", "configmaps"] - verbs: ["get", "list"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "update", "patch"] -- apiGroups: [""] - resources: ["pods/log"] - verbs: ["get", "list"] ---- -# Production Role - production namespace (read-only + deploy) -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: production - name: production-deployer -rules: -- apiGroups: [""] - resources: ["pods", "services", "configmaps"] - verbs: ["get", "list"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "update", "patch"] -- apiGroups: [""] - resources: ["pods/log"] - verbs: ["get", "list"] ---- -# ServiceAccount for developers -apiVersion: v1 -kind: ServiceAccount -metadata: - name: developer - namespace: dev ---- -# ServiceAccount for staging -apiVersion: v1 -kind: ServiceAccount -metadata: - name: staging-deployer - namespace: staging ---- -# ServiceAccount for production -apiVersion: v1 -kind: ServiceAccount -metadata: - name: production-deployer - namespace: production ---- -# RoleBinding for developers -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: developer-binding - namespace: dev -subjects: -- kind: ServiceAccount - name: developer - namespace: dev -roleRef: - kind: Role - name: developer - apiGroup: rbac.authorization.k8s.io ---- -# RoleBinding for staging -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: staging-deployer-binding - namespace: staging -subjects: -- kind: ServiceAccount - name: staging-deployer - namespace: staging -roleRef: - kind: Role - name: staging-deployer - apiGroup: 
rbac.authorization.k8s.io ---- -# RoleBinding for production -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: production-deployer-binding - namespace: production -subjects: -- kind: ServiceAccount - name: production-deployer - namespace: production -roleRef: - kind: Role - name: production-deployer - apiGroup: rbac.authorization.k8s.io -EOF - -kubectl apply -f rbac.yaml -``` - -### 📦 **6.2 StorageClass ve Persistent Volumes** - -```bash -# 6.2.1 StorageClass definitions -cat > storage-classes.yaml << 'EOF' -# GP3 StorageClass (default) -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: gp3 - annotations: - storageclass.kubernetes.io/is-default-class: "true" -provisioner: ebs.csi.aws.com -parameters: - type: gp3 - fsType: ext4 - encrypted: "true" -volumeBindingMode: WaitForFirstConsumer -allowVolumeExpansion: true ---- -# GP3 Fast StorageClass -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: gp3-fast -provisioner: ebs.csi.aws.com -parameters: - type: gp3 - fsType: ext4 - encrypted: "true" - iops: "4000" - throughput: "250" -volumeBindingMode: WaitForFirstConsumer -allowVolumeExpansion: true ---- -# IO1 StorageClass (high performance) -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: io1 -provisioner: ebs.csi.aws.com -parameters: - type: io1 - fsType: ext4 - encrypted: "true" - iops: "1000" -volumeBindingMode: WaitForFirstConsumer -allowVolumeExpansion: true -EOF - -kubectl apply -f storage-classes.yaml -kubectl get storageclass -``` - -### 🔧 **6.3 Horizontal Pod Autoscaler (HPA) Setup** - -```bash -# 6.3.1 Metrics Server kurulumu -kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - -# Metrics server düzeltmesi (EKS için) -kubectl patch deployment metrics-server -n kube-system --type='json' -p='[ - { - "op": "add", - "path": "/spec/template/spec/containers/0/args/-", - "value": "--kubelet-insecure-tls" - } -]' - -# 6.3.2 
HPA template -cat > hpa-template.yaml << 'EOF' -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: sample-app-hpa - namespace: dev -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: sample-app - minReplicas: 2 - maxReplicas: 10 - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 70 - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: 80 - behavior: - scaleDown: - stabilizationWindowSeconds: 300 - policies: - - type: Percent - value: 50 - periodSeconds: 60 - scaleUp: - stabilizationWindowSeconds: 60 - policies: - - type: Percent - value: 100 - periodSeconds: 30 -EOF -``` - -### 🔄 **6.4 Cluster Autoscaler Setup** - -```bash -# 6.4.1 Cluster Autoscaler kurulumu -cat > cluster-autoscaler.yaml << 'EOF' -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cluster-autoscaler - namespace: kube-system - labels: - app: cluster-autoscaler -spec: - selector: - matchLabels: - app: cluster-autoscaler - template: - metadata: - labels: - app: cluster-autoscaler - annotations: - prometheus.io/scrape: 'true' - prometheus.io/port: '8085' - spec: - serviceAccountName: cluster-autoscaler - containers: - - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.28.0 - name: cluster-autoscaler - resources: - limits: - cpu: 100m - memory: 300Mi - requests: - cpu: 100m - memory: 300Mi - command: - - ./cluster-autoscaler - - --v=4 - - --stderrthreshold=info - - --cloud-provider=aws - - --skip-nodes-with-local-storage=false - - --expander=least-waste - - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/CLUSTER_NAME - env: - - name: AWS_REGION - value: eu-west-1 - volumeMounts: - - name: ssl-certs - mountPath: /etc/ssl/certs/ca-certificates.crt - readOnly: true - imagePullPolicy: "Always" - volumes: - - name: ssl-certs - hostPath: - path: "/etc/ssl/certs/ca-bundle.crt" ---- -apiVersion: v1 -kind: 
ServiceAccount -metadata: - labels: - k8s-addon: cluster-autoscaler.addons.k8s.io - k8s-app: cluster-autoscaler - name: cluster-autoscaler - namespace: kube-system - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/cluster-autoscaler ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cluster-autoscaler - labels: - k8s-addon: cluster-autoscaler.addons.k8s.io - k8s-app: cluster-autoscaler -rules: -- apiGroups: [""] - resources: ["events", "endpoints"] - verbs: ["create", "patch"] -- apiGroups: [""] - resources: ["pods/eviction"] - verbs: ["create"] -- apiGroups: [""] - resources: ["pods/status"] - verbs: ["update"] -- apiGroups: [""] - resources: ["endpoints"] - resourceNames: ["cluster-autoscaler"] - verbs: ["get", "update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["watch", "list", "get", "update"] -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "persistentvolumeclaims", "persistentvolumes"] - verbs: ["watch", "list", "get"] -- apiGroups: ["extensions"] - resources: ["replicasets", "daemonsets"] - verbs: ["watch", "list", "get"] -- apiGroups: ["policy"] - resources: ["poddisruptionbudgets"] - verbs: ["watch", "list"] -- apiGroups: ["apps"] - resources: ["statefulsets", "replicasets", "daemonsets"] - verbs: ["watch", "list", "get"] -- apiGroups: ["storage.k8s.io"] - resources: ["storageclasses", "csinodes", "csidrivers", "csistoragecapacities"] - verbs: ["watch", "list", "get"] -- apiGroups: ["batch", "extensions"] - resources: ["jobs"] - verbs: ["get", "list", "watch", "patch"] -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["create"] -- apiGroups: ["coordination.k8s.io"] - resourceNames: ["cluster-autoscaler"] - resources: ["leases"] - verbs: ["get", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cluster-autoscaler - labels: - k8s-addon: cluster-autoscaler.addons.k8s.io - k8s-app: 
cluster-autoscaler -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-autoscaler -subjects: -- kind: ServiceAccount - name: cluster-autoscaler - namespace: kube-system -EOF - -# CLUSTER_NAME'i gerçek cluster ismiyle değiştir -sed -i 's/CLUSTER_NAME/mycompany-dev-eks/g' cluster-autoscaler.yaml -kubectl apply -f cluster-autoscaler.yaml -``` - -### 🔒 **6.5 Network Policies** - -```bash -# 6.5.1 Calico CNI kurulumu (Network Policies için) -kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/tigera-operator.yaml - -# Calico configuration -cat > calico-config.yaml << 'EOF' -apiVersion: operator.tigera.io/v1 -kind: Installation -metadata: - name: default -spec: - calicoNetwork: - ipPools: - - blockSize: 26 - cidr: 192.168.0.0/16 - encapsulation: VXLANCrossSubnet - natOutgoing: Enabled - nodeSelector: all() -EOF - -kubectl apply -f calico-config.yaml - -# 6.5.2 Network Policy templates -cat > network-policies.yaml << 'EOF' -# Default deny all ingress traffic -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-deny-ingress - namespace: dev -spec: - podSelector: {} - policyTypes: - - Ingress ---- -# Allow ingress from same namespace -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-same-namespace - namespace: dev -spec: - podSelector: {} - policyTypes: - - Ingress - ingress: - - from: - - namespaceSelector: - matchLabels: - name: dev ---- -# Allow ingress from ingress-nginx -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-ingress-nginx - namespace: dev -spec: - podSelector: - matchLabels: - app: frontend - policyTypes: - - Ingress - ingress: - - from: - - namespaceSelector: - matchLabels: - name: ingress-nginx - ports: - - protocol: TCP - port: 8080 ---- -# Allow database access only from backend -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: database-access - namespace: dev -spec: - 
podSelector: - matchLabels: - app: database - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: backend - ports: - - protocol: TCP - port: 5432 ---- -# Allow monitoring namespace access -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-monitoring - namespace: dev -spec: - podSelector: {} - policyTypes: - - Ingress - ingress: - - from: - - namespaceSelector: - matchLabels: - name: monitoring - ports: - - protocol: TCP - port: 8080 - - protocol: TCP - port: 9090 -EOF - -kubectl apply -f network-policies.yaml -``` - ---- - -## 📊 **PHASE 6: OBSERVABILITY STACK** (Gün 14-16) - -### 📈 **7.1 Prometheus & Grafana Setup** - -```bash -# 7.1.1 kube-prometheus-stack kurulumu -helm repo add prometheus-community https://prometheus-community.github.io/helm-charts -helm repo update - -# Custom values.yaml oluştur -cat > monitoring-values.yaml << 'EOF' -prometheus: - prometheusSpec: - storageSpec: - volumeClaimTemplate: - spec: - storageClassName: gp3 - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 20Gi - retention: 15d - resources: - requests: - memory: 2Gi - cpu: 1000m - limits: - memory: 4Gi - cpu: 2000m - additionalScrapeConfigs: | - - job_name: 'kubernetes-pods' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] - action: keep - regex: true - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - target_label: __address__ - -alertmanager: - alertmanagerSpec: - storage: - volumeClaimTemplate: - spec: - storageClassName: gp3 - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 5Gi - resources: - requests: - memory: 256Mi - cpu: 100m - limits: - memory: 512Mi - 
cpu: 200m - config: - global: - slack_api_url: 'YOUR_SLACK_WEBHOOK_URL' - route: - group_by: ['alertname'] - group_wait: 10s - group_interval: 10s - repeat_interval: 1h - receiver: 'web.hook' - routes: - - match: - alertname: DeadMansSwitch - receiver: 'null' - - match_re: - severity: critical|warning - receiver: 'slack-notifications' - receivers: - - name: 'null' - - name: 'web.hook' - webhook_configs: - - url: 'http://127.0.0.1:5001/' - - name: 'slack-notifications' - slack_configs: - - channel: '#alerts' - title: 'Cluster Alert - {{ .GroupLabels.alertname }}' - text: '{{ range .Alerts }}{{ .Annotations.summary }}{{ end }}' - send_resolved: true - -grafana: - adminPassword: 'AdminPassword123!' - persistence: - enabled: true - storageClassName: gp3 - size: 10Gi - resources: - requests: - memory: 256Mi - cpu: 100m - limits: - memory: 512Mi - cpu: 200m - dashboardProviders: - dashboardproviders.yaml: - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/default - dashboards: - default: - kubernetes-cluster-overview: - gnetId: 7249 - revision: 1 - datasource: Prometheus - kubernetes-pod-overview: - gnetId: 6417 - revision: 1 - datasource: Prometheus - nginx-ingress-controller: - gnetId: 9614 - revision: 1 - datasource: Prometheus - node-exporter: - gnetId: 1860 - revision: 31 - datasource: Prometheus - -nodeExporter: - enabled: true - -kubeStateMetrics: - enabled: true - -defaultRules: - create: true - rules: - alertmanager: true - etcd: true - configReloaders: true - general: true - k8s: true - kubeApiserverAvailability: true - kubeApiserverBurnrate: true - kubeApiserverHistogram: true - kubeApiserverSlos: true - kubelet: true - kubeProxy: true - kubePrometheusGeneral: true - kubePrometheusNodeRecording: true - kubernetesApps: true - kubernetesResources: true - kubernetesStorage: true - kubernetesSystem: true - network: true - node: true - 
nodeExporterAlerting: true - nodeExporterRecording: true - prometheus: true - prometheusOperator: true -EOF - -# Monitoring namespace'i oluştur ve kube-prometheus-stack'i kur -kubectl create namespace monitoring -helm install kube-prometheus-stack prometheus-community/kube-prometheus-stack \ - --namespace monitoring \ - --values monitoring-values.yaml - -# 7.1.2 Monitoring durumunu kontrol et -kubectl get pods -n monitoring -kubectl get svc -n monitoring - -# 7.1.3 Grafana ingress -cat > grafana-ingress.yaml << 'EOF' -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: grafana - namespace: monitoring - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/ssl-redirect: "true" - cert-manager.io/cluster-issuer: "letsencrypt-prod" -spec: - tls: - - hosts: - - grafana.yourdomain.com - secretName: grafana-tls - rules: - - host: grafana.yourdomain.com - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: kube-prometheus-stack-grafana - port: - number: 80 -EOF - -kubectl apply -f grafana-ingress.yaml -``` - -### 📝 **7.2 Centralized Logging Setup** - -```bash -# 7.2.1 OpenSearch (Elasticsearch alternative) kurulumu -helm repo add opensearch https://opensearch-project.github.io/helm-charts/ -helm repo update - -cat > opensearch-values.yaml << 'EOF' -clusterName: "opensearch-cluster" -nodeGroup: "master" - -roles: - - master - - ingest - - data - -replicas: 3 - -opensearchJavaOpts: "-Xmx1g -Xms1g" - -resources: - requests: - cpu: "500m" - memory: "1Gi" - limits: - cpu: "1000m" - memory: "2Gi" - -persistence: - enabled: true - size: 30Gi - storageClass: gp3 - -config: - opensearch.yml: | - cluster.name: opensearch-cluster - network.host: 0.0.0.0 - plugins: - security: - ssl: - transport: - pemcert_filepath: esnode.pem - pemkey_filepath: esnode-key.pem - pemtrustedcas_filepath: root-ca.pem - enforce_hostname_verification: false - http: - enabled: false - allow_unsafe_democertificates: true - 
allow_default_init_securityindex: true - authcz: - admin_dn: - - CN=kirk,OU=client,O=client,L=test,C=de - audit.type: internal_opensearch - enable_snapshot_restore_privilege: true - check_snapshot_restore_write_privileges: true - restapi: - roles_enabled: ["all_access", "security_rest_api_access"] - system_indices: - enabled: true - indices: - [ - ".opendistro-alerting-config", - ".opendistro-alerting-alert*", - ".opendistro-anomaly-results*", - ".opendistro-anomaly-detector*", - ".opendistro-anomaly-checkpoints", - ".opendistro-anomaly-detection-state", - ".opendistro-reports-*", - ".opendistro-notifications-*", - ".opendistro-notebooks", - ".opendistro-asynchronous-search-response*", - ] -EOF - -kubectl create namespace logging -helm install opensearch opensearch/opensearch \ - --namespace logging \ - --values opensearch-values.yaml - -# 7.2.2 OpenSearch Dashboards kurulumu -cat > opensearch-dashboards-values.yaml << 'EOF' -replicaCount: 1 - -opensearchHosts: "https://opensearch-cluster-master:9200" - -resources: - requests: - cpu: "250m" - memory: "512Mi" - limits: - cpu: "500m" - memory: "1Gi" - -config: - opensearch_dashboards.yml: | - server.name: opensearch-dashboards - server.host: 0.0.0.0 - opensearch.hosts: [https://opensearch-cluster-master:9200] - opensearch.ssl.verificationMode: none - opensearch.username: admin - opensearch.password: admin - opensearch.requestHeadersAllowlist: [authorization, securitytenant] - opensearch_security.multitenancy.enabled: true - opensearch_security.multitenancy.tenants.preferred: [Private, Global] - opensearch_security.readonly_mode.roles: [kibana_read_only] - opensearch_security.cookie.secure: false -EOF - -helm install opensearch-dashboards opensearch/opensearch-dashboards \ - --namespace logging \ - --values opensearch-dashboards-values.yaml - -# 7.2.3 Fluent Bit kurulumu -cat > fluent-bit-values.yaml << 'EOF' -daemonSetVolumes: - - name: varlog - hostPath: - path: /var/log - - name: varlibdockercontainers - hostPath: 
- path: /var/lib/docker/containers - - name: etcmachineid - hostPath: - path: /etc/machine-id - type: File - -daemonSetVolumeMounts: - - name: varlog - mountPath: /var/log - readOnly: true - - name: varlibdockercontainers - mountPath: /var/lib/docker/containers - readOnly: true - - name: etcmachineid - mountPath: /etc/machine-id - readOnly: true - -config: - service: | - [SERVICE] - Daemon Off - Flush {{ .Values.flush }} - Log_Level {{ .Values.logLevel }} - Parsers_File parsers.conf - Parsers_File custom_parsers.conf - HTTP_Server On - HTTP_Listen 0.0.0.0 - HTTP_Port {{ .Values.metricsPort }} - Health_Check On - - inputs: | - [INPUT] - Name tail - Path /var/log/containers/*.log - multiline.parser docker, cri - Tag kube.* - Mem_Buf_Limit 50MB - Skip_Long_Lines On - - [INPUT] - Name systemd - Tag host.* - Systemd_Filter _SYSTEMD_UNIT=kubelet.service - Read_From_Tail On - - filters: | - [FILTER] - Name kubernetes - Match kube.* - Kube_URL https://kubernetes.default.svc:443 - Kube_CA_File /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token - Kube_Tag_Prefix kube.var.log.containers. 
- Merge_Log On - Keep_Log Off - K8S-Logging.Parser On - K8S-Logging.Exclude On - Annotations Off - Labels On - - [FILTER] - Name nest - Match kube.* - Operation lift - Nested_under kubernetes - Add_prefix kubernetes_ - - [FILTER] - Name modify - Match kube.* - Remove kubernetes_pod_id - Remove kubernetes_docker_id - Remove kubernetes_container_hash - - outputs: | - [OUTPUT] - Name opensearch - Match kube.* - Host opensearch-cluster-master.logging.svc.cluster.local - Port 9200 - Index fluentbit - Type _doc - HTTP_User admin - HTTP_Passwd admin - tls On - tls.verify Off - Suppress_Type_Name On - Replace_Dots On - - [OUTPUT] - Name opensearch - Match host.* - Host opensearch-cluster-master.logging.svc.cluster.local - Port 9200 - Index fluentbit-systemd - Type _doc - HTTP_User admin - HTTP_Passwd admin - tls On - tls.verify Off - Suppress_Type_Name On - Replace_Dots On -EOF - -helm repo add fluent https://fluent.github.io/helm-charts -helm install fluent-bit fluent/fluent-bit \ - --namespace logging \ - --values fluent-bit-values.yaml - -# 7.2.4 OpenSearch Dashboards ingress -cat > opensearch-dashboards-ingress.yaml << 'EOF' -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: opensearch-dashboards - namespace: logging - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/backend-protocol: "HTTP" - cert-manager.io/cluster-issuer: "letsencrypt-prod" -spec: - tls: - - hosts: - - logs.yourdomain.com - secretName: opensearch-dashboards-tls - rules: - - host: logs.yourdomain.com - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: opensearch-dashboards - port: - number: 5601 -EOF - -kubectl apply -f opensearch-dashboards-ingress.yaml -``` - -### 🔍 **7.3 Distributed Tracing with Jaeger** - -```bash -# 7.3.1 Jaeger Operator kurulumu -kubectl create namespace observability -kubectl apply -f 
https://github.com/jaegertracing/jaeger-operator/releases/download/v1.47.0/jaeger-operator.yaml -n observability - -# 7.3.2 Jaeger instance -cat > jaeger.yaml << 'EOF' -apiVersion: jaegertracing.io/v1 -kind: Jaeger -metadata: - name: jaeger - namespace: observability -spec: - strategy: production - storage: - type: opensearch - opensearch: - serverUrls: https://opensearch-cluster-master.logging.svc.cluster.local:9200 - username: admin - password: admin - tls: - insecureSkipVerify: true - collector: - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 200m - memory: 256Mi - query: - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 200m - memory: 256Mi - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/ssl-redirect: "true" - cert-manager.io/cluster-issuer: "letsencrypt-prod" - hosts: - - jaeger.yourdomain.com - tls: - - secretName: jaeger-tls - hosts: - - jaeger.yourdomain.com -EOF - -kubectl apply -f jaeger.yaml - -# 7.3.3 OpenTelemetry Collector kurulumu -helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts -helm repo update - -cat > otel-collector-values.yaml << 'EOF' -mode: daemonset - -presets: - logsCollection: - enabled: true - hostMetrics: - enabled: true - kubernetesAttributes: - enabled: true - -config: - receivers: - otlp: - protocols: - grpc: - endpoint: 0.0.0.0:4317 - http: - endpoint: 0.0.0.0:4318 - jaeger: - protocols: - grpc: - endpoint: 0.0.0.0:14250 - thrift_http: - endpoint: 0.0.0.0:14268 - thrift_compact: - endpoint: 0.0.0.0:6831 - zipkin: - endpoint: 0.0.0.0:9411 - - processors: - batch: {} - memory_limiter: - limit_mib: 400 - resource: - attributes: - - key: cluster.name - value: mycompany-dev-eks - action: insert - - exporters: - jaeger: - endpoint: jaeger-collector.observability.svc.cluster.local:14250 - tls: - insecure: true - prometheus: - endpoint: "0.0.0.0:8889" - const_labels: - cluster: mycompany-dev-eks - - 
service: - pipelines: - traces: - receivers: [otlp, jaeger, zipkin] - processors: [memory_limiter, resource, batch] - exporters: [jaeger] - metrics: - receivers: [otlp] - processors: [memory_limiter, resource, batch] - exporters: [prometheus] - logs: - receivers: [otlp] - processors: [memory_limiter, resource, batch] - exporters: [] - -resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 256m - memory: 512Mi -EOF - -helm install opentelemetry-collector open-telemetry/opentelemetry-collector \ - --namespace observability \ - --values otel-collector-values.yaml -``` - ---- - -## 🔒 **PHASE 7: SECRETS MANAGEMENT & SECURITY** (Gün 17-18) - -### 🔐 **8.1 HashiCorp Vault Setup** - -```bash -# 8.1.1 Vault Helm kurulumu -helm repo add hashicorp https://helm.releases.hashicorp.com -helm repo update - -cat > vault-values.yaml << 'EOF' -global: - enabled: true - tlsDisable: false - -injector: - enabled: true - replicas: 1 - resources: - requests: - memory: 256Mi - cpu: 250m - limits: - memory: 256Mi - cpu: 250m - -server: - image: - repository: "vault" - tag: "1.15.0" - - resources: - requests: - memory: 256Mi - cpu: 250m - limits: - memory: 256Mi - cpu: 250m - - readinessProbe: - enabled: true - path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" - livenessProbe: - enabled: true - path: "/v1/sys/health?standbyok=true" - initialDelaySeconds: 60 - - extraEnvironmentVars: - VAULT_CACERT: /vault/userconfig/vault-ha-tls/vault.ca - VAULT_TLSCERT: /vault/userconfig/vault-ha-tls/vault.crt - VAULT_TLSKEY: /vault/userconfig/vault-ha-tls/vault.key - - extraVolumes: - - type: secret - name: vault-ha-tls - path: /vault/userconfig - - standalone: - enabled: false - - ha: - enabled: true - replicas: 3 - raft: - enabled: true - setNodeId: true - config: | - ui = true - - listener "tcp" { - tls_disable = 0 - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt" - tls_key_file = 
"/vault/userconfig/vault-ha-tls/vault.key" - tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca" - } - - storage "raft" { - path = "/vault/data" - - retry_join { - leader_api_addr = "https://vault-0.vault-internal:8200" - leader_ca_cert_file = "/vault/userconfig/vault-ha-tls/vault.ca" - leader_client_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt" - leader_client_key_file = "/vault/userconfig/vault-ha-tls/vault.key" - } - - retry_join { - leader_api_addr = "https://vault-1.vault-internal:8200" - leader_ca_cert_file = "/vault/userconfig/vault-ha-tls/vault.ca" - leader_client_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt" - leader_client_key_file = "/vault/userconfig/vault-ha-tls/vault.key" - } - - retry_join { - leader_api_addr = "https://vault-2.vault-internal:8200" - leader_ca_cert_file = "/vault/userconfig/vault-ha-tls/vault.ca" - leader_client_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt" - leader_client_key_file = "/vault/userconfig/vault-ha-tls/vault.key" - } - } - - service_registration "kubernetes" {} - - service: - enabled: true - type: ClusterIP - port: 8200 - targetPort: 8200 - - dataStorage: - enabled: true - size: 10Gi - storageClass: gp3 - - auditStorage: - enabled: true - size: 10Gi - storageClass: gp3 - -ui: - enabled: true - serviceType: ClusterIP -EOF - -# 8.1.2 TLS sertifikaları oluştur -mkdir -p vault-tls -cd vault-tls - -# CA private key -openssl genrsa -out vault-ca.key 2048 - -# CA certificate -openssl req -new -x509 -key vault-ca.key -out vault-ca.crt -days 365 \ - -subj "/C=US/ST=CA/L=San Francisco/O=HashiCorp/CN=Vault CA" - -# Vault private key -openssl genrsa -out vault.key 2048 - -# Vault certificate signing request -cat > vault.conf << 'EOF' -[req] -distinguished_name = req_distinguished_name -req_extensions = v3_req -prompt = no - -[req_distinguished_name] -C = US -ST = CA -L = San Francisco -O = HashiCorp -CN = vault - -[v3_req] -keyUsage = keyEncipherment, dataEncipherment -extendedKeyUsage = 
serverAuth -subjectAltName = @alt_names - -[alt_names] -DNS.1 = vault -DNS.2 = vault.vault -DNS.3 = vault.vault.svc -DNS.4 = vault.vault.svc.cluster.local -DNS.5 = vault-0.vault-internal -DNS.6 = vault-1.vault-internal -DNS.7 = vault-2.vault-internal -DNS.8 = vault-0.vault-internal.vault.svc.cluster.local -DNS.9 = vault-1.vault-internal.vault.svc.cluster.local -DNS.10 = vault-2.vault-internal.vault.svc.cluster.local -DNS.11 = vault.yourdomain.com -IP.1 = 127.0.0.1 -EOF - -openssl req -new -key vault.key -out vault.csr -config vault.conf - -# Vault certificate -openssl x509 -req -in vault.csr -CA vault-ca.crt -CAkey vault-ca.key \ - -CAcreateserial -out vault.crt -days 365 -extensions v3_req -extfile vault.conf - -# 8.1.3 Vault namespace ve TLS secret oluştur -kubectl create namespace vault - -kubectl create secret generic vault-ha-tls \ - --from-file=vault.key=vault.key \ - --from-file=vault.crt=vault.crt \ - --from-file=vault.ca=vault-ca.crt \ - --namespace vault - -cd .. - -# 8.1.4 Vault kurulumu -helm install vault hashicorp/vault \ - --namespace vault \ - --values vault-values.yaml - -# 8.1.5 Vault'u initialize et ve unseal et -kubectl exec vault-0 -n vault -- vault operator init \ - -key-shares=5 \ - -key-threshold=3 \ - -format=json > cluster-keys.json - -# Root token ve unseal key'leri çıkar -VAULT_UNSEAL_KEY_1=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[0]") -VAULT_UNSEAL_KEY_2=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[1]") -VAULT_UNSEAL_KEY_3=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[2]") -CLUSTER_ROOT_TOKEN=$(cat cluster-keys.json | jq -r ".root_token") - -# Vault unseal -kubectl exec vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_1 -kubectl exec vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_2 -kubectl exec vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_3 - -# Diğer node'ları join et -kubectl exec vault-1 -n vault -- vault operator raft join https://vault-0.vault-internal:8200 -kubectl exec 
vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_1 -kubectl exec vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_2 -kubectl exec vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_3 - -kubectl exec vault-2 -n vault -- vault operator raft join https://vault-0.vault-internal:8200 -kubectl exec vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_1 -kubectl exec vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_2 -kubectl exec vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_3 - -echo "Root Token: $CLUSTER_ROOT_TOKEN" -``` - -### 🔧 **8.2 External Secrets Operator** - -```bash -# 8.2.1 External Secrets Operator kurulumu -helm repo add external-secrets https://charts.external-secrets.io -helm repo update - -helm install external-secrets external-secrets/external-secrets \ - --namespace external-secrets \ - --create-namespace - -# 8.2.2 Vault'ta Kubernetes auth method aktifleştir -kubectl exec vault-0 -n vault -- env VAULT_TOKEN=$CLUSTER_ROOT_TOKEN vault auth enable kubernetes - -# Service account token path'ini al -TOKEN_REVIEW_JWT=$(kubectl get secret \ - $(kubectl get serviceaccount vault -n vault -o jsonpath='{.secrets[0].name}') \ - -n vault -o jsonpath='{.data.token}' | base64 --decode) - -KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 --decode) - -KUBE_HOST=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.server}') - -# Kubernetes auth method konfigüre et -kubectl exec vault-0 -n vault -- env VAULT_TOKEN=$CLUSTER_ROOT_TOKEN vault write auth/kubernetes/config \ - token_reviewer_jwt="$TOKEN_REVIEW_JWT" \ - kubernetes_host="$KUBE_HOST" \ - kubernetes_ca_cert="$KUBE_CA_CERT" - -# 8.2.3 Vault policy ve role oluştur -kubectl exec vault-0 -n vault -- env VAULT_TOKEN=$CLUSTER_ROOT_TOKEN vault policy write mycompany-dev - < vault-secret-store.yaml << 'EOF' -apiVersion: external-secrets.io/v1beta1 
-kind: SecretStore -metadata: - name: vault-backend - namespace: dev -spec: - provider: - vault: - server: "https://vault.vault.svc.cluster.local:8200" - path: "secret" - version: "v2" - caBundle: "LS0tLS1CRUdJTi..." # Base64 encoded CA cert - auth: - kubernetes: - mountPath: "kubernetes" - role: "mycompany-dev" - serviceAccountRef: - name: "external-secrets" -EOF - -# CA cert'i base64 encode et -CA_BUNDLE=$(cat vault-tls/vault-ca.crt | base64 -w 0) -sed -i "s/LS0tLS1CRUdJTi.../$CA_BUNDLE/g" vault-secret-store.yaml - -kubectl apply -f vault-secret-store.yaml - -# 8.2.6 ExternalSecret oluştur -cat > external-secret-database.yaml << 'EOF' -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: database-credentials - namespace: dev -spec: - refreshInterval: 1m - secretStoreRef: - name: vault-backend - kind: SecretStore - target: - name: database-secret - creationPolicy: Owner - data: - - secretKey: username - remoteRef: - key: secret/dev/database - property: username - - secretKey: password - remoteRef: - key: secret/dev/database - property: password -EOF - -kubectl apply -f external-secret-database.yaml - -# Secret'in oluştuğunu kontrol et -kubectl get secrets -n dev -kubectl describe externalsecret database-credentials -n dev -``` - -### 🛡️ **8.3 Pod Security Standards** - -```bash -# 8.3.1 Pod Security Standards uygula -kubectl label --overwrite namespace dev pod-security.kubernetes.io/enforce=restricted -kubectl label --overwrite namespace dev pod-security.kubernetes.io/audit=restricted -kubectl label --overwrite namespace dev pod-security.kubernetes.io/warn=restricted - -kubectl label --overwrite namespace staging pod-security.kubernetes.io/enforce=restricted -kubectl label --overwrite namespace staging pod-security.kubernetes.io/audit=restricted -kubectl label --overwrite namespace staging pod-security.kubernetes.io/warn=restricted - -kubectl label --overwrite namespace production pod-security.kubernetes.io/enforce=restricted -kubectl 
label --overwrite namespace production pod-security.kubernetes.io/audit=restricted -kubectl label --overwrite namespace production pod-security.kubernetes.io/warn=restricted - -# 8.3.2 Security context template -cat > security-context-template.yaml << 'EOF' -apiVersion: apps/v1 -kind: Deployment -metadata: - name: secure-app - namespace: dev -spec: - replicas: 1 - selector: - matchLabels: - app: secure-app - template: - metadata: - labels: - app: secure-app - spec: - securityContext: - runAsNonRoot: true - runAsUser: 10001 - runAsGroup: 10001 - fsGroup: 10001 - seccompProfile: - type: RuntimeDefault - containers: - - name: app - image: nginx:alpine - ports: - - containerPort: 8080 - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 10001 - runAsGroup: 10001 - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - resources: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "256Mi" - cpu: "200m" - volumeMounts: - - name: tmp - mountPath: /tmp - - name: var-cache-nginx - mountPath: /var/cache/nginx - - name: var-run - mountPath: /var/run - volumes: - - name: tmp - emptyDir: {} - - name: var-cache-nginx - emptyDir: {} - - name: var-run - emptyDir: {} -EOF -``` - -### 🔍 **8.4 Falco Runtime Security** - -```bash -# 8.4.1 Falco kurulumu -helm repo add falcosecurity https://falcosecurity.github.io/charts -helm repo update - -cat > falco-values.yaml << 'EOF' -falco: - rules_file: - - /etc/falco/falco_rules.yaml - - /etc/falco/falco_rules.local.yaml - - /etc/falco/k8s_audit_rules.yaml - - /etc/falco/rules.d - - time_format_iso_8601: true - json_output: true - json_include_output_property: true - json_include_tags_property: true - - log_stderr: true - log_syslog: true - log_level: info - - priority: debug - - buffered_outputs: false - - syscall_event_drops: - actions: - - log - - alert - rate: 0.03333 - max_burst: 1000 - - outputs: - rate: 1 - max_burst: 1000 - - syslog_output: - enabled: 
true - - file_output: - enabled: false - - stdout_output: - enabled: true - - webserver: - enabled: true - listen_port: 8765 - k8s_healthz_endpoint: /healthz - ssl_enabled: false - ssl_certificate: /etc/ssl/falco/falco.pem - - grpc: - enabled: false - - grpc_output: - enabled: false - -customRules: - custom-rules.yaml: |- - - rule: Unexpected outbound connection destination - desc: Detect outbound connections to unexpected destinations - condition: > - outbound and not - (fd.sip in (internal_networks)) - output: Outbound connection to unexpected destination (command=%proc.cmdline dest=%fd.rip) - priority: WARNING - tags: [network, mitre_exfiltration] - - - rule: Suspicious process in container - desc: Detect suspicious processes running in containers - condition: > - spawned_process and container and - (proc.name in (nc, ncat, netcat, nmap, dig, nslookup, tcpdump)) - output: Suspicious process in container (command=%proc.cmdline container=%container.name) - priority: WARNING - tags: [process, container] - -driver: - enabled: true - kind: ebpf - -collectors: - enabled: true - docker: - enabled: true - containerd: - enabled: true - crio: - enabled: false - -resources: - requests: - cpu: 100m - memory: 512Mi - limits: - cpu: 200m - memory: 1024Mi - -tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - -falcosidekick: - enabled: true - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 200m - memory: 256Mi - - config: - slack: - webhookurl: "YOUR_SLACK_WEBHOOK_URL" - channel: "#security-alerts" - username: "Falco" - minimumpriority: "warning" - messageformat: "long" - - alertmanager: - hostport: "http://kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local:9093" - minimumpriority: "warning" -EOF - -kubectl create namespace falco -helm install falco falcosecurity/falco \ - --namespace falco \ - --values falco-values.yaml - -# 8.4.2 Falco durumunu kontrol 
et -kubectl get pods -n falco -kubectl logs -l app.kubernetes.io/name=falco -n falco -``` - ---- - -## 🗄️ **PHASE 8: BACKUP & DISASTER RECOVERY** (Gün 19-20) - -### 💾 **9.1 Velero Backup Setup** - -```bash -# 9.1.1 AWS S3 bucket oluştur -BACKUP_BUCKET="mycompany-k8s-backups-$(openssl rand -hex 4)" -aws s3 mb s3://$BACKUP_BUCKET --region eu-west-1 - -# S3 bucket policy -cat > backup-bucket-policy.json << EOF -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VeleroBackupAccess", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/velero-role" - }, - "Action": [ - "s3:GetObject", - "s3:DeleteObject", - "s3:PutObject", - "s3:AbortMultipartUpload", - "s3:ListMultipartUploadParts" - ], - "Resource": "arn:aws:s3:::$BACKUP_BUCKET/*" - }, - { - "Sid": "VeleroBackupList", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/velero-role" - }, - "Action": [ - "s3:ListBucket" - ], - "Resource": "arn:aws:s3:::$BACKUP_BUCKET" - } - ] -} -EOF - -# IAM policy için Velero permissions -cat > velero-policy.json << 'EOF' -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeVolumes", - "ec2:DescribeSnapshots", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:CreateSnapshot", - "ec2:DeleteSnapshot" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:DeleteObject", - "s3:PutObject", - "s3:AbortMultipartUpload", - "s3:ListMultipartUploadParts" - ], - "Resource": [ - "arn:aws:s3:::BUCKET-NAME/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:ListBucket" - ], - "Resource": [ - "arn:aws:s3:::BUCKET-NAME" - ] - } - ] -} -EOF - -sed -i "s/BUCKET-NAME/$BACKUP_BUCKET/g" velero-policy.json - -# IAM policy oluştur -aws iam create-policy \ - --policy-name VeleroBackupPolicy \ - --policy-document file://velero-policy.json - -# Service account için 
trust policy -cat > velero-trust-policy.json << 'EOF' -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::ACCOUNT-ID:oidc-provider/OIDC-URL" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "OIDC-URL:sub": "system:serviceaccount:velero:velero", - "OIDC-URL:aud": "sts.amazonaws.com" - } - } - } - ] -} -EOF - -# OIDC provider URL'ini al -OIDC_URL=$(aws eks describe-cluster --name mycompany-dev-eks --query "cluster.identity.oidc.issuer" --output text | sed 's|https://||') -ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) - -sed -i "s/ACCOUNT-ID/$ACCOUNT_ID/g" velero-trust-policy.json -sed -i "s/OIDC-URL/$OIDC_URL/g" velero-trust-policy.json - -# IAM role oluştur -aws iam create-role \ - --role-name velero-role \ - --assume-role-policy-document file://velero-trust-policy.json - -# Policy'yi role'e attach et -aws iam attach-role-policy \ - --role-arn arn:aws:iam::$ACCOUNT_ID:role/velero-role \ - --policy-arn arn:aws:iam::$ACCOUNT_ID:policy/VeleroBackupPolicy - -# 9.1.2 Velero CLI kurulumu -wget https://github.com/vmware-tanzu/velero/releases/download/v1.12.0/velero-v1.12.0-linux-amd64.tar.gz -tar -xzf velero-v1.12.0-linux-amd64.tar.gz -sudo mv velero-v1.12.0-linux-amd64/velero /usr/local/bin/ -rm -rf velero-v1.12.0-linux-amd64* - -# 9.1.3 Velero kurulumu -cat > velero-values.yaml << EOF -configuration: - backupStorageLocation: - - name: aws - provider: aws - bucket: $BACKUP_BUCKET - config: - region: eu-west-1 - volumeSnapshotLocation: - - name: aws - provider: aws - config: - region: eu-west-1 - -credentials: - useSecret: false - -serviceAccount: - server: - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::$ACCOUNT_ID:role/velero-role - -initContainers: -- name: velero-plugin-for-aws - image: velero/velero-plugin-for-aws:v1.8.0 - volumeMounts: - - mountPath: /target - name: plugins - -resources: - requests: - cpu: 500m - memory: 128Mi 
- limits: - cpu: 1000m - memory: 512Mi - -nodeAgent: - resources: - requests: - cpu: 500m - memory: 512Mi - limits: - cpu: 1000m - memory: 1024Mi - -schedules: - daily-backup: - disabled: false - schedule: "0 2 * * *" - template: - includedNamespaces: - - dev - - staging - - production - - monitoring - - vault - excludedResources: - - events - - events.events.k8s.io - storageLocation: aws - ttl: 720h0m0s - snapshotVolumes: true - - weekly-backup: - disabled: false - schedule: "0 3 * * 0" - template: - includedNamespaces: - - dev - - staging - - production - - monitoring - - vault - excludedResources: - - events - - events.events.k8s.io - storageLocation: aws - ttl: 2160h0m0s - snapshotVolumes: true -EOF - -helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts -helm repo update - -kubectl create namespace velero -helm install velero vmware-tanzu/velero \ - --namespace velero \ - --values velero-values.yaml - -# 9.1.4 Manual backup test -velero backup create test-backup --include-namespaces dev -velero backup describe test-backup -velero backup logs test-backup - -echo "Backup bucket: $BACKUP_BUCKET" -``` - -### 🔄 **9.2 Database Backup Strategy** - -```bash -# 9.2.1 RDS automated backup script -cat > ~/devops-infrastructure/scripts/rds-backup.sh << 'EOF' -#!/bin/bash - -# RDS Backup Script -set -e - -DB_IDENTIFIER="mycompany-dev-db" -BACKUP_PREFIX="manual-backup" -REGION="eu-west-1" - -# Create manual snapshot -SNAPSHOT_ID="${BACKUP_PREFIX}-$(date +%Y%m%d%H%M%S)" - -echo "Creating RDS snapshot: $SNAPSHOT_ID" -aws rds create-db-snapshot \ - --db-instance-identifier $DB_IDENTIFIER \ - --db-snapshot-identifier $SNAPSHOT_ID \ - --region $REGION - -# Wait for snapshot completion -echo "Waiting for snapshot completion..." 
-aws rds wait db-snapshot-completed \ - --db-snapshot-identifier $SNAPSHOT_ID \ - --region $REGION - -echo "Snapshot created successfully: $SNAPSHOT_ID" - -# List recent snapshots -echo "Recent snapshots:" -aws rds describe-db-snapshots \ - --db-instance-identifier $DB_IDENTIFIER \ - --snapshot-type manual \ - --region $REGION \ - --query 'DBSnapshots[0:5].[DBSnapshotIdentifier,Status,SnapshotCreateTime]' \ - --output table - -# Cleanup old manual snapshots (keep last 7) -OLD_SNAPSHOTS=$(aws rds describe-db-snapshots \ - --db-instance-identifier $DB_IDENTIFIER \ - --snapshot-type manual \ - --region $REGION \ - --query 'DBSnapshots[7:].DBSnapshotIdentifier' \ - --output text) - -if [ ! -z "$OLD_SNAPSHOTS" ]; then - echo "Cleaning up old snapshots..." - for snapshot in $OLD_SNAPSHOTS; do - echo "Deleting snapshot: $snapshot" - aws rds delete-db-snapshot \ - --db-snapshot-identifier $snapshot \ - --region $REGION - done -fi - -echo "Backup completed successfully!" -EOF - -chmod +x ~/devops-infrastructure/scripts/rds-backup.sh - -# 9.2.2 PostgreSQL logical backup (for application data) -cat > ~/devops-infrastructure/scripts/postgres-logical-backup.sh << 'EOF' -#!/bin/bash - -# PostgreSQL Logical Backup Script -set -e - -# Configuration -DB_HOST="your-rds-endpoint" -DB_NAME="mycompanydb" -DB_USER="admin" -BACKUP_DIR="/tmp/pg-backups" -S3_BUCKET="mycompany-db-logical-backups" -DATE=$(date +%Y%m%d_%H%M%S) - -# Create backup directory -mkdir -p $BACKUP_DIR - -# Get password from Kubernetes secret -DB_PASSWORD=$(kubectl get secret database-secret -n dev -o jsonpath='{.data.password}' | base64 -d) - -export PGPASSWORD=$DB_PASSWORD - -# Create backup -echo "Creating logical backup..." -pg_dump -h $DB_HOST -U $DB_USER -d $DB_NAME \ - --verbose \ - --no-password \ - --format=custom \ - --compress=9 \ - --file=$BACKUP_DIR/logical-backup-$DATE.dump - -# Upload to S3 -echo "Uploading to S3..." 
-aws s3 cp $BACKUP_DIR/logical-backup-$DATE.dump \ - s3://$S3_BUCKET/logical-backups/logical-backup-$DATE.dump - -# Cleanup local file -rm $BACKUP_DIR/logical-backup-$DATE.dump - -# Cleanup old S3 backups (keep last 30 days) -echo "Cleaning up old backups..." -aws s3 ls s3://$S3_BUCKET/logical-backups/ \ - --recursive \ - --query "Contents[?LastModified<='$(date -d '30 days ago' --iso-8601)'].Key" \ - --output text | \ - xargs -I {} aws s3 rm s3://$S3_BUCKET/{} - -echo "Logical backup completed successfully!" -EOF - -chmod +x ~/devops-infrastructure/scripts/postgres-logical-backup.sh - -# 9.2.3 CronJob for automated database backups -cat > database-backup-cronjob.yaml << 'EOF' -apiVersion: batch/v1 -kind: CronJob -metadata: - name: postgres-logical-backup - namespace: dev -spec: - schedule: "0 1 * * *" # Daily at 1 AM - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: 3 - failedJobsHistoryLimit: 3 - jobTemplate: - spec: - template: - spec: - serviceAccountName: backup-sa - containers: - - name: backup - image: postgres:15-alpine - env: - - name: DB_HOST - value: "your-rds-endpoint" - - name: DB_NAME - value: "mycompanydb" - - name: DB_USER - value: "admin" - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: database-secret - key: password - - name: S3_BUCKET - value: "mycompany-db-logical-backups" - command: - - /bin/bash - - -c - - | - set -e - apk add --no-cache aws-cli - - DATE=$(date +%Y%m%d_%H%M%S) - BACKUP_FILE="/tmp/logical-backup-$DATE.dump" - - export PGPASSWORD=$DB_PASSWORD - - echo "Creating logical backup..." - pg_dump -h $DB_HOST -U $DB_USER -d $DB_NAME \ - --verbose \ - --no-password \ - --format=custom \ - --compress=9 \ - --file=$BACKUP_FILE - - echo "Uploading to S3..." - aws s3 cp $BACKUP_FILE s3://$S3_BUCKET/logical-backups/ - - echo "Backup completed successfully!" 
- resources: - requests: - memory: "256Mi" - cpu: "100m" - limits: - memory: "512Mi" - cpu: "200m" - restartPolicy: OnFailure ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: backup-sa - namespace: dev - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/backup-role -EOF - -kubectl apply -f database-backup-cronjob.yaml -``` - -### 📋 **9.3 Disaster Recovery Runbook** - -```bash -# 9.3.1 DR runbook oluştur -cat > ~/devops-infrastructure/docs/disaster-recovery-runbook.md << 'EOF' -# Disaster Recovery Runbook - -## Overview -Bu doküman Kubernetes cluster ve RDS veritabanı için disaster recovery prosedürlerini içerir. - -## RTO/RPO Targets -- **RTO (Recovery Time Objective)**: 4 saat -- **RPO (Recovery Point Objective)**: 1 saat - -## Disaster Scenarios - -### 1. Complete Cluster Loss - -#### Assessment -```bash -# Cluster durumunu kontrol et -kubectl get nodes -kubectl get pods --all-namespaces - -# AWS EKS cluster durumu -aws eks describe-cluster --name mycompany-dev-eks -``` - -#### Recovery Steps - -1. **Yeni cluster oluştur** -```bash -cd ~/devops-infrastructure/terraform/environments/dev -terraform plan -target=module.eks -terraform apply -target=module.eks -``` - -2. **Velero restore** -```bash -# En son backup'ı listele -velero backup get - -# Restore işlemi -velero restore create restore-$(date +%Y%m%d) \ - --from-backup daily-backup-YYYYMMDD -``` - -3. **Database connectivity kontrol** -```bash -kubectl get secrets database-secret -n dev -kubectl run test-db-connection --rm -i --tty \ - --image=postgres:15-alpine -- \ - psql -h RDS_ENDPOINT -U admin -d mycompanydb -``` - -### 2. Database Disaster - -#### Assessment -```bash -# RDS status kontrol -aws rds describe-db-instances \ - --db-instance-identifier mycompany-dev-db - -# Connection test -kubectl run db-test --rm -i --tty \ - --image=postgres:15-alpine -- \ - psql -h RDS_ENDPOINT -U admin -d mycompanydb -c "SELECT 1;" -``` - -#### Recovery Steps - -1. 
**Point-in-time recovery** -```bash -# Son valid backup time'ı bul -aws rds describe-db-instances \ - --db-instance-identifier mycompany-dev-db \ - --query 'DBInstances[0].LatestRestorableTime' - -# Point-in-time restore -aws rds restore-db-instance-to-point-in-time \ - --source-db-instance-identifier mycompany-dev-db \ - --target-db-instance-identifier mycompany-dev-db-recovered \ - --restore-time 2024-XX-XXTXX:XX:XX.000Z -``` - -2. **Manual snapshot restore** -```bash -# Available snapshots -aws rds describe-db-snapshots \ - --db-instance-identifier mycompany-dev-db - -# Restore from snapshot -aws rds restore-db-instance-from-db-snapshot \ - --db-instance-identifier mycompany-dev-db-recovered \ - --db-snapshot-identifier manual-backup-YYYYMMDDHHMMSS -``` - -3. **Application reconnection** -```bash -# Update database endpoint in secrets -kubectl patch secret database-secret -n dev \ - --type='json' \ - -p='[{"op": "replace", "path": "/data/host", "value":"'$(echo NEW_RDS_ENDPOINT | base64 -w 0)'"}]' - -# Restart applications -kubectl rollout restart deployment -n dev -``` - -### 3. Data Corruption - -#### Assessment -```bash -# Check for data inconsistencies -kubectl exec -it deployment/backend -n dev -- \ - python manage.py check_data_integrity - -# Check database logs -aws rds describe-db-log-files \ - --db-instance-identifier mycompany-dev-db -``` - -#### Recovery Steps - -1. **Identify corruption scope** -```bash -# Analyze affected data -kubectl exec -it deployment/backend -n dev -- \ - python manage.py analyze_corruption -``` - -2. **Restore from logical backup** -```bash -# Download latest logical backup -aws s3 cp s3://mycompany-db-logical-backups/logical-backups/latest.dump /tmp/ - -# Restore specific tables -pg_restore -h RDS_ENDPOINT -U admin -d mycompanydb \ - --table=affected_table \ - --clean \ - /tmp/latest.dump -``` - -## Testing Procedures - -### Monthly DR Drill -1. Create test restore in separate namespace -2. Verify data integrity -3. 
Test application functionality -4. Document lessons learned - -### Quarterly Full DR Test -1. Complete environment recreation -2. Full data restore -3. End-to-end testing -4. Performance validation - -## Emergency Contacts - -- **DevOps Team**: +90-XXX-XXX-XXXX -- **Database Team**: +90-XXX-XXX-XXXX -- **On-call Engineer**: +90-XXX-XXX-XXXX - -## Post-Incident Actions - -1. **Root Cause Analysis** - - Document incident timeline - - Identify failure points - - Implement preventive measures - -2. **Update Procedures** - - Update runbooks - - Improve monitoring - - Enhance alerting - -3. **Team Communication** - - Share lessons learned - - Update training materials - - Schedule review meeting -EOF - -# 9.3.2 DR test script -cat > ~/devops-infrastructure/scripts/dr-test.sh << 'EOF' -#!/bin/bash - -# Disaster Recovery Test Script -set -e - -NAMESPACE="dr-test" -BACKUP_NAME="$1" - -if [ -z "$BACKUP_NAME" ]; then - echo "Usage: $0 " - echo "Available backups:" - velero backup get - exit 1 -fi - -echo "Starting DR test with backup: $BACKUP_NAME" - -# Create test namespace -kubectl create namespace $NAMESPACE --dry-run=client -o yaml | kubectl apply -f - - -# Restore from backup to test namespace -velero restore create dr-test-$(date +%Y%m%d%H%M%S) \ - --from-backup $BACKUP_NAME \ - --namespace-mappings dev:$NAMESPACE,staging:$NAMESPACE - -# Wait for restore completion -echo "Waiting for restore completion..." -sleep 60 - -# Check restored resources -echo "Checking restored resources..." -kubectl get all -n $NAMESPACE - -# Test database connectivity -echo "Testing database connectivity..." 
-kubectl run db-test -n $NAMESPACE --rm -i --tty \ - --image=postgres:15-alpine -- \ - psql -h $(kubectl get secret database-secret -n $NAMESPACE -o jsonpath='{.data.host}' | base64 -d) \ - -U $(kubectl get secret database-secret -n $NAMESPACE -o jsonpath='{.data.username}' | base64 -d) \ - -d mycompanydb \ - -c "SELECT COUNT(*) FROM information_schema.tables;" - -echo "DR test completed successfully!" -echo "Cleanup: kubectl delete namespace $NAMESPACE" -EOF - -chmod +x ~/devops-infrastructure/scripts/dr-test.sh -``` - ---- - -## 🎯 **PHASE 9: GITOPS & DEPLOYMENT AUTOMATION** (Gün 21-22) - -### 🔄 **10.1 ArgoCD Setup** - -```bash -# 10.1.1 ArgoCD kurulumu -kubectl create namespace argocd -kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml - -# 10.1.2 ArgoCD CLI kurulumu -wget https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 -sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd -rm argocd-linux-amd64 - -# 10.1.3 ArgoCD initial password -ARGOCD_PASSWORD=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d) -echo "ArgoCD admin password: $ARGOCD_PASSWORD" - -# 10.1.4 ArgoCD ingress -cat > argocd-ingress.yaml << 'EOF' -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: argocd-server-ingress - namespace: argocd - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" - cert-manager.io/cluster-issuer: "letsencrypt-prod" -spec: - tls: - - hosts: - - argocd.yourdomain.com - secretName: argocd-tls - rules: - - host: argocd.yourdomain.com - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: argocd-server - port: - number: 443 -EOF - -kubectl apply -f argocd-ingress.yaml - -# 10.1.5 ArgoCD server configuration -kubectl patch configmap 
argocd-cmd-params-cm -n argocd --patch '{"data":{"server.insecure":"true"}}' -kubectl rollout restart deployment argocd-server -n argocd - -# 10.1.6 ArgoCD login -argocd login argocd.yourdomain.com --username admin --password $ARGOCD_PASSWORD --insecure -``` - -### 📁 **10.2 GitOps Repository Structure** - -```bash -# 10.2.1 GitOps repository oluştur -cd ~/ -git clone https://github.com/yourusername/gitops-config.git -cd gitops-config - -# Repository structure -mkdir -p {applications/{dev,staging,production},infrastructure/{monitoring,logging,security},bootstrap} - -# 10.2.2 Application of Applications pattern -cat > bootstrap/root-app.yaml << 'EOF' -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: root-app - namespace: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: default - source: - repoURL: https://github.com/yourusername/gitops-config.git - targetRevision: main - path: bootstrap - destination: - server: https://kubernetes.default.svc - namespace: argocd - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true -EOF - -# 10.2.3 Infrastructure applications -cat > bootstrap/infrastructure-apps.yaml << 'EOF' -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: monitoring-stack - namespace: argocd -spec: - project: default - source: - repoURL: https://github.com/yourusername/gitops-config.git - targetRevision: main - path: infrastructure/monitoring - destination: - server: https://kubernetes.default.svc - namespace: monitoring - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: logging-stack - namespace: argocd -spec: - project: default - source: - repoURL: https://github.com/yourusername/gitops-config.git - targetRevision: main - path: infrastructure/logging - destination: - server: https://kubernetes.default.svc - namespace: 
logging - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: security-stack - namespace: argocd -spec: - project: default - source: - repoURL: https://github.com/yourusername/gitops-config.git - targetRevision: main - path: infrastructure/security - destination: - server: https://kubernetes.default.svc - namespace: security - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true -EOF - -# 10.2.4 Environment-specific applications -cat > bootstrap/dev-apps.yaml << 'EOF' -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: dev-applications - namespace: argocd -spec: - project: default - source: - repoURL: https://github.com/yourusername/gitops-config.git - targetRevision: main - path: applications/dev - destination: - server: https://kubernetes.default.svc - namespace: dev - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true -EOF - -# 10.2.5 Sample application manifest -cat > applications/dev/sample-app.yaml << 'EOF' -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sample-app - namespace: dev - labels: - app: sample-app -spec: - replicas: 2 - selector: - matchLabels: - app: sample-app - template: - metadata: - labels: - app: sample-app - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "8080" - prometheus.io/path: "/metrics" - spec: - securityContext: - runAsNonRoot: true - runAsUser: 10001 - runAsGroup: 10001 - fsGroup: 10001 - containers: - - name: app - image: ghcr.io/yourusername/sample-app:v1.0.0 - ports: - - containerPort: 8080 - name: http - env: - - name: DATABASE_URL - valueFrom: - secretKeyRef: - name: database-secret - key: url - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 10001 - runAsGroup: 10001 - capabilities: - drop: - - ALL - 
resources: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "256Mi" - cpu: "200m" - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 30 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - name: tmp - mountPath: /tmp - volumes: - - name: tmp - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: sample-app - namespace: dev - labels: - app: sample-app -spec: - selector: - app: sample-app - ports: - - port: 80 - targetPort: 8080 - name: http - type: ClusterIP ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: sample-app - namespace: dev - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/ssl-redirect: "true" - cert-manager.io/cluster-issuer: "letsencrypt-prod" -spec: - tls: - - hosts: - - app-dev.yourdomain.com - secretName: sample-app-tls - rules: - - host: app-dev.yourdomain.com - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: sample-app - port: - number: 80 -EOF - -# Git'e commit -git add . 
-git commit -m "Initial GitOps repository structure" -git push origin main -``` - -### 🚀 **10.3 Progressive Delivery with Argo Rollouts** - -```bash -# 10.3.1 Argo Rollouts kurulumu -kubectl create namespace argo-rollouts -kubectl apply -n argo-rollouts -f https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml - -# 10.3.2 Argo Rollouts CLI -wget https://github.com/argoproj/argo-rollouts/releases/latest/download/kubectl-argo-rollouts-linux-amd64 -sudo install -m 555 kubectl-argo-rollouts-linux-amd64 /usr/local/bin/kubectl-argo-rollouts -rm kubectl-argo-rollouts-linux-amd64 - -# 10.3.3 Canary deployment example -cat > applications/dev/sample-app-rollout.yaml << 'EOF' -apiVersion: argoproj.io/v1alpha1 -kind: Rollout -metadata: - name: sample-app-rollout - namespace: dev -spec: - replicas: 5 - strategy: - canary: - steps: - - setWeight: 20 - - pause: {} - - setWeight: 40 - - pause: {duration: 10} - - setWeight: 60 - - pause: {duration: 10} - - setWeight: 80 - - pause: {duration: 10} - canaryService: sample-app-canary - stableService: sample-app-stable - trafficRouting: - nginx: - stableIngress: sample-app-stable - annotationPrefix: nginx.ingress.kubernetes.io - additionalIngressAnnotations: - canary-by-header: X-Canary - analysis: - templates: - - templateName: success-rate - startingStep: 2 - args: - - name: service-name - value: sample-app-canary.dev.svc.cluster.local - selector: - matchLabels: - app: sample-app - template: - metadata: - labels: - app: sample-app - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "8080" - prometheus.io/path: "/metrics" - spec: - containers: - - name: app - image: ghcr.io/yourusername/sample-app:v1.0.0 - ports: - - containerPort: 8080 - name: http - env: - - name: DATABASE_URL - valueFrom: - secretKeyRef: - name: database-secret - key: url - resources: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "256Mi" - cpu: "200m" - livenessProbe: - httpGet: - path: /health - port: 8080 
- initialDelaySeconds: 30 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 ---- -apiVersion: v1 -kind: Service -metadata: - name: sample-app-stable - namespace: dev -spec: - selector: - app: sample-app - ports: - - port: 80 - targetPort: 8080 - name: http ---- -apiVersion: v1 -kind: Service -metadata: - name: sample-app-canary - namespace: dev -spec: - selector: - app: sample-app - ports: - - port: 80 - targetPort: 8080 - name: http ---- -apiVersion: argoproj.io/v1alpha1 -kind: AnalysisTemplate -metadata: - name: success-rate - namespace: dev -spec: - args: - - name: service-name - metrics: - - name: success-rate - interval: 30s - successCondition: result[0] >= 0.95 - failureLimit: 3 - provider: - prometheus: - address: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090 - query: | - sum(irate( - http_requests_total{job="{{args.service-name}}",status!~"5.*"}[5m] - )) / - sum(irate( - http_requests_total{job="{{args.service-name}}"}[5m] - )) -EOF - -# 10.3.4 Blue-Green deployment example -cat > applications/staging/sample-app-bluegreen.yaml << 'EOF' -apiVersion: argoproj.io/v1alpha1 -kind: Rollout -metadata: - name: sample-app-bluegreen - namespace: staging -spec: - replicas: 3 - strategy: - blueGreen: - activeService: sample-app-active - previewService: sample-app-preview - autoPromotionEnabled: false - scaleDownDelaySeconds: 30 - prePromotionAnalysis: - templates: - - templateName: success-rate - args: - - name: service-name - value: sample-app-preview.staging.svc.cluster.local - postPromotionAnalysis: - templates: - - templateName: success-rate - args: - - name: service-name - value: sample-app-active.staging.svc.cluster.local - selector: - matchLabels: - app: sample-app - template: - metadata: - labels: - app: sample-app - spec: - containers: - - name: app - image: ghcr.io/yourusername/sample-app:v1.0.0 - ports: - - containerPort: 8080 - name: http - resources: - 
requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "256Mi" - cpu: "200m" ---- -apiVersion: v1 -kind: Service -metadata: - name: sample-app-active - namespace: staging -spec: - selector: - app: sample-app - ports: - - port: 80 - targetPort: 8080 - name: http ---- -apiVersion: v1 -kind: Service -metadata: - name: sample-app-preview - namespace: staging -spec: - selector: - app: sample-app - ports: - - port: 80 - targetPort: 8080 - name: http -EOF - -# Changes'ları commit et -git add . -git commit -m "Add progressive delivery configurations" -git push origin main -``` - -### 🔧 **10.4 CI/CD Integration with GitOps** - -```bash -# 10.4.1 Image updater için ArgoCD configuration -cat > argocd-image-updater.yaml << 'EOF' -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-image-updater-config - namespace: argocd -data: - registries.conf: | - registries: - - name: GitHub Container Registry - prefix: ghcr.io - api_url: https://ghcr.io - credentials: ext:/scripts/auth1.sh - credsexpire: 10h - ssh_config: | - Host github.com - User git - IdentitiesOnly yes - IdentityFile ~/.ssh/id_rsa - StrictHostKeyChecking no ---- -apiVersion: v1 -kind: Secret -metadata: - name: argocd-image-updater-secret - namespace: argocd -type: Opaque -stringData: - auth1.sh: | - #!/bin/sh - echo "username:$GITHUB_TOKEN" -EOF - -kubectl apply -f argocd-image-updater.yaml - -# 10.4.2 Application annotation for image updates -cat > applications/dev/sample-app-with-image-updater.yaml << 'EOF' -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: sample-app - namespace: argocd - annotations: - argocd-image-updater.argoproj.io/image-list: myapp=ghcr.io/yourusername/sample-app - argocd-image-updater.argoproj.io/write-back-method: git - argocd-image-updater.argoproj.io/git-branch: main -spec: - project: default - source: - repoURL: https://github.com/yourusername/gitops-config.git - targetRevision: main - path: applications/dev - destination: - server: 
https://kubernetes.default.svc - namespace: dev - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true -EOF - -# 10.4.3 Updated Jenkins pipeline with GitOps -cat > ~/devops-infrastructure/jenkins/gitops-pipeline.groovy << 'EOF' -@Library('shared-library') _ - -pipeline { - agent { - kubernetes { - yaml """ - apiVersion: v1 - kind: Pod - spec: - containers: - - name: docker - image: docker:latest - command: - - cat - tty: true - volumeMounts: - - mountPath: /var/run/docker.sock - name: docker-sock - - name: git - image: alpine/git:latest - command: - - cat - tty: true - volumes: - - name: docker-sock - hostPath: - path: /var/run/docker.sock - """ - } - } - - environment { - DOCKER_REGISTRY = 'ghcr.io' - IMAGE_NAME = 'yourusername/sample-app' - GIT_COMMIT_SHORT = sh(script: "git rev-parse --short HEAD", returnStdout: true).trim() - BUILD_VERSION = "v1.0.${env.BUILD_NUMBER}-${GIT_COMMIT_SHORT}" - GITOPS_REPO = 'https://github.com/yourusername/gitops-config.git' - } - - stages { - stage('Build & Push') { - steps { - container('docker') { - script { - def image = docker.build("${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION}") - docker.withRegistry("https://${DOCKER_REGISTRY}", 'github-registry-credentials') { - image.push() - image.push("latest") - } - } - } - } - } - - stage('Update GitOps Repo') { - steps { - container('git') { - withCredentials([usernamePassword(credentialsId: 'github-credentials', usernameVariable: 'GIT_USERNAME', passwordVariable: 'GIT_TOKEN')]) { - sh ''' - git config --global user.email "jenkins@company.com" - git config --global user.name "Jenkins CI" - - # Clone GitOps repository - git clone https://${GIT_USERNAME}:${GIT_TOKEN}@github.com/yourusername/gitops-config.git - cd gitops-config - - # Update image tag in deployment manifest - sed -i "s|image: ${DOCKER_REGISTRY}/${IMAGE_NAME}:.*|image: ${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION}|g" applications/dev/sample-app.yaml - - # Commit and push 
changes - git add . - git commit -m "Update ${IMAGE_NAME} to ${BUILD_VERSION}" - git push origin main - ''' - } - } - } - } - } - - post { - success { - slackSend( - channel: '#deployments', - color: 'good', - message: "✅ ${IMAGE_NAME}:${BUILD_VERSION} built and GitOps updated successfully" - ) - } - failure { - slackSend( - channel: '#deployments', - color: 'danger', - message: "❌ Pipeline failed for ${IMAGE_NAME}:${BUILD_VERSION}" - ) - } - } -} -EOF - -# 10.4.4 ArgoCD'ye root application'ı deploy et -kubectl apply -f ~/gitops-config/bootstrap/root-app.yaml - -echo "GitOps setup completed!" -echo "ArgoCD UI: https://argocd.yourdomain.com" -echo "Login: admin / $ARGOCD_PASSWORD" -``` - ---- - -## 📈 **PHASE 10: COST OPTIMIZATION & PERFORMANCE** (Gün 23-24) - -### 💰 **11.1 Cost Monitoring Setup** - -```bash -# 11.1.1 AWS Cost and Usage Report setup -cat > ~/devops-infrastructure/scripts/setup-cost-monitoring.sh << 'EOF' -#!/bin/bash - -# AWS Cost Monitoring Setup Script -set -e - -BUCKET_NAME="mycompany-cost-reports-$(openssl rand -hex 4)" -REGION="eu-west-1" - -# Create S3 bucket for cost reports -aws s3 mb s3://$BUCKET_NAME --region $REGION - -# Bucket policy for AWS Cost and Usage Reports -cat > cost-bucket-policy.json << EOF -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "billingreports.amazonaws.com" - }, - "Action": [ - "s3:GetBucketAcl", - "s3:GetBucketPolicy" - ], - "Resource": "arn:aws:s3:::$BUCKET_NAME" - }, - { - "Effect": "Allow", - "Principal": { - "Service": "billingreports.amazonaws.com" - }, - "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::$BUCKET_NAME/*" - } - ] -} -EOF - -aws s3api put-bucket-policy --bucket $BUCKET_NAME --policy file://cost-bucket-policy.json - -echo "Cost monitoring S3 bucket created: $BUCKET_NAME" -echo "Configure Cost and Usage Report in AWS Console:" -echo "https://console.aws.amazon.com/billing/home#/reports" -rm cost-bucket-policy.json -EOF - -chmod +x 
~/devops-infrastructure/scripts/setup-cost-monitoring.sh -./~/devops-infrastructure/scripts/setup-cost-monitoring.sh - -# 11.1.2 Kubecost kurulumu -helm repo add kubecost https://kubecost.github.io/cost-analyzer/ -helm repo update - -cat > kubecost-values.yaml << 'EOF' -global: - prometheus: - fqdn: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090 - enabled: false - grafana: - fqdn: http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80 - enabled: false - -kubecostFrontend: - image: "kubecost/frontend" - resources: - requests: - cpu: "10m" - memory: "55Mi" - limits: - cpu: "100m" - memory: "256Mi" - -kubecost: - image: "kubecost/server" - resources: - requests: - cpu: "100m" - memory: "55Mi" - limits: - cpu: "200m" - memory: "256Mi" - -kubecostModel: - image: "kubecost/cost-model" - resources: - requests: - cpu: "200m" - memory: "55Mi" - limits: - cpu: "800m" - memory: "256Mi" - -ingress: - enabled: true - className: nginx - annotations: - nginx.ingress.kubernetes.io/ssl-redirect: "true" - cert-manager.io/cluster-issuer: "letsencrypt-prod" - hosts: - - host: kubecost.yourdomain.com - paths: - - path: / - pathType: Prefix - tls: - - secretName: kubecost-tls - hosts: - - kubecost.yourdomain.com - -persistentVolume: - enabled: true - storageClass: gp3 - size: 32Gi - -nodeSelector: {} -tolerations: [] -affinity: {} - -service: - type: ClusterIP - port: 9090 - targetPort: 9090 -EOF - -kubectl create namespace kubecost -helm install kubecost kubecost/cost-analyzer \ - --namespace kubecost \ - --values kubecost-values.yaml - -# 11.1.3 Resource recommendation script -cat > ~/devops-infrastructure/scripts/resource-recommendations.sh << 'EOF' -#!/bin/bash - -# Resource Recommendations Script -set -e - -echo "📊 Generating resource recommendations..." 
- -# VPA recommendations -echo "=== VPA Recommendations ===" -kubectl get vpa --all-namespaces -o custom-columns=\ -NAMESPACE:.metadata.namespace,\ -NAME:.metadata.name,\ -MODE:.spec.updatePolicy.updateMode,\ -CPU_TARGET:.status.recommendation.containerRecommendations[0].target.cpu,\ -MEMORY_TARGET:.status.recommendation.containerRecommendations[0].target.memory - -# Top resource consuming pods -echo "=== Top CPU Consuming Pods ===" -kubectl top pods --all-namespaces --sort-by=cpu | head -10 - -echo "=== Top Memory Consuming Pods ===" -kubectl top pods --all-namespaces --sort-by=memory | head -10 - -# Unused resources -echo "=== Pods with Low Resource Utilization ===" -kubectl get pods --all-namespaces -o json | \ -jq -r '.items[] | select(.status.phase=="Running") | - .metadata.namespace + "/" + .metadata.name + " - " + - (.spec.containers[0].resources.requests.cpu // "no-limit") + " CPU, " + - (.spec.containers[0].resources.requests.memory // "no-limit") + " Memory"' - -# HPA status -echo "=== HPA Status ===" -kubectl get hpa --all-namespaces - -echo "📋 Recommendations:" -echo "1. Check VPA recommendations for right-sizing" -echo "2. Set resource requests/limits for pods without them" -echo "3. Consider HPA for variable workloads" -echo "4. 
Use VPA in recommendation mode first" -EOF - -chmod +x ~/devops-infrastructure/scripts/resource-recommendations.sh -``` - -### ⚡ **11.2 Performance Optimization** - -```bash -# 11.2.1 Vertical Pod Autoscaler setup -git clone https://github.com/kubernetes/autoscaler.git -cd autoscaler/vertical-pod-autoscaler/ -./hack/vpa-install.sh -cd ~/devops-infrastructure - -# 11.2.2 VPA example configurations -cat > vpa-examples.yaml << 'EOF' -# VPA for sample app (recommendation mode) -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: sample-app-vpa - namespace: dev -spec: - targetRef: - apiVersion: apps/v1 - kind: Deployment - name: sample-app - updatePolicy: - updateMode: "Off" # Recommendation only - resourcePolicy: - containerPolicies: - - containerName: app - minAllowed: - cpu: 100m - memory: 128Mi - maxAllowed: - cpu: 1000m - memory: 1Gi - controlledResources: ["cpu", "memory"] ---- -# VPA for monitoring stack (auto mode) -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: kube-prometheus-stack-prometheus - updatePolicy: - updateMode: "Auto" - resourcePolicy: - containerPolicies: - - containerName: prometheus - minAllowed: - cpu: 500m - memory: 1Gi - maxAllowed: - cpu: 4000m - memory: 8Gi - controlledResources: ["cpu", "memory"] -EOF - -kubectl apply -f vpa-examples.yaml - -# 11.2.3 KEDA (Event-driven autoscaling) setup -helm repo add kedacore https://kedacore.github.io/charts -helm repo update - -helm install keda kedacore/keda \ - --namespace keda \ - --create-namespace - -# 11.2.4 KEDA ScaledObject example (Redis queue) -cat > keda-redis-scaler.yaml << 'EOF' -apiVersion: keda.sh/v1alpha1 -kind: ScaledObject -metadata: - name: redis-scaledobject - namespace: dev -spec: - scaleTargetRef: - name: worker-deployment - minReplicaCount: 1 - maxReplicaCount: 10 - triggers: - - type: redis - metadata: - address: redis.dev.svc.cluster.local:6379 - listName: job_queue - listLength: '5' ---- -apiVersion: 
keda.sh/v1alpha1 -kind: ScaledObject -metadata: - name: prometheus-scaledobject - namespace: dev -spec: - scaleTargetRef: - name: sample-app - minReplicaCount: 2 - maxReplicaCount: 20 - triggers: - - type: prometheus - metadata: - serverAddress: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090 - metricName: http_requests_per_second - threshold: '100' - query: sum(rate(http_requests_total{job="sample-app"}[1m])) -EOF - -kubectl apply -f keda-redis-scaler.yaml - -# 11.2.5 Performance monitoring dashboard -cat > performance-monitoring.yaml << 'EOF' -apiVersion: v1 -kind: ConfigMap -metadata: - name: performance-dashboard - namespace: monitoring - labels: - grafana_dashboard: "1" -data: - performance-dashboard.json: | - { - "dashboard": { - "id": null, - "title": "Application Performance Monitoring", - "tags": ["performance", "apm"], - "timezone": "browser", - "panels": [ - { - "id": 1, - "title": "Request Rate", - "type": "graph", - "targets": [ - { - "expr": "sum(rate(http_requests_total[5m])) by (service)", - "legendFormat": "{{service}}" - } - ] - }, - { - "id": 2, - "title": "Response Time", - "type": "graph", - "targets": [ - { - "expr": "histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket[5m])) by (le, service))", - "legendFormat": "95th percentile - {{service}}" - } - ] - }, - { - "id": 3, - "title": "Error Rate", - "type": "graph", - "targets": [ - { - "expr": "sum(rate(http_requests_total{status=~'5..'}[5m])) by (service) / sum(rate(http_requests_total[5m])) by (service)", - "legendFormat": "Error rate - {{service}}" - } - ] - } - ], - "time": { - "from": "now-1h", - "to": "now" - }, - "refresh": "30s" - } - } -EOF - -kubectl apply -f performance-monitoring.yaml -``` - -### 🧪 **11.3 Load Testing & Performance Validation** - -```bash -# 11.3.1 K6 load testing setup -cat > load-testing/k6-config.yaml << 'EOF' -apiVersion: v1 -kind: ConfigMap -metadata: - name: k6-scripts - namespace: dev -data: - load-test.js: | - 
import http from 'k6/http'; - import { check, sleep } from 'k6'; - import { Rate } from 'k6/metrics'; - - export let errorRate = new Rate('errors'); - - export let options = { - stages: [ - { duration: '2m', target: 10 }, // Ramp up - { duration: '5m', target: 100 }, // Stay at 100 users - { duration: '2m', target: 200 }, // Ramp up to 200 users - { duration: '5m', target: 200 }, // Stay at 200 users - { duration: '2m', target: 0 }, // Ramp down - ], - thresholds: { - http_req_duration: ['p(95)<500'], // 95% of requests under 500ms - http_req_failed: ['rate<0.05'], // Error rate under 5% - errors: ['rate<0.1'], // Custom error rate under 10% - }, - }; - - export default function() { - let response = http.get('https://app-dev.yourdomain.com/api/health'); - - check(response, { - 'status is 200': (r) => r.status === 200, - 'response time < 500ms': (r) => r.timings.duration < 500, - }) || errorRate.add(1); - - sleep(1); - } - - stress-test.js: | - import http from 'k6/http'; - import { check } from 'k6'; - - export let options = { - stages: [ - { duration: '1m', target: 50 }, - { duration: '1m', target: 100 }, - { duration: '1m', target: 200 }, - { duration: '1m', target: 500 }, - { duration: '2m', target: 1000 }, // Stress level - { duration: '2m', target: 0 }, - ], - }; - - export default function() { - let response = http.get('https://app-dev.yourdomain.com/api/users'); - check(response, { - 'status is 200': (r) => r.status === 200, - }); - } -EOF - -kubectl apply -f load-testing/ - -# 11.3.2 K6 operator kurulumu -kubectl apply -f https://github.com/grafana/k6-operator/releases/latest/download/bundle.yaml - -# 11.3.3 Load test job -cat > load-test-job.yaml << 'EOF' -apiVersion: k6.io/v1alpha1 -kind: K6 -metadata: - name: load-test - namespace: dev -spec: - parallelism: 4 - script: - configMap: - name: k6-scripts - file: load-test.js - separate: true - runner: - image: grafana/k6:latest - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 500m - 
memory: 256Mi - env: - - name: K6_PROMETHEUS_RW_SERVER_URL - value: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090/api/v1/write - - name: K6_PROMETHEUS_RW_TREND_AS_NATIVE_HISTOGRAM - value: "true" -EOF - -# Load test çalıştır -kubectl apply -f load-test-job.yaml -kubectl logs -f job/load-test-1 -n dev - -# 11.3.4 Automated performance test pipeline -cat > ~/devops-infrastructure/jenkins/performance-test-pipeline.groovy << 'EOF' -pipeline { - agent { - kubernetes { - yaml """ - apiVersion: v1 - kind: Pod - spec: - containers: - - name: kubectl - image: bitnami/kubectl:latest - command: - - cat - tty: true - - name: k6 - image: grafana/k6:latest - command: - - cat - tty: true - """ - } - } - - parameters { - choice( - name: 'TEST_TYPE', - choices: ['load-test', 'stress-test', 'spike-test'], - description: 'Type of performance test to run' - ) - string( - name: 'TARGET_URL', - defaultValue: 'https://app-staging.yourdomain.com', - description: 'Target URL for testing' - ) - string( - name: 'DURATION', - defaultValue: '5m', - description: 'Test duration' - ) - } - - stages { - stage('Deploy Test Config') { - steps { - container('kubectl') { - sh ''' - cat > k6-test-config.yaml << EOF -apiVersion: v1 -kind: ConfigMap -metadata: - name: k6-test-config-${BUILD_NUMBER} - namespace: dev -data: - test.js: | - import http from 'k6/http'; - import { check, sleep } from 'k6'; - - export let options = { - duration: '${DURATION}', - vus: 50, - thresholds: { - http_req_duration: ['p(95)<1000'], - http_req_failed: ['rate<0.05'], - }, - }; - - export default function() { - let response = http.get('${TARGET_URL}/health'); - check(response, { - 'status is 200': (r) => r.status === 200, - }); - sleep(1); - } -EOF - kubectl apply -f k6-test-config.yaml - ''' - } - } - } - - stage('Run Performance Test') { - steps { - container('kubectl') { - sh ''' - cat > k6-job.yaml << EOF -apiVersion: k6.io/v1alpha1 -kind: K6 -metadata: - name: perf-test-${BUILD_NUMBER} - 
namespace: dev -spec: - parallelism: 2 - script: - configMap: - name: k6-test-config-${BUILD_NUMBER} - file: test.js - separate: true -EOF - kubectl apply -f k6-job.yaml - - # Wait for test completion - kubectl wait --for=condition=complete job/perf-test-${BUILD_NUMBER}-1 -n dev --timeout=600s - - # Get test results - kubectl logs job/perf-test-${BUILD_NUMBER}-1 -n dev - ''' - } - } - } - - stage('Analyze Results') { - steps { - container('kubectl') { - sh ''' - # Extract test metrics and validate against thresholds - TEST_RESULTS=$(kubectl logs job/perf-test-${BUILD_NUMBER}-1 -n dev | grep -E "(http_req_duration|http_req_failed)") - echo "Test Results: $TEST_RESULTS" - - # Check if test passed thresholds - if kubectl logs job/perf-test-${BUILD_NUMBER}-1 -n dev | grep -q "✓"; then - echo "Performance test PASSED" - else - echo "Performance test FAILED" - exit 1 - fi - ''' - } - } - } - } - - post { - always { - container('kubectl') { - sh ''' - # Cleanup test resources - kubectl delete configmap k6-test-config-${BUILD_NUMBER} -n dev || true - kubectl delete k6 perf-test-${BUILD_NUMBER} -n dev || true - ''' - } - } - success { - slackSend( - channel: '#performance', - color: 'good', - message: "✅ Performance test passed for ${params.TARGET_URL}" - ) - } - failure { - slackSend( - channel: '#performance', - color: 'danger', - message: "❌ Performance test failed for ${params.TARGET_URL}" - ) - } - } -} -EOF -``` - -### 📊 **11.4 Cost Optimization Scripts** - -```bash -# 11.4.1 Resource rightsizing script -cat > ~/devops-infrastructure/scripts/cost-optimization.sh << 'EOF' -#!/bin/bash - -# Cost Optimization Analysis Script -set -e - -echo "💰 AWS Cost Optimization Analysis" -echo "==================================" - -# 1. Unused EBS volumes -echo "🔍 Checking for unused EBS volumes..." -aws ec2 describe-volumes \ - --filters Name=status,Values=available \ - --query 'Volumes[*].[VolumeId,Size,VolumeType,CreateTime]' \ - --output table - -# 2. 
Unattached Elastic IPs -echo "🔍 Checking for unattached Elastic IPs..." -aws ec2 describe-addresses \ - --query 'Addresses[?AssociationId==null].[PublicIp,AllocationId]' \ - --output table - -# 3. Old snapshots (older than 30 days) -echo "🔍 Checking for old snapshots..." -CUTOFF_DATE=$(date -d '30 days ago' --iso-8601) -aws ec2 describe-snapshots \ - --owner-ids self \ - --query "Snapshots[?StartTime<='$CUTOFF_DATE'].[SnapshotId,StartTime,VolumeSize]" \ - --output table - -# 4. Right-sizing recommendations -echo "🔍 Generating right-sizing recommendations..." -aws ce get-rightsizing-recommendation \ - --service "EC2-Instance" \ - --query 'RightsizingRecommendations[*].[CurrentInstance.InstanceName,CurrentInstance.InstanceType,RightsizingType,TargetInstances[0].EstimatedMonthlySavings.Amount]' \ - --output table - -# 5. Reserved Instance recommendations -echo "🔍 Checking Reserved Instance opportunities..." -aws ce get-reservation-purchase-recommendation \ - --service "EC2-Instance" \ - --query 'Recommendations[*].[InstanceDetails.EC2InstanceDetails.InstanceType,InstanceDetails.EC2InstanceDetails.Region,RecommendationDetails.EstimatedMonthlySavingsAmount]' \ - --output table - -echo "💡 Cost Optimization Recommendations:" -echo "1. Delete unused EBS volumes" -echo "2. Release unattached Elastic IPs" -echo "3. Delete old snapshots" -echo "4. Implement right-sizing recommendations" -echo "5. 
Consider Reserved Instances for stable workloads" -EOF - -chmod +x ~/devops-infrastructure/scripts/cost-optimization.sh - -# 11.4.2 Spot instance integration -cat > spot-instances.yaml << 'EOF' -# Karpenter for spot instances -apiVersion: karpenter.sh/v1alpha5 -kind: Provisioner -metadata: - name: spot-provisioner -spec: - # Requirements that constrain which nodes will be created - requirements: - - key: karpenter.sh/capacity-type - operator: In - values: ["spot"] - - key: kubernetes.io/arch - operator: In - values: ["amd64"] - - key: node.kubernetes.io/instance-type - operator: In - values: ["t3.medium", "t3.large", "m5.large", "m5.xlarge"] - - # Provisioned nodes will have these taints - taints: - - key: spot - value: "true" - effect: NoSchedule - - # Resource limits constrain the total size of the cluster - limits: - resources: - cpu: 1000 - memory: 1000Gi - - # Deprovisioning configuration - ttlSecondsAfterEmpty: 30 - - # Provider-specific configuration - providerRef: - name: spot-nodepool ---- -apiVersion: karpenter.k8s.aws/v1alpha1 -kind: AWSNodePool -metadata: - name: spot-nodepool -spec: - amiFamily: AL2 - subnetSelector: - karpenter.sh/discovery: "mycompany-dev-eks" - securityGroupSelector: - karpenter.sh/discovery: "mycompany-dev-eks" - instanceProfile: "KarpenterNodeInstanceProfile" - - # Spot instance configuration - requirements: - - key: karpenter.sh/capacity-type - operator: In - values: ["spot"] - - key: node.kubernetes.io/instance-type - operator: In - values: ["t3.medium", "t3.large", "m5.large"] - - userData: | - #!/bin/bash - /etc/eks/bootstrap.sh mycompany-dev-eks - echo "spot=true" >> /etc/kubernetes/kubelet/kubelet-config.json -EOF - -# 11.4.3 Resource quota ve limits -cat > resource-quotas.yaml << 'EOF' -# Development namespace quotas -apiVersion: v1 -kind: ResourceQuota -metadata: - name: dev-quota - namespace: dev -spec: - hard: - requests.cpu: "4" - requests.memory: 8Gi - limits.cpu: "8" - limits.memory: 16Gi - persistentvolumeclaims: 
"10" - pods: "20" - services: "10" - secrets: "20" - configmaps: "20" ---- -# Staging namespace quotas -apiVersion: v1 -kind: ResourceQuota -metadata: - name: staging-quota - namespace: staging -spec: - hard: - requests.cpu: "8" - requests.memory: 16Gi - limits.cpu: "16" - limits.memory: 32Gi - persistentvolumeclaims: "15" - pods: "30" - services: "15" ---- -# Production namespace quotas -apiVersion: v1 -kind: ResourceQuota -metadata: - name: production-quota - namespace: production -spec: - hard: - requests.cpu: "20" - requests.memory: 40Gi - limits.cpu: "40" - limits.memory: 80Gi - persistentvolumeclaims: "25" - pods: "50" - services: "25" ---- -# Limit ranges for all namespaces -apiVersion: v1 -kind: LimitRange -metadata: - name: default-limits - namespace: dev -spec: - limits: - - default: - cpu: "200m" - memory: "256Mi" - defaultRequest: - cpu: "100m" - memory: "128Mi" - type: Container - - max: - cpu: "2" - memory: "4Gi" - min: - cpu: "50m" - memory: "64Mi" - type: Container -EOF - -kubectl apply -f resource-quotas.yaml -``` - ---- - -## 📚 **PHASE 11: DOCUMENTATION & TEAM PROCESSES** (Gün 25-26) - -### 📖 **12.1 Comprehensive Documentation** - -```bash -# 12.1.1 Architecture documentation -cat > ~/devops-infrastructure/docs/architecture-overview.md << 'EOF' -# DevOps Infrastructure Architecture - -## Overview -Bu doküman şirketimizin Kubernetes-based DevOps altyapısının mimari yapısını detaylandırır. 
- -## High-Level Architecture - -```mermaid -graph TB - Developer[Developer] --> GitHub[GitHub Repository] - GitHub --> Jenkins[Jenkins CI/CD] - Jenkins --> Registry[GitHub Container Registry] - Jenkins --> ArgoCD[ArgoCD GitOps] - - ArgoCD --> EKS[Amazon EKS] - EKS --> Apps[Applications] - - subgraph "AWS Infrastructure" - VPC[VPC] - EKS --> VPC - RDS[RDS PostgreSQL] - ElastiCache[ElastiCache Redis] - S3[S3 Buckets] - ALB[Application Load Balancer] - end - - subgraph "Monitoring Stack" - Prometheus[Prometheus] - Grafana[Grafana] - AlertManager[AlertManager] - Jaeger[Jaeger Tracing] - end - - subgraph "Logging Stack" - FluentBit[Fluent Bit] - OpenSearch[OpenSearch] - OpenSearchDashboards[OpenSearch Dashboards] - end - - subgraph "Security" - Vault[HashiCorp Vault] - Falco[Falco Runtime Security] - OPA[OPA Gatekeeper] - end - - Apps --> Monitoring Stack - Apps --> Logging Stack - Apps --> Security -``` - -## Component Details - -### Infrastructure Layer - -#### AWS Services -- **VPC**: Multi-AZ setup with public/private subnets -- **EKS**: Managed Kubernetes cluster (v1.28) -- **RDS**: PostgreSQL with Multi-AZ and read replicas -- **ElastiCache**: Redis for caching and session storage -- **ALB**: Application Load Balancer with SSL termination -- **S3**: Object storage for backups, logs, and artifacts - -#### Kubernetes Components -- **Namespaces**: dev, staging, production, monitoring, logging, security -- **RBAC**: Role-based access control for different teams -- **Network Policies**: Micro-segmentation with Calico -- **Pod Security Standards**: Enforced security contexts -- **Storage Classes**: GP3, IO1 for different performance needs - -### Application Layer - -#### Deployment Strategy -- **GitOps**: ArgoCD-based continuous deployment -- **Progressive Delivery**: Canary and Blue-Green deployments -- **Auto-scaling**: HPA, VPA, and KEDA for event-driven scaling -- **Service Mesh**: Istio for traffic management (optional) - -#### Security -- **Secrets Management**: 
HashiCorp Vault with External Secrets Operator -- **Runtime Security**: Falco for threat detection -- **Policy Enforcement**: OPA Gatekeeper for admission control -- **Image Security**: Trivy scanning in CI/CD pipeline - -### Observability - -#### Monitoring -- **Metrics**: Prometheus with custom and pre-built dashboards -- **Visualization**: Grafana with role-based dashboards -- **Alerting**: AlertManager with Slack/PagerDuty integration -- **Distributed Tracing**: Jaeger for request tracing - -#### Logging -- **Collection**: Fluent Bit daemonset -- **Storage**: OpenSearch cluster -- **Analysis**: OpenSearch Dashboards -- **Retention**: 30-day retention with automated cleanup - -## Security Architecture - -### Access Control -1. **AWS IAM**: Service accounts with IRSA -2. **Kubernetes RBAC**: Namespace-level permissions -3. **Vault**: Centralized secrets management -4. **Network Policies**: Pod-to-pod communication rules - -### Security Scanning -1. **Container Images**: Trivy in CI/CD -2. **Infrastructure**: Checkov for Terraform -3. **Runtime**: Falco for anomaly detection -4. **Policy**: OPA for compliance enforcement - -## Disaster Recovery - -### Backup Strategy -- **Kubernetes**: Velero daily/weekly backups -- **Database**: RDS automated backups + manual snapshots -- **Storage**: EBS snapshots -- **Cross-region**: S3 replication for critical data - -### Recovery Objectives -- **RTO**: 4 hours for complete infrastructure -- **RPO**: 1 hour for data loss -- **Testing**: Monthly DR drills - -## Cost Optimization - -### Strategies -1. **Resource Right-sizing**: VPA recommendations -2. **Spot Instances**: Karpenter for non-critical workloads -3. **Storage Optimization**: GP3 for better price/performance -4. 
**Reserved Instances**: For predictable workloads - -### Monitoring -- **Kubecost**: Kubernetes cost visibility -- **AWS Cost Explorer**: Infrastructure cost analysis -- **Automated Cleanup**: Unused resources identification - -## Performance Optimization - -### Auto-scaling -- **HPA**: CPU/Memory-based pod scaling -- **VPA**: Resource recommendation and adjustment -- **KEDA**: Event-driven scaling (queue length, metrics) -- **Cluster Autoscaler**: Node-level scaling - -### Load Testing -- **K6**: Automated performance testing -- **Chaos Engineering**: Failure injection testing -- **SLI/SLO**: Service level monitoring - -## Operational Procedures - -### Deployment Process -1. Developer pushes code to GitHub -2. Jenkins builds and tests application -3. Jenkins pushes image to GHCR -4. Jenkins updates GitOps repository -5. ArgoCD syncs changes to Kubernetes -6. Progressive delivery monitors health - -### Incident Response -1. **Detection**: Automated alerting via AlertManager -2. **Notification**: Slack/PagerDuty escalation -3. **Response**: Runbook-driven remediation -4. **Recovery**: Automated rollback if needed -5. **Post-mortem**: Root cause analysis - -## Team Responsibilities - -### DevOps Team -- Infrastructure maintenance -- CI/CD pipeline management -- Security compliance -- Performance optimization - -### Development Teams -- Application deployment -- Resource requirements definition -- Application monitoring setup -- Performance testing - -### Operations Team -- Incident response -- Backup verification -- Capacity planning -- Change management -EOF - -# 12.1.2 Operational runbooks -cat > ~/devops-infrastructure/docs/operational-runbooks.md << 'EOF' -# Operational Runbooks - -## Incident Response Procedures - -### High CPU Usage Alert - -#### Symptoms -- AlertManager fires "High CPU Usage" alert -- Application response times increase -- Users report slowness - -#### Investigation Steps -```bash -# 1. 
Check current CPU usage -kubectl top pods -n --sort-by=cpu - -# 2. Check HPA status -kubectl get hpa -n - -# 3. Check pod resource limits -kubectl describe pod -n - -# 4. Review metrics in Grafana -# Go to CPU Usage dashboard: https://grafana.yourdomain.com/d/cpu-usage -``` - -#### Resolution Steps -```bash -# 1. Immediate: Scale up manually if HPA not working -kubectl scale deployment --replicas= -n - -# 2. Check for resource limits -kubectl patch deployment -n --patch ' -{ - "spec": { - "template": { - "spec": { - "containers": [ - { - "name": "", - "resources": { - "limits": { - "cpu": "1000m", - "memory": "1Gi" - } - } - } - ] - } - } - } -}' - -# 3. Restart problematic pods -kubectl rollout restart deployment -n -``` - -#### Prevention -- Implement proper resource requests/limits -- Set up HPA with appropriate thresholds -- Regular load testing - -### Database Connection Issues - -#### Symptoms -- Applications cannot connect to database -- Connection timeout errors -- Database-related alerts - -#### Investigation Steps -```bash -# 1. Check database connectivity from pod -kubectl run db-test --rm -i --tty --image=postgres:15-alpine -- \ - psql -h -U -d -c "SELECT 1;" - -# 2. Check database secret -kubectl get secret database-secret -n -o yaml - -# 3. Check RDS status -aws rds describe-db-instances --db-instance-identifier - -# 4. Check security groups -aws ec2 describe-security-groups --group-ids -``` - -#### Resolution Steps -```bash -# 1. Restart application pods -kubectl rollout restart deployment -n - -# 2. Check and update database credentials -kubectl patch secret database-secret -n --patch ' -{ - "data": { - "password": "" - } -}' - -# 3. If RDS issue, check AWS console and restart if needed -aws rds reboot-db-instance --db-instance-identifier -``` - -### Pod Stuck in Pending State - -#### Investigation Steps -```bash -# 1. Describe the pod -kubectl describe pod -n - -# 2. Check node resources -kubectl describe nodes - -# 3. 
Check PVC status if using persistent storage -kubectl get pvc -n - -# 4. Check for resource quotas -kubectl describe quota -n -``` - -#### Resolution Steps -```bash -# 1. If insufficient resources, scale cluster -aws eks update-nodegroup-config \ - --cluster-name \ - --nodegroup-name \ - --scaling-config minSize=,maxSize=,desiredSize= - -# 2. If PVC issue, check storage class -kubectl get storageclass - -# 3. If quota exceeded, increase or clean up resources -kubectl delete deployment -n -``` - -## Maintenance Procedures - -### Kubernetes Cluster Upgrade - -#### Pre-upgrade Checklist -- [ ] Backup cluster state with Velero -- [ ] Review breaking changes in new version -- [ ] Test upgrade in staging environment -- [ ] Notify team about maintenance window -- [ ] Prepare rollback plan - -#### Upgrade Steps -```bash -# 1. Update control plane -aws eks update-cluster-version \ - --name \ - --version - -# 2. Wait for update completion -aws eks wait cluster-active --name - -# 3. Update node groups -aws eks update-nodegroup-version \ - --cluster-name \ - --nodegroup-name \ - --version - -# 4. Update addons -aws eks update-addon \ - --cluster-name \ - --addon-name vpc-cni \ - --addon-version - -# 5. Verify cluster health -kubectl get nodes -kubectl get pods --all-namespaces -``` - -### Database Maintenance - -#### Monthly Tasks -```bash -# 1. Review database performance -aws rds describe-db-instances \ - --db-instance-identifier \ - --query 'DBInstances[0].PerformanceInsights' - -# 2. Cleanup old snapshots -aws rds describe-db-snapshots \ - --db-instance-identifier \ - --snapshot-type manual \ - --query 'DBSnapshots[30:].[DBSnapshotIdentifier]' \ - --output text | \ - xargs -I {} aws rds delete-db-snapshot --db-snapshot-identifier {} - -# 3. Analyze slow queries -# Access RDS Performance Insights dashboard -``` - -### Certificate Renewal - -#### Let's Encrypt Certificates -```bash -# 1. Check certificate expiry -kubectl get certificates -A - -# 2. 
Force renewal if needed -kubectl annotate certificate -n \ - cert-manager.io/issue-temporary-certificate="true" - -# 3. Verify renewal -kubectl describe certificate -n -``` - -## Monitoring and Alerting - -### Key Metrics to Monitor - -#### Infrastructure -- Node CPU/Memory usage > 80% -- Disk usage > 85% -- Network connectivity issues -- Pod restart frequency - -#### Application -- Response time > 2s (95th percentile) -- Error rate > 5% -- Request rate anomalies -- Database connection pool exhaustion - -#### Security -- Failed authentication attempts -- Privilege escalation attempts -- Unusual network traffic -- Policy violations - -### Alert Escalation - -#### Severity Levels -1. **P1 (Critical)**: Immediate response (5 min) - - Production down - - Data breach - - Security incident - -2. **P2 (High)**: 30 min response - - Performance degradation - - Service partially down - - High error rates - -3. **P3 (Medium)**: 2 hour response - - Non-critical service issues - - Capacity warnings - - Configuration issues - -4. **P4 (Low)**: Next business day - - Informational alerts - - Optimization opportunities - - Compliance warnings - -## Change Management - -### Deployment Approval Process - -#### Development Environment -- Automatic deployment on merge to `develop` branch -- No approval required -- Immediate rollback available - -#### Staging Environment -- Automatic deployment on merge to `main` branch -- Automated testing required -- Manual approval for production promotion - -#### Production Environment -- Manual approval required -- Deployment during maintenance window -- Canary deployment strategy -- Automated rollback on failure - -### Emergency Change Process -1. Incident commander approval -2. Minimal viable fix -3. Fast-track testing -4. Immediate deployment -5. Post-incident review -EOF - -# 12.1.3 Team onboarding guide -cat > ~/devops-infrastructure/docs/team-onboarding.md << 'EOF' -# Team Onboarding Guide - -## Prerequisites - -### Required Tools -1. 
**kubectl** - Kubernetes CLI -2. **helm** - Kubernetes package manager -3. **terraform** - Infrastructure as Code -4. **docker** - Container runtime -5. **aws-cli** - AWS command line interface -6. **argocd** - GitOps CLI -7. **git** - Version control - -### Installation Script -```bash -# Run the automated setup script -curl -fsSL https://raw.githubusercontent.com/yourusername/devops-infrastructure/main/scripts/setup-dev-environment.sh | bash -``` - -## Access Setup - -### 1. AWS Access -```bash -# Configure AWS CLI -aws configure -# Use provided access key and secret key - -# Test access -aws sts get-caller-identity -``` - -### 2. Kubernetes Access -```bash -# Configure kubectl -aws eks update-kubeconfig --region eu-west-1 --name mycompany-dev-eks - -# Test cluster access -kubectl get nodes -``` - -### 3. ArgoCD Access -```bash -# Login to ArgoCD -argocd login argocd.yourdomain.com - -# List applications -argocd app list -``` - -### 4. Vault Access -```bash -# Set Vault address -export VAULT_ADDR="https://vault.yourdomain.com" - -# Login with provided token -vault auth -method=userpass username= -``` - -## Development Workflow - -### 1. Application Development -```bash -# 1. Clone application repository -git clone https://github.com/yourusername/sample-app.git -cd sample-app - -# 2. Create feature branch -git checkout -b feature/new-feature - -# 3. Make changes and test locally -docker build -t sample-app:local . -docker run -p 8080:8080 sample-app:local - -# 4. Commit and push -git add . -git commit -m "feat: add new feature" -git push origin feature/new-feature - -# 5. Create pull request -# Pipeline will automatically build and deploy to dev environment -``` - -### 2. Infrastructure Changes -```bash -# 1. Clone infrastructure repository -git clone https://github.com/yourusername/devops-infrastructure.git -cd devops-infrastructure - -# 2. Make changes to Terraform -cd terraform/environments/dev -terraform plan - -# 3. Apply changes -terraform apply - -# 4. 
Update GitOps repository if needed -cd ../../.. -git clone https://github.com/yourusername/gitops-config.git -# Make necessary Kubernetes manifest changes -``` - -## Common Tasks - -### Deploy New Application - -#### 1. Create Kubernetes Manifests -```yaml -# applications/dev/new-app.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: new-app - namespace: dev -spec: - replicas: 2 - selector: - matchLabels: - app: new-app - template: - metadata: - labels: - app: new-app - spec: - containers: - - name: app - image: ghcr.io/yourusername/new-app:v1.0.0 - ports: - - containerPort: 8080 - resources: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "256Mi" - cpu: "200m" -``` - -#### 2. Create Service and Ingress -```yaml ---- -apiVersion: v1 -kind: Service -metadata: - name: new-app - namespace: dev -spec: - selector: - app: new-app - ports: - - port: 80 - targetPort: 8080 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: new-app - namespace: dev - annotations: - kubernetes.io/ingress.class: nginx -spec: - rules: - - host: new-app-dev.yourdomain.com - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: new-app - port: - number: 80 -``` - -### Debug Application Issues - -#### 1. Check Pod Status -```bash -# List pods -kubectl get pods -n dev - -# Describe problematic pod -kubectl describe pod -n dev - -# Check logs -kubectl logs -n dev --tail=100 -``` - -#### 2. Access Pod for Debugging -```bash -# Execute commands in pod -kubectl exec -it -n dev -- /bin/bash - -# Port forward for local access -kubectl port-forward 8080:8080 -n dev -``` - -#### 3. 
Check Resource Usage -```bash -# Top pods by resource usage -kubectl top pods -n dev - -# Check HPA status -kubectl get hpa -n dev -``` - -### Scale Applications - -#### Manual Scaling -```bash -# Scale deployment -kubectl scale deployment --replicas=5 -n dev - -# Check scaling status -kubectl get deployment -n dev -``` - -#### Configure Auto-scaling -```yaml -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: app-hpa - namespace: dev -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: app-name - minReplicas: 2 - maxReplicas: 10 - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 70 -``` - -## Monitoring and Troubleshooting - -### Access Monitoring Tools - -#### Grafana Dashboards -- **URL**: https://grafana.yourdomain.com -- **Default Dashboards**: - - Kubernetes Cluster Overview - - Application Performance - - Infrastructure Metrics - - Cost Analysis - -#### Log Analysis -- **URL**: https://logs.yourdomain.com -- **Common Queries**: - ``` - # Application logs - kubernetes.namespace_name:"dev" AND kubernetes.labels.app:"sample-app" - - # Error logs - level:"error" AND kubernetes.namespace_name:"dev" - - # Specific time range - @timestamp:[now-1h TO now] AND kubernetes.pod_name:"pod-name" - ``` - -#### Distributed Tracing -- **URL**: https://jaeger.yourdomain.com -- **Usage**: Search by service name, operation, or trace ID - -### Performance Testing - -#### Run Load Test -```bash -# Apply load test configuration -kubectl apply -f - < ~/devops-infrastructure/scripts/health-report.sh << 'EOF' -#!/bin/bash - -# Infrastructure Health Report Generator -set -e - -REPORT_DATE=$(date +"%Y-%m-%d") -REPORT_FILE="/tmp/infrastructure-health-report-$REPORT_DATE.md" - -cat > $REPORT_FILE << EOF -# Infrastructure Health Report - $REPORT_DATE - -## Executive Summary -Generated at: $(date) -Report Period: Last 24 hours - -## Cluster Health - -### Node Status -\`\`\` -$(kubectl get 
nodes -o wide) -\`\`\` - -### Resource Utilization -\`\`\` -$(kubectl top nodes) -\`\`\` - -### Pod Status Summary -\`\`\` -$(kubectl get pods --all-namespaces | grep -E "(Running|Pending|Failed|Error)" | awk '{print $4}' | sort | uniq -c) -\`\`\` - -## Application Health - -### Deployment Status -\`\`\` -$(kubectl get deployments --all-namespaces) -\`\`\` - -### Failed Pods (if any) -\`\`\` -$(kubectl get pods --all-namespaces --field-selector=status.phase=Failed) -\`\`\` - -### HPA Status -\`\`\` -$(kubectl get hpa --all-namespaces) -\`\`\` - -## Security Status - -### Pod Security Policy Violations -\`\`\` -$(kubectl get events --all-namespaces | grep -i "security\|policy" | head -10) -\`\`\` - -### Certificate Status -\`\`\` -$(kubectl get certificates --all-namespaces) -\`\`\` - -## Cost Summary - -### Resource Requests vs Limits -\`\`\` -$(kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.status.phase=="Running") | "\(.metadata.namespace)/\(.metadata.name): CPU Req: \(.spec.containers[0].resources.requests.cpu // "none"), Mem Req: \(.spec.containers[0].resources.requests.memory // "none")"') -\`\`\` - -## Backup Status - -### Velero Backup Status -\`\`\` -$(velero backup get | head -10) -\`\`\` - -### Latest Backup Results -\`\`\` -$(velero backup describe $(velero backup get -o name | head -1 | cut -d'/' -f2) | grep -E "(Status|Started|Completed)") -\`\`\` - -## Alerts Summary - -### Active Alerts (Last 24h) -\`\`\` -$(curl -s "http://kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local:9093/api/v1/alerts" | jq -r '.data[] | select(.status.state=="firing") | "\(.labels.alertname): \(.labels.severity)"' | sort | uniq -c) -\`\`\` - -## Performance Metrics - -### Top Resource Consuming Pods -\`\`\` -$(kubectl top pods --all-namespaces --sort-by=cpu | head -10) -\`\`\` - -## Recommendations - -EOF - -# Add recommendations based on findings -echo "### Current Issues" >> $REPORT_FILE - -# Check for pods without resource limits 
-NO_LIMITS=$(kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.status.phase=="Running") | select(.spec.containers[0].resources.limits == null) | "\(.metadata.namespace)/\(.metadata.name)"' | wc -l) -if [ $NO_LIMITS -gt 0 ]; then - echo "- $NO_LIMITS pods running without resource limits" >> $REPORT_FILE -fi - -# Check for high CPU usage -HIGH_CPU_NODES=$(kubectl top nodes --no-headers | awk '$3 > 80 {count++} END {print count+0}') -if [ $HIGH_CPU_NODES -gt 0 ]; then - echo "- $HIGH_CPU_NODES nodes with high CPU usage (>80%)" >> $REPORT_FILE -fi - -# Check for failed pods -FAILED_PODS=$(kubectl get pods --all-namespaces --field-selector=status.phase=Failed --no-headers | wc -l) -if [ $FAILED_PODS -gt 0 ]; then - echo "- $FAILED_PODS failed pods need investigation" >> $REPORT_FILE -fi - -echo "" >> $REPORT_FILE -echo "### Optimization Opportunities" >> $REPORT_FILE -echo "- Review VPA recommendations for resource optimization" >> $REPORT_FILE -echo "- Consider implementing HPA for variable workloads" >> $REPORT_FILE -echo "- Evaluate spot instance usage for cost savings" >> $REPORT_FILE - -echo "Report generated: $REPORT_FILE" - -# Send to Slack if webhook configured -if [ ! 
-z "$SLACK_WEBHOOK_URL" ]; then - curl -X POST -H 'Content-type: application/json' \ - --data "{\"text\":\"📊 Daily Infrastructure Health Report generated for $REPORT_DATE\"}" \ - $SLACK_WEBHOOK_URL -fi -EOF - -chmod +x ~/devops-infrastructure/scripts/health-report.sh - -# 12.2.2 Automated health report CronJob -cat > health-report-cronjob.yaml << 'EOF' -apiVersion: batch/v1 -kind: CronJob -metadata: - name: infrastructure-health-report - namespace: monitoring -spec: - schedule: "0 8 * * *" # Daily at 8 AM - jobTemplate: - spec: - template: - spec: - serviceAccountName: health-reporter - containers: - - name: reporter - image: bitnami/kubectl:latest - command: - - /bin/bash - - -c - - | - # Install required tools - apt-get update && apt-get install -y curl jq - - # Generate report - /scripts/health-report.sh - - # Upload to S3 if configured - if [ ! -z "$S3_BUCKET" ]; then - aws s3 cp /tmp/infrastructure-health-report-*.md s3://$S3_BUCKET/reports/ - fi - env: - - name: S3_BUCKET - value: "mycompany-reports" - - name: SLACK_WEBHOOK_URL - valueFrom: - secretKeyRef: - name: slack-webhook - key: url - volumeMounts: - - name: scripts - mountPath: /scripts - resources: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "256Mi" - cpu: "200m" - volumes: - - name: scripts - configMap: - name: health-report-scripts - defaultMode: 0755 - restartPolicy: OnFailure ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: health-reporter - namespace: monitoring - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/health-reporter-role ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: health-reporter -rules: -- apiGroups: [""] - resources: ["nodes", "pods", "services", "events"] - verbs: ["get", "list"] -- apiGroups: ["apps"] - resources: ["deployments", "replicasets"] - verbs: ["get", "list"] -- apiGroups: ["autoscaling"] - resources: ["horizontalpodautoscalers"] - verbs: ["get", "list"] -- apiGroups: 
["metrics.k8s.io"] - resources: ["nodes", "pods"] - verbs: ["get", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: health-reporter -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: health-reporter -subjects: -- kind: ServiceAccount - name: health-reporter - namespace: monitoring -EOF - -# ConfigMap for scripts -kubectl create configmap health-report-scripts \ - --from-file=health-report.sh=~/devops-infrastructure/scripts/health-report.sh \ - -n monitoring - -kubectl apply -f health-report-cronjob.yaml -``` - -### 🎓 **12.3 Training and Knowledge Transfer** - -```bash -# 12.3.1 Training curriculum -cat > ~/devops-infrastructure/docs/training-curriculum.md << 'EOF' -# DevOps Team Training Curriculum - -## Week 1: Fundamentals - -### Day 1-2: Kubernetes Basics -- **Topics**: Pods, Services, Deployments, ConfigMaps, Secrets -- **Hands-on**: Deploy sample application -- **Assessment**: Create multi-tier application deployment - -### Day 3-4: Infrastructure as Code -- **Topics**: Terraform basics, AWS resources, State management -- **Hands-on**: Create VPC and EKS cluster -- **Assessment**: Deploy complete infrastructure - -### Day 5: CI/CD Fundamentals -- **Topics**: Jenkins, Pipeline as Code, Docker -- **Hands-on**: Create build pipeline -- **Assessment**: End-to-end deployment pipeline - -## Week 2: Advanced Topics - -### Day 1-2: GitOps and Progressive Delivery -- **Topics**: ArgoCD, Argo Rollouts, Canary deployments -- **Hands-on**: Setup GitOps workflow -- **Assessment**: Implement progressive delivery - -### Day 3: Monitoring and Observability -- **Topics**: Prometheus, Grafana, Jaeger, Log analysis -- **Hands-on**: Create custom dashboards -- **Assessment**: End-to-end observability setup - -### Day 4: Security Best Practices -- **Topics**: Vault, RBAC, Network Policies, Image scanning -- **Hands-on**: Implement security controls -- **Assessment**: Security audit and remediation - -### 
Day 5: Troubleshooting and Operations -- **Topics**: Debugging techniques, Performance tuning, Incident response -- **Hands-on**: Simulate and resolve incidents -- **Assessment**: Handle real-world scenarios - -## Ongoing Learning - -### Monthly Topics -- **Month 1**: Cost optimization and resource management -- **Month 2**: Advanced networking and service mesh -- **Month 3**: Disaster recovery and backup strategies -- **Month 4**: Chaos engineering and reliability -- **Month 5**: Multi-cluster and multi-cloud strategies -- **Month 6**: Advanced security and compliance - -### Certification Paths -1. **AWS Certified DevOps Engineer** -2. **Certified Kubernetes Administrator (CKA)** -3. **Certified Kubernetes Security Specialist (CKS)** -4. **HashiCorp Certified: Terraform Associate** - -## Lab Exercises - -### Exercise 1: Application Deployment -```bash -# Deploy sample application with monitoring -kubectl apply -f - < ~/devops-infrastructure/scripts/setup-knowledge-base.sh << 'EOF' -#!/bin/bash - -# Knowledge Base Setup Script -set -e - -echo "📚 Setting up team knowledge base..." - -# Create knowledge base structure -mkdir -p ~/devops-infrastructure/docs/{architecture,runbooks,tutorials,troubleshooting,best-practices} - -# Architecture documentation -echo "Creating architecture documentation..." -cat > ~/devops-infrastructure/docs/architecture/README.md << 'ARCH_EOF' -# Architecture Documentation - -## Overview -This directory contains all architecture-related documentation. - -## Contents -- `system-overview.md` - High-level system architecture -- `data-flow.md` - Data flow diagrams and explanations -- `security-architecture.md` - Security design and controls -- `networking.md` - Network architecture and routing -- `disaster-recovery.md` - DR architecture and procedures - -## Diagrams -All diagrams are created using Mermaid and can be viewed in GitHub or VS Code with the Mermaid extension. -ARCH_EOF - -# Runbooks directory -echo "Creating runbooks..." 
-cat > ~/devops-infrastructure/docs/runbooks/README.md << 'RUN_EOF' -# Operational Runbooks - -## Purpose -Step-by-step procedures for common operational tasks and incident response. - -## Runbook Categories -- `incident-response/` - Emergency response procedures -- `maintenance/` - Scheduled maintenance procedures -- `deployment/` - Deployment and rollback procedures -- `monitoring/` - Monitoring and alerting procedures - -## Runbook Template -Each runbook should include: -1. Purpose and scope -2. Prerequisites -3. Step-by-step procedures -4. Verification steps -5. Rollback procedures -6. Post-completion tasks -RUN_EOF - -# Create searchable index -echo "Creating searchable documentation index..." -cat > ~/devops-infrastructure/scripts/generate-docs-index.sh << 'INDEX_EOF' -#!/bin/bash - -# Generate searchable documentation index -echo "# Documentation Index" > ~/devops-infrastructure/docs/INDEX.md -echo "Generated on: $(date)" >> ~/devops-infrastructure/docs/INDEX.md -echo "" >> ~/devops-infrastructure/docs/INDEX.md - -find ~/devops-infrastructure/docs -name "*.md" -not -name "INDEX.md" | while read file; do - echo "## $(basename "$file" .md)" >> ~/devops-infrastructure/docs/INDEX.md - echo "**Path:** $file" >> ~/devops-infrastructure/docs/INDEX.md - echo "" >> ~/devops-infrastructure/docs/INDEX.md - # Extract first paragraph as summary - head -10 "$file" | grep -E "^[A-Za-z]" | head -1 >> ~/devops-infrastructure/docs/INDEX.md - echo "" >> ~/devops-infrastructure/docs/INDEX.md -done - -echo "Documentation index generated!" -INDEX_EOF - -chmod +x ~/devops-infrastructure/scripts/generate-docs-index.sh - -echo "✅ Knowledge base structure created!" 
-echo "Run ~/devops-infrastructure/scripts/generate-docs-index.sh to create searchable index" -EOF - -chmod +x ~/devops-infrastructure/scripts/setup-knowledge-base.sh -./~/devops-infrastructure/scripts/setup-knowledge-base.sh -``` - ---- - -## 🎉 **FINAL SETUP AND VALIDATION** (Gün 27-28) - -### ✅ **13.1 End-to-End Testing** - -```bash -# 13.1.1 Complete system validation script -cat > ~/devops-infrastructure/scripts/system-validation.sh << 'EOF' -#!/bin/bash - -# Complete System Validation Script -set -e - -echo "🧪 Starting End-to-End System Validation..." -echo "==========================================" - -# Colors for output -RED='\033[0;31m' -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -NC='\033[0m' # No Color - -SUCCESS_COUNT=0 -TOTAL_TESTS=0 - -check_test() { - local test_name="$1" - local test_command="$2" - - TOTAL_TESTS=$((TOTAL_TESTS + 1)) - echo -n "Testing $test_name... " - - if eval "$test_command" &>/dev/null; then - echo -e "${GREEN}✓ PASS${NC}" - SUCCESS_COUNT=$((SUCCESS_COUNT + 1)) - return 0 - else - echo -e "${RED}✗ FAIL${NC}" - return 1 - fi -} - -echo "🔧 Infrastructure Tests" -echo "----------------------" - -# AWS connectivity -check_test "AWS CLI access" "aws sts get-caller-identity" - -# Terraform state -check_test "Terraform state accessible" "terraform show -json > /dev/null" || true - -# EKS cluster -check_test "EKS cluster connectivity" "kubectl get nodes" - -# Core system pods -check_test "CoreDNS running" "kubectl get pods -n kube-system -l k8s-app=kube-dns | grep Running" -check_test "AWS Load Balancer Controller" "kubectl get pods -n kube-system -l app.kubernetes.io/name=aws-load-balancer-controller | grep Running" - -echo "" -echo "📊 Monitoring Stack Tests" -echo "-------------------------" - -# Prometheus -check_test "Prometheus accessible" "kubectl get pods -n monitoring -l app.kubernetes.io/name=prometheus | grep Running" - -# Grafana -check_test "Grafana accessible" "kubectl get pods -n monitoring -l app.kubernetes.io/name=grafana 
| grep Running" - -# AlertManager -check_test "AlertManager accessible" "kubectl get pods -n monitoring -l app.kubernetes.io/name=alertmanager | grep Running" - -echo "" -echo "📝 Logging Stack Tests" -echo "----------------------" - -# Fluent Bit -check_test "Fluent Bit running" "kubectl get pods -n logging -l app.kubernetes.io/name=fluent-bit | grep Running" - -# OpenSearch -check_test "OpenSearch cluster healthy" "kubectl get pods -n logging -l app=opensearch | grep Running" - -echo "" -echo "🔒 Security Tests" -echo "----------------" - -# Vault -check_test "Vault cluster running" "kubectl get pods -n vault -l app.kubernetes.io/name=vault | grep Running" - -# External Secrets Operator -check_test "External Secrets Operator" "kubectl get pods -n external-secrets | grep Running" - -# Falco -check_test "Falco security monitoring" "kubectl get pods -n falco -l app.kubernetes.io/name=falco | grep Running" - -echo "" -echo "🔄 GitOps Tests" -echo "---------------" - -# ArgoCD -check_test "ArgoCD server running" "kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server | grep Running" - -# ArgoCD applications -check_test "ArgoCD applications synced" "argocd app list | grep -E 'Synced.*Healthy'" - -echo "" -echo "💾 Backup Tests" -echo "---------------" - -# Velero -check_test "Velero backup controller" "kubectl get pods -n velero -l app.kubernetes.io/name=velero | grep Running" - -# Recent backup -check_test "Recent backup exists" "velero backup get | grep Completed | head -1" - -echo "" -echo "🚀 Application Tests" -echo "--------------------" - -# Sample application -check_test "Sample application running" "kubectl get pods -n dev -l app=sample-app | grep Running" || true - -# Ingress connectivity -check_test "Ingress controller responsive" "kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx | grep Running" - -echo "" -echo "📈 Performance Tests" -echo "-------------------" - -# HPA -check_test "HPA controllers active" "kubectl get hpa 
--all-namespaces | grep -v TARGETS" || true - -# VPA -check_test "VPA recommendations available" "kubectl get vpa --all-namespaces" || true - -# Resource usage -check_test "Node resource usage healthy" "kubectl top nodes --no-headers | awk '\$3+0 < 90 && \$5+0 < 90' | wc -l | grep -v '^0-vpa - namespace: monitoring -spec: - targetRef: - apiVersion: apps/v1 - kind: StatefulSet" - -echo "" -echo "🌐 Network Tests" -echo "---------------" - -# CoreDNS resolution -check_test "DNS resolution working" "kubectl exec -n kube-system deployments/coredns -- nslookup kubernetes.default.svc.cluster.local" - -# Pod-to-pod communication -check_test "Inter-pod communication" "kubectl run network-test --image=busybox --rm -it --restart=Never -- nslookup kubernetes.default" || true - -echo "" -echo "🔐 Certificate Tests" -echo "-------------------" - -# Cert-manager -check_test "Cert-manager running" "kubectl get pods -n cert-manager | grep Running" - -# Certificate issuers -check_test "Certificate issuers ready" "kubectl get clusterissuers | grep True" - -# Valid certificates -check_test "TLS certificates valid" "kubectl get certificates --all-namespaces | grep True" || true - -echo "" -echo "📊 Cost Monitoring Tests" -echo "------------------------" - -# Kubecost -check_test "Kubecost running" "kubectl get pods -n kubecost | grep Running" || true - -echo "" -echo "🔍 Observability Tests" -echo "----------------------" - -# Jaeger -check_test "Jaeger tracing available" "kubectl get pods -n observability -l app.kubernetes.io/name=jaeger | grep Running" || true - -# OpenTelemetry -check_test "OpenTelemetry collector" "kubectl get pods -n observability -l app.kubernetes.io/name=opentelemetry-collector | grep Running" || true - -echo "" -echo "================================================" -echo "🎯 VALIDATION SUMMARY" -echo "================================================" -echo "Total Tests: $TOTAL_TESTS" -echo "Passed: $SUCCESS_COUNT" -echo "Failed: $((TOTAL_TESTS - SUCCESS_COUNT))" 
- -if [ $SUCCESS_COUNT -eq $TOTAL_TESTS ]; then - echo -e "${GREEN}🎉 ALL TESTS PASSED! System is fully operational.${NC}" - exit 0 -elif [ $SUCCESS_COUNT -gt $((TOTAL_TESTS * 80 / 100)) ]; then - echo -e "${YELLOW}⚠️ Most tests passed. Minor issues detected.${NC}" - exit 0 -else - echo -e "${RED}❌ Critical issues detected. System requires attention.${NC}" - exit 1 -fi -EOF - -chmod +x ~/devops-infrastructure/scripts/system-validation.sh - -# 13.1.2 Automated testing pipeline -cat > ~/devops-infrastructure/jenkins/system-validation-pipeline.groovy << 'EOF' -pipeline { - agent { - kubernetes { - yaml """ - apiVersion: v1 - kind: Pod - spec: - containers: - - name: kubectl - image: bitnami/kubectl:latest - command: - - cat - tty: true - - name: argocd - image: argoproj/argocd:latest - command: - - cat - tty: true - - name: velero - image: velero/velero:latest - command: - - cat - tty: true - """ - } - } - - triggers { - cron('0 6 * * *') // Daily at 6 AM - } - - stages { - stage('System Validation') { - steps { - container('kubectl') { - script { - sh ''' - # Copy validation script - curl -fsSL https://raw.githubusercontent.com/yourusername/devops-infrastructure/main/scripts/system-validation.sh -o validation.sh - chmod +x validation.sh - - # Run validation - ./validation.sh - ''' - } - } - } - } - - stage('Generate Report') { - steps { - container('kubectl') { - sh ''' - # Generate detailed report - echo "# System Health Report - $(date)" > system-report.md - echo "" >> system-report.md - - echo "## Cluster Overview" >> system-report.md - echo "\`\`\`" >> system-report.md - kubectl get nodes -o wide >> system-report.md - echo "\`\`\`" >> system-report.md - - echo "## Pod Status" >> system-report.md - echo "\`\`\`" >> system-report.md - kubectl get pods --all-namespaces | grep -v Running | head -20 >> system-report.md - echo "\`\`\`" >> system-report.md - - echo "## Resource Usage" >> system-report.md - echo "\`\`\`" >> system-report.md - kubectl top nodes >> 
system-report.md - echo "\`\`\`" >> system-report.md - - # Archive report - cat system-report.md - ''' - } - } - } - } - - post { - success { - slackSend( - channel: '#infrastructure', - color: 'good', - message: "✅ Daily system validation completed successfully" - ) - } - failure { - slackSend( - channel: '#infrastructure', - color: 'danger', - message: "❌ Daily system validation failed. Immediate attention required!" - ) - } - always { - archiveArtifacts artifacts: '*.md', allowEmptyArchive: true - } - } -} -EOF - -# 13.1.3 Çalıştır -~/devops-infrastructure/scripts/system-validation.sh -``` - -### 📚 **13.2 Final Documentation** - -```bash -# 13.2.1 Complete setup summary -cat > ~/devops-infrastructure/README.md << 'EOF' -# DevOps Infrastructure - Complete Setup - -🎉 **Congratulations!** You have successfully deployed a production-ready DevOps infrastructure. - -## 🏗️ What We've Built - -### Infrastructure Components -- ✅ **AWS EKS Cluster** - Managed Kubernetes with auto-scaling -- ✅ **VPC & Networking** - Multi-AZ setup with security groups -- ✅ **RDS PostgreSQL** - Managed database with backups -- ✅ **ElastiCache Redis** - In-memory caching -- ✅ **Application Load Balancer** - SSL termination and routing - -### CI/CD Pipeline -- ✅ **Jenkins** - Automated build and deployment -- ✅ **ArgoCD** - GitOps continuous deployment -- ✅ **GitHub Container Registry** - Container image storage -- ✅ **Progressive Delivery** - Canary and blue-green deployments - -### Monitoring & Observability -- ✅ **Prometheus** - Metrics collection and storage -- ✅ **Grafana** - Visualization and dashboards -- ✅ **AlertManager** - Intelligent alerting -- ✅ **Jaeger** - Distributed tracing -- ✅ **OpenSearch** - Log aggregation and search -- ✅ **Fluent Bit** - Log collection - -### Security -- ✅ **HashiCorp Vault** - Secrets management -- ✅ **External Secrets Operator** - Kubernetes-Vault integration -- ✅ **Falco** - Runtime security monitoring -- ✅ **OPA Gatekeeper** - Policy enforcement -- 
✅ **Network Policies** - Micro-segmentation -- ✅ **Pod Security Standards** - Container security - -### Backup & DR -- ✅ **Velero** - Kubernetes backup and restore -- ✅ **RDS Automated Backups** - Database recovery -- ✅ **Cross-region Replication** - Disaster recovery -- ✅ **Automated Testing** - DR drill automation - -### Cost Optimization -- ✅ **Kubecost** - Kubernetes cost visibility -- ✅ **VPA/HPA** - Resource optimization -- ✅ **Spot Instances** - Cost-effective compute -- ✅ **Resource Quotas** - Spend control - -## 🚀 Access URLs - -| Service | URL | Purpose | -|---------|-----|---------| -| ArgoCD | https://argocd.yourdomain.com | GitOps Management | -| Grafana | https://grafana.yourdomain.com | Monitoring Dashboards | -| Jaeger | https://jaeger.yourdomain.com | Distributed Tracing | -| OpenSearch | https://logs.yourdomain.com | Log Analysis | -| Vault | https://vault.yourdomain.com | Secrets Management | -| Jenkins | https://jenkins.yourdomain.com | CI/CD Pipelines | -| Kubecost | https://kubecost.yourdomain.com | Cost Analytics | - -## 🔑 Default Credentials - -```bash -# ArgoCD -Username: admin -Password: $(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d) - -# Grafana -Username: admin -Password: AdminPassword123! - -# Vault Root Token -Token: $(cat cluster-keys.json | jq -r ".root_token") -``` - -## 📊 System Overview - -```bash -# Check overall system health -kubectl get nodes -kubectl get pods --all-namespaces | grep -v Running - -# Monitor resource usage -kubectl top nodes -kubectl top pods --all-namespaces --sort-by=cpu - -# Check applications -argocd app list -helm list --all-namespaces -``` - -## 🛠️ Common Operations - -### Deploy New Application -```bash -# 1. Add application manifests to GitOps repo -cd gitops-config/applications/dev -# Create your application YAML files - -# 2. Commit and push -git add . -git commit -m "Add new application" -git push origin main - -# 3. 
ArgoCD will automatically sync -argocd app sync -``` - -### Scale Applications -```bash -# Manual scaling -kubectl scale deployment --replicas=5 -n - -# Auto-scaling with HPA -kubectl autoscale deployment --cpu-percent=70 --min=2 --max=10 -n -``` - -### Check Logs -```bash -# Pod logs -kubectl logs -n --tail=100 - -# Application logs in OpenSearch -# Visit: https://logs.yourdomain.com -# Query: kubernetes.namespace_name:"dev" AND kubernetes.labels.app:"your-app" -``` - -### Monitor Performance -```bash -# Real-time metrics -kubectl top pods -n - -# Grafana dashboards -# Visit: https://grafana.yourdomain.com -# Check: Kubernetes Cluster Overview dashboard -``` - -### Backup and Restore -```bash -# Create backup -velero backup create --include-namespaces - -# Restore from backup -velero restore create --from-backup - -# Check backup status -velero backup describe -``` - -## 🚨 Troubleshooting - -### Pod Issues -```bash -# Pod not starting -kubectl describe pod -n -kubectl logs -n - -# Resource issues -kubectl top pods -n -kubectl describe node -``` - -### Network Issues -```bash -# DNS resolution -kubectl exec -it -n -- nslookup kubernetes.default - -# Service connectivity -kubectl exec -it -n -- curl ..svc.cluster.local -``` - -### Storage Issues -```bash -# PVC status -kubectl get pvc -n -kubectl describe pvc -n - -# Storage classes -kubectl get storageclass -``` - -## 📈 Performance Optimization - -### Resource Right-sizing -```bash -# Check VPA recommendations -kubectl get vpa --all-namespaces - -# Apply VPA recommendations -kubectl patch deployment -n --patch ' -{ - "spec": { - "template": { - "spec": { - "containers": [ - { - "name": "", - "resources": { - "requests": { - "cpu": "", - "memory": "" - } - } - } - ] - } - } - } -}' -``` - -### Cost Optimization -```bash -# Check cost recommendations -# Visit: https://kubecost.yourdomain.com - -# Use spot instances for development -kubectl taint node spot=true:NoSchedule - -# Implement resource quotas -kubectl apply 
-f resource-quotas.yaml -``` - -## 🔒 Security Best Practices - -### Regular Security Tasks -```bash -# Update base images regularly -docker pull nginx:alpine -docker tag nginx:alpine ghcr.io/yourusername/nginx:latest -docker push ghcr.io/yourusername/nginx:latest - -# Scan for vulnerabilities -trivy image - -# Check for policy violations -kubectl get events --all-namespaces | grep -i policy - -# Review Falco alerts -kubectl logs -l app.kubernetes.io/name=falco -n falco -``` - -### Certificate Management -```bash -# Check certificate status -kubectl get certificates --all-namespaces - -# Force certificate renewal -kubectl annotate certificate -n \ - cert-manager.io/issue-temporary-certificate="true" -``` - -## 📚 Additional Resources - -### Documentation -- [Kubernetes Documentation](https://kubernetes.io/docs/) -- [AWS EKS User Guide](https://docs.aws.amazon.com/eks/) -- [Terraform Documentation](https://www.terraform.io/docs/) -- [ArgoCD Documentation](https://argo-cd.readthedocs.io/) - -### Monitoring -- [Prometheus Best Practices](https://prometheus.io/docs/practices/) -- [Grafana Dashboards](https://grafana.com/grafana/dashboards/) -- [SRE Workbook](https://sre.google/workbook/table-of-contents/) - -### Security -- [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes) -- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) -- [OWASP Container Security](https://owasp.org/www-project-container-security/) - -## 🆘 Support and Contacts - -### Internal Support -- **DevOps Team**: #devops-team (Slack) -- **On-call Engineer**: +90-XXX-XXX-XXXX -- **Documentation**: `~/devops-infrastructure/docs/` - -### Emergency Procedures -1. **Production Down**: Follow incident response runbook -2. **Security Incident**: Contact security team immediately -3. **Data Loss**: Initiate disaster recovery procedures +> 🆕 **Hızlı başlamak isteyenler:** önce [30 Dakikalık Hızlı Kurulum](advanced/13-quickstart-30min.md)'a göz at. --- -## 🎉 Congratulations! 
- -You now have a **production-ready, enterprise-grade DevOps infrastructure** that includes: - -✅ **Automated Infrastructure** - Everything as code -✅ **Continuous Deployment** - GitOps workflow -✅ **Comprehensive Monitoring** - Full observability stack -✅ **Enterprise Security** - Multi-layer security controls -✅ **Disaster Recovery** - Automated backup and restore -✅ **Cost Optimization** - Resource efficiency and cost visibility -✅ **Performance Management** - Auto-scaling and optimization -✅ **Team Processes** - Documentation and runbooks +## 🗺️ 28 Günlük Plan — Bölümler -**Your infrastructure is ready to support modern application development and deployment at scale!** 🚀 +| # | Bölüm | Gün | +|---|---|---| +| 0 | [Ön Koşullar ve Hazırlık](advanced/00-prerequisites.md) | — | +| 1 | [AWS Hesap ve İlk Kurulumlar](advanced/01-aws-account-setup.md) | 1-2 | +| 2 | [Terraform & Infrastructure as Code](advanced/02-terraform-iac.md) | 3-5 | +| 3 | [Containerization & Registry](advanced/03-containerization.md) | 6-7 | +| 4 | [CI/CD Pipeline Kurulumu](advanced/04-cicd-pipeline.md) | 8-10 | +| 5 | [Kubernetes Advanced Setup](advanced/05-kubernetes-advanced.md) | 11-13 | +| 6 | [Observability Stack](advanced/06-observability.md) | 14-16 | +| 7 | [Secrets Management & Security](advanced/07-secrets-security.md) | 17-18 | +| 8 | [Backup & Disaster Recovery](advanced/08-backup-dr.md) | 19-20 | +| 9 | [GitOps & Deployment Automation](advanced/09-gitops-automation.md) | 21-22 | +| 10 | [Cost Optimization & Performance](advanced/10-cost-performance.md) | 23-24 | +| 11 | [Documentation & Team Processes](advanced/11-documentation-processes.md) | 25-26 | +| 12 | [Final Setup ve Validation](advanced/12-final-validation.md) | 27-28 | +| ⚡ | [30 Dakikalık Hızlı Kurulum](advanced/13-quickstart-30min.md) | — | --- -*Generated on: $(date)* -*Infrastructure Version: v1.0.0* -*Last Updated: $(date '+%Y-%m-%d %H:%M:%S')* -EOF - -# 13.2.2 Quick start guide -cat > 
~/devops-infrastructure/QUICKSTART.md << 'EOF' -# 🚀 Quick Start Guide - -## Prerequisites Checklist - -- [ ] AWS Account with administrative access -- [ ] Domain name for services (yourdomain.com) -- [ ] GitHub account for repositories -- [ ] Slack workspace for notifications -- [ ] Local development environment setup - -## 30-Minute Setup - -### Step 1: Initial Setup (5 minutes) -```bash -# Clone repository -git clone https://github.com/yourusername/devops-infrastructure.git -cd devops-infrastructure - -# Run automated setup -./scripts/quick-setup.sh -``` - -### Step 2: Infrastructure Deployment (15 minutes) -```bash -# Deploy AWS infrastructure -cd terraform/environments/dev -terraform init -backend-config=backend.conf -terraform plan -terraform apply -auto-approve - -# Configure kubectl -aws eks update-kubeconfig --region eu-west-1 --name mycompany-dev-eks -``` - -### Step 3: Application Deployment (10 minutes) -```bash -# Deploy monitoring stack -helm install kube-prometheus-stack prometheus-community/kube-prometheus-stack \ - --namespace monitoring --create-namespace --values monitoring-values.yaml - -# Deploy ArgoCD -kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml - -# Deploy root application -kubectl apply -f bootstrap/root-app.yaml -``` - -## Verification - -```bash -# Check cluster health -kubectl get nodes -kubectl get pods --all-namespaces - -# Access services -echo "ArgoCD: https://argocd.yourdomain.com" -echo "Grafana: https://grafana.yourdomain.com" -echo "Applications ready! 🎉" -``` - -## Next Steps - -1. **Configure DNS** - Point your domain to the load balancer -2. **Setup Certificates** - Configure SSL/TLS certificates -3. **Deploy Applications** - Add your applications to GitOps -4. **Configure Monitoring** - Set up dashboards and alerts -5. **Train Team** - Share access and documentation - -## Need Help? 
- -- 📖 **Full Documentation**: [README.md](README.md) -- 🔧 **Troubleshooting**: [docs/troubleshooting.md](docs/troubleshooting.md) -- 💬 **Support**: Contact DevOps team - -**Happy deploying!** 🚀🚀🚀 - +## 🎯 Bitirince ne elde edeceksin -```bash -echo "" -echo "🎉 ============================================" -echo "🎉 DEVOPS INFRASTRUCTURE SETUP COMPLETE!" -echo "🎉 ============================================" -echo "" -echo "📊 Summary:" -echo "✅ Infrastructure as Code (Terraform)" -echo "✅ Kubernetes Cluster (EKS)" -echo "✅ CI/CD Pipeline (Jenkins + ArgoCD)" -echo "✅ Monitoring Stack (Prometheus + Grafana)" -echo "✅ Logging Stack (OpenSearch + Fluent Bit)" -echo "✅ Security Layer (Vault + Falco + OPA)" -echo "✅ Backup & DR (Velero + RDS Backups)" -echo "✅ Cost Optimization (Kubecost + VPA/HPA)" -echo "✅ Documentation & Runbooks" -echo "" -echo "🔗 Access URLs:" -echo "• ArgoCD: https://argocd.yourdomain.com" -echo "• Grafana: https://grafana.yourdomain.com" -echo "• Jenkins: https://jenkins.yourdomain.com" -echo "• Vault: https://vault.yourdomain.com" -echo "" -echo "📚 Next Steps:" -echo "1. Run system validation: ./scripts/system-validation.sh" -echo "2. Configure your domain DNS" -echo "3. Deploy your first application" -echo "4. Train your team with provided documentation" -echo "" -echo "🎯 Your enterprise-grade DevOps infrastructure is ready!" -echo " Happy DevOps! 🚀🚀🚀" -``` +- Terraform ile yönetilen, çok-AZ'lı bir **EKS cluster** +- GitOps (ArgoCD) ile otomatik deployment +- Prometheus + Grafana + Loki ile **observability** +- Secrets management, network policy, RBAC ile **güvenlik temeli** +- Backup/DR planı, runbook'lar ve maliyet optimizasyonu -Bu kapsamlı implementation guide ile sıfırdan başlayarak **28 gün içinde** tam işlevsel, production-ready bir DevOps altyapısı kurabilirsiniz. Her adım detaylı komutlar, konfigürasyonlar ve best practice'ler içerir. +> *"Plan uzun görünüyor; ama her faz kendi başına bir kazanım. Bir faz bitir, bırak, devam et."* 
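Review bot: the new "Bitirince ne elde edeceksin" list promises "Prometheus + Grafana + Loki" for observability, but the summary block this hunk removes listed the logging stack as "OpenSearch + Fluent Bit"; one of the two is wrong, and the Observability chapter linked from the table (advanced/06-observability.md) should match whichever stack is actually built. The table links fourteen files under advanced/ (00 through 13) while only 00, 01 and 02 are added in the part of this patch visible here; MkDocs warns on unresolved links and fails the build in strict mode, so confirm every target exists in the series. Dropping the quoted-heredoc footer `*Generated on: $(date)*` is right, since inside `<< 'EOF'` the `$(date)` would never have expanded.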
diff --git a/RoadMap/advanced/00-prerequisites.md b/RoadMap/advanced/00-prerequisites.md new file mode 100644 index 0000000..a4bfad4 --- /dev/null +++ b/RoadMap/advanced/00-prerequisites.md 
@@ -0,0 +1,83 @@ +# 📋 **ÖN KOŞULLAR VE HAZIRLIK** + +### 🖥️ **1. Geliştirici Makine Kurulumu** + +```bash +# 1.1 WSL2 kurulumu (Windows kullanıcıları için) +wsl --install +wsl --set-default-version 2 + +# 1.2 Essential tools kurulumu +# Ubuntu/Debian +sudo apt update && sudo apt install -y \ + curl wget git vim nano unzip \ + build-essential software-properties-common \ + apt-transport-https ca-certificates gnupg lsb-release + +# macOS +/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" +brew install curl wget git vim nano unzip +``` + +### 🔧 **1.2 Development Tools Kurulumu** + +```bash +# Docker kurulumu (Ubuntu) +curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg +echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null +sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin +sudo usermod -aG docker $USER +newgrp docker + +# Docker kurulumu (macOS) +brew install --cask docker + +# Docker test +docker --version +docker run hello-world + +# kubectl kurulumu +curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" +sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl +kubectl version --client + +# Helm kurulumu +curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash +helm version + +# Terraform kurulumu +wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list +sudo apt update && sudo apt install terraform +terraform 
--version + +# AWS CLI kurulumu +curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" +unzip awscliv2.zip +sudo ./aws/install +aws --version +``` + +### 🎯 **1.3 IDE ve Editör Kurulumu** + +```bash +# VS Code kurulumu +# Ubuntu +wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > packages.microsoft.gpg +sudo install -o root -g root -m 644 packages.microsoft.gpg /etc/apt/trusted.gpg.d/ +sudo sh -c 'echo "deb [arch=amd64,arm64,armhf signed-by=/etc/apt/trusted.gpg.d/packages.microsoft.gpg] https://packages.microsoft.com/repos/code stable main" > /etc/apt/sources.list.d/vscode.list' +sudo apt update && sudo apt install code + +# macOS +brew install --cask visual-studio-code + +# Essential VS Code extensions +code --install-extension ms-vscode-remote.remote-wsl +code --install-extension ms-vscode.vscode-docker +code --install-extension hashicorp.terraform +code --install-extension ms-kubernetes-tools.vscode-kubernetes-tools +code --install-extension redhat.vscode-yaml +code --install-extension ms-vscode.azure-account +``` + +--- diff --git a/RoadMap/advanced/01-aws-account-setup.md b/RoadMap/advanced/01-aws-account-setup.md new file mode 100644 index 0000000..9586ad8 --- /dev/null +++ b/RoadMap/advanced/01-aws-account-setup.md 
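Review bot: every binary in the "Development Tools" block is installed without integrity verification: the Helm and Homebrew installers are piped straight from curl into bash, and kubectl is downloaded and installed with no checksum step. The upstream kubectl instructions publish a `.sha256` beside the binary; fetching `https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256` and running `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` before `sudo install` costs two lines and turns a corrupted or tampered download into a hard failure. For Helm and Homebrew, save the script to a file and review or pin it before executing. Smaller points: the heading levels jump from `#` to `###` with no `##`, "1.2" labels both the essential-tools comment and the "Development Tools Kurulumu" heading, `newgrp docker` opens a new interactive shell and stalls a scripted run, and `ms-vscode.azure-account` is an odd extension for an AWS-only guide.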
@@ -0,0 +1,145 @@ +# 🏢 **PHASE 1: AWS HESAP VE İLK KURULUMLAR** (Gün 1-2) + +### ☁️ **2.1 AWS Hesap Kurulumu ve Organization Setup** + +```bash +# 2.1.1 AWS hesabı oluştur (manuel - web üzerinden) +# https://aws.amazon.com/free/ üzerinden hesap oluştur + +# 2.1.2 AWS CLI konfigürasyonu +aws configure +# AWS Access Key ID [None]: YOUR_ACCESS_KEY +# AWS Secret Access Key [None]: YOUR_SECRET_KEY +# Default region name [None]: eu-west-1 +# Default output format [None]: json + +# 2.1.3 AWS hesap doğrulama +aws sts get-caller-identity +aws ec2 describe-regions + +# 2.1.4 AWS Organization setup (Root hesap için) +aws organizations create-organization --feature-set ALL + +# 2.1.5 Organizational Units oluştur +aws organizations create-organizational-unit \ + --parent-id r-xxxx \ + --name "Production" + +aws organizations create-organizational-unit \ + --parent-id r-xxxx \ + --name "Development" + +aws organizations create-organizational-unit \ + --parent-id r-xxxx \ + --name "Security" +``` + +### 🔐 **2.2 IAM Setup ve Security Hardening** + +```bash +# 2.2.1 Admin user oluştur (root user kullanmamak için) +aws iam create-user --user-name devops-admin + +# 2.2.2 Admin user'a AdministratorAccess policy ekle +aws iam attach-user-policy \ + --user-name devops-admin \ + --policy-arn arn:aws:iam::aws:policy/AdministratorAccess + +# 2.2.3 Admin user için programmatic access +aws iam create-access-key --user-name devops-admin +# Output'taki access key ve secret key'i kaydet + +# 2.2.4 Password policy oluştur +cat > password-policy.json << 'EOF' +{ + "MinimumPasswordLength": 12, + "RequireSymbols": true, + "RequireNumbers": true, + "RequireUppercaseCharacters": true, + "RequireLowercaseCharacters": true, + "AllowUsersToChangePassword": true, + "MaxPasswordAge": 90, + "PasswordReusePrevention": 5, + "HardExpiry": false +} +EOF + +aws iam update-account-password-policy --cli-input-json file://password-policy.json + +# 2.2.5 MFA activation (console üzerinden yapılacak) +# 
https://console.aws.amazon.com/iam/home#/security_credentials +``` + +### 🏗️ **2.3 Project Directory Structure Oluşturma** + +```bash +# 2.3.1 Ana proje dizini oluştur +mkdir -p ~/devops-infrastructure +cd ~/devops-infrastructure + +# 2.3.2 Directory structure oluştur +mkdir -p {terraform/{modules,environments/{dev,staging,prod}},kubernetes/{base,overlays/{dev,staging,prod}},docker,scripts,docs,monitoring,backup} + +# 2.3.3 Git repository initialize +git init +git config user.name "Your Name" +git config user.email "your.email@company.com" + +# 2.3.4 .gitignore oluştur +cat > .gitignore << 'EOF' +# Terraform +*.tfstate +*.tfstate.* +.terraform/ +.terraform.lock.hcl +terraform.tfvars +*.tfplan + +# Docker +.dockerignore + +# IDE +.vscode/ +.idea/ + +# OS +.DS_Store +Thumbs.db + +# Logs +*.log + +# Secrets +secrets/ +*.pem +*.key +!public.key + +# Backup +backup/ +EOF + +# 2.3.5 README.md oluştur +cat > README.md << 'EOF' +# DevOps Infrastructure + +Bu repository şirketimizin DevOps altyapısını içerir. + +## Struktur +- `terraform/` - Infrastructure as Code +- `kubernetes/` - K8s manifests +- `docker/` - Dockerfile'lar +- `scripts/` - Automation scripts +- `docs/` - Dokümantasyon +- `monitoring/` - Monitoring configs +- `backup/` - Backup scripts + +## Kurulum +[Kurulum talimatları buraya] +EOF + +git add . +git commit -m "Initial project structure" +``` + +--- diff --git a/RoadMap/advanced/02-terraform-iac.md b/RoadMap/advanced/02-terraform-iac.md new file mode 100644 index 0000000..a9c0837 --- /dev/null +++ b/RoadMap/advanced/02-terraform-iac.md 
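Review bot: step 2.2 creates a `devops-admin` IAM user with `AdministratorAccess` and immediately mints a long-lived access key (`aws iam create-access-key --user-name devops-admin`) with the instruction to save the secret, while MFA (2.2.5) is enabled only afterwards and only for the console. Long-lived admin keys on a workstation are a common source of account compromise; prefer IAM Identity Center or an assumable role so the CLI runs on short-lived credentials, and if a key must exist, create it after MFA is enforced. Similarly, 2.1.2 runs `aws configure` before any non-root user exists, which implies root access keys; the root user should never have keys. The OU commands use the literal `--parent-id r-xxxx`; the root id can be read with `aws organizations list-roots --query 'Roots[0].Id' --output text` instead of shipping a placeholder that fails as written. In the `.gitignore`, ignoring `.terraform.lock.hcl` throws away the provider checksum pinning that HashiCorp recommends committing, ignoring `.dockerignore` excludes a file that belongs in the repo, and ignoring `backup/` contradicts the README line `backup/ - Backup scripts`. Minor: the README heading reads `## Struktur` (Structure), and the file again jumps from `#` to `###`.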
@@ -0,0 +1,1367 @@ +# 🛠️ **PHASE 2: TERRAFORM VE INFRASTRUCTURE AS CODE** (Gün 3-5) + +### 🏗️ **3.1 Terraform Backend Setup** + +```bash +# 3.1.1 Terraform backend için S3 bucket ve DynamoDB table oluştur +cd ~/devops-infrastructure/terraform + +# 3.1.2 Backend setup script +cat > setup-backend.sh << 'EOF' +#!/bin/bash + +# Variables +BUCKET_NAME="devops-terraform-state-$(openssl rand -hex 8)" +REGION="eu-west-1" +DYNAMODB_TABLE="terraform-state-lock" + +# S3 bucket oluştur +aws s3 mb s3://$BUCKET_NAME --region $REGION + +# S3 bucket versioning aktifleştir +aws s3api put-bucket-versioning \ + --bucket $BUCKET_NAME \ + --versioning-configuration Status=Enabled + +# S3 bucket encryption aktifleştir +aws s3api put-bucket-encryption \ + --bucket $BUCKET_NAME \ + --server-side-encryption-configuration '{ + "Rules": [ + { + "ApplyServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }' + +# DynamoDB table oluştur +aws dynamodb create-table \ + --table-name $DYNAMODB_TABLE \ + --attribute-definitions AttributeName=LockID,AttributeType=S \ + --key-schema AttributeName=LockID,KeyType=HASH \ + --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ + --region $REGION + +echo "Backend setup completed!" 
+echo "S3 Bucket: $BUCKET_NAME" +echo "DynamoDB Table: $DYNAMODB_TABLE" +echo "Region: $REGION" + +# .env dosyasına kaydet +cat > ../.env << EOF +export TF_VAR_backend_bucket=$BUCKET_NAME +export TF_VAR_backend_region=$REGION +export TF_VAR_backend_dynamodb_table=$DYNAMODB_TABLE +EOF +EOF + +chmod +x setup-backend.sh +./setup-backend.sh +source ../.env +``` + +### 🗂️ **3.2 Terraform Module Structure** + +```bash +# 3.2.1 Terraform modules dizin yapısı +cd ~/devops-infrastructure/terraform/modules + +# 3.2.2 VPC module +mkdir -p vpc +cat > vpc/main.tf << 'EOF' +variable "vpc_cidr" { + description = "CIDR block for VPC" + type = string + default = "10.0.0.0/16" +} + +variable "availability_zones" { + description = "Availability zones" + type = list(string) + default = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] +} + +variable "environment" { + description = "Environment name" + type = string +} + +variable "project_name" { + description = "Project name" + type = string +} + +# VPC +resource "aws_vpc" "main" { + cidr_block = var.vpc_cidr + enable_dns_hostnames = true + enable_dns_support = true + + tags = { + Name = "${var.project_name}-${var.environment}-vpc" + Environment = var.environment + Project = var.project_name + } +} + +# Internet Gateway +resource "aws_internet_gateway" "main" { + vpc_id = aws_vpc.main.id + + tags = { + Name = "${var.project_name}-${var.environment}-igw" + Environment = var.environment + Project = var.project_name + } +} + +# Public Subnets +resource "aws_subnet" "public" { + count = length(var.availability_zones) + + vpc_id = aws_vpc.main.id + cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index) + availability_zone = var.availability_zones[count.index] + map_public_ip_on_launch = true + + tags = { + Name = "${var.project_name}-${var.environment}-public-${count.index + 1}" + Environment = var.environment + Project = var.project_name + Type = "public" + } +} + +# Private Subnets +resource "aws_subnet" "private" { + count = 
length(var.availability_zones) + + vpc_id = aws_vpc.main.id + cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index + length(var.availability_zones)) + availability_zone = var.availability_zones[count.index] + + tags = { + Name = "${var.project_name}-${var.environment}-private-${count.index + 1}" + Environment = var.environment + Project = var.project_name + Type = "private" + } +} + +# Elastic IPs for NAT Gateways +resource "aws_eip" "nat" { + count = length(var.availability_zones) + + domain = "vpc" + depends_on = [aws_internet_gateway.main] + + tags = { + Name = "${var.project_name}-${var.environment}-eip-${count.index + 1}" + Environment = var.environment + Project = var.project_name + } +} + +# NAT Gateways +resource "aws_nat_gateway" "main" { + count = length(var.availability_zones) + + allocation_id = aws_eip.nat[count.index].id + subnet_id = aws_subnet.public[count.index].id + + tags = { + Name = "${var.project_name}-${var.environment}-nat-${count.index + 1}" + Environment = var.environment + Project = var.project_name + } + + depends_on = [aws_internet_gateway.main] +} + +# Route table for public subnets +resource "aws_route_table" "public" { + vpc_id = aws_vpc.main.id + + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.main.id + } + + tags = { + Name = "${var.project_name}-${var.environment}-public-rt" + Environment = var.environment + Project = var.project_name + } +} + +# Route table associations for public subnets +resource "aws_route_table_association" "public" { + count = length(aws_subnet.public) + + subnet_id = aws_subnet.public[count.index].id + route_table_id = aws_route_table.public.id +} + +# Route tables for private subnets +resource "aws_route_table" "private" { + count = length(var.availability_zones) + + vpc_id = aws_vpc.main.id + + route { + cidr_block = "0.0.0.0/0" + nat_gateway_id = aws_nat_gateway.main[count.index].id + } + + tags = { + Name = "${var.project_name}-${var.environment}-private-rt-${count.index + 1}" + 
Environment = var.environment + Project = var.project_name + } +} + +# Route table associations for private subnets +resource "aws_route_table_association" "private" { + count = length(aws_subnet.private) + + subnet_id = aws_subnet.private[count.index].id + route_table_id = aws_route_table.private[count.index].id +} + +# VPC Flow Logs +resource "aws_flow_log" "vpc" { + iam_role_arn = aws_iam_role.flow_log.arn + log_destination = aws_cloudwatch_log_group.vpc_flow_log.arn + traffic_type = "ALL" + vpc_id = aws_vpc.main.id +} + +resource "aws_cloudwatch_log_group" "vpc_flow_log" { + name = "/aws/vpc/flow-logs" + retention_in_days = 7 +} + +resource "aws_iam_role" "flow_log" { + name = "${var.project_name}-${var.environment}-flow-log-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "vpc-flow-logs.amazonaws.com" + } + } + ] + }) +} + +resource "aws_iam_role_policy" "flow_log" { + name = "${var.project_name}-${var.environment}-flow-log-policy" + role = aws_iam_role.flow_log.id + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams" + ] + Effect = "Allow" + Resource = "*" + } + ] + }) +} +EOF + +cat > vpc/outputs.tf << 'EOF' +output "vpc_id" { + description = "ID of the VPC" + value = aws_vpc.main.id +} + +output "vpc_cidr_block" { + description = "CIDR block of the VPC" + value = aws_vpc.main.cidr_block +} + +output "public_subnet_ids" { + description = "IDs of the public subnets" + value = aws_subnet.public[*].id +} + +output "private_subnet_ids" { + description = "IDs of the private subnets" + value = aws_subnet.private[*].id +} + +output "internet_gateway_id" { + description = "ID of the Internet Gateway" + value = aws_internet_gateway.main.id +} + +output "nat_gateway_ids" { + description = "IDs of 
the NAT Gateways" + value = aws_nat_gateway.main[*].id +} +EOF + +cat > vpc/versions.tf << 'EOF' +terraform { + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} +EOF +``` + +### 🔒 **3.3 Security Groups Module** + +```bash +# 3.3.1 Security Groups module +mkdir -p security-groups +cat > security-groups/main.tf << 'EOF' +variable "vpc_id" { + description = "VPC ID" + type = string +} + +variable "environment" { + description = "Environment name" + type = string +} + +variable "project_name" { + description = "Project name" + type = string +} + +# ALB Security Group +resource "aws_security_group" "alb" { + name_prefix = "${var.project_name}-${var.environment}-alb-" + vpc_id = var.vpc_id + + ingress { + description = "HTTP" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + description = "HTTPS" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-${var.environment}-alb-sg" + Environment = var.environment + Project = var.project_name + } + + lifecycle { + create_before_destroy = true + } +} + +# EKS Cluster Security Group +resource "aws_security_group" "eks_cluster" { + name_prefix = "${var.project_name}-${var.environment}-eks-cluster-" + vpc_id = var.vpc_id + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-${var.environment}-eks-cluster-sg" + Environment = var.environment + Project = var.project_name + } + + lifecycle { + create_before_destroy = true + } +} + +# EKS Node Group Security Group +resource "aws_security_group" "eks_nodes" { + name_prefix = "${var.project_name}-${var.environment}-eks-nodes-" + vpc_id = var.vpc_id + + ingress { + description = "Allow nodes to communicate with each 
other" + from_port = 0 + to_port = 65535 + protocol = "tcp" + self = true + } + + ingress { + description = "Allow worker Kubelets and pods to receive communication from the cluster control plane" + from_port = 1025 + to_port = 65535 + protocol = "tcp" + security_groups = [aws_security_group.eks_cluster.id] + } + + ingress { + description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane" + from_port = 443 + to_port = 443 + protocol = "tcp" + security_groups = [aws_security_group.eks_cluster.id] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-${var.environment}-eks-nodes-sg" + Environment = var.environment + Project = var.project_name + } + + lifecycle { + create_before_destroy = true + } +} + +# RDS Security Group +resource "aws_security_group" "rds" { + name_prefix = "${var.project_name}-${var.environment}-rds-" + vpc_id = var.vpc_id + + ingress { + description = "MySQL/Aurora" + from_port = 3306 + to_port = 3306 + protocol = "tcp" + security_groups = [aws_security_group.eks_nodes.id] + } + + ingress { + description = "PostgreSQL" + from_port = 5432 + to_port = 5432 + protocol = "tcp" + security_groups = [aws_security_group.eks_nodes.id] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-${var.environment}-rds-sg" + Environment = var.environment + Project = var.project_name + } + + lifecycle { + create_before_destroy = true + } +} + +# ElastiCache Security Group +resource "aws_security_group" "elasticache" { + name_prefix = "${var.project_name}-${var.environment}-elasticache-" + vpc_id = var.vpc_id + + ingress { + description = "Redis" + from_port = 6379 + to_port = 6379 + protocol = "tcp" + security_groups = [aws_security_group.eks_nodes.id] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = 
["0.0.0.0/0"] + } + + tags = { + Name = "${var.project_name}-${var.environment}-elasticache-sg" + Environment = var.environment + Project = var.project_name + } + + lifecycle { + create_before_destroy = true + } +} +EOF + +cat > security-groups/outputs.tf << 'EOF' +output "alb_security_group_id" { + description = "ALB Security Group ID" + value = aws_security_group.alb.id +} + +output "eks_cluster_security_group_id" { + description = "EKS Cluster Security Group ID" + value = aws_security_group.eks_cluster.id +} + +output "eks_nodes_security_group_id" { + description = "EKS Nodes Security Group ID" + value = aws_security_group.eks_nodes.id +} + +output "rds_security_group_id" { + description = "RDS Security Group ID" + value = aws_security_group.rds.id +} + +output "elasticache_security_group_id" { + description = "ElastiCache Security Group ID" + value = aws_security_group.elasticache.id +} +EOF +``` + +### 🔧 **3.4 EKS Module** + +```bash +# 3.4.1 EKS module +mkdir -p eks +cat > eks/main.tf << 'EOF' +variable "cluster_name" { + description = "EKS cluster name" + type = string +} + +variable "cluster_version" { + description = "Kubernetes version" + type = string + default = "1.28" +} + +variable "subnet_ids" { + description = "Subnet IDs for EKS cluster" + type = list(string) +} + +variable "node_subnet_ids" { + description = "Subnet IDs for EKS node groups" + type = list(string) +} + +variable "cluster_security_group_id" { + description = "Security group ID for EKS cluster" + type = string +} + +variable "node_security_group_id" { + description = "Security group ID for EKS nodes" + type = string +} + +variable "environment" { + description = "Environment name" + type = string +} + +variable "project_name" { + description = "Project name" + type = string +} + +# EKS Cluster IAM Role +resource "aws_iam_role" "cluster" { + name = "${var.project_name}-${var.environment}-eks-cluster-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + 
{ + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "eks.amazonaws.com" + } + } + ] + }) + + tags = { + Environment = var.environment + Project = var.project_name + } +} + +resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSClusterPolicy" { + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" + role = aws_iam_role.cluster.name +} + +# EKS Node Group IAM Role +resource "aws_iam_role" "node_group" { + name = "${var.project_name}-${var.environment}-eks-node-group-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "ec2.amazonaws.com" + } + } + ] + }) + + tags = { + Environment = var.environment + Project = var.project_name + } +} + +resource "aws_iam_role_policy_attachment" "node_group_AmazonEKSWorkerNodePolicy" { + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" + role = aws_iam_role.node_group.name +} + +resource "aws_iam_role_policy_attachment" "node_group_AmazonEKS_CNI_Policy" { + policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" + role = aws_iam_role.node_group.name +} + +resource "aws_iam_role_policy_attachment" "node_group_AmazonEC2ContainerRegistryReadOnly" { + policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" + role = aws_iam_role.node_group.name +} + +# EKS Cluster +resource "aws_eks_cluster" "main" { + name = var.cluster_name + role_arn = aws_iam_role.cluster.arn + version = var.cluster_version + + vpc_config { + subnet_ids = var.subnet_ids + security_group_ids = [var.cluster_security_group_id] + endpoint_private_access = true + endpoint_public_access = true + public_access_cidrs = ["0.0.0.0/0"] + } + + enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"] + + encryption_config { + provider { + key_arn = aws_kms_key.eks.arn + } + resources = ["secrets"] + } + + depends_on = [ + 
aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy, + aws_cloudwatch_log_group.eks + ] + + tags = { + Name = var.cluster_name + Environment = var.environment + Project = var.project_name + } +} + +# CloudWatch Log Group for EKS +resource "aws_cloudwatch_log_group" "eks" { + name = "/aws/eks/${var.cluster_name}/cluster" + retention_in_days = 7 +} + +# KMS Key for EKS encryption +resource "aws_kms_key" "eks" { + description = "EKS Secret Encryption Key" + deletion_window_in_days = 7 + + tags = { + Name = "${var.project_name}-${var.environment}-eks-kms" + Environment = var.environment + Project = var.project_name + } +} + +resource "aws_kms_alias" "eks" { + name = "alias/${var.project_name}-${var.environment}-eks" + target_key_id = aws_kms_key.eks.key_id +} + +# EKS Node Group +resource "aws_eks_node_group" "main" { + cluster_name = aws_eks_cluster.main.name + node_group_name = "${var.cluster_name}-node-group" + node_role_arn = aws_iam_role.node_group.arn + subnet_ids = var.node_subnet_ids + + capacity_type = "ON_DEMAND" + ami_type = "AL2_x86_64" + instance_types = ["t3.medium"] + disk_size = 20 + + scaling_config { + desired_size = 2 + max_size = 10 + min_size = 1 + } + + update_config { + max_unavailable = 1 + } + + # Remote access configuration + remote_access { + ec2_ssh_key = aws_key_pair.eks_nodes.key_name + source_security_group_ids = [var.node_security_group_id] + } + + depends_on = [ + aws_iam_role_policy_attachment.node_group_AmazonEKSWorkerNodePolicy, + aws_iam_role_policy_attachment.node_group_AmazonEKS_CNI_Policy, + aws_iam_role_policy_attachment.node_group_AmazonEC2ContainerRegistryReadOnly, + ] + + tags = { + Name = "${var.cluster_name}-node-group" + Environment = var.environment + Project = var.project_name + } +} + +# SSH Key Pair for EKS nodes +resource "aws_key_pair" "eks_nodes" { + key_name = "${var.cluster_name}-eks-nodes" + public_key = file("~/.ssh/id_rsa.pub") + + tags = { + Name = "${var.cluster_name}-eks-nodes" + Environment = 
var.environment + Project = var.project_name + } +} + +# EKS Add-ons +resource "aws_eks_addon" "coredns" { + cluster_name = aws_eks_cluster.main.name + addon_name = "coredns" + addon_version = "v1.10.1-eksbuild.5" + resolve_conflicts_on_create = "OVERWRITE" +} + +resource "aws_eks_addon" "kube_proxy" { + cluster_name = aws_eks_cluster.main.name + addon_name = "kube-proxy" + addon_version = "v1.28.2-eksbuild.2" + resolve_conflicts_on_create = "OVERWRITE" +} + +resource "aws_eks_addon" "vpc_cni" { + cluster_name = aws_eks_cluster.main.name + addon_name = "vpc-cni" + addon_version = "v1.15.1-eksbuild.1" + resolve_conflicts_on_create = "OVERWRITE" +} + +resource "aws_eks_addon" "ebs_csi" { + cluster_name = aws_eks_cluster.main.name + addon_name = "aws-ebs-csi-driver" + addon_version = "v1.25.0-eksbuild.1" + resolve_conflicts_on_create = "OVERWRITE" +} +EOF + +cat > eks/outputs.tf << 'EOF' +output "cluster_id" { + description = "EKS cluster ID" + value = aws_eks_cluster.main.id +} + +output "cluster_arn" { + description = "EKS cluster ARN" + value = aws_eks_cluster.main.arn +} + +output "cluster_endpoint" { + description = "EKS cluster endpoint" + value = aws_eks_cluster.main.endpoint +} + +output "cluster_security_group_id" { + description = "EKS cluster security group ID" + value = aws_eks_cluster.main.vpc_config[0].cluster_security_group_id +} + +output "cluster_certificate_authority_data" { + description = "EKS cluster certificate authority data" + value = aws_eks_cluster.main.certificate_authority[0].data +} + +output "cluster_version" { + description = "EKS cluster Kubernetes version" + value = aws_eks_cluster.main.version +} + +output "node_group_arn" { + description = "EKS node group ARN" + value = aws_eks_node_group.main.arn +} + +output "node_group_status" { + description = "EKS node group status" + value = aws_eks_node_group.main.status +} +EOF +``` + +### 🗃️ **3.5 RDS Module** + +```bash +# 3.5.1 RDS module +mkdir -p rds +cat > rds/main.tf << 'EOF' +variable 
"db_name" { + description = "Database name" + type = string +} + +variable "db_username" { + description = "Database username" + type = string + default = "admin" +} + +variable "db_password" { + description = "Database password" + type = string + sensitive = true +} + +variable "subnet_ids" { + description = "Subnet IDs for RDS" + type = list(string) +} + +variable "security_group_id" { + description = "Security group ID for RDS" + type = string +} + +variable "environment" { + description = "Environment name" + type = string +} + +variable "project_name" { + description = "Project name" + type = string +} + +variable "engine" { + description = "Database engine" + type = string + default = "postgres" +} + +variable "engine_version" { + description = "Database engine version" + type = string + default = "15.4" +} + +variable "instance_class" { + description = "RDS instance class" + type = string + default = "db.t3.micro" +} + +variable "allocated_storage" { + description = "RDS allocated storage" + type = number + default = 20 +} + +variable "backup_retention_period" { + description = "Backup retention period in days" + type = number + default = 7 +} + +# DB Subnet Group +resource "aws_db_subnet_group" "main" { + name = "${var.project_name}-${var.environment}-db-subnet-group" + subnet_ids = var.subnet_ids + + tags = { + Name = "${var.project_name}-${var.environment}-db-subnet-group" + Environment = var.environment + Project = var.project_name + } +} + +# DB Parameter Group +resource "aws_db_parameter_group" "main" { + family = "${var.engine}15" + name = "${var.project_name}-${var.environment}-db-params" + + dynamic "parameter" { + for_each = var.engine == "postgres" ? 
[ + { + name = "log_statement" + value = "all" + }, + { + name = "log_duration" + value = "1" + }, + { + name = "log_min_duration_statement" + value = "1000" + } + ] : [] + + content { + name = parameter.value.name + value = parameter.value.value + } + } + + tags = { + Name = "${var.project_name}-${var.environment}-db-params" + Environment = var.environment + Project = var.project_name + } +} + +# KMS Key for RDS encryption +resource "aws_kms_key" "rds" { + description = "RDS encryption key" + deletion_window_in_days = 7 + + tags = { + Name = "${var.project_name}-${var.environment}-rds-kms" + Environment = var.environment + Project = var.project_name + } +} + +resource "aws_kms_alias" "rds" { + name = "alias/${var.project_name}-${var.environment}-rds" + target_key_id = aws_kms_key.rds.key_id +} + +# RDS Instance +resource "aws_db_instance" "main" { + identifier = "${var.project_name}-${var.environment}-db" + + # Engine options + engine = var.engine + engine_version = var.engine_version + instance_class = var.instance_class + + # Storage + allocated_storage = var.allocated_storage + max_allocated_storage = var.allocated_storage * 2 + storage_type = "gp3" + storage_encrypted = true + kms_key_id = aws_kms_key.rds.arn + + # Database + db_name = var.db_name + username = var.db_username + password = var.db_password + + # Network & Security + db_subnet_group_name = aws_db_subnet_group.main.name + vpc_security_group_ids = [var.security_group_id] + publicly_accessible = false + + # Backup + backup_retention_period = var.backup_retention_period + backup_window = "03:00-04:00" + maintenance_window = "sun:04:00-sun:05:00" + + # Monitoring + monitoring_interval = 60 + monitoring_role_arn = aws_iam_role.rds_monitoring.arn + + # Performance Insights + performance_insights_enabled = true + performance_insights_kms_key_id = aws_kms_key.rds.arn + + # Parameters + parameter_group_name = aws_db_parameter_group.main.name + + # Deletion protection + deletion_protection = var.environment 
== "prod" ? true : false + skip_final_snapshot = var.environment == "prod" ? false : true + final_snapshot_identifier = var.environment == "prod" ? "${var.project_name}-${var.environment}-final-snapshot-${formatdate("YYYY-MM-DD-hhmm", timestamp())}" : null + + tags = { + Name = "${var.project_name}-${var.environment}-db" + Environment = var.environment + Project = var.project_name + } +} + +# IAM Role for RDS Enhanced Monitoring +resource "aws_iam_role" "rds_monitoring" { + name = "${var.project_name}-${var.environment}-rds-monitoring-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "monitoring.rds.amazonaws.com" + } + } + ] + }) + + tags = { + Environment = var.environment + Project = var.project_name + } +} + +resource "aws_iam_role_policy_attachment" "rds_monitoring" { + role = aws_iam_role.rds_monitoring.name + policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole" +} + +# Read Replica (for production) +resource "aws_db_instance" "read_replica" { + count = var.environment == "prod" ? 
1 : 0 + + identifier = "${var.project_name}-${var.environment}-db-read-replica" + + replicate_source_db = aws_db_instance.main.identifier + instance_class = var.instance_class + + # Network & Security + vpc_security_group_ids = [var.security_group_id] + publicly_accessible = false + + # Monitoring + monitoring_interval = 60 + monitoring_role_arn = aws_iam_role.rds_monitoring.arn + + # Performance Insights + performance_insights_enabled = true + performance_insights_kms_key_id = aws_kms_key.rds.arn + + skip_final_snapshot = true + + tags = { + Name = "${var.project_name}-${var.environment}-db-read-replica" + Environment = var.environment + Project = var.project_name + } +} +EOF + +cat > rds/outputs.tf << 'EOF' +output "db_instance_endpoint" { + description = "RDS instance endpoint" + value = aws_db_instance.main.endpoint +} + +output "db_instance_id" { + description = "RDS instance ID" + value = aws_db_instance.main.id +} + +output "db_instance_arn" { + description = "RDS instance ARN" + value = aws_db_instance.main.arn +} + +output "db_instance_port" { + description = "RDS instance port" + value = aws_db_instance.main.port +} + +output "db_subnet_group_id" { + description = "DB subnet group ID" + value = aws_db_subnet_group.main.id +} + +output "db_parameter_group_id" { + description = "DB parameter group ID" + value = aws_db_parameter_group.main.id +} + +output "read_replica_endpoint" { + description = "Read replica endpoint" + value = var.environment == "prod" ? 
aws_db_instance.read_replica[0].endpoint : null +} +EOF +``` + +### 🎯 **3.6 Environment-Specific Configurations** + +```bash +# 3.6.1 Development environment +cd ~/devops-infrastructure/terraform/environments/dev + +# SSH key pair oluştur +ssh-keygen -t rsa -b 4096 -C "devops@company.com" -f ~/.ssh/id_rsa -N "" + +cat > main.tf << 'EOF' +terraform { + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } + + backend "s3" { + # Backend configuration will be provided via backend config file + } +} + +provider "aws" { + region = var.aws_region + + default_tags { + tags = { + Environment = var.environment + Project = var.project_name + ManagedBy = "Terraform" + } + } +} + +# Local values +locals { + cluster_name = "${var.project_name}-${var.environment}-eks" +} + +# VPC Module +module "vpc" { + source = "../../modules/vpc" + + vpc_cidr = var.vpc_cidr + availability_zones = var.availability_zones + environment = var.environment + project_name = var.project_name +} + +# Security Groups Module +module "security_groups" { + source = "../../modules/security-groups" + + vpc_id = module.vpc.vpc_id + environment = var.environment + project_name = var.project_name +} + +# EKS Module +module "eks" { + source = "../../modules/eks" + + cluster_name = local.cluster_name + cluster_version = var.kubernetes_version + subnet_ids = concat(module.vpc.public_subnet_ids, module.vpc.private_subnet_ids) + node_subnet_ids = module.vpc.private_subnet_ids + cluster_security_group_id = module.security_groups.eks_cluster_security_group_id + node_security_group_id = module.security_groups.eks_nodes_security_group_id + environment = var.environment + project_name = var.project_name +} + +# RDS Module +module "rds" { + source = "../../modules/rds" + + db_name = var.db_name + db_username = var.db_username + db_password = var.db_password + subnet_ids = module.vpc.private_subnet_ids + security_group_id = 
module.security_groups.rds_security_group_id + environment = var.environment + project_name = var.project_name + engine = "postgres" + engine_version = "15.4" + instance_class = "db.t3.micro" + allocated_storage = 20 +} +EOF + +cat > variables.tf << 'EOF' +variable "aws_region" { + description = "AWS region" + type = string + default = "eu-west-1" +} + +variable "environment" { + description = "Environment name" + type = string + default = "dev" +} + +variable "project_name" { + description = "Project name" + type = string + default = "mycompany" +} + +variable "vpc_cidr" { + description = "CIDR block for VPC" + type = string + default = "10.0.0.0/16" +} + +variable "availability_zones" { + description = "Availability zones" + type = list(string) + default = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] +} + +variable "kubernetes_version" { + description = "Kubernetes version" + type = string + default = "1.28" +} + +variable "db_name" { + description = "Database name" + type = string + default = "mycompanydb" +} + +variable "db_username" { + description = "Database username" + type = string + default = "admin" +} + +variable "db_password" { + description = "Database password" + type = string + sensitive = true +} +EOF + +cat > terraform.tfvars << 'EOF' +aws_region = "eu-west-1" +environment = "dev" +project_name = "mycompany" +vpc_cidr = "10.0.0.0/16" +availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] +kubernetes_version = "1.28" +db_name = "mycompanydb" +db_username = "admin" +db_password = "SuperSecurePassword123!" 
+EOF + +cat > outputs.tf << 'EOF' +output "vpc_id" { + description = "VPC ID" + value = module.vpc.vpc_id +} + +output "eks_cluster_endpoint" { + description = "EKS cluster endpoint" + value = module.eks.cluster_endpoint +} + +output "eks_cluster_name" { + description = "EKS cluster name" + value = module.eks.cluster_id +} + +output "rds_endpoint" { + description = "RDS endpoint" + value = module.rds.db_instance_endpoint +} + +output "configure_kubectl" { + description = "Configure kubectl command" + value = "aws eks update-kubeconfig --region ${var.aws_region} --name ${module.eks.cluster_id}" +} +EOF + +# Backend configuration +cat > backend.conf << EOF +bucket = "$TF_VAR_backend_bucket" +key = "dev/terraform.tfstate" +region = "$TF_VAR_backend_region" +dynamodb_table = "$TF_VAR_backend_dynamodb_table" +encrypt = true +EOF +``` + +### 🚀 **3.7 Terraform Initialize ve Deploy** + +```bash +# 3.7.1 Terraform initialize +cd ~/devops-infrastructure/terraform/environments/dev +terraform init -backend-config=backend.conf + +# 3.7.2 Terraform plan +terraform plan -out=tfplan + +# 3.7.3 Terraform apply +terraform apply tfplan + +# 3.7.4 kubectl konfigürasyonu +aws eks update-kubeconfig --region eu-west-1 --name $(terraform output -raw eks_cluster_name) + +# 3.7.5 Cluster bağlantısını test et +kubectl get nodes +kubectl get pods --all-namespaces + +# 3.7.6 Terraform outputs +terraform output +``` + +--- diff --git a/RoadMap/advanced/03-containerization.md b/RoadMap/advanced/03-containerization.md new file mode 100644 index 0000000..04fcb38 --- /dev/null +++ b/RoadMap/advanced/03-containerization.md 
@@ -0,0 +1,423 @@ +# 🐳 **PHASE 3: CONTAINERIZATION VE REGISTRY** (Gün 6-7) + +### 📦 **4.1 GitHub Container Registry Setup** + +```bash +# 4.1.1 GitHub Personal Access Token oluştur +# GitHub -> Settings -> Developer settings -> Personal access tokens -> Tokens (classic) +# Permissions: write:packages, read:packages, delete:packages + +# 4.1.2 GitHub Container Registry'ye login +echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin + +# 4.1.3 Test image push +docker pull hello-world +docker tag hello-world ghcr.io/yourusername/hello-world:latest +docker push ghcr.io/yourusername/hello-world:latest +``` + +### 🏗️ **4.2 Docker Multi-Stage Build Templates** + +```bash +# 4.2.1 Docker templates dizini +cd ~/devops-infrastructure/docker +mkdir -p {nodejs,python,golang,java,nginx} + +# 4.2.2 Node.js Dockerfile template +cat > nodejs/Dockerfile << 'EOF' +# Multi-stage build for Node.js applications +FROM node:18-alpine AS builder + +# Set working directory +WORKDIR /app + +# Copy package files +COPY package*.json ./ + +# Install dependencies +RUN npm ci --only=production && npm cache clean --force + +# Copy source code +COPY . . 
+ +# Build application +RUN npm run build + +# Production stage +FROM node:18-alpine AS production + +# Install dumb-init for proper signal handling +RUN apk add --no-cache dumb-init + +# Create non-root user +RUN addgroup -g 1001 -S nodejs && \ + adduser -S nodejs -u 1001 + +# Set working directory +WORKDIR /app + +# Copy package files +COPY package*.json ./ + +# Install only production dependencies +RUN npm ci --only=production && npm cache clean --force + +# Copy built application from builder stage +COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist +COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules + +# Switch to non-root user +USER nodejs + +# Expose port +EXPOSE 3000 + +# Health check +HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ + CMD node healthcheck.js + +# Use dumb-init to handle signals properly +ENTRYPOINT ["dumb-init", "--"] + +# Start application +CMD ["node", "dist/index.js"] +EOF + +# 4.2.3 Python Dockerfile template +cat > python/Dockerfile << 'EOF' +# Multi-stage build for Python applications +FROM python:3.11-slim AS builder + +# Set environment variables +ENV PYTHONDONTWRITEBYTECODE=1 \ + PYTHONUNBUFFERED=1 \ + PIP_NO_CACHE_DIR=1 \ + PIP_DISABLE_PIP_VERSION_CHECK=1 + +# Install system dependencies +RUN apt-get update && apt-get install -y --no-install-recommends \ + build-essential \ + && rm -rf /var/lib/apt/lists/* + +# Create virtual environment +RUN python -m venv /opt/venv +ENV PATH="/opt/venv/bin:$PATH" + +# Copy requirements +COPY requirements.txt . 
+ +# Install Python dependencies +RUN pip install --no-cache-dir -r requirements.txt + +# Production stage +FROM python:3.11-slim AS production + +# Set environment variables +ENV PYTHONDONTWRITEBYTECODE=1 \ + PYTHONUNBUFFERED=1 \ + PATH="/opt/venv/bin:$PATH" + +# Install runtime dependencies +RUN apt-get update && apt-get install -y --no-install-recommends \ + dumb-init \ + && rm -rf /var/lib/apt/lists/* + +# Create non-root user +RUN groupadd -r appuser && useradd -r -g appuser appuser + +# Copy virtual environment from builder +COPY --from=builder /opt/venv /opt/venv + +# Set working directory +WORKDIR /app + +# Copy application code +COPY --chown=appuser:appuser . . + +# Switch to non-root user +USER appuser + +# Expose port +EXPOSE 8000 + +# Health check +HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ + CMD python healthcheck.py + +# Use dumb-init to handle signals properly +ENTRYPOINT ["dumb-init", "--"] + +# Start application +CMD ["python", "app.py"] +EOF + +# 4.2.4 Golang Dockerfile template +cat > golang/Dockerfile << 'EOF' +# Multi-stage build for Go applications +FROM golang:1.21-alpine AS builder + +# Install git for go modules +RUN apk add --no-cache git + +# Set working directory +WORKDIR /app + +# Copy go mod files +COPY go.mod go.sum ./ + +# Download dependencies +RUN go mod download + +# Copy source code +COPY . . + +# Build application with optimizations +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \ + -ldflags='-w -s -extldflags "-static"' \ + -a -installsuffix cgo \ + -o main . 
+ +# Production stage +FROM scratch AS production + +# Add ca-certificates for HTTPS +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ + +# Copy binary from builder +COPY --from=builder /app/main /main + +# Expose port +EXPOSE 8080 + +# Health check (for scratch images, implement in Go) +HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ + CMD ["/main", "-health"] + +# Start application +ENTRYPOINT ["/main"] +EOF + +# 4.2.5 Docker Compose template +cat > docker-compose.yml << 'EOF' +version: '3.8' + +services: + web: + build: + context: . + dockerfile: Dockerfile + target: production + ports: + - "3000:3000" + environment: + - NODE_ENV=production + - DATABASE_URL=postgresql://user:password@db:5432/myapp + - REDIS_URL=redis://redis:6379 + depends_on: + - db + - redis + networks: + - app-network + restart: unless-stopped + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:3000/health"] + interval: 30s + timeout: 10s + retries: 3 + + db: + image: postgres:15-alpine + environment: + - POSTGRES_DB=myapp + - POSTGRES_USER=user + - POSTGRES_PASSWORD=password + volumes: + - postgres_data:/var/lib/postgresql/data + - ./init.sql:/docker-entrypoint-initdb.d/init.sql + networks: + - app-network + restart: unless-stopped + healthcheck: + test: ["CMD-SHELL", "pg_isready -U user -d myapp"] + interval: 30s + timeout: 5s + retries: 3 + + redis: + image: redis:7-alpine + command: redis-server --appendonly yes + volumes: + - redis_data:/data + networks: + - app-network + restart: unless-stopped + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 30s + timeout: 5s + retries: 3 + +volumes: + postgres_data: + redis_data: + +networks: + app-network: + driver: bridge +EOF + +# 4.2.6 .dockerignore +cat > .dockerignore << 'EOF' +# Git +.git +.gitignore + +# Documentation +README.md +CHANGELOG.md +docs/ + +# Dependencies +node_modules/ +vendor/ +__pycache__/ +*.pyc +target/ + +# Build artifacts +dist/ +build/ +*.log + +# IDE 
+.vscode/ +.idea/ +*.swp +*.swo + +# OS +.DS_Store +Thumbs.db + +# Environment +.env +.env.local +.env.*.local + +# Testing +coverage/ +.nyc_output/ +test-results/ + +# Terraform +*.tfstate +*.tfstate.* +.terraform/ + +# Docker +Dockerfile* +docker-compose* +EOF +``` + +### 🔒 **4.3 Container Security Scanning Setup** + +```bash +# 4.3.1 Trivy kurulumu (vulnerability scanner) +# Ubuntu/Debian +wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - +echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list +sudo apt-get update && sudo apt-get install trivy + +# macOS +brew install trivy + +# 4.3.2 Hadolint kurulumu (Dockerfile linter) +# Ubuntu/Debian +wget -O hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 +chmod +x hadolint +sudo mv hadolint /usr/local/bin/ + +# macOS +brew install hadolint + +# 4.3.3 Container security scanning script +cat > ~/devops-infrastructure/scripts/container-security-scan.sh << 'EOF' +#!/bin/bash + +# Container Security Scanning Script +set -e + +IMAGE_NAME=$1 +if [ -z "$IMAGE_NAME" ]; then + echo "Usage: $0 " + exit 1 +fi + +echo "🔍 Starting security scan for $IMAGE_NAME..." + +# 1. Dockerfile linting +echo "📋 Running Dockerfile lint..." +if [ -f "Dockerfile" ]; then + hadolint Dockerfile || echo "⚠️ Dockerfile linting issues found" +else + echo "❌ Dockerfile not found" +fi + +# 2. Image vulnerability scanning +echo "🛡️ Running vulnerability scan..." +trivy image --exit-code 1 --severity HIGH,CRITICAL $IMAGE_NAME + +# 3. Configuration scanning +echo "⚙️ Running configuration scan..." +trivy config --exit-code 1 . + +# 4. Secret scanning +echo "🔐 Running secret scan..." +trivy fs --exit-code 1 --scanners secret . 
+ +echo "✅ Security scan completed for $IMAGE_NAME" +EOF + +chmod +x ~/devops-infrastructure/scripts/container-security-scan.sh + +# 4.3.4 Pre-commit hooks için security scanning +cat > ~/devops-infrastructure/.pre-commit-config.yaml << 'EOF' +repos: + - repo: https://github.com/hadolint/hadolint + rev: v2.12.0 + hooks: + - id: hadolint-docker + args: [--config, .hadolint.yaml] + + - repo: https://github.com/aquasecurity/trivy + rev: v0.48.0 + hooks: + - id: trivy-docker + args: [--exit-code, "1", --severity, "HIGH,CRITICAL"] + + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer + - id: check-yaml + - id: check-added-large-files + - id: check-merge-conflict +EOF + +# Hadolint config +cat > ~/devops-infrastructure/.hadolint.yaml << 'EOF' +ignored: + - DL3008 # Pin versions in apt get install + - DL3009 # Delete the apt-get lists after installing something + - DL3015 # Avoid additional packages by specifying --no-install-recommends + +trusted-registries: + - docker.io + - ghcr.io + - quay.io +EOF +``` + +--- diff --git a/RoadMap/advanced/04-cicd-pipeline.md b/RoadMap/advanced/04-cicd-pipeline.md new file mode 100644 index 0000000..d715cbd --- /dev/null +++ b/RoadMap/advanced/04-cicd-pipeline.md 
@@ -0,0 +1,510 @@ +# 🔄 **PHASE 4: CI/CD PIPELINE KURULUMU** (Gün 8-10) + +### 🛠️ **5.1 Jenkins on Kubernetes Setup** + +```bash +# 5.1.1 Jenkins namespace ve RBAC oluştur +cd ~/devops-infrastructure/kubernetes/base +mkdir -p jenkins + +cat > jenkins/namespace.yaml << 'EOF' +apiVersion: v1 +kind: Namespace +metadata: + name: jenkins + labels: + name: jenkins +EOF + +cat > jenkins/serviceaccount.yaml << 'EOF' +apiVersion: v1 +kind: ServiceAccount +metadata: + name: jenkins + namespace: jenkins +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: jenkins +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update","watch"] +- apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create","delete","get","list","patch","update","watch"] +- apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] +- apiGroups: [""] + resources: ["events"] + verbs: ["get","list","watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: jenkins +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: jenkins +subjects: +- kind: ServiceAccount + name: jenkins + namespace: jenkins +EOF + +cat > jenkins/pvc.yaml << 'EOF' +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: jenkins-pvc + namespace: jenkins +spec: + accessModes: + - ReadWriteOnce + storageClassName: gp3 + resources: + requests: + storage: 10Gi +EOF + +cat > jenkins/deployment.yaml << 'EOF' +apiVersion: apps/v1 +kind: Deployment +metadata: + name: jenkins + namespace: jenkins +spec: + replicas: 1 + selector: + matchLabels: + app: jenkins + template: + metadata: + labels: + app: jenkins + spec: + serviceAccountName: jenkins + containers: + - name: jenkins + image: jenkins/jenkins:2.414.1-lts-jdk11 + ports: + - containerPort: 8080 + - containerPort: 50000 + env: + - name: JAVA_OPTS + value: "-Xmx2048m 
-Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85" + - name: JENKINS_OPTS + value: "--httpPort=8080" + volumeMounts: + - name: jenkins-home + mountPath: /var/jenkins_home + - name: docker-sock + mountPath: /var/run/docker.sock + resources: + requests: + memory: "1Gi" + cpu: "500m" + limits: + memory: "2Gi" + cpu: "1000m" + livenessProbe: + httpGet: + path: /login + port: 8080 + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /login + port: 8080 + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + volumes: + - name: jenkins-home + persistentVolumeClaim: + claimName: jenkins-pvc + - name: docker-sock + hostPath: + path: /var/run/docker.sock + securityContext: + fsGroup: 1000 + runAsUser: 1000 +EOF + +cat > jenkins/service.yaml << 'EOF' +apiVersion: v1 +kind: Service +metadata: + name: jenkins + namespace: jenkins +spec: + ports: + - name: http + port: 8080 + targetPort: 8080 + - name: jnlp + port: 50000 + targetPort: 50000 + selector: + app: jenkins + type: ClusterIP +EOF + +cat > jenkins/ingress.yaml << 'EOF' +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: jenkins + namespace: jenkins + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "50m" + nginx.ingress.kubernetes.io/proxy-request-buffering: "off" + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + tls: + - hosts: + - jenkins.yourdomain.com + secretName: jenkins-tls + rules: + - host: jenkins.yourdomain.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: jenkins + port: + number: 8080 +EOF + +# 5.1.2 Jenkins deploy +kubectl apply -f jenkins/ +kubectl get pods -n jenkins +kubectl logs -f deployment/jenkins -n jenkins +``` + +### 🌐 **5.2 NGINX Ingress Controller Setup** + +```bash +# 5.2.1 NGINX Ingress 
Controller kurulumu +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm repo update + +helm install ingress-nginx ingress-nginx/ingress-nginx \ + --namespace ingress-nginx \ + --create-namespace \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-type"="nlb" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" + +# 5.2.2 Ingress controller durumunu kontrol et +kubectl get pods -n ingress-nginx +kubectl get svc -n ingress-nginx + +# 5.2.3 External IP'yi al +EXTERNAL_IP=$(kubectl get svc ingress-nginx-controller -n ingress-nginx -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') +echo "External LoadBalancer: $EXTERNAL_IP" +``` + +### 🔐 **5.3 Cert-Manager Setup (SSL/TLS)** + +```bash +# 5.3.1 Cert-Manager kurulumu +helm repo add jetstack https://charts.jetstack.io +helm repo update + +kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.crds.yaml + +helm install cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --version v1.13.0 + +# 5.3.2 Let's Encrypt ClusterIssuer +cat > ~/devops-infrastructure/kubernetes/base/cert-manager-issuer.yaml << 'EOF' +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: admin@yourdomain.com + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - http01: + ingress: + class: nginx +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: admin@yourdomain.com + privateKeySecretRef: + name: letsencrypt-prod + solvers: + - http01: + ingress: + class: nginx +EOF + +kubectl apply -f 
~/devops-infrastructure/kubernetes/base/cert-manager-issuer.yaml + +# 5.3.3 Cert-manager durumunu kontrol et +kubectl get pods -n cert-manager +kubectl get clusterissuers +``` + +### 🔧 **5.4 Jenkins Initial Setup** + +```bash +# 5.4.1 Jenkins admin password'unu al +kubectl exec -n jenkins -it deployment/jenkins -- cat /var/jenkins_home/secrets/initialAdminPassword + +# 5.4.2 Jenkins URL'sine eriş (port-forward ile) +kubectl port-forward -n jenkins svc/jenkins 8080:8080 + +# 5.4.3 Jenkins Initial Setup (Browser üzerinden) +# http://localhost:8080 +# - Initial password gir +# - Suggested plugins install et +# - Admin user oluştur +# - Jenkins URL'yi ayarla + +# 5.4.4 Essential Jenkins plugins kurulumu (Browser üzerinden) +# Manage Jenkins -> Manage Plugins -> Available +# - Blue Ocean +# - Pipeline +# - Git Pipeline for Blue Ocean +# - Docker Pipeline +# - Kubernetes CLI +# - GitHub Integration +# - Slack Notification +# - Build Timestamp +# - AnsiColor +# - Workspace Cleanup +``` + +### 📝 **5.5 Jenkins Pipeline as Code** + +```bash +# 5.5.1 Shared Pipeline Library oluştur +mkdir -p ~/devops-infrastructure/jenkins/shared-library/{vars,src,resources} + +cat > ~/devops-infrastructure/jenkins/shared-library/vars/buildAndPush.groovy << 'EOF' +def call(Map config) { + pipeline { + agent { + kubernetes { + yaml """ + apiVersion: v1 + kind: Pod + spec: + containers: + - name: docker + image: docker:latest + command: + - cat + tty: true + volumeMounts: + - mountPath: /var/run/docker.sock + name: docker-sock + - name: kubectl + image: bitnami/kubectl:latest + command: + - cat + tty: true + - name: helm + image: alpine/helm:latest + command: + - cat + tty: true + volumes: + - name: docker-sock + hostPath: + path: /var/run/docker.sock + """ + } + } + + environment { + DOCKER_REGISTRY = 'ghcr.io' + IMAGE_NAME = "${config.imageName}" + GIT_COMMIT_SHORT = sh(script: "git rev-parse --short HEAD", returnStdout: true).trim() + BUILD_VERSION = "${env.BUILD_NUMBER}-${GIT_COMMIT_SHORT}" 
+ } + + stages { + stage('Checkout') { + steps { + checkout scm + } + } + + stage('Build Info') { + steps { + script { + currentBuild.displayName = "#${env.BUILD_NUMBER} - ${BUILD_VERSION}" + currentBuild.description = "Branch: ${env.BRANCH_NAME}" + } + } + } + + stage('Lint Dockerfile') { + steps { + container('docker') { + sh ''' + echo "🔍 Linting Dockerfile..." + # Dockerfile linting would go here + ''' + } + } + } + + stage('Build Docker Image') { + steps { + container('docker') { + script { + def image = docker.build("${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION}") + docker.withRegistry("https://${DOCKER_REGISTRY}", 'github-registry-credentials') { + image.push() + image.push("latest") + } + } + } + } + } + + stage('Security Scan') { + steps { + container('docker') { + sh ''' + echo "🛡️ Running security scan..." + # Trivy scanning would go here + ''' + } + } + } + + stage('Deploy to Dev') { + when { + branch 'develop' + } + steps { + container('kubectl') { + sh ''' + echo "🚀 Deploying to development..." + kubectl set image deployment/${IMAGE_NAME} ${IMAGE_NAME}=${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION} -n dev + kubectl rollout status deployment/${IMAGE_NAME} -n dev + ''' + } + } + } + + stage('Deploy to Staging') { + when { + branch 'main' + } + steps { + container('kubectl') { + sh ''' + echo "🚀 Deploying to staging..." + kubectl set image deployment/${IMAGE_NAME} ${IMAGE_NAME}=${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION} -n staging + kubectl rollout status deployment/${IMAGE_NAME} -n staging + ''' + } + } + } + + stage('Deploy to Production') { + when { + buildingTag() + } + steps { + script { + timeout(time: 5, unit: 'MINUTES') { + input message: 'Deploy to production?', ok: 'Deploy' + } + } + container('kubectl') { + sh ''' + echo "🚀 Deploying to production..." 
+ kubectl set image deployment/${IMAGE_NAME} ${IMAGE_NAME}=${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION} -n production + kubectl rollout status deployment/${IMAGE_NAME} -n production + ''' + } + } + } + } + + post { + success { + slackSend( + channel: '#deployments', + color: 'good', + message: "✅ ${IMAGE_NAME} v${BUILD_VERSION} deployed successfully to ${env.BRANCH_NAME}" + ) + } + failure { + slackSend( + channel: '#deployments', + color: 'danger', + message: "❌ ${IMAGE_NAME} v${BUILD_VERSION} deployment failed on ${env.BRANCH_NAME}" + ) + } + } + } +} +EOF + +# 5.5.2 Sample application Jenkinsfile +cat > ~/devops-infrastructure/jenkins/sample-Jenkinsfile << 'EOF' +@Library('shared-library') _ + +buildAndPush([ + imageName: 'mycompany/sample-app' +]) +EOF +``` + +### 🔐 **5.6 Jenkins Credentials Setup** + +```bash +# 5.6.1 GitHub credentials secret oluştur +kubectl create secret generic github-registry-credentials \ + --from-literal=username=YOUR_GITHUB_USERNAME \ + --from-literal=password=YOUR_GITHUB_TOKEN \ + --namespace=jenkins + +# 5.6.2 AWS credentials secret oluştur +kubectl create secret generic aws-credentials \ + --from-literal=access-key-id=YOUR_AWS_ACCESS_KEY \ + --from-literal=secret-access-key=YOUR_AWS_SECRET_KEY \ + --namespace=jenkins + +# 5.6.3 Jenkins'te credentials ekle (Browser üzerinden) +# Manage Jenkins -> Manage Credentials -> Global -> Add Credentials +# - GitHub Token: Kind=Username with password, ID=github-registry-credentials +# - AWS Credentials: Kind=AWS Credentials, ID=aws-credentials +# - Kubeconfig: Kind=Secret file, ID=kubeconfig +``` + +--- diff --git a/RoadMap/advanced/05-kubernetes-advanced.md b/RoadMap/advanced/05-kubernetes-advanced.md new file mode 100644 index 0000000..a7eb97e --- /dev/null +++ b/RoadMap/advanced/05-kubernetes-advanced.md 
@@ -0,0 +1,550 @@ +# ☸️ **PHASE 5: KUBERNETES ADVANCED SETUP** (Gün 11-13) + +### 🏷️ **6.1 Namespace ve RBAC Setup** + +```bash +# 6.1.1 Environment namespaces oluştur +cd ~/devops-infrastructure/kubernetes/base + +cat > namespaces.yaml << 'EOF' +apiVersion: v1 +kind: Namespace +metadata: + name: dev + labels: + environment: dev + istio-injection: enabled +--- +apiVersion: v1 +kind: Namespace +metadata: + name: staging + labels: + environment: staging + istio-injection: enabled +--- +apiVersion: v1 +kind: Namespace +metadata: + name: production + labels: + environment: production + istio-injection: enabled +--- +apiVersion: v1 +kind: Namespace +metadata: + name: monitoring + labels: + environment: monitoring + istio-injection: disabled +--- +apiVersion: v1 +kind: Namespace +metadata: + name: logging + labels: + environment: logging + istio-injection: disabled +EOF + +kubectl apply -f namespaces.yaml + +# 6.1.2 RBAC setup +cat > rbac.yaml << 'EOF' +# Developer Role - dev namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: dev + name: developer +rules: +- apiGroups: [""] + resources: ["pods", "services", "configmaps", "secrets"] + verbs: ["get", "list", "create", "update", "patch", "delete"] +- apiGroups: ["apps"] + resources: ["deployments", "replicasets"] + verbs: ["get", "list", "create", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["pods/log"] + verbs: ["get", "list"] +- apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create"] +--- +# Staging Role - staging namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: staging + name: staging-deployer +rules: +- apiGroups: [""] + resources: ["pods", "services", "configmaps"] + verbs: ["get", "list"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "update", "patch"] +- apiGroups: [""] + resources: ["pods/log"] + verbs: ["get", "list"] +--- +# Production Role - production namespace (read-only + deploy) 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: production + name: production-deployer +rules: +- apiGroups: [""] + resources: ["pods", "services", "configmaps"] + verbs: ["get", "list"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "update", "patch"] +- apiGroups: [""] + resources: ["pods/log"] + verbs: ["get", "list"] +--- +# ServiceAccount for developers +apiVersion: v1 +kind: ServiceAccount +metadata: + name: developer + namespace: dev +--- +# ServiceAccount for staging +apiVersion: v1 +kind: ServiceAccount +metadata: + name: staging-deployer + namespace: staging +--- +# ServiceAccount for production +apiVersion: v1 +kind: ServiceAccount +metadata: + name: production-deployer + namespace: production +--- +# RoleBinding for developers +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: developer-binding + namespace: dev +subjects: +- kind: ServiceAccount + name: developer + namespace: dev +roleRef: + kind: Role + name: developer + apiGroup: rbac.authorization.k8s.io +--- +# RoleBinding for staging +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: staging-deployer-binding + namespace: staging +subjects: +- kind: ServiceAccount + name: staging-deployer + namespace: staging +roleRef: + kind: Role + name: staging-deployer + apiGroup: rbac.authorization.k8s.io +--- +# RoleBinding for production +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: production-deployer-binding + namespace: production +subjects: +- kind: ServiceAccount + name: production-deployer + namespace: production +roleRef: + kind: Role + name: production-deployer + apiGroup: rbac.authorization.k8s.io +EOF + +kubectl apply -f rbac.yaml +``` + +### 📦 **6.2 StorageClass ve Persistent Volumes** + +```bash +# 6.2.1 StorageClass definitions +cat > storage-classes.yaml << 'EOF' +# GP3 StorageClass (default) +apiVersion: storage.k8s.io/v1 +kind: StorageClass 
+metadata: + name: gp3 + annotations: + storageclass.kubernetes.io/is-default-class: "true" +provisioner: ebs.csi.aws.com +parameters: + type: gp3 + fsType: ext4 + encrypted: "true" +volumeBindingMode: WaitForFirstConsumer +allowVolumeExpansion: true +--- +# GP3 Fast StorageClass +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: gp3-fast +provisioner: ebs.csi.aws.com +parameters: + type: gp3 + fsType: ext4 + encrypted: "true" + iops: "4000" + throughput: "250" +volumeBindingMode: WaitForFirstConsumer +allowVolumeExpansion: true +--- +# IO1 StorageClass (high performance) +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: io1 +provisioner: ebs.csi.aws.com +parameters: + type: io1 + fsType: ext4 + encrypted: "true" + iops: "1000" +volumeBindingMode: WaitForFirstConsumer +allowVolumeExpansion: true +EOF + +kubectl apply -f storage-classes.yaml +kubectl get storageclass +``` + +### 🔧 **6.3 Horizontal Pod Autoscaler (HPA) Setup** + +```bash +# 6.3.1 Metrics Server kurulumu +kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + +# Metrics server düzeltmesi (EKS için) +kubectl patch deployment metrics-server -n kube-system --type='json' -p='[ + { + "op": "add", + "path": "/spec/template/spec/containers/0/args/-", + "value": "--kubelet-insecure-tls" + } +]' + +# 6.3.2 HPA template +cat > hpa-template.yaml << 'EOF' +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: sample-app-hpa + namespace: dev +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: sample-app + minReplicas: 2 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 70 + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Percent + value: 50 + periodSeconds: 60 + scaleUp: + 
stabilizationWindowSeconds: 60 + policies: + - type: Percent + value: 100 + periodSeconds: 30 +EOF +``` + +### 🔄 **6.4 Cluster Autoscaler Setup** + +```bash +# 6.4.1 Cluster Autoscaler kurulumu +cat > cluster-autoscaler.yaml << 'EOF' +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cluster-autoscaler + namespace: kube-system + labels: + app: cluster-autoscaler +spec: + selector: + matchLabels: + app: cluster-autoscaler + template: + metadata: + labels: + app: cluster-autoscaler + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '8085' + spec: + serviceAccountName: cluster-autoscaler + containers: + - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.28.0 + name: cluster-autoscaler + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 100m + memory: 300Mi + command: + - ./cluster-autoscaler + - --v=4 + - --stderrthreshold=info + - --cloud-provider=aws + - --skip-nodes-with-local-storage=false + - --expander=least-waste + - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/CLUSTER_NAME + env: + - name: AWS_REGION + value: eu-west-1 + volumeMounts: + - name: ssl-certs + mountPath: /etc/ssl/certs/ca-certificates.crt + readOnly: true + imagePullPolicy: "Always" + volumes: + - name: ssl-certs + hostPath: + path: "/etc/ssl/certs/ca-bundle.crt" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-addon: cluster-autoscaler.addons.k8s.io + k8s-app: cluster-autoscaler + name: cluster-autoscaler + namespace: kube-system + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/cluster-autoscaler +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cluster-autoscaler + labels: + k8s-addon: cluster-autoscaler.addons.k8s.io + k8s-app: cluster-autoscaler +rules: +- apiGroups: [""] + resources: ["events", "endpoints"] + verbs: ["create", "patch"] +- apiGroups: [""] + resources: ["pods/eviction"] + verbs: ["create"] +- apiGroups: 
[""] + resources: ["pods/status"] + verbs: ["update"] +- apiGroups: [""] + resources: ["endpoints"] + resourceNames: ["cluster-autoscaler"] + verbs: ["get", "update"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["watch", "list", "get", "update"] +- apiGroups: [""] + resources: ["pods", "services", "replicationcontrollers", "persistentvolumeclaims", "persistentvolumes"] + verbs: ["watch", "list", "get"] +- apiGroups: ["extensions"] + resources: ["replicasets", "daemonsets"] + verbs: ["watch", "list", "get"] +- apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["watch", "list"] +- apiGroups: ["apps"] + resources: ["statefulsets", "replicasets", "daemonsets"] + verbs: ["watch", "list", "get"] +- apiGroups: ["storage.k8s.io"] + resources: ["storageclasses", "csinodes", "csidrivers", "csistoragecapacities"] + verbs: ["watch", "list", "get"] +- apiGroups: ["batch", "extensions"] + resources: ["jobs"] + verbs: ["get", "list", "watch", "patch"] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] +- apiGroups: ["coordination.k8s.io"] + resourceNames: ["cluster-autoscaler"] + resources: ["leases"] + verbs: ["get", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cluster-autoscaler + labels: + k8s-addon: cluster-autoscaler.addons.k8s.io + k8s-app: cluster-autoscaler +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-autoscaler +subjects: +- kind: ServiceAccount + name: cluster-autoscaler + namespace: kube-system +EOF + +# CLUSTER_NAME'i gerçek cluster ismiyle değiştir +sed -i 's/CLUSTER_NAME/mycompany-dev-eks/g' cluster-autoscaler.yaml +kubectl apply -f cluster-autoscaler.yaml +``` + +### 🔒 **6.5 Network Policies** + +```bash +# 6.5.1 Calico CNI kurulumu (Network Policies için) +kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/tigera-operator.yaml + +# Calico configuration +cat > 
calico-config.yaml << 'EOF' +apiVersion: operator.tigera.io/v1 +kind: Installation +metadata: + name: default +spec: + calicoNetwork: + ipPools: + - blockSize: 26 + cidr: 192.168.0.0/16 + encapsulation: VXLANCrossSubnet + natOutgoing: Enabled + nodeSelector: all() +EOF + +kubectl apply -f calico-config.yaml + +# 6.5.2 Network Policy templates +cat > network-policies.yaml << 'EOF' +# Default deny all ingress traffic +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-ingress + namespace: dev +spec: + podSelector: {} + policyTypes: + - Ingress +--- +# Allow ingress from same namespace +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-same-namespace + namespace: dev +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + name: dev +--- +# Allow ingress from ingress-nginx +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-ingress-nginx + namespace: dev +spec: + podSelector: + matchLabels: + app: frontend + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + name: ingress-nginx + ports: + - protocol: TCP + port: 8080 +--- +# Allow database access only from backend +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: database-access + namespace: dev +spec: + podSelector: + matchLabels: + app: database + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: backend + ports: + - protocol: TCP + port: 5432 +--- +# Allow monitoring namespace access +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-monitoring + namespace: dev +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + name: monitoring + ports: + - protocol: TCP + port: 8080 + - protocol: TCP + port: 9090 +EOF + +kubectl apply -f network-policies.yaml +``` + +--- 
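Review bot: in network-policies.yaml the namespaceSelectors of allow-same-namespace, allow-ingress-nginx and allow-monitoring match on a `name` label (`name: dev`, `name: ingress-nginx`, `name: monitoring`) that nothing in this patch sets; `kubectl create namespace monitoring` in the next file creates that namespace unlabeled, so once default-deny-ingress is applied these allow rules select no namespace and intra-namespace traffic, ingress-nginx traffic and Prometheus scrapes into dev are dropped. Suggest selecting on the label the API server sets automatically, `matchLabels: kubernetes.io/metadata.name: dev`, or adding an explicit `kubectl label namespace dev name=dev` step before the policies are applied. Two smaller points in the same hunk: the metrics-server patch adds `--kubelet-insecure-tls`, which disables verification of kubelet serving certificates cluster-wide and deserves an inline comment marking it as a lab shortcut, and the Cluster Autoscaler image is pulled from `k8s.gcr.io`, which is frozen; `registry.k8s.io/autoscaling/cluster-autoscaler:v1.28.0` is the current location.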
diff --git a/RoadMap/advanced/06-observability.md b/RoadMap/advanced/06-observability.md new file mode 100644 index 0000000..fd55085 --- /dev/null +++ b/RoadMap/advanced/06-observability.md 
@@ -0,0 +1,614 @@ +# 📊 **PHASE 6: OBSERVABILITY STACK** (Gün 14-16) + +### 📈 **7.1 Prometheus & Grafana Setup** + +```bash +# 7.1.1 kube-prometheus-stack kurulumu +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update + +# Custom values.yaml oluştur +cat > monitoring-values.yaml << 'EOF' +prometheus: + prometheusSpec: + storageSpec: + volumeClaimTemplate: + spec: + storageClassName: gp3 + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 20Gi + retention: 15d + resources: + requests: + memory: 2Gi + cpu: 1000m + limits: + memory: 4Gi + cpu: 2000m + additionalScrapeConfigs: | + - job_name: 'kubernetes-pods' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + +alertmanager: + alertmanagerSpec: + storage: + volumeClaimTemplate: + spec: + storageClassName: gp3 + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 5Gi + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 512Mi + cpu: 200m + config: + global: + slack_api_url: 'YOUR_SLACK_WEBHOOK_URL' + route: + group_by: ['alertname'] + group_wait: 10s + group_interval: 10s + repeat_interval: 1h + receiver: 'web.hook' + routes: + - match: + alertname: DeadMansSwitch + receiver: 'null' + - match_re: + severity: critical|warning + receiver: 'slack-notifications' + receivers: + - name: 'null' + - name: 'web.hook' + webhook_configs: + - url: 'http://127.0.0.1:5001/' + - name: 'slack-notifications' + slack_configs: + - channel: '#alerts' + title: 'Cluster Alert - {{ .GroupLabels.alertname }}' + text: 
'{{ range .Alerts }}{{ .Annotations.summary }}{{ end }}' + send_resolved: true + +grafana: + adminPassword: 'AdminPassword123!' + persistence: + enabled: true + storageClassName: gp3 + size: 10Gi + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 512Mi + cpu: 200m + dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/default + dashboards: + default: + kubernetes-cluster-overview: + gnetId: 7249 + revision: 1 + datasource: Prometheus + kubernetes-pod-overview: + gnetId: 6417 + revision: 1 + datasource: Prometheus + nginx-ingress-controller: + gnetId: 9614 + revision: 1 + datasource: Prometheus + node-exporter: + gnetId: 1860 + revision: 31 + datasource: Prometheus + +nodeExporter: + enabled: true + +kubeStateMetrics: + enabled: true + +defaultRules: + create: true + rules: + alertmanager: true + etcd: true + configReloaders: true + general: true + k8s: true + kubeApiserverAvailability: true + kubeApiserverBurnrate: true + kubeApiserverHistogram: true + kubeApiserverSlos: true + kubelet: true + kubeProxy: true + kubePrometheusGeneral: true + kubePrometheusNodeRecording: true + kubernetesApps: true + kubernetesResources: true + kubernetesStorage: true + kubernetesSystem: true + network: true + node: true + nodeExporterAlerting: true + nodeExporterRecording: true + prometheus: true + prometheusOperator: true +EOF + +# Monitoring namespace'i oluştur ve kube-prometheus-stack'i kur +kubectl create namespace monitoring +helm install kube-prometheus-stack prometheus-community/kube-prometheus-stack \ + --namespace monitoring \ + --values monitoring-values.yaml + +# 7.1.2 Monitoring durumunu kontrol et +kubectl get pods -n monitoring +kubectl get svc -n monitoring + +# 7.1.3 Grafana ingress +cat > grafana-ingress.yaml << 'EOF' +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + 
name: grafana + namespace: monitoring + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "true" + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + tls: + - hosts: + - grafana.yourdomain.com + secretName: grafana-tls + rules: + - host: grafana.yourdomain.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: kube-prometheus-stack-grafana + port: + number: 80 +EOF + +kubectl apply -f grafana-ingress.yaml +``` + +### 📝 **7.2 Centralized Logging Setup** + +```bash +# 7.2.1 OpenSearch (Elasticsearch alternative) kurulumu +helm repo add opensearch https://opensearch-project.github.io/helm-charts/ +helm repo update + +cat > opensearch-values.yaml << 'EOF' +clusterName: "opensearch-cluster" +nodeGroup: "master" + +roles: + - master + - ingest + - data + +replicas: 3 + +opensearchJavaOpts: "-Xmx1g -Xms1g" + +resources: + requests: + cpu: "500m" + memory: "1Gi" + limits: + cpu: "1000m" + memory: "2Gi" + +persistence: + enabled: true + size: 30Gi + storageClass: gp3 + +config: + opensearch.yml: | + cluster.name: opensearch-cluster + network.host: 0.0.0.0 + plugins: + security: + ssl: + transport: + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + enforce_hostname_verification: false + http: + enabled: false + allow_unsafe_democertificates: true + allow_default_init_securityindex: true + authcz: + admin_dn: + - CN=kirk,OU=client,O=client,L=test,C=de + audit.type: internal_opensearch + enable_snapshot_restore_privilege: true + check_snapshot_restore_write_privileges: true + restapi: + roles_enabled: ["all_access", "security_rest_api_access"] + system_indices: + enabled: true + indices: + [ + ".opendistro-alerting-config", + ".opendistro-alerting-alert*", + ".opendistro-anomaly-results*", + ".opendistro-anomaly-detector*", + ".opendistro-anomaly-checkpoints", + ".opendistro-anomaly-detection-state", + ".opendistro-reports-*", + 
".opendistro-notifications-*", + ".opendistro-notebooks", + ".opendistro-asynchronous-search-response*", + ] +EOF + +kubectl create namespace logging +helm install opensearch opensearch/opensearch \ + --namespace logging \ + --values opensearch-values.yaml + +# 7.2.2 OpenSearch Dashboards kurulumu +cat > opensearch-dashboards-values.yaml << 'EOF' +replicaCount: 1 + +opensearchHosts: "https://opensearch-cluster-master:9200" + +resources: + requests: + cpu: "250m" + memory: "512Mi" + limits: + cpu: "500m" + memory: "1Gi" + +config: + opensearch_dashboards.yml: | + server.name: opensearch-dashboards + server.host: 0.0.0.0 + opensearch.hosts: [https://opensearch-cluster-master:9200] + opensearch.ssl.verificationMode: none + opensearch.username: admin + opensearch.password: admin + opensearch.requestHeadersAllowlist: [authorization, securitytenant] + opensearch_security.multitenancy.enabled: true + opensearch_security.multitenancy.tenants.preferred: [Private, Global] + opensearch_security.readonly_mode.roles: [kibana_read_only] + opensearch_security.cookie.secure: false +EOF + +helm install opensearch-dashboards opensearch/opensearch-dashboards \ + --namespace logging \ + --values opensearch-dashboards-values.yaml + +# 7.2.3 Fluent Bit kurulumu +cat > fluent-bit-values.yaml << 'EOF' +daemonSetVolumes: + - name: varlog + hostPath: + path: /var/log + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers + - name: etcmachineid + hostPath: + path: /etc/machine-id + type: File + +daemonSetVolumeMounts: + - name: varlog + mountPath: /var/log + readOnly: true + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + - name: etcmachineid + mountPath: /etc/machine-id + readOnly: true + +config: + service: | + [SERVICE] + Daemon Off + Flush {{ .Values.flush }} + Log_Level {{ .Values.logLevel }} + Parsers_File parsers.conf + Parsers_File custom_parsers.conf + HTTP_Server On + HTTP_Listen 0.0.0.0 + HTTP_Port {{ 
.Values.metricsPort }} + Health_Check On + + inputs: | + [INPUT] + Name tail + Path /var/log/containers/*.log + multiline.parser docker, cri + Tag kube.* + Mem_Buf_Limit 50MB + Skip_Long_Lines On + + [INPUT] + Name systemd + Tag host.* + Systemd_Filter _SYSTEMD_UNIT=kubelet.service + Read_From_Tail On + + filters: | + [FILTER] + Name kubernetes + Match kube.* + Kube_URL https://kubernetes.default.svc:443 + Kube_CA_File /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token + Kube_Tag_Prefix kube.var.log.containers. + Merge_Log On + Keep_Log Off + K8S-Logging.Parser On + K8S-Logging.Exclude On + Annotations Off + Labels On + + [FILTER] + Name nest + Match kube.* + Operation lift + Nested_under kubernetes + Add_prefix kubernetes_ + + [FILTER] + Name modify + Match kube.* + Remove kubernetes_pod_id + Remove kubernetes_docker_id + Remove kubernetes_container_hash + + outputs: | + [OUTPUT] + Name opensearch + Match kube.* + Host opensearch-cluster-master.logging.svc.cluster.local + Port 9200 + Index fluentbit + Type _doc + HTTP_User admin + HTTP_Passwd admin + tls On + tls.verify Off + Suppress_Type_Name On + Replace_Dots On + + [OUTPUT] + Name opensearch + Match host.* + Host opensearch-cluster-master.logging.svc.cluster.local + Port 9200 + Index fluentbit-systemd + Type _doc + HTTP_User admin + HTTP_Passwd admin + tls On + tls.verify Off + Suppress_Type_Name On + Replace_Dots On +EOF + +helm repo add fluent https://fluent.github.io/helm-charts +helm install fluent-bit fluent/fluent-bit \ + --namespace logging \ + --values fluent-bit-values.yaml + +# 7.2.4 OpenSearch Dashboards ingress +cat > opensearch-dashboards-ingress.yaml << 'EOF' +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: opensearch-dashboards + namespace: logging + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + 
cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + tls: + - hosts: + - logs.yourdomain.com + secretName: opensearch-dashboards-tls + rules: + - host: logs.yourdomain.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: opensearch-dashboards + port: + number: 5601 +EOF + +kubectl apply -f opensearch-dashboards-ingress.yaml +``` + +### 🔍 **7.3 Distributed Tracing with Jaeger** + +```bash +# 7.3.1 Jaeger Operator kurulumu +kubectl create namespace observability +kubectl apply -f https://github.com/jaegertracing/jaeger-operator/releases/download/v1.47.0/jaeger-operator.yaml -n observability + +# 7.3.2 Jaeger instance +cat > jaeger.yaml << 'EOF' +apiVersion: jaegertracing.io/v1 +kind: Jaeger +metadata: + name: jaeger + namespace: observability +spec: + strategy: production + storage: + type: opensearch + opensearch: + serverUrls: https://opensearch-cluster-master.logging.svc.cluster.local:9200 + username: admin + password: admin + tls: + insecureSkipVerify: true + collector: + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m + memory: 256Mi + query: + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m + memory: 256Mi + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "true" + cert-manager.io/cluster-issuer: "letsencrypt-prod" + hosts: + - jaeger.yourdomain.com + tls: + - secretName: jaeger-tls + hosts: + - jaeger.yourdomain.com +EOF + +kubectl apply -f jaeger.yaml + +# 7.3.3 OpenTelemetry Collector kurulumu +helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts +helm repo update + +cat > otel-collector-values.yaml << 'EOF' +mode: daemonset + +presets: + logsCollection: + enabled: true + hostMetrics: + enabled: true + kubernetesAttributes: + enabled: true + +config: + receivers: + otlp: + protocols: + grpc: + endpoint: 0.0.0.0:4317 + http: + endpoint: 0.0.0.0:4318 + jaeger: + 
protocols: + grpc: + endpoint: 0.0.0.0:14250 + thrift_http: + endpoint: 0.0.0.0:14268 + thrift_compact: + endpoint: 0.0.0.0:6831 + zipkin: + endpoint: 0.0.0.0:9411 + + processors: + batch: {} + memory_limiter: + limit_mib: 400 + resource: + attributes: + - key: cluster.name + value: mycompany-dev-eks + action: insert + + exporters: + jaeger: + endpoint: jaeger-collector.observability.svc.cluster.local:14250 + tls: + insecure: true + prometheus: + endpoint: "0.0.0.0:8889" + const_labels: + cluster: mycompany-dev-eks + + service: + pipelines: + traces: + receivers: [otlp, jaeger, zipkin] + processors: [memory_limiter, resource, batch] + exporters: [jaeger] + metrics: + receivers: [otlp] + processors: [memory_limiter, resource, batch] + exporters: [prometheus] + logs: + receivers: [otlp] + processors: [memory_limiter, resource, batch] + exporters: [] + +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 256m + memory: 512Mi +EOF + +helm install opentelemetry-collector open-telemetry/opentelemetry-collector \ + --namespace observability \ + --values otel-collector-values.yaml +``` + +--- diff --git a/RoadMap/advanced/07-secrets-security.md b/RoadMap/advanced/07-secrets-security.md new file mode 100644 index 0000000..fdf0e3b --- /dev/null +++ b/RoadMap/advanced/07-secrets-security.md 
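Review bot: the logging and tracing values in this hunk are wired together with the OpenSearch demo security setup: `allow_unsafe_democertificates: true` and `http.enabled: false` in opensearch-values.yaml, the default `admin`/`admin` credentials in opensearch-dashboards-values.yaml, fluent-bit-values.yaml (`HTTP_Passwd admin`, `tls.verify Off`) and jaeger.yaml (`password: admin`, `insecureSkipVerify: true`), plus a hard-coded Grafana `adminPassword: 'AdminPassword123!'` in a values file that is meant to be committed. Either mark these sections explicitly as lab-only, or take the credentials out of the values files (the Grafana subchart accepts `grafana.admin.existingSecret`, and the OpenSearch chart's `securityConfig` values let you supply your own internal users) and keep TLS verification on so that Fluent Bit and Jaeger trust the cluster CA rather than any certificate presented to them. Minor: the three Ingress objects rely on the deprecated `kubernetes.io/ingress.class` annotation; `spec.ingressClassName: nginx` is the supported form on networking.k8s.io/v1.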
@@ -0,0 +1,563 @@ +# 🔒 **PHASE 7: SECRETS MANAGEMENT & SECURITY** (Gün 17-18) + +### 🔐 **8.1 HashiCorp Vault Setup** + +```bash +# 8.1.1 Vault Helm kurulumu +helm repo add hashicorp https://helm.releases.hashicorp.com +helm repo update + +cat > vault-values.yaml << 'EOF' +global: + enabled: true + tlsDisable: false + +injector: + enabled: true + replicas: 1 + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi + cpu: 250m + +server: + image: + repository: "vault" + tag: "1.15.0" + + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi + cpu: 250m + + readinessProbe: + enabled: true + path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" + livenessProbe: + enabled: true + path: "/v1/sys/health?standbyok=true" + initialDelaySeconds: 60 + + extraEnvironmentVars: + VAULT_CACERT: /vault/userconfig/vault-ha-tls/vault.ca + VAULT_TLSCERT: /vault/userconfig/vault-ha-tls/vault.crt + VAULT_TLSKEY: /vault/userconfig/vault-ha-tls/vault.key + + extraVolumes: + - type: secret + name: vault-ha-tls + path: /vault/userconfig + + standalone: + enabled: false + + ha: + enabled: true + replicas: 3 + raft: + enabled: true + setNodeId: true + config: | + ui = true + + listener "tcp" { + tls_disable = 0 + address = "[::]:8200" + cluster_address = "[::]:8201" + tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt" + tls_key_file = "/vault/userconfig/vault-ha-tls/vault.key" + tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca" + } + + storage "raft" { + path = "/vault/data" + + retry_join { + leader_api_addr = "https://vault-0.vault-internal:8200" + leader_ca_cert_file = "/vault/userconfig/vault-ha-tls/vault.ca" + leader_client_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt" + leader_client_key_file = "/vault/userconfig/vault-ha-tls/vault.key" + } + + retry_join { + leader_api_addr = "https://vault-1.vault-internal:8200" + leader_ca_cert_file = "/vault/userconfig/vault-ha-tls/vault.ca" + 
leader_client_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt" + leader_client_key_file = "/vault/userconfig/vault-ha-tls/vault.key" + } + + retry_join { + leader_api_addr = "https://vault-2.vault-internal:8200" + leader_ca_cert_file = "/vault/userconfig/vault-ha-tls/vault.ca" + leader_client_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt" + leader_client_key_file = "/vault/userconfig/vault-ha-tls/vault.key" + } + } + + service_registration "kubernetes" {} + + service: + enabled: true + type: ClusterIP + port: 8200 + targetPort: 8200 + + dataStorage: + enabled: true + size: 10Gi + storageClass: gp3 + + auditStorage: + enabled: true + size: 10Gi + storageClass: gp3 + +ui: + enabled: true + serviceType: ClusterIP +EOF + +# 8.1.2 TLS sertifikaları oluştur +mkdir -p vault-tls +cd vault-tls + +# CA private key +openssl genrsa -out vault-ca.key 2048 + +# CA certificate +openssl req -new -x509 -key vault-ca.key -out vault-ca.crt -days 365 \ + -subj "/C=US/ST=CA/L=San Francisco/O=HashiCorp/CN=Vault CA" + +# Vault private key +openssl genrsa -out vault.key 2048 + +# Vault certificate signing request +cat > vault.conf << 'EOF' +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[req_distinguished_name] +C = US +ST = CA +L = San Francisco +O = HashiCorp +CN = vault + +[v3_req] +keyUsage = keyEncipherment, dataEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names + +[alt_names] +DNS.1 = vault +DNS.2 = vault.vault +DNS.3 = vault.vault.svc +DNS.4 = vault.vault.svc.cluster.local +DNS.5 = vault-0.vault-internal +DNS.6 = vault-1.vault-internal +DNS.7 = vault-2.vault-internal +DNS.8 = vault-0.vault-internal.vault.svc.cluster.local +DNS.9 = vault-1.vault-internal.vault.svc.cluster.local +DNS.10 = vault-2.vault-internal.vault.svc.cluster.local +DNS.11 = vault.yourdomain.com +IP.1 = 127.0.0.1 +EOF + +openssl req -new -key vault.key -out vault.csr -config vault.conf + +# Vault certificate +openssl x509 -req -in 
vault.csr -CA vault-ca.crt -CAkey vault-ca.key \ + -CAcreateserial -out vault.crt -days 365 -extensions v3_req -extfile vault.conf + +# 8.1.3 Vault namespace ve TLS secret oluştur +kubectl create namespace vault + +kubectl create secret generic vault-ha-tls \ + --from-file=vault.key=vault.key \ + --from-file=vault.crt=vault.crt \ + --from-file=vault.ca=vault-ca.crt \ + --namespace vault + +cd .. + +# 8.1.4 Vault kurulumu +helm install vault hashicorp/vault \ + --namespace vault \ + --values vault-values.yaml + +# 8.1.5 Vault'u initialize et ve unseal et +kubectl exec vault-0 -n vault -- vault operator init \ + -key-shares=5 \ + -key-threshold=3 \ + -format=json > cluster-keys.json + +# Root token ve unseal key'leri çıkar +VAULT_UNSEAL_KEY_1=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[0]") +VAULT_UNSEAL_KEY_2=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[1]") +VAULT_UNSEAL_KEY_3=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[2]") +CLUSTER_ROOT_TOKEN=$(cat cluster-keys.json | jq -r ".root_token") + +# Vault unseal +kubectl exec vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_1 +kubectl exec vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_2 +kubectl exec vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_3 + +# Diğer node'ları join et +kubectl exec vault-1 -n vault -- vault operator raft join https://vault-0.vault-internal:8200 +kubectl exec vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_1 +kubectl exec vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_2 +kubectl exec vault-1 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_3 + +kubectl exec vault-2 -n vault -- vault operator raft join https://vault-0.vault-internal:8200 +kubectl exec vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_1 +kubectl exec vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_2 +kubectl exec vault-2 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY_3 + +echo "Root Token: $CLUSTER_ROOT_TOKEN" +``` + +### 
🔧 **8.2 External Secrets Operator** + +```bash +# 8.2.1 External Secrets Operator kurulumu +helm repo add external-secrets https://charts.external-secrets.io +helm repo update + +helm install external-secrets external-secrets/external-secrets \ + --namespace external-secrets \ + --create-namespace + +# 8.2.2 Vault'ta Kubernetes auth method aktifleştir +kubectl exec vault-0 -n vault -- env VAULT_TOKEN=$CLUSTER_ROOT_TOKEN vault auth enable kubernetes + +# Service account token path'ini al +TOKEN_REVIEW_JWT=$(kubectl get secret \ + $(kubectl get serviceaccount vault -n vault -o jsonpath='{.secrets[0].name}') \ + -n vault -o jsonpath='{.data.token}' | base64 --decode) + +KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 --decode) + +KUBE_HOST=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.server}') + +# Kubernetes auth method konfigüre et +kubectl exec vault-0 -n vault -- env VAULT_TOKEN=$CLUSTER_ROOT_TOKEN vault write auth/kubernetes/config \ + token_reviewer_jwt="$TOKEN_REVIEW_JWT" \ + kubernetes_host="$KUBE_HOST" \ + kubernetes_ca_cert="$KUBE_CA_CERT" + +# 8.2.3 Vault policy ve role oluştur +kubectl exec vault-0 -n vault -- env VAULT_TOKEN=$CLUSTER_ROOT_TOKEN vault policy write mycompany-dev - < vault-secret-store.yaml << 'EOF' +apiVersion: external-secrets.io/v1beta1 +kind: SecretStore +metadata: + name: vault-backend + namespace: dev +spec: + provider: + vault: + server: "https://vault.vault.svc.cluster.local:8200" + path: "secret" + version: "v2" + caBundle: "LS0tLS1CRUdJTi..." 
# Base64 encoded CA cert + auth: + kubernetes: + mountPath: "kubernetes" + role: "mycompany-dev" + serviceAccountRef: + name: "external-secrets" +EOF + +# CA cert'i base64 encode et +CA_BUNDLE=$(cat vault-tls/vault-ca.crt | base64 -w 0) +sed -i "s/LS0tLS1CRUdJTi.../$CA_BUNDLE/g" vault-secret-store.yaml + +kubectl apply -f vault-secret-store.yaml + +# 8.2.6 ExternalSecret oluştur +cat > external-secret-database.yaml << 'EOF' +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: database-credentials + namespace: dev +spec: + refreshInterval: 1m + secretStoreRef: + name: vault-backend + kind: SecretStore + target: + name: database-secret + creationPolicy: Owner + data: + - secretKey: username + remoteRef: + key: secret/dev/database + property: username + - secretKey: password + remoteRef: + key: secret/dev/database + property: password +EOF + +kubectl apply -f external-secret-database.yaml + +# Secret'in oluştuğunu kontrol et +kubectl get secrets -n dev +kubectl describe externalsecret database-credentials -n dev +``` + +### 🛡️ **8.3 Pod Security Standards** + +```bash +# 8.3.1 Pod Security Standards uygula +kubectl label --overwrite namespace dev pod-security.kubernetes.io/enforce=restricted +kubectl label --overwrite namespace dev pod-security.kubernetes.io/audit=restricted +kubectl label --overwrite namespace dev pod-security.kubernetes.io/warn=restricted + +kubectl label --overwrite namespace staging pod-security.kubernetes.io/enforce=restricted +kubectl label --overwrite namespace staging pod-security.kubernetes.io/audit=restricted +kubectl label --overwrite namespace staging pod-security.kubernetes.io/warn=restricted + +kubectl label --overwrite namespace production pod-security.kubernetes.io/enforce=restricted +kubectl label --overwrite namespace production pod-security.kubernetes.io/audit=restricted +kubectl label --overwrite namespace production pod-security.kubernetes.io/warn=restricted + +# 8.3.2 Security context template +cat > 
security-context-template.yaml << 'EOF' +apiVersion: apps/v1 +kind: Deployment +metadata: + name: secure-app + namespace: dev +spec: + replicas: 1 + selector: + matchLabels: + app: secure-app + template: + metadata: + labels: + app: secure-app + spec: + securityContext: + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + fsGroup: 10001 + seccompProfile: + type: RuntimeDefault + containers: + - name: app + image: nginx:alpine + ports: + - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "256Mi" + cpu: "200m" + volumeMounts: + - name: tmp + mountPath: /tmp + - name: var-cache-nginx + mountPath: /var/cache/nginx + - name: var-run + mountPath: /var/run + volumes: + - name: tmp + emptyDir: {} + - name: var-cache-nginx + emptyDir: {} + - name: var-run + emptyDir: {} +EOF +``` + +### 🔍 **8.4 Falco Runtime Security** + +```bash +# 8.4.1 Falco kurulumu +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update + +cat > falco-values.yaml << 'EOF' +falco: + rules_file: + - /etc/falco/falco_rules.yaml + - /etc/falco/falco_rules.local.yaml + - /etc/falco/k8s_audit_rules.yaml + - /etc/falco/rules.d + + time_format_iso_8601: true + json_output: true + json_include_output_property: true + json_include_tags_property: true + + log_stderr: true + log_syslog: true + log_level: info + + priority: debug + + buffered_outputs: false + + syscall_event_drops: + actions: + - log + - alert + rate: 0.03333 + max_burst: 1000 + + outputs: + rate: 1 + max_burst: 1000 + + syslog_output: + enabled: true + + file_output: + enabled: false + + stdout_output: + enabled: true + + webserver: + enabled: true + listen_port: 8765 + k8s_healthz_endpoint: /healthz + ssl_enabled: false + ssl_certificate: 
/etc/ssl/falco/falco.pem + + grpc: + enabled: false + + grpc_output: + enabled: false + +customRules: + custom-rules.yaml: |- + - rule: Unexpected outbound connection destination + desc: Detect outbound connections to unexpected destinations + condition: > + outbound and not + (fd.sip in (internal_networks)) + output: Outbound connection to unexpected destination (command=%proc.cmdline dest=%fd.rip) + priority: WARNING + tags: [network, mitre_exfiltration] + + - rule: Suspicious process in container + desc: Detect suspicious processes running in containers + condition: > + spawned_process and container and + (proc.name in (nc, ncat, netcat, nmap, dig, nslookup, tcpdump)) + output: Suspicious process in container (command=%proc.cmdline container=%container.name) + priority: WARNING + tags: [process, container] + +driver: + enabled: true + kind: ebpf + +collectors: + enabled: true + docker: + enabled: true + containerd: + enabled: true + crio: + enabled: false + +resources: + requests: + cpu: 100m + memory: 512Mi + limits: + cpu: 200m + memory: 1024Mi + +tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + +falcosidekick: + enabled: true + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m + memory: 256Mi + + config: + slack: + webhookurl: "YOUR_SLACK_WEBHOOK_URL" + channel: "#security-alerts" + username: "Falco" + minimumpriority: "warning" + messageformat: "long" + + alertmanager: + hostport: "http://kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local:9093" + minimumpriority: "warning" +EOF + +kubectl create namespace falco +helm install falco falcosecurity/falco \ + --namespace falco \ + --values falco-values.yaml + +# 8.4.2 Falco durumunu kontrol et +kubectl get pods -n falco +kubectl logs -l app.kubernetes.io/name=falco -n falco +``` + +--- 
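Review bot: in 8.2.2 the token reviewer JWT is read from `$(kubectl get serviceaccount vault -n vault -o jsonpath='{.secrets[0].name}')`; on Kubernetes 1.24 and later service accounts no longer get an auto-generated token Secret, so on the 1.28 cluster this patch targets that expands to nothing, `token_reviewer_jwt` is written empty and Kubernetes-auth logins fail. Suggest `kubectl create token vault -n vault` for a short-lived reviewer token, or omit `token_reviewer_jwt` and bind the vault service account to `system:auth-delegator` so Vault reviews tokens with its own projected SA token. Same hunk: `sed -i "s/LS0tLS1CRUdJTi.../$CA_BUNDLE/g"` uses `/` as the sed delimiter while `$CA_BUNDLE` is base64 and will almost always contain `/`, which breaks the substitution; use another delimiter (`s|…|…|`) or render the SecretStore with the value already filled in. `cluster-keys.json` (five unseal keys plus the root token) is left in plain text in the working directory and the root token is echoed to stdout in 8.1.5 and reused for every later configuration step; the roadmap should say to move the keys off the host, revoke the root token after bootstrap and work with a scoped token (or AWS KMS auto-unseal). Lastly, `vault policy write mycompany-dev - < vault-secret-store.yaml` in 8.2.3 looks truncated: the policy body and the `vault write auth/kubernetes/role/mycompany-dev …` step that the SecretStore's `role: "mycompany-dev"` depends on are not in the hunk.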
diff --git a/RoadMap/advanced/08-backup-dr.md b/RoadMap/advanced/08-backup-dr.md new file mode 100644 index 0000000..ac90c1f --- /dev/null +++ b/RoadMap/advanced/08-backup-dr.md 
@@ -0,0 +1,665 @@ +# 🗄️ **PHASE 8: BACKUP & DISASTER RECOVERY** (Gün 19-20) + +### 💾 **9.1 Velero Backup Setup** + +```bash +# 9.1.1 AWS S3 bucket oluştur +BACKUP_BUCKET="mycompany-k8s-backups-$(openssl rand -hex 4)" +aws s3 mb s3://$BACKUP_BUCKET --region eu-west-1 + +# S3 bucket policy +cat > backup-bucket-policy.json << EOF +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VeleroBackupAccess", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/velero-role" + }, + "Action": [ + "s3:GetObject", + "s3:DeleteObject", + "s3:PutObject", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts" + ], + "Resource": "arn:aws:s3:::$BACKUP_BUCKET/*" + }, + { + "Sid": "VeleroBackupList", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/velero-role" + }, + "Action": [ + "s3:ListBucket" + ], + "Resource": "arn:aws:s3:::$BACKUP_BUCKET" + } + ] +} +EOF + +# IAM policy için Velero permissions +cat > velero-policy.json << 'EOF' +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:DescribeVolumes", + "ec2:DescribeSnapshots", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:CreateSnapshot", + "ec2:DeleteSnapshot" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:DeleteObject", + "s3:PutObject", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts" + ], + "Resource": [ + "arn:aws:s3:::BUCKET-NAME/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::BUCKET-NAME" + ] + } + ] +} +EOF + +sed -i "s/BUCKET-NAME/$BACKUP_BUCKET/g" velero-policy.json + +# IAM policy oluştur +aws iam create-policy \ + --policy-name VeleroBackupPolicy \ + --policy-document file://velero-policy.json + +# Service account için trust policy +cat > velero-trust-policy.json << 'EOF' +{ + "Version": "2012-10-17", + 
"Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::ACCOUNT-ID:oidc-provider/OIDC-URL" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "OIDC-URL:sub": "system:serviceaccount:velero:velero", + "OIDC-URL:aud": "sts.amazonaws.com" + } + } + } + ] +} +EOF + +# OIDC provider URL'ini al +OIDC_URL=$(aws eks describe-cluster --name mycompany-dev-eks --query "cluster.identity.oidc.issuer" --output text | sed 's|https://||') +ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + +sed -i "s/ACCOUNT-ID/$ACCOUNT_ID/g" velero-trust-policy.json +sed -i "s/OIDC-URL/$OIDC_URL/g" velero-trust-policy.json + +# IAM role oluştur +aws iam create-role \ + --role-name velero-role \ + --assume-role-policy-document file://velero-trust-policy.json + +# Policy'yi role'e attach et +aws iam attach-role-policy \ + --role-arn arn:aws:iam::$ACCOUNT_ID:role/velero-role \ + --policy-arn arn:aws:iam::$ACCOUNT_ID:policy/VeleroBackupPolicy + +# 9.1.2 Velero CLI kurulumu +wget https://github.com/vmware-tanzu/velero/releases/download/v1.12.0/velero-v1.12.0-linux-amd64.tar.gz +tar -xzf velero-v1.12.0-linux-amd64.tar.gz +sudo mv velero-v1.12.0-linux-amd64/velero /usr/local/bin/ +rm -rf velero-v1.12.0-linux-amd64* + +# 9.1.3 Velero kurulumu +cat > velero-values.yaml << EOF +configuration: + backupStorageLocation: + - name: aws + provider: aws + bucket: $BACKUP_BUCKET + config: + region: eu-west-1 + volumeSnapshotLocation: + - name: aws + provider: aws + config: + region: eu-west-1 + +credentials: + useSecret: false + +serviceAccount: + server: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::$ACCOUNT_ID:role/velero-role + +initContainers: +- name: velero-plugin-for-aws + image: velero/velero-plugin-for-aws:v1.8.0 + volumeMounts: + - mountPath: /target + name: plugins + +resources: + requests: + cpu: 500m + memory: 128Mi + limits: + cpu: 1000m + memory: 512Mi + +nodeAgent: + resources: + requests: + cpu: 
500m + memory: 512Mi + limits: + cpu: 1000m + memory: 1024Mi + +schedules: + daily-backup: + disabled: false + schedule: "0 2 * * *" + template: + includedNamespaces: + - dev + - staging + - production + - monitoring + - vault + excludedResources: + - events + - events.events.k8s.io + storageLocation: aws + ttl: 720h0m0s + snapshotVolumes: true + + weekly-backup: + disabled: false + schedule: "0 3 * * 0" + template: + includedNamespaces: + - dev + - staging + - production + - monitoring + - vault + excludedResources: + - events + - events.events.k8s.io + storageLocation: aws + ttl: 2160h0m0s + snapshotVolumes: true +EOF + +helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts +helm repo update + +kubectl create namespace velero +helm install velero vmware-tanzu/velero \ + --namespace velero \ + --values velero-values.yaml + +# 9.1.4 Manual backup test +velero backup create test-backup --include-namespaces dev +velero backup describe test-backup +velero backup logs test-backup + +echo "Backup bucket: $BACKUP_BUCKET" +``` + +### 🔄 **9.2 Database Backup Strategy** + +```bash +# 9.2.1 RDS automated backup script +cat > ~/devops-infrastructure/scripts/rds-backup.sh << 'EOF' +#!/bin/bash + +# RDS Backup Script +set -e + +DB_IDENTIFIER="mycompany-dev-db" +BACKUP_PREFIX="manual-backup" +REGION="eu-west-1" + +# Create manual snapshot +SNAPSHOT_ID="${BACKUP_PREFIX}-$(date +%Y%m%d%H%M%S)" + +echo "Creating RDS snapshot: $SNAPSHOT_ID" +aws rds create-db-snapshot \ + --db-instance-identifier $DB_IDENTIFIER \ + --db-snapshot-identifier $SNAPSHOT_ID \ + --region $REGION + +# Wait for snapshot completion +echo "Waiting for snapshot completion..." 
+aws rds wait db-snapshot-completed \ + --db-snapshot-identifier $SNAPSHOT_ID \ + --region $REGION + +echo "Snapshot created successfully: $SNAPSHOT_ID" + +# List recent snapshots +echo "Recent snapshots:" +aws rds describe-db-snapshots \ + --db-instance-identifier $DB_IDENTIFIER \ + --snapshot-type manual \ + --region $REGION \ + --query 'DBSnapshots[0:5].[DBSnapshotIdentifier,Status,SnapshotCreateTime]' \ + --output table + +# Cleanup old manual snapshots (keep last 7) +OLD_SNAPSHOTS=$(aws rds describe-db-snapshots \ + --db-instance-identifier $DB_IDENTIFIER \ + --snapshot-type manual \ + --region $REGION \ + --query 'DBSnapshots[7:].DBSnapshotIdentifier' \ + --output text) + +if [ ! -z "$OLD_SNAPSHOTS" ]; then + echo "Cleaning up old snapshots..." + for snapshot in $OLD_SNAPSHOTS; do + echo "Deleting snapshot: $snapshot" + aws rds delete-db-snapshot \ + --db-snapshot-identifier $snapshot \ + --region $REGION + done +fi + +echo "Backup completed successfully!" +EOF + +chmod +x ~/devops-infrastructure/scripts/rds-backup.sh + +# 9.2.2 PostgreSQL logical backup (for application data) +cat > ~/devops-infrastructure/scripts/postgres-logical-backup.sh << 'EOF' +#!/bin/bash + +# PostgreSQL Logical Backup Script +set -e + +# Configuration +DB_HOST="your-rds-endpoint" +DB_NAME="mycompanydb" +DB_USER="admin" +BACKUP_DIR="/tmp/pg-backups" +S3_BUCKET="mycompany-db-logical-backups" +DATE=$(date +%Y%m%d_%H%M%S) + +# Create backup directory +mkdir -p $BACKUP_DIR + +# Get password from Kubernetes secret +DB_PASSWORD=$(kubectl get secret database-secret -n dev -o jsonpath='{.data.password}' | base64 -d) + +export PGPASSWORD=$DB_PASSWORD + +# Create backup +echo "Creating logical backup..." +pg_dump -h $DB_HOST -U $DB_USER -d $DB_NAME \ + --verbose \ + --no-password \ + --format=custom \ + --compress=9 \ + --file=$BACKUP_DIR/logical-backup-$DATE.dump + +# Upload to S3 +echo "Uploading to S3..." 
+aws s3 cp $BACKUP_DIR/logical-backup-$DATE.dump \ + s3://$S3_BUCKET/logical-backups/logical-backup-$DATE.dump + +# Cleanup local file +rm $BACKUP_DIR/logical-backup-$DATE.dump + +# Cleanup old S3 backups (keep last 30 days) +echo "Cleaning up old backups..." +aws s3 ls s3://$S3_BUCKET/logical-backups/ \ + --recursive \ + --query "Contents[?LastModified<='$(date -d '30 days ago' --iso-8601)'].Key" \ + --output text | \ + xargs -I {} aws s3 rm s3://$S3_BUCKET/{} + +echo "Logical backup completed successfully!" +EOF + +chmod +x ~/devops-infrastructure/scripts/postgres-logical-backup.sh + +# 9.2.3 CronJob for automated database backups +cat > database-backup-cronjob.yaml << 'EOF' +apiVersion: batch/v1 +kind: CronJob +metadata: + name: postgres-logical-backup + namespace: dev +spec: + schedule: "0 1 * * *" # Daily at 1 AM + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + template: + spec: + serviceAccountName: backup-sa + containers: + - name: backup + image: postgres:15-alpine + env: + - name: DB_HOST + value: "your-rds-endpoint" + - name: DB_NAME + value: "mycompanydb" + - name: DB_USER + value: "admin" + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: database-secret + key: password + - name: S3_BUCKET + value: "mycompany-db-logical-backups" + command: + - /bin/bash + - -c + - | + set -e + apk add --no-cache aws-cli + + DATE=$(date +%Y%m%d_%H%M%S) + BACKUP_FILE="/tmp/logical-backup-$DATE.dump" + + export PGPASSWORD=$DB_PASSWORD + + echo "Creating logical backup..." + pg_dump -h $DB_HOST -U $DB_USER -d $DB_NAME \ + --verbose \ + --no-password \ + --format=custom \ + --compress=9 \ + --file=$BACKUP_FILE + + echo "Uploading to S3..." + aws s3 cp $BACKUP_FILE s3://$S3_BUCKET/logical-backups/ + + echo "Backup completed successfully!" 
+ resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "200m" + restartPolicy: OnFailure +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: backup-sa + namespace: dev + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/backup-role +EOF + +kubectl apply -f database-backup-cronjob.yaml +``` + +### 📋 **9.3 Disaster Recovery Runbook** + +```bash +# 9.3.1 DR runbook oluştur +cat > ~/devops-infrastructure/docs/disaster-recovery-runbook.md << 'EOF' +# Disaster Recovery Runbook + +## Overview +Bu doküman Kubernetes cluster ve RDS veritabanı için disaster recovery prosedürlerini içerir. + +## RTO/RPO Targets +- **RTO (Recovery Time Objective)**: 4 saat +- **RPO (Recovery Point Objective)**: 1 saat + +## Disaster Scenarios + +### 1. Complete Cluster Loss + +#### Assessment +```bash +# Cluster durumunu kontrol et +kubectl get nodes +kubectl get pods --all-namespaces + +# AWS EKS cluster durumu +aws eks describe-cluster --name mycompany-dev-eks +``` + +#### Recovery Steps + +1. **Yeni cluster oluştur** +```bash +cd ~/devops-infrastructure/terraform/environments/dev +terraform plan -target=module.eks +terraform apply -target=module.eks +``` + +2. **Velero restore** +```bash +# En son backup'ı listele +velero backup get + +# Restore işlemi +velero restore create restore-$(date +%Y%m%d) \ + --from-backup daily-backup-YYYYMMDD +``` + +3. **Database connectivity kontrol** +```bash +kubectl get secrets database-secret -n dev +kubectl run test-db-connection --rm -i --tty \ + --image=postgres:15-alpine -- \ + psql -h RDS_ENDPOINT -U admin -d mycompanydb +``` + +### 2. Database Disaster + +#### Assessment +```bash +# RDS status kontrol +aws rds describe-db-instances \ + --db-instance-identifier mycompany-dev-db + +# Connection test +kubectl run db-test --rm -i --tty \ + --image=postgres:15-alpine -- \ + psql -h RDS_ENDPOINT -U admin -d mycompanydb -c "SELECT 1;" +``` + +#### Recovery Steps + +1. 
**Point-in-time recovery** +```bash +# Son valid backup time'ı bul +aws rds describe-db-instances \ + --db-instance-identifier mycompany-dev-db \ + --query 'DBInstances[0].LatestRestorableTime' + +# Point-in-time restore +aws rds restore-db-instance-to-point-in-time \ + --source-db-instance-identifier mycompany-dev-db \ + --target-db-instance-identifier mycompany-dev-db-recovered \ + --restore-time 2024-XX-XXTXX:XX:XX.000Z +``` + +2. **Manual snapshot restore** +```bash +# Available snapshots +aws rds describe-db-snapshots \ + --db-instance-identifier mycompany-dev-db + +# Restore from snapshot +aws rds restore-db-instance-from-db-snapshot \ + --db-instance-identifier mycompany-dev-db-recovered \ + --db-snapshot-identifier manual-backup-YYYYMMDDHHMMSS +``` + +3. **Application reconnection** +```bash +# Update database endpoint in secrets +kubectl patch secret database-secret -n dev \ + --type='json' \ + -p='[{"op": "replace", "path": "/data/host", "value":"'$(echo NEW_RDS_ENDPOINT | base64 -w 0)'"}]' + +# Restart applications +kubectl rollout restart deployment -n dev +``` + +### 3. Data Corruption + +#### Assessment +```bash +# Check for data inconsistencies +kubectl exec -it deployment/backend -n dev -- \ + python manage.py check_data_integrity + +# Check database logs +aws rds describe-db-log-files \ + --db-instance-identifier mycompany-dev-db +``` + +#### Recovery Steps + +1. **Identify corruption scope** +```bash +# Analyze affected data +kubectl exec -it deployment/backend -n dev -- \ + python manage.py analyze_corruption +``` + +2. **Restore from logical backup** +```bash +# Download latest logical backup +aws s3 cp s3://mycompany-db-logical-backups/logical-backups/latest.dump /tmp/ + +# Restore specific tables +pg_restore -h RDS_ENDPOINT -U admin -d mycompanydb \ + --table=affected_table \ + --clean \ + /tmp/latest.dump +``` + +## Testing Procedures + +### Monthly DR Drill +1. Create test restore in separate namespace +2. Verify data integrity +3. 
Test application functionality +4. Document lessons learned + +### Quarterly Full DR Test +1. Complete environment recreation +2. Full data restore +3. End-to-end testing +4. Performance validation + +## Emergency Contacts + +- **DevOps Team**: +90-XXX-XXX-XXXX +- **Database Team**: +90-XXX-XXX-XXXX +- **On-call Engineer**: +90-XXX-XXX-XXXX + +## Post-Incident Actions + +1. **Root Cause Analysis** + - Document incident timeline + - Identify failure points + - Implement preventive measures + +2. **Update Procedures** + - Update runbooks + - Improve monitoring + - Enhance alerting + +3. **Team Communication** + - Share lessons learned + - Update training materials + - Schedule review meeting +EOF + +# 9.3.2 DR test script +cat > ~/devops-infrastructure/scripts/dr-test.sh << 'EOF' +#!/bin/bash + +# Disaster Recovery Test Script +set -e + +NAMESPACE="dr-test" +BACKUP_NAME="$1" + +if [ -z "$BACKUP_NAME" ]; then + echo "Usage: $0 " + echo "Available backups:" + velero backup get + exit 1 +fi + +echo "Starting DR test with backup: $BACKUP_NAME" + +# Create test namespace +kubectl create namespace $NAMESPACE --dry-run=client -o yaml | kubectl apply -f - + +# Restore from backup to test namespace +velero restore create dr-test-$(date +%Y%m%d%H%M%S) \ + --from-backup $BACKUP_NAME \ + --namespace-mappings dev:$NAMESPACE,staging:$NAMESPACE + +# Wait for restore completion +echo "Waiting for restore completion..." +sleep 60 + +# Check restored resources +echo "Checking restored resources..." +kubectl get all -n $NAMESPACE + +# Test database connectivity +echo "Testing database connectivity..." 
+kubectl run db-test -n $NAMESPACE --rm -i --tty \ + --image=postgres:15-alpine -- \ + psql -h $(kubectl get secret database-secret -n $NAMESPACE -o jsonpath='{.data.host}' | base64 -d) \ + -U $(kubectl get secret database-secret -n $NAMESPACE -o jsonpath='{.data.username}' | base64 -d) \ + -d mycompanydb \ + -c "SELECT COUNT(*) FROM information_schema.tables;" + +echo "DR test completed successfully!" +echo "Cleanup: kubectl delete namespace $NAMESPACE" +EOF + +chmod +x ~/devops-infrastructure/scripts/dr-test.sh +``` + +--- diff --git a/RoadMap/advanced/09-gitops-automation.md b/RoadMap/advanced/09-gitops-automation.md new file mode 100644 index 0000000..6dfc13e --- /dev/null +++ b/RoadMap/advanced/09-gitops-automation.md 
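Review bot: in RoadMap/advanced/08-backup-dr.md, section 9.1.1, `aws iam attach-role-policy \ --role-arn arn:aws:iam::$ACCOUNT_ID:role/velero-role` uses a flag the command does not have; it takes `--role-name velero-role`, so as written this step errors out and Velero never receives its permissions. A few lines above, `sed -i "s/OIDC-URL/$OIDC_URL/g" velero-trust-policy.json` breaks because the issuer value (`oidc.eks.eu-west-1.amazonaws.com/id/...`) contains `/`, the sed delimiter; use `s|OIDC-URL|$OIDC_URL|g`. The backup bucket is created with a bare `aws s3 mb` and the generated `backup-bucket-policy.json` is never applied; since the schedules include the `vault` namespace and Velero backups contain Secret objects, run `put-public-access-block`, `put-bucket-versioning` and `put-bucket-encryption` (ideally SSE-KMS) on the bucket before the first backup. In rds-backup.sh the cleanup query `DBSnapshots[7:].DBSnapshotIdentifier` assumes `describe-db-snapshots` returns newest-first, which it does not guarantee, so sort first (`sort_by(DBSnapshots,&SnapshotCreateTime) | reverse(@) | [7:].DBSnapshotIdentifier`) or the script can delete the newest snapshots; the `[0:5]` listing has the same issue. In postgres-logical-backup.sh, `aws s3 ls ... --query "Contents[?LastModified<=...]"` applies an `s3api list-objects` JMESPath expression to the high-level `s3 ls` command, whose text output is not filtered by `--query`, so `xargs -I {} aws s3 rm s3://$S3_BUCKET/{}` receives whole listing lines; switch to `aws s3api list-objects-v2 --bucket ... --prefix logical-backups/ --query ...` or, simpler and safer, an S3 lifecycle rule with a 30-day expiration. In 9.3.1 the runbook heredoc nests ```bash fences inside the outer ```bash block of the markdown file, so MkDocs closes the outer fence at the first inner one; use a four-backtick or `~~~` outer fence. Finally, dr-test.sh waits with `sleep 60` instead of checking restore status; `velero restore create ... --wait` blocks until the restore finishes, and the `echo "Usage: $0 "` line is missing the argument name.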
@@ -0,0 +1,711 @@ +# 🎯 **PHASE 9: GITOPS & DEPLOYMENT AUTOMATION** (Gün 21-22) + +### 🔄 **10.1 ArgoCD Setup** + +```bash +# 10.1.1 ArgoCD kurulumu +kubectl create namespace argocd +kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml + +# 10.1.2 ArgoCD CLI kurulumu +wget https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 +sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd +rm argocd-linux-amd64 + +# 10.1.3 ArgoCD initial password +ARGOCD_PASSWORD=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d) +echo "ArgoCD admin password: $ARGOCD_PASSWORD" + +# 10.1.4 ArgoCD ingress +cat > argocd-ingress.yaml << 'EOF' +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: argocd-server-ingress + namespace: argocd + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + tls: + - hosts: + - argocd.yourdomain.com + secretName: argocd-tls + rules: + - host: argocd.yourdomain.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: argocd-server + port: + number: 443 +EOF + +kubectl apply -f argocd-ingress.yaml + +# 10.1.5 ArgoCD server configuration +kubectl patch configmap argocd-cmd-params-cm -n argocd --patch '{"data":{"server.insecure":"true"}}' +kubectl rollout restart deployment argocd-server -n argocd + +# 10.1.6 ArgoCD login +argocd login argocd.yourdomain.com --username admin --password $ARGOCD_PASSWORD --insecure +``` + +### 📁 **10.2 GitOps Repository Structure** + +```bash +# 10.2.1 GitOps repository oluştur +cd ~/ +git clone https://github.com/yourusername/gitops-config.git +cd gitops-config + +# Repository structure +mkdir -p 
{applications/{dev,staging,production},infrastructure/{monitoring,logging,security},bootstrap} + +# 10.2.2 Application of Applications pattern +cat > bootstrap/root-app.yaml << 'EOF' +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: root-app + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://github.com/yourusername/gitops-config.git + targetRevision: main + path: bootstrap + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true +EOF + +# 10.2.3 Infrastructure applications +cat > bootstrap/infrastructure-apps.yaml << 'EOF' +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: monitoring-stack + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/yourusername/gitops-config.git + targetRevision: main + path: infrastructure/monitoring + destination: + server: https://kubernetes.default.svc + namespace: monitoring + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: logging-stack + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/yourusername/gitops-config.git + targetRevision: main + path: infrastructure/logging + destination: + server: https://kubernetes.default.svc + namespace: logging + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: security-stack + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/yourusername/gitops-config.git + targetRevision: main + path: infrastructure/security + destination: + server: https://kubernetes.default.svc + namespace: security + syncPolicy: + automated: + 
prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true +EOF + +# 10.2.4 Environment-specific applications +cat > bootstrap/dev-apps.yaml << 'EOF' +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: dev-applications + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/yourusername/gitops-config.git + targetRevision: main + path: applications/dev + destination: + server: https://kubernetes.default.svc + namespace: dev + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true +EOF + +# 10.2.5 Sample application manifest +cat > applications/dev/sample-app.yaml << 'EOF' +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sample-app + namespace: dev + labels: + app: sample-app +spec: + replicas: 2 + selector: + matchLabels: + app: sample-app + template: + metadata: + labels: + app: sample-app + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8080" + prometheus.io/path: "/metrics" + spec: + securityContext: + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + fsGroup: 10001 + containers: + - name: app + image: ghcr.io/yourusername/sample-app:v1.0.0 + ports: + - containerPort: 8080 + name: http + env: + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: database-secret + key: url + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + capabilities: + drop: + - ALL + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "256Mi" + cpu: "200m" + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - name: tmp + mountPath: /tmp + volumes: + - name: tmp + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: sample-app + namespace: dev + labels: 
+ app: sample-app +spec: + selector: + app: sample-app + ports: + - port: 80 + targetPort: 8080 + name: http + type: ClusterIP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: sample-app + namespace: dev + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "true" + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + tls: + - hosts: + - app-dev.yourdomain.com + secretName: sample-app-tls + rules: + - host: app-dev.yourdomain.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: sample-app + port: + number: 80 +EOF + +# Git'e commit +git add . +git commit -m "Initial GitOps repository structure" +git push origin main +``` + +### 🚀 **10.3 Progressive Delivery with Argo Rollouts** + +```bash +# 10.3.1 Argo Rollouts kurulumu +kubectl create namespace argo-rollouts +kubectl apply -n argo-rollouts -f https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml + +# 10.3.2 Argo Rollouts CLI +wget https://github.com/argoproj/argo-rollouts/releases/latest/download/kubectl-argo-rollouts-linux-amd64 +sudo install -m 555 kubectl-argo-rollouts-linux-amd64 /usr/local/bin/kubectl-argo-rollouts +rm kubectl-argo-rollouts-linux-amd64 + +# 10.3.3 Canary deployment example +cat > applications/dev/sample-app-rollout.yaml << 'EOF' +apiVersion: argoproj.io/v1alpha1 +kind: Rollout +metadata: + name: sample-app-rollout + namespace: dev +spec: + replicas: 5 + strategy: + canary: + steps: + - setWeight: 20 + - pause: {} + - setWeight: 40 + - pause: {duration: 10} + - setWeight: 60 + - pause: {duration: 10} + - setWeight: 80 + - pause: {duration: 10} + canaryService: sample-app-canary + stableService: sample-app-stable + trafficRouting: + nginx: + stableIngress: sample-app-stable + annotationPrefix: nginx.ingress.kubernetes.io + additionalIngressAnnotations: + canary-by-header: X-Canary + analysis: + templates: + - templateName: success-rate + startingStep: 2 + args: + - 
name: service-name + value: sample-app-canary.dev.svc.cluster.local + selector: + matchLabels: + app: sample-app + template: + metadata: + labels: + app: sample-app + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8080" + prometheus.io/path: "/metrics" + spec: + containers: + - name: app + image: ghcr.io/yourusername/sample-app:v1.0.0 + ports: + - containerPort: 8080 + name: http + env: + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: database-secret + key: url + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "256Mi" + cpu: "200m" + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 +--- +apiVersion: v1 +kind: Service +metadata: + name: sample-app-stable + namespace: dev +spec: + selector: + app: sample-app + ports: + - port: 80 + targetPort: 8080 + name: http +--- +apiVersion: v1 +kind: Service +metadata: + name: sample-app-canary + namespace: dev +spec: + selector: + app: sample-app + ports: + - port: 80 + targetPort: 8080 + name: http +--- +apiVersion: argoproj.io/v1alpha1 +kind: AnalysisTemplate +metadata: + name: success-rate + namespace: dev +spec: + args: + - name: service-name + metrics: + - name: success-rate + interval: 30s + successCondition: result[0] >= 0.95 + failureLimit: 3 + provider: + prometheus: + address: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090 + query: | + sum(irate( + http_requests_total{job="{{args.service-name}}",status!~"5.*"}[5m] + )) / + sum(irate( + http_requests_total{job="{{args.service-name}}"}[5m] + )) +EOF + +# 10.3.4 Blue-Green deployment example +cat > applications/staging/sample-app-bluegreen.yaml << 'EOF' +apiVersion: argoproj.io/v1alpha1 +kind: Rollout +metadata: + name: sample-app-bluegreen + namespace: staging +spec: + replicas: 3 + strategy: + blueGreen: + activeService: 
sample-app-active + previewService: sample-app-preview + autoPromotionEnabled: false + scaleDownDelaySeconds: 30 + prePromotionAnalysis: + templates: + - templateName: success-rate + args: + - name: service-name + value: sample-app-preview.staging.svc.cluster.local + postPromotionAnalysis: + templates: + - templateName: success-rate + args: + - name: service-name + value: sample-app-active.staging.svc.cluster.local + selector: + matchLabels: + app: sample-app + template: + metadata: + labels: + app: sample-app + spec: + containers: + - name: app + image: ghcr.io/yourusername/sample-app:v1.0.0 + ports: + - containerPort: 8080 + name: http + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "256Mi" + cpu: "200m" +--- +apiVersion: v1 +kind: Service +metadata: + name: sample-app-active + namespace: staging +spec: + selector: + app: sample-app + ports: + - port: 80 + targetPort: 8080 + name: http +--- +apiVersion: v1 +kind: Service +metadata: + name: sample-app-preview + namespace: staging +spec: + selector: + app: sample-app + ports: + - port: 80 + targetPort: 8080 + name: http +EOF + +# Changes'ları commit et +git add . 
+git commit -m "Add progressive delivery configurations" +git push origin main +``` + +### 🔧 **10.4 CI/CD Integration with GitOps** + +```bash +# 10.4.1 Image updater için ArgoCD configuration +cat > argocd-image-updater.yaml << 'EOF' +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-image-updater-config + namespace: argocd +data: + registries.conf: | + registries: + - name: GitHub Container Registry + prefix: ghcr.io + api_url: https://ghcr.io + credentials: ext:/scripts/auth1.sh + credsexpire: 10h + ssh_config: | + Host github.com + User git + IdentitiesOnly yes + IdentityFile ~/.ssh/id_rsa + StrictHostKeyChecking no +--- +apiVersion: v1 +kind: Secret +metadata: + name: argocd-image-updater-secret + namespace: argocd +type: Opaque +stringData: + auth1.sh: | + #!/bin/sh + echo "username:$GITHUB_TOKEN" +EOF + +kubectl apply -f argocd-image-updater.yaml + +# 10.4.2 Application annotation for image updates +cat > applications/dev/sample-app-with-image-updater.yaml << 'EOF' +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: sample-app + namespace: argocd + annotations: + argocd-image-updater.argoproj.io/image-list: myapp=ghcr.io/yourusername/sample-app + argocd-image-updater.argoproj.io/write-back-method: git + argocd-image-updater.argoproj.io/git-branch: main +spec: + project: default + source: + repoURL: https://github.com/yourusername/gitops-config.git + targetRevision: main + path: applications/dev + destination: + server: https://kubernetes.default.svc + namespace: dev + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true +EOF + +# 10.4.3 Updated Jenkins pipeline with GitOps +cat > ~/devops-infrastructure/jenkins/gitops-pipeline.groovy << 'EOF' +@Library('shared-library') _ + +pipeline { + agent { + kubernetes { + yaml """ + apiVersion: v1 + kind: Pod + spec: + containers: + - name: docker + image: docker:latest + command: + - cat + tty: true + volumeMounts: + - mountPath: 
/var/run/docker.sock + name: docker-sock + - name: git + image: alpine/git:latest + command: + - cat + tty: true + volumes: + - name: docker-sock + hostPath: + path: /var/run/docker.sock + """ + } + } + + environment { + DOCKER_REGISTRY = 'ghcr.io' + IMAGE_NAME = 'yourusername/sample-app' + GIT_COMMIT_SHORT = sh(script: "git rev-parse --short HEAD", returnStdout: true).trim() + BUILD_VERSION = "v1.0.${env.BUILD_NUMBER}-${GIT_COMMIT_SHORT}" + GITOPS_REPO = 'https://github.com/yourusername/gitops-config.git' + } + + stages { + stage('Build & Push') { + steps { + container('docker') { + script { + def image = docker.build("${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION}") + docker.withRegistry("https://${DOCKER_REGISTRY}", 'github-registry-credentials') { + image.push() + image.push("latest") + } + } + } + } + } + + stage('Update GitOps Repo') { + steps { + container('git') { + withCredentials([usernamePassword(credentialsId: 'github-credentials', usernameVariable: 'GIT_USERNAME', passwordVariable: 'GIT_TOKEN')]) { + sh ''' + git config --global user.email "jenkins@company.com" + git config --global user.name "Jenkins CI" + + # Clone GitOps repository + git clone https://${GIT_USERNAME}:${GIT_TOKEN}@github.com/yourusername/gitops-config.git + cd gitops-config + + # Update image tag in deployment manifest + sed -i "s|image: ${DOCKER_REGISTRY}/${IMAGE_NAME}:.*|image: ${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION}|g" applications/dev/sample-app.yaml + + # Commit and push changes + git add . 
+ git commit -m "Update ${IMAGE_NAME} to ${BUILD_VERSION}" + git push origin main + ''' + } + } + } + } + } + + post { + success { + slackSend( + channel: '#deployments', + color: 'good', + message: "✅ ${IMAGE_NAME}:${BUILD_VERSION} built and GitOps updated successfully" + ) + } + failure { + slackSend( + channel: '#deployments', + color: 'danger', + message: "❌ Pipeline failed for ${IMAGE_NAME}:${BUILD_VERSION}" + ) + } + } +} +EOF + +# 10.4.4 ArgoCD'ye root application'ı deploy et +kubectl apply -f ~/gitops-config/bootstrap/root-app.yaml + +echo "GitOps setup completed!" +echo "ArgoCD UI: https://argocd.yourdomain.com" +echo "Login: admin / $ARGOCD_PASSWORD" +``` + +--- diff --git a/RoadMap/advanced/10-cost-performance.md b/RoadMap/advanced/10-cost-performance.md new file mode 100644 index 0000000..df0bf51 --- /dev/null +++ b/RoadMap/advanced/10-cost-performance.md 
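Review bot: in RoadMap/advanced/09-gitops-automation.md, section 10.4.3 mounts the node's Docker socket into the Jenkins build pod (`hostPath: path: /var/run/docker.sock`), which hands every pipeline step root-equivalent control of the node; build with a daemonless tool (Kaniko, BuildKit rootless or Buildah) instead. Further points: 10.1.3 and the closing lines `echo "Login: admin / $ARGOCD_PASSWORD"` print the ArgoCD admin password, which ends up in shell history and CI logs; rotate it with `argocd account update-password` and delete `argocd-initial-admin-secret` as the Argo CD docs recommend. The image updater `ssh_config` in 10.4.1 sets `StrictHostKeyChecking no`, disabling host-key verification on the git write-back channel that decides what the cluster runs; pin github.com's key in a `known_hosts` entry instead. In 10.3.3 the Rollout sets `stableIngress: sample-app-stable`, but no Ingress of that name is defined in the hunk (only the two Services), so the nginx traffic routing cannot reconcile; and both Rollout pod templates drop the `securityContext` block (runAsNonRoot, readOnlyRootFilesystem, `drop: - ALL`) that 10.2.5's Deployment carries, so the canary and blue-green pods are weaker than the workload they replace. Also, 10.4.2's image updater and 10.4.3's Jenkins `sed` both write the image tag into `applications/dev/sample-app.yaml` on `main`; keep a single write-back path to avoid competing commits.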
@@ -0,0 +1,822 @@ +# 📈 **PHASE 10: COST OPTIMIZATION & PERFORMANCE** (Gün 23-24) + +### 💰 **11.1 Cost Monitoring Setup** + +```bash +# 11.1.1 AWS Cost and Usage Report setup +cat > ~/devops-infrastructure/scripts/setup-cost-monitoring.sh << 'EOF' +#!/bin/bash + +# AWS Cost Monitoring Setup Script +set -e + +BUCKET_NAME="mycompany-cost-reports-$(openssl rand -hex 4)" +REGION="eu-west-1" + +# Create S3 bucket for cost reports +aws s3 mb s3://$BUCKET_NAME --region $REGION + +# Bucket policy for AWS Cost and Usage Reports +cat > cost-bucket-policy.json << EOF +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "billingreports.amazonaws.com" + }, + "Action": [ + "s3:GetBucketAcl", + "s3:GetBucketPolicy" + ], + "Resource": "arn:aws:s3:::$BUCKET_NAME" + }, + { + "Effect": "Allow", + "Principal": { + "Service": "billingreports.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::$BUCKET_NAME/*" + } + ] +} +EOF + +aws s3api put-bucket-policy --bucket $BUCKET_NAME --policy file://cost-bucket-policy.json + +echo "Cost monitoring S3 bucket created: $BUCKET_NAME" +echo "Configure Cost and Usage Report in AWS Console:" +echo "https://console.aws.amazon.com/billing/home#/reports" +rm cost-bucket-policy.json +EOF + +chmod +x ~/devops-infrastructure/scripts/setup-cost-monitoring.sh +./~/devops-infrastructure/scripts/setup-cost-monitoring.sh + +# 11.1.2 Kubecost kurulumu +helm repo add kubecost https://kubecost.github.io/cost-analyzer/ +helm repo update + +cat > kubecost-values.yaml << 'EOF' +global: + prometheus: + fqdn: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090 + enabled: false + grafana: + fqdn: http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80 + enabled: false + +kubecostFrontend: + image: "kubecost/frontend" + resources: + requests: + cpu: "10m" + memory: "55Mi" + limits: + cpu: "100m" + memory: "256Mi" + +kubecost: + image: "kubecost/server" + resources: 
+ requests: + cpu: "100m" + memory: "55Mi" + limits: + cpu: "200m" + memory: "256Mi" + +kubecostModel: + image: "kubecost/cost-model" + resources: + requests: + cpu: "200m" + memory: "55Mi" + limits: + cpu: "800m" + memory: "256Mi" + +ingress: + enabled: true + className: nginx + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + cert-manager.io/cluster-issuer: "letsencrypt-prod" + hosts: + - host: kubecost.yourdomain.com + paths: + - path: / + pathType: Prefix + tls: + - secretName: kubecost-tls + hosts: + - kubecost.yourdomain.com + +persistentVolume: + enabled: true + storageClass: gp3 + size: 32Gi + +nodeSelector: {} +tolerations: [] +affinity: {} + +service: + type: ClusterIP + port: 9090 + targetPort: 9090 +EOF + +kubectl create namespace kubecost +helm install kubecost kubecost/cost-analyzer \ + --namespace kubecost \ + --values kubecost-values.yaml + +# 11.1.3 Resource recommendation script +cat > ~/devops-infrastructure/scripts/resource-recommendations.sh << 'EOF' +#!/bin/bash + +# Resource Recommendations Script +set -e + +echo "📊 Generating resource recommendations..." 
+ +# VPA recommendations +echo "=== VPA Recommendations ===" +kubectl get vpa --all-namespaces -o custom-columns=\ +NAMESPACE:.metadata.namespace,\ +NAME:.metadata.name,\ +MODE:.spec.updatePolicy.updateMode,\ +CPU_TARGET:.status.recommendation.containerRecommendations[0].target.cpu,\ +MEMORY_TARGET:.status.recommendation.containerRecommendations[0].target.memory + +# Top resource consuming pods +echo "=== Top CPU Consuming Pods ===" +kubectl top pods --all-namespaces --sort-by=cpu | head -10 + +echo "=== Top Memory Consuming Pods ===" +kubectl top pods --all-namespaces --sort-by=memory | head -10 + +# Unused resources +echo "=== Pods with Low Resource Utilization ===" +kubectl get pods --all-namespaces -o json | \ +jq -r '.items[] | select(.status.phase=="Running") | + .metadata.namespace + "/" + .metadata.name + " - " + + (.spec.containers[0].resources.requests.cpu // "no-limit") + " CPU, " + + (.spec.containers[0].resources.requests.memory // "no-limit") + " Memory"' + +# HPA status +echo "=== HPA Status ===" +kubectl get hpa --all-namespaces + +echo "📋 Recommendations:" +echo "1. Check VPA recommendations for right-sizing" +echo "2. Set resource requests/limits for pods without them" +echo "3. Consider HPA for variable workloads" +echo "4. 
Use VPA in recommendation mode first" +EOF + +chmod +x ~/devops-infrastructure/scripts/resource-recommendations.sh +``` + +### ⚡ **11.2 Performance Optimization** + +```bash +# 11.2.1 Vertical Pod Autoscaler setup +git clone https://github.com/kubernetes/autoscaler.git +cd autoscaler/vertical-pod-autoscaler/ +./hack/vpa-install.sh +cd ~/devops-infrastructure + +# 11.2.2 VPA example configurations +cat > vpa-examples.yaml << 'EOF' +# VPA for sample app (recommendation mode) +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: sample-app-vpa + namespace: dev +spec: + targetRef: + apiVersion: apps/v1 + kind: Deployment + name: sample-app + updatePolicy: + updateMode: "Off" # Recommendation only + resourcePolicy: + containerPolicies: + - containerName: app + minAllowed: + cpu: 100m + memory: 128Mi + maxAllowed: + cpu: 1000m + memory: 1Gi + controlledResources: ["cpu", "memory"] +--- +# VPA for monitoring stack (auto mode) +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: kube-prometheus-stack-prometheus + updatePolicy: + updateMode: "Auto" + resourcePolicy: + containerPolicies: + - containerName: prometheus + minAllowed: + cpu: 500m + memory: 1Gi + maxAllowed: + cpu: 4000m + memory: 8Gi + controlledResources: ["cpu", "memory"] +EOF + +kubectl apply -f vpa-examples.yaml + +# 11.2.3 KEDA (Event-driven autoscaling) setup +helm repo add kedacore https://kedacore.github.io/charts +helm repo update + +helm install keda kedacore/keda \ + --namespace keda \ + --create-namespace + +# 11.2.4 KEDA ScaledObject example (Redis queue) +cat > keda-redis-scaler.yaml << 'EOF' +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: redis-scaledobject + namespace: dev +spec: + scaleTargetRef: + name: worker-deployment + minReplicaCount: 1 + maxReplicaCount: 10 + triggers: + - type: redis + metadata: + address: redis.dev.svc.cluster.local:6379 + listName: job_queue + listLength: '5' +--- +apiVersion: 
keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: prometheus-scaledobject + namespace: dev +spec: + scaleTargetRef: + name: sample-app + minReplicaCount: 2 + maxReplicaCount: 20 + triggers: + - type: prometheus + metadata: + serverAddress: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090 + metricName: http_requests_per_second + threshold: '100' + query: sum(rate(http_requests_total{job="sample-app"}[1m])) +EOF + +kubectl apply -f keda-redis-scaler.yaml + +# 11.2.5 Performance monitoring dashboard +cat > performance-monitoring.yaml << 'EOF' +apiVersion: v1 +kind: ConfigMap +metadata: + name: performance-dashboard + namespace: monitoring + labels: + grafana_dashboard: "1" +data: + performance-dashboard.json: | + { + "dashboard": { + "id": null, + "title": "Application Performance Monitoring", + "tags": ["performance", "apm"], + "timezone": "browser", + "panels": [ + { + "id": 1, + "title": "Request Rate", + "type": "graph", + "targets": [ + { + "expr": "sum(rate(http_requests_total[5m])) by (service)", + "legendFormat": "{{service}}" + } + ] + }, + { + "id": 2, + "title": "Response Time", + "type": "graph", + "targets": [ + { + "expr": "histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket[5m])) by (le, service))", + "legendFormat": "95th percentile - {{service}}" + } + ] + }, + { + "id": 3, + "title": "Error Rate", + "type": "graph", + "targets": [ + { + "expr": "sum(rate(http_requests_total{status=~'5..'}[5m])) by (service) / sum(rate(http_requests_total[5m])) by (service)", + "legendFormat": "Error rate - {{service}}" + } + ] + } + ], + "time": { + "from": "now-1h", + "to": "now" + }, + "refresh": "30s" + } + } +EOF + +kubectl apply -f performance-monitoring.yaml +``` + +### 🧪 **11.3 Load Testing & Performance Validation** + +```bash +# 11.3.1 K6 load testing setup +cat > load-testing/k6-config.yaml << 'EOF' +apiVersion: v1 +kind: ConfigMap +metadata: + name: k6-scripts + namespace: dev +data: + load-test.js: | + 
import http from 'k6/http'; + import { check, sleep } from 'k6'; + import { Rate } from 'k6/metrics'; + + export let errorRate = new Rate('errors'); + + export let options = { + stages: [ + { duration: '2m', target: 10 }, // Ramp up + { duration: '5m', target: 100 }, // Stay at 100 users + { duration: '2m', target: 200 }, // Ramp up to 200 users + { duration: '5m', target: 200 }, // Stay at 200 users + { duration: '2m', target: 0 }, // Ramp down + ], + thresholds: { + http_req_duration: ['p(95)<500'], // 95% of requests under 500ms + http_req_failed: ['rate<0.05'], // Error rate under 5% + errors: ['rate<0.1'], // Custom error rate under 10% + }, + }; + + export default function() { + let response = http.get('https://app-dev.yourdomain.com/api/health'); + + check(response, { + 'status is 200': (r) => r.status === 200, + 'response time < 500ms': (r) => r.timings.duration < 500, + }) || errorRate.add(1); + + sleep(1); + } + + stress-test.js: | + import http from 'k6/http'; + import { check } from 'k6'; + + export let options = { + stages: [ + { duration: '1m', target: 50 }, + { duration: '1m', target: 100 }, + { duration: '1m', target: 200 }, + { duration: '1m', target: 500 }, + { duration: '2m', target: 1000 }, // Stress level + { duration: '2m', target: 0 }, + ], + }; + + export default function() { + let response = http.get('https://app-dev.yourdomain.com/api/users'); + check(response, { + 'status is 200': (r) => r.status === 200, + }); + } +EOF + +kubectl apply -f load-testing/ + +# 11.3.2 K6 operator kurulumu +kubectl apply -f https://github.com/grafana/k6-operator/releases/latest/download/bundle.yaml + +# 11.3.3 Load test job +cat > load-test-job.yaml << 'EOF' +apiVersion: k6.io/v1alpha1 +kind: K6 +metadata: + name: load-test + namespace: dev +spec: + parallelism: 4 + script: + configMap: + name: k6-scripts + file: load-test.js + separate: true + runner: + image: grafana/k6:latest + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + 
memory: 256Mi + env: + - name: K6_PROMETHEUS_RW_SERVER_URL + value: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090/api/v1/write + - name: K6_PROMETHEUS_RW_TREND_AS_NATIVE_HISTOGRAM + value: "true" +EOF + +# Load test çalıştır +kubectl apply -f load-test-job.yaml +kubectl logs -f job/load-test-1 -n dev + +# 11.3.4 Automated performance test pipeline +cat > ~/devops-infrastructure/jenkins/performance-test-pipeline.groovy << 'EOF' +pipeline { + agent { + kubernetes { + yaml """ + apiVersion: v1 + kind: Pod + spec: + containers: + - name: kubectl + image: bitnami/kubectl:latest + command: + - cat + tty: true + - name: k6 + image: grafana/k6:latest + command: + - cat + tty: true + """ + } + } + + parameters { + choice( + name: 'TEST_TYPE', + choices: ['load-test', 'stress-test', 'spike-test'], + description: 'Type of performance test to run' + ) + string( + name: 'TARGET_URL', + defaultValue: 'https://app-staging.yourdomain.com', + description: 'Target URL for testing' + ) + string( + name: 'DURATION', + defaultValue: '5m', + description: 'Test duration' + ) + } + + stages { + stage('Deploy Test Config') { + steps { + container('kubectl') { + sh ''' + cat > k6-test-config.yaml << EOF +apiVersion: v1 +kind: ConfigMap +metadata: + name: k6-test-config-${BUILD_NUMBER} + namespace: dev +data: + test.js: | + import http from 'k6/http'; + import { check, sleep } from 'k6'; + + export let options = { + duration: '${DURATION}', + vus: 50, + thresholds: { + http_req_duration: ['p(95)<1000'], + http_req_failed: ['rate<0.05'], + }, + }; + + export default function() { + let response = http.get('${TARGET_URL}/health'); + check(response, { + 'status is 200': (r) => r.status === 200, + }); + sleep(1); + } +EOF + kubectl apply -f k6-test-config.yaml + ''' + } + } + } + + stage('Run Performance Test') { + steps { + container('kubectl') { + sh ''' + cat > k6-job.yaml << EOF +apiVersion: k6.io/v1alpha1 +kind: K6 +metadata: + name: perf-test-${BUILD_NUMBER} + 
namespace: dev +spec: + parallelism: 2 + script: + configMap: + name: k6-test-config-${BUILD_NUMBER} + file: test.js + separate: true +EOF + kubectl apply -f k6-job.yaml + + # Wait for test completion + kubectl wait --for=condition=complete job/perf-test-${BUILD_NUMBER}-1 -n dev --timeout=600s + + # Get test results + kubectl logs job/perf-test-${BUILD_NUMBER}-1 -n dev + ''' + } + } + } + + stage('Analyze Results') { + steps { + container('kubectl') { + sh ''' + # Extract test metrics and validate against thresholds + TEST_RESULTS=$(kubectl logs job/perf-test-${BUILD_NUMBER}-1 -n dev | grep -E "(http_req_duration|http_req_failed)") + echo "Test Results: $TEST_RESULTS" + + # Check if test passed thresholds + if kubectl logs job/perf-test-${BUILD_NUMBER}-1 -n dev | grep -q "✓"; then + echo "Performance test PASSED" + else + echo "Performance test FAILED" + exit 1 + fi + ''' + } + } + } + } + + post { + always { + container('kubectl') { + sh ''' + # Cleanup test resources + kubectl delete configmap k6-test-config-${BUILD_NUMBER} -n dev || true + kubectl delete k6 perf-test-${BUILD_NUMBER} -n dev || true + ''' + } + } + success { + slackSend( + channel: '#performance', + color: 'good', + message: "✅ Performance test passed for ${params.TARGET_URL}" + ) + } + failure { + slackSend( + channel: '#performance', + color: 'danger', + message: "❌ Performance test failed for ${params.TARGET_URL}" + ) + } + } +} +EOF +``` + +### 📊 **11.4 Cost Optimization Scripts** + +```bash +# 11.4.1 Resource rightsizing script +cat > ~/devops-infrastructure/scripts/cost-optimization.sh << 'EOF' +#!/bin/bash + +# Cost Optimization Analysis Script +set -e + +echo "💰 AWS Cost Optimization Analysis" +echo "==================================" + +# 1. Unused EBS volumes +echo "🔍 Checking for unused EBS volumes..." +aws ec2 describe-volumes \ + --filters Name=status,Values=available \ + --query 'Volumes[*].[VolumeId,Size,VolumeType,CreateTime]' \ + --output table + +# 2. 
Unattached Elastic IPs +echo "🔍 Checking for unattached Elastic IPs..." +aws ec2 describe-addresses \ + --query 'Addresses[?AssociationId==null].[PublicIp,AllocationId]' \ + --output table + +# 3. Old snapshots (older than 30 days) +echo "🔍 Checking for old snapshots..." +CUTOFF_DATE=$(date -d '30 days ago' --iso-8601) +aws ec2 describe-snapshots \ + --owner-ids self \ + --query "Snapshots[?StartTime<='$CUTOFF_DATE'].[SnapshotId,StartTime,VolumeSize]" \ + --output table + +# 4. Right-sizing recommendations +echo "🔍 Generating right-sizing recommendations..." +aws ce get-rightsizing-recommendation \ + --service "EC2-Instance" \ + --query 'RightsizingRecommendations[*].[CurrentInstance.InstanceName,CurrentInstance.InstanceType,RightsizingType,TargetInstances[0].EstimatedMonthlySavings.Amount]' \ + --output table + +# 5. Reserved Instance recommendations +echo "🔍 Checking Reserved Instance opportunities..." +aws ce get-reservation-purchase-recommendation \ + --service "EC2-Instance" \ + --query 'Recommendations[*].[InstanceDetails.EC2InstanceDetails.InstanceType,InstanceDetails.EC2InstanceDetails.Region,RecommendationDetails.EstimatedMonthlySavingsAmount]' \ + --output table + +echo "💡 Cost Optimization Recommendations:" +echo "1. Delete unused EBS volumes" +echo "2. Release unattached Elastic IPs" +echo "3. Delete old snapshots" +echo "4. Implement right-sizing recommendations" +echo "5. 
Consider Reserved Instances for stable workloads" +EOF + +chmod +x ~/devops-infrastructure/scripts/cost-optimization.sh + +# 11.4.2 Spot instance integration +cat > spot-instances.yaml << 'EOF' +# Karpenter for spot instances +apiVersion: karpenter.sh/v1alpha5 +kind: Provisioner +metadata: + name: spot-provisioner +spec: + # Requirements that constrain which nodes will be created + requirements: + - key: karpenter.sh/capacity-type + operator: In + values: ["spot"] + - key: kubernetes.io/arch + operator: In + values: ["amd64"] + - key: node.kubernetes.io/instance-type + operator: In + values: ["t3.medium", "t3.large", "m5.large", "m5.xlarge"] + + # Provisioned nodes will have these taints + taints: + - key: spot + value: "true" + effect: NoSchedule + + # Resource limits constrain the total size of the cluster + limits: + resources: + cpu: 1000 + memory: 1000Gi + + # Deprovisioning configuration + ttlSecondsAfterEmpty: 30 + + # Provider-specific configuration + providerRef: + name: spot-nodepool +--- +apiVersion: karpenter.k8s.aws/v1alpha1 +kind: AWSNodePool +metadata: + name: spot-nodepool +spec: + amiFamily: AL2 + subnetSelector: + karpenter.sh/discovery: "mycompany-dev-eks" + securityGroupSelector: + karpenter.sh/discovery: "mycompany-dev-eks" + instanceProfile: "KarpenterNodeInstanceProfile" + + # Spot instance configuration + requirements: + - key: karpenter.sh/capacity-type + operator: In + values: ["spot"] + - key: node.kubernetes.io/instance-type + operator: In + values: ["t3.medium", "t3.large", "m5.large"] + + userData: | + #!/bin/bash + /etc/eks/bootstrap.sh mycompany-dev-eks + echo "spot=true" >> /etc/kubernetes/kubelet/kubelet-config.json +EOF + +# 11.4.3 Resource quota ve limits +cat > resource-quotas.yaml << 'EOF' +# Development namespace quotas +apiVersion: v1 +kind: ResourceQuota +metadata: + name: dev-quota + namespace: dev +spec: + hard: + requests.cpu: "4" + requests.memory: 8Gi + limits.cpu: "8" + limits.memory: 16Gi + persistentvolumeclaims: 
"10" + pods: "20" + services: "10" + secrets: "20" + configmaps: "20" +--- +# Staging namespace quotas +apiVersion: v1 +kind: ResourceQuota +metadata: + name: staging-quota + namespace: staging +spec: + hard: + requests.cpu: "8" + requests.memory: 16Gi + limits.cpu: "16" + limits.memory: 32Gi + persistentvolumeclaims: "15" + pods: "30" + services: "15" +--- +# Production namespace quotas +apiVersion: v1 +kind: ResourceQuota +metadata: + name: production-quota + namespace: production +spec: + hard: + requests.cpu: "20" + requests.memory: 40Gi + limits.cpu: "40" + limits.memory: 80Gi + persistentvolumeclaims: "25" + pods: "50" + services: "25" +--- +# Limit ranges for all namespaces +apiVersion: v1 +kind: LimitRange +metadata: + name: default-limits + namespace: dev +spec: + limits: + - default: + cpu: "200m" + memory: "256Mi" + defaultRequest: + cpu: "100m" + memory: "128Mi" + type: Container + - max: + cpu: "2" + memory: "4Gi" + min: + cpu: "50m" + memory: "64Mi" + type: Container +EOF + +kubectl apply -f resource-quotas.yaml +``` + +--- diff --git a/RoadMap/advanced/11-documentation-processes.md b/RoadMap/advanced/11-documentation-processes.md new file mode 100644 index 0000000..53e0586 --- /dev/null +++ b/RoadMap/advanced/11-documentation-processes.md 
@@ -0,0 +1,1364 @@ +# 📚 **PHASE 11: DOCUMENTATION & TEAM PROCESSES** (Gün 25-26) + +### 📖 **12.1 Comprehensive Documentation** + +```bash +# 12.1.1 Architecture documentation +cat > ~/devops-infrastructure/docs/architecture-overview.md << 'EOF' +# DevOps Infrastructure Architecture + +## Overview +Bu doküman şirketimizin Kubernetes-based DevOps altyapısının mimari yapısını detaylandırır. + +## High-Level Architecture + +```mermaid +graph TB + Developer[Developer] --> GitHub[GitHub Repository] + GitHub --> Jenkins[Jenkins CI/CD] + Jenkins --> Registry[GitHub Container Registry] + Jenkins --> ArgoCD[ArgoCD GitOps] + + ArgoCD --> EKS[Amazon EKS] + EKS --> Apps[Applications] + + subgraph "AWS Infrastructure" + VPC[VPC] + EKS --> VPC + RDS[RDS PostgreSQL] + ElastiCache[ElastiCache Redis] + S3[S3 Buckets] + ALB[Application Load Balancer] + end + + subgraph "Monitoring Stack" + Prometheus[Prometheus] + Grafana[Grafana] + AlertManager[AlertManager] + Jaeger[Jaeger Tracing] + end + + subgraph "Logging Stack" + FluentBit[Fluent Bit] + OpenSearch[OpenSearch] + OpenSearchDashboards[OpenSearch Dashboards] + end + + subgraph "Security" + Vault[HashiCorp Vault] + Falco[Falco Runtime Security] + OPA[OPA Gatekeeper] + end + + Apps --> Monitoring Stack + Apps --> Logging Stack + Apps --> Security +``` + +## Component Details + +### Infrastructure Layer + +#### AWS Services +- **VPC**: Multi-AZ setup with public/private subnets +- **EKS**: Managed Kubernetes cluster (v1.28) +- **RDS**: PostgreSQL with Multi-AZ and read replicas +- **ElastiCache**: Redis for caching and session storage +- **ALB**: Application Load Balancer with SSL termination +- **S3**: Object storage for backups, logs, and artifacts + +#### Kubernetes Components +- **Namespaces**: dev, staging, production, monitoring, logging, security +- **RBAC**: Role-based access control for different teams +- **Network Policies**: Micro-segmentation with Calico +- **Pod Security Standards**: Enforced security contexts +- 
**Storage Classes**: GP3, IO1 for different performance needs + +### Application Layer + +#### Deployment Strategy +- **GitOps**: ArgoCD-based continuous deployment +- **Progressive Delivery**: Canary and Blue-Green deployments +- **Auto-scaling**: HPA, VPA, and KEDA for event-driven scaling +- **Service Mesh**: Istio for traffic management (optional) + +#### Security +- **Secrets Management**: HashiCorp Vault with External Secrets Operator +- **Runtime Security**: Falco for threat detection +- **Policy Enforcement**: OPA Gatekeeper for admission control +- **Image Security**: Trivy scanning in CI/CD pipeline + +### Observability + +#### Monitoring +- **Metrics**: Prometheus with custom and pre-built dashboards +- **Visualization**: Grafana with role-based dashboards +- **Alerting**: AlertManager with Slack/PagerDuty integration +- **Distributed Tracing**: Jaeger for request tracing + +#### Logging +- **Collection**: Fluent Bit daemonset +- **Storage**: OpenSearch cluster +- **Analysis**: OpenSearch Dashboards +- **Retention**: 30-day retention with automated cleanup + +## Security Architecture + +### Access Control +1. **AWS IAM**: Service accounts with IRSA +2. **Kubernetes RBAC**: Namespace-level permissions +3. **Vault**: Centralized secrets management +4. **Network Policies**: Pod-to-pod communication rules + +### Security Scanning +1. **Container Images**: Trivy in CI/CD +2. **Infrastructure**: Checkov for Terraform +3. **Runtime**: Falco for anomaly detection +4. **Policy**: OPA for compliance enforcement + +## Disaster Recovery + +### Backup Strategy +- **Kubernetes**: Velero daily/weekly backups +- **Database**: RDS automated backups + manual snapshots +- **Storage**: EBS snapshots +- **Cross-region**: S3 replication for critical data + +### Recovery Objectives +- **RTO**: 4 hours for complete infrastructure +- **RPO**: 1 hour for data loss +- **Testing**: Monthly DR drills + +## Cost Optimization + +### Strategies +1. 
**Resource Right-sizing**: VPA recommendations +2. **Spot Instances**: Karpenter for non-critical workloads +3. **Storage Optimization**: GP3 for better price/performance +4. **Reserved Instances**: For predictable workloads + +### Monitoring +- **Kubecost**: Kubernetes cost visibility +- **AWS Cost Explorer**: Infrastructure cost analysis +- **Automated Cleanup**: Unused resources identification + +## Performance Optimization + +### Auto-scaling +- **HPA**: CPU/Memory-based pod scaling +- **VPA**: Resource recommendation and adjustment +- **KEDA**: Event-driven scaling (queue length, metrics) +- **Cluster Autoscaler**: Node-level scaling + +### Load Testing +- **K6**: Automated performance testing +- **Chaos Engineering**: Failure injection testing +- **SLI/SLO**: Service level monitoring + +## Operational Procedures + +### Deployment Process +1. Developer pushes code to GitHub +2. Jenkins builds and tests application +3. Jenkins pushes image to GHCR +4. Jenkins updates GitOps repository +5. ArgoCD syncs changes to Kubernetes +6. Progressive delivery monitors health + +### Incident Response +1. **Detection**: Automated alerting via AlertManager +2. **Notification**: Slack/PagerDuty escalation +3. **Response**: Runbook-driven remediation +4. **Recovery**: Automated rollback if needed +5. 
**Post-mortem**: Root cause analysis + +## Team Responsibilities + +### DevOps Team +- Infrastructure maintenance +- CI/CD pipeline management +- Security compliance +- Performance optimization + +### Development Teams +- Application deployment +- Resource requirements definition +- Application monitoring setup +- Performance testing + +### Operations Team +- Incident response +- Backup verification +- Capacity planning +- Change management +EOF + +# 12.1.2 Operational runbooks +cat > ~/devops-infrastructure/docs/operational-runbooks.md << 'EOF' +# Operational Runbooks + +## Incident Response Procedures + +### High CPU Usage Alert + +#### Symptoms +- AlertManager fires "High CPU Usage" alert +- Application response times increase +- Users report slowness + +#### Investigation Steps +```bash +# 1. Check current CPU usage +kubectl top pods -n --sort-by=cpu + +# 2. Check HPA status +kubectl get hpa -n + +# 3. Check pod resource limits +kubectl describe pod -n + +# 4. Review metrics in Grafana +# Go to CPU Usage dashboard: https://grafana.yourdomain.com/d/cpu-usage +``` + +#### Resolution Steps +```bash +# 1. Immediate: Scale up manually if HPA not working +kubectl scale deployment --replicas= -n + +# 2. Check for resource limits +kubectl patch deployment -n --patch ' +{ + "spec": { + "template": { + "spec": { + "containers": [ + { + "name": "", + "resources": { + "limits": { + "cpu": "1000m", + "memory": "1Gi" + } + } + } + ] + } + } + } +}' + +# 3. Restart problematic pods +kubectl rollout restart deployment -n +``` + +#### Prevention +- Implement proper resource requests/limits +- Set up HPA with appropriate thresholds +- Regular load testing + +### Database Connection Issues + +#### Symptoms +- Applications cannot connect to database +- Connection timeout errors +- Database-related alerts + +#### Investigation Steps +```bash +# 1. 
Check database connectivity from pod +kubectl run db-test --rm -i --tty --image=postgres:15-alpine -- \ + psql -h -U -d -c "SELECT 1;" + +# 2. Check database secret +kubectl get secret database-secret -n -o yaml + +# 3. Check RDS status +aws rds describe-db-instances --db-instance-identifier + +# 4. Check security groups +aws ec2 describe-security-groups --group-ids +``` + +#### Resolution Steps +```bash +# 1. Restart application pods +kubectl rollout restart deployment -n + +# 2. Check and update database credentials +kubectl patch secret database-secret -n --patch ' +{ + "data": { + "password": "" + } +}' + +# 3. If RDS issue, check AWS console and restart if needed +aws rds reboot-db-instance --db-instance-identifier +``` + +### Pod Stuck in Pending State + +#### Investigation Steps +```bash +# 1. Describe the pod +kubectl describe pod -n + +# 2. Check node resources +kubectl describe nodes + +# 3. Check PVC status if using persistent storage +kubectl get pvc -n + +# 4. Check for resource quotas +kubectl describe quota -n +``` + +#### Resolution Steps +```bash +# 1. If insufficient resources, scale cluster +aws eks update-nodegroup-config \ + --cluster-name \ + --nodegroup-name \ + --scaling-config minSize=,maxSize=,desiredSize= + +# 2. If PVC issue, check storage class +kubectl get storageclass + +# 3. If quota exceeded, increase or clean up resources +kubectl delete deployment -n +``` + +## Maintenance Procedures + +### Kubernetes Cluster Upgrade + +#### Pre-upgrade Checklist +- [ ] Backup cluster state with Velero +- [ ] Review breaking changes in new version +- [ ] Test upgrade in staging environment +- [ ] Notify team about maintenance window +- [ ] Prepare rollback plan + +#### Upgrade Steps +```bash +# 1. Update control plane +aws eks update-cluster-version \ + --name \ + --version + +# 2. Wait for update completion +aws eks wait cluster-active --name + +# 3. 
Update node groups +aws eks update-nodegroup-version \ + --cluster-name \ + --nodegroup-name \ + --version + +# 4. Update addons +aws eks update-addon \ + --cluster-name \ + --addon-name vpc-cni \ + --addon-version + +# 5. Verify cluster health +kubectl get nodes +kubectl get pods --all-namespaces +``` + +### Database Maintenance + +#### Monthly Tasks +```bash +# 1. Review database performance +aws rds describe-db-instances \ + --db-instance-identifier \ + --query 'DBInstances[0].PerformanceInsights' + +# 2. Cleanup old snapshots +aws rds describe-db-snapshots \ + --db-instance-identifier \ + --snapshot-type manual \ + --query 'DBSnapshots[30:].[DBSnapshotIdentifier]' \ + --output text | \ + xargs -I {} aws rds delete-db-snapshot --db-snapshot-identifier {} + +# 3. Analyze slow queries +# Access RDS Performance Insights dashboard +``` + +### Certificate Renewal + +#### Let's Encrypt Certificates +```bash +# 1. Check certificate expiry +kubectl get certificates -A + +# 2. Force renewal if needed +kubectl annotate certificate -n \ + cert-manager.io/issue-temporary-certificate="true" + +# 3. Verify renewal +kubectl describe certificate -n +``` + +## Monitoring and Alerting + +### Key Metrics to Monitor + +#### Infrastructure +- Node CPU/Memory usage > 80% +- Disk usage > 85% +- Network connectivity issues +- Pod restart frequency + +#### Application +- Response time > 2s (95th percentile) +- Error rate > 5% +- Request rate anomalies +- Database connection pool exhaustion + +#### Security +- Failed authentication attempts +- Privilege escalation attempts +- Unusual network traffic +- Policy violations + +### Alert Escalation + +#### Severity Levels +1. **P1 (Critical)**: Immediate response (5 min) + - Production down + - Data breach + - Security incident + +2. **P2 (High)**: 30 min response + - Performance degradation + - Service partially down + - High error rates + +3. 
**P3 (Medium)**: 2 hour response + - Non-critical service issues + - Capacity warnings + - Configuration issues + +4. **P4 (Low)**: Next business day + - Informational alerts + - Optimization opportunities + - Compliance warnings + +## Change Management + +### Deployment Approval Process + +#### Development Environment +- Automatic deployment on merge to `develop` branch +- No approval required +- Immediate rollback available + +#### Staging Environment +- Automatic deployment on merge to `main` branch +- Automated testing required +- Manual approval for production promotion + +#### Production Environment +- Manual approval required +- Deployment during maintenance window +- Canary deployment strategy +- Automated rollback on failure + +### Emergency Change Process +1. Incident commander approval +2. Minimal viable fix +3. Fast-track testing +4. Immediate deployment +5. Post-incident review +EOF + +# 12.1.3 Team onboarding guide +cat > ~/devops-infrastructure/docs/team-onboarding.md << 'EOF' +# Team Onboarding Guide + +## Prerequisites + +### Required Tools +1. **kubectl** - Kubernetes CLI +2. **helm** - Kubernetes package manager +3. **terraform** - Infrastructure as Code +4. **docker** - Container runtime +5. **aws-cli** - AWS command line interface +6. **argocd** - GitOps CLI +7. **git** - Version control + +### Installation Script +```bash +# Run the automated setup script +curl -fsSL https://raw.githubusercontent.com/yourusername/devops-infrastructure/main/scripts/setup-dev-environment.sh | bash +``` + +## Access Setup + +### 1. AWS Access +```bash +# Configure AWS CLI +aws configure +# Use provided access key and secret key + +# Test access +aws sts get-caller-identity +``` + +### 2. Kubernetes Access +```bash +# Configure kubectl +aws eks update-kubeconfig --region eu-west-1 --name mycompany-dev-eks + +# Test cluster access +kubectl get nodes +``` + +### 3. 
ArgoCD Access +```bash +# Login to ArgoCD +argocd login argocd.yourdomain.com + +# List applications +argocd app list +``` + +### 4. Vault Access +```bash +# Set Vault address +export VAULT_ADDR="https://vault.yourdomain.com" + +# Login with provided token +vault auth -method=userpass username= +``` + +## Development Workflow + +### 1. Application Development +```bash +# 1. Clone application repository +git clone https://github.com/yourusername/sample-app.git +cd sample-app + +# 2. Create feature branch +git checkout -b feature/new-feature + +# 3. Make changes and test locally +docker build -t sample-app:local . +docker run -p 8080:8080 sample-app:local + +# 4. Commit and push +git add . +git commit -m "feat: add new feature" +git push origin feature/new-feature + +# 5. Create pull request +# Pipeline will automatically build and deploy to dev environment +``` + +### 2. Infrastructure Changes +```bash +# 1. Clone infrastructure repository +git clone https://github.com/yourusername/devops-infrastructure.git +cd devops-infrastructure + +# 2. Make changes to Terraform +cd terraform/environments/dev +terraform plan + +# 3. Apply changes +terraform apply + +# 4. Update GitOps repository if needed +cd ../../.. +git clone https://github.com/yourusername/gitops-config.git +# Make necessary Kubernetes manifest changes +``` + +## Common Tasks + +### Deploy New Application + +#### 1. Create Kubernetes Manifests +```yaml +# applications/dev/new-app.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: new-app + namespace: dev +spec: + replicas: 2 + selector: + matchLabels: + app: new-app + template: + metadata: + labels: + app: new-app + spec: + containers: + - name: app + image: ghcr.io/yourusername/new-app:v1.0.0 + ports: + - containerPort: 8080 + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "256Mi" + cpu: "200m" +``` + +#### 2. 
Create Service and Ingress +```yaml +--- +apiVersion: v1 +kind: Service +metadata: + name: new-app + namespace: dev +spec: + selector: + app: new-app + ports: + - port: 80 + targetPort: 8080 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: new-app + namespace: dev + annotations: + kubernetes.io/ingress.class: nginx +spec: + rules: + - host: new-app-dev.yourdomain.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: new-app + port: + number: 80 +``` + +### Debug Application Issues + +#### 1. Check Pod Status +```bash +# List pods +kubectl get pods -n dev + +# Describe problematic pod +kubectl describe pod -n dev + +# Check logs +kubectl logs -n dev --tail=100 +``` + +#### 2. Access Pod for Debugging +```bash +# Execute commands in pod +kubectl exec -it -n dev -- /bin/bash + +# Port forward for local access +kubectl port-forward 8080:8080 -n dev +``` + +#### 3. Check Resource Usage +```bash +# Top pods by resource usage +kubectl top pods -n dev + +# Check HPA status +kubectl get hpa -n dev +``` + +### Scale Applications + +#### Manual Scaling +```bash +# Scale deployment +kubectl scale deployment --replicas=5 -n dev + +# Check scaling status +kubectl get deployment -n dev +``` + +#### Configure Auto-scaling +```yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: app-hpa + namespace: dev +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: app-name + minReplicas: 2 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 70 +``` + +## Monitoring and Troubleshooting + +### Access Monitoring Tools + +#### Grafana Dashboards +- **URL**: https://grafana.yourdomain.com +- **Default Dashboards**: + - Kubernetes Cluster Overview + - Application Performance + - Infrastructure Metrics + - Cost Analysis + +#### Log Analysis +- **URL**: https://logs.yourdomain.com +- **Common Queries**: + ``` + # Application 
logs + kubernetes.namespace_name:"dev" AND kubernetes.labels.app:"sample-app" + + # Error logs + level:"error" AND kubernetes.namespace_name:"dev" + + # Specific time range + @timestamp:[now-1h TO now] AND kubernetes.pod_name:"pod-name" + ``` + +#### Distributed Tracing +- **URL**: https://jaeger.yourdomain.com +- **Usage**: Search by service name, operation, or trace ID + +### Performance Testing + +#### Run Load Test +```bash +# Apply load test configuration +kubectl apply -f - < ~/devops-infrastructure/scripts/health-report.sh << 'EOF' +#!/bin/bash + +# Infrastructure Health Report Generator +set -e + +REPORT_DATE=$(date +"%Y-%m-%d") +REPORT_FILE="/tmp/infrastructure-health-report-$REPORT_DATE.md" + +cat > $REPORT_FILE << EOF +# Infrastructure Health Report - $REPORT_DATE + +## Executive Summary +Generated at: $(date) +Report Period: Last 24 hours + +## Cluster Health + +### Node Status +\`\`\` +$(kubectl get nodes -o wide) +\`\`\` + +### Resource Utilization +\`\`\` +$(kubectl top nodes) +\`\`\` + +### Pod Status Summary +\`\`\` +$(kubectl get pods --all-namespaces | grep -E "(Running|Pending|Failed|Error)" | awk '{print $4}' | sort | uniq -c) +\`\`\` + +## Application Health + +### Deployment Status +\`\`\` +$(kubectl get deployments --all-namespaces) +\`\`\` + +### Failed Pods (if any) +\`\`\` +$(kubectl get pods --all-namespaces --field-selector=status.phase=Failed) +\`\`\` + +### HPA Status +\`\`\` +$(kubectl get hpa --all-namespaces) +\`\`\` + +## Security Status + +### Pod Security Policy Violations +\`\`\` +$(kubectl get events --all-namespaces | grep -i "security\|policy" | head -10) +\`\`\` + +### Certificate Status +\`\`\` +$(kubectl get certificates --all-namespaces) +\`\`\` + +## Cost Summary + +### Resource Requests vs Limits +\`\`\` +$(kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.status.phase=="Running") | "\(.metadata.namespace)/\(.metadata.name): CPU Req: \(.spec.containers[0].resources.requests.cpu // "none"), Mem Req: 
\(.spec.containers[0].resources.requests.memory // "none")"') +\`\`\` + +## Backup Status + +### Velero Backup Status +\`\`\` +$(velero backup get | head -10) +\`\`\` + +### Latest Backup Results +\`\`\` +$(velero backup describe $(velero backup get -o name | head -1 | cut -d'/' -f2) | grep -E "(Status|Started|Completed)") +\`\`\` + +## Alerts Summary + +### Active Alerts (Last 24h) +\`\`\` +$(curl -s "http://kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local:9093/api/v1/alerts" | jq -r '.data[] | select(.status.state=="firing") | "\(.labels.alertname): \(.labels.severity)"' | sort | uniq -c) +\`\`\` + +## Performance Metrics + +### Top Resource Consuming Pods +\`\`\` +$(kubectl top pods --all-namespaces --sort-by=cpu | head -10) +\`\`\` + +## Recommendations + +EOF + +# Add recommendations based on findings +echo "### Current Issues" >> $REPORT_FILE + +# Check for pods without resource limits +NO_LIMITS=$(kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.status.phase=="Running") | select(.spec.containers[0].resources.limits == null) | "\(.metadata.namespace)/\(.metadata.name)"' | wc -l) +if [ $NO_LIMITS -gt 0 ]; then + echo "- $NO_LIMITS pods running without resource limits" >> $REPORT_FILE +fi + +# Check for high CPU usage +HIGH_CPU_NODES=$(kubectl top nodes --no-headers | awk '$3 > 80 {count++} END {print count+0}') +if [ $HIGH_CPU_NODES -gt 0 ]; then + echo "- $HIGH_CPU_NODES nodes with high CPU usage (>80%)" >> $REPORT_FILE +fi + +# Check for failed pods +FAILED_PODS=$(kubectl get pods --all-namespaces --field-selector=status.phase=Failed --no-headers | wc -l) +if [ $FAILED_PODS -gt 0 ]; then + echo "- $FAILED_PODS failed pods need investigation" >> $REPORT_FILE +fi + +echo "" >> $REPORT_FILE +echo "### Optimization Opportunities" >> $REPORT_FILE +echo "- Review VPA recommendations for resource optimization" >> $REPORT_FILE +echo "- Consider implementing HPA for variable workloads" >> $REPORT_FILE +echo "- Evaluate spot 
instance usage for cost savings" >> $REPORT_FILE + +echo "Report generated: $REPORT_FILE" + +# Send to Slack if webhook configured +if [ ! -z "$SLACK_WEBHOOK_URL" ]; then + curl -X POST -H 'Content-type: application/json' \ + --data "{\"text\":\"📊 Daily Infrastructure Health Report generated for $REPORT_DATE\"}" \ + $SLACK_WEBHOOK_URL +fi +EOF + +chmod +x ~/devops-infrastructure/scripts/health-report.sh + +# 12.2.2 Automated health report CronJob +cat > health-report-cronjob.yaml << 'EOF' +apiVersion: batch/v1 +kind: CronJob +metadata: + name: infrastructure-health-report + namespace: monitoring +spec: + schedule: "0 8 * * *" # Daily at 8 AM + jobTemplate: + spec: + template: + spec: + serviceAccountName: health-reporter + containers: + - name: reporter + image: bitnami/kubectl:latest + command: + - /bin/bash + - -c + - | + # Install required tools + apt-get update && apt-get install -y curl jq + + # Generate report + /scripts/health-report.sh + + # Upload to S3 if configured + if [ ! -z "$S3_BUCKET" ]; then + aws s3 cp /tmp/infrastructure-health-report-*.md s3://$S3_BUCKET/reports/ + fi + env: + - name: S3_BUCKET + value: "mycompany-reports" + - name: SLACK_WEBHOOK_URL + valueFrom: + secretKeyRef: + name: slack-webhook + key: url + volumeMounts: + - name: scripts + mountPath: /scripts + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "256Mi" + cpu: "200m" + volumes: + - name: scripts + configMap: + name: health-report-scripts + defaultMode: 0755 + restartPolicy: OnFailure +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: health-reporter + namespace: monitoring + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/health-reporter-role +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: health-reporter +rules: +- apiGroups: [""] + resources: ["nodes", "pods", "services", "events"] + verbs: ["get", "list"] +- apiGroups: ["apps"] + resources: ["deployments", "replicasets"] + 
verbs: ["get", "list"] +- apiGroups: ["autoscaling"] + resources: ["horizontalpodautoscalers"] + verbs: ["get", "list"] +- apiGroups: ["metrics.k8s.io"] + resources: ["nodes", "pods"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: health-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: health-reporter +subjects: +- kind: ServiceAccount + name: health-reporter + namespace: monitoring +EOF + +# ConfigMap for scripts +kubectl create configmap health-report-scripts \ + --from-file=health-report.sh=~/devops-infrastructure/scripts/health-report.sh \ + -n monitoring + +kubectl apply -f health-report-cronjob.yaml +``` + +### 🎓 **12.3 Training and Knowledge Transfer** + +```bash +# 12.3.1 Training curriculum +cat > ~/devops-infrastructure/docs/training-curriculum.md << 'EOF' +# DevOps Team Training Curriculum + +## Week 1: Fundamentals + +### Day 1-2: Kubernetes Basics +- **Topics**: Pods, Services, Deployments, ConfigMaps, Secrets +- **Hands-on**: Deploy sample application +- **Assessment**: Create multi-tier application deployment + +### Day 3-4: Infrastructure as Code +- **Topics**: Terraform basics, AWS resources, State management +- **Hands-on**: Create VPC and EKS cluster +- **Assessment**: Deploy complete infrastructure + +### Day 5: CI/CD Fundamentals +- **Topics**: Jenkins, Pipeline as Code, Docker +- **Hands-on**: Create build pipeline +- **Assessment**: End-to-end deployment pipeline + +## Week 2: Advanced Topics + +### Day 1-2: GitOps and Progressive Delivery +- **Topics**: ArgoCD, Argo Rollouts, Canary deployments +- **Hands-on**: Setup GitOps workflow +- **Assessment**: Implement progressive delivery + +### Day 3: Monitoring and Observability +- **Topics**: Prometheus, Grafana, Jaeger, Log analysis +- **Hands-on**: Create custom dashboards +- **Assessment**: End-to-end observability setup + +### Day 4: Security Best Practices +- **Topics**: Vault, RBAC, 
Network Policies, Image scanning +- **Hands-on**: Implement security controls +- **Assessment**: Security audit and remediation + +### Day 5: Troubleshooting and Operations +- **Topics**: Debugging techniques, Performance tuning, Incident response +- **Hands-on**: Simulate and resolve incidents +- **Assessment**: Handle real-world scenarios + +## Ongoing Learning + +### Monthly Topics +- **Month 1**: Cost optimization and resource management +- **Month 2**: Advanced networking and service mesh +- **Month 3**: Disaster recovery and backup strategies +- **Month 4**: Chaos engineering and reliability +- **Month 5**: Multi-cluster and multi-cloud strategies +- **Month 6**: Advanced security and compliance + +### Certification Paths +1. **AWS Certified DevOps Engineer** +2. **Certified Kubernetes Administrator (CKA)** +3. **Certified Kubernetes Security Specialist (CKS)** +4. **HashiCorp Certified: Terraform Associate** + +## Lab Exercises + +### Exercise 1: Application Deployment +```bash +# Deploy sample application with monitoring +kubectl apply -f - < ~/devops-infrastructure/scripts/setup-knowledge-base.sh << 'EOF' +#!/bin/bash + +# Knowledge Base Setup Script +set -e + +echo "📚 Setting up team knowledge base..." + +# Create knowledge base structure +mkdir -p ~/devops-infrastructure/docs/{architecture,runbooks,tutorials,troubleshooting,best-practices} + +# Architecture documentation +echo "Creating architecture documentation..." +cat > ~/devops-infrastructure/docs/architecture/README.md << 'ARCH_EOF' +# Architecture Documentation + +## Overview +This directory contains all architecture-related documentation. 
+ +## Contents +- `system-overview.md` - High-level system architecture +- `data-flow.md` - Data flow diagrams and explanations +- `security-architecture.md` - Security design and controls +- `networking.md` - Network architecture and routing +- `disaster-recovery.md` - DR architecture and procedures + +## Diagrams +All diagrams are created using Mermaid and can be viewed in GitHub or VS Code with the Mermaid extension. +ARCH_EOF + +# Runbooks directory +echo "Creating runbooks..." +cat > ~/devops-infrastructure/docs/runbooks/README.md << 'RUN_EOF' +# Operational Runbooks + +## Purpose +Step-by-step procedures for common operational tasks and incident response. + +## Runbook Categories +- `incident-response/` - Emergency response procedures +- `maintenance/` - Scheduled maintenance procedures +- `deployment/` - Deployment and rollback procedures +- `monitoring/` - Monitoring and alerting procedures + +## Runbook Template +Each runbook should include: +1. Purpose and scope +2. Prerequisites +3. Step-by-step procedures +4. Verification steps +5. Rollback procedures +6. Post-completion tasks +RUN_EOF + +# Create searchable index +echo "Creating searchable documentation index..." 
+cat > ~/devops-infrastructure/scripts/generate-docs-index.sh << 'INDEX_EOF' +#!/bin/bash + +# Generate searchable documentation index +echo "# Documentation Index" > ~/devops-infrastructure/docs/INDEX.md +echo "Generated on: $(date)" >> ~/devops-infrastructure/docs/INDEX.md +echo "" >> ~/devops-infrastructure/docs/INDEX.md + +find ~/devops-infrastructure/docs -name "*.md" -not -name "INDEX.md" | while read file; do + echo "## $(basename "$file" .md)" >> ~/devops-infrastructure/docs/INDEX.md + echo "**Path:** $file" >> ~/devops-infrastructure/docs/INDEX.md + echo "" >> ~/devops-infrastructure/docs/INDEX.md + # Extract first paragraph as summary + head -10 "$file" | grep -E "^[A-Za-z]" | head -1 >> ~/devops-infrastructure/docs/INDEX.md + echo "" >> ~/devops-infrastructure/docs/INDEX.md +done + +echo "Documentation index generated!" +INDEX_EOF + +chmod +x ~/devops-infrastructure/scripts/generate-docs-index.sh + +echo "✅ Knowledge base structure created!" +echo "Run ~/devops-infrastructure/scripts/generate-docs-index.sh to create searchable index" +EOF + +chmod +x ~/devops-infrastructure/scripts/setup-knowledge-base.sh +./~/devops-infrastructure/scripts/setup-knowledge-base.sh +``` + +--- diff --git a/RoadMap/advanced/12-final-validation.md b/RoadMap/advanced/12-final-validation.md new file mode 100644 index 0000000..2321377 --- /dev/null +++ b/RoadMap/advanced/12-final-validation.md 
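Review bot: In the health-report.sh heredoc (12.2.1), the inner `cat > $REPORT_FILE << EOF` reuses the terminator of the outer `<< 'EOF'`, so the outer heredoc ends at the inner `EOF` line under `## Recommendations`; everything after it (the "Current Issues" checks, the Slack `curl`, the closing `EOF`) runs in the current shell instead of being written into the script, and the file that gets `chmod +x` is truncated. Use a distinct inner terminator, as setup-knowledge-base.sh already does with `ARCH_EOF`/`RUN_EOF`/`INDEX_EOF`. Two smaller defects in the same script: `awk '$3 > 80 {count++} END {print count+0}'` compares the `CPU%` column as a string (`"9%" > 80` is true, `"100%" > 80` is false), so write `$3+0 > 80` as the validation script does, and the final `./~/devops-infrastructure/scripts/setup-knowledge-base.sh` looks for a literal `./~` directory, so drop the `./` prefix. For the CronJob (12.2.2), the script calls `jq`, `velero` and `aws`, none of which ship in `bitnami/kubectl`, and that image runs as a non-root user so the `apt-get install` step will fail; bake the tools into a purpose-built image instead. The `health-reporter` ClusterRole also grants no read access to cert-manager `certificates` or Velero `backups`, so those report sections will be denied; add minimal get/list rules for those API groups rather than widening the existing ones.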
@@ -0,0 +1,624 @@ +# 🎉 **FINAL SETUP AND VALIDATION** (Gün 27-28) + +### ✅ **13.1 End-to-End Testing** + +```bash +# 13.1.1 Complete system validation script +cat > ~/devops-infrastructure/scripts/system-validation.sh << 'EOF' +#!/bin/bash + +# Complete System Validation Script +set -e + +echo "🧪 Starting End-to-End System Validation..." +echo "==========================================" + +# Colors for output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color + +SUCCESS_COUNT=0 +TOTAL_TESTS=0 + +check_test() { + local test_name="$1" + local test_command="$2" + + TOTAL_TESTS=$((TOTAL_TESTS + 1)) + echo -n "Testing $test_name... " + + if eval "$test_command" &>/dev/null; then + echo -e "${GREEN}✓ PASS${NC}" + SUCCESS_COUNT=$((SUCCESS_COUNT + 1)) + return 0 + else + echo -e "${RED}✗ FAIL${NC}" + return 1 + fi +} + +echo "🔧 Infrastructure Tests" +echo "----------------------" + +# AWS connectivity +check_test "AWS CLI access" "aws sts get-caller-identity" + +# Terraform state +check_test "Terraform state accessible" "terraform show -json > /dev/null" || true + +# EKS cluster +check_test "EKS cluster connectivity" "kubectl get nodes" + +# Core system pods +check_test "CoreDNS running" "kubectl get pods -n kube-system -l k8s-app=kube-dns | grep Running" +check_test "AWS Load Balancer Controller" "kubectl get pods -n kube-system -l app.kubernetes.io/name=aws-load-balancer-controller | grep Running" + +echo "" +echo "📊 Monitoring Stack Tests" +echo "-------------------------" + +# Prometheus +check_test "Prometheus accessible" "kubectl get pods -n monitoring -l app.kubernetes.io/name=prometheus | grep Running" + +# Grafana +check_test "Grafana accessible" "kubectl get pods -n monitoring -l app.kubernetes.io/name=grafana | grep Running" + +# AlertManager +check_test "AlertManager accessible" "kubectl get pods -n monitoring -l app.kubernetes.io/name=alertmanager | grep Running" + +echo "" +echo "📝 Logging Stack Tests" +echo 
"----------------------" + +# Fluent Bit +check_test "Fluent Bit running" "kubectl get pods -n logging -l app.kubernetes.io/name=fluent-bit | grep Running" + +# OpenSearch +check_test "OpenSearch cluster healthy" "kubectl get pods -n logging -l app=opensearch | grep Running" + +echo "" +echo "🔒 Security Tests" +echo "----------------" + +# Vault +check_test "Vault cluster running" "kubectl get pods -n vault -l app.kubernetes.io/name=vault | grep Running" + +# External Secrets Operator +check_test "External Secrets Operator" "kubectl get pods -n external-secrets | grep Running" + +# Falco +check_test "Falco security monitoring" "kubectl get pods -n falco -l app.kubernetes.io/name=falco | grep Running" + +echo "" +echo "🔄 GitOps Tests" +echo "---------------" + +# ArgoCD +check_test "ArgoCD server running" "kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server | grep Running" + +# ArgoCD applications +check_test "ArgoCD applications synced" "argocd app list | grep -E 'Synced.*Healthy'" + +echo "" +echo "💾 Backup Tests" +echo "---------------" + +# Velero +check_test "Velero backup controller" "kubectl get pods -n velero -l app.kubernetes.io/name=velero | grep Running" + +# Recent backup +check_test "Recent backup exists" "velero backup get | grep Completed | head -1" + +echo "" +echo "🚀 Application Tests" +echo "--------------------" + +# Sample application +check_test "Sample application running" "kubectl get pods -n dev -l app=sample-app | grep Running" || true + +# Ingress connectivity +check_test "Ingress controller responsive" "kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx | grep Running" + +echo "" +echo "📈 Performance Tests" +echo "-------------------" + +# HPA +check_test "HPA controllers active" "kubectl get hpa --all-namespaces | grep -v TARGETS" || true + +# VPA +check_test "VPA recommendations available" "kubectl get vpa --all-namespaces" || true + +# Resource usage +check_test "Node resource usage healthy" 
"kubectl top nodes --no-headers | awk '\$3+0 < 90 && \$5+0 < 90' | wc -l | grep -v '^0-vpa + namespace: monitoring +spec: + targetRef: + apiVersion: apps/v1 + kind: StatefulSet" + +echo "" +echo "🌐 Network Tests" +echo "---------------" + +# CoreDNS resolution +check_test "DNS resolution working" "kubectl exec -n kube-system deployments/coredns -- nslookup kubernetes.default.svc.cluster.local" + +# Pod-to-pod communication +check_test "Inter-pod communication" "kubectl run network-test --image=busybox --rm -it --restart=Never -- nslookup kubernetes.default" || true + +echo "" +echo "🔐 Certificate Tests" +echo "-------------------" + +# Cert-manager +check_test "Cert-manager running" "kubectl get pods -n cert-manager | grep Running" + +# Certificate issuers +check_test "Certificate issuers ready" "kubectl get clusterissuers | grep True" + +# Valid certificates +check_test "TLS certificates valid" "kubectl get certificates --all-namespaces | grep True" || true + +echo "" +echo "📊 Cost Monitoring Tests" +echo "------------------------" + +# Kubecost +check_test "Kubecost running" "kubectl get pods -n kubecost | grep Running" || true + +echo "" +echo "🔍 Observability Tests" +echo "----------------------" + +# Jaeger +check_test "Jaeger tracing available" "kubectl get pods -n observability -l app.kubernetes.io/name=jaeger | grep Running" || true + +# OpenTelemetry +check_test "OpenTelemetry collector" "kubectl get pods -n observability -l app.kubernetes.io/name=opentelemetry-collector | grep Running" || true + +echo "" +echo "================================================" +echo "🎯 VALIDATION SUMMARY" +echo "================================================" +echo "Total Tests: $TOTAL_TESTS" +echo "Passed: $SUCCESS_COUNT" +echo "Failed: $((TOTAL_TESTS - SUCCESS_COUNT))" + +if [ $SUCCESS_COUNT -eq $TOTAL_TESTS ]; then + echo -e "${GREEN}🎉 ALL TESTS PASSED! 
System is fully operational.${NC}" + exit 0 +elif [ $SUCCESS_COUNT -gt $((TOTAL_TESTS * 80 / 100)) ]; then + echo -e "${YELLOW}⚠️ Most tests passed. Minor issues detected.${NC}" + exit 0 +else + echo -e "${RED}❌ Critical issues detected. System requires attention.${NC}" + exit 1 +fi +EOF + +chmod +x ~/devops-infrastructure/scripts/system-validation.sh + +# 13.1.2 Automated testing pipeline +cat > ~/devops-infrastructure/jenkins/system-validation-pipeline.groovy << 'EOF' +pipeline { + agent { + kubernetes { + yaml """ + apiVersion: v1 + kind: Pod + spec: + containers: + - name: kubectl + image: bitnami/kubectl:latest + command: + - cat + tty: true + - name: argocd + image: argoproj/argocd:latest + command: + - cat + tty: true + - name: velero + image: velero/velero:latest + command: + - cat + tty: true + """ + } + } + + triggers { + cron('0 6 * * *') // Daily at 6 AM + } + + stages { + stage('System Validation') { + steps { + container('kubectl') { + script { + sh ''' + # Copy validation script + curl -fsSL https://raw.githubusercontent.com/yourusername/devops-infrastructure/main/scripts/system-validation.sh -o validation.sh + chmod +x validation.sh + + # Run validation + ./validation.sh + ''' + } + } + } + } + + stage('Generate Report') { + steps { + container('kubectl') { + sh ''' + # Generate detailed report + echo "# System Health Report - $(date)" > system-report.md + echo "" >> system-report.md + + echo "## Cluster Overview" >> system-report.md + echo "\`\`\`" >> system-report.md + kubectl get nodes -o wide >> system-report.md + echo "\`\`\`" >> system-report.md + + echo "## Pod Status" >> system-report.md + echo "\`\`\`" >> system-report.md + kubectl get pods --all-namespaces | grep -v Running | head -20 >> system-report.md + echo "\`\`\`" >> system-report.md + + echo "## Resource Usage" >> system-report.md + echo "\`\`\`" >> system-report.md + kubectl top nodes >> system-report.md + echo "\`\`\`" >> system-report.md + + # Archive report + cat 
system-report.md + ''' + } + } + } + } + + post { + success { + slackSend( + channel: '#infrastructure', + color: 'good', + message: "✅ Daily system validation completed successfully" + ) + } + failure { + slackSend( + channel: '#infrastructure', + color: 'danger', + message: "❌ Daily system validation failed. Immediate attention required!" + ) + } + always { + archiveArtifacts artifacts: '*.md', allowEmptyArchive: true + } + } +} +EOF + +# 13.1.3 Çalıştır +~/devops-infrastructure/scripts/system-validation.sh +``` + +### 📚 **13.2 Final Documentation** + +```bash +# 13.2.1 Complete setup summary +cat > ~/devops-infrastructure/README.md << 'EOF' +# DevOps Infrastructure - Complete Setup + +🎉 **Congratulations!** You have successfully deployed a production-ready DevOps infrastructure. + +## 🏗️ What We've Built + +### Infrastructure Components +- ✅ **AWS EKS Cluster** - Managed Kubernetes with auto-scaling +- ✅ **VPC & Networking** - Multi-AZ setup with security groups +- ✅ **RDS PostgreSQL** - Managed database with backups +- ✅ **ElastiCache Redis** - In-memory caching +- ✅ **Application Load Balancer** - SSL termination and routing + +### CI/CD Pipeline +- ✅ **Jenkins** - Automated build and deployment +- ✅ **ArgoCD** - GitOps continuous deployment +- ✅ **GitHub Container Registry** - Container image storage +- ✅ **Progressive Delivery** - Canary and blue-green deployments + +### Monitoring & Observability +- ✅ **Prometheus** - Metrics collection and storage +- ✅ **Grafana** - Visualization and dashboards +- ✅ **AlertManager** - Intelligent alerting +- ✅ **Jaeger** - Distributed tracing +- ✅ **OpenSearch** - Log aggregation and search +- ✅ **Fluent Bit** - Log collection + +### Security +- ✅ **HashiCorp Vault** - Secrets management +- ✅ **External Secrets Operator** - Kubernetes-Vault integration +- ✅ **Falco** - Runtime security monitoring +- ✅ **OPA Gatekeeper** - Policy enforcement +- ✅ **Network Policies** - Micro-segmentation +- ✅ **Pod Security Standards** - 
Container security + +### Backup & DR +- ✅ **Velero** - Kubernetes backup and restore +- ✅ **RDS Automated Backups** - Database recovery +- ✅ **Cross-region Replication** - Disaster recovery +- ✅ **Automated Testing** - DR drill automation + +### Cost Optimization +- ✅ **Kubecost** - Kubernetes cost visibility +- ✅ **VPA/HPA** - Resource optimization +- ✅ **Spot Instances** - Cost-effective compute +- ✅ **Resource Quotas** - Spend control + +## 🚀 Access URLs + +| Service | URL | Purpose | +|---------|-----|---------| +| ArgoCD | https://argocd.yourdomain.com | GitOps Management | +| Grafana | https://grafana.yourdomain.com | Monitoring Dashboards | +| Jaeger | https://jaeger.yourdomain.com | Distributed Tracing | +| OpenSearch | https://logs.yourdomain.com | Log Analysis | +| Vault | https://vault.yourdomain.com | Secrets Management | +| Jenkins | https://jenkins.yourdomain.com | CI/CD Pipelines | +| Kubecost | https://kubecost.yourdomain.com | Cost Analytics | + +## 🔑 Default Credentials + +```bash +# ArgoCD +Username: admin +Password: $(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d) + +# Grafana +Username: admin +Password: AdminPassword123! + +# Vault Root Token +Token: $(cat cluster-keys.json | jq -r ".root_token") +``` + +## 📊 System Overview + +```bash +# Check overall system health +kubectl get nodes +kubectl get pods --all-namespaces | grep -v Running + +# Monitor resource usage +kubectl top nodes +kubectl top pods --all-namespaces --sort-by=cpu + +# Check applications +argocd app list +helm list --all-namespaces +``` + +## 🛠️ Common Operations + +### Deploy New Application +```bash +# 1. Add application manifests to GitOps repo +cd gitops-config/applications/dev +# Create your application YAML files + +# 2. Commit and push +git add . +git commit -m "Add new application" +git push origin main + +# 3. 
ArgoCD will automatically sync +argocd app sync +``` + +### Scale Applications +```bash +# Manual scaling +kubectl scale deployment --replicas=5 -n + +# Auto-scaling with HPA +kubectl autoscale deployment --cpu-percent=70 --min=2 --max=10 -n +``` + +### Check Logs +```bash +# Pod logs +kubectl logs -n --tail=100 + +# Application logs in OpenSearch +# Visit: https://logs.yourdomain.com +# Query: kubernetes.namespace_name:"dev" AND kubernetes.labels.app:"your-app" +``` + +### Monitor Performance +```bash +# Real-time metrics +kubectl top pods -n + +# Grafana dashboards +# Visit: https://grafana.yourdomain.com +# Check: Kubernetes Cluster Overview dashboard +``` + +### Backup and Restore +```bash +# Create backup +velero backup create --include-namespaces + +# Restore from backup +velero restore create --from-backup + +# Check backup status +velero backup describe +``` + +## 🚨 Troubleshooting + +### Pod Issues +```bash +# Pod not starting +kubectl describe pod -n +kubectl logs -n + +# Resource issues +kubectl top pods -n +kubectl describe node +``` + +### Network Issues +```bash +# DNS resolution +kubectl exec -it -n -- nslookup kubernetes.default + +# Service connectivity +kubectl exec -it -n -- curl ..svc.cluster.local +``` + +### Storage Issues +```bash +# PVC status +kubectl get pvc -n +kubectl describe pvc -n + +# Storage classes +kubectl get storageclass +``` + +## 📈 Performance Optimization + +### Resource Right-sizing +```bash +# Check VPA recommendations +kubectl get vpa --all-namespaces + +# Apply VPA recommendations +kubectl patch deployment -n --patch ' +{ + "spec": { + "template": { + "spec": { + "containers": [ + { + "name": "", + "resources": { + "requests": { + "cpu": "", + "memory": "" + } + } + } + ] + } + } + } +}' +``` + +### Cost Optimization +```bash +# Check cost recommendations +# Visit: https://kubecost.yourdomain.com + +# Use spot instances for development +kubectl taint node spot=true:NoSchedule + +# Implement resource quotas +kubectl apply 
-f resource-quotas.yaml +``` + +## 🔒 Security Best Practices + +### Regular Security Tasks +```bash +# Update base images regularly +docker pull nginx:alpine +docker tag nginx:alpine ghcr.io/yourusername/nginx:latest +docker push ghcr.io/yourusername/nginx:latest + +# Scan for vulnerabilities +trivy image + +# Check for policy violations +kubectl get events --all-namespaces | grep -i policy + +# Review Falco alerts +kubectl logs -l app.kubernetes.io/name=falco -n falco +``` + +### Certificate Management +```bash +# Check certificate status +kubectl get certificates --all-namespaces + +# Force certificate renewal +kubectl annotate certificate -n \ + cert-manager.io/issue-temporary-certificate="true" +``` + +## 📚 Additional Resources + +### Documentation +- [Kubernetes Documentation](https://kubernetes.io/docs/) +- [AWS EKS User Guide](https://docs.aws.amazon.com/eks/) +- [Terraform Documentation](https://www.terraform.io/docs/) +- [ArgoCD Documentation](https://argo-cd.readthedocs.io/) + +### Monitoring +- [Prometheus Best Practices](https://prometheus.io/docs/practices/) +- [Grafana Dashboards](https://grafana.com/grafana/dashboards/) +- [SRE Workbook](https://sre.google/workbook/table-of-contents/) + +### Security +- [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes) +- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) +- [OWASP Container Security](https://owasp.org/www-project-container-security/) + +## 🆘 Support and Contacts + +### Internal Support +- **DevOps Team**: #devops-team (Slack) +- **On-call Engineer**: +90-XXX-XXX-XXXX +- **Documentation**: `~/devops-infrastructure/docs/` + +### Emergency Procedures +1. **Production Down**: Follow incident response runbook +2. **Security Incident**: Contact security team immediately +3. **Data Loss**: Initiate disaster recovery procedures + +--- + +## 🎉 Congratulations! 
+ +You now have a **production-ready, enterprise-grade DevOps infrastructure** that includes: + +✅ **Automated Infrastructure** - Everything as code +✅ **Continuous Deployment** - GitOps workflow +✅ **Comprehensive Monitoring** - Full observability stack +✅ **Enterprise Security** - Multi-layer security controls +✅ **Disaster Recovery** - Automated backup and restore +✅ **Cost Optimization** - Resource efficiency and cost visibility +✅ **Performance Management** - Auto-scaling and optimization +✅ **Team Processes** - Documentation and runbooks + +**Your infrastructure is ready to support modern application development and deployment at scale!** 🚀 + +--- + +*Generated on: $(date)* +*Infrastructure Version: v1.0.0* +*Last Updated: $(date '+%Y-%m-%d %H:%M:%S')* +EOF + +# 13.2.2 Quick start guide +cat > ~/devops-infrastructure/QUICKSTART.md << 'EOF' +# 🚀 Quick Start Guide diff --git a/RoadMap/advanced/13-quickstart-30min.md b/RoadMap/advanced/13-quickstart-30min.md new file mode 100644 index 0000000..2d09a2d --- /dev/null +++ b/RoadMap/advanced/13-quickstart-30min.md 
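Review bot: system-validation.sh sets `set -e` while `check_test` returns 1 on failure, so the first failing check that is not followed by `|| true` (for example `check_test "AWS Load Balancer Controller" ...`) aborts the run before the summary is printed; either drop `set -e` or have the function return 0 after recording the failure. In the Jenkins pipeline (13.1.2), the stage fetches the script with `curl -fsSL https://raw.githubusercontent.com/.../main/scripts/system-validation.sh` and executes it, so the daily job runs whatever is on `main` at that moment rather than the revision that was reviewed; use `checkout scm` and run the file from the workspace. The same stage runs in the `kubectl` container, which has neither the `argocd` nor the `velero` CLI the script calls, while the `argocd` and `velero` containers declared in the pod template are never used. In the README written by 13.2.1, the "Default Credentials" block commits a static Grafana admin password (`AdminPassword123!`) and documents reading the Vault root token from `cluster-keys.json`; rotate the Grafana password at install time and keep root/unseal material out of the repository and the README. Because that heredoc is quoted (`<< 'EOF'`), the footer `*Generated on: $(date)*` will also appear literally in the file. Finally, `cert-manager.io/issue-temporary-certificate="true"` does not force a renewal (it only makes cert-manager issue a temporary self-signed certificate while the real one is pending); use `cmctl renew` or delete the certificate's Secret to trigger reissue.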
@@ -0,0 +1,113 @@ +# ⚡ 30 Dakikalık Hızlı Kurulum + +> Tüm 28 günlük planı okumadan, çalışan bir iskeleti hızlıca ayağa kaldırmak için. + +## Ön Koşul Checklist + +- [ ] AWS Account with administrative access +- [ ] Domain name for services (yourdomain.com) +- [ ] GitHub account for repositories +- [ ] Slack workspace for notifications +- [ ] Local development environment setup + +## 30-Minute Setup + +### Step 1: Initial Setup (5 minutes) +```bash +# Clone repository +git clone https://github.com/yourusername/devops-infrastructure.git +cd devops-infrastructure + +# Run automated setup +./scripts/quick-setup.sh +``` + +### Step 2: Infrastructure Deployment (15 minutes) +```bash +# Deploy AWS infrastructure +cd terraform/environments/dev +terraform init -backend-config=backend.conf +terraform plan +terraform apply -auto-approve + +# Configure kubectl +aws eks update-kubeconfig --region eu-west-1 --name mycompany-dev-eks +``` + +### Step 3: Application Deployment (10 minutes) +```bash +# Deploy monitoring stack +helm install kube-prometheus-stack prometheus-community/kube-prometheus-stack \ + --namespace monitoring --create-namespace --values monitoring-values.yaml + +# Deploy ArgoCD +kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml + +# Deploy root application +kubectl apply -f bootstrap/root-app.yaml +``` + +## Verification + +```bash +# Check cluster health +kubectl get nodes +kubectl get pods --all-namespaces + +# Access services +echo "ArgoCD: https://argocd.yourdomain.com" +echo "Grafana: https://grafana.yourdomain.com" +echo "Applications ready! 🎉" +``` + +## Next Steps + +1. **Configure DNS** - Point your domain to the load balancer +2. **Setup Certificates** - Configure SSL/TLS certificates +3. **Deploy Applications** - Add your applications to GitOps +4. **Configure Monitoring** - Set up dashboards and alerts +5. **Train Team** - Share access and documentation + +## Need Help? 
+ +- 📖 **Full Documentation**: [README.md](README.md) +- 🔧 **Troubleshooting**: [docs/troubleshooting.md](docs/troubleshooting.md) +- 💬 **Support**: Contact DevOps team + +**Happy deploying!** 🚀🚀🚀 + + +```bash +echo "" +echo "🎉 ============================================" +echo "🎉 DEVOPS INFRASTRUCTURE SETUP COMPLETE!" +echo "🎉 ============================================" +echo "" +echo "📊 Summary:" +echo "✅ Infrastructure as Code (Terraform)" +echo "✅ Kubernetes Cluster (EKS)" +echo "✅ CI/CD Pipeline (Jenkins + ArgoCD)" +echo "✅ Monitoring Stack (Prometheus + Grafana)" +echo "✅ Logging Stack (OpenSearch + Fluent Bit)" +echo "✅ Security Layer (Vault + Falco + OPA)" +echo "✅ Backup & DR (Velero + RDS Backups)" +echo "✅ Cost Optimization (Kubecost + VPA/HPA)" +echo "✅ Documentation & Runbooks" +echo "" +echo "🔗 Access URLs:" +echo "• ArgoCD: https://argocd.yourdomain.com" +echo "• Grafana: https://grafana.yourdomain.com" +echo "• Jenkins: https://jenkins.yourdomain.com" +echo "• Vault: https://vault.yourdomain.com" +echo "" +echo "📚 Next Steps:" +echo "1. Run system validation: ./scripts/system-validation.sh" +echo "2. Configure your domain DNS" +echo "3. Deploy your first application" +echo "4. Train your team with provided documentation" +echo "" +echo "🎯 Your enterprise-grade DevOps infrastructure is ready!" +echo " Happy DevOps! 🚀🚀🚀" +``` + +Bu kapsamlı implementation guide ile sıfırdan başlayarak **28 gün içinde** tam işlevsel, production-ready bir DevOps altyapısı kurabilirsiniz. Her adım detaylı komutlar, konfigürasyonlar ve best practice'ler içerir. diff --git a/scripts/build-docs.sh b/scripts/build-docs.sh index fd0d564..f993750 100644 --- a/scripts/build-docs.sh +++ b/scripts/build-docs.sh 
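Review bot: Step 3 applies the ArgoCD manifest with `kubectl apply -n argocd -f .../install.yaml` without creating the namespace first; the upstream manifest does not create it, so add `kubectl create namespace argocd` before the apply. Likewise `helm install kube-prometheus-stack prometheus-community/kube-prometheus-stack` assumes the `prometheus-community` repo has already been added, which the quick start never does. Both the `stable` manifest URL and the unpinned chart should be pinned to a version for reproducible installs, and `terraform apply -auto-approve` skips the plan review even though `terraform plan` is shown right above it; if that is acceptable for a dev-only quick start, say so. The trailing `echo "🎉 ... SETUP COMPLETE!"` bash block after "Happy deploying!" and the closing paragraph about the 28-day plan read as carry-overs from the end of the monolithic guide rather than part of a 30-minute quick start, and the summary that block prints (Jenkins, Vault, Falco, Velero, Kubecost) lists components this file never installs; move them to 12-final-validation.md or drop them.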
@@ -137,6 +137,7 @@ nav: - "Modern DevOps 2026 — Felsefe + 2026 Stack": Modern-DevOps-2026.md - "GitOps A→Z (Mid+)": RoadMap.md - "Advanced — AWS/EKS Implementation (Senior)": advanced-roadmap.md + - "Advanced — Faz Detayları": advanced - "Planning Şablonu (Tech Lead)": Planning.md EOF echo " + RoadMap/.pages (yeniden sıralı, Modern-DevOps-2026 başta)"

From 03638ebb926ca2c135460e85b7b3d07bfe6b4f80 Mon Sep 17 00:00:00 2001
From: halilibrahimd27
Date: Sun, 28 Jun 2026 01:04:38 +0300
Subject: [PATCH 04/10] docs(readme): Phase 5 — bring the README to a professional, ad-free tone + match the numbers to reality
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

AUDIT.md §8 (violation of the CLAUDE.md "no marketing tone" rule):
- Badge flood (8+ shields + Awesome) → 3 meaningful badges (site, license, last-commit)
- Removed: "Türkiye'nin en kapsamlı" ("Turkey's most comprehensive"), the star-begging blocks, the "beat the competition" comparison table, "desteklemek istiyorsan" ("if you want to support") + star-history
- Numbers matched to reality: 125+ → 125 deep-dives, 25+ → 19 templates, 64K → ~66K lines; "production-tested" → the honest "production'da yaşanıp damıtılmış" ("lived through and distilled in production")
- BROKEN link fix: the old Ansible/System/Network/Terraform/Kubectl folder links → a single "21-Field-Notes" row (in sync with the Phase 1 move)
- Kept: the task-based Quick Start table, table of contents, architecture diagram, repo philosophy, side repos, keywords (inside the collapsible block)
- mkdocs.yml site_description: 125+/25+ → 125/19

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 README.md  | 240 ++++++++++++++++++++---------------------------------
 mkdocs.yml |   2 +-
 2 files changed, 90 insertions(+), 152 deletions(-)

diff --git a/README.md b/README.md
index c321905..7a1b235 100644
--- a/README.md
+++ b/README.md
@@ -2,95 +2,64 @@ # 🛠️ DevOps Notebook — Türkçe DevSecOps Rehberi -### *Production'da işleyen modern DevOps + DevSecOps + SRE pratiklerinin Türkçe başucu kitabı* +*Production'da işleyen modern DevOps · DevSecOps · SRE pratiklerinin Türkçe, eylemsel referansı.* -**Kubernetes · CI/CD · GitOps · DevSecOps · SRE · IaC · Platform Engineering · FinOps · Observability · LLMOps · Compliance** +Kubernetes · CI/CD · GitOps · IaC · Observability · Security · SRE · Platform Engineering · FinOps · LLMOps · Compliance -[![GitHub Stars](https://img.shields.io/github/stars/halilibrahimd27/DevOps?style=for-the-badge&color=yellow&logo=github)](https://github.com/halilibrahimd27/DevOps/stargazers) -[![GitHub Forks](https://img.shields.io/github/forks/halilibrahimd27/DevOps?style=for-the-badge&color=blue&logo=github)](https://github.com/halilibrahimd27/DevOps/network/members) -[![GitHub Watchers](https://img.shields.io/github/watchers/halilibrahimd27/DevOps?style=for-the-badge&color=green&logo=github)](https://github.com/halilibrahimd27/DevOps/watchers) -[![Last Commit](https://img.shields.io/github/last-commit/halilibrahimd27/DevOps?style=for-the-badge&color=purple)](https://github.com/halilibrahimd27/DevOps/commits/main) - -[![Topics](https://img.shields.io/badge/topics-21-blueviolet?style=flat-square)](#-içindekiler) -[![Deep Dives](https://img.shields.io/badge/deep--dives-125%2B-success?style=flat-square)](#-içindekiler) -[![Cheatsheets](https://img.shields.io/badge/cheatsheets-9-success?style=flat-square)](16-Cheatsheets/) -[![Templates](https://img.shields.io/badge/copy--paste%20templates-25%2B-orange?style=flat-square)](17-Templates/) -[![Lines](https://img.shields.io/badge/markdown-64K%2B%20lines-informational?style=flat-square)](#-içindekiler) +[![Site](https://img.shields.io/badge/canlı_site-halilibrahimd27.github.io%2FDevOps-deeppurple?style=flat-square)](https://halilibrahimd27.github.io/DevOps/) 
[![License](https://img.shields.io/badge/license-MIT-green?style=flat-square)](LICENSE) -[![Awesome](https://awesome.re/badge-flat2.svg)](#) - -**🇹🇷 Türkçe** · *2026 itibarıyla güncel* · *placeholder'lı, production-safe* - -### **🚀 Türkiye'nin en kapsamlı Türkçe DevSecOps kaynağı** - -> **⭐ Yıldız bırakırsan repo daha çok kişiye ulaşır.** Repo'nun büyümesi senin yıldızınla başlar. +[![Last Commit](https://img.shields.io/github/last-commit/halilibrahimd27/DevOps?style=flat-square)](https://github.com/halilibrahimd27/DevOps/commits/main) -[**🌐 Site**](https://halilibrahimd27.github.io/DevOps/) · [**📚 İçindekiler**](#-içindekiler) · [**🚀 Hızlı Başlangıç**](#-hızlı-başlangıç) · [**🤝 Katkı**](#-katkı) · [**📖 Sözlük**](Glossary.md) · [**📣 Discussions**](https://github.com/halilibrahimd27/DevOps/discussions) +[Site](https://halilibrahimd27.github.io/DevOps/) · [İçindekiler](#-i̇çindekiler) · [Hızlı Başlangıç](#-hızlı-başlangıç) · [Sözlük](Glossary.md) · [Katkı](CONTRIBUTING.md) --- -> **Niçin var:** Çoğu DevOps kaynağı ya yüzeysel listedir, ya da -> "müşteri başına bir şirket" tonunda satışçıdır. Bu repo, **production'da -> kafayı yedikten sonra damıtılmış pratikleri** Türkçe ve eylemsel -> tutar. Konferans slaytı değil, oncall'da işine yarayan referans. +> **Niçin var:** Çoğu DevOps kaynağı ya yüzeysel bir listedir, ya da satışçı +> bir tondadır. Bu repo, production'da yaşanıp damıtılmış pratikleri Türkçe ve +> eylemsel tutar. Konferans slaytı değil, on-call'da işine yarayan referans. -> **Kim için:** sıfırdan başlayan bir junior'dan, ekip kurmaya çalışan -> bir staff/principal'a kadar. Her klasör kendi içinde "öğrenme yolu → -> uygulama → cheatsheet → şablon" akışını izler. +> **Kim için:** sıfırdan başlayan bir junior'dan, ekip kuran bir staff/principal'a +> kadar. Her bölüm "öğren → uygula → cheatsheet → şablon" akışını izler. --- -## 🎯 Bu Repo Sana Ne Verir? 
- -- ✅ **125+ deep-dive doküman** — her biri 250-600 satır, production-tested -- ✅ **64,000+ satır Türkçe içerik** — DevOps + DevSecOps + SRE + Platform -- ✅ **21 ana bölüm** — kültür, Git, CI/CD, IaC, Containers, Kubernetes, GitOps, Observability, Security, Networking, Databases, SRE, FinOps, Platform Engineering, Sustainability, AI/LLMOps, Cheatsheets, Templates, Career, Compliance, Soft Skills -- ✅ **Anti-pattern tablosu** — her dokümanda "yapma" listesi -- ✅ **Production checklist** — "yarın işine başlayabilirsin" -- ✅ **9 cheatsheet** + **25+ copy-paste template** (Kubernetes, GitHub Actions, Dockerfile, Kyverno, runbook) -- ✅ **Compliance**: KVKK, GDPR, ISO 27001, SOC 2, EU AI Act, NIS2, PCI DSS — mühendislik açısından -- ✅ **Soft skills**: oncall sustainability, stakeholder management, mentoring, "hayır" demek, RFC yazımı -- ✅ **TR-spesifik**: Iyzico, BDDK, KVK Kurumu, Wazuh entegrasyonu, TR pazarı maaş context'i - -### 🆚 Diğer Türkçe DevOps Kaynakları ile - -| Boyut | Bu Repo | Diğerleri (genelde) | -|---|---|---| -| **Derinlik** | 250-600 satır deep-dive | Yüzeysel liste (50-100 satır) | -| **Güncellik** | 2026 (CloudNativePG, Karpenter, OpenTofu, Cilium ambient) | 2020-2022 (eski tool'lar) | -| **DevSecOps kapsamı** | 8 derin doküman (security amiral gemisi) | Genelde 1-2 sayfa | -| **Anti-pattern + Checklist** | Her dokümanda zorunlu | Yok | -| **Compliance (TR/EU)** | KVKK + GDPR + SOC2 + ISO + NIS2 + EU AI Act | Eksik | -| **Soft skills** | 8 doküman (oncall, stakeholder, mentoring) | Yok | -| **Placeholder güvenli** | Gerçek IP/credential yok | Bazen var (kopyala-yapıştır risk) | -| **Glossary** | TR↔EN tam terim sözlüğü | Yok | +## 🎯 Ne içerir + +- **125 deep-dive doküman** — çoğu 250-600 satır, eylemsel ve yargılı +- **~66.000 satır** Türkçe içerik — DevOps + DevSecOps + SRE + Platform +- **21 ana konu** (00–20) + **Saha Notları** + **Yol Haritası** +- Her deep-dive'da **anti-pattern tablosu** ("yapma" listesi) ve **production checklist** +- **9 
cheatsheet** + **19 kopyala-yapıştır şablon** (Kubernetes, GitHub Actions, Dockerfile, Kyverno, runbook) +- **Compliance**: KVKK, GDPR, ISO 27001, SOC 2, EU AI Act, NIS2, PCI DSS — mühendislik kontrolleriyle +- **Soft skills**: on-call sürdürülebilirliği, stakeholder yönetimi, mentoring, "hayır" demek, RFC yazımı +- **TR-spesifik**: KVKK, BDDK, yerli vendor ve TR pazarı bağlamı --- ## 🚀 Hızlı Başlangıç -| Sen kim hissediyorsun? | Buradan başla | +| Durumun | Buradan başla | |---|---| -| 🆕 **Yeni başlıyorum, "DevOps nedir?"** | [`RoadMap/Modern-DevOps-2026.md`](RoadMap/Modern-DevOps-2026.md) | -| 🏗️ **Sıfırdan altyapı kuracağım** | [`RoadMap/Advanced RoadMap.md`](RoadMap/advanced-roadmap.md) → [`05-Kubernetes/Production-Checklist.md`](05-Kubernetes/Production-Checklist.md) | -| 🔥 **Şu an yangın söndürüyorum** | [`16-Cheatsheets/`](16-Cheatsheets/) → [`11-SRE/Incident-Response.md`](11-SRE/Incident-Response.md) | -| 📦 **Yeni servis konteynerleştireceğim** | [`04-Containers/Dockerfile-Best-Practices.md`](04-Containers/Dockerfile-Best-Practices.md) → [`17-Templates/dockerfiles/`](17-Templates/dockerfiles/) | -| 🚀 **CI/CD pipeline yazacağım** | [`02-CI-CD/Pipeline-Patterns.md`](02-CI-CD/Pipeline-Patterns.md) → [`17-Templates/github-actions/`](17-Templates/github-actions/) | -| 🛡️ **Güvenlik review'ı geliyor** | [`08-Security/DevSecOps-Pipeline.md`](08-Security/DevSecOps-Pipeline.md) → [`08-Security/Kubernetes-Hardening.md`](08-Security/Kubernetes-Hardening.md) | -| 💰 **Cloud faturası patladı** | [`12-FinOps/Cloud-Cost-Allocation.md`](12-FinOps/Cloud-Cost-Allocation.md) → [`12-FinOps/Right-Sizing.md`](12-FinOps/Right-Sizing.md) | -| 🎯 **Mülakata hazırlanıyorum** | [`18-Career/`](18-Career/) | -| ⚖️ **KVKK/GDPR/SOC2 audit geliyor** | [`19-Compliance/KVKK-Practical.md`](19-Compliance/KVKK-Practical.md) → [`19-Compliance/`](19-Compliance/) | -| 🔥 **On-call'da burnout oluyorum** | [`20-Soft-Skills/Oncall-Sustainability.md`](20-Soft-Skills/Oncall-Sustainability.md) | -| 📖 
**Türkçe terim aradım** | [`Glossary.md`](Glossary.md) | -| 🤖 **AI ile DevOps yapmak istiyorum** | [`15-AI-LLMOps/AI-Augmented-Operations.md`](15-AI-LLMOps/AI-Augmented-Operations.md) | -| 📈 **K8s upgrade'i yapacağım** | [`05-Kubernetes/Upgrade-Strategy.md`](05-Kubernetes/Upgrade-Strategy.md) | -| 🌳 **GitOps adopt ediyorum** | [`06-GitOps/ArgoCD-Setup.md`](06-GitOps/ArgoCD-Setup.md) → [`06-GitOps/Flux-vs-ArgoCD.md`](06-GitOps/Flux-vs-ArgoCD.md) | -| 🔍 **Postgres prod'a alıyorum** | [`10-Databases-Production/Postgres-Production-Guide.md`](10-Databases-Production/Postgres-Production-Guide.md) | -| 👀 **Observability stack kuruyorum** | [`07-Observability/OpenTelemetry-Adoption.md`](07-Observability/OpenTelemetry-Adoption.md) | -| 🏗️ **Internal Developer Platform** | [`13-Platform-Engineering/Internal-Developer-Platform.md`](13-Platform-Engineering/Internal-Developer-Platform.md) | -| 🌱 **Yeşil yazılım yapacağım** | [`14-Sustainability/Green-Software-Principles.md`](14-Sustainability/Green-Software-Principles.md) | +| 🆕 **"DevOps nedir?" 
— yeni başlıyorum** | [RoadMap/Modern-DevOps-2026.md](RoadMap/Modern-DevOps-2026.md) | +| 🏗️ **Sıfırdan altyapı kuracağım** | [RoadMap/advanced-roadmap.md](RoadMap/advanced-roadmap.md) → [05-Kubernetes/Production-Checklist.md](05-Kubernetes/Production-Checklist.md) | +| 🔥 **Şu an yangın söndürüyorum** | [16-Cheatsheets/](16-Cheatsheets/) → [11-SRE/Incident-Response.md](11-SRE/Incident-Response.md) | +| 📦 **Yeni servis konteynerleştireceğim** | [04-Containers/Dockerfile-Best-Practices.md](04-Containers/Dockerfile-Best-Practices.md) → [17-Templates/dockerfiles/](17-Templates/dockerfiles/) | +| 🚀 **CI/CD pipeline yazacağım** | [02-CI-CD/Pipeline-Patterns.md](02-CI-CD/Pipeline-Patterns.md) → [17-Templates/github-actions/](17-Templates/github-actions/) | +| 🛡️ **Güvenlik review'ı geliyor** | [08-Security/DevSecOps-Pipeline.md](08-Security/DevSecOps-Pipeline.md) → [08-Security/Kubernetes-Hardening.md](08-Security/Kubernetes-Hardening.md) | +| 💰 **Cloud faturası patladı** | [12-FinOps/Cloud-Cost-Allocation.md](12-FinOps/Cloud-Cost-Allocation.md) → [12-FinOps/Right-Sizing.md](12-FinOps/Right-Sizing.md) | +| 🎯 **Mülakata hazırlanıyorum** | [18-Career/](18-Career/) | +| ⚖️ **KVKK/GDPR/SOC2 audit geliyor** | [19-Compliance/KVKK-Practical.md](19-Compliance/KVKK-Practical.md) → [19-Compliance/](19-Compliance/) | +| 🔥 **On-call'da tükeniyorum** | [20-Soft-Skills/Oncall-Sustainability.md](20-Soft-Skills/Oncall-Sustainability.md) | +| 📖 **Türkçe terim aradım** | [Glossary.md](Glossary.md) | +| 🤖 **AI ile DevOps yapmak istiyorum** | [15-AI-LLMOps/AI-Augmented-Operations.md](15-AI-LLMOps/AI-Augmented-Operations.md) | +| 📈 **K8s upgrade'i yapacağım** | [05-Kubernetes/Upgrade-Strategy.md](05-Kubernetes/Upgrade-Strategy.md) | +| 🌳 **GitOps adopt ediyorum** | [06-GitOps/ArgoCD-Setup.md](06-GitOps/ArgoCD-Setup.md) → [06-GitOps/Flux-vs-ArgoCD.md](06-GitOps/Flux-vs-ArgoCD.md) | +| 🔍 **Postgres prod'a alıyorum** | 
[10-Databases-Production/Postgres-Production-Guide.md](10-Databases-Production/Postgres-Production-Guide.md) | +| 👀 **Observability stack kuruyorum** | [07-Observability/OpenTelemetry-Adoption.md](07-Observability/OpenTelemetry-Adoption.md) | +| 🏗️ **Internal Developer Platform** | [13-Platform-Engineering/Internal-Developer-Platform.md](13-Platform-Engineering/Internal-Developer-Platform.md) | +| 🌱 **Yeşil yazılım yapacağım** | [14-Sustainability/Green-Software-Principles.md](14-Sustainability/Green-Software-Principles.md) | --- 
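Review bot: the new `[![Site](https://img.shields.io/badge/canlı_site-...-deeppurple?style=flat-square)]` badge uses `deeppurple`, which is neither a shields.io named colour nor a CSS colour name, so the first badge in the rewritten header renders broken; PATCH 05 in this series changes it to the hex `8A2BE2`, and that fix belongs in this commit so no intermediate revision ships a broken header. In the same hunk the rewritten "Niçin var" blockquote still says "production'da yaşanıp damıtılmış", which PATCH 05 also has to reword to "production senaryolarına göre yazılmış ... 21-Field-Notes ile desteklenen" as the honest framing; landing that wording here would keep the commit message's "dürüst" claim true for this revision.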
@@ -99,69 +68,55 @@ ### 🧭 Yol Haritası & Felsefe | Bölüm | Konu | |---|---| -| [`RoadMap/`](RoadMap/) | Yol haritaları + **Modern DevOps 2026** kültür/metodoloji rehberi | -| [`00-Culture/`](00-Culture/) | DevOps kültürü, blameless postmortem, on-call playbook, DORA/SPACE, Team Topologies | +| [RoadMap/](RoadMap/) | Yol haritaları + **Modern DevOps 2026** kültür/metodoloji rehberi + 28 günlük AWS/EKS implementation | +| [00-Culture/](00-Culture/) | DevOps kültürü, blameless postmortem, on-call playbook, DORA/SPACE, Team Topologies | ### 🏗️ Build & Ship | Bölüm | Konu | |---|---| -| [`01-Git-Workflow/`](01-Git-Workflow/) | Trunk-based, conventional commits, PR/code review checklist | -| [`02-CI-CD/`](02-CI-CD/) | Pipeline pattern'ler, GitHub Actions/GitLab CI tarifleri, caching, reusable workflows | -| [`03-IaC/`](03-IaC/) | Terraform best practices, OpenTofu geçişi, Pulumi vs Terraform, Crossplane | -| [`04-Containers/`](04-Containers/) | Dockerfile best practices, multi-stage, distroless/Chainguard, BuildKit, image imzalama | -| [`05-Kubernetes/`](05-Kubernetes/) | Production checklist, resource limits, HPA/VPA/KEDA, Gateway API, multi-tenancy, upgrade | -| [`06-GitOps/`](06-GitOps/) | ArgoCD setup, Flux vs ArgoCD, ApplicationSet, App-of-Apps | +| [01-Git-Workflow/](01-Git-Workflow/) | Trunk-based, conventional commits, PR/code review checklist | +| [02-CI-CD/](02-CI-CD/) | Pipeline pattern'ler, GitHub Actions/GitLab CI tarifleri, caching, reusable workflows | +| [03-IaC/](03-IaC/) | Terraform best practices, OpenTofu geçişi, Pulumi vs Terraform, Crossplane | +| [04-Containers/](04-Containers/) | Dockerfile best practices, multi-stage, distroless/Chainguard, BuildKit, image imzalama | +| [05-Kubernetes/](05-Kubernetes/) | Production checklist, resource limits, HPA/VPA/KEDA, Gateway API, multi-tenancy, upgrade | +| [06-GitOps/](06-GitOps/) | ArgoCD setup, Flux vs ArgoCD, ApplicationSet, App-of-Apps | ### 🔭 Run & Observe | Bölüm | Konu | |---|---| -| 
[`07-Observability/`](07-Observability/) | OpenTelemetry, Prometheus best practices, SLO engineering, alerting done right, profiling | -| [`08-Security/`](08-Security/) | DevSecOps pipeline, secrets, image scan, K8s hardening, SLSA/SBOM, OPA/Kyverno, threat modeling | -| [`09-Networking/`](09-Networking/) | Service mesh comparison, Cilium/eBPF, Ingress patterns, DNS strategies | -| [`10-Databases-Production/`](10-Databases-Production/) | Postgres prod guide, backup/restore, HA (Patroni/Stolon), zero-downtime migrations | -| [`11-SRE/`](11-SRE/) | SLI/SLO/error budget, incident response, runbook template, chaos engineering, capacity | -| [`12-FinOps/`](12-FinOps/) | Cost allocation, right-sizing, spot strategy, RI/SP, Kubecost | +| [07-Observability/](07-Observability/) | OpenTelemetry, Prometheus best practices, SLO engineering, alerting, profiling | +| [08-Security/](08-Security/) | DevSecOps pipeline, secrets, image scan, K8s hardening, SLSA/SBOM, OPA/Kyverno, threat modeling | +| [09-Networking/](09-Networking/) | Service mesh comparison, Cilium/eBPF, Ingress patterns, DNS strategies | +| [10-Databases-Production/](10-Databases-Production/) | Postgres prod guide, backup/restore, HA (Patroni/Stolon), zero-downtime migrations | +| [11-SRE/](11-SRE/) | SLI/SLO/error budget, incident response, runbook template, chaos engineering, capacity | +| [12-FinOps/](12-FinOps/) | Cost allocation, right-sizing, spot strategy, RI/SP, Kubecost | ### 🌟 Modern Trendler | Bölüm | Konu | |---|---| -| [`13-Platform-Engineering/`](13-Platform-Engineering/) | IDP, Backstage, golden paths, service catalog | -| [`14-Sustainability/`](14-Sustainability/) | Green Software Foundation principles, carbon-aware computing, SCI ölçümü | -| [`15-AI-LLMOps/`](15-AI-LLMOps/) | LLM in production, prompt eng for ops, RAG architecture, AI-augmented ops | +| [13-Platform-Engineering/](13-Platform-Engineering/) | IDP, Backstage, golden paths, service catalog | +| [14-Sustainability/](14-Sustainability/) 
| Green Software Foundation principles, carbon-aware computing, SCI ölçümü | +| [15-AI-LLMOps/](15-AI-LLMOps/) | LLM in production, prompt engineering for ops, RAG architecture, AI-augmented ops | ### 🎒 Hazır Cebinde | Bölüm | Konu | |---|---| -| [`16-Cheatsheets/`](16-Cheatsheets/) | kubectl · docker · git · helm · terraform · aws-cli · linux-troubleshooting · networking · vim | -| [`17-Templates/`](17-Templates/) | GitHub Actions · K8s manifest · Dockerfile · Terraform module · Kyverno policy · runbook | -| [`18-Career/`](18-Career/) | DevOps/SRE interview soruları, system design hazırlığı | +| [16-Cheatsheets/](16-Cheatsheets/) | kubectl · docker · git · helm · terraform · aws-cli · linux-troubleshooting · networking · vim | +| [17-Templates/](17-Templates/) | GitHub Actions · K8s manifest · Dockerfile · Terraform module · Kyverno policy · runbook | +| [18-Career/](18-Career/) | DevOps/SRE mülakat soruları, system design hazırlığı | ### ⚖️ Hukuki Çerçeve & İnsan Tarafı | Bölüm | Konu | |---|---| -| [`19-Compliance/`](19-Compliance/) | KVKK, GDPR, ISO 27001, SOC 2, **EU AI Act**, NIS2, PCI DSS — mühendislik kontrolüyle | -| [`20-Soft-Skills/`](20-Soft-Skills/) | On-call sürdürülebilirliği, stakeholder yönetimi, security ekibi ile çalışma, "hayır" demek | -| [`Glossary.md`](Glossary.md) | Türkçe ↔ İngilizce DevOps terim sözlüğü | -| [`CLAUDE.md`](CLAUDE.md) | Yazım stili & editorial rehber (katkı yapanlar için) | - -### 🧰 Operasyonel Notlar -| Klasör | Konu | -|---|---| -| [`Ansible/`](Ansible/) | Ansible playbook ve sistem hazırlığı notları | -| [`Kubectl/`](Kubectl/) | Logging ve secret/credential örnekleri | -| [`Terraform/`](Terraform/) | Proxmox + manuel VM Terraform örnekleri | -| [`Network/`](Network/) | Wazuh SIEM + ağ segmentasyonu | -| [`System/`](System/) | Sistem-seviyesi rehberler (K8s install, GitHub Actions, external access) | - -### 🔗 Yan Repolar (bu repo'dan ayrılan tamamlayıcı projeler) +| [19-Compliance/](19-Compliance/) | KVKK, GDPR, ISO 27001, 
SOC 2, **EU AI Act**, NIS2, PCI DSS — mühendislik kontrolüyle | +| [20-Soft-Skills/](20-Soft-Skills/) | On-call sürdürülebilirliği, stakeholder yönetimi, security ekibiyle çalışma, "hayır" demek | +| [Glossary.md](Glossary.md) | Türkçe ↔ İngilizce DevOps terim sözlüğü | +| [CLAUDE.md](CLAUDE.md) | Yazım stili & editorial rehber (katkı yapanlar için) | -| Repo | Konu | +### 🗒️ Saha Notları +| Bölüm | Konu | |---|---| -| **[databases-stack](https://github.com/halilibrahimd27/databases-stack)** | Tek `docker compose up` ile MariaDB+PostgreSQL+MongoDB+Redis self-hosted stack — admin paneller, Prometheus exporters, 15-dakikalık backup automation, Google Drive sync | -| **[file-crypter](https://github.com/halilibrahimd27/file-crypter)** | AES-256 CBC + PBKDF2 ile dosya/klasör şifreleme — terminalden tek komut | -| **[wakapi-admin](https://github.com/halilibrahimd27/wakapi-admin)** | Wakapi self-hosted stack + custom admin panel (realtime active users, domain tag system, AI editor detection) | -| **[api-sentinel](https://github.com/halilibrahimd27/api-sentinel)** | 3. parti API schema değişiklik tespiti — plugin tabanlı, severity-aware monitoring | -| **[cheat-sheet](https://github.com/halilibrahimd27/cheat-sheet)** | Offensive security komut referansı — 2000+ pentest komutu, OSCP/OSWE/OSEP prep | +| [21-Field-Notes/](21-Field-Notes/) | Gerçek kurulumlardan ham notlar: Ansible hazırlık, Terraform/Proxmox, K8s install, Wazuh SIEM, kubectl. Cilalı deep-dive değil; "olduğu gibi çalışan" saha kayıtları. | --- 
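Review bot: the new 21-Field-Notes row describes the notes as "olduğu gibi çalışan" saha kayıtları and links them from the README, but PATCH 06 in the same series is still replacing the hardcoded `cipassword` "ubuntu" in `21-Field-Notes/terraform/modules-create-vm.md` and `proxmox-configuration.md` and the weak password examples in `system/production-ready-repo-layout.md`; reorder the series so the placeholder hygiene commit lands before the README starts sending readers there, or state in the row that the notes use placeholders and RFC 1918 example addresses only. The 17-Templates row also still lists "Terraform module" while the commit message counts 19 templates; confirm a Terraform module is actually among them before keeping it in the description.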
@@ -211,62 +166,45 @@ ## ⭐ Repo Felsefesi 1. **Türkçe yazılır.** Çeviriden kaybolan nüansların yeri yok. -2. **Eylemsel.** Her bölüm "ne yapılacak / nasıl yapılacak / niye yapılacak" sırasıyla yazılır. -3. **Placeholder güvenli.** Hiçbir gerçek IP/domain/credential yer almaz. ``, ``, `` gibi yer tutucular kullanılır. -4. **Yorum-yargılı.** Bir tool/paradigma 2026'da artık önerilmiyorsa "bunu yapma" diye söylenir, neutral değildir. -5. **Anti-pattern'leri açıkça yazar.** Doğrudan "şunu yapma" tabloları her klasörde vardır. -6. **Yıldız kovalamaz, faydayı kovalar.** Buzzword listeleri yerine *bugün* açıp uygulanacak adımlar. - ---- - -## 🤝 Katkı - -PR'lar memnuniyetle. [`CONTRIBUTING.md`](CONTRIBUTING.md) okuyun. - -> 🔍 *Issue açarken:* "Kubernetes hardening'de X eksik" gibi spesifik -> önerin varsa belirt. "Daha çok içerik ekle" tarzı genel issue'lar -> [`good first issue`](https://github.com/halilibrahimd27/DevOps/labels/good%20first%20issue) etiketiyle başkasına paslanır. - -## 📜 Lisans - -[MIT](LICENSE) — özgürce kullanın, yıldızlamayı unutmayın ⭐ +2. **Eylemsel.** Her bölüm "ne / nasıl / niye" sırasıyla yazılır. +3. **Placeholder güvenli.** Gerçek IP/domain/credential yer almaz; ``, ``, `` gibi yer tutucular kullanılır. +4. **Yargılı.** Bir tool/paradigma 2026'da önerilmiyorsa "bunu yapma" diye yazılır; nötr değildir. +5. **Anti-pattern açık.** "Şunu yapma" tabloları her deep-dive'da vardır. +6. **Fayda odaklı.** Buzzword listesi değil, bugün açıp uygulanacak adımlar. --- -
+## 🔗 Yan Repolar -## 🌟 Repo'yu desteklemek istiyorsan +Bu repodan ayrılan tamamlayıcı projeler: -| Süre | Yardımın | +| Repo | Konu | |---|---| -| **5 saniye** | Sağ üstteki **⭐ Star** butonuna tıkla | -| **30 saniye** | Repo'yu Twitter/LinkedIn/Slack'te paylaş | -| **5 dakika** | Eksik bulduğun bir konu için [issue](../../issues/new/choose) aç | -| **30 dakika** | Bir cheatsheet'e katkı PR'ı | -| **2 saat** | Yeni bir deep-dive yaz, [`CONTRIBUTING.md`](CONTRIBUTING.md) okuyup PR aç | +| [databases-stack](https://github.com/halilibrahimd27/databases-stack) | Tek `docker compose up` ile MariaDB+PostgreSQL+MongoDB+Redis self-hosted stack — admin paneller, Prometheus exporter, otomatik backup | +| [file-crypter](https://github.com/halilibrahimd27/file-crypter) | AES-256 CBC + PBKDF2 ile dosya/klasör şifreleme — terminalden tek komut | +| [wakapi-admin](https://github.com/halilibrahimd27/wakapi-admin) | Wakapi self-hosted stack + custom admin panel | +| [api-sentinel](https://github.com/halilibrahimd27/api-sentinel) | 3. parti API schema değişiklik tespiti — plugin tabanlı, severity-aware | +| [cheat-sheet](https://github.com/halilibrahimd27/cheat-sheet) | Offensive security komut referansı — OSCP/OSWE/OSEP hazırlık | --- -*Bu repo'nun hedefi: bir DevOps mühendisinin **3 yıl boyunca** açıp baktığında değer bulduğu bir referans olmak.* +## 🤝 Katkı -**Star history:** +PR'lar memnuniyetle. Önce [CONTRIBUTING.md](CONTRIBUTING.md) ve yazım rehberi [CLAUDE.md](CLAUDE.md)'yi oku. -[![Star History Chart](https://api.star-history.com/svg?repos=halilibrahimd27/DevOps&type=Date)](https://star-history.com/#halilibrahimd27/DevOps&Date) +> *Issue açarken spesifik ol:* "Kubernetes hardening'de X eksik" gibi. "Daha çok içerik ekle" tarzı genel issue'lar [good first issue](https://github.com/halilibrahimd27/DevOps/labels/good%20first%20issue) etiketiyle paslanır. -
+## 📜 Lisans + +[MIT](LICENSE) — özgürce kullan. --- +*Hedef: bir DevOps mühendisinin yıllar boyunca açıp baktığında değer bulduğu bir referans olmak.* +
-🔍 Keywords (Google + GitHub Search için) +🔍 Anahtar kelimeler (arama için) -Türkçe DevOps rehberi · Türkçe DevSecOps · Kubernetes Türkçe · DevOps mülakat · SRE rehberi · GitOps Türkçe · CI/CD pipeline Türkçe · Docker best practices Türkçe · Helm vs Kustomize · ArgoCD setup · Flux vs ArgoCD · Postgres production · CloudNativePG · Patroni HA · Prometheus best practices · OpenTelemetry · Grafana Loki Tempo · SLO error budget · incident response · postmortem template · chaos engineering · KVKK uyumu · GDPR mühendislik · ISO 27001 · SOC 2 Type II · EU AI Act · NIS2 directive · PCI DSS v4 · Backstage IDP · Internal Developer Platform · platform engineering · golden path · service catalog · FinOps Türkçe · Kubecost · spot instance · savings plan · right-sizing · sustainability · green software · carbon-aware computing · LLMOps · RAG architecture · prompt engineering · vLLM · self-hosted LLM · Cilium eBPF · Gateway API · service mesh · zero trust networking · cosign image signing · SLSA SBOM · Kyverno OPA · threat modeling · STRIDE LINDDUN · Falco runtime security · Trivy vulnerability scanning · Vault secrets management · External Secrets Operator · trunk-based development · conventional commits · stacked diffs · code review · oncall sustainability · stakeholder management · mentoring junior · DevOps cheatsheet · K8s production checklist · DevOps interview Turkish · SRE interview · system design Türkçe. 
+Türkçe DevOps rehberi · Türkçe DevSecOps · Kubernetes Türkçe · DevOps mülakat · SRE rehberi · GitOps Türkçe · CI/CD pipeline Türkçe · Docker best practices Türkçe · Helm vs Kustomize · ArgoCD setup · Flux vs ArgoCD · Postgres production · CloudNativePG · Patroni HA · Prometheus best practices · OpenTelemetry · Grafana Loki Tempo · SLO error budget · incident response · postmortem template · chaos engineering · KVKK uyumu · GDPR mühendislik · ISO 27001 · SOC 2 Type II · EU AI Act · NIS2 directive · PCI DSS v4 · Backstage IDP · Internal Developer Platform · platform engineering · golden path · service catalog · FinOps Türkçe · Kubecost · spot instance · savings plan · right-sizing · sustainability · green software · carbon-aware computing · LLMOps · RAG architecture · prompt engineering · vLLM · self-hosted LLM · Cilium eBPF · Gateway API · service mesh · zero trust networking · cosign image signing · SLSA SBOM · Kyverno OPA · threat modeling · STRIDE LINDDUN · Falco runtime security · Trivy vulnerability scanning · Vault secrets management · External Secrets Operator · trunk-based development · conventional commits · code review · oncall sustainability · stakeholder management · DevOps cheatsheet · K8s production checklist · DevOps interview Turkish · SRE interview · system design Türkçe.
- -
- -**🇹🇷 Made with discipline in Türkiye · 2026** - -
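Review bot: this hunk keeps the collapsible keyword block ("🔍 Anahtar kelimeler (arama için)", still the full "Türkçe DevOps rehberi ... system design Türkçe" string) while Repo Felsefesi item 6 in the same hunk now reads "Buzzword listesi değil"; the retained block is exactly that list, and PATCH 05 deletes it anyway, so drop it here rather than in a follow-up. Separately, the file-crypter row advertises AES-256 CBC + PBKDF2: CBC on its own provides no integrity, so a ciphertext can be altered without detection; if the side repo is promoted from this README, an AEAD mode (AES-GCM or ChaCha20-Poly1305) or an encrypt-then-MAC construction is the thing to list, not bare CBC.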
- diff --git a/mkdocs.yml b/mkdocs.yml index a30e1f3..ad6514d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,7 +1,7 @@ site_name: DevOps Notebook site_description: >- Türkçe DevOps · DevSecOps · SRE · Platform Engineering başucu kitabı. - 21 konu, 125+ deep-dive, 9 cheatsheet, 25+ production-ready template. + 21 konu, 125 deep-dive, 9 cheatsheet, 19 production-ready template. Kubernetes · Terraform · GitOps · Observability · FinOps · LLMOps · KVKK/GDPR. site_author: Halil İbrahim Dürmüş site_url: https://halilibrahimd27.github.io/DevOps/

From 10dbea056219133fe330923ccf814cadc5310bc7 Mon Sep 17 00:00:00 2001
From: halilibrahimd27
Date: Sun, 28 Jun 2026 01:08:46 +0300
Subject: [PATCH 05/10] docs(readme): Phase 5 review — adversarial review fixes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Findings of the three-lens adversarial review (constitution/accuracy/senior):
- SEO keyword-stuffing block removed (it contradicted the README's own "not a buzzword list" philosophy; a CLAUDE.md violation)
- Invalid shields colour deeppurple → 8A2BE2 (the first badge rendered broken)
- Author attribution added (Halil İbrahim Dürmüş; a portfolio/credibility asset)
- "production'da yaşanıp damıtılmış" → "production senaryolarına göre yazılmış, 21-Field-Notes ile desteklenen" ("written for production scenarios, backed by 21-Field-Notes") (honest framing)
- Repeated emoji in Quick Start disambiguated (🔥→🪫 on-call, 🏗️→🧩 IDP)

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 README.md | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 7a1b235..298c00f 100644
--- a/README.md
+++ b/README.md
@@ -2,11 +2,11 @@ # 🛠️ DevOps Notebook — Türkçe DevSecOps Rehberi -*Production'da işleyen modern DevOps · DevSecOps · SRE pratiklerinin Türkçe, eylemsel referansı.* +*Production'a yönelik modern DevOps · DevSecOps · SRE pratiklerinin Türkçe, eylemsel referansı.* Kubernetes · CI/CD · GitOps · IaC · Observability · Security · SRE · Platform Engineering · FinOps · LLMOps · Compliance -[![Site](https://img.shields.io/badge/canlı_site-halilibrahimd27.github.io%2FDevOps-deeppurple?style=flat-square)](https://halilibrahimd27.github.io/DevOps/) +[![Site](https://img.shields.io/badge/canlı_site-halilibrahimd27.github.io%2FDevOps-8A2BE2?style=flat-square)](https://halilibrahimd27.github.io/DevOps/) [![License](https://img.shields.io/badge/license-MIT-green?style=flat-square)](LICENSE) [![Last Commit](https://img.shields.io/github/last-commit/halilibrahimd27/DevOps?style=flat-square)](https://github.com/halilibrahimd27/DevOps/commits/main) 
@@ -17,7 +17,8 @@ Kubernetes · CI/CD · GitOps · IaC · Observability · Security · SRE · Plat --- > **Niçin var:** Çoğu DevOps kaynağı ya yüzeysel bir listedir, ya da satışçı -> bir tondadır. Bu repo, production'da yaşanıp damıtılmış pratikleri Türkçe ve +> bir tondadır. Bu repo, production senaryolarına göre yazılmış ve gerçek kurulum +> deneyimiyle ([21-Field-Notes](21-Field-Notes/)) desteklenen pratikleri Türkçe ve > eylemsel tutar. Konferans slaytı değil, on-call'da işine yarayan referans. > **Kim için:** sıfırdan başlayan bir junior'dan, ekip kuran bir staff/principal'a 
@@ -51,14 +52,14 @@ Kubernetes · CI/CD · GitOps · IaC · Observability · Security · SRE · Plat | 💰 **Cloud faturası patladı** | [12-FinOps/Cloud-Cost-Allocation.md](12-FinOps/Cloud-Cost-Allocation.md) → [12-FinOps/Right-Sizing.md](12-FinOps/Right-Sizing.md) | | 🎯 **Mülakata hazırlanıyorum** | [18-Career/](18-Career/) | | ⚖️ **KVKK/GDPR/SOC2 audit geliyor** | [19-Compliance/KVKK-Practical.md](19-Compliance/KVKK-Practical.md) → [19-Compliance/](19-Compliance/) | -| 🔥 **On-call'da tükeniyorum** | [20-Soft-Skills/Oncall-Sustainability.md](20-Soft-Skills/Oncall-Sustainability.md) | +| 🪫 **On-call'da tükeniyorum** | [20-Soft-Skills/Oncall-Sustainability.md](20-Soft-Skills/Oncall-Sustainability.md) | | 📖 **Türkçe terim aradım** | [Glossary.md](Glossary.md) | | 🤖 **AI ile DevOps yapmak istiyorum** | [15-AI-LLMOps/AI-Augmented-Operations.md](15-AI-LLMOps/AI-Augmented-Operations.md) | | 📈 **K8s upgrade'i yapacağım** | [05-Kubernetes/Upgrade-Strategy.md](05-Kubernetes/Upgrade-Strategy.md) | | 🌳 **GitOps adopt ediyorum** | [06-GitOps/ArgoCD-Setup.md](06-GitOps/ArgoCD-Setup.md) → [06-GitOps/Flux-vs-ArgoCD.md](06-GitOps/Flux-vs-ArgoCD.md) | | 🔍 **Postgres prod'a alıyorum** | [10-Databases-Production/Postgres-Production-Guide.md](10-Databases-Production/Postgres-Production-Guide.md) | | 👀 **Observability stack kuruyorum** | [07-Observability/OpenTelemetry-Adoption.md](07-Observability/OpenTelemetry-Adoption.md) | -| 🏗️ **Internal Developer Platform** | [13-Platform-Engineering/Internal-Developer-Platform.md](13-Platform-Engineering/Internal-Developer-Platform.md) | +| 🧩 **Internal Developer Platform** | [13-Platform-Engineering/Internal-Developer-Platform.md](13-Platform-Engineering/Internal-Developer-Platform.md) | | 🌱 **Yeşil yazılım yapacağım** | [14-Sustainability/Green-Software-Principles.md](14-Sustainability/Green-Software-Principles.md) | --- 
@@ -202,9 +203,4 @@ PR'lar memnuniyetle. Önce [CONTRIBUTING.md](CONTRIBUTING.md) ve yazım rehberi *Hedef: bir DevOps mühendisinin yıllar boyunca açıp baktığında değer bulduğu bir referans olmak.* -
-🔍 Anahtar kelimeler (arama için) - -Türkçe DevOps rehberi · Türkçe DevSecOps · Kubernetes Türkçe · DevOps mülakat · SRE rehberi · GitOps Türkçe · CI/CD pipeline Türkçe · Docker best practices Türkçe · Helm vs Kustomize · ArgoCD setup · Flux vs ArgoCD · Postgres production · CloudNativePG · Patroni HA · Prometheus best practices · OpenTelemetry · Grafana Loki Tempo · SLO error budget · incident response · postmortem template · chaos engineering · KVKK uyumu · GDPR mühendislik · ISO 27001 · SOC 2 Type II · EU AI Act · NIS2 directive · PCI DSS v4 · Backstage IDP · Internal Developer Platform · platform engineering · golden path · service catalog · FinOps Türkçe · Kubecost · spot instance · savings plan · right-sizing · sustainability · green software · carbon-aware computing · LLMOps · RAG architecture · prompt engineering · vLLM · self-hosted LLM · Cilium eBPF · Gateway API · service mesh · zero trust networking · cosign image signing · SLSA SBOM · Kyverno OPA · threat modeling · STRIDE LINDDUN · Falco runtime security · Trivy vulnerability scanning · Vault secrets management · External Secrets Operator · trunk-based development · conventional commits · code review · oncall sustainability · stakeholder management · DevOps cheatsheet · K8s production checklist · DevOps interview Turkish · SRE interview · system design Türkçe. - -
+Yazan & sürdüren: **Halil İbrahim Dürmüş** — [@halilibrahimd27](https://github.com/halilibrahimd27) · [LinkedIn](https://www.linkedin.com/in/halilibrahimd) From 090ebcb22bf7ddeedf194a7125b35c7336631ae9 Mon Sep 17 00:00:00 2001 From: halilibrahimd27 Date: Sun, 28 Jun 2026 01:08:46 +0300 Subject: [PATCH 06/10] =?UTF-8?q?fix(placeholder):=20Faz=204=20=E2=80=94?= =?UTF-8?q?=20credential/placeholder=20hijyeni=20+=20action=20versiyon=20p?= =?UTF-8?q?in?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit AUDIT.md §7 (the CLAUDE.md placeholder red line): - Terraform cipassword weak hard-coded "ubuntu" → (18 places: modules-create-vm 13 + proxmox-configuration 5) - System repo-layout weak password examples → // / (7 places) - GitHub Action full-semver pin osv-scanner-action@v1.7.0 → @ - Network guide: the 85 RFC 1918 example IPs were not mangled; instead an explicit "RFC 1918 example" disclaimer note was added that keeps the segmentation lesson intact - Deliberately left as is: image-tag semvers (node:22.11.0 etc., the "pin your version" lesson), the @v1.2.3 semver-format example, the idiomatic @v4 major pin Co-Authored-By: Claude Opus 4.8 (1M context) --- 08-Security/DevSecOps-Pipeline.md | 2 +- .../network-segmentation-wazuh-siem.md | 4 +++ .../system/production-ready-repo-layout.md | 14 +++++----- 21-Field-Notes/terraform/modules-create-vm.md | 26 +++++++++---------- .../terraform/proxmox-configuration.md | 10 +++---- 5 files changed, 30 insertions(+), 26 deletions(-) diff --git a/08-Security/DevSecOps-Pipeline.md b/08-Security/DevSecOps-Pipeline.md index a3b15d6..558011f 100644 --- a/08-Security/DevSecOps-Pipeline.md +++ b/08-Security/DevSecOps-Pipeline.md @@ -180,7 +180,7 @@ Bağımlılıkları (3rd-party libraries) için CVE/lisans tarama. runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: google/osv-scanner-action@v1.7.0 + - uses: google/osv-scanner-action@ with: scan-args: |- --recursive
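Review bot: in the README footer hunk, the LinkedIn slug `https://www.linkedin.com/in/halilibrahimd` does not match the GitHub handle `@halilibrahimd27` on the same added line; if that is a typo no link checker will catch it, because a wrong-but-existing profile still returns 200, so verify the URL by hand. Removing the `🔍 Anahtar kelimeler` block is the right call: a bare keyword list adds nothing for readers and the quick-navigation table above already carries those terms in context.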
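Review bot: as rendered, the added `- uses: google/osv-scanner-action@` line has nothing after the `@`; a `uses:` reference with an empty ref is invalid, so anyone pasting this snippet gets a workflow that fails at parse time. If an angle-bracket placeholder was intended, check that it survived the rendering; but for a third-party action the pattern a DevSecOps chapter should model is a full commit SHA pin with the version in a trailing comment (`- uses: google/osv-scanner-action@<commit-sha> # v1.7.0`), since tags such as `v1.7.0` are mutable and can be re-pointed. The commit message keeps `actions/checkout@v4` on a major tag as idiomatic, which is fine, but it carries exactly the same mutable-tag trade-off and the text could say so.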
diff --git a/21-Field-Notes/network/network-segmentation-wazuh-siem.md b/21-Field-Notes/network/network-segmentation-wazuh-siem.md index 69cc054..a186b40 100644 --- a/21-Field-Notes/network/network-segmentation-wazuh-siem.md +++ b/21-Field-Notes/network/network-segmentation-wazuh-siem.md @@ -1,5 +1,9 @@ # 🔒 Ağ Segmentasyonu ve Wazuh SIEM Entegrasyon Rehberi +> ℹ️ **Placeholder notu:** Bu rehberdeki tüm IP/subnet değerleri (`192.168.x.x` vb.) +> **RFC 1918 örnek adresleridir** — gerçek altyapı değildir. Segmentasyon şemasını +> anlatmak için somut tutulmuştur; kendi VLAN/subnet planına uyarla. + ## 📋 Mevcut Durum ve Hedef Mimari ### 🎯 Hedef Ağ Segmentasyonu diff --git a/21-Field-Notes/system/production-ready-repo-layout.md b/21-Field-Notes/system/production-ready-repo-layout.md index a3e1dc1..e4f8bc4 100644 --- a/21-Field-Notes/system/production-ready-repo-layout.md +++ b/21-Field-Notes/system/production-ready-repo-layout.md @@ -586,7 +586,7 @@ jobs: mysql: image: mysql:8.0 env: - MYSQL_ROOT_PASSWORD: password + MYSQL_ROOT_PASSWORD: MYSQL_DATABASE: laravel_test ports: - 3306:3306 @@ -644,7 +644,7 @@ jobs: DB_PORT: 3306 DB_DATABASE: laravel_test DB_USERNAME: root - DB_PASSWORD: password + DB_PASSWORD: REDIS_HOST: 127.0.0.1 REDIS_PORT: 6379 @@ -903,7 +903,7 @@ backend: secrets: APP_KEY: base64:your-app-key - DB_PASSWORD: your-db-password + DB_PASSWORD: JWT_SECRET: your-jwt-secret # Frontend configuration @@ -927,10 +927,10 @@ frontend: mysql: enabled: true auth: - rootPassword: your-root-password + rootPassword: database: laravel_prod username: laravel_user - password: your-db-password + password: primary: persistence: @@ -951,7 +951,7 @@ redis: enabled: true auth: enabled: true - password: your-redis-password + password: master: persistence: @@ -999,7 +999,7 @@ monitoring: enabled: true grafana: enabled: true - adminPassword: your-grafana-password + adminPassword: alerts: enabled: true 
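Review bot: in the production-ready-repo-layout hunks, blanking the values leaves `MYSQL_ROOT_PASSWORD:` and `DB_PASSWORD:` empty in the CI service container (@@ -586 and @@ -644), which is worse than the weak `password` it replaces: the official `mysql:8.0` image refuses to initialise unless one of `MYSQL_ROOT_PASSWORD`, `MYSQL_ALLOW_EMPTY_PASSWORD` or `MYSQL_RANDOM_ROOT_PASSWORD` is set, so the test job will fail, and the client-side `DB_PASSWORD` must match whatever the service gets. For a throwaway CI database either read both from one secret (`${{ secrets.TEST_DB_PASSWORD }}`) or state in the doc that a literal throwaway value is acceptable there. In the Helm values hunks (@@ -903 onward) the blanked `DB_PASSWORD`, `rootPassword`, `password` and `adminPassword` keys still model inline secrets in a values file; the fix consistent with the Grafana advice later in this series is an `existingSecret` reference, not any literal. Also `APP_KEY: base64:your-app-key` and `JWT_SECRET: your-jwt-secret` are left untouched two lines from the blanked `DB_PASSWORD`, so the placeholder policy is applied inconsistently inside one hunk.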
diff --git a/21-Field-Notes/terraform/modules-create-vm.md b/21-Field-Notes/terraform/modules-create-vm.md index 9dcef7e..3f955a9 100644 --- a/21-Field-Notes/terraform/modules-create-vm.md +++ b/21-Field-Notes/terraform/modules-create-vm.md @@ -17,7 +17,7 @@ qm resize 100 scsi0 100G qm set 100 --ipconfig0 ip=/24,gw= qm set 100 --nameserver 8.8.8.8 qm set 100 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 100 --ciuser ubuntu --cipassword ubuntu +qm set 100 --ciuser ubuntu --cipassword '' qm start 100 qm clone 999 101 --name k8s-master-2 --full @@ -26,7 +26,7 @@ qm resize 101 scsi0 100G qm set 101 --ipconfig0 ip=/24,gw= qm set 101 --nameserver 8.8.8.8 qm set 101 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 101 --ciuser ubuntu --cipassword ubuntu +qm set 101 --ciuser ubuntu --cipassword '' qm start 101 qm clone 999 102 --name k8s-master-3 --full @@ -35,7 +35,7 @@ qm resize 102 scsi0 100G qm set 102 --ipconfig0 ip=/24,gw= qm set 102 --nameserver 8.8.8.8 qm set 102 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 102 --ciuser ubuntu --cipassword ubuntu +qm set 102 --ciuser ubuntu --cipassword '' qm start 102 echo "✅ Master nodes created, waiting..." @@ -49,7 +49,7 @@ qm resize 110 scsi0 500G qm set 110 --ipconfig0 ip=/24,gw= qm set 110 --nameserver 8.8.8.8 qm set 110 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 110 --ciuser ubuntu --cipassword ubuntu +qm set 110 --ciuser ubuntu --cipassword '' qm start 110 qm clone 999 111 --name k8s-worker-2 --full @@ -58,7 +58,7 @@ qm resize 111 scsi0 500G qm set 111 --ipconfig0 ip=/24,gw= qm set 111 --nameserver 8.8.8.8 qm set 111 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 111 --ciuser ubuntu --cipassword ubuntu +qm set 111 --ciuser ubuntu --cipassword '' qm start 111 qm clone 999 112 --name k8s-worker-3 --full 
@@ -67,7 +67,7 @@ qm resize 112 scsi0 500G qm set 112 --ipconfig0 ip=/24,gw= qm set 112 --nameserver 8.8.8.8 qm set 112 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 112 --ciuser ubuntu --cipassword ubuntu +qm set 112 --ciuser ubuntu --cipassword '' qm start 112 echo "✅ Worker nodes created, waiting..." @@ -81,7 +81,7 @@ qm resize 120 scsi0 300G qm set 120 --ipconfig0 ip=/24,gw= qm set 120 --nameserver 8.8.8.8 qm set 120 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 120 --ciuser ubuntu --cipassword ubuntu +qm set 120 --ciuser ubuntu --cipassword '' qm start 120 qm clone 999 121 --name k8s-infra-2 --full @@ -90,7 +90,7 @@ qm resize 121 scsi0 300G qm set 121 --ipconfig0 ip=/24,gw= qm set 121 --nameserver 8.8.8.8 qm set 121 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 121 --ciuser ubuntu --cipassword ubuntu +qm set 121 --ciuser ubuntu --cipassword '' qm start 121 qm clone 999 122 --name k8s-infra-3 --full @@ -99,7 +99,7 @@ qm resize 122 scsi0 300G qm set 122 --ipconfig0 ip=/24,gw= qm set 122 --nameserver 8.8.8.8 qm set 122 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 122 --ciuser ubuntu --cipassword ubuntu +qm set 122 --ciuser ubuntu --cipassword '' qm start 122 qm clone 999 123 --name k8s-infra-4 --full @@ -108,7 +108,7 @@ qm resize 123 scsi0 300G qm set 123 --ipconfig0 ip=/24,gw= qm set 123 --nameserver 8.8.8.8 qm set 123 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 123 --ciuser ubuntu --cipassword ubuntu +qm set 123 --ciuser ubuntu --cipassword '' qm start 123 echo "✅ Infrastructure nodes created, waiting..." @@ -122,7 +122,7 @@ qm resize 130 scsi0 50G qm set 130 --ipconfig0 ip=/24,gw= qm set 130 --nameserver 8.8.8.8 qm set 130 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 130 --ciuser ubuntu --cipassword ubuntu +qm set 130 --ciuser ubuntu --cipassword '' qm start 130 qm clone 999 131 --name k8s-lb-2 --full 
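Review bot: `--cipassword ''` (every hunk in modules-create-vm.md) passes an empty string, which is not the same as removing the password and is not obviously safer than the `ubuntu` it replaces; whether an empty cloud-init password is usable for login depends on the image's PAM and sshd defaults. Since `--sshkeys ~/.ssh/k8s-cluster.pub` is already set on the line above each change, the clean fix is to drop the `--cipassword` flag entirely so the `ubuntu` user has no password, or keep it with a visible placeholder and say it must be unique per VM. The context lines `--ipconfig0 ip=/24,gw=` render with empty values too, so the same placeholder-survival check applies. Style point: the thirteen `qm clone/resize/set/start` blocks differ only in VM ID, name, disk size and IP; a single loop over a VM table would have made these one edit and will keep the next fix from being missed in one block.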
@@ -131,7 +131,7 @@ qm resize 131 scsi0 50G qm set 131 --ipconfig0 ip=/24,gw= qm set 131 --nameserver 8.8.8.8 qm set 131 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 131 --ciuser ubuntu --cipassword ubuntu +qm set 131 --ciuser ubuntu --cipassword '' qm start 131 echo "✅ Load balancer nodes created, waiting..." @@ -145,7 +145,7 @@ qm resize 140 scsi0 1000G qm set 140 --ipconfig0 ip=/24,gw= qm set 140 --nameserver 8.8.8.8 qm set 140 --sshkeys ~/.ssh/k8s-cluster.pub -qm set 140 --ciuser ubuntu --cipassword ubuntu +qm set 140 --ciuser ubuntu --cipassword '' qm start 140 echo "✅ Storage node created" diff --git a/21-Field-Notes/terraform/proxmox-configuration.md b/21-Field-Notes/terraform/proxmox-configuration.md index 0d5b23d..74606e7 100644 --- a/21-Field-Notes/terraform/proxmox-configuration.md +++ b/21-Field-Notes/terraform/proxmox-configuration.md @@ -278,7 +278,7 @@ resource "proxmox_vm_qemu" "k8s_masters" { # Cloud-init settings ciuser = "ubuntu" - cipassword = "ubuntu" + cipassword = "" # Tags tags = "kubernetes,master,production" @@ -348,7 +348,7 @@ resource "proxmox_vm_qemu" "k8s_workers" { sshkeys = var.ssh_public_key ciuser = "ubuntu" - cipassword = "ubuntu" + cipassword = "" tags = "kubernetes,worker,${local.worker_nodes[count.index].role}" @@ -413,7 +413,7 @@ resource "proxmox_vm_qemu" "k8s_infra" { sshkeys = var.ssh_public_key ciuser = "ubuntu" - cipassword = "ubuntu" + cipassword = "" tags = "kubernetes,infrastructure,${local.infra_nodes[count.index].role}" @@ -478,7 +478,7 @@ resource "proxmox_vm_qemu" "k8s_lb" { sshkeys = var.ssh_public_key ciuser = "ubuntu" - cipassword = "ubuntu" + cipassword = "" tags = "loadbalancer,haproxy" @@ -543,7 +543,7 @@ resource "proxmox_vm_qemu" "k8s_storage" { sshkeys = var.ssh_public_key ciuser = "ubuntu" - cipassword = "ubuntu" + cipassword = "" tags = "storage,nfs" From 82b03ee4dd61b05601df98415efc9eced4cd80c4 Mon Sep 17 00:00:00 2001 
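Review bot: `cipassword = ""` in each `proxmox_vm_qemu` resource (all five proxmox-configuration.md hunks) is still a literal in the `.tf` file, while the Terraform checklist added later in this series requires secrets to come from Vault/Secrets Manager and to be marked `sensitive = true`. Suggest `cipassword = var.ci_password` with `sensitive = true` on the variable, or drop the attribute altogether since `sshkeys = var.ssh_public_key` already provides key-based access (visible in the context line above each change). Either way the value lands in the state file, which is one more reason for the remote-state encryption and access items in that checklist.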
From: halilibrahimd27 Date: Sun, 28 Jun 2026 01:17:25 +0300 Subject: [PATCH 07/10] =?UTF-8?q?docs(content):=20Faz=203=20=E2=80=94=20ek?= =?UTF-8?q?sik=20anti-pattern=20tablolar=C4=B1=20+=20checklist'ler=20(CLAU?= =?UTF-8?q?DE.md=20anatomi)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit AUDIT.md §2 (corrected real figure: 7 anti-pattern tables + 13 checklists were missing): - anti-pattern table added to 7 files (8-11 rows, 3 columns, domain-specific) - production checklist added to 12 files ([ ] items, concrete) - 05-Kubernetes/Production-Checklist.md: no generic checklist added because the file is already a checklist end to end (deliberate, justified skip); anti-pattern table added - all based on each file's actual subject matter, nothing invented; in the opinionated/actionable Turkish voice of CLAUDE.md; placed correctly before the references/closing section - AUDIT.md §2: the wrong "1/125" figure corrected (it was a zsh word-splitting artefact) 15 files processed with the ultracode workflow: per-file addition + independent adversarial verification (15/15 pass, 0 fabrication risk). Co-Authored-By: Claude Opus 4.8 (1M context) --- 00-Culture/DORA-SPACE-Metrics.md | 33 +++++++++++ 00-Culture/Documentation-Culture.md | 21 +++++++ 00-Culture/On-Call-Playbook.md | 22 +++++++ 00-Culture/Team-Topologies.md | 19 +++++++ 02-CI-CD/Mobile-CICD-Flutter.md | 19 +++++++ 03-IaC/Terraform-Best-Practices.md | 47 +++++++++++++++ 05-Kubernetes/Production-Checklist.md | 24 ++++++++ 07-Observability/OpenTelemetry-Adoption.md | 44 ++++++++++++++ .../Prometheus-Grafana-K8s-Setup.md | 37 ++++++++++++ 08-Security/DevSecOps-Pipeline.md | 38 +++++++++++++ 11-SRE/SLI-SLO-Error-Budget.md | 56 ++++++++++++++++++ 12-FinOps/Cloud-Cost-Allocation.md | 57 +++++++++++++++++++ 18-Career/DevOps-Interview-Questions.md | 40 +++++++++++++ 18-Career/SRE-Interview-Prep.md | 36 ++++++++++++ 18-Career/System-Design-Cheatsheet.md | 21 +++++++ AUDIT.md | 18 ++++-- 16 files changed, 527 insertions(+), 5 deletions(-)
diff --git a/00-Culture/DORA-SPACE-Metrics.md b/00-Culture/DORA-SPACE-Metrics.md index efd6954..9ba5770 100644 --- a/00-Culture/DORA-SPACE-Metrics.md +++ b/00-Culture/DORA-SPACE-Metrics.md 
@@ -242,6 +242,39 @@ Gün 7: Dashboard'u team channel'da haftalık otomatik post yap --- +## 📋 Checklist — production-ready ölçüm sistemi + +Dashboard'u "kuruldu" sayma; aşağıdakiler bitmeden veri güvenilmez. + +**Veri toplama** +- [ ] 4 DORA metriği de otomatik toplanıyor (manuel Excel YOK — manuel veri bayatlar ve güvenilmez) +- [ ] Deploy event'i tek doğruluk kaynağından geliyor (CI pipeline), elle işaretleme yok +- [ ] "Failed deploy" tanımı yazılı ve ekipçe onaylı (rollback + hotfix + incident-correlation) +- [ ] Incident kaynağı (PagerDuty/Opsgenie/issue) deploy'larla otomatik ilişkilendiriliyor +- [ ] Lead time ölçümü ilk commit timestamp'ından başlıyor (PR açılış'tan değil) + +**İstatistik kalitesi** +- [ ] Lead time ve MTTR için ortalama değil p50 + p95 raporlanıyor (averaj outlier'ı saklar) +- [ ] Metrikler rolling pencere ile (7d / 30d) gösteriliyor, tek snapshot değil +- [ ] Düşük hacimli ekipler için sample size belirtiliyor (n<10 deploy → trend yorumlanmaz) + +**SPACE dengesi** +- [ ] DORA yanında en az bir SPACE boyutu (satisfaction/focus) düzenli ölçülüyor +- [ ] Hız metriklerinin yanında burnout/satisfaction trend'i izleniyor (hız ↑ + memnuniyet ↓ = kırmızı bayrak) +- [ ] Hiçbir karar tek metriğe dayanmıyor; en az iki sinyal çapraz kontrol ediliyor + +**Erişim ve ritim** +- [ ] Dashboard tüm ekibe açık (sadece yönetici görmüyor — gözetim hissi yaratır) +- [ ] Haftalık otomatik özet team channel'a post ediliyor (quarterly değil) +- [ ] Metrikler ekipler arası kıyas için DEĞİL, her ekibin kendi trend'i için kullanılıyor +- [ ] Gizli veri/credential dashboard URL'lerinde yok (``, `` env'de tutuluyor) + +**Eylem döngüsü** +- [ ] Negatif trend için sahip + aksiyon tanımlanıyor (sadece kırmızı ok göstermek yetmez) +- [ ] Metrik review'ı retrospektifin parçası — veri konuşmaya dönüşüyor + +--- + ## 📚 Devamı - [DORA — State of DevOps Report](https://dora.dev) (yıllık) 
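Review bot: the item `Gizli veri/credential dashboard URL'lerinde yok (``, `` env'de tutuluyor)` renders with two empty code spans, so the credentials it meant to name are missing and the line reads as a fragment; if they were angle-bracket placeholders they were lost, otherwise name them (the dashboard tool's API token, the CI read token) or drop the parenthetical. The rest of the checklist is sound; `Lead time ölçümü ilk commit timestamp'ından başlıyor` matches the DORA definition (first commit to running in production), and stating that reason in the item will stop someone "fixing" it back to PR-open later.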
diff --git a/00-Culture/Documentation-Culture.md b/00-Culture/Documentation-Culture.md index 2836928..567a7da 100644 --- a/00-Culture/Documentation-Culture.md +++ b/00-Culture/Documentation-Culture.md @@ -254,6 +254,27 @@ Yılda bir audit. Her doc: --- +## 📋 Checklist + +Bir doc'u "production-ready" saymadan önce: + +- [ ] Her repo'da Tier-1 README var — özet + quick start + architecture link 5 dakikada anlaşılıyor +- [ ] Önemli mimari kararlar numaralı ADR'da (`docs/adr/`), 1 sayfayı geçmiyor, immutable +- [ ] Doc başında `last-reviewed` + `owner` + `review-frequency` frontmatter'ı dolu +- [ ] `CODEOWNERS`'ta doc dizinlerinin sahibi tanımlı (orphan doc yok) +- [ ] CI'da link checker (lychee vb.) çalışıyor — kırık link PR'ı bloke ediyor +- [ ] CI'da "6 aydır review olmamış" / stale doc uyarısı aktif +- [ ] Code change ile doc aynı PR'da güncelleniyor (drift'e karşı PR kuralı) +- [ ] Tüm code block'lar test edildi — komutlar gerçekten çalışıyor +- [ ] Placeholder'lar `` formatında, gerçek IP/domain/credential yok +- [ ] Linkler relative — repo taşınınca kırılmıyor +- [ ] Diátaxis ayrımı korunmuş — tutorial / how-to / reference / explanation karışmamış +- [ ] On-call için runbook + incident sonrası postmortem template'i mevcut +- [ ] Doc Git'te (markdown), meeting notes Notion/Confluence'da — kaynak doc Slack thread değil +- [ ] Audit'te "decommission ya da düzelt" geçti — stale doc silindi + +--- + ## 📚 Devamı - [Diátaxis framework](https://diataxis.fr) — 4 doc türü diff --git a/00-Culture/On-Call-Playbook.md b/00-Culture/On-Call-Playbook.md index d68690f..31e908d 100644 --- a/00-Culture/On-Call-Playbook.md +++ b/00-Culture/On-Call-Playbook.md 
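Review bot: `Placeholder'lar `` formatında` has an empty code span where the placeholder format should be shown, so the rule that the other hunks in this series rely on (angle-bracket placeholders, no real IPs/domains/credentials) is stated without its format; spell the format out. And because this same series chose to keep `192.168.x.x` example addresses in 21-Field-Notes behind an "RFC 1918 example" disclaimer rather than replace them, this checklist item should say explicitly whether RFC 1918 examples with a disclaimer are allowed or must be replaced, otherwise the two policies conflict.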
@@ -228,6 +228,28 @@ Bir mühendisin "production-ready on-call" olması için: --- +## 📋 Checklist + +On-call rotation'ı **production-ready** saymadan önce hepsini işaretle: + +- [ ] Rotation 4-8 kişi — < 4 ise burnout riski, hemen büyüt. +- [ ] PagerDuty/Opsgenie ile auto-rotation kurulu, tatil/izin override çalışıyor. +- [ ] Her aktif alert'in runbook'u var — runbook'suz alert canlıya alınmaz. +- [ ] Alert'ler actionable + customer-impacting + urgent; gerisi ticket'a düşürüldü. +- [ ] Severity tier (SEV-1..SEV-4) tanımlı, her tier'ın bildirim kanalı net. +- [ ] Acknowledge SLA'i (15 dk) ölçülüyor, kaçırılınca secondary'ye eskale oluyor. +- [ ] Incident Commander + Comms Lead rolleri SEV-1/SEV-2 için belirli. +- [ ] Status page () bağlı, Comms Lead güncelliyor. +- [ ] Handoff ritüeli var — outgoing özet yazıyor, 30 dk overlap uygulanıyor. +- [ ] Postmortem 24 saat içinde draft'a giriyor, blameless yürütülüyor. +- [ ] Postmortem aksiyon item'larının > %70'i kapatılıyor (takip ediliyor). +- [ ] Haftalık alert audit yapılıyor; false positive eşik ayarı veya silme ile kapatılıyor. +- [ ] Compensation politikası net: standby/page-time pay veya comp-day veriliyor. +- [ ] Yeni mühendis 4 haftalık onboarding (shadow → reverse shadow → solo) tamamladı. +- [ ] Rotation ortalaması < 5 page; üzeri reliability yatırımı tetikliyor. + +--- + ## 📚 Devamı - [Google SRE Book — Chapter 11: Being On-Call](https://sre.google/sre-book/being-on-call/) diff --git a/00-Culture/Team-Topologies.md b/00-Culture/Team-Topologies.md index 37f4f82..9173651 100644 --- a/00-Culture/Team-Topologies.md +++ b/00-Culture/Team-Topologies.md 
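Review bot: `Status page () bağlı` has empty parentheses (the example product or URL is missing as rendered), and `Rotation ortalaması < 5 page` needs a period: five pages per shift and five per week are very different thresholds, and the Google SRE chapter linked right below reasons per shift, so state which one. Also `Acknowledge SLA'i (15 dk)` is a good concrete number but should be tied to the severity tiers defined two items earlier; a 15-minute ack target for a ticket-class alert contradicts `gerisi ticket'a düşürüldü` on the line above.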
@@ -241,6 +241,25 @@ DevOps & Platform Engineering ekiplerinin **yapı** referansı. --- +## 📋 Checklist + +Bir org yapısını "Team Topologies uyumlu" saymadan önce şunları doğrula: + +- [ ] Her takım net bir tipe oturuyor (stream-aligned / enabling / complicated subsystem / platform) — "karma" takım yok +- [ ] Stream-aligned takımlar end-to-end bir akışın sahibi: build + deploy + on-call aynı ekipte ("you build it, you run it") +- [ ] Hiçbir stream-aligned takım 9 kişiyi aşmıyor (aşıyorsa böl) +- [ ] Platform team ürün gibi yönetiliyor: roadmap var, NPS ölçülüyor, ticket-driven değil +- [ ] Platform self-service: yeni servis açmak / prod'a deploy etmek tek ekiple, az adımda yapılıyor +- [ ] "DevOps team" / "QA team" / "Database team" gibi silo bottleneck'ler yok +- [ ] Enabling takımlar için çıkış kriteri tanımlı — kalıcı hale gelmiyor, iş bitince dağılıyor +- [ ] Her takım çifti için etkileşim modu açık (collaboration / X-as-a-Service / facilitating) ve süreli olanların bitiş tarihi var +- [ ] Cognitive load ölçülüyor: "yeni servis / deploy / incident için kaç ekiple konuşmalıyım?" sayısı takip ediliyor +- [ ] Extraneous cognitive load (tooling/process karmaşası) platform team backlog'unda azaltma hedefi olarak duruyor +- [ ] Mimari diyagramı org chart'ı yansıtıyor (Conway's Law) — uyumsuzluk reorg sinyali olarak izleniyor +- [ ] Reorg tetikleyicileri tanımlı: feature lead time'ı, koordinasyon toplantısı yükü, çapraz-ekip ticket sayısı + +--- + ## 📚 Devamı - *Team Topologies* — Skelton & Pais (kitap, **must read**) diff --git a/02-CI-CD/Mobile-CICD-Flutter.md b/02-CI-CD/Mobile-CICD-Flutter.md index 45a1fcb..2c62960 100644 --- a/02-CI-CD/Mobile-CICD-Flutter.md +++ b/02-CI-CD/Mobile-CICD-Flutter.md 
@@ -871,6 +871,25 @@ README.md'ye: --- +## 🚫 Anti-Pattern + +Flutter CI/CD kurarken sık yapılan ve mutlaka kaçınılması gereken hatalar: + +| Anti-pattern | Niye kötü | Doğru | +|--------------|-----------|-------| +| Keystore/.p12/.mobileprovision dosyalarını repo'ya commit etmek | Sertifika sızar, herkes uygulamanı imzalayabilir; geri alınamaz. | Hassas dosyaları `.gitignore`'a al, base64 olarak GitHub Secrets'ta sakla. | +| Şifreleri workflow YAML'ına veya koda gömmek | Repo'yu gören herkes credential'a erişir; rotasyon imkânsızlaşır. | Tüm credential'ları `${{ secrets.* }}` referansıyla Secrets'tan oku. | +| Keystore'u tek yerde tutmak / yedek almamak | Kaybedersen uygulamayı bir daha güncelleyemezsin (Play Store imza zorunlu). | En az 3 ayrı yerde yedekle: password manager + şifreli cloud + offline. | +| Build number'ı elle artırmak | İnsan unutur, çakışan build number upload'ı reddedilir. | `--build-number=${{ github.run_number }}` ile otomatik artır. | +| İlk testleri doğrudan production track'e atmak | Hatalı build gerçek kullanıcılara ulaşır, geri çekme zor. | Önce Firebase Distribution / internal track / TestFlight'ta dene. | +| API key / service account JSON'unu loglara yazdırmak | Actions logları sızdırırsa credential ifşa olur. | Secret'ları echo etme; `add-mask` kullan veya hiç yazdırma. | +| Sertifika expiry tarihini takip etmemek | Sertifika dolduğunda pipeline aniden kırılır, release durur. | Expiry tarihlerini takvime/uyarıya bağla, dolmadan yenile. | +| Release build'i imzasız veya `minifyEnabled false` ile çıkmak | Store reddeder ya da APK şişer, kod açıkta kalır. | `signingConfig` + `minifyEnabled`/`shrinkResources` + ProGuard aktif olsun. | +| `flutter test` / lint adımını CI'dan atlamak | Kırık kod store'a kadar gider, geç fark edilir. | Test job'ı build'lerden önce zorunlu (required check) yap. | +| Service account'a Owner/aşırı geniş izin vermek | Sızarsa tüm projeye erişim açılır. 
| En az ayrıcalık: yalnız Release Manager / App Manager rolü ver. | + +--- + ## 📞 Yardım Kaynakları ### Dokümantasyon: diff --git a/03-IaC/Terraform-Best-Practices.md b/03-IaC/Terraform-Best-Practices.md index 01a7890..760c99d 100644 --- a/03-IaC/Terraform-Best-Practices.md +++ b/03-IaC/Terraform-Best-Practices.md 
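Review bot: in the build-number row, `--build-number=${{ github.run_number }}` needs the caveat that `run_number` is counted per workflow and starts again at 1 for a new workflow file, which produces exactly the duplicate-build-number rejection the row warns about; add a base offset or derive the number from a tag. In the keystore row, `base64 olarak GitHub Secrets'ta sakla` is right but should add that the decoded file must be written outside the checkout and deleted after signing, otherwise `upload-artifact` or a later step can ship it; and in the logging row, name the `::add-mask::` workflow command exactly so readers can grep for it. The service-account row's `En az ayrıcalık: yalnız Release Manager / App Manager rolü ver` is the strongest row in the table; consider pairing it with environment-scoped secrets plus required reviewers so the signing secrets are only readable from a protected release job.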
@@ -488,6 +488,53 @@ Developer push → PR open --- +## 📋 Checklist + +Production'a çıkmadan önce her madde işaretlenmeli. İşaretlenmeyen madde = +açık risk. + +### State & Backend +- [ ] State remote backend'de (S3/GCS/Azure Blob) — local state YOK +- [ ] State locking aktif (DynamoDB / GCS native / Azure lease) +- [ ] State bucket'ta versioning enabled (rollback için) +- [ ] State encryption KMS ile (SSE-S3 değil) +- [ ] Bucket public access block: all + access logging ayrı bucket'a +- [ ] `*.tfstate` ve `*.tfstate.backup` `.gitignore`'da +- [ ] Her env/service için ayrı state key (monolitik state YOK) + +### Kod & Module +- [ ] `required_version` ve tüm provider'lar pinned (`~> 5.0` / `>= 5.0, < 6.0`) +- [ ] `.terraform.lock.hcl` commit'lenmiş (multi-platform hash'lerle) +- [ ] Module'ler Git tag / Registry version ile referanslı — path-based YOK +- [ ] `for_each` kullanılıyor (mümkün olan her yerde `count` yerine) +- [ ] Tüm `variable`'larda `type` + `description`, kritiklerinde `validation` +- [ ] `terraform fmt -recursive -check` temiz +- [ ] `terraform validate` ve `tflint --recursive` hatasız + +### Güvenlik +- [ ] Sensitive değişken/output'lar `sensitive = true` +- [ ] Gerçek secret'lar Vault/Secrets Manager veya ephemeral resource'tan +- [ ] tfsec/Checkov taraması CI'da, kritik bulgu YOK +- [ ] OPA/Conftest policy gate plan üzerinde çalışıyor +- [ ] Provider credential'ları OIDC/role-assume ile (uzun ömürlü key YOK) + +### Lifecycle & Güvenli Apply +- [ ] Kritik kaynaklarda (RDS, KMS, prod bucket) `prevent_destroy = true` +- [ ] Replace gerektiren değişiklikler `create_before_destroy` ile +- [ ] `ignore_changes` spesifik field'larda (`["*"]` YOK) +- [ ] Plan PR'da görünür (Atlantis / GHA comment) +- [ ] Apply manuel onay gate'inin arkasında, audit log'lu — `-auto-approve` YOK +- [ ] Apply öncesi state backup adımı pipeline'da + +### Operasyon +- [ ] Drift detection scheduled (daily/weekly) + alarm (Slack/PagerDuty) +- [ ] Promote sırası uygulanıyor: dev → 
staging → prod +- [ ] Module'lerde `README.md` (terraform-docs) ve `examples/` var +- [ ] Kritik module'ler için Terratest/`tofu test` entegrasyon testi +- [ ] Backend bootstrap chicken-and-egg çözümü dokümante (`-migrate-state`) + +--- + ## 📚 Devamı - [Terraform official docs](https://www.terraform.io/docs) diff --git a/05-Kubernetes/Production-Checklist.md b/05-Kubernetes/Production-Checklist.md index 5ca1962..5793e58 100644 --- a/05-Kubernetes/Production-Checklist.md +++ b/05-Kubernetes/Production-Checklist.md 
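Review bot: `ignore_changes` spesifik field'larda (`["*"]` YOK)`: the `["*"]` form is Terraform 0.11 syntax and is rejected by current versions, so nobody writes it today; the thing to forbid is `ignore_changes = all`. `tfsec/Checkov taraması CI'da`: tfsec has been folded into Trivy (`trivy config`) and is in maintenance, so name Trivy or Checkov. `State encryption KMS ile (SSE-S3 değil)` should carry its reason in the item (a customer-managed key gives you a key policy and an audit trail of who decrypted state; SSE-S3 only encrypts at rest). The biggest gap: there is no item on who may read state at all, i.e. a bucket policy or IAM condition limiting `GetObject` on the state key to the CI role, which is the real control against the values that `sensitive = true` merely hides from CLI output, and it belongs in the State & Backend group.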
@@ -426,6 +426,30 @@ kubectl diff -f deployment.yaml --- +## 🚫 Anti-Pattern + +Red flag'ler "neyi yapma"yı söyler; bu tablo "onun yerine ne yap"ı da verir. + +| Anti-pattern | Niye kötü | Doğru | +|---|---|---| +| `image: :latest` | Tag mutable; aynı tag farklı içerik çeker, rollback imkansız | SHA-pinned (`@sha256:...`) veya semantic version | +| `imagePullPolicy: Always` prod'da | Her pod start'ında registry'ye gider; rate-limit + yavaş başlangıç | SHA-pinned image + `IfNotPresent` | +| `resources` tanımsız | BestEffort QoS; node baskısında ilk evict edilen pod olursun | Her container'a `requests`, memory `limits` zorunlu | +| Memory `limit` yok | Sızıntı node'u OOM'a sürükler, komşu pod'ları öldürür | Memory limit mutlaka; CPU limit opsiyonel | +| CPU `limit == request` her yerde | Gereksiz CFS throttling, p99 latency artar | CPU'da burst bırak (limit yok ya da request'ten yüksek) | +| `livenessProbe` ağır `/health`'e bağlı | DB yavaşlayınca probe fail → cascade restart fırtınası | Liveness hafif `/health/live`; bağımlılık kontrolü readiness'te | +| `readinessProbe` yok | Henüz warm-up bitmemiş pod'a trafik gider, 503 | `/health/ready` ile downstream + warm-up kontrolü | +| `preStop` + grace period yok | Pod kill anında in-flight bağlantılar 503 alır | `preStop: sleep`, `terminationGracePeriodSeconds` yeterli | +| `replicas: 1` (leader-election'sız) | Tek node/zone arızası = tam kesinti (SPOF) | min 2-3 replica + PDB + topology spread | +| PDB yok | Node drain/upgrade tüm replica'ları aynı anda kaldırabilir | `PodDisruptionBudget: minAvailable` | +| Secret `env` içinde plain | Log, `env` dump ve `kubectl describe`'da sızar | `Secret` resource / ESO / Sealed Secrets / SOPS | +| `runAsRoot` (securityContext yok) | Container escape ayrıcalıklı; node compromise yolu | `runAsNonRoot`, `drop: ["ALL"]`, `readOnlyRootFilesystem` | +| Default ServiceAccount + cluster-admin | Tek pod compromise = cluster pwn | Kendi SA + dar Role; `automountServiceAccountToken: false` | 
+| NetworkPolicy yok | Düz ağ; bir pod'dan tüm namespace'lere lateral movement | Namespace başına default-deny + explicit allow | +| `kubectl apply` manuel | Drift, audit-trail yok, "kim ne deploy etti" belirsiz | GitOps (ArgoCD/Flux) Git'i izlesin, drift'i düzeltsin | + +--- + ## 🚦 "Bu prod'a çıkamaz" red flag'ler | 🚩 | Açıklama | diff --git a/07-Observability/OpenTelemetry-Adoption.md b/07-Observability/OpenTelemetry-Adoption.md index 260cfbf..3562933 100644 --- a/07-Observability/OpenTelemetry-Adoption.md +++ b/07-Observability/OpenTelemetry-Adoption.md 
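Review bot: the `imagePullPolicy: Always` row recommends `IfNotPresent` without the security caveat: on a shared node, `IfNotPresent` lets any pod run an image already cached on that node without presenting registry credentials, which is why the `AlwaysPullImages` admission plugin exists for multi-tenant clusters. With digest pinning the registry round-trip under `Always` is a manifest check and layers stay cached, so the cost in `Niye kötü` is mostly registry rate limits, not start time. Qualify the row: `IfNotPresent` for single-tenant clusters with digest pins, `Always` (or `AlwaysPullImages`) where tenants share nodes. In the `runAsRoot` row, the `Doğru` column should also list `allowPrivilegeEscalation: false` and `seccompProfile: RuntimeDefault`, since the restricted Pod Security Standard requires them alongside `runAsNonRoot` and `drop: ["ALL"]`; and the Secret row's fix `Secret resource` still needs a note that a Secret is base64 in etcd, not encryption, until encryption at rest is enabled.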
@@ -374,6 +374,50 @@ queue_gauge = meter.create_observable_gauge("queue.depth", callbacks=[cb]) --- +## 🚫 Anti-Pattern + +| Anti-pattern | Niye kötü | Doğru | +|---|---|---| +| Vendor SDK'sını (Datadog/NewRelic) yeni kodda kullanmak | OTel'in tüm amacını öldürür; vendor değişince yine kod değişir | OTel API/SDK ile yaz, Collector exporter'ından vendor'a gönder | +| `user_id`/`order_id` gibi high-cardinality attribute'u metric'e koymak | Time-series patlar, Prometheus/Mimir maliyeti uçar | High-cardinality alanları trace'e bırak; metric'te düşük-kardinalite label kullan | +| Memory limiter processor'ı atlamak | Collector OOM olur, tüm telemetry kaybı + restart loop | Her pipeline'da `memory_limiter`'ı ilk processor yap | +| Batch processor'sız OTLP export | Her span ayrı RPC; network/CPU overhead patlar | `batch` processor ile gönderimi grupla | +| Prod'da head-based %100 sampling | Veri ve maliyet kontrolsüz büyür | Tail-based sampling: error + slow %100, geri kalan düşük yüzde | +| Tail sampling'i `decision_wait` çok kısa ayarlamak | Geç gelen span'lar trace'ten düşer, eksik trace | `decision_wait`'i en yavaş span'ı kapsayacak şekilde ver (örn. 
10s) | +| Custom attribute isimleri (`httpMethod`, `env`) | Semantic convention bozulur, vendor dashboard/query çalışmaz | `http.method`, `deployment.environment` standart isimlerini kullan | +| Trace ID'yi log'a eklememek | Trace ↔ log korelasyonu kopar, debug'da köprü yok | Logger'a `trace_id`/`span_id` enjekte et, JSON log'a yaz | +| `traceparent` header'ı manuel forward etmemek | Servisler arası trace zinciri kırılır | W3C propagator'ı kur; HTTP client auto-inject etsin | +| PII'yı (email, token) span/log'a olduğu gibi göndermek | KVKK/GDPR ihlali, sızıntı riski | `attributes` processor ile delete/hash uygula | +| Auto-instrument'i kör açıp bırakmak | Gereksiz span (redirect, health-check, DB ping) noise + maliyet | İstenmeyen span'ları sampler/filter ile sustur | +| OTLP endpoint'ini TLS'siz public ağda kullanmak | Telemetry trafiği şifresiz akar, dinlenebilir | İç ağda `insecure` tamam; dış hop'ta mTLS/TLS zorunlu kıl | +| Hepsini tek seferde (trace+metric+log) migrate etmek | Risk büyük, geri dönüş zor, ekip boğulur | Faz faz git: önce trace, sonra metric, sonra log | + +--- + +## 📋 Checklist + +Production-ready OTel adoption için: + +- [ ] OTel SDK (auto + manuel span) tüm servislerde kurulu, vendor SDK kaldırıldı +- [ ] `service.name`, `service.version`, `deployment.environment` her serviste set ediliyor +- [ ] Attribute isimleri semantic conventions'a uygun (`http.*`, `db.*`, `service.*`) +- [ ] Collector deploy edildi (`mode` workload'a uygun: deployment/daemonset) +- [ ] Her pipeline'da `memory_limiter` ilk, `batch` processor ekli +- [ ] Tail-based sampling aktif: error + slow %100, random düşük yüzde +- [ ] `decision_wait` en yavaş işlemi kapsayacak şekilde ayarlı +- [ ] PII redaction: email/token/user-agent için delete/hash processor'ı ekli +- [ ] W3C `traceparent` propagation tüm servisler arası HTTP/gRPC'de çalışıyor +- [ ] Log'lara `trace_id`/`span_id` enjekte ediliyor, Grafana'da trace ↔ log geçişi test edildi +- [ ] High-cardinality attribute'lar 
metric'e değil trace'e gidiyor (cardinality kontrol edildi) +- [ ] Yeni metric'ler OTel metrics API ile yazılıyor (eski Prometheus client değil) +- [ ] OTLP endpoint dış hop'larda TLS/mTLS ile korunuyor +- [ ] Collector kendi telemetry'sini export ediyor (self-monitoring: drop/queue metrikleri) +- [ ] Collector resource limit/request set edildi, OOM ve restart loop izleniyor +- [ ] Migration fazları planlandı ve sıralı yürütülüyor (trace → metric → log → vendor-neutral) +- [ ] Exporter failover/queue (sending_queue + retry) backend down senaryosu için ayarlı + +--- + ## 📚 Devamı - [opentelemetry.io](https://opentelemetry.io) diff --git a/07-Observability/Prometheus-Grafana-K8s-Setup.md b/07-Observability/Prometheus-Grafana-K8s-Setup.md index 967c9f2..f86013d 100644 --- a/07-Observability/Prometheus-Grafana-K8s-Setup.md +++ b/07-Observability/Prometheus-Grafana-K8s-Setup.md 
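Review bot: the TLS row's `İç ağda insecure tamam` is too generous sitting directly below the PII row: the same spans that may carry email/token attributes before the `attributes` processor redacts them travel SDK to Collector in clear, so plaintext in-cluster OTLP is only acceptable when that hop is covered by mesh mTLS or the redaction already happens in the SDK, and the row should say so. In the checklist, `sending_queue + retry` should use the real exporter key `retry_on_failure` so it is greppable, and the `memory_limiter` items should mention that it needs `check_interval` and `limit_mib`/`limit_percentage` set, otherwise the collector rejects the config.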
@@ -578,6 +578,43 @@ kubectl port-forward -n monitoring svc/prometheus-kube-prometheus-alertmanager 9 --- +## 🚫 Anti-Pattern + +| Anti-pattern | Niye kötü | Doğru | +|--------------|-----------|-------| +| Grafana admin şifresini `values.yaml`'a düz metin yazmak (`adminPassword: "admin123!"`) | Şifre git'e ve Helm release secret'ına sızar, herkes okur | Şifreyi K8s Secret olarak oluştur, `admin.existingSecret` ile referansla | +| Tüm servisleri NodePort ile internete açmak | Prometheus/AlertManager kimlik doğrulamasız, cluster metrikleri ve config dışarı sızar | İç erişimi ClusterIP'te tut, dış erişimi Ingress + auth (OAuth2/basic) arkasına al | +| `retention` ayarlamadan Prometheus çalıştırmak | TSDB disk'i sınırsız büyür, PVC dolar, Prometheus crash olur | `retention: 15d` ve `retentionSize` ile sınır koy, PVC boyutuyla uyumlu tut | +| Pod'lara resource `requests`/`limits` koymamak | Prometheus OOM-kill yer veya node'u boğar, scrape kesilir | Her bileşene memory/cpu request+limit ver (örn. Prometheus 1Gi limit) | +| `emptyDir` veya persistence kapalı çalıştırmak | Pod restart'ında tüm metrik ve dashboard geçmişi silinir | `persistence.enabled: true` + kalıcı StorageClass kullan | +| `helm upgrade`'i mevcut values almadan çalıştırmak | Önceki özelleştirmeler default'a döner, NodePort/şifre/retention sıfırlanır | Önce `helm get values ... 
> current.yaml`, sonra `--values current.yaml` ile upgrade et | +| Alert kuralı yazmadan sadece dashboard'a bakmak | Sorunlar ekrana bakan biri olmadığında fark edilmez | Kritik metrikler için `PrometheusRule` ile alert tanımla, AlertManager'ı bir kanala bağla | +| Tek replica AlertManager ile prod'a çıkmak | Pod düşünce hiçbir alarm iletilmez, sessiz arıza | AlertManager'ı HA (en az 2 replica) ve gerçek receiver (Slack/e-posta/PagerDuty) ile kur | +| `kubectl patch` ile servisleri elle düzenleyip values'a yazmamak | Bir sonraki Helm upgrade değişikliği ezer, drift oluşur | Değişiklikleri `values.yaml`'a yaz, kaynak-doğru (GitOps) tut | +| Metrics server / `kubectl top` olmadan kapasite planlamak | Kaynak kullanımı görünmez, limit ayarları tahmine dayanır | Metrics server kur, `kubectl top` ve Grafana ile gerçek kullanımı izle | + +--- + +## 📋 Checklist + +Production'a çıkmadan önce: + +- [ ] Grafana admin şifresi K8s Secret'ta (`existingSecret`), values'da düz metin yok +- [ ] Prometheus `retention` + `retentionSize` ayarlandı ve PVC boyutuyla uyumlu +- [ ] Tüm bileşenlerde resource `requests` ve `limits` tanımlı +- [ ] Persistence açık ve kalıcı StorageClass kullanılıyor (Prometheus, Grafana, AlertManager) +- [ ] Dış erişim Ingress + TLS + auth arkasında; Prometheus/AlertManager doğrudan NodePort ile açık değil +- [ ] AlertManager HA (>=2 replica) ve gerçek receiver'a (Slack/e-posta/PagerDuty) bağlı +- [ ] Kritik metrikler için `PrometheusRule` alert kuralları yazıldı ve test edildi +- [ ] Prometheus `/targets` sayfasında tüm hedefler `UP` +- [ ] Metrics server kurulu, `kubectl top pods/nodes` çalışıyor +- [ ] `externalLabels` (cluster adı) ayarlandı — çok-cluster federasyon için +- [ ] Backup planı var: Prometheus data + Grafana config/dashboard'lar düzenli alınıyor +- [ ] RBAC ve NetworkPolicy ile monitoring namespace izole edildi +- [ ] Tüm konfigürasyon `values.yaml`'da versiyonlanıyor; manuel `kubectl patch` drift'i yok + +--- + ## 📖 Ek Kaynaklar ### Resmi 
Dokümantasyon diff --git a/08-Security/DevSecOps-Pipeline.md b/08-Security/DevSecOps-Pipeline.md index 558011f..da08982 100644 --- a/08-Security/DevSecOps-Pipeline.md +++ b/08-Security/DevSecOps-Pipeline.md 
@@ -402,6 +402,44 @@ Track et: --- +## 📋 Checklist + +Production'a çıkmadan önce her satırı işaretle — biri eksikse pipeline tam değil. + +**Pre-commit** +- [ ] `pre-commit install` repo'yu klonlayan herkeste çalışıyor (CONTRIBUTING'de zorunlu adım). +- [ ] gitleaks pre-commit hook aktif; secret commit'i lokalde durduruyor. +- [ ] IDE plugin'leri (Snyk/Semgrep/SonarLint) standart kurulum imajına dahil. + +**CI / PR** +- [ ] gitleaks CI job leak bulunca PR'ı bloklar ve secret rotation ticket'ı açar. +- [ ] SAST (Semgrep + CodeQL) en az javascript/python/go için çalışıyor. +- [ ] SCA (OSV-Scanner veya Trivy fs) + Dependabot aktif, lisans taraması açık. +- [ ] IaC scan (Checkov) `soft_fail: false` ile HIGH/CRITICAL ihlalleri bloklar. +- [ ] Tüm SARIF çıktıları GitHub Security tab'ına yükleniyor. +- [ ] Severity threshold tanımlı: LOW bulgular pipeline'ı KIRMIYOR (sadece raporlanıyor). + +**Build** +- [ ] Trivy image scan CRITICAL/HIGH bulguda build'i fail ediyor. +- [ ] Cosign keyless OIDC ile her imaj imzalanıyor (`id-token: write` izni var). +- [ ] SBOM (CycloneDX) üretiliyor ve cosign attestation olarak imaja bağlanıyor. +- [ ] Base image minimal/distroless (örn. Chainguard) ve düzenli güncelleniyor. + +**Deploy / Admission** +- [ ] Kyverno `verify-signature` policy `validationFailureAction: Enforce` modunda. +- [ ] İmzasız veya doğrulanamayan imaj cluster'a giremiyor (test edildi). +- [ ] Namespace'lerde Pod Security Standards `restricted` enforce ediliyor. +- [ ] NetworkPolicy default-deny tanımlı; sadece gerekli trafik açık. +- [ ] Bypass yetkisi sınırlı kişide ve her bypass audit log'a düşüyor. + +**Runtime** +- [ ] Falco veya Tetragon çalışıyor; alert'ler bir kanala (Slack/SIEM) gidiyor. +- [ ] kube-apiserver audit log'u merkezi log sistemine akıyor ve saklanıyor. +- [ ] Threat model tablosundaki her saldırı türü için en az bir aktif kontrol var. +- [ ] Metrikler (signed image %, CVE MTTR, gate block %) dashboard'da izleniyor. 
+ +--- + ## 📚 Devamı - [OWASP DevSecOps Guideline](https://owasp.org/www-project-devsecops-guideline/) diff --git a/11-SRE/SLI-SLO-Error-Budget.md b/11-SRE/SLI-SLO-Error-Budget.md index a00a12f..c606150 100644 --- a/11-SRE/SLI-SLO-Error-Budget.md +++ b/11-SRE/SLI-SLO-Error-Budget.md 
@@ -251,6 +251,62 @@ duyur. Kim bu kuralı uygulayacak (tooling enforce'u + manager onayı)? --- +## 🚫 Anti-Pattern + +Aşağıdaki tablo SLO pratiğinde en sık görülen yanlışları damıtır. Sol +sütundakini yapma, sağdakini yap. + +| Anti-pattern | Niye kötü | Doğru | +|---|---|---| +| SLO = %100 hedefle | Matematiksel imkansız; error budget = 0 olur, hiç deploy edemezsin. | Gerçekçi koy (%99.9 çoğu prod için). Budget'ı risk almak için harca. | +| SLO'yu mevcut davranışa eşitle (retro-fit) | "%99.7'deyim, hedefim %99.7" ölçümdür, hedef değil; iyileştirme baskısı kaybolur. | Mevcut + biraz mühendislik gücü = SLO. Hedef şu ankine yakın ama biraz iyi olsun. | +| SLI olarak CPU/memory/disk seç | Saturation göstergesi; kullanıcı CPU yüksekken bile etkilenmemiş olabilir. | Müşteri-deneyimi yansıtan SLI: success rate, latency, freshness. | +| Latency'yi average ile ölç | Ortalama yalan söyler; kuyruktaki kötü request'leri gizler. | `histogram_quantile` ile p99/p95 percentile kullan. | +| Sadece error rate'i SLO yap | Hızlı ama yanlış/bayat yanıt SLO'yu yeşil gösterir, müşteri kötü. | Latency + freshness + correctness'i de SLO'ya kat. | +| Cause-based alert (CPU > %80) | False positive üretir; gerçek müşteri etkisi olmadan page atar. | Symptom-based: error budget burn-rate üzerinden alert. | +| Tek-window SLO alert | Ya çok geç (low-burn) ya çok hassas (false positive) görür. | Multi-burn-rate: 2 pencere (fast 14.4x + slow 6x) birlikte. | +| Toplam/aggregate metric'e bak | Bir büyük tenant %50 down olsa toplamda fark etmezsin. | Per-tenant / per-journey breakdown ile ölç. | +| Endpoint bazında SLO | Tek endpoint yeşil olabilir ama user journey kırık. | User journey (akış zinciri) bazında SLO yaz. | +| Üretici tarafında (app 5xx) ölç | LB/gateway'de timeout olan request app'e hiç ulaşmaz, ölçülmez. | Müşteriye yakın ölç: CDN / API gateway tarafı. | +| SLA = SLO (aynı değer) | Buffer yok; iç hedefi kaçırınca direkt müşteri sözünü ihlal edersin. 
| İç SLO'yu SLA'dan sıkı tut (SLA %99.5 → SLO %99.7). | +| Error budget policy'yi manuel "biz tutarız" yap | Disiplin baskı altında ilk çöken şeydir; gating uygulanmaz. | Policy'yi tooling ile enforce et (GitOps gating + alertmanager). | +| Window'u çok kısa (7 gün) seç | Noisy; sürekli yanlış alarm, sinir bozucu. | 30 gün rolling standart. Çok uzun (90 gün) da kötüyü geç fark ettirir. | + +--- + +## 📋 Checklist + +Bir servisin SLO'su production-ready sayılmadan önce hepsi işaretlenmeli. + +**SLI tanımı** +- [ ] SLI'lar müşteri perspektifinden seçildi (CPU/memory değil, success rate / latency) +- [ ] Latency SLI percentile (p99/p95) ile ölçülüyor, average ile değil +- [ ] Servis kategorisine uygun SLI'lar var (request/response → availability + latency; data → freshness + correctness) +- [ ] Ölçüm müşteriye en yakın noktada yapılıyor (CDN / API gateway), app içinde değil +- [ ] User journey bazında en az bir SLI tanımlandı (kritik akış endpoint zinciri) + +**SLO hedefi** +- [ ] Mevcut performans son 30 günde ölçüldü (gerçek baseline) +- [ ] Hedef gerçekçi konuldu (downtime tablosuna karşı maliyet/gerek doğrulandı) +- [ ] İç SLO, müşteriye verilen SLA'dan sıkı (buffer var) +- [ ] Window 30 gün rolling olarak sabitlendi +- [ ] Multi-tenant ise per-tenant breakdown query'si mevcut + +**Error budget & alerting** +- [ ] Error budget matematiği hesaplandı (allowed bad minutes belli) +- [ ] Multi-burn-rate alert kuruldu (fast 14.4x → page, slow 6x → ticket) +- [ ] Alert'ler symptom-based (burn-rate), cause-based (CPU) değil +- [ ] Recording + alerting rules versiyon kontrolünde (`/slo-recording-rules.yaml`) +- [ ] Budget eşiklerine bağlı deploy gating tooling ile enforce ediliyor (manuel değil) + +**Gözlemlenebilirlik & süreç** +- [ ] Dashboard tek bakışta gösteriyor: current SLO, budget remaining, burn-rate, deploy annotation +- [ ] Error budget policy yazılı ve takıma duyuruldu (budget < %20 → feature freeze) +- [ ] Policy'yi kimin/neyin uygulayacağı net (tooling enforce 
+ manager onayı) +- [ ] Aylık SLO review takvime alındı (budget yanması, alert doğruluğu, hedef güncelleme) + +--- + ## 📚 Devamı - *Site Reliability Engineering* (Google SRE Book) — bölüm 4 diff --git a/12-FinOps/Cloud-Cost-Allocation.md b/12-FinOps/Cloud-Cost-Allocation.md index 463bc86..7f99eba 100644 --- a/12-FinOps/Cloud-Cost-Allocation.md +++ b/12-FinOps/Cloud-Cost-Allocation.md 
@@ -428,6 +428,63 @@ Monthly cost change: +$320 --- +## 🚫 Anti-Pattern + +Maliyet allocation'da en sık görülen ve faturayı kör eden hatalar: + +| Anti-pattern | Niye kötü | Doğru | +|---|---|---| +| Tag enforcement olmadan allocation başlatmak | Untagged resource = atfedilemeyen para; rapor delik dolu çıkar | Önce SCP/Config/Kyverno ile zorunlu tag, sonra rapor | +| Sadece toplam faturaya bakmak | Hangi ekip/servis yaktı görünmez, optimizasyon kör | Team + Service tag bazında breakdown çek | +| Ay sonunu bekleyip faturaya bakmak | Sürpriz patlama; sapma 30 gün boyunca büyür | Günlük anomaly detection (Cost Anomaly veya Athena cron) | +| Cost Explorer ile resource-seviye analiz | CE aggregate; tek resource'u izleyemezsin | Resource-seviye için CUR → Athena kullan | +| Kubernetes maliyetini cloud bill'den okumak | Bill node bazlı; pod/namespace attribution yok | OpenCost/Kubecost ile pod-seviye allocation | +| Egress maliyetini görmezden gelmek | Kontrolsüz büyür ($0.09/GB); en büyük gizli gider | VPC Endpoint + CDN + cross-region trafiği izle | +| Hemen 3-yıl all-upfront RI almak | Esneklik sıfır; instance tipi değişince para çöp | Önce 1-year SP, kullanım oturunca uzun commit | +| SP/RI expiration'ı takip etmemek | Commit cliff'e çarpıp on-demand fiyata düşmek | Bitişten 60 gün önce alarm + yenileme planı | +| Idle resource'u (boş EIP/EBS/LB) bırakmak | Kullanılmadan fatura yazar; ay ay birikir | Haftalık idle taraması + otomatik temizlik | +| Maliyeti merkezi tek ekibe yıkmak (showback yok) | Kimse kendi tüketimini görmez, sorumluluk yok | Showback dashboard; her ekip kendi maliyetini görür | +| Maliyet diff'ini merge sonrası fark etmek | Pahalı kaynak prod'a sızar, geri almak zor | PR-time Infracost diff ile merge öncesi gör | + +--- + +## 📋 Checklist + +Production-ready cost allocation için somut maddeler: + +**Tagging foundation** +- [ ] Zorunlu tag set tanımlı (`Environment`, `Team`, `Service`, `CostCenter`, `ManagedBy`, `Owner`) +- [ ] SCP ile tag'siz 
resource oluşturma engelleniyor (org-level) +- [ ] Terraform `required-tags` modülü tüm modüllerde kullanımda +- [ ] Kyverno/AWS Config ile K8s + AWS tag compliance denetimi aktif +- [ ] Mevcut (legacy) resource'lar retro-tag'lendi +- [ ] Haftalık untagged raporu otomatik; 4 hafta üst üste untagged kalan durduruluyor + +**Reporting** +- [ ] CUR aktif ve Athena'ya bağlı (resource-seviye sorgu mümkün) +- [ ] Team bazlı breakdown raporu çalışıyor +- [ ] Untagged-cost raporu izleniyor (kayıp para görünür) +- [ ] Kubernetes için OpenCost/Kubecost kurulu (pod/namespace allocation) + +**Showback / Chargeback** +- [ ] Her ekibe aylık showback dashboard/e-mail gidiyor +- [ ] Bütçe vs gerçek karşılaştırması raporda var +- [ ] (Büyük org) Chargeback iç fatura akışı finansla entegre + +**Anomaly & alarm** +- [ ] AWS Cost Anomaly Detection monitor + subscription aktif +- [ ] Günlük sapma sorgusu (>%30) Slack/e-mail'e düşüyor +- [ ] Alarm subscriber ARN/endpoint `` ile parametrize, hardcode kredensiyal yok + +**Optimizasyon** +- [ ] Idle EC2/EBS/EIP/LB haftalık taranıyor +- [ ] gp2→gp3 ve eski snapshot temizliği planlı +- [ ] Egress (data transfer) izleniyor; VPC Endpoint/CDN devrede +- [ ] RI/SP stratejisi baseline'a göre belirli; expiration'a 60 gün alarm +- [ ] PR-time Infracost diff CI'da çalışıyor + +--- + ## 📚 Devamı - [FinOps Foundation](https://www.finops.org) diff --git a/18-Career/DevOps-Interview-Questions.md b/18-Career/DevOps-Interview-Questions.md index ba82116..864ffe2 100644 --- a/18-Career/DevOps-Interview-Questions.md +++ b/18-Career/DevOps-Interview-Questions.md 
@@ -492,6 +492,46 @@ Hata türleri: --- +## 🚫 Anti-Pattern + +Mülakatta sık görülen tuzaklar — bunlardan kaçın. + +| Anti-pattern | Niye kötü | Doğru | +|--------------|-----------|-------| +| Tanım ezberleyip okumak | Mülakatçı deneyim arıyor, Wikipedia değil; takip sorusunda çökersin | Kavramı kendi yaşadığın bir olayla, trade-off vererek anlat | +| "Her zaman X kullanılır" demek | Mutlak ifade tecrübesizlik sinyali; gerçek hayatta her şey bağlama bağlı | "Şu durumda X, şu durumda Y; çünkü..." diye koşula bağla | +| Bilmediğin konuda uydurmak | Yanlış cevap, dürüst "bilmiyorum"dan çok daha kötü; güveni yıkar | "Bunu kullanmadım ama şöyle yaklaşırdım / nasıl öğrenirim" de | +| Problemi netleştirmeden çözüme dalmak | Yanlış soruyu çözersin; sistem tasarımında ölümcül | Önce varsayımları/kısıtları sor, scope'u netleştir, sonra çöz | +| Debug sorusunda rastgele komut denemek | Sistematiksizlik panik gösterir; gerçek incident'te de tehlikeli | Hipotez → ölç → daralt; `describe`/`logs`/`events` sırayla | +| Behavioral'da "biz" diye anlatmak | Senin katkın görünmez; rolün belirsiz kalır | STAR ile **senin** aksiyonunu net ver, sayı ile destekle | +| Eski incident'te başkasını suçlamak | Blameless kültür yoksunluğu; takım oyuncusu değilsin sinyali | Sistemik kök neden + "niye yakalanmadı" + ne değiştirdin | +| Trade-off söylemeden tek doğru sunmak | Senior+ sinyali trade-off farkındalığıdır; tek-boyutlu cevap junior gösterir | Her kararın maliyetini/karmaşıklığını da söyle | +| Soru sormadan teklifi kabul etmek | İlgisizlik/araştırmasızlık sinyali; karşılıklı uyum kaçar | Ürün, ekip yapısı, on-call, teknik borç hakkında hazır soru getir | +| Abartılı/yalan deneyim anlatmak | Derinleşen soruda ortaya çıkar; tüm güveni sıfırlar | Gerçek deneyim + dürüstçe sınırını belirt | + +--- + +## 📋 Checklist + +Mülakata girmeden önce hazır olduğunu doğrula. 
+ +- [ ] Her seviye için en az 2 gerçek hikaye hazır (STAR formatında, sayısal impact ile) +- [ ] "En zor incident" hikayesi prova edildi — timeline, rolün, öğrenilen ders net +- [ ] "Yanlış çıkan kararım" örneği dürüst ve sistemik dersle hazır +- [ ] Container/K8s/CI-CD/Terraform temel kavramları trade-off ile anlatılabiliyor +- [ ] Debug yaklaşımı sistematik prova edildi (hipotez → ölç → daralt) +- [ ] Sistem tasarımında önce scope/kısıt sorma refleksi yerleşik +- [ ] Whiteboard/ekran paylaşımı ile düşünerek konuşma (think-aloud) çalışıldı +- [ ] Başvurulan şirket araştırıldı: ürün, engineering blog, son haberler, tech stack +- [ ] Mülakatçıya sorulacak en az 5 anlamlı soru hazır (on-call, teknik borç, ekip yapısı) +- [ ] CV'deki her satırı derinleşen takip sorusuna karşı savunabiliyorsun +- [ ] Production-like lab (kind/k3d/minikube) ile pratik yapıldı, eller kirlendi +- [ ] Maaş/seviye beklentisi ve müzakere aralığı önceden belirlendi +- [ ] Teknik ortam test edildi (kamera, mikrofon, IDE/terminal paylaşımı) — remote mülakat için +- [ ] "Bilmiyorum"u dürüstçe söyleyip nasıl öğrenirim ekleme refleksi prova edildi + +--- + ## 📚 Hazırlık kaynakları - [System Design Interview — Alex Xu] diff --git a/18-Career/SRE-Interview-Prep.md b/18-Career/SRE-Interview-Prep.md index 598dc5c..2742b17 100644 --- a/18-Career/SRE-Interview-Prep.md +++ b/18-Career/SRE-Interview-Prep.md 
@@ -223,6 +223,42 @@ Tek bir partition/shard tüm trafiği yiyor. --- +## 🚫 Mülakatta sık hatalar + +| Anti-pattern | Niye kötü | Doğru | +|---|---|---| +| SLO'yu rakamsız "yüksek availability" diye geçmek | Ölçülemez hedef = error budget yok = mühendislik yok | SLI seç, %99.9x koy, dakikaya/budget'a çevir | +| %100 availability hedeflemek | Imkansız + sonsuz maliyet, hiçbir deploy/risk alınamaz | Error budget kavramını savun: %99.95 yeter, kalanı hız için harca | +| Incident'te önce root-cause araştırmak | Müşteri down'ken dakikalar yanar, "mitigate first" ihlali | Önce rollback/mitigate, root-cause postmortem'e bırak | +| Alert'i acknowledge etmeden dalmak | Ekip "kimse bakıyor mu" panik yapar, çift müdahale | İlk hareket: acknowledge + severity + incident channel | +| Kapasiteyi linear ölçeklemek (5x trafik = 5x pod) | DB/cache/downstream pinch point'leri görmezden gelir | Bottleneck'i (genelde DB) tespit et, pre-scale + headroom | +| HPA'ya güvenip event'e reactive girmek | İlk dalga acı çeker, scale-up window'u geç kalır | Black Friday öncesi manuel pre-scale + pool pre-warm | +| Chaos'u staging'de bırakıp prod'a hiç sokmamak | Sadece prod'da çıkan hatalar yakalanmaz | Blast radius minimize (%1 traffic, off-hours) edip prod'da koştur | +| Toil'i "sıfırlayacağım" demek | Gerçekçi değil; yeni feature yeni toil yaratır | "Kontrol altına alırım" + ROI/payback ile önceliklendir | +| Retry'ı jitter'sız/limitsiz eklemek | Retry storm + thundering herd, cascade'i büyütür | Backoff + jitter + circuit breaker + load shedding | +| Cache miss'i request coalescing'siz bırakmak | 1000 pod aynı query'yi atar, DB çöker | Coalescing + stale-while-revalidate + early refresh | +| Postmortem'i kişi suçlamak için kullanmak | Blameless kültür kırılır, gerçek root-cause saklanır | Blameless: sistem/process eksiğine odaklan, action item çıkar | + +--- + +## 📋 Hazırlık adımları + +- [ ] Back-of-envelope matematik akıcı: RPS↔QPS, dakika↔budget, %99.9x→downtime çevirimini ezberle +- [ ] 
Bir SLO'yu uçtan uca tasarlayabiliyorum (SLI seç → SLO → SLA → multi-burn-rate alert → error budget policy) +- [ ] Incident response sıralamasını refleks haline getir: ack → severity → channel → recent-change → rollback → diagnosis → comms +- [ ] "Mitigate first, investigate later" prensibini bir örnekle anlatabiliyorum +- [ ] Capacity planning'de bottleneck-önce-DB yaklaşımını ve pre-scale gerekçesini sözel verebiliyorum +- [ ] Cascading failure çözümlerini (circuit breaker, bulkhead, backoff+jitter, load shedding) ezbere sayabiliyorum +- [ ] Thundering herd / hot spot kalıplarına en az 2'şer çözüm hazır +- [ ] Bir chaos experiment'i steady-state→hipotez→blast-radius→observe→iterate sırasıyla tasarlayabiliyorum +- [ ] Blameless postmortem yapısını (timeline, impact, root cause, action items) biliyorum +- [ ] En az 1 gerçek incident/proje hikayemi STAR formatında hazırladım (Situation-Task-Action-Result) +- [ ] 4 haftalık çalışma planındaki SRE Book + Workbook bölümlerini tamamladım +- [ ] En az 1 mock interview yaptım (peer ya da Pramp/Interviewing.io) +- [ ] kubectl rollout / HPA / k6 gibi araçların temel komutlarını canlı yazabiliyorum + +--- + ## 📚 Hazırlık kaynakları - *Site Reliability Engineering* — Google (ücretsiz online) diff --git a/18-Career/System-Design-Cheatsheet.md b/18-Career/System-Design-Cheatsheet.md index b5df001..d385d90 100644 --- a/18-Career/System-Design-Cheatsheet.md +++ b/18-Career/System-Design-Cheatsheet.md 
@@ -284,6 +284,27 @@ Eğer gerçekten gerekli: --- +## 📋 Checklist + +Mülakatta tasarımı sunmadan önce/sunarken işaretle — her madde sorulmadan kendin kapat: + +- [ ] **Requirements netleştirildi** — functional + non-functional (RPS, kullanıcı, SLO, bütçe) yazıldı; varsayım yapma, sor. +- [ ] **Somut sayı verildi** — "high scale" değil "10K RPS, 50M user, p99 < 500ms"; sayısız iddia zayıf görünür. +- [ ] **Her karar trade-off'lu** — "X çünkü Y, ama Z bedeli var"; alternatifsiz seçim olgunluk eksikliği sinyali. +- [ ] **Failure mode konuşuldu** — node/zone/region down, DB failover, cascade; sadece happy path tasarım eksiktir. +- [ ] **Availability hedefi tanımlı** — SLO + error budget; "%99.9 → 43 dk/ay down" gibi bütçeye çevir. +- [ ] **Veri katmanı düşünüldü** — replication, consistency (CAP), backup/restore, RTO/RPO; stateful en zor kısım. +- [ ] **Deploy stratejisi var** — canary/blue-green + rollback yolu; tasarım deploy edilemiyorsa eksik. +- [ ] **Observability planlandı** — metrics/logs/traces + alerting; gözlemlenemeyen sistem operasyonda kördür. +- [ ] **Güvenlik ele alındı** — secret yönetimi, network policy, least-privilege, image scan; sonradan eklenmez. +- [ ] **Maliyet tartışıldı** — compute/storage/egress kalemleri; mühendis maliyeti de tasarlar. +- [ ] **Operability söylendi** — on-call, runbook, game day; sistemi kim, nasıl işletecek? +- [ ] **Vendor lock-in görüldü** — kritik bağımlılık ve çıkış maliyeti açıkça not edildi. +- [ ] **Evolution çizildi** — bugün 1K RPS, yarın 100K → hangi bileşen önce kırılır, ne değişir? +- [ ] **Gizli değer placeholder** — gerçek IP/domain/credential yok; `` kullanıldı. + +--- + ## 📚 Devamı - [System Design Interview — Alex Xu] diff --git a/AUDIT.md b/AUDIT.md index cf926a3..e15d485 100644 --- a/AUDIT.md +++ b/AUDIT.md 
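Review bot: the Prometheus-Grafana-K8s-Setup anti-pattern table contradicts itself on NodePort: row 2 tells the reader not to expose Prometheus/AlertManager via NodePort, while row 6 (`helm upgrade` without current values) lists "NodePort/şifre/retention sıfırlanır" as customizations worth preserving. Either drop NodePort from row 6 or mark it as a lab-only setting so the table does not read as endorsing what it just forbade. In the same row, `helm get values ... > current.yaml` will dump the Grafana admin password into a plaintext file if it is still in values; since row 1 and the checklist move it to `admin.existingSecret`, say next to the command that the dump must be taken only after that move (and not committed).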
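Review bot: in the DevSecOps-Pipeline checklist, CI / PR block, the item "IaC scan (Checkov) `soft_fail: false` ile HIGH/CRITICAL ihlalleri bloklar" implies the flag does the severity filtering; `soft_fail: false` on its own fails the job on any failed check, regardless of severity. State how the HIGH/CRITICAL threshold is actually applied (which checks are skipped or hard-failed, and by what setting) so the item is verifiable, and keep it consistent with the later "Severity threshold tanımlı: LOW bulgular pipeline'ı KIRMIYOR" line.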
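Review bot: the SLI-SLO-Error-Budget hunk maps the burn-rate tiers two different ways: the anti-pattern row says the two windows (fast 14.4x + slow 6x) fire together, while the checklist routes 14.4x to page and 6x to ticket. A 6x burn rate exhausts a 30-day budget in about five days, which in the Google SRE Workbook scheme is still a page (on the 6h window); the ticket tier there is the 1x burn over 3 days. Pick one mapping and use it in both the table and the checklist, and name the window lengths alongside the multipliers so "fast" and "slow" are unambiguous.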
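Review bot: in the Cloud-Cost-Allocation checklist, "Anomaly & alarm" block, the inline code span for the alarm subscriber placeholder is empty ("ARN/endpoint `` ile parametrize"); if the intended token used angle brackets it has been stripped and the page will render two bare backticks. Use a placeholder token without angle brackets. One step up, "4 hafta üst üste untagged kalan durduruluyor" makes stopping a resource the automatic consequence of a missing tag; that is a destructive action, so the item should require the owner notification and grace period that the Showback block already implies before the stop happens.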
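Review bot: the SRE-Interview-Prep "Hazırlık adımları" checklist mixes voices: some items are imperative ("ezberle", "refleks haline getir", "hazır"), others first person ("tasarlayabiliyorum", "anlatabiliyorum", "hazırladım"). The neighbouring checklists added in this patch (DevOps-Interview-Questions, System-Design-Cheatsheet) keep one voice throughout; normalize this one to match.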
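Review bot: the last item of the System-Design-Cheatsheet checklist ("Gizli değer placeholder — gerçek IP/domain/credential yok; `` kullanıldı") has an empty inline code span where the placeholder token should be, the same defect as in Cloud-Cost-Allocation. Since this item is the one telling readers which token to use, it must show a real, renderable example; replace the empty span with a placeholder token that does not use angle brackets.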
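Review bot: the AUDIT.md §2 hunk that closes this patch says the corrected counts (7/125 anti-pattern, 13/125 checklist) were re-measured with Python but does not record the script or command, so the next audit pass cannot reproduce them; the earlier 1/125 figure was wrong precisely because the measuring loop was never checked. Add the one-liner (or its path under scripts/) to the correction note, and replace "~16 benzersiz dosya" with the exact number the measurement produced, since an approximate count next to two exact ones looks unmeasured.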
@@ -26,11 +26,19 @@ ## 2. CLAUDE.md Anatomi Uyumu -**Numaralı deep-dive'lar (125 dosya) — çok iyi durumda:** -- Anti-pattern tablosu eksik: **1 / 125** -- Checklist eksik: **1 / 125** - -→ Numaralı içerik anayasaya neredeyse tam uyumlu; Faz 3 burada **minimal**. (1'er sapan dosya Faz 3'te tek tek tespit edilip kapatılacak.) +**Numaralı deep-dive'lar (125 dosya) — büyük ölçüde uyumlu:** +- Anti-pattern tablosu eksik: **7 / 125** +- Checklist eksik: **13 / 125** + +> ⚠️ **Düzeltme:** İlk taramada "1/125" yazılmıştı; bu bir zsh word-splitting +> hatasının ürünüydü (döngü tek iterasyon koştu). Python ile yeniden ölçülen +> doğru rakamlar yukarıdadır. ~16 benzersiz dosya etkileniyor. + +→ İçeriğin %85+'i anatomiye uyumlu; Faz 3 eksik bölümleri (anti-pattern/checklist) +dosyanın gerçek konusuna dayalı, CLAUDE.md sesinde ekler (uydurma yok). +Kod-bloğu dil etiketi (`MD040`) CI'da zorunlu değil (`.markdownlint.jsonc: MD040 false`, +zaten markdownlint CI'dan çıkarılmış) → 511 etiketsiz fence (çoğu ASCII diyagram/ +tree/çıktı) bilinçli olarak değiştirilmedi. **Eski klasörler (RoadMap/System/Network/Ansible/Terraform/Kubectl) — anatomi YOK:** Bunlar saha notu / uzun rehber formatında; CLAUDE.md deep-dive iskeletini (epigraf, kavram tablosu, anti-pattern tablosu, checklist, kapanış) izlemiyor. Bilinçli mi (saha notu) yoksa dönüştürülecek mi → **§5 kararına bağlı**. From 67a9e0991a635fa0004a8ac5c3bdb32804b58c79 Mon Sep 17 00:00:00 2001 
From: halilibrahimd27 Date: Sun, 28 Jun 2026 01:30:13 +0300 Subject: [PATCH 08/10] =?UTF-8?q?docs(seo):=20Faz=206=20=E2=80=94=20SEO=20?= =?UTF-8?q?description=20frontmatter=20+=20link=20b=C3=BCt=C3=BCnl=C3=BC?= =?UTF-8?q?=C4=9F=C3=BC=20+=20eksik=20template'ler?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Discoverability (AUDIT.md §9):
- YAML frontmatter `description` added to 190 content files (MkDocs Material meta description; search + social-sharing preview). 0 skipped, content preserved. (folder-based 23-agent ultracode workflow; integrity: 0 missing/0 broken verified)
- Deliberately out of scope: tags frontmatter (no plugin → inert), bulk mermaid + cross-links (churn; ASCII diagrams + section indexes already provide navigation)
Link integrity (Phase 2 split artifacts + pre-existing):
- RoadMap/advanced/13-quickstart-30min.md: README.md → ../advanced-roadmap.md; the broken docs/troubleshooting.md link was turned into explanatory text
- 11-SRE/SLI-SLO-Error-Budget.md: prometheus-rules/ directory link → specific .yaml
- 18-Career/CV-Tips.md: (...) placeholder URL → placeholder
Missing templates (promised by 17-Templates/README but absent):
- 17-Templates/terraform/ (README + main.tf + variables.tf + outputs.tf — type-safe module skeleton with validation)
- 17-Templates/gitignore/ (per-stack .gitignore examples + anti-patterns)
Verification: `mkdocs build --strict` EXIT 0, 0 WARNING/ERROR; broken-link scan 0.
Co-Authored-By: Claude Opus 4.8 (1M context) --- 00-Culture/Blameless-Postmortem-Template.md | 4 + 00-Culture/DORA-SPACE-Metrics.md | 4 + 00-Culture/Documentation-Culture.md | 4 + 00-Culture/On-Call-Playbook.md | 4 + 00-Culture/README.md | 4 + 00-Culture/Team-Topologies.md | 4 + 01-Git-Workflow/Code-Review-Checklist.md | 3 + 01-Git-Workflow/Conventional-Commits.md | 3 + .../PR-Templates-and-Automation.md | 3 + 01-Git-Workflow/README.md | 3 + 01-Git-Workflow/Stacked-Diffs.md | 3 + 01-Git-Workflow/Trunk-Based-Development.md | 3 + 02-CI-CD/Caching-Strategies.md | 3 + 02-CI-CD/GitHub-Actions-Recipes.md | 3 + 02-CI-CD/GitLab-CI-Recipes.md | 3 + 02-CI-CD/Mobile-CICD-Flutter.md | 3 + 02-CI-CD/Pipeline-Patterns.md | 3 + 02-CI-CD/Pipeline-Performance.md | 3 + 02-CI-CD/README.md | 3 + 02-CI-CD/Reusable-Workflows.md | 3 + 03-IaC/Crossplane-Intro.md | 3 + 03-IaC/Drift-Detection.md | 3 + 03-IaC/OpenTofu-Migration.md | 3 + 03-IaC/Pulumi-vs-Terraform.md | 3 + 03-IaC/README.md | 3 + 03-IaC/Terraform-Best-Practices.md | 3 + 03-IaC/Terraform-Module-Layout.md | 3 + 04-Containers/BuildKit-Tips.md | 3 + 04-Containers/Container-vs-WASM.md | 3 + 04-Containers/Distroless-and-Chainguard.md | 3 + 04-Containers/Dockerfile-Best-Practices.md | 3 + 04-Containers/Image-Signing-Cosign.md | 3 + 04-Containers/Multi-Stage-Builds.md | 3 + 04-Containers/README.md | 3 + 05-Kubernetes/Debugging-Pods.md | 3 + 05-Kubernetes/HPA-VPA-KEDA.md | 3 + 05-Kubernetes/Multi-Tenancy-Patterns.md | 3 + 05-Kubernetes/Production-Checklist.md | 3 + 05-Kubernetes/README.md | 3 + 05-Kubernetes/Resource-Limits-Guide.md | 3 + 05-Kubernetes/Upgrade-Strategy.md | 3 + 06-GitOps/App-of-Apps-Pattern.md | 3 + 06-GitOps/ApplicationSet-Patterns.md | 3 + 06-GitOps/ArgoCD-Setup.md | 3 + 06-GitOps/Flux-vs-ArgoCD.md | 3 + 06-GitOps/Helm-vs-Kustomize-vs-Raw.md | 3 + 06-GitOps/README.md | 3 + 06-GitOps/Secrets-in-GitOps.md | 3 + 07-Observability/Alerting-Done-Right.md | 3 + 07-Observability/Logs-Loki-vs-ELK.md | 3 + 
07-Observability/OpenTelemetry-Adoption.md | 3 + 07-Observability/Profiling-with-Pyroscope.md | 3 + 07-Observability/Prometheus-Best-Practices.md | 3 + .../Prometheus-Grafana-K8s-Setup.md | 3 + 07-Observability/README.md | 3 + 07-Observability/SLO-Engineering.md | 3 + 07-Observability/Tracing-with-Tempo.md | 3 + 08-Security/Container-Image-Scanning.md | 3 + 08-Security/DevSecOps-Pipeline.md | 3 + 08-Security/Kubernetes-Hardening.md | 3 + 08-Security/Policy-as-Code-OPA-Kyverno.md | 3 + 08-Security/README.md | 3 + 08-Security/Runtime-Security.md | 3 + 08-Security/SLSA-and-SBOM.md | 3 + 08-Security/Secrets-Management.md | 3 + 08-Security/Threat-Modeling.md | 3 + 08-Security/Zero-Trust-Networking.md | 3 + 09-Networking/Cilium-eBPF-Intro.md | 3 + 09-Networking/DNS-Strategies.md | 3 + 09-Networking/Gateway-API-Migration.md | 3 + 09-Networking/Ingress-NGINX-Patterns.md | 3 + 09-Networking/Ingress-and-Gateway-API.md | 3 + 09-Networking/Network-Troubleshooting.md | 3 + 09-Networking/README.md | 3 + 09-Networking/Service-Mesh-Comparison.md | 3 + .../Backup-Restore-Patterns.md | 3 + 10-Databases-Production/Connection-Pooling.md | 3 + 10-Databases-Production/HA-Patroni-Stolon.md | 3 + .../Monitoring-Postgres.md | 3 + 10-Databases-Production/Operator-Patterns.md | 3 + .../Postgres-Production-Guide.md | 3 + 10-Databases-Production/README.md | 3 + .../StatefulSet-vs-Operator.md | 3 + .../Zero-Downtime-Migrations.md | 3 + 11-SRE/Capacity-Planning.md | 3 + 11-SRE/Chaos-Engineering.md | 3 + 11-SRE/Incident-Response.md | 3 + 11-SRE/Postmortem-Practice.md | 3 + 11-SRE/README.md | 3 + 11-SRE/Runbook-Template.md | 3 + 11-SRE/SLI-SLO-Error-Budget.md | 5 +- 11-SRE/Toil-Reduction.md | 3 + 12-FinOps/Cloud-Cost-Allocation.md | 3 + 12-FinOps/Egress-Cost-Reduction.md | 3 + 12-FinOps/Kubecost-Setup.md | 3 + 12-FinOps/PR-Cost-Diff.md | 3 + 12-FinOps/README.md | 3 + 12-FinOps/Reserved-and-Savings-Plans.md | 3 + 12-FinOps/Right-Sizing.md | 3 + 12-FinOps/Spot-Instance-Strategy.md | 3 + 
12-FinOps/Storage-Cost-Optimization.md | 3 + 13-Platform-Engineering/Backstage-Setup.md | 3 + 13-Platform-Engineering/Golden-Paths.md | 3 + .../Internal-Developer-Platform.md | 3 + .../Platform-as-Product.md | 3 + 13-Platform-Engineering/README.md | 3 + 13-Platform-Engineering/Service-Catalog.md | 3 + 14-Sustainability/Carbon-Aware-Computing.md | 3 + 14-Sustainability/Efficiency-Practices.md | 3 + .../Green-Software-Principles.md | 3 + .../Measuring-Software-Carbon.md | 3 + 14-Sustainability/README.md | 3 + 14-Sustainability/Region-Selection.md | 3 + 15-AI-LLMOps/AI-Augmented-Operations.md | 3 + 15-AI-LLMOps/LLM-in-Production.md | 3 + 15-AI-LLMOps/Model-Cost-Optimization.md | 3 + 15-AI-LLMOps/Prompt-Engineering-for-Ops.md | 3 + 15-AI-LLMOps/RAG-Architecture.md | 3 + 15-AI-LLMOps/README.md | 3 + 15-AI-LLMOps/Safety-and-Guardrails.md | 3 + 15-AI-LLMOps/Self-Hosted-LLM.md | 3 + 16-Cheatsheets/README.md | 3 + 16-Cheatsheets/aws-cli.md | 3 + 16-Cheatsheets/docker.md | 3 + 16-Cheatsheets/git.md | 3 + 16-Cheatsheets/helm.md | 3 + 16-Cheatsheets/kubectl.md | 3 + 16-Cheatsheets/linux-troubleshooting.md | 3 + 16-Cheatsheets/networking-tools.md | 3 + 16-Cheatsheets/terraform.md | 3 + 16-Cheatsheets/vim-survival.md | 3 + 17-Templates/README.md | 3 + 17-Templates/gitignore/README.md | 96 +++++++++++++++++++ 17-Templates/runbooks/postmortem-template.md | 3 + 17-Templates/runbooks/runbook-template.md | 3 + 17-Templates/terraform/README.md | 36 +++++++ 17-Templates/terraform/main.tf | 32 +++++++ 17-Templates/terraform/outputs.tf | 18 ++++ 17-Templates/terraform/variables.tf | 27 ++++++ 18-Career/CV-Tips.md | 5 +- 18-Career/DevOps-Interview-Questions.md | 3 + 18-Career/README.md | 3 + 18-Career/SRE-Interview-Prep.md | 3 + 18-Career/System-Design-Cheatsheet.md | 3 + 19-Compliance/Audit-Evidence-Automation.md | 3 + 19-Compliance/EU-AI-Act.md | 3 + 19-Compliance/GDPR-Engineering.md | 3 + 19-Compliance/ISO-27001-Controls.md | 3 + 19-Compliance/KVKK-Practical.md | 3 + 
19-Compliance/NIS2-Directive.md | 3 + 19-Compliance/PCI-DSS-4.md | 3 + 19-Compliance/README.md | 3 + 19-Compliance/SOC2-Type2-Prep.md | 3 + .../Documentation-as-Communication.md | 3 + 20-Soft-Skills/Mentoring-Junior-Engineers.md | 3 + 20-Soft-Skills/Oncall-Sustainability.md | 3 + 20-Soft-Skills/Postmortem-Conversation.md | 3 + 20-Soft-Skills/README.md | 3 + 20-Soft-Skills/Saying-No.md | 3 + 20-Soft-Skills/Stakeholder-Management.md | 3 + 20-Soft-Skills/Vendor-Management.md | 3 + 20-Soft-Skills/Working-with-Security-Team.md | 3 + 21-Field-Notes/README.md | 3 + .../ansible/ssh-connectivity-test.md | 3 + 21-Field-Notes/ansible/system-preparation.md | 3 + 21-Field-Notes/kubectl/cluster-passwords.md | 3 + .../kubectl/logging-elasticsearch.md | 3 + .../network-segmentation-wazuh-siem.md | 3 + .../system/devops-certification-roadmap.md | 3 + .../system/external-access-solutions.md | 3 + .../system/github-actions-pipeline-setup.md | 3 + .../system/inventory-management-example.md | 3 + .../system/kubernetes-cluster-installation.md | 3 + .../system/production-ready-repo-layout.md | 3 + 21-Field-Notes/terraform/modules-create-vm.md | 3 + .../terraform/proxmox-configuration.md | 3 + RoadMap/Modern-DevOps-2026.md | 3 + RoadMap/Planning.md | 3 + RoadMap/README.md | 3 + RoadMap/RoadMap.md | 3 + RoadMap/advanced-roadmap.md | 3 + RoadMap/advanced/00-prerequisites.md | 3 + RoadMap/advanced/01-aws-account-setup.md | 3 + RoadMap/advanced/02-terraform-iac.md | 3 + RoadMap/advanced/03-containerization.md | 3 + RoadMap/advanced/04-cicd-pipeline.md | 3 + RoadMap/advanced/05-kubernetes-advanced.md | 3 + RoadMap/advanced/06-observability.md | 3 + RoadMap/advanced/07-secrets-security.md | 3 + RoadMap/advanced/08-backup-dr.md | 3 + RoadMap/advanced/09-gitops-automation.md | 3 + RoadMap/advanced/10-cost-performance.md | 3 + .../advanced/11-documentation-processes.md | 3 + RoadMap/advanced/12-final-validation.md | 3 + RoadMap/advanced/13-quickstart-30min.md | 7 +- 195 files changed, 789 
insertions(+), 4 deletions(-) create mode 100644 17-Templates/gitignore/README.md create mode 100644 17-Templates/terraform/README.md create mode 100644 17-Templates/terraform/main.tf create mode 100644 17-Templates/terraform/outputs.tf create mode 100644 17-Templates/terraform/variables.tf diff --git a/00-Culture/Blameless-Postmortem-Template.md b/00-Culture/Blameless-Postmortem-Template.md index 1e3c0ae..54992c0 100644 --- a/00-Culture/Blameless-Postmortem-Template.md +++ b/00-Culture/Blameless-Postmortem-Template.md @@ -1,3 +1,7 @@ +--- +description: "Suçlamayan (blameless) postmortem felsefesi ve şablonu: neden blameless, blameful/blameless ton karşılaştırması, dolu örnek ve kontrol listesi." +--- + # Blameless Postmortem — Felsefe ve Şablon > *"Blameless" = "Suçsuz" değil; **suçlamayan**. Sistem hatasını diff --git a/00-Culture/DORA-SPACE-Metrics.md b/00-Culture/DORA-SPACE-Metrics.md index 9ba5770..aa50ba4 100644 --- a/00-Culture/DORA-SPACE-Metrics.md +++ b/00-Culture/DORA-SPACE-Metrics.md @@ -1,3 +1,7 @@ +--- +description: "Mühendislik performansı için iki çerçeve: DORA 4 delivery metriği (deploy sıklığı, lead time, MTTR, change failure) ve bütünsel SPACE modeli." +--- + # DORA & SPACE — Mühendislik Performansı Metrikleri > *"Ölçmediğin şeyi iyileştiremezsin; ama yanlış ölçtüğün şey ekibini boğar."* diff --git a/00-Culture/Documentation-Culture.md b/00-Culture/Documentation-Culture.md index 567a7da..b6060b7 100644 --- a/00-Culture/Documentation-Culture.md +++ b/00-Culture/Documentation-Culture.md @@ -1,3 +1,7 @@ +--- +description: "Right-sized, role-targeted dokümantasyon kültürü: 4 katmanlı hiyerarşi (README, RFC, ADR, runbook) ve doc rotting'e karşı pratik stratejiler." +--- + # Documentation Culture > *"Dokümante etmediğin sistem, sadece sen anlıyor; bus factor 1; sen diff --git a/00-Culture/On-Call-Playbook.md b/00-Culture/On-Call-Playbook.md index 31e908d..a1b0fef 100644 --- a/00-Culture/On-Call-Playbook.md +++ b/00-Culture/On-Call-Playbook.md 
@@ -1,3 +1,7 @@ +--- +description: "Sağlıklı on-call rotation kurma rehberi: primary/secondary roller, alert hijyeni, devir-teslim, eskalasyon ve sürdürülebilir nöbet pratikleri." +--- + # On-Call Playbook > *"Sağlıklı on-call: 7 gün boyunca rotation'da olduğunda **2 kez bile diff --git a/00-Culture/README.md b/00-Culture/README.md index 413bbb6..3c2ba99 100644 --- a/00-Culture/README.md +++ b/00-Culture/README.md @@ -1,3 +1,7 @@ +--- +description: "DevOps kültürü referans klasörünün indeksi: blameless postmortem, on-call playbook, DORA/SPACE metrikleri, Team Topologies ve dokümantasyon kültürü." +--- + # 00 · DevOps Kültürü > *"En zor problem, kodun değil; insanların problemidir."* diff --git a/00-Culture/Team-Topologies.md b/00-Culture/Team-Topologies.md index 9173651..89bed62 100644 --- a/00-Culture/Team-Topologies.md +++ b/00-Culture/Team-Topologies.md @@ -1,3 +1,7 @@ +--- +description: "Skelton & Pais'in Team Topologies kitabından damıtılmış 4 takım türü (stream-aligned, enabling, complicated-subsystem, platform) ve etkileşim modları rehberi." +--- + # Team Topologies — Ekip Yapısı Olarak Mühendislik > *Conway's Law: "Sistemler, tasarlayan organizasyonların iletişim diff --git a/01-Git-Workflow/Code-Review-Checklist.md b/01-Git-Workflow/Code-Review-Checklist.md index 0deb0d3..668ca1f 100644 --- a/01-Git-Workflow/Code-Review-Checklist.md +++ b/01-Git-Workflow/Code-Review-Checklist.md @@ -1,3 +1,6 @@ +--- +description: "Code review'i bilgi paylaşımı ve kalite aracına çeviren pratikler: review'ın 3 amacı, nit/blocker/question kategori sistemi, reviewer ve author rehberi." +--- # Code Review Checklist — İyi Review, İyi Reviewer > *"PR'a 'LGTM' yazıp geçmek review değildir; **kontroldür**. diff --git a/01-Git-Workflow/Conventional-Commits.md b/01-Git-Workflow/Conventional-Commits.md index 0cc2325..2eb432a 100644 --- a/01-Git-Workflow/Conventional-Commits.md +++ b/01-Git-Workflow/Conventional-Commits.md 
@@ -1,3 +1,6 @@ +--- +description: "Conventional Commits 1.0 spec: feat/fix/chore commit formatı, niye işe yaradığı ve CI'da nasıl enforce edileceği; otomatik changelog ve semver bump'ın temeli." +--- # Conventional Commits — Disiplinli Commit Mesajları > *"`fix typo lol` mesajı olan bir commit, 6 ay sonra hangi bug'ın diff --git a/01-Git-Workflow/PR-Templates-and-Automation.md b/01-Git-Workflow/PR-Templates-and-Automation.md index 7876ec2..04904cf 100644 --- a/01-Git-Workflow/PR-Templates-and-Automation.md +++ b/01-Git-Workflow/PR-Templates-and-Automation.md @@ -1,3 +1,6 @@ +--- +description: "GitHub'da PR hijyeni: PR template, otomatik label, semantic-pr-action, commit doğrulama, CODEOWNERS ve Renovate/Dependabot ile PR trafiğini otomasyona bağlama." +--- # PR Templates & Automation — PR'ları Standart, Hızlı, İzlenebilir Yap > *"Her PR description boş, label yok, link yok, checklist yok → diff --git a/01-Git-Workflow/README.md b/01-Git-Workflow/README.md index 3cdbf07..9cf6113 100644 --- a/01-Git-Workflow/README.md +++ b/01-Git-Workflow/README.md @@ -1,3 +1,6 @@ +--- +description: "Modern Git iş akışı rehberi indeksi: trunk-based development, conventional commits, code review, stacked diffs ve PR otomasyonu; 2026 branching stack'i." +--- # 01 · Git Workflow > *"Branch'lerin yaşam süresi, bug'ların yaşam süresine eşittir."* diff --git a/01-Git-Workflow/Stacked-Diffs.md b/01-Git-Workflow/Stacked-Diffs.md index b441241..2d2f179 100644 --- a/01-Git-Workflow/Stacked-Diffs.md +++ b/01-Git-Workflow/Stacked-Diffs.md @@ -1,3 +1,6 @@ +--- +description: "Stacked diffs pattern: büyük feature'ı küçük ve gerçekten review edilebilir PR'lara bölme; Graphite, Sapling veya manuel branch chain ile araç ve workflow." +--- # Stacked Diffs — Büyük Feature'ı Küçük PR'lara Bölme > *"3000 satırlık PR'ı 'review et' demek, mühendisin **gözünü diff --git a/01-Git-Workflow/Trunk-Based-Development.md b/01-Git-Workflow/Trunk-Based-Development.md index 3d8f23d..4ed5a57 100644 
--- a/01-Git-Workflow/Trunk-Based-Development.md +++ b/01-Git-Workflow/Trunk-Based-Development.md @@ -1,3 +1,6 @@ +--- +description: "Git Flow yerine trunk-based development: kısa ömürlü feature branch, feature flag ve güvenli prod deploy ile main üzerinde hızlı ve güvenli geliştirme rehberi." +--- # Trunk-Based Development — Hızın ve Güvenliğin Buluştuğu Yer > *"Branch'iniz 3 gün yaşıyorsa kötü; 3 hafta yaşıyorsa felaket; diff --git a/02-CI-CD/Caching-Strategies.md b/02-CI-CD/Caching-Strategies.md index 484240b..f0c84ee 100644 --- a/02-CI-CD/Caching-Strategies.md +++ b/02-CI-CD/Caching-Strategies.md @@ -1,3 +1,6 @@ +--- +description: "CI/CD cache katmanlari rehberi: dependency, build, Docker layer ve test result cache stratejileri somut config ornekleriyle; pipeline'i dakikalara indirir." +--- # Caching Strategies — Build, Test, Deploy Cache > *"Cache hit %0 = 'biz yeni başlıyoruz' demek. Production CI'da diff --git a/02-CI-CD/GitHub-Actions-Recipes.md b/02-CI-CD/GitHub-Actions-Recipes.md index 101f567..657a1f9 100644 --- a/02-CI-CD/GitHub-Actions-Recipes.md +++ b/02-CI-CD/GitHub-Actions-Recipes.md @@ -1,3 +1,6 @@ +--- +description: "GitHub Actions production tarifleri: OIDC cloud auth, matrix build, reusable workflow, caching ve secret yonetimi somut YAML ornekleriyle anlatilir." +--- # GitHub Actions Recipes — Production Tarifleri > *"GitHub Actions YAML 'magic' değil — **disiplin**. Reusable diff --git a/02-CI-CD/GitLab-CI-Recipes.md b/02-CI-CD/GitLab-CI-Recipes.md index 2abfcf1..12067c5 100644 --- a/02-CI-CD/GitLab-CI-Recipes.md +++ b/02-CI-CD/GitLab-CI-Recipes.md @@ -1,3 +1,6 @@ +--- +description: "GitLab CI/CD pratik tarifleri: DAG pipeline, dynamic child, multi-project trigger ve OIDC AWS auth; monorepo dostu DAG-native kullanim anlatilir." +--- # GitLab CI Recipes — DAG, Dynamic Child, Multi-Project > *"GitLab CI 'GitHub Actions klonu' değil — **DAG-native** + **monorepo 
diff --git a/02-CI-CD/Mobile-CICD-Flutter.md b/02-CI-CD/Mobile-CICD-Flutter.md index 2c62960..62c5f57 100644 --- a/02-CI-CD/Mobile-CICD-Flutter.md +++ b/02-CI-CD/Mobile-CICD-Flutter.md @@ -1,3 +1,6 @@ +--- +description: "Flutter CI/CD icin komple checklist: hesaplar, Android/iOS gereksinimleri, Firebase, GitHub kurulumu, kod tarafi duzenlemeler ve toplam maliyet hesabi." +--- # Flutter CI/CD için Gerekli Tüm Şeyler - Komple Checklist ## 📑 İçindekiler diff --git a/02-CI-CD/Pipeline-Patterns.md b/02-CI-CD/Pipeline-Patterns.md index 98ff133..6f6b833 100644 --- a/02-CI-CD/Pipeline-Patterns.md +++ b/02-CI-CD/Pipeline-Patterns.md @@ -1,3 +1,6 @@ +--- +description: "CI/CD pipeline patternleri: lint, test, security scan, build, image scan, imzalama, SBOM ve GitOps promote adimlarinin sirali katmanlama referansi." +--- # CI/CD Pipeline Patterns > *"Pipeline'ın 10 dakika sürüyorsa ekip 'bekleyim de bir kahve içeyim' diff --git a/02-CI-CD/Pipeline-Performance.md b/02-CI-CD/Pipeline-Performance.md index 6728c9f..c15ccf0 100644 --- a/02-CI-CD/Pipeline-Performance.md +++ b/02-CI-CD/Pipeline-Performance.md @@ -1,3 +1,6 @@ +--- +description: "CI pipeline optimizasyonu: caching, parallelization, selective testing ve runner secimi teknikleriyle 30 dakikalik CI'yi 90 saniyeye indirme protokolu." +--- # Pipeline Performance — "10 Dakikalık CI"yi 90 Saniyeye İndir > *"CI 30 dakika sürüyorsa, mühendislerin yarısı PR açtıktan diff --git a/02-CI-CD/README.md b/02-CI-CD/README.md index db3a5d0..acce2a7 100644 --- a/02-CI-CD/README.md +++ b/02-CI-CD/README.md @@ -1,3 +1,6 @@ +--- +description: "CI/CD bolumu indeksi: pipeline patternleri, GitHub Actions ve GitLab CI tarifleri, caching, reusable workflow ve yavas CI tedavi protokolleri." +--- # 02 · CI/CD > *"Her commit deploy edilebilir olmalı; her deploy reversible olmalı."* diff --git a/02-CI-CD/Reusable-Workflows.md b/02-CI-CD/Reusable-Workflows.md index a05d0a2..4634726 100644 --- a/02-CI-CD/Reusable-Workflows.md 
+++ b/02-CI-CD/Reusable-Workflows.md @@ -1,3 +1,6 @@ +--- +description: "GitHub Actions reusable workflow ve composite action ile org-wide CI/CD standardizasyonu: step, job ve workflow seviyesinde soyutlama pratikleri." +--- # Reusable Workflows — Org-Wide Template > *"50 repo, 50 farklı CI workflow YAML. Bug 1 yerde fix → 50 repo diff --git a/03-IaC/Crossplane-Intro.md b/03-IaC/Crossplane-Intro.md index 4ec4609..42e31bb 100644 --- a/03-IaC/Crossplane-Intro.md +++ b/03-IaC/Crossplane-Intro.md @@ -1,3 +1,6 @@ +--- +description: "Crossplane ile cloud resource'ları K8s CRD olarak yönetme rehberi: continuous reconciliation, Terraform farkı, Composition pattern ve GitOps native." +--- # Crossplane — K8s API ile Cloud Resource Yönet > *"Terraform'un imperative `apply` döngüsü değil, K8s'in **continuous diff --git a/03-IaC/Drift-Detection.md b/03-IaC/Drift-Detection.md index 488611e..30bfc58 100644 --- a/03-IaC/Drift-Detection.md +++ b/03-IaC/Drift-Detection.md @@ -1,3 +1,6 @@ +--- +description: "Terraform/OpenTofu drift detection rehberi: Git ile cloud arasındaki farkı sürekli yakalama, otomasyon, alarm ve remediation pattern'leri somut araçlarla." +--- # Drift Detection — Git'te Yazan ile Cloud'da Olan Arasındaki Fark > *"Console'dan tıklayarak EBS değiştirdin, Terraform bilmiyor. **Drift**. diff --git a/03-IaC/OpenTofu-Migration.md b/03-IaC/OpenTofu-Migration.md index 4dd8d43..08edaa5 100644 --- a/03-IaC/OpenTofu-Migration.md +++ b/03-IaC/OpenTofu-Migration.md @@ -1,3 +1,6 @@ +--- +description: "Terraform'dan OpenTofu'ya geçiş rehberi: HashiCorp BSL license sorunu, MPL 2.0 forku, uyumluluk farkları ve 2026'da neye geçilmeli sorusunun pratik cevabı." +--- # OpenTofu Migration — Terraform'dan Bağımsız Olmak > *"HashiCorp 2023 Ağustos'ta Terraform license'ını BSL'e değiştirdi. diff --git a/03-IaC/Pulumi-vs-Terraform.md b/03-IaC/Pulumi-vs-Terraform.md index 9f928d2..f8ea71b 100644 --- a/03-IaC/Pulumi-vs-Terraform.md +++ b/03-IaC/Pulumi-vs-Terraform.md 
@@ -1,3 +1,6 @@ +--- +description: "Pulumi ile Terraform/OpenTofu karşılaştırması: HCL'e karşı Python/Go/TS gibi genel amaçlı diller, hangi durumda hangisinin tercih edildiği ve geçiş stratejisi." +--- # Pulumi vs Terraform — General-Purpose Lang vs HCL > *"Terraform: HCL, deklaratif, IaC için optimize. Pulumi: Python/Go/TS, diff --git a/03-IaC/README.md b/03-IaC/README.md index 801185a..178c7e2 100644 --- a/03-IaC/README.md +++ b/03-IaC/README.md @@ -1,3 +1,6 @@ +--- +description: "Infrastructure as Code bölüm indeksi: Terraform best practices, module layout, OpenTofu migration, Pulumi, Crossplane, drift detection ve IaC karar ağacı." +--- # 03 · Infrastructure as Code > *"Console'dan tıklayarak kurduğun bir kaynak, bir gün biri tarafından diff --git a/03-IaC/Terraform-Best-Practices.md b/03-IaC/Terraform-Best-Practices.md index 760c99d..209287c 100644 --- a/03-IaC/Terraform-Best-Practices.md +++ b/03-IaC/Terraform-Best-Practices.md @@ -1,3 +1,6 @@ +--- +description: "Terraform/OpenTofu 2026 production rehberi: remote state, versiyonlu module, PR'da plan, manuel apply, for_each, sensitive marking ve sürekli drift izleme." +--- # Terraform Best Practices > *"Terraform `apply -auto-approve` insanlığın en pahalı klavye diff --git a/03-IaC/Terraform-Module-Layout.md b/03-IaC/Terraform-Module-Layout.md index feaf23d..be0ab61 100644 --- a/03-IaC/Terraform-Module-Layout.md +++ b/03-IaC/Terraform-Module-Layout.md @@ -1,3 +1,6 @@ +--- +description: "Terraform/OpenTofu repo yapısı ve module tasarımı rehberi: mono/multi repo modelleri, vpc/eks/rds modül iskeleti, versioning ve composition pattern örnekleri." +--- # Terraform Module Layout — Repo Yapısı + Module Tasarımı > *"50 service için tek `main.tf` 5000 satır oldu. **Module yok**, diff --git a/04-Containers/BuildKit-Tips.md b/04-Containers/BuildKit-Tips.md index 6a686ee..8a7c396 100644 --- a/04-Containers/BuildKit-Tips.md +++ b/04-Containers/BuildKit-Tips.md 
@@ -1,3 +1,6 @@ +--- +description: "BuildKit'in modern Docker build feature'lari: cache mount, secret mount, multi-platform ve frontend syntax. Somut Dockerfile ornekleriyle anlatim." +--- # BuildKit Tips — Modern Docker Build > *"Docker 18.09'tan beri BuildKit var, 2024'te default. Hâlâ diff --git a/04-Containers/Container-vs-WASM.md b/04-Containers/Container-vs-WASM.md index f893163..61b4dfd 100644 --- a/04-Containers/Container-vs-WASM.md +++ b/04-Containers/Container-vs-WASM.md @@ -1,3 +1,6 @@ +--- +description: "WebAssembly (WASM) ve WASI'nin server-side runtime olarak container'a gore avantaj/dezavantajlari ve 2026'da ne zaman tercih edilecegi." +--- # Container vs WASM — Yeni Runtime Geliyor mu? > *"Container 2014'te 'VM'i öldürdü' iddiasıyla geldi; bugün VM hâlâ diff --git a/04-Containers/Distroless-and-Chainguard.md b/04-Containers/Distroless-and-Chainguard.md index 5477e1e..637e858 100644 --- a/04-Containers/Distroless-and-Chainguard.md +++ b/04-Containers/Distroless-and-Chainguard.md @@ -1,3 +1,6 @@ +--- +description: "Distroless ve Chainguard image'lari, niye 2026 standardi olduklari, base image CVE karsilastirmasi, migration stratejisi ve trade-off'lar uzerine pratik rehber." +--- # Distroless & Chainguard — 0-CVE Image Stratejisi > *"Ubuntu base = 100+ CVE, daily. Alpine = ~30 CVE. Distroless = diff --git a/04-Containers/Dockerfile-Best-Practices.md b/04-Containers/Dockerfile-Best-Practices.md index d84feaa..52e9384 100644 --- a/04-Containers/Dockerfile-Best-Practices.md +++ b/04-Containers/Dockerfile-Best-Practices.md @@ -1,3 +1,6 @@ +--- +description: "Build hizi, imaj boyutu ve guvenligi iyilestiren 20 maddelik Dockerfile best practice listesi: multi-stage, layer/cache ve least privilege." +--- # Dockerfile Best Practices — 20 Madde > *"Imaj ne kadar küçük olursa o kadar güvenli, o kadar hızlı, o kadar diff --git a/04-Containers/Image-Signing-Cosign.md b/04-Containers/Image-Signing-Cosign.md index 3a11391..5652ab5 100644 
--- a/04-Containers/Image-Signing-Cosign.md +++ b/04-Containers/Image-Signing-Cosign.md @@ -1,3 +1,6 @@ +--- +description: "Container imaj imzalamayi Cosign keyless OIDC ile production'da kurma: tehdit modeli, adimlar, GitHub Actions ve admission verification." +--- # Image Signing — Cosign + Keyless OIDC > *"İmajını imzalamadan registry'ye push'lamak, 'kim koymuş bilemem' diff --git a/04-Containers/Multi-Stage-Builds.md b/04-Containers/Multi-Stage-Builds.md index 4d16c4a..08288b0 100644 --- a/04-Containers/Multi-Stage-Builds.md +++ b/04-Containers/Multi-Stage-Builds.md @@ -1,3 +1,6 @@ +--- +description: "Multi-stage Docker build pattern'leri ve anti-pattern'leri: builder/runner ayrimi, dil-spesifik ornekler ve cache optimizasyonu ile imaji 10x kucultme rehberi." +--- # Multi-Stage Builds — Küçük, Güvenli, Hızlı Image > *"Tek-stage Dockerfile = build araçları + runtime aynı image'da. diff --git a/04-Containers/README.md b/04-Containers/README.md index 285d6cd..dc79b1b 100644 --- a/04-Containers/README.md +++ b/04-Containers/README.md @@ -1,3 +1,6 @@ +--- +description: "Container imajlarini hizli, kucuk ve guvenli yapmak icin 2026 referansi: Dockerfile best practices, multi-stage, distroless, BuildKit ve Cosign imzalama." +--- # 04 · Containers > *"Son commit-image-deploy döngüsünü 90 saniyede yapamayan ekip, diff --git a/05-Kubernetes/Debugging-Pods.md b/05-Kubernetes/Debugging-Pods.md index cba56ea..805563b 100644 --- a/05-Kubernetes/Debugging-Pods.md +++ b/05-Kubernetes/Debugging-Pods.md @@ -1,3 +1,6 @@ +--- +description: "Pod-level debugging rehberi: kubectl describe/logs, ephemeral container, distroless image debug, CrashLoopBackOff ve OOMKilled gibi yaygin senaryolar." +--- # Debugging Pods — `kubectl debug`, ephemeral, exec rehberi > *"`kubectl logs` çıktı vermiyor, pod CrashLoopBackOff. Production'da diff --git a/05-Kubernetes/HPA-VPA-KEDA.md b/05-Kubernetes/HPA-VPA-KEDA.md index 2008879..caee1a4 100644 --- a/05-Kubernetes/HPA-VPA-KEDA.md 
+++ b/05-Kubernetes/HPA-VPA-KEDA.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes autoscaling rehberi: HPA (pod sayisi), VPA (pod resource) ve KEDA (event-driven) karsilastirmasi, hangi senaryoda hangisi ve birlikte calisma." +--- # HPA, VPA, KEDA — K8s Autoscaling Tam Rehber > *"3 farklı autoscaler, 3 farklı niche. HPA: pod sayısı CPU'ya göre. diff --git a/05-Kubernetes/Multi-Tenancy-Patterns.md b/05-Kubernetes/Multi-Tenancy-Patterns.md index b637386..a3b0969 100644 --- a/05-Kubernetes/Multi-Tenancy-Patterns.md +++ b/05-Kubernetes/Multi-Tenancy-Patterns.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes multi-tenancy modelleri: soft (namespace + RBAC), hard, vCluster ve cluster-per-tenant; izolasyon, maliyet ve kullanim karsilastirmasi." +--- # Multi-Tenancy Patterns — Soft, Hard, Hibrit > *"Tek cluster + 10 ekip. 'Her ekip kendi namespace'i' diyen ekip, diff --git a/05-Kubernetes/Production-Checklist.md b/05-Kubernetes/Production-Checklist.md index 5793e58..738d125 100644 --- a/05-Kubernetes/Production-Checklist.md +++ b/05-Kubernetes/Production-Checklist.md @@ -1,3 +1,6 @@ +--- +description: "50 maddelik Kubernetes prod-readiness checklist: workload tasarimi, resource, security, reliability/HA, observability ve operations/GitOps eksenleri." +--- # Kubernetes Production Checklist > *"`kubectl apply -f` çalıştı diye production'da çalışıyor demek değil."* diff --git a/05-Kubernetes/README.md b/05-Kubernetes/README.md index 2468c76..b996a9e 100644 --- a/05-Kubernetes/README.md +++ b/05-Kubernetes/README.md @@ -1,3 +1,6 @@ +--- +description: "Production Kubernetes referans seti icindekiler: prod-readiness checklist, resource limitleri, HPA/VPA/KEDA, multi-tenancy, upgrade stratejisi ve pod debugging." +--- # 05 · Kubernetes > *"`kubectl apply -f` çalıştı diye production'da işliyor demek diff --git a/05-Kubernetes/Resource-Limits-Guide.md b/05-Kubernetes/Resource-Limits-Guide.md index a2f525b..0513e22 100644 --- a/05-Kubernetes/Resource-Limits-Guide.md 
+++ b/05-Kubernetes/Resource-Limits-Guide.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes resource yonetimi rehberi: requests vs limits farki, QoS class'lari, OOMKilled davranisi ve dogru CPU/memory sayilarinin nasil bulunacagi." +--- # Resource Limits Guide — Request, Limit, QoS > *"`requests: 100m, limits: 2000m` setlemenin ne anlamı geldiğini diff --git a/05-Kubernetes/Upgrade-Strategy.md b/05-Kubernetes/Upgrade-Strategy.md index bde5894..323ae1b 100644 --- a/05-Kubernetes/Upgrade-Strategy.md +++ b/05-Kubernetes/Upgrade-Strategy.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes cluster'i zero-downtime upgrade rehberi: release cycle, upgrade disiplini, rollback, deprecated API gecisi, managed vs self-managed farklari." +--- # Kubernetes Upgrade Strategy — Zero-Downtime Versiyon Migration > *"K8s 4 ayda bir minor versiyon yayınlar. Skip eden ekip 1 yılda diff --git a/06-GitOps/App-of-Apps-Pattern.md b/06-GitOps/App-of-Apps-Pattern.md index 7325615..6dfeefd 100644 --- a/06-GitOps/App-of-Apps-Pattern.md +++ b/06-GitOps/App-of-Apps-Pattern.md @@ -1,3 +1,6 @@ +--- +description: "App-of-Apps pattern: ArgoCD'yi tek bir root Application ile bootstrap edip kendi kendini yöneten self-managed GitOps akışına dönüştürme rehberi." +--- # App-of-Apps Pattern — ArgoCD'yi Kendi Kendinden Yönet > *"ArgoCD'yi `helm install` ile manuel kuran ekip, bir gün diff --git a/06-GitOps/ApplicationSet-Patterns.md b/06-GitOps/ApplicationSet-Patterns.md index 3fafda7..7108fe2 100644 --- a/06-GitOps/ApplicationSet-Patterns.md +++ b/06-GitOps/ApplicationSet-Patterns.md @@ -1,3 +1,6 @@ +--- +description: "ArgoCD ApplicationSet ile multi-cluster ve multi-tenant GitOps: cluster, git, matrix, list ve SCM generator türleriyle Application factory kurma." +--- # ApplicationSet — Multi-Cluster ve Multi-Tenant GitOps > *"5 cluster, 3 environment, 50 servis = 750 ArgoCD Application diff --git a/06-GitOps/ArgoCD-Setup.md b/06-GitOps/ArgoCD-Setup.md index 6331753..b8cd35f 100644 
--- a/06-GitOps/ArgoCD-Setup.md +++ b/06-GitOps/ArgoCD-Setup.md @@ -1,3 +1,6 @@ +--- +description: "ArgoCD'yi sıfırdan production-grade kurma rehberi: HA, SSO, RBAC, AppProject, notification ve ApplicationSet ile multi-cluster pull-based GitOps." +--- # ArgoCD Setup — Production-Grade GitOps Kurulumu > *"GitOps demek, cluster'da olan ile Git'te yazan **arasında fark diff --git a/06-GitOps/Flux-vs-ArgoCD.md b/06-GitOps/Flux-vs-ArgoCD.md index 68c45b4..df064a9 100644 --- a/06-GitOps/Flux-vs-ArgoCD.md +++ b/06-GitOps/Flux-vs-ArgoCD.md @@ -1,3 +1,6 @@ +--- +description: "Flux ve ArgoCD GitOps araçlarının 2026 karşılaştırması: felsefe, UI, multi-cluster, Helm/Kustomize desteği ve hangi senaryoda hangisi tercih edilir." +--- # Flux vs ArgoCD — GitOps Tool Karar Rehberi > *"İki tool da CNCF Graduated, ikisi de production-ready, ikisi de diff --git a/06-GitOps/Helm-vs-Kustomize-vs-Raw.md b/06-GitOps/Helm-vs-Kustomize-vs-Raw.md index 8c92b50..13d9d27 100644 --- a/06-GitOps/Helm-vs-Kustomize-vs-Raw.md +++ b/06-GitOps/Helm-vs-Kustomize-vs-Raw.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes manifest stratejisi: Helm, Kustomize ve Raw YAML yaklaşımlarının templating, multi-env ve reusability ekseninde karar ağacı ve karşılaştırması." +--- # Helm vs Kustomize vs Raw YAML — Manifest Stratejisi Karar Rehberi > *"Üç araç, üç farklı felsefe. Yanlış seçim 6 ay sonra 'her şeyi diff --git a/06-GitOps/README.md b/06-GitOps/README.md index b447cc8..025e9a5 100644 --- a/06-GitOps/README.md +++ b/06-GitOps/README.md @@ -1,3 +1,6 @@ +--- +description: "GitOps bölümü indeksi: ArgoCD, Flux, ApplicationSet, App-of-Apps, Helm/Kustomize ve secret yönetimi rehberlerine bağlantılar ve OpenGitOps prensipleri." +--- # 06 · GitOps > *"Cluster'ında ne çalıştığını öğrenmek için `kubectl get` kullanan ekip, diff --git a/06-GitOps/Secrets-in-GitOps.md b/06-GitOps/Secrets-in-GitOps.md index 04f4e80..70c8552 100644 --- a/06-GitOps/Secrets-in-GitOps.md +++ b/06-GitOps/Secrets-in-GitOps.md 
@@ -1,3 +1,6 @@ +--- +description: "GitOps'ta secret yönetimi: Sealed Secrets, SOPS, External Secrets Operator ve ArgoCD Vault Plugin karşılaştırması; Git'te şifreli, cluster'da çözük." +--- # Secrets in GitOps — Git'e Sır Koyabilir misin? > *"GitOps 'her şey Git'te' der. Sırlar da. Ama **plaintext değil** — diff --git a/07-Observability/Alerting-Done-Right.md b/07-Observability/Alerting-Done-Right.md index 5acb9ad..239cb19 100644 --- a/07-Observability/Alerting-Done-Right.md +++ b/07-Observability/Alerting-Done-Right.md @@ -1,3 +1,6 @@ +--- +description: "Symptom-based, actionable ve az sayida alarm tasarlama rehberi: alarmin 3 sarti, cause vs symptom ayrimi, alert fatigue, runbook ve alert review pratikleri." +--- # Alerting Done Right — Symptom-Based, Actionable, Az > *"50 alarm/gün gelen ekibin SRE'si **bağışıklık** geliştirir. diff --git a/07-Observability/Logs-Loki-vs-ELK.md b/07-Observability/Logs-Loki-vs-ELK.md index 5bd5a8a..2f00f29 100644 --- a/07-Observability/Logs-Loki-vs-ELK.md +++ b/07-Observability/Logs-Loki-vs-ELK.md @@ -1,3 +1,6 @@ +--- +description: "Loki ve ELK (Elasticsearch + Logstash + Kibana) log stack karsilastirmasi: indexleme felsefesi, depolama maliyeti, sorgu desenleri ve Wazuh entegrasyonu." +--- # Logs — Loki vs ELK Stack > *"Log stack 'yıllarca aynı' kaldı (ELK), 2020'de Loki geldi — diff --git a/07-Observability/OpenTelemetry-Adoption.md b/07-Observability/OpenTelemetry-Adoption.md index 3562933..f5b577b 100644 --- a/07-Observability/OpenTelemetry-Adoption.md +++ b/07-Observability/OpenTelemetry-Adoption.md @@ -1,3 +1,6 @@ +--- +description: "OpenTelemetry (OTel) ile vendor-neutral observability: tek SDK ve OTLP protokolu, Collector mimarisi, auto-correlation ve semantic conventions ile vendor bagimliligini kaldirma." +--- # OpenTelemetry Adoption — Vendor-Neutral Observability > *"Datadog SDK + Prometheus client + Loki driver hep aynı bilgiyi 
diff --git a/07-Observability/Profiling-with-Pyroscope.md b/07-Observability/Profiling-with-Pyroscope.md index 807a217..0760db6 100644 --- a/07-Observability/Profiling-with-Pyroscope.md +++ b/07-Observability/Profiling-with-Pyroscope.md @@ -1,3 +1,6 @@ +--- +description: "Continuous profiling rehberi: gozlemlenebilirligin 4. ayagi olarak Pyroscope, eBPF tabanli auto-profiling, flame graph analizi ve production'da line-level performans tespiti." +--- # Continuous Profiling — Pyroscope, eBPF Profiling > *"Trace 'hangi span yavaş' söyler; profiling **hangi line yavaş** diff --git a/07-Observability/Prometheus-Best-Practices.md b/07-Observability/Prometheus-Best-Practices.md index 54ec84a..4a42f46 100644 --- a/07-Observability/Prometheus-Best-Practices.md +++ b/07-Observability/Prometheus-Best-Practices.md @@ -1,3 +1,6 @@ +--- +description: "Production-grade Prometheus best practices: metric naming, cardinality kontrolu, retention politikasi, federation, HA ve recording rules ile OOM'dan kacinma kurallari." +--- # Prometheus Best Practices — Production-Grade > *"Prometheus 'install et çalışıyor' değil — **disiplin gerektiren diff --git a/07-Observability/Prometheus-Grafana-K8s-Setup.md b/07-Observability/Prometheus-Grafana-K8s-Setup.md index f86013d..a416b9f 100644 --- a/07-Observability/Prometheus-Grafana-K8s-Setup.md +++ b/07-Observability/Prometheus-Grafana-K8s-Setup.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes uzerinde Prometheus ve Grafana kurulum dokumantasyonu: sistem gereksinimleri, on kosullar, Helm kurulum adimlari, service konfigurasyonu, erisim ve sorun giderme." +--- # Prometheus + Grafana Kubernetes Kurulum Dokümantasyonu ## 📋 İçindekiler diff --git a/07-Observability/README.md b/07-Observability/README.md index 113f068..e6c5eb8 100644 --- a/07-Observability/README.md +++ b/07-Observability/README.md 
@@ -1,3 +1,6 @@ +--- +description: "Observability bolumu indeksi: metrics, logs, traces ve profiles dort ayagi ile OpenTelemetry, Prometheus, SLO, alerting, Loki, Tempo ve Pyroscope rehberlerine giris." +--- # 07 · Observability > *"Loglar olmadan çalışmıyor, traces olmadan yavaş, metrics olmadan SLO diff --git a/07-Observability/SLO-Engineering.md b/07-Observability/SLO-Engineering.md index b9d83e6..c1db4ed 100644 --- a/07-Observability/SLO-Engineering.md +++ b/07-Observability/SLO-Engineering.md @@ -1,3 +1,6 @@ +--- +description: "SLO'yu muhendislik disiplinine cevirme rehberi: SLI/SLO/error budget ozeti, multi-window burn rate alarmlari, error budget policy ve operasyonel tooling." +--- # SLO Engineering — Multi-Window, Burn Rate, Error Budget > *"SLI tanımladın. SLO koydun. **Error budget alarmı yoksa**, SLO diff --git a/07-Observability/Tracing-with-Tempo.md b/07-Observability/Tracing-with-Tempo.md index 9eeb713..b910a2c 100644 --- a/07-Observability/Tracing-with-Tempo.md +++ b/07-Observability/Tracing-with-Tempo.md @@ -1,3 +1,6 @@ +--- +description: "Distributed tracing rehberi: OpenTelemetry SDK ile Grafana Tempo kurulumu, trace anatomisi, sampling stratejileri ve production'da trace analizi best practice'leri." +--- # Distributed Tracing — Tempo + OpenTelemetry > *"Microservice X'in p99 8s. Hangi servis yavaş? Logs alone bunu diff --git a/08-Security/Container-Image-Scanning.md b/08-Security/Container-Image-Scanning.md index 2e57991..07ed633 100644 --- a/08-Security/Container-Image-Scanning.md +++ b/08-Security/Container-Image-Scanning.md @@ -1,3 +1,6 @@ +--- +description: "Trivy ekseninde shift-left container image tarama rehberi: OS/dil CVE, IaC misconfig, secret ve SBOM taramasi; CI gate'ten admission ve runtime drift'e." +--- # Container Image Scanning — CVE'yi Üretime Sokmamak > *"CVE'yi prod'da bulmaktansa, prod'a sokmamak — 1000 kat ucuz, 100 
diff --git a/08-Security/DevSecOps-Pipeline.md b/08-Security/DevSecOps-Pipeline.md index da08982..9eabbe5 100644 --- a/08-Security/DevSecOps-Pipeline.md +++ b/08-Security/DevSecOps-Pipeline.md @@ -1,3 +1,6 @@ +--- +description: "Pre-commit'ten runtime'a her asamada guvenlik kontrolu olan fail-fast ama developer-friendly DevSecOps pipeline tasarimi: shift-left ve defense in depth." +--- # DevSecOps Pipeline — Shift-Left'ten Runtime'a > *"Security review en sonda, deploy gününden 2 hafta önce başlar" diff --git a/08-Security/Kubernetes-Hardening.md b/08-Security/Kubernetes-Hardening.md index b5e961c..b565b5f 100644 --- a/08-Security/Kubernetes-Hardening.md +++ b/08-Security/Kubernetes-Hardening.md @@ -1,3 +1,6 @@ +--- +description: "CIS Benchmark esasli adim adim Kubernetes prod-grade hardening: tehdit modeli, API server hardening, RBAC, NetworkPolicy ve Pod Security Standards rehberi." +--- # Kubernetes Hardening — 2026 Production Rehberi > *"Default Kubernetes config'i 'çalışıyor' demek, banka kasasının kapısını diff --git a/08-Security/Policy-as-Code-OPA-Kyverno.md b/08-Security/Policy-as-Code-OPA-Kyverno.md index aa20325..1010220 100644 --- a/08-Security/Policy-as-Code-OPA-Kyverno.md +++ b/08-Security/Policy-as-Code-OPA-Kyverno.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes admission policy oyuncusu Kyverno ve OPA Gatekeeper karsilastirmasi: hazir policy katalogu ve production'a girerken sart olan 10 policy." +--- # Policy-as-Code — Kyverno vs OPA Gatekeeper > *"Ekipte 14 mühendis, 200 namespace, 3 cluster. Hangi pod root mu çalışıyor, diff --git a/08-Security/README.md b/08-Security/README.md index 0eed988..33d0322 100644 --- a/08-Security/README.md +++ b/08-Security/README.md 
@@ -1,3 +1,6 @@ +--- +description: "DevSecOps bolumu indeksi: shift-left pipeline, secrets yonetimi, image scanning, Kubernetes hardening, SLSA/SBOM, policy-as-code ve zero-trust rehberleri." +--- # 08 · Security (DevSecOps) > *"Production'da ihlal olduğunda 'security takımının sorunu değil, hepimizin diff --git a/08-Security/Runtime-Security.md b/08-Security/Runtime-Security.md index 149a825..c82b615 100644 --- a/08-Security/Runtime-Security.md +++ b/08-Security/Runtime-Security.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes'te runtime'da kotu davranisi tespit etmenin modern yolu: Falco (rule-based), Tetragon (eBPF native) ve alarmdan eyleme uzanan zincirin kurulumu." +--- # Runtime Security — Falco, Tetragon, eBPF > *"Build-time tarama duvarı yapar; runtime detection **alarmı çalan diff --git a/08-Security/SLSA-and-SBOM.md b/08-Security/SLSA-and-SBOM.md index 20c8775..78dfec0 100644 --- a/08-Security/SLSA-and-SBOM.md +++ b/08-Security/SLSA-and-SBOM.md @@ -1,3 +1,6 @@ +--- +description: "Yazilim tedarik zinciri guvenligi: SLSA seviyeleri, SBOM, provenance ve attestation; Sigstore/cosign/Rekor ile xz-utils tipi saldirilara karsi savunma." +--- # SLSA & SBOM — Supply Chain Integrity > *"Kodun senden, dependency'lerin başkalarından, build'in CI'dan, runtime'ın diff --git a/08-Security/Secrets-Management.md b/08-Security/Secrets-Management.md index 24b3555..9a85d55 100644 --- a/08-Security/Secrets-Management.md +++ b/08-Security/Secrets-Management.md @@ -1,3 +1,6 @@ +--- +description: "Production'da sir yonetimi: DB parolasi, API key ve token'lari Vault, ESO, SOPS ve Sealed Secrets ile yoneten stack karsilastirmasi ve karar agaci." +--- # Secrets Management — Production'da Sır Yönetimi > *"Sır, Git history'ye giren her şeydir. Bir kez girdi mi, oradadır — diff --git a/08-Security/Threat-Modeling.md b/08-Security/Threat-Modeling.md index d44513c..9be61f4 100644 --- a/08-Security/Threat-Modeling.md +++ b/08-Security/Threat-Modeling.md 
@@ -1,3 +1,6 @@ +--- +description: "Threat modeling pratik rehberi: sistemin nasil saldirilabileceginin ve hangi kontrolun hangi tehdidi azalttiginin kaydi; STRIDE/LINDDUN ile yasayan dokuman." +--- # Threat Modeling — Sistemsiz Tehdit Avı Bitsin > *"Saldırgan zaten **size** bir threat model yapıyor. Siz yapmazsanız diff --git a/08-Security/Zero-Trust-Networking.md b/08-Security/Zero-Trust-Networking.md index c434fdc..df05e0a 100644 --- a/08-Security/Zero-Trust-Networking.md +++ b/08-Security/Zero-Trust-Networking.md @@ -1,3 +1,6 @@ +--- +description: "Zero Trust networking'i uygulanabilir kilan rehber: NIST 800-207 prensipleri, BeyondCorp, her yerde mTLS, service mesh authZ ve workload identity." +--- # Zero-Trust Networking — "Network Sınırı" Yalanı Bitti > *"VPN'in arkasında olan her şey güvenilir" diye düşünmek 2026'da diff --git a/09-Networking/Cilium-eBPF-Intro.md b/09-Networking/Cilium-eBPF-Intro.md index 398c6a1..a3b14e8 100644 --- a/09-Networking/Cilium-eBPF-Intro.md +++ b/09-Networking/Cilium-eBPF-Intro.md @@ -1,3 +1,6 @@ +--- +description: "Cilium ve eBPF teknolojisine pratik giris: kube-proxy replacement, sidecar'siz mimari ve modern kernel-tabanli network stack'in nasil kuruldugu anlatilir." +--- # Cilium & eBPF — 30 Dakikada Modern Network Stack > *"kube-proxy, iptables, sidecar — 2014'ün K8s networking diff --git a/09-Networking/DNS-Strategies.md b/09-Networking/DNS-Strategies.md index 9de99e2..b09d40b 100644 --- a/09-Networking/DNS-Strategies.md +++ b/09-Networking/DNS-Strategies.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes ortaminda production-grade DNS kurulumu: external-dns, CoreDNS tuning, NodeLocal DNSCache ve split-horizon ile DNS incident'larini onleme rehberi." +--- # DNS Strategies — external-dns, NodeLocal, CoreDNS Tuning > *"Production'da %30 incident **DNS**'tedir. 'It's always DNS' meme'si diff --git a/09-Networking/Gateway-API-Migration.md b/09-Networking/Gateway-API-Migration.md index aeb726f..bab9073 100644 
--- a/09-Networking/Gateway-API-Migration.md +++ b/09-Networking/Gateway-API-Migration.md @@ -1,3 +1,6 @@ +--- +description: "Ingress'ten Gateway API'ye gecis rehberi: niye gerekli, persona-bazli CRD modeli, adim adim migration plani ve gecis sirasinda beklenen tuzaklar." +--- # Gateway API — Ingress'in Halefi, 2026'da Standart > *"Ingress 2015'te tasarlandı: tek CRD, tek tip ekibe (cluster-ops), diff --git a/09-Networking/Ingress-NGINX-Patterns.md b/09-Networking/Ingress-NGINX-Patterns.md index 87a5e76..a51f9d0 100644 --- a/09-Networking/Ingress-NGINX-Patterns.md +++ b/09-Networking/Ingress-NGINX-Patterns.md @@ -1,3 +1,6 @@ +--- +description: "Ingress-NGINX production pattern'leri: TLS termination, rate limit, canary deployment, auth ve WAF ayarlari somut annotation ornekleriyle anlatilir." +--- # Ingress-NGINX Patterns — TLS, Rate Limit, Canary, Auth > *"Ingress-NGINX 2026'da hâlâ en yaygın K8s ingress controller. Yeni diff --git a/09-Networking/Ingress-and-Gateway-API.md b/09-Networking/Ingress-and-Gateway-API.md index 09fa629..5ce99bf 100644 --- a/09-Networking/Ingress-and-Gateway-API.md +++ b/09-Networking/Ingress-and-Gateway-API.md @@ -1,3 +1,6 @@ +--- +description: "Ingress ve Gateway API'nin yan yana calistirilmasi: gecis stratejisi, hibrit pattern (yeni servis Gateway, eski Ingress) ve hangisini ne zaman sececegin." +--- # Ingress vs Gateway API — Yan Yana, Hangisi Ne Zaman > *"2026'da Ingress 'eskiyen' ama hâlâ yaygın; Gateway API yeni ve diff --git a/09-Networking/Network-Troubleshooting.md b/09-Networking/Network-Troubleshooting.md index 3869adb..e7162e8 100644 --- a/09-Networking/Network-Troubleshooting.md +++ b/09-Networking/Network-Troubleshooting.md 
@@ -1,3 +1,6 @@ +--- +description: "Production'da network sorunlarini sistemli debug etme: tcpdump, ss, dig ve conntrack komutlari ile karar agaci yontemini somut adimlarla anlatan rehber." +--- # Network Troubleshooting — tcpdump, ss, dig, conntrack > *"Connection timeout. Sebep: A) NetworkPolicy, B) DNS, C) firewall, diff --git a/09-Networking/README.md b/09-Networking/README.md index 296079b..69722e7 100644 --- a/09-Networking/README.md +++ b/09-Networking/README.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes networking rehber dizini: cluster ici/disi network kavramlari, eBPF dunyasi, service mesh ve Ingress'ten Gateway API'ye gecis konulari." +--- # 09 · Networking > *"`curl` çalışıyor ama `dig` yanlış IP veriyor, NetworkPolicy boğuyor, diff --git a/09-Networking/Service-Mesh-Comparison.md b/09-Networking/Service-Mesh-Comparison.md index 1cb6354..e3507d2 100644 --- a/09-Networking/Service-Mesh-Comparison.md +++ b/09-Networking/Service-Mesh-Comparison.md @@ -1,3 +1,6 @@ +--- +description: "Istio, Linkerd ve Cilium service mesh'lerinin 2026 karsilastirmasi: sidecar-less yukselisi, mTLS, observability ve hangi senaryoda hangisini sececegin." +--- # Service Mesh Karşılaştırma — Istio, Linkerd, Cilium > *"Service mesh kurmadan önce sor: 'Hangi problemi çözüyor?' Cevabın diff --git a/10-Databases-Production/Backup-Restore-Patterns.md b/10-Databases-Production/Backup-Restore-Patterns.md index 29085fc..88e56d0 100644 --- a/10-Databases-Production/Backup-Restore-Patterns.md +++ b/10-Databases-Production/Backup-Restore-Patterns.md @@ -1,3 +1,6 @@ +--- +description: "Postgres backup stratejileri: 3-2-1 kuralı, RPO/RTO hedefleri, logical/physical backup, PITR ve restore tatbikatını otomasyonla disiplin haline getirme." +--- # Postgres Backup & Restore — Test Edilmemiş Backup, Backup Değildir > *"Backup'ı olmayanların verisi gider; backup'ı olan ama test 
diff --git a/10-Databases-Production/Connection-Pooling.md b/10-Databases-Production/Connection-Pooling.md index f3a6c6b..e84da69 100644 --- a/10-Databases-Production/Connection-Pooling.md +++ b/10-Databases-Production/Connection-Pooling.md @@ -1,3 +1,6 @@ +--- +description: "Postgres connection pooling rehberi: PgBouncer pratikleri, pgcat ve app-side pooling alternatifleri, pool exhaustion sorunu ve doğru pool size hesabı." +--- # Connection Pooling — Postgres'in En Sık İhmal Edilen Tarafı > *"Postgres connection = process. 10 MB RAM. 500 connection = 5 GB. diff --git a/10-Databases-Production/HA-Patroni-Stolon.md b/10-Databases-Production/HA-Patroni-Stolon.md index 8e04218..ba9c703 100644 --- a/10-Databases-Production/HA-Patroni-Stolon.md +++ b/10-Databases-Production/HA-Patroni-Stolon.md @@ -1,3 +1,6 @@ +--- +description: "Postgres yüksek erişilebilirlik (HA) çözümleri: Patroni, Stolon ve CloudNativePG karşılaştırması, otomatik failover, split-brain çözümü ve 2026 önerisi." +--- # Postgres HA — Patroni, Stolon, CloudNativePG > *"Single instance prod Postgres = saatlik downtime kabul eden iş. diff --git a/10-Databases-Production/Monitoring-Postgres.md b/10-Databases-Production/Monitoring-Postgres.md index 38bd2a0..e5d998a 100644 --- a/10-Databases-Production/Monitoring-Postgres.md +++ b/10-Databases-Production/Monitoring-Postgres.md @@ -1,3 +1,6 @@ +--- +description: "Postgres observability stack rehberi: pg_stat_statements, postgres-exporter, slow query log ve replication monitoring; somut alarm ve dashboard örnekleriyle." +--- # Postgres Monitoring — Slow Query, Lock, Bloat, Replication > *"Postgres 'bir şey yok gibi' çalışırken aslında 5 farklı yerde yangın diff --git a/10-Databases-Production/Operator-Patterns.md b/10-Databases-Production/Operator-Patterns.md index c1ef477..a6fc01a 100644 --- a/10-Databases-Production/Operator-Patterns.md +++ b/10-Databases-Production/Operator-Patterns.md 
@@ -1,3 +1,6 @@ +--- +description: "Kubernetes için 3 büyük Postgres operator karşılaştırması: CloudNativePG, Crunchy PGO ve Zalando; HA, backup, monitoring ve 2026 için net karar." +--- # Postgres Operator Karşılaştırma — CloudNativePG, Crunchy, Zalando > *"K8s'de Postgres yönetiyorsan **operator zorunlu**. Manuel diff --git a/10-Databases-Production/Postgres-Production-Guide.md b/10-Databases-Production/Postgres-Production-Guide.md index f50032a..2c50f94 100644 --- a/10-Databases-Production/Postgres-Production-Guide.md +++ b/10-Databases-Production/Postgres-Production-Guide.md @@ -1,3 +1,6 @@ +--- +description: "Prod-grade PostgreSQL kurulumu için rehber: postgresql.conf tuning, connection pooling, monitoring ve operasyonel kararlar; Postgres 16/17 referansli." +--- # PostgreSQL Production Guide — Tuning, Pooling, Monitoring > *"PostgreSQL'in default config'i bir RaspberryPi için yazılmış gibidir. diff --git a/10-Databases-Production/README.md b/10-Databases-Production/README.md index cf9a6d1..fbaba1b 100644 --- a/10-Databases-Production/README.md +++ b/10-Databases-Production/README.md @@ -1,3 +1,6 @@ +--- +description: "Production veritabanları bölümünün indeksi: Postgres tuning, backup/restore, HA failover, zero-downtime migration, operator pattern ve connection pooling." +--- # 10 · Databases in Production > *"Bütün startup'ların ilk 5 yıllık problemi 'PostgreSQL'i nasıl ölçeklenir diff --git a/10-Databases-Production/StatefulSet-vs-Operator.md b/10-Databases-Production/StatefulSet-vs-Operator.md index 6610f53..a52a6a7 100644 --- a/10-Databases-Production/StatefulSet-vs-Operator.md +++ b/10-Databases-Production/StatefulSet-vs-Operator.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes'te stateful workload yonetimi: plain StatefulSet'in nerede yeterli oldugu, operator pattern'in ne zaman zorunlu oldugu ve karar agaci." +--- # StatefulSet vs Operator — Stateful Workload K8s'de > *"Postgres'i K8s'e nasıl koyarsın? StatefulSet manuel yönet, ya 
diff --git a/10-Databases-Production/Zero-Downtime-Migrations.md b/10-Databases-Production/Zero-Downtime-Migrations.md index 1e0a0eb..21b8e18 100644 --- a/10-Databases-Production/Zero-Downtime-Migrations.md +++ b/10-Databases-Production/Zero-Downtime-Migrations.md @@ -1,3 +1,6 @@ +--- +description: "Postgres zero-downtime schema migration pattern'leri: expand/contract, online schema change, gh-ost ve pg_repack; naif migration neden coker, somut orneklerle." +--- # Zero-Downtime Migrations — Schema Değişikliği Yaparken Prod'u Düşürme > *"Schema migration deploy ortasında 'sadece bir DROP COLUMN' diyen diff --git a/11-SRE/Capacity-Planning.md b/11-SRE/Capacity-Planning.md index ad55116..d99c55f 100644 --- a/11-SRE/Capacity-Planning.md +++ b/11-SRE/Capacity-Planning.md @@ -1,3 +1,6 @@ +--- +description: "Demand forecasting, headroom hesaplama, load test framework'ü ve 'ne zaman scale up?' sorusunun yöntemsel cevabını veren capacity planning rehberi." +--- # Capacity Planning — "Ne Kadar Yeterli?" Sorusunun Mühendislik Cevabı > *"Yeterli kapasite 'sezgi' değil — **veri** ile kanıtlanır. diff --git a/11-SRE/Chaos-Engineering.md b/11-SRE/Chaos-Engineering.md index fe23345..cddc02d 100644 --- a/11-SRE/Chaos-Engineering.md +++ b/11-SRE/Chaos-Engineering.md @@ -1,3 +1,6 @@ +--- +description: "Chaos engineering'i game day, fault injection, Litmus ve Chaos Mesh ile ekibin kültürüne entegre etmenin somut yollarını anlatan rehber." +--- # Chaos Engineering — Kontrollü Hata Yaratmak > *"Production'da incident'ı **bekleyen ekip**, ihlal anında öğrenir. diff --git a/11-SRE/Incident-Response.md b/11-SRE/Incident-Response.md index fb0c7c4..c4096d3 100644 --- a/11-SRE/Incident-Response.md +++ b/11-SRE/Incident-Response.md 
@@ -1,3 +1,6 @@ +--- +description: "Üretimde incident çıktığında ne yapılır, kim ne der, kim karar verir sorularına net cevap veren; IC rolü, severity ve iletişim odaklı pratik rehber." +--- # Incident Response — Yangın Söndürmenin Anatomi'si > *"Bir incident'ı 30 dakikada kapatabilen ekip ve 4 saatte kapatan ekip arasındaki fark — ekibin yetkinliği değil, **prosedürü**."* diff --git a/11-SRE/Postmortem-Practice.md b/11-SRE/Postmortem-Practice.md index 281d2b3..73a6ba2 100644 --- a/11-SRE/Postmortem-Practice.md +++ b/11-SRE/Postmortem-Practice.md @@ -1,3 +1,6 @@ +--- +description: "Blameless postmortem kültürünün rutine dönüştürülmesini, yazma süreci, fasilitasyon, action item yönetimi ve kültürel sürdürülebilirliği anlatır." +--- # Postmortem Practice — Blameless'i Rutin Haline Getirmek > *"Postmortem yazılmamış incident, **bir daha olmaya hazırlanan** diff --git a/11-SRE/README.md b/11-SRE/README.md index 5458d26..c5d69fa 100644 --- a/11-SRE/README.md +++ b/11-SRE/README.md @@ -1,3 +1,6 @@ +--- +description: "Site Reliability Engineering modülünün indeksi: SLI/SLO/error budget, incident response, runbook, chaos engineering, capacity, toil ve postmortem." +--- # 11 · Site Reliability Engineering > *"Hesabımıza güvenilirliği bir feature gibi mühendislik yapmazsak, diff --git a/11-SRE/Runbook-Template.md b/11-SRE/Runbook-Template.md index abd8eab..72750aa 100644 --- a/11-SRE/Runbook-Template.md +++ b/11-SRE/Runbook-Template.md @@ -1,3 +1,6 @@ +--- +description: "Prod ortamında alarmlara cevap vermek için runbook'un ne olduğunu, neden ve nasıl yazıldığını anlatan rehber; şablon, örnek ve anti-pattern'ler." +--- # Runbook — Alarm Düştüğünde Ne Yap > *"Gece 03:14, telefon çalıyor. Beynin %30 kapasitede. Runbook diff --git a/11-SRE/SLI-SLO-Error-Budget.md b/11-SRE/SLI-SLO-Error-Budget.md index c606150..4d069d4 100644 --- a/11-SRE/SLI-SLO-Error-Budget.md +++ b/11-SRE/SLI-SLO-Error-Budget.md 
@@ -1,3 +1,6 @@ +--- +description: "SLI, SLO, SLA ve error budget kavramlarını Türkçe ve uygulanabilir biçimde anlatan, kendi servisinin ilk SLO'sunu yazdıran pratik rehber." +--- # SLI / SLO / Error Budget — Pratik Rehber > *"%100 uptime hedef değildir; matematiksel imkansızdır. **%99.9 hedeftir, geri kalan %0.1 mühendislik karar bütçenizdir.**"* @@ -313,4 +316,4 @@ Bir servisin SLO'su production-ready sayılmadan önce hepsi işaretlenmeli. - *The Site Reliability Workbook* — bölüm 2 - [SRE Book online](https://sre.google/sre-book/service-level-objectives/) — ücretsiz - [Awesome SLO](https://github.com/awesome-slo/awesome-slo) — pratik örnekler -- [`17-Templates/prometheus-rules/`](../17-Templates/prometheus-rules/) — bu repo'da hazır rule'lar +- [`17-Templates/prometheus-rules/slo-recording-rules.yaml`](../17-Templates/prometheus-rules/slo-recording-rules.yaml) — bu repo'da hazır rule'lar diff --git a/11-SRE/Toil-Reduction.md b/11-SRE/Toil-Reduction.md index c7d9b47..99782c7 100644 --- a/11-SRE/Toil-Reduction.md +++ b/11-SRE/Toil-Reduction.md @@ -1,3 +1,6 @@ +--- +description: "Google SRE Book'un toil kavramını, nasıl ölçüleceğini, %50 kuralını ve toil'i azaltmanın somut tekniklerini anlatan pratik rehber." +--- # Toil Reduction — "Ekibin %50'si Toil'da" Demek > *"Toil = manuel + tekrarlayan + value yaratmayan iş. SRE diff --git a/12-FinOps/Cloud-Cost-Allocation.md b/12-FinOps/Cloud-Cost-Allocation.md index 7f99eba..f2e5e48 100644 --- a/12-FinOps/Cloud-Cost-Allocation.md +++ b/12-FinOps/Cloud-Cost-Allocation.md @@ -1,3 +1,6 @@ +--- +description: "Cloud faturasini anlamlandirma: kim ne icin harcadi sorusuna cevap; tagging stratejisi, showback, chargeback ve anomaly detection ile maliyet allocation." +--- # Cloud Cost Allocation — Faturayı Anlamak > *"Bu ay AWS faturası $42,318. Ne için? Bilmiyorum. Hangi takım yaktı? diff --git a/12-FinOps/Egress-Cost-Reduction.md b/12-FinOps/Egress-Cost-Reduction.md index 1467430..b85face 100644 
--- a/12-FinOps/Egress-Cost-Reduction.md +++ b/12-FinOps/Egress-Cost-Reduction.md @@ -1,3 +1,6 @@ +--- +description: "AWS, GCP ve Azure'da egress maliyetini azaltma: VPC Endpoints, CDN, peering, single-AZ ve NAT Gateway kontrolu ile gizli bill kalemini somut tasarrufa cevirme." +--- # Egress Cost Reduction — Görünmez Bill Kaleminin Kontrolü > *"AWS bill'inin %25-40'ı **egress traffic**. Çoğu ekip 'storage, diff --git a/12-FinOps/Kubecost-Setup.md b/12-FinOps/Kubecost-Setup.md index aa3b262..cec9b51 100644 --- a/12-FinOps/Kubecost-Setup.md +++ b/12-FinOps/Kubecost-Setup.md @@ -1,3 +1,6 @@ +--- +description: "Kubecost ile Kubernetes cost visibility: per-namespace, workload ve label bazli dollar maliyet dashboard, allocation modeli, alert ve OpenCost alternatifi." +--- # Kubecost Setup — K8s Cost Visibility > *"K8s cluster $80K/ay maliyet, 'kim kullanıyor?' bilen yok. diff --git a/12-FinOps/PR-Cost-Diff.md b/12-FinOps/PR-Cost-Diff.md index bfb5160..a95293a 100644 --- a/12-FinOps/PR-Cost-Diff.md +++ b/12-FinOps/PR-Cost-Diff.md @@ -1,3 +1,6 @@ +--- +description: "CI'da PR'in cost impact'ini hesaplama ve PR yorumuna ekleme: Infracost ve Kubecost ile pre-merge maliyet review, sürpriz bill yerine bilincli karar." +--- # PR Cost Diff — "Bu PR ne kadara mal olacak?" > *"Developer PR açıyor: replica 3 → 10, instance type m5.large → r5.4xlarge. diff --git a/12-FinOps/README.md b/12-FinOps/README.md index b59e2a9..eac5c1f 100644 --- a/12-FinOps/README.md +++ b/12-FinOps/README.md @@ -1,3 +1,6 @@ +--- +description: "FinOps Foundation cercevesi (Inform-Optimize-Operate) rehberleri: cost allocation, right-sizing, spot, reserved plan, storage, egress, Kubecost ve PR cost diff." +--- # 12 · FinOps > *"AWS faturası ay başında geldi: $42,318. Geçen ay $19,200'dü. Kim, diff --git a/12-FinOps/Reserved-and-Savings-Plans.md b/12-FinOps/Reserved-and-Savings-Plans.md index b70ccc9..e95a10e 100644 --- a/12-FinOps/Reserved-and-Savings-Plans.md +++ b/12-FinOps/Reserved-and-Savings-Plans.md 
@@ -1,3 +1,6 @@ +--- +description: "AWS Reserved Instances, Savings Plans, GCP CUDs ve Azure Reservations icin uzun vadeli commitment stratejisi; forecast, commitment ladder, over-commit kacinma." +--- # Reserved Instances & Savings Plans — Long-Term Commitment > *"On-demand prod kullanan ekip, **3 yıl Reserved** alabilirdi diff --git a/12-FinOps/Right-Sizing.md b/12-FinOps/Right-Sizing.md index 088c28d..518e043 100644 --- a/12-FinOps/Right-Sizing.md +++ b/12-FinOps/Right-Sizing.md @@ -1,3 +1,6 @@ +--- +description: "AWS, GCP ve Kubernetes icin right-sizing rehberi: kullanim profiline gore instance kuculttme, CPU/memory hedefleri, tooling ve ne zaman kuculteleceginin karari." +--- # Right-Sizing — Doğru Boyutta Resource > *"Ortalama %15 CPU kullanan instance'a `4 vCPU` allocate eden ekip, diff --git a/12-FinOps/Spot-Instance-Strategy.md b/12-FinOps/Spot-Instance-Strategy.md index 0adccc6..7d77852 100644 --- a/12-FinOps/Spot-Instance-Strategy.md +++ b/12-FinOps/Spot-Instance-Strategy.md @@ -1,3 +1,6 @@ +--- +description: "AWS Spot, GCP Preemptible ve Azure Spot ile %70 tasarruf: uygun workload secimi, graceful interruption handling ve Karpenter ile mixed fleet stratejisi." +--- # Spot Instance Strategy — %70 Tasarruf > *"Spot %70 daha ucuz — 'ama interrupt edilebilir' diye kullanmayan diff --git a/12-FinOps/Storage-Cost-Optimization.md b/12-FinOps/Storage-Cost-Optimization.md index 9d7f6de..793d34b 100644 --- a/12-FinOps/Storage-Cost-Optimization.md +++ b/12-FinOps/Storage-Cost-Optimization.md @@ -1,3 +1,6 @@ +--- +description: "S3, EBS, snapshot ve backup icin storage maliyet optimizasyonu: lifecycle policy, tier transition, idle volume ve zombie snapshot temizligi ile somut tasarruf." +--- # Storage Cost Optimization — S3, EBS, Snapshot, Backup > *"S3 bill $20K/ay, %80'i 6 ay önceki log + zombie snapshot. diff --git a/13-Platform-Engineering/Backstage-Setup.md b/13-Platform-Engineering/Backstage-Setup.md index aaab5e5..afa17ba 100644 
--- a/13-Platform-Engineering/Backstage-Setup.md +++ b/13-Platform-Engineering/Backstage-Setup.md @@ -1,3 +1,6 @@ +--- +description: "Spotify'ın açık kaynak Backstage geliştirici portalını sıfırdan prod-grade seviyeye kurma rehberi: catalog, scaffolder, TechDocs, plugin'ler ve OIDC auth adımları." +--- # Backstage Setup — IDP'nin Pratik Kuruluşu > *"Backstage 'Confluence + Jenkins + Datadog'un evladı' değildir. diff --git a/13-Platform-Engineering/Golden-Paths.md b/13-Platform-Engineering/Golden-Paths.md index bc3f43d..9fa435c 100644 --- a/13-Platform-Engineering/Golden-Paths.md +++ b/13-Platform-Engineering/Golden-Paths.md @@ -1,3 +1,6 @@ +--- +description: "Internal Developer Platform'un kalbi golden path'leri tasarlama rehberi: opinionated ve otomatik 'yeni servis 5 dakikada' yol haritaları, kapsamı ve adoption ölçümü." +--- # Golden Paths — "Yeni Servis 5 Dakikada" > *"Geliştirici 'yeni servis nasıl açılır?' diye sorduğunda Confluence diff --git a/13-Platform-Engineering/Internal-Developer-Platform.md b/13-Platform-Engineering/Internal-Developer-Platform.md index 361d2fe..f506534 100644 --- a/13-Platform-Engineering/Internal-Developer-Platform.md +++ b/13-Platform-Engineering/Internal-Developer-Platform.md @@ -1,3 +1,6 @@ +--- +description: "Internal Developer Platform (IDP) kavramını teknolojiden önce kültürel ve ürün bakışıyla anlatan rehber: self-service altın yol, build vs buy ve somut yol haritası." +--- # Internal Developer Platform — Niye, Nasıl, Hangi Sırayla > *"Geliştirici 14 ticket'a soruyor: 'Yeni servis nasıl açılır?' Cevap diff --git a/13-Platform-Engineering/Platform-as-Product.md b/13-Platform-Engineering/Platform-as-Product.md index 18bb8bc..0b87fc1 100644 --- a/13-Platform-Engineering/Platform-as-Product.md +++ b/13-Platform-Engineering/Platform-as-Product.md 
@@ -1,3 +1,6 @@ +--- +description: "Platform Engineering'i bir ürün disiplini olarak yönetmenin somut yolları: developer'ı müşteri görme felsefesi, NPS ölçümü, roadmap, OKR, beta program ve evangelism." +--- # Platform-as-Product — İç Müşteri Memnuniyeti > *"Platform takımının ürünü 'bir tool' değil, **diğer mühendislere diff --git a/13-Platform-Engineering/README.md b/13-Platform-Engineering/README.md index 5f66d94..99e7cbe 100644 --- a/13-Platform-Engineering/README.md +++ b/13-Platform-Engineering/README.md @@ -1,3 +1,6 @@ +--- +description: "Platform Engineering bölümünün indeksi: Internal Developer Platform, Backstage kurulumu, golden paths, service catalog ve platform-as-product konularına genel bakış ve dosya rehberi." +--- # 13 · Platform Engineering > *"DevOps takımı 14 ticket'a cevap veriyor; geliştirici beklerken sigara diff --git a/13-Platform-Engineering/Service-Catalog.md b/13-Platform-Engineering/Service-Catalog.md index ed97214..6f12883 100644 --- a/13-Platform-Engineering/Service-Catalog.md +++ b/13-Platform-Engineering/Service-Catalog.md @@ -1,3 +1,6 @@ +--- +description: "Backstage Catalog ile servis envanterini tutma, ownership atama, dependency graph görüntüleme ve on-call eşlemesi yapmanın pratik yollarını anlatan rehber." +--- # Service Catalog — Servis Envanteri, Ownership, Dependency Graph > *"50 mikroservis var. 'X servisi kim sahipleniyor?' sorusuna 5 dakikada diff --git a/14-Sustainability/Carbon-Aware-Computing.md b/14-Sustainability/Carbon-Aware-Computing.md index faf4dbd..3559a2b 100644 --- a/14-Sustainability/Carbon-Aware-Computing.md +++ b/14-Sustainability/Carbon-Aware-Computing.md @@ -1,3 +1,6 @@ +--- +description: "Carbon-aware workload scheduling rehberi: isin ne zaman ve nerede calisacagini sebekenin anlik karbon yogunluguna gore secme, gercek zamanli API'lar, K8s ve CI ornekleri." +--- # Carbon-Aware Computing — Düşük-Karbon Saatte Çalış > *"Aynı işi rüzgârlı bir gece çalıştırmak ile fosil yakıt yüklü 
diff --git a/14-Sustainability/Efficiency-Practices.md b/14-Sustainability/Efficiency-Practices.md index d62b158..a716432 100644 --- a/14-Sustainability/Efficiency-Practices.md +++ b/14-Sustainability/Efficiency-Practices.md @@ -1,3 +1,6 @@ +--- +description: "Yesil yazilim icin hizli uygulanabilen verimlilik pratikleri: ARM/Graviton, spot instance, idle cleanup, compression, caching ve right-sizing; cost-carbon dual ROI ornekleriyle." +--- # Efficiency Practices — Quick Wins for Carbon + Cost > *"Yeşil yazılım 'gelecekte düşünelim' işi değil — **bu çeyrek** diff --git a/14-Sustainability/Green-Software-Principles.md b/14-Sustainability/Green-Software-Principles.md index 5b702ad..082cee2 100644 --- a/14-Sustainability/Green-Software-Principles.md +++ b/14-Sustainability/Green-Software-Principles.md @@ -1,3 +1,6 @@ +--- +description: "Green Software Foundation'un 8 prensibini somut muhendislik kararlarina ceviren rehber; SCI metrigiyle olcum ve yesil yazilimi CI'da pass/fail metrige donusturme, CSRD/SEC baglamiyla." +--- # Green Software Principles — Karbonu Mühendislik Disiplinine Çevirmek > *"Software is **never** carbon-neutral; it's just CO₂ that you decided diff --git a/14-Sustainability/Measuring-Software-Carbon.md b/14-Sustainability/Measuring-Software-Carbon.md index a3980b2..0c7c0f3 100644 --- a/14-Sustainability/Measuring-Software-Carbon.md +++ b/14-Sustainability/Measuring-Software-Carbon.md @@ -1,3 +1,6 @@ +--- +description: "Yazilim emisyonunu gercek metrige donusturen stack rehberi: SCI formulu, Cloud Carbon Footprint, Kepler eBPF ve AWS/GCP/Azure native karbon dashboard'lari adim adim." +--- # Measuring Software Carbon — SCI, Cloud Carbon Footprint, Kepler > *"Yazılım karbonunu ölçmüyorsan, **azaltma iddiası boştur**. diff --git a/14-Sustainability/README.md b/14-Sustainability/README.md index 0caa4b9..7a8e941 100644 --- a/14-Sustainability/README.md +++ b/14-Sustainability/README.md 
@@ -1,3 +1,6 @@ +--- +description: "Surdurulebilir muhendislik ve Green IT bolum indeksi: GSF 8 prensibi, carbon-aware computing, SCI olcumu, dusuk-karbon region secimi ve verimlilik pratikleri rehberleri." +--- # 14 · Sustainable Engineering / Green IT > *"Software is **never** carbon-neutral; it's just CO₂ that you decided diff --git a/14-Sustainability/Region-Selection.md b/14-Sustainability/Region-Selection.md index b35edbe..6f84f10 100644 --- a/14-Sustainability/Region-Selection.md +++ b/14-Sustainability/Region-Selection.md @@ -1,3 +1,6 @@ +--- +description: "AWS, GCP ve Azure region'larini karbon yogunluguna gore karsilastiran rehber; latency, maliyet ve data-residency trade-off'lariyla dusuk-karbon region karar matrisi kurma." +--- # Region Selection — Cloud Region Karbon Karar Matrisi > *"Aynı workload'u Frankfurt yerine Stockholm'de çalıştırmak %60 diff --git a/15-AI-LLMOps/AI-Augmented-Operations.md b/15-AI-LLMOps/AI-Augmented-Operations.md index 904ea10..42e5abd 100644 --- a/15-AI-LLMOps/AI-Augmented-Operations.md +++ b/15-AI-LLMOps/AI-Augmented-Operations.md @@ -1,3 +1,6 @@ +--- +description: "LLM'in DevOps akisindaki pratik kullanimlari: log analiz, runbook, postmortem, alarm triage; agent pattern'leri, use case matrisi ve otomasyon-insan dengesi." +--- # AI-Augmented Operations — LLM ile DevOps İşi > *"LLM'i 'chatbot' sanmak 2024'tü. 2026'da LLM, **DevOps mühendisinin diff --git a/15-AI-LLMOps/LLM-in-Production.md b/15-AI-LLMOps/LLM-in-Production.md index fa2db4e..fd04f3d 100644 --- a/15-AI-LLMOps/LLM-in-Production.md +++ b/15-AI-LLMOps/LLM-in-Production.md @@ -1,3 +1,6 @@ +--- +description: "LLM uygulamalarini production'a alma: rate limit, input safety, prompt template registry, eval, observability, cost ve guardrail'ler ile LLMOps mimarisi." +--- # LLM Uygulamalarını Production'a Almak > *"Demo'mda harikaydı; production'da p99 latency 12 saniye, bir tenant 
diff --git a/15-AI-LLMOps/Model-Cost-Optimization.md b/15-AI-LLMOps/Model-Cost-Optimization.md index 2103be6..0afc131 100644 --- a/15-AI-LLMOps/Model-Cost-Optimization.md +++ b/15-AI-LLMOps/Model-Cost-Optimization.md @@ -1,3 +1,6 @@ +--- +description: "LLM maliyet optimizasyonu: token fiyatlandirma, model tier secimi, prompt caching, batch API, semantic cache ve fine-tuning ROI ile ayni isi %70 ucuza yapma." +--- # Model Cost Optimization — LLM Bill'i Yönetmek > *"OpenAI bill ay sonu $20K. 'Çok mu kullandık?' Hayır, **yanlış diff --git a/15-AI-LLMOps/Prompt-Engineering-for-Ops.md b/15-AI-LLMOps/Prompt-Engineering-for-Ops.md index 65f21c4..cb3c173 100644 --- a/15-AI-LLMOps/Prompt-Engineering-for-Ops.md +++ b/15-AI-LLMOps/Prompt-Engineering-for-Ops.md @@ -1,3 +1,6 @@ +--- +description: "DevOps/SRE icin pratik prompt engineering: log analizi, runbook generation, incident summary ve postmortem icin somut prompt pattern'leri ve 5 temel prensip." +--- # Prompt Engineering for Ops — DevOps İçin Pratik LLM Kullanımı > *"LLM'e 'şunu yap' demek = junior'a yarım talimat vermek. Spesifik diff --git a/15-AI-LLMOps/RAG-Architecture.md b/15-AI-LLMOps/RAG-Architecture.md index 72f4aa7..10fac5b 100644 --- a/15-AI-LLMOps/RAG-Architecture.md +++ b/15-AI-LLMOps/RAG-Architecture.md @@ -1,3 +1,6 @@ +--- +description: "RAG (Retrieval-Augmented Generation) mimarisi: embedding, vector store, retriever, reranker ve generation asamalarini production'da kurma; LLM'e dis kaynak." +--- # RAG Architecture — Retrieval-Augmented Generation > *"LLM 'her şeyi bildiğinden' emin olduğu **halüsinasyonun** diff --git a/15-AI-LLMOps/README.md b/15-AI-LLMOps/README.md index ca947ca..9167432 100644 --- a/15-AI-LLMOps/README.md +++ b/15-AI-LLMOps/README.md 
@@ -1,3 +1,6 @@ +--- +description: "AI/LLMOps bolumu indeksi: RAG, prompt engineering, self-hosted LLM, cost optimization, safety guardrail'leri ve MLOps vs LLMOps karsilastirmasi." +--- # 15 · AI / LLMOps > *"Çalışıyor demo'mda; production'da p99 latency 12 saniye, bir tenant diff --git a/15-AI-LLMOps/Safety-and-Guardrails.md b/15-AI-LLMOps/Safety-and-Guardrails.md index dc5670a..98be4c6 100644 --- a/15-AI-LLMOps/Safety-and-Guardrails.md +++ b/15-AI-LLMOps/Safety-and-Guardrails.md @@ -1,3 +1,6 @@ +--- +description: "LLM safety ve guardrails: prompt injection, jailbreak, PII sizintisi, hallucination ve brand-safety risklerine karsi katmanli savunma ve tehdit modeli." +--- # LLM Safety & Guardrails — Production'da Korumalar > *"LLM'in ne diyebileceği belirsiz; **müşteriye ne diyeceğini** diff --git a/15-AI-LLMOps/Self-Hosted-LLM.md b/15-AI-LLMOps/Self-Hosted-LLM.md index 18a1b22..fbb10dc 100644 --- a/15-AI-LLMOps/Self-Hosted-LLM.md +++ b/15-AI-LLMOps/Self-Hosted-LLM.md @@ -1,3 +1,6 @@ +--- +description: "Self-hosted LLM: vLLM, Ollama ve Llama Stack ile kurulum, GPU kapasite planlamasi, production onerileri; privacy, cost ve offline icin self-host artilari." +--- # Self-Hosted LLM — vLLM, Ollama, Llama Stack > *"OpenAI / Anthropic API kullanmak hızlı ama: data gönderiyorsun, diff --git a/16-Cheatsheets/README.md b/16-Cheatsheets/README.md index 3e4e0b7..33f8d5a 100644 --- a/16-Cheatsheets/README.md +++ b/16-Cheatsheets/README.md @@ -1,3 +1,6 @@ +--- +description: "DevOps cheatsheet koleksiyonu indeksi: kubectl, docker, git, helm, terraform, aws-cli ve daha fazlasi. Sik kullanilan komutlari gruplayip hizli erisim saglar." +--- # 16 · Cheatsheets > *"Bilmek değil, **hatırlamak** yetenektir; ortalama mühendisin gerçek diff --git a/16-Cheatsheets/aws-cli.md b/16-Cheatsheets/aws-cli.md index 6d17be2..1cc4a8f 100644 --- a/16-Cheatsheets/aws-cli.md +++ b/16-Cheatsheets/aws-cli.md 
@@ -1,3 +1,6 @@ +--- +description: "AWS CLI pratik komut notlari: profil ve SSO auth, sts assume-role, EC2/S3/IAM islemleri, query filtreleme ve caller-identity dogrulama ornekleri." +--- # AWS CLI Cheatsheet ## 🔐 Auth & Profile diff --git a/16-Cheatsheets/docker.md b/16-Cheatsheets/docker.md index 3dd555c..ddc2e70 100644 --- a/16-Cheatsheets/docker.md +++ b/16-Cheatsheets/docker.md @@ -1,3 +1,6 @@ +--- +description: "Docker pratik komut notlari: image build, build-arg, BuildKit/buildx ile multi-platform build ve cache, run, exec, network, volume ve prune islemleri." +--- # Docker Cheatsheet ## 🔨 Build diff --git a/16-Cheatsheets/git.md b/16-Cheatsheets/git.md index 5cb0b05..0d10ea8 100644 --- a/16-Cheatsheets/git.md +++ b/16-Cheatsheets/git.md @@ -1,3 +1,6 @@ +--- +description: "Git pratik komut notlari: status ve log inspection, gecmis duzenleme, bisect, cherry-pick, reflog ve worktree. Senior dev'lerin gunluk kullandigi ipuclari." +--- # Git Cheatsheet > *"Git'i kullanmıyorsun, Git seni kullanıyor."* — her senior dev, eninde sonunda diff --git a/16-Cheatsheets/helm.md b/16-Cheatsheets/helm.md index 26cbd2a..0153d19 100644 --- a/16-Cheatsheets/helm.md +++ b/16-Cheatsheets/helm.md @@ -1,3 +1,6 @@ +--- +description: "Helm 3+ icin komut notlari: repo yonetimi, chart template debug, release kurulumu/upgrade, hook'lar ve OCI registry. Tiller'siz, namespace bazli release." +--- # Helm Cheatsheet > Helm 3+ varsayılır. Tiller'sız, namespace bazlı release. diff --git a/16-Cheatsheets/kubectl.md b/16-Cheatsheets/kubectl.md index d42abfd..26c60c6 100644 --- a/16-Cheatsheets/kubectl.md +++ b/16-Cheatsheets/kubectl.md @@ -1,3 +1,6 @@ +--- +description: "kubectl pratik komut notlari: cluster inspection, etiket filtreleme, JSONPath ile alan secimi, pod debug, rollout, port-forward ve sirali cikti ornekleri." +--- # kubectl Cheatsheet ## 🔍 Inspection diff --git a/16-Cheatsheets/linux-troubleshooting.md b/16-Cheatsheets/linux-troubleshooting.md index 779ea8b..8daa132 100644 
--- a/16-Cheatsheets/linux-troubleshooting.md +++ b/16-Cheatsheets/linux-troubleshooting.md @@ -1,3 +1,6 @@ +--- +description: "Linux sorun giderme cheatsheet'i: Brendan Gregg USE metodu ile CPU, bellek, disk ve network teshisi. Production'da neyin yavas oldugunu bulma araclari." +--- # Linux Troubleshooting Cheatsheet > *"Production'da bir şey yavaş, hangi şey?"* sorusunun çoklu pencereli cevabı. diff --git a/16-Cheatsheets/networking-tools.md b/16-Cheatsheets/networking-tools.md index c956fdc..940bb6c 100644 --- a/16-Cheatsheets/networking-tools.md +++ b/16-Cheatsheets/networking-tools.md @@ -1,3 +1,6 @@ +--- +description: "Network teshis araclari cheatsheet'i: DNS icin dig, baglanti ve port testleri, 7 katmanli sorun giderme. Ping doner ama uygulama 503 verir senaryolari icin." +--- # Networking Tools Cheatsheet > *"Pingledi, döndü; curl çalıştı; ama uygulama 503 veriyor."* diff --git a/16-Cheatsheets/terraform.md b/16-Cheatsheets/terraform.md index 9c656ce..9bf940b 100644 --- a/16-Cheatsheets/terraform.md +++ b/16-Cheatsheets/terraform.md @@ -1,3 +1,6 @@ +--- +description: "Terraform ve OpenTofu icin komut notlari: init, fmt, validate, plan/apply workflow, state islemleri, import ve console. Komutlar her iki arac icin ayni calisir." +--- # Terraform / OpenTofu Cheatsheet > Komutlar `terraform` ve `tofu` için aynıdır. OpenTofu fork sonrası diff --git a/16-Cheatsheets/vim-survival.md b/16-Cheatsheets/vim-survival.md index cb9aaa1..34633aa 100644 --- a/16-Cheatsheets/vim-survival.md +++ b/16-Cheatsheets/vim-survival.md @@ -1,3 +1,6 @@ +--- +description: "Vim hayatta kalma rehberi: cikma, kaydetme, undo, modlar ve temel duzenleme. Usta olmak degil, production sunucusunda 2 dakikada config duzeltip cikmak icin." +--- # Vim Survival Guide > *"Vim'den nasıl çıkarım?"* — `:q!` (Enter) diff --git a/17-Templates/README.md b/17-Templates/README.md index 400a74a..cac13e8 100644 --- a/17-Templates/README.md +++ b/17-Templates/README.md 
@@ -1,3 +1,6 @@ +--- +description: "Kopyala-değiştir-kullan DevOps template koleksiyonu: GitHub Actions, Kubernetes, Dockerfile, Terraform, Kyverno, runbook ve Prometheus kuralları; tüm placeholder'lar UPPER_CASE." +--- # 17 · Templates > Copy-paste-değiştir-kullan. Tüm placeholder'lar `` ile. diff --git a/17-Templates/gitignore/README.md b/17-Templates/gitignore/README.md new file mode 100644 index 0000000..0c818c4 --- /dev/null +++ b/17-Templates/gitignore/README.md 
@@ -0,0 +1,96 @@ +--- +description: "Stack başına kopyala-yapıştır .gitignore örnekleri (Terraform, Node, Python, Java) + secret-leak önleme anti-pattern tablosu." +--- +# .gitignore Örnekleri — Stack Başına + +> Kopyala-yapıştır `.gitignore` blokları. Çoğu sızıntı, ignore edilmeyen +> `.env` / state / credential dosyasından gelir — önce bunları kapat. + +## 🔴 Her repoda (ortak) + +```gitignore +# OS +.DS_Store +Thumbs.db + +# Editor +.idea/ +.vscode/ +*.swp + +# Secrets — ASLA commit'leme +.env +.env.* +!.env.example +*.pem +*.key +credentials.json +``` + +## Terraform + +```gitignore +# State + plan (secret + büyük) +*.tfstate +*.tfstate.* +*.tfplan +crash.log + +# Provider/modül indirmeleri +.terraform/ +.terraform.lock.hcl # ekip kararına göre: lock'u commit etmek genelde DOĞRU + +# Değişken dosyaları (gizli değer içerir) +*.tfvars +!example.tfvars +``` + +## Node.js + +```gitignore +node_modules/ +dist/ +build/ +coverage/ +npm-debug.log* +.pnpm-debug.log* +.env*.local +``` + +## Python + +```gitignore +__pycache__/ +*.py[cod] +.venv/ +venv/ +.pytest_cache/ +.mypy_cache/ +*.egg-info/ +.coverage +``` + +## Java / Gradle + +```gitignore +.gradle/ +build/ +*.class +*.jar +!gradle/wrapper/gradle-wrapper.jar +.settings/ +bin/ +``` + +--- + +## 🚫 Anti-Pattern + +| Anti-pattern | Niye kötü | Doğru | +|---|---|---| +| `.env`'i ignore etmeyi unutmak | Credential repo geçmişine girer; rotate etmeden temizlenmez | İlk commit'ten önce `.env` ignore + `.env.example` ekle | +| State dosyasını commit'lemek | `*.tfstate` plaintext secret içerir | Remote backend (S3/GCS) + `*.tfstate` ignore | +| Sızan secret'ı sadece silmek | Git geçmişinde kalır | `git filter-repo` ile geçmişten temizle + secret'ı rotate et | +| `node_modules/` commit'lemek | Repo şişer, platform-spesifik binary'ler | `node_modules/` ignore, `package-lock.json` commit | + +> *"`.gitignore` güvenlik kontrolüdür: en ucuz secret-leak önlemi commit'ten önce gelir."* 
diff --git a/17-Templates/runbooks/postmortem-template.md b/17-Templates/runbooks/postmortem-template.md index f46dc5c..49c4de8 100644 --- a/17-Templates/runbooks/postmortem-template.md +++ b/17-Templates/runbooks/postmortem-template.md @@ -1,3 +1,6 @@ +--- +description: "Blameless postmortem template: TL;DR, etki metrikleri, UTC zaman çizelgesi, kök neden, savunma katmanları, owner'lı aksiyon maddeleri ve öğrenilen dersler." +--- # Postmortem: > **Status:** Draft / Under Review / Final diff --git a/17-Templates/runbooks/runbook-template.md b/17-Templates/runbooks/runbook-template.md index 6f83081..24c8b61 100644 --- a/17-Templates/runbooks/runbook-template.md +++ b/17-Templates/runbooks/runbook-template.md @@ -1,3 +1,6 @@ +--- +description: "Alert runbook template: adım-adım ilk teşhis komutları, olası sebepler ve çözümler, rollback prosedürü, eskalasyon matrisi ve incident kapanış doğrulaması." +--- # Runbook: > **Severity:** P1 / P2 / P3 diff --git a/17-Templates/terraform/README.md b/17-Templates/terraform/README.md new file mode 100644 index 0000000..6738ed4 --- /dev/null +++ b/17-Templates/terraform/README.md 
@@ -0,0 +1,36 @@ +--- +description: "Standart Terraform modül iskeleti: main.tf + variables.tf + outputs.tf; tip-güvenli, validation'lı, versiyon-pinli kopyala-yapıştır şablon." +--- +# Terraform Module Skeleton + +> Standart bir Terraform modülü iskeleti: `main.tf` + `variables.tf` + `outputs.tf`. +> Kopyala, kendi kaynağına göre doldur. + +## Dosyalar + +| Dosya | Amaç | +|---|---| +| [`main.tf`](main.tf) | Kaynak tanımları + `terraform`/`required_providers` bloğu | +| [`variables.tf`](variables.tf) | Tip-güvenli, açıklamalı, validation'lı girdi değişkenleri | +| [`outputs.tf`](outputs.tf) | Modülü tüketen kaynaklar için çıktılar | + +## Kullanım + +```bash +# Modülü kendi root config'inden çağır +module "" { + source = "git::https://github.com//.git//17-Templates/terraform?ref=" + + name = "" + environment = "" + tags = { team = "", owner = "" } +} +``` + +## Neden bu yapı + +- **3 dosya ayrımı** standarttır: kaynaklar, girdiler, çıktılar ayrı okunur. +- **`variables.tf` validation'lı**: yanlış girdi `plan` aşamasında patlar, `apply`'da değil. +- **Versiyon pin'i** (`required_providers`): provider upgrade'i sürpriz drift yaratmasın. + +> *"Modül, kopyalanan değil çağrılan koddur — girdi/çıktı sözleşmesi nettir."* diff --git a/17-Templates/terraform/main.tf b/17-Templates/terraform/main.tf new file mode 100644 index 0000000..d766963 --- /dev/null +++ b/17-Templates/terraform/main.tf 
@@ -0,0 +1,32 @@ +# main.tf — Terraform modül iskeleti +# Kopyala, 'ları kendi kaynağına göre doldur. + +terraform { + required_version = ">= 1.5" + + required_providers { + # Örnek: AWS. Kendi provider'ına göre değiştir. + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} + +# Ortak etiketler — her kaynağa uygulanır (cost allocation + sahiplik için) +locals { + common_tags = merge( + { + "managed-by" = "terraform" + "module" = var.name + "environment" = var.environment + }, + var.tags, + ) +} + +# Örnek kaynak — kendi kaynağınla değiştir. +# resource "aws_" "this" { +# name = var.name +# tags = local.common_tags +# } diff --git a/17-Templates/terraform/outputs.tf b/17-Templates/terraform/outputs.tf new file mode 100644 index 0000000..2443041 --- /dev/null +++ b/17-Templates/terraform/outputs.tf @@ -0,0 +1,18 @@ +# outputs.tf — modülü tüketen kaynaklar için çıktılar +# Çıktıları, modülü çağıranın gerçekten ihtiyaç duyduğu değerlerle sınırla. + +output "name" { + description = "Modülün oluşturduğu kaynağın normalize adı." + value = var.name +} + +output "tags" { + description = "Kaynaklara uygulanan birleşik etiket seti." + value = local.common_tags +} + +# Örnek: oluşturulan kaynağın ID'si +# output "id" { +# description = "Oluşturulan kaynağın ID'si." +# value = aws_.this.id +# } diff --git a/17-Templates/terraform/variables.tf b/17-Templates/terraform/variables.tf new file mode 100644 index 0000000..2faef18 --- /dev/null +++ b/17-Templates/terraform/variables.tf 
@@ -0,0 +1,27 @@ +# variables.tf — tip-güvenli, açıklamalı, validation'lı girdiler + +variable "name" { + description = "Kaynak adı (kebab-case, ortam adı dahil değil)." + type = string + + validation { + condition = can(regex("^[a-z][a-z0-9-]{1,38}[a-z0-9]$", var.name)) + error_message = "name kebab-case olmalı (3-40 karakter, küçük harf/rakam/tire)." + } +} + +variable "environment" { + description = "Dağıtım ortamı." + type = string + + validation { + condition = contains(["dev", "staging", "prod"], var.environment) + error_message = "environment yalnız dev | staging | prod olabilir." + } +} + +variable "tags" { + description = "Modül kaynaklarına eklenecek ek etiketler." + type = map(string) + default = {} +} diff --git a/18-Career/CV-Tips.md b/18-Career/CV-Tips.md index 7f73409..8a741fc 100644 --- a/18-Career/CV-Tips.md +++ b/18-Career/CV-Tips.md @@ -1,3 +1,6 @@ +--- +description: "DevOps/SRE/Platform CV yazım rehberi: görev yerine etki odaklı yazım, STAR formülü, ATS uyumu ve Türk pazarı ile global pazar farkları üzerine pratik notlar." +--- # DevOps / SRE CV Tips — Türk Pazarı + Global > *"CV'ni 'görev listesi' olarak yazan ekipte kalır; **etki listesi** @@ -263,7 +266,7 @@ Building reliable systems @ DevHub.io. ## Recent writing - [DevOps Notebook (TR)](https://github.com/.../DevOps) — production-grade Türkçe -- [Blog: Why we migrated from Helm to Kustomize](...) +- [Blog: Why we migrated from Helm to Kustomize](https:///helm-to-kustomize) ## Reach me - alarm@example.com (general) diff --git a/18-Career/DevOps-Interview-Questions.md b/18-Career/DevOps-Interview-Questions.md index 864ffe2..75b9814 100644 --- a/18-Career/DevOps-Interview-Questions.md +++ b/18-Career/DevOps-Interview-Questions.md 
@@ -1,3 +1,6 @@ +--- +description: "Junior'dan Staff seviyeye 60+ DevOps mülakat sorusu: container, Kubernetes, Git, CI/CD ve daha fazlası için her soruda ne göstermeli ipuçları ve trade-off odağı." +--- # DevOps Interview Questions — 60+ soru ile hazırlık > Mülakatçılar farklı tarzda soruyor: "tanım ezberle" değil **deneyim diff --git a/18-Career/README.md b/18-Career/README.md index 9064a4e..a188ccf 100644 --- a/18-Career/README.md +++ b/18-Career/README.md @@ -1,3 +1,6 @@ +--- +description: "DevOps/SRE kariyer rehberi index: mülakat soruları, SRE prep, system design cheatsheet ve CV ipuçları; Junior'dan Principal'a seviye haritası ve maaş tartışması notları." +--- # 18 · Career > *"DevOps mühendisi ne yapar?" sorusu **mülakatçıya** göre değişir; diff --git a/18-Career/SRE-Interview-Prep.md b/18-Career/SRE-Interview-Prep.md index 2742b17..edbe729 100644 --- a/18-Career/SRE-Interview-Prep.md +++ b/18-Career/SRE-Interview-Prep.md @@ -1,3 +1,6 @@ +--- +description: "SRE mülakat hazırlığı: SLO design round, error budget ve kapasite matematiği, incident simulation ve postmortem; SRE rolünde aranan core skill'ler üzerine pratik notlar." +--- # SRE Interview Prep > SRE rolünün DevOps'tan ayrılan tarafı: **rakam ile düşünme**, *kasten* diff --git a/18-Career/System-Design-Cheatsheet.md b/18-Career/System-Design-Cheatsheet.md index d385d90..f5a0a43 100644 --- a/18-Career/System-Design-Cheatsheet.md +++ b/18-Career/System-Design-Cheatsheet.md @@ -1,3 +1,6 @@ +--- +description: "DevOps/SRE mülakatlarına özgü system design cheatsheet: infra, deploy, observability, disaster recovery ve maliyet sorularını çözmek için sıralı framework." +--- # DevOps/SRE System Design — Cheatsheet > Geleneksel "Design Twitter" sorularından farklı olarak, DevOps/SRE diff --git a/19-Compliance/Audit-Evidence-Automation.md b/19-Compliance/Audit-Evidence-Automation.md index 313cebc..03994be 100644 --- a/19-Compliance/Audit-Evidence-Automation.md +++ b/19-Compliance/Audit-Evidence-Automation.md 
@@ -1,3 +1,6 @@ +--- +description: "Audit evidence'ı otomatik toplama disiplini: continuous evidence collection ile SOC 2, ISO 27001, KVKK ve PCI DSS için ortak kanıt pattern'i ve tooling." +--- # Audit Evidence Automation — "Audit Gününe Hazırlık" Bitsin > *"Audit haftasında 80 saat manual evidence toplayan ekip, diff --git a/19-Compliance/EU-AI-Act.md b/19-Compliance/EU-AI-Act.md index f7a5b2f..56da26e 100644 --- a/19-Compliance/EU-AI-Act.md +++ b/19-Compliance/EU-AI-Act.md @@ -1,3 +1,6 @@ +--- +description: "EU AI Act'in mühendislik açısından pratik rehberi: risk kategorileri, high-risk AI sistem yükümlülükleri ve 2025-2027 kademeli uygulama takvimi özeti." +--- # EU AI Act — Mühendislik Açısından Pratik Rehber > *"AI sistemini production'a almadan önce 'high-risk mi?' diye sormayan diff --git a/19-Compliance/GDPR-Engineering.md b/19-Compliance/GDPR-Engineering.md index 8e7572d..5896926 100644 --- a/19-Compliance/GDPR-Engineering.md +++ b/19-Compliance/GDPR-Engineering.md @@ -1,3 +1,6 @@ +--- +description: "GDPR'ın mühendislik karşılığı: madde eşlemesi, KVKK ile farkları, right-to-erasure, DPA ve Türkiye'den AB pazarına hizmet verirken pratik uyum adımları." +--- # GDPR — Mühendislik Açısından Pratik Rehber > *"GDPR'ı 'AB yasası' diye atlayıp Türkiye'den hizmet veren ekip, diff --git a/19-Compliance/ISO-27001-Controls.md b/19-Compliance/ISO-27001-Controls.md index 9614fa6..9279605 100644 --- a/19-Compliance/ISO-27001-Controls.md +++ b/19-Compliance/ISO-27001-Controls.md @@ -1,3 +1,6 @@ +--- +description: "ISO/IEC 27001:2022 Annex A kontrollerinin mühendislik eşlemesi: hangi kontrol Kyverno policy, GitHub Actions ve tooling ile karşılanır, SOC 2 ile karşılaştırma." +--- # ISO 27001 — Annex A Kontrolleri (Mühendislik Eşlemesi) > *"ISO 27001 'kâğıt sertifikası' iddia eden ekip, Annex A'nın 93 diff --git a/19-Compliance/KVKK-Practical.md b/19-Compliance/KVKK-Practical.md index 770fb0e..062931b 100644 --- a/19-Compliance/KVKK-Practical.md 
+++ b/19-Compliance/KVKK-Practical.md @@ -1,3 +1,6 @@ +--- +description: "6698 sayılı KVKK'nın DevSecOps açısından pratik rehberi: data inventory, DPIA, encryption, retention ve incident notification için somut tool ve pipeline gate'leri." +--- # KVKK Pratik Rehberi — Mühendislik Açısından > *"KVKK 'hukuk metni' olarak kalsın istemiyorsan, **kontrol** olarak diff --git a/19-Compliance/NIS2-Directive.md b/19-Compliance/NIS2-Directive.md index a6b6363..07efeef 100644 --- a/19-Compliance/NIS2-Directive.md +++ b/19-Compliance/NIS2-Directive.md @@ -1,3 +1,6 @@ +--- +description: "EU NIS2 Directive (2022/2555) rehberi: kritik altyapı kapsamı, mühendislik gereksinimleri, yürürlük takvimi, cezalar ve TR şirketlerin AB müşterileriyle etkisi." +--- # NIS2 Directive — EU Kritik Altyapı Güvenliği > *"NIS2 'AB yasası' diye atlanan ekipler, 2024-2025'te **bir diff --git a/19-Compliance/PCI-DSS-4.md b/19-Compliance/PCI-DSS-4.md index 1a1b8c6..53428a1 100644 --- a/19-Compliance/PCI-DSS-4.md +++ b/19-Compliance/PCI-DSS-4.md @@ -1,3 +1,6 @@ +--- +description: "PCI DSS v4.0 rehberi: kart verisi işleyen sistemler için mühendislik gereksinimleri, tokenization stratejisi, scope reduction ve TR e-ticaret bağlamı." +--- # PCI DSS v4.0 — Kart Verisi İşleyenler İçin > *"Kredi kartı verisi tutuyorsan **PCI DSS** zorunluluk. v4.0 diff --git a/19-Compliance/README.md b/19-Compliance/README.md index 1eb4425..2761fec 100644 --- a/19-Compliance/README.md +++ b/19-Compliance/README.md @@ -1,3 +1,6 @@ +--- +description: "DevSecOps'un yasal-uyum boyutu: KVKK, GDPR, ISO 27001, SOC 2, EU AI Act, NIS2 ve PCI DSS'in kod, pipeline ve K8s policy ile continuous compliance'a dönüşümü." +--- # 19 · Compliance & Legal > *"Compliance bir 'sertifika asma duvarı' değildir; **mühendislik diff --git a/19-Compliance/SOC2-Type2-Prep.md b/19-Compliance/SOC2-Type2-Prep.md index 3b37167..d7a3195 100644 --- a/19-Compliance/SOC2-Type2-Prep.md +++ b/19-Compliance/SOC2-Type2-Prep.md 
@@ -1,3 +1,6 @@ +--- +description: "SOC 2 Type II'nin mühendislik hazırlığı: Trust Service Criteria, observation period, audit evidence automation ve continuous compliance disiplini ile audit günü hazırlığı." +--- # SOC 2 Type II — Mühendislik Hazırlığı > *"SOC 2 Type II 'sertifika asma duvarı' değil — **6 ay süreyle diff --git a/20-Soft-Skills/Documentation-as-Communication.md b/20-Soft-Skills/Documentation-as-Communication.md index c130320..f673a55 100644 --- a/20-Soft-Skills/Documentation-as-Communication.md +++ b/20-Soft-Skills/Documentation-as-Communication.md @@ -1,3 +1,6 @@ +--- +description: "RFC, ADR ve Design Doc gibi yazılı iletişim biçimlerinin ne, ne zaman, nasıl yazıldığını ve async toplantısız karar kültürünü anlatan rehber." +--- # Documentation as Communication — RFC, ADR, Design Doc > *"Toplantı yapmak 5 kişinin 1 saatini götürür. **5 sayfalık RFC** diff --git a/20-Soft-Skills/Mentoring-Junior-Engineers.md b/20-Soft-Skills/Mentoring-Junior-Engineers.md index 28b2a24..1fa8bda 100644 --- a/20-Soft-Skills/Mentoring-Junior-Engineers.md +++ b/20-Soft-Skills/Mentoring-Junior-Engineers.md @@ -1,3 +1,6 @@ +--- +description: "DevOps/SRE/Platform alanında junior mühendisi yetiştirmenin somut tekniklerini, on-boarding planını, shadow-solo geçişini ve TR iş kültürünü anlatır." +--- # Mentoring Junior Engineers — Infra/SRE Öğretmek > *"Senior'ın görevi 'kendi başına en hızlı kim?' yarışı değil — diff --git a/20-Soft-Skills/Oncall-Sustainability.md b/20-Soft-Skills/Oncall-Sustainability.md index 7828292..5e688f7 100644 --- a/20-Soft-Skills/Oncall-Sustainability.md +++ b/20-Soft-Skills/Oncall-Sustainability.md @@ -1,3 +1,6 @@ +--- +description: "On-call'ı sağlıklı yönetilebilir bir disiplin olarak ele alır: vardiya tasarımı, post-incident dinlenme, burnout sinyalleri ve önleme taktikleri." +--- # On-Call Sürdürülebilirliği — Burnout Olmadan Yangın Söndürme > *"On-call **işin bir parçası**, ama **işin tamamı** olmamalı. 
diff --git a/20-Soft-Skills/Postmortem-Conversation.md b/20-Soft-Skills/Postmortem-Conversation.md index 712337e..951b1f5 100644 --- a/20-Soft-Skills/Postmortem-Conversation.md +++ b/20-Soft-Skills/Postmortem-Conversation.md @@ -1,3 +1,6 @@ +--- +description: "Blameless kültürünü gerçek konuşmaya yansıtma rehberi: fasilitasyon teknikleri, tipik dil tuzakları ve psikolojik güvenlik yaratmanın somut adımları." +--- # Postmortem Conversation — Blameless'i Konuşmaya Yansıtmak > *"Postmortem dokümanı 'blameless' olabilir; ama ekibin **kullandığı diff --git a/20-Soft-Skills/README.md b/20-Soft-Skills/README.md index ceccaf0..57b8711 100644 --- a/20-Soft-Skills/README.md +++ b/20-Soft-Skills/README.md @@ -1,3 +1,6 @@ +--- +description: "DevOps/SRE/Platform işlerinde insan tarafına dair soft skill rehberlerinin dizini: on-call, stakeholder, security, vendor, hayır demek, postmortem, mentoring." +--- # 20 · Soft Skills — Mühendislikten Daha Önemli (Bazen) > *"En iyi mimari kararı veren mühendis, **yanlış kişiye** anlatınca diff --git a/20-Soft-Skills/Saying-No.md b/20-Soft-Skills/Saying-No.md index 22e8cf7..5c20116 100644 --- a/20-Soft-Skills/Saying-No.md +++ b/20-Soft-Skills/Saying-No.md @@ -1,3 +1,6 @@ +--- +description: "DevOps/SRE'de scope creep, premature commitment ve gerçekçi olmayan deadline'lara karşı 'hayır' demeyi profesyonel iletişim aracına çeviren rehber." +--- # "Hayır" Demek — Soft Skill'in Özü > *"Üstüne aldığın işi yapamadığında verdiğin zarar, **baştan diff --git a/20-Soft-Skills/Stakeholder-Management.md b/20-Soft-Skills/Stakeholder-Management.md index 17c37f1..410f1a0 100644 --- a/20-Soft-Skills/Stakeholder-Management.md +++ b/20-Soft-Skills/Stakeholder-Management.md 
@@ -1,3 +1,6 @@ +--- +description: "Çok-paydaşlı DevOps/SRE işlerinde yönetim, ürün, müşteri, hukuk ve security'ye kime ne dilde ne kadar anlatılacağını gösteren paydaş yönetimi rehberi." +--- # Stakeholder Management — Kime, Ne Dilde, Ne Kadar > *"Aynı outage hikâyesini CTO'ya 30 saniyede, müşteri destek diff --git a/20-Soft-Skills/Vendor-Management.md b/20-Soft-Skills/Vendor-Management.md index 7750290..2405be9 100644 --- a/20-Soft-Skills/Vendor-Management.md +++ b/20-Soft-Skills/Vendor-Management.md @@ -1,3 +1,6 @@ +--- +description: "DevOps için vendor seçimi, kontrat müzakeresi, lock-in ölçümü ve escape stratejisini somut tekniklerle anlatan vendor yönetimi rehberi." +--- # Vendor Management — Lock-In, Müzakere, Escape Stratejisi > *"Vendor 'müşteri başına maliyetler artıyor' dediğinde 6 ay diff --git a/20-Soft-Skills/Working-with-Security-Team.md b/20-Soft-Skills/Working-with-Security-Team.md index cb06da6..30f0262 100644 --- a/20-Soft-Skills/Working-with-Security-Team.md +++ b/20-Soft-Skills/Working-with-Security-Team.md @@ -1,3 +1,6 @@ +--- +description: "DevOps/SRE ile Security ekipleri arasındaki sürtünmenin niye olduğunu, nasıl ortadan kalkacağını ve sağlıklı işbirliğinin somut pratiklerini anlatır." +--- # Security Ekibiyle Çalışmak — Düşman Değil, Partner > *"Security ekibi 'nope' dediğinde DevOps ekibinin ilk içgüdüsü diff --git a/21-Field-Notes/README.md b/21-Field-Notes/README.md index 972b202..3f6f257 100644 --- a/21-Field-Notes/README.md +++ b/21-Field-Notes/README.md @@ -1,3 +1,6 @@ +--- +description: "Production kurulumlardan kalan ham DevOps saha notları: Ansible, Terraform, Kubernetes, kubectl ve sistem rehberlerinin olduğu gibi korunmuş komut dökümleri." +--- # 21 · Saha Notları — Field Notes > *"Cilalı deep-dive değil; production'da yaşanıp not düşülmüş ham gerçeklik."* diff --git a/21-Field-Notes/ansible/ssh-connectivity-test.md b/21-Field-Notes/ansible/ssh-connectivity-test.md index 205c35c..fe495ba 100644 
--- a/21-Field-Notes/ansible/ssh-connectivity-test.md +++ b/21-Field-Notes/ansible/ssh-connectivity-test.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes cluster node'larına (master, worker, storage, infra, load balancer) SSH erişimini ConnectTimeout ile toplu doğrulayan bash test script'i." +--- # SSH Bağlantı Testi > 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. diff --git a/21-Field-Notes/ansible/system-preparation.md b/21-Field-Notes/ansible/system-preparation.md index 6060bd2..0a5a79e 100644 --- a/21-Field-Notes/ansible/system-preparation.md +++ b/21-Field-Notes/ansible/system-preparation.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes öncesi Ansible ile sistem hazırlığı: production inventory dosyası oluşturma, master/worker host tanımları, etcd member ve node label ayarları." +--- # Ansible ile Sistem Hazırlığı > 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. diff --git a/21-Field-Notes/kubectl/cluster-passwords.md b/21-Field-Notes/kubectl/cluster-passwords.md index bac790e..4420975 100644 --- a/21-Field-Notes/kubectl/cluster-passwords.md +++ b/21-Field-Notes/kubectl/cluster-passwords.md @@ -1,3 +1,6 @@ +--- +description: "Kubernetes cluster servis parolalarını secret'lardan toplayan bash script'i: Jenkins, Grafana, Elasticsearch kimlikleri ve servis erişim URL'leri." +--- # Kubernetes Cluster Parolaları (Toplama Script'i) > 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. diff --git a/21-Field-Notes/kubectl/logging-elasticsearch.md b/21-Field-Notes/kubectl/logging-elasticsearch.md index 75bf600..3bf2690 100644 --- a/21-Field-Notes/kubectl/logging-elasticsearch.md +++ b/21-Field-Notes/kubectl/logging-elasticsearch.md 
@@ -1,3 +1,6 @@ +--- +description: "Kubernetes logging namespace'inde ElasticSearch deployment kurulumu: kubectl apply manifesti, nodeSelector, toleration ve elasticsearch 8.5.1 imajı." +--- # kubectl — Logging (ElasticSearch) ## ElasticSearch diff --git a/21-Field-Notes/network/network-segmentation-wazuh-siem.md b/21-Field-Notes/network/network-segmentation-wazuh-siem.md index a186b40..4fe6e33 100644 --- a/21-Field-Notes/network/network-segmentation-wazuh-siem.md +++ b/21-Field-Notes/network/network-segmentation-wazuh-siem.md @@ -1,3 +1,6 @@ +--- +description: "DMZ, application ve management zone'larına ayrılmış ağ segmentasyonu mimarisi ve Wazuh SIEM entegrasyonu rehberi; VLAN/subnet planı ve güvenlik şeması." +--- # 🔒 Ağ Segmentasyonu ve Wazuh SIEM Entegrasyon Rehberi > ℹ️ **Placeholder notu:** Bu rehberdeki tüm IP/subnet değerleri (`192.168.x.x` vb.) diff --git a/21-Field-Notes/system/devops-certification-roadmap.md b/21-Field-Notes/system/devops-certification-roadmap.md index c33bd05..52167e5 100644 --- a/21-Field-Notes/system/devops-certification-roadmap.md +++ b/21-Field-Notes/system/devops-certification-roadmap.md @@ -1,3 +1,6 @@ +--- +description: "2025 DevOps sertifika roadmap'i: entry-level'dan senior'a en değerli 10 sertifika (AWS, Docker DCA, Terraform), süre, maliyet, ROI ve kariyer etkileri." +--- # DevOps Sertifika Roadmap: 2025 Senior Seviye Kariyer Rehberi DevOps mühendisliği 2025'te **%19.7 yıllık büyüme** ile en hızlı gelişen IT alanlarından biri. **1.31 milyon aktif AWS sertifikası** ve **%37 DevOps beceri açığı** ile piyasada güçlü talep var. Bu rehber, entry-level'dan senior seviyeye kadar en değerli 10 sertifika ve stratejik kariyer yolunu sunuyor. diff --git a/21-Field-Notes/system/external-access-solutions.md b/21-Field-Notes/system/external-access-solutions.md index ea4a471..e45341e 100644 --- a/21-Field-Notes/system/external-access-solutions.md +++ b/21-Field-Notes/system/external-access-solutions.md 
@@ -1,3 +1,6 @@ +--- +description: "Kubernetes servislerine dış erişim çözümleri: kubectl port-forward ile 0.0.0.0 bind, NodePort service ve kalıcı external access yöntemleri; bash örnekleri." +--- # Dış Erişim (External Access) Çözümleri > 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. diff --git a/21-Field-Notes/system/github-actions-pipeline-setup.md b/21-Field-Notes/system/github-actions-pipeline-setup.md index b8bb562..e0a9eb5 100644 --- a/21-Field-Notes/system/github-actions-pipeline-setup.md +++ b/21-Field-Notes/system/github-actions-pipeline-setup.md @@ -1,3 +1,6 @@ +--- +description: "GitHub Actions CI/CD pipeline kurulum rehberi: repository yapısı, workflow dosyaları, Kustomize tabanlı k8s base/staging/production ortamları ve Docker akışı." +--- # 🚀 GitHub Actions Pipeline Kurulum Rehberi ## 📁 **ADIM 1: Repository Yapısını Organize Et** diff --git a/21-Field-Notes/system/inventory-management-example.md b/21-Field-Notes/system/inventory-management-example.md index 48a031d..0689388 100644 --- a/21-Field-Notes/system/inventory-management-example.md +++ b/21-Field-Notes/system/inventory-management-example.md @@ -1,3 +1,6 @@ +--- +description: "DevOps envanter yönetimi master şablonu: sunucu/instance envanteri ve kullanıcı erişim envanteri tabloları; hostname, IP, rol, OS ve SSH key kayıtları." +--- # Envanter Yönetimi — Örnek (Master Template) ## 📂 DEVOPS ENVANTER ANALİZİ — MASTER TEMPLATE diff --git a/21-Field-Notes/system/kubernetes-cluster-installation.md b/21-Field-Notes/system/kubernetes-cluster-installation.md index f77b4b6..8ff1614 100644 --- a/21-Field-Notes/system/kubernetes-cluster-installation.md +++ b/21-Field-Notes/system/kubernetes-cluster-installation.md 
@@ -1,3 +1,6 @@ +--- +description: "Proxmox üzerinde Ubuntu ile Kubernetes cluster kurulum rehberi: makine gereksinimleri, IP planı, eski Docker/Kubernetes temizliği ve adım adım kurulum." +--- # Kubernetes Cluster Kurulum Rehberi - Proxmox Ubuntu ## Sistem Gereksinimleri ve Ön Hazırlık diff --git a/21-Field-Notes/system/production-ready-repo-layout.md b/21-Field-Notes/system/production-ready-repo-layout.md index e4f8bc4..0e69050 100644 --- a/21-Field-Notes/system/production-ready-repo-layout.md +++ b/21-Field-Notes/system/production-ready-repo-layout.md @@ -1,3 +1,6 @@ +--- +description: "Laravel API, TypeScript SPA, Flutter mobil ve Kubernetes için enterprise DevOps proje yapısı: Dockerfile, nginx, ortam dosyaları ve dizin şablonu." +--- # 🚀 Enterprise-Grade DevOps Setup - Laravel + TypeScript + Flutter + K8s ## 📁 Complete Project Structure diff --git a/21-Field-Notes/terraform/modules-create-vm.md b/21-Field-Notes/terraform/modules-create-vm.md index 3f955a9..855e045 100644 --- a/21-Field-Notes/terraform/modules-create-vm.md +++ b/21-Field-Notes/terraform/modules-create-vm.md @@ -1,3 +1,6 @@ +--- +description: "Proxmox üzerinde qm clone ile Kubernetes master ve worker VM'lerini elle oluşturan bash script'i: cores, memory, disk, cloud-init IP ve SSH key ayarları." +--- # Terraform — Modüllerle VM Oluşturma > 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. diff --git a/21-Field-Notes/terraform/proxmox-configuration.md b/21-Field-Notes/terraform/proxmox-configuration.md index 74606e7..b878229 100644 --- a/21-Field-Notes/terraform/proxmox-configuration.md +++ b/21-Field-Notes/terraform/proxmox-configuration.md 
@@ -1,3 +1,6 @@ +--- +description: "Proxmox üzerinde uçtan uca VM provisioning için tam Terraform konfigürasyonu: telmate/proxmox provider, providers.tf, değişkenler ve VM kaynak tanımları." +--- # Terraform — Proxmox Tam Konfigürasyon > 🗒️ **Saha notu** — ham komut/konfigürasyon dökümü. Olduğu gibi korunmuştur; kendi ortamına uyarla. diff --git a/RoadMap/Modern-DevOps-2026.md b/RoadMap/Modern-DevOps-2026.md index 450d65a..df81209 100644 --- a/RoadMap/Modern-DevOps-2026.md +++ b/RoadMap/Modern-DevOps-2026.md @@ -1,3 +1,6 @@ +--- +description: "2026'da ekiplerin gerçekten kullandığı DevOps çerçeveleri: CALMS, DORA, platform engineering, GitOps, SRE, DevSecOps, FinOps ve operasyonel pratikler." +--- # Modern DevOps 2026 — Metodolojiler, Stratejiler & Kültür > 2026 itibarıyla *yapan ekiplerin* gerçekten kullandığı çerçeveler, diff --git a/RoadMap/Planning.md b/RoadMap/Planning.md index 4cc9957..ea8c589 100644 --- a/RoadMap/Planning.md +++ b/RoadMap/Planning.md @@ -1,3 +1,6 @@ +--- +description: "Sıfırdan production'a DevOps GitOps yol haritası: planlama, envanter, Git stratejisi, güvenlik temelleri ve fazlara bölünmüş kapsamlı uygulama adımları." +--- # 🗺️ **DevOps GitOps Kapsamlı Uygulama Yol Haritası** (Sıfırdan Production'a) --- diff --git a/RoadMap/README.md b/RoadMap/README.md index a95586f..5c3e203 100644 --- a/RoadMap/README.md +++ b/RoadMap/README.md @@ -1,3 +1,6 @@ +--- +description: "DevOps öğrenme yol haritası index'i: yeni başlayan, junior/mid ve senior/staff için dört ayrı patika önerir; seviyene göre nereden başlayacağını gösterir." +--- # 🗺️ Yol Haritası — Hangi Seviyedeysen Oradan Başla > *"Yol haritası, herkese aynı yolu önermek değil — sana göre hangi yola diff --git a/RoadMap/RoadMap.md b/RoadMap/RoadMap.md index b704d78..c15fcad 100644 --- a/RoadMap/RoadMap.md +++ b/RoadMap/RoadMap.md 
@@ -1,3 +1,6 @@ +--- +description: "A'dan Z'ye DevOps GitOps yol haritası: her adımda ne yapılacak, hangi araçla ve neden sorularını planlama, IaC ve containerization başlıklarıyla yanıtlar." +--- ## 🗺️ **DevOps GitOps Uygulama Yol Haritası** (A'dan Z'ye) --- diff --git a/RoadMap/advanced-roadmap.md b/RoadMap/advanced-roadmap.md index ba84f61..3ec8ec6 100644 --- a/RoadMap/advanced-roadmap.md +++ b/RoadMap/advanced-roadmap.md @@ -1,3 +1,6 @@ +--- +description: "Sıfır altyapıdan 28 günde production-grade kurulum rehberi: AWS, Terraform, EKS, ArgoCD, observability, güvenlik ve backup/DR'ı faz faz anlatan ana sayfa." +--- # 🏗️ **DevOps Altyapısı Sıfırdan Implementation Guide** *Hiçbir şeyin kurulu olmadığını varsayarak adım adım DevOps altyapısı kuracağız.* diff --git a/RoadMap/advanced/00-prerequisites.md b/RoadMap/advanced/00-prerequisites.md index a4bfad4..6887ba0 100644 --- a/RoadMap/advanced/00-prerequisites.md +++ b/RoadMap/advanced/00-prerequisites.md @@ -1,3 +1,6 @@ +--- +description: "DevOps kurulumu öncesi ön koşullar: geliştirici makine kurulumu, WSL2, temel araçlar, Docker ve diğer development tool'larının komut satırıyla hazırlanması." +--- # 📋 **ÖN KOŞULLAR VE HAZIRLIK** ### 🖥️ **1. Geliştirici Makine Kurulumu** diff --git a/RoadMap/advanced/01-aws-account-setup.md b/RoadMap/advanced/01-aws-account-setup.md index 9586ad8..af22ab9 100644 --- a/RoadMap/advanced/01-aws-account-setup.md +++ b/RoadMap/advanced/01-aws-account-setup.md @@ -1,3 +1,6 @@ +--- +description: "Faz 1 (Gün 1-2): AWS hesap açma, AWS CLI konfigürasyonu, kimlik doğrulama, Organization kurulumu ve Organizational Unit oluşturma adımları." +--- # 🏢 **PHASE 1: AWS HESAP VE İLK KURULUMLAR** (Gün 1-2) ### ☁️ **2.1 AWS Hesap Kurulumu ve Organization Setup** diff --git a/RoadMap/advanced/02-terraform-iac.md b/RoadMap/advanced/02-terraform-iac.md index a9c0837..16e2bed 100644 --- a/RoadMap/advanced/02-terraform-iac.md +++ b/RoadMap/advanced/02-terraform-iac.md 
@@ -1,3 +1,6 @@ +--- +description: "Faz 2 (Gün 3-5): Terraform ile Infrastructure as Code; S3 ve DynamoDB ile remote state backend kurulumu, versioning ve state locking yapılandırması." +--- # 🛠️ **PHASE 2: TERRAFORM VE INFRASTRUCTURE AS CODE** (Gün 3-5) ### 🏗️ **3.1 Terraform Backend Setup** diff --git a/RoadMap/advanced/03-containerization.md b/RoadMap/advanced/03-containerization.md index 04fcb38..8e89c00 100644 --- a/RoadMap/advanced/03-containerization.md +++ b/RoadMap/advanced/03-containerization.md @@ -1,3 +1,6 @@ +--- +description: "Faz 3 (Gün 6-7): Containerization ve registry; GitHub Container Registry kurulumu, login, image push ve Docker multi-stage build şablonlarının hazırlanması." +--- # 🐳 **PHASE 3: CONTAINERIZATION VE REGISTRY** (Gün 6-7) ### 📦 **4.1 GitHub Container Registry Setup** diff --git a/RoadMap/advanced/04-cicd-pipeline.md b/RoadMap/advanced/04-cicd-pipeline.md index d715cbd..ff38571 100644 --- a/RoadMap/advanced/04-cicd-pipeline.md +++ b/RoadMap/advanced/04-cicd-pipeline.md @@ -1,3 +1,6 @@ +--- +description: "Faz 4 (Gün 8-10): CI/CD pipeline kurulumu; Kubernetes üzerinde Jenkins kurulumu, namespace, ServiceAccount ve RBAC ile pipeline altyapısının oluşturulması." +--- # 🔄 **PHASE 4: CI/CD PIPELINE KURULUMU** (Gün 8-10) ### 🛠️ **5.1 Jenkins on Kubernetes Setup** diff --git a/RoadMap/advanced/05-kubernetes-advanced.md b/RoadMap/advanced/05-kubernetes-advanced.md index a7eb97e..dcfd23f 100644 --- a/RoadMap/advanced/05-kubernetes-advanced.md +++ b/RoadMap/advanced/05-kubernetes-advanced.md @@ -1,3 +1,6 @@ +--- +description: "Faz 5 (Gün 11-13): Kubernetes ileri seviye kurulum; dev/staging/prod namespace'leri, RBAC ve Istio injection ile çok-ortamlı cluster yapılandırması." +--- # ☸️ **PHASE 5: KUBERNETES ADVANCED SETUP** (Gün 11-13) ### 🏷️ **6.1 Namespace ve RBAC Setup** diff --git a/RoadMap/advanced/06-observability.md b/RoadMap/advanced/06-observability.md index fd55085..5664896 100644 --- a/RoadMap/advanced/06-observability.md 
+++ b/RoadMap/advanced/06-observability.md @@ -1,3 +1,6 @@ +--- +description: "Faz 6 (Gün 14-16): Observability stack; kube-prometheus-stack ile Prometheus ve Grafana kurulumu, gp3 storage, retention ve kaynak ayarlarının yapılandırması." +--- # 📊 **PHASE 6: OBSERVABILITY STACK** (Gün 14-16) ### 📈 **7.1 Prometheus & Grafana Setup** diff --git a/RoadMap/advanced/07-secrets-security.md b/RoadMap/advanced/07-secrets-security.md index fdf0e3b..6603766 100644 --- a/RoadMap/advanced/07-secrets-security.md +++ b/RoadMap/advanced/07-secrets-security.md @@ -1,3 +1,6 @@ +--- +description: "Faz 7 (Gün 17-18): Secrets management ve güvenlik; HashiCorp Vault'un Helm ile kurulumu, TLS, injector yapılandırması ve kaynak limitlerinin ayarlanması." +--- # 🔒 **PHASE 7: SECRETS MANAGEMENT & SECURITY** (Gün 17-18) ### 🔐 **8.1 HashiCorp Vault Setup** diff --git a/RoadMap/advanced/08-backup-dr.md b/RoadMap/advanced/08-backup-dr.md index ac90c1f..1fa68a7 100644 --- a/RoadMap/advanced/08-backup-dr.md +++ b/RoadMap/advanced/08-backup-dr.md @@ -1,3 +1,6 @@ +--- +description: "Faz 8 (Gün 19-20): Backup ve felaket kurtarma; Velero ile Kubernetes yedekleme, S3 bucket oluşturma ve IAM rolüne dayalı bucket policy yapılandırması." +--- # 🗄️ **PHASE 8: BACKUP & DISASTER RECOVERY** (Gün 19-20) ### 💾 **9.1 Velero Backup Setup** diff --git a/RoadMap/advanced/09-gitops-automation.md b/RoadMap/advanced/09-gitops-automation.md index 6dfc13e..e09099f 100644 --- a/RoadMap/advanced/09-gitops-automation.md +++ b/RoadMap/advanced/09-gitops-automation.md @@ -1,3 +1,6 @@ +--- +description: "Faz 9 (Gün 21-22): GitOps ve deployment otomasyonu; ArgoCD kurulumu, CLI yükleme, initial admin parolası alma ve ArgoCD ingress yapılandırması." +--- # 🎯 **PHASE 9: GITOPS & DEPLOYMENT AUTOMATION** (Gün 21-22) ### 🔄 **10.1 ArgoCD Setup** diff --git a/RoadMap/advanced/10-cost-performance.md b/RoadMap/advanced/10-cost-performance.md index df0bf51..a1a592c 100644 --- a/RoadMap/advanced/10-cost-performance.md 
+++ b/RoadMap/advanced/10-cost-performance.md @@ -1,3 +1,6 @@ +--- +description: "Faz 10 (Gün 23-24): Maliyet optimizasyonu ve performans; AWS Cost and Usage Report kurulumu, S3 bucket ve maliyet raporları için bucket policy ayarları." +--- # 📈 **PHASE 10: COST OPTIMIZATION & PERFORMANCE** (Gün 23-24) ### 💰 **11.1 Cost Monitoring Setup** diff --git a/RoadMap/advanced/11-documentation-processes.md b/RoadMap/advanced/11-documentation-processes.md index 53e0586..b921a74 100644 --- a/RoadMap/advanced/11-documentation-processes.md +++ b/RoadMap/advanced/11-documentation-processes.md @@ -1,3 +1,6 @@ +--- +description: "Faz 11 (Gün 25-26): Dokümantasyon ve ekip süreçleri; mimari dokümantasyon, mermaid diyagramları ve GitHub'dan EKS'e uzanan CI/CD akışının kayda geçirilmesi." +--- # 📚 **PHASE 11: DOCUMENTATION & TEAM PROCESSES** (Gün 25-26) ### 📖 **12.1 Comprehensive Documentation** diff --git a/RoadMap/advanced/12-final-validation.md b/RoadMap/advanced/12-final-validation.md index 2321377..94c1372 100644 --- a/RoadMap/advanced/12-final-validation.md +++ b/RoadMap/advanced/12-final-validation.md @@ -1,3 +1,6 @@ +--- +description: "Faz 12 (Gün 27-28): Final kurulum ve doğrulama; tüm sistemin uçtan uca test scriptiyle validasyonu, başarı sayacı ve test kontrollerinin çalıştırılması." +--- # 🎉 **FINAL SETUP AND VALIDATION** (Gün 27-28) ### ✅ **13.1 End-to-End Testing** diff --git a/RoadMap/advanced/13-quickstart-30min.md b/RoadMap/advanced/13-quickstart-30min.md index 2d09a2d..50c07bf 100644 --- a/RoadMap/advanced/13-quickstart-30min.md +++ b/RoadMap/advanced/13-quickstart-30min.md @@ -1,3 +1,6 @@ +--- +description: "28 günlük planı okumadan çalışan bir iskeleti 30 dakikada ayağa kaldırma rehberi: ön koşul checklist, ilk kurulum ve hızlı altyapı deployment adımları." +--- # ⚡ 30 Dakikalık Hızlı Kurulum > Tüm 28 günlük planı okumadan, çalışan bir iskeleti hızlıca ayağa kaldırmak için. 
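Review bot: a few of the new `description` values run to roughly 155-160 characters (advanced-roadmap.md and 06-observability.md are the longest here); search snippets are cut at about that length, so keep the distinguishing phrase at the front and trim the trailing clause rather than the prefix. The uniform `Faz N (Gün a-b):` prefix across the RoadMap/advanced pages is the right call for a sequential guide. Since every value is a double-quoted YAML scalar, a description that later gains a literal `"` will silently break the frontmatter; worth a lint step that parses each file's frontmatter before `mkdocs build`.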
@@ -70,8 +73,8 @@ echo "Applications ready! 🎉" ## Need Help? -- 📖 **Full Documentation**: [README.md](README.md) -- 🔧 **Troubleshooting**: [docs/troubleshooting.md](docs/troubleshooting.md) +- 📖 **Tam rehber**: [advanced-roadmap.md](../advanced-roadmap.md) (28 günlük detaylı plan) +- 🔧 **Troubleshooting**: kurulum tamamlanınca kendi platformunda `docs/troubleshooting.md` oluştur - 💬 **Support**: Contact DevOps team **Happy deploying!** 🚀🚀🚀

From 0824b6048f5cee8c54df639214f5f57272934559 Mon Sep 17 00:00:00 2001
From: halilibrahimd27
Date: Sun, 28 Jun 2026 01:33:06 +0300
Subject: [PATCH 09/10] docs: Phase 7 — closing: CHANGELOG + CHANGES-SUMMARY + build verification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- CHANGELOG.md [Unreleased]: repo-polish summary (Keep a Changelog format)
- CHANGES-SUMMARY.md: full-transparency document — move map, additions, explicitly reported README marketing-block deletions, verification table, justified out-of-scope decisions
- AUDIT.md + CHANGES-SUMMARY.md in exclude_docs (not published to the site)

Verification (local, bash 5 + mkdocs venv):
- mkdocs build --strict: EXIT 0, 0 WARNING/ERROR
- broken-link scan: 0 | frontmatter integrity: 0 missing/broken
- leak guard: clean (no AWS keys; doc-range/Google-DNS IPs are legitimate)

Co-Authored-By: Claude Opus 4.8 (1M context)
---
CHANGELOG.md | 30 ++++++++++- CHANGES-SUMMARY.md | 122 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 150 insertions(+), 2 deletions(-) create mode 100644 CHANGES-SUMMARY.md
diff --git a/CHANGELOG.md b/CHANGELOG.md index 6bcf8f7..e3c7348 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md
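Review bot: the `- 💬 **Support**: Contact DevOps team` line in the 13-quickstart-30min.md "Need Help?" hunk (end of PATCH 08) is the same kind of template leftover as the two links replaced just above it; for a public notebook point it at the repository's issue tracker or drop the line. The new `[advanced-roadmap.md](../advanced-roadmap.md)` target resolves correctly from RoadMap/advanced/, and telling the reader to create their own `docs/troubleshooting.md` is a fair way to remove the dead link without inventing a page.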
@@ -9,8 +9,34 @@ sürümleme [Semantic Versioning](https://semver.org/spec/v2.0.0.html) kuralına ## [Unreleased] -### Eklendi -- (Sıradaki içerik buraya) +### Repo Cilası (chore/repo-polish) — 2026-06 + +Tam denetim + kalite pası (repo kökünde `AUDIT.md`). İçerik silinmedi; tüm +değişiklikler repo kökündeki `CHANGES-SUMMARY.md`'de. + +#### Eklendi +- **21-Field-Notes/** bölümü: dağınık saha-notu klasörleri (System/Network/Ansible/ + Terraform/kubectl) tek bölümde toplandı; her dosya kebab-case + geçerli markdown +- **RoadMap/advanced/**: 8568 satırlık tek dosya 14 faz sayfası + index'e bölündü +- **SEO frontmatter**: 190 içerik dosyasına `description` meta açıklaması +- **17-Templates/terraform/** + **17-Templates/gitignore/**: README'nin vaat ettiği + ama eksik olan template'ler eklendi +- 7 dosyaya anti-pattern tablosu, 12 dosyaya production checklist (CLAUDE.md anatomi) + +#### Değiştirildi +- **README** profesyonel/reklamsız tona çekildi: badge yağmuru → 3 anlamlı badge, + pazarlama klişeleri + yıldız-dilenme + rakip-tablosu kaldırıldı, yazar atfı eklendi +- Sayılar gerçeğe eşlendi: deep-dive **125** (125+ değil), template **19** (25+ değil), + satır **~66K**; `mkdocs.yml` site_description da güncellendi + +#### Düzeltildi +- Placeholder hijyeni: hardcoded zayıf parolalar (`cipassword "ubuntu"` vb.) → + ``; GitHub Action full-semver pin → `@` +- Kırık iç linkler (Faz 2 bölme artefaktları + pre-existing) düzeltildi +- Yazım hataları: "Preperation" → preparation, "Manuel" → modules +- Bayat `exclude_docs` kayıtları (LAUNCH-PLAN.md) temizlendi + +Doğrulama: `mkdocs build --strict` 0 uyarı/hata; kırık-link tarama 0; leak-guard temiz. --- diff --git a/CHANGES-SUMMARY.md b/CHANGES-SUMMARY.md new file mode 100644 index 0000000..91acfda --- /dev/null +++ b/CHANGES-SUMMARY.md 
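Review bot: the `[Unreleased]` section in the CHANGELOG.md hunk now carries a dated branch heading (`### Repo Cilası (chore/repo-polish) — 2026-06`) with the Eklendi/Değiştirildi/Düzeltildi groups pushed one level down to `####`; Keep a Changelog, which this file follows, puts the date on the version heading and the Added/Changed/Fixed groups directly under `## [Unreleased]`, so this heading will have to be unwound at release time. Simpler to keep the groups at `###` and mention the branch in the one-line intro. Separately, the two code spans in the `Placeholder hijyeni` bullet (after `→` and after `@`) render empty here; verify the placeholder tokens survive in the built site, since an empty span tells the reader nothing about what replaced the weak password or the version pin.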
@@ -0,0 +1,122 @@ +# CHANGES-SUMMARY — Repo Cilası (chore/repo-polish) + +> Bu belge, `chore/repo-polish` branch'indeki **tüm** değişiklikleri şeffaf +> biçimde listeler. Denetim raporu: [`AUDIT.md`](AUDIT.md). +> +> **İlke:** Hiçbir teknik içerik kaybedilmedi. Taşımalar `git mv` ile yapıldı +> (geçmiş korundu); bölme işlemleri byte-eksiksiz doğrulandı (assertion). Aşağıda +> "açıkça raporlanan silmeler" başlığı altında **yalnızca README pazarlama bloğu** +> kaldırıldı. + +**Kapsam:** 8 commit · 200 dosya · +10.316 / −8.784 satır (çoğu taşıma/yeniden-yapı, içerik kaybı değil). + +--- + +## 1. Taşınan / Yeniden Adlandırılan Dosyalar (içerik korundu) + +Dağınık saha-notu klasörleri tek bir **`21-Field-Notes/`** bölümünde toplandı; tümü +kebab-case + `.md` uzantısı + geçerli markdown (uzantısız ham script'ler `bash`/`hcl` +code-fence içine alındı, H1 eklendi): + +| Eski yol | Yeni yol | +|---|---| +| `Ansible/Ansible System Preperation` | `21-Field-Notes/ansible/system-preparation.md` | +| `Ansible/SSH CONNECTIVITY TEST` | `21-Field-Notes/ansible/ssh-connectivity-test.md` | +| `Network/Network Segmentation and Wazuh SIEM Integration Guide.md` | `21-Field-Notes/network/network-segmentation-wazuh-siem.md` | +| `System/Certified.md` | `21-Field-Notes/system/devops-certification-roadmap.md` | +| `System/EXTERNAL ACCESS PROBLEM` | `21-Field-Notes/system/external-access-solutions.md` | +| `System/Full Production-Ready Repo Layout.md` | `21-Field-Notes/system/production-ready-repo-layout.md` | +| `System/GitHub Actions Pipeline Setup Guide.md` | `21-Field-Notes/system/github-actions-pipeline-setup.md` | +| `System/Inventory Management Example.md` | `21-Field-Notes/system/inventory-management-example.md` | +| `System/Kubernetes Cluster Installation Guide.md` | `21-Field-Notes/system/kubernetes-cluster-installation.md` | +| `Terraform/COMPLETE TERRAFORM CONFIGURATION FOR PROXMOX` | `21-Field-Notes/terraform/proxmox-configuration.md` | +| `Terraform/Manuel Terraform Modules 
Create VM` | `21-Field-Notes/terraform/modules-create-vm.md` | +| `Kubectl/Logging/Apply.md` | `21-Field-Notes/kubectl/logging-elasticsearch.md` | +| `Kubectl/Password/Pass.md` | `21-Field-Notes/kubectl/cluster-passwords.md` | + +**RoadMap** sitenin hero öğrenme-yolu olduğu için top-level bırakıldı: +- `RoadMap/Advanced RoadMap.md` → `RoadMap/advanced-roadmap.md` (index) + **`RoadMap/advanced/00…13-*.md`** (14 faz sayfası). 8568 satır byte-eksiksiz dağıtıldı. + +--- + +## 2. Eklenen İçerik + +- **SEO frontmatter** (`description`): 190 içerik dosyası. +- **Anti-pattern tabloları**: 7 dosya (Mobile-CICD-Flutter, Production-Checklist, + OpenTelemetry-Adoption, Prometheus-Grafana-K8s-Setup, SLI-SLO-Error-Budget, + Cloud-Cost-Allocation, SRE-Interview-Prep). +- **Production checklist'leri**: 12 dosya (00-Culture'da 4, Terraform-Best-Practices, + DevSecOps-Pipeline, OpenTelemetry-Adoption, SLI-SLO, Cloud-Cost-Allocation, 18-Career'da 3). +- **Yeni template'ler** (README'nin vaat ettiği ama eksik olanlar): + `17-Templates/terraform/` (README + main.tf + variables.tf + outputs.tf), + `17-Templates/gitignore/` (stack başına .gitignore + anti-pattern). +- **Index**: `21-Field-Notes/README.md`. +- **Meta**: `AUDIT.md`, bu `CHANGES-SUMMARY.md`. + +--- + +## 3. Değiştirilen İçerik + +- **README.md** — profesyonel/reklamsız tona çekildi (detay §5). +- **mkdocs.yml** — `site_description` sayıları gerçeğe eşlendi; `exclude_docs` bayat + kayıtları temizlendi (LAUNCH-PLAN.md, taşınan Ansible girdisi, gitignore'lı MARKETING). +- **scripts/build-docs.sh** — 21-Field-Notes + RoadMap/advanced nav'a eklendi; + kaldırılan eski klasörlerin kopyalama/başlık blokları temizlendi. +- **Placeholder hijyeni**: `cipassword "ubuntu"` → `` (18 yer), zayıf + parola örnekleri → `<...>` (7 yer), `osv-scanner-action@v1.7.0` → `@`. +- **CHANGELOG.md** — [Unreleased] bölümü dolduruldu. + +--- + +## 4. 
🔴 Açıkça Raporlanan Silmeler + +İçerik silme ilkesi gereği — **yalnız README pazarlama bloğu** kaldırıldı (teknik +içerik DEĞİL): + +| Kaldırılan | Neden | +|---|---| +| "Türkiye'nin en kapsamlı …" başlığı | Doğrulanamaz pazarlama iddiası (CLAUDE.md ihlali) | +| "🆚 Diğer Türkçe DevOps Kaynakları ile" rakip-karşılaştırma tablosu | Satışçı ton | +| "⭐ Yıldız bırakırsan…" + "🌟 Repo'yu desteklemek istiyorsan" tablosu | Yıldız-dilenme | +| Star-history grafiği + Awesome rozeti + ~5 fazla shields badge | Badge yağmuru | +| `
` SEO keyword-stuffing bloğu (~90 terim) | README'nin kendi "buzzword listesi değil" felsefesiyle çelişiyordu | +| Bayat `exclude_docs: LAUNCH-PLAN.md` | Dosya zaten yoktu | + +> Bu kaldırmalar **CLAUDE.md "Yapılması Yasak / Pazarlama Tonu"** kuralının uygulanmasıdır. +> Hiçbir teknik bilgi, kod veya rehber içeriği silinmedi. + +--- + +## 5. README Yeniden Yazımı + +- Badge: 8+ → 3 anlamlı (site, license, last-commit; geçersiz `deeppurple` rengi düzeltildi). +- Sayılar gerçeğe eşlendi: **125** deep-dive (125+ değil), **19** template (25+ değil), **~66K** satır. +- "production-tested" → "production senaryolarına göre yazılmış, 21-Field-Notes ile desteklenen" (dürüst çerçeve). +- **Yazar atfı eklendi** (Halil İbrahim Dürmüş). +- Korundu: görev-bazlı Hızlı Başlangıç tablosu, İçindekiler, mimari diyagram, repo felsefesi, yan-repolar. +- 3-mercek **adversarial review** (anayasa/doğruluk/kıdemli) ile denetlendi; bulgular uygulandı. + +--- + +## 6. Doğrulama + +| Kontrol | Sonuç | +|---|---| +| `bash scripts/build-docs.sh` (bash 5) | ✅ 193 dosya stage | +| `mkdocs build --strict` | ✅ EXIT 0 — 0 WARNING / 0 ERROR | +| Kırık iç-link taraması | ✅ 0 (docs/index staged false-pozitifleri hariç) | +| CI-parity leak guard (AWS key / public IPv4) | ✅ temiz (203.0.113.x = RFC 5737 doc-range, 8.8.4.4 = Google DNS) | +| Frontmatter bütünlüğü | ✅ 0 eksik / 0 bozuk | +| İçerik-koruma (RoadMap bölme) | ✅ assertion: 8568 satır byte-eksiksiz | + +--- + +## 7. Bilinçli Kapsam-Dışı Bırakılanlar (gerekçeli) + +- **Kütle kod-bloğu dil etiketi** (511 fence): markdownlint CI'da zorunlu değil + (`MD040: false`, markdownlint zaten CI'dan çıkarılmış); çoğu ASCII diyagram/tree/çıktı. +- **Kütle mermaid + çapraz-link**: churn riski; mevcut ASCII diyagramlar + bölüm + index'leri navigasyonu sağlıyor. +- **Network guide'da 85 RFC-1918 IP**: segmentasyon dersini bozmamak için mangle + edilmedi; yerine "RFC 1918 örnek" disclaimer notu eklendi. 
+- **`tags` frontmatter**: tags plugin etkin değil → inert olurdu. From 61ade3c383ef2fac8874cd7c0eb4fdb553e5a12c Mon Sep 17 00:00:00 2001 
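Review bot: section 7 of the CHANGES-SUMMARY.md hunk lists `tags` frontmatter as deliberately out of scope because the plugin is not enabled, but PATCH 10/10 enables the Material tags plugin and adds tags to 192 files, so that bullet should be removed (and section 2 extended) in the same commit or the summary is stale on arrival. Two smaller points on the same hunk: the validation table in section 6 cites local-only checks for broken links and frontmatter integrity while the leak guard is described as CI-parity; commit the other two as scripts and run them in CI as well so the zeros are reproducible. And the `8568 satır byte-eksiksiz` assertion needs a sentence on what was compared, because each split page gained a frontmatter block and raw line counts no longer add up to the original. On the placeholder swap for `cipassword "ubuntu"`, consider also pointing the Proxmox field note at a `sensitive` Terraform variable, so the placeholder is not simply filled in as another literal in a committed file.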
From: halilibrahimd27
Date: Sun, 28 Jun 2026 10:12:50 +0300
Subject: [PATCH 10/10] feat(site): topic tags (Material tags) + tag index page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Discoverability add-on:
- mkdocs.yml: Material `tags` plugin enabled (marker-based instead of the deprecated tags_file; compatible with 9.7.6)
- docs/tags.md: tag index page ( marker) + added to nav
- scripts/build-docs.sh: tags.md staging + nav entry
- Controlled-vocabulary `tags` frontmatter on 192 files (folder-based ultracode workflow): 47 unique tags (Kubernetes 66, Security 53, SRE 46, CI/CD 35…), not fragmented — every file carries its folder's primary tag + related topics

Verification: all frontmatter YAML valid (0 broken); mkdocs build --strict EXIT 0, 0 warnings; tags page populated (189KB).

Co-Authored-By: Claude Opus 4.8 (1M context)
---
00-Culture/Blameless-Postmortem-Template.md | 5 +++++ 00-Culture/DORA-SPACE-Metrics.md | 5 +++++ 00-Culture/Documentation-Culture.md | 4 ++++ 00-Culture/On-Call-Playbook.md | 5 +++++ 00-Culture/README.md | 4 ++++ 00-Culture/Team-Topologies.md | 4 ++++ 01-Git-Workflow/Code-Review-Checklist.md | 5 +++++ 01-Git-Workflow/Conventional-Commits.md | 5 +++++ 01-Git-Workflow/PR-Templates-and-Automation.md | 5 +++++ 01-Git-Workflow/README.md | 5 +++++ 01-Git-Workflow/Stacked-Diffs.md | 5 +++++ 01-Git-Workflow/Trunk-Based-Development.md | 5 +++++ 02-CI-CD/Caching-Strategies.md | 5 +++++ 02-CI-CD/GitHub-Actions-Recipes.md | 6 ++++++ 02-CI-CD/GitLab-CI-Recipes.md | 5 +++++ 02-CI-CD/Mobile-CICD-Flutter.md | 5 +++++ 02-CI-CD/Pipeline-Patterns.md | 5 +++++ 02-CI-CD/Pipeline-Performance.md | 4 ++++ 02-CI-CD/README.md | 4 ++++ 02-CI-CD/Reusable-Workflows.md | 5 +++++ 03-IaC/Crossplane-Intro.md | 5 +++++ 03-IaC/Drift-Detection.md | 5 +++++ 03-IaC/OpenTofu-Migration.md | 4 ++++ 03-IaC/Pulumi-vs-Terraform.md | 4 ++++ 03-IaC/README.md | 4 ++++
03-IaC/Terraform-Best-Practices.md | 5 +++++ 03-IaC/Terraform-Module-Layout.md | 5 +++++ 04-Containers/BuildKit-Tips.md | 5 +++++ 04-Containers/Container-vs-WASM.md | 5 +++++ 04-Containers/Distroless-and-Chainguard.md | 5 +++++ 04-Containers/Dockerfile-Best-Practices.md | 6 ++++++ 04-Containers/Image-Signing-Cosign.md | 6 ++++++ 04-Containers/Multi-Stage-Builds.md | 5 +++++ 04-Containers/README.md | 5 +++++ 05-Kubernetes/Debugging-Pods.md | 6 ++++++ 05-Kubernetes/HPA-VPA-KEDA.md | 6 ++++++ 05-Kubernetes/Multi-Tenancy-Patterns.md | 6 ++++++ 05-Kubernetes/Production-Checklist.md | 7 +++++++ 05-Kubernetes/README.md | 5 +++++ 05-Kubernetes/Resource-Limits-Guide.md | 6 ++++++ 05-Kubernetes/Upgrade-Strategy.md | 5 +++++ 06-GitOps/App-of-Apps-Pattern.md | 5 +++++ 06-GitOps/ApplicationSet-Patterns.md | 5 +++++ 06-GitOps/ArgoCD-Setup.md | 6 ++++++ 06-GitOps/Flux-vs-ArgoCD.md | 5 +++++ 06-GitOps/Helm-vs-Kustomize-vs-Raw.md | 6 ++++++ 06-GitOps/README.md | 5 +++++ 06-GitOps/Secrets-in-GitOps.md | 5 +++++ 07-Observability/Alerting-Done-Right.md | 5 +++++ 07-Observability/Logs-Loki-vs-ELK.md | 5 +++++ 07-Observability/OpenTelemetry-Adoption.md | 5 +++++ 07-Observability/Profiling-with-Pyroscope.md | 5 +++++ 07-Observability/Prometheus-Best-Practices.md | 5 +++++ 07-Observability/Prometheus-Grafana-K8s-Setup.md | 6 ++++++ 07-Observability/README.md | 5 +++++ 07-Observability/SLO-Engineering.md | 5 +++++ 07-Observability/Tracing-with-Tempo.md | 5 +++++ 08-Security/Container-Image-Scanning.md | 5 +++++ 08-Security/DevSecOps-Pipeline.md | 5 +++++ 08-Security/Kubernetes-Hardening.md | 5 +++++ 08-Security/Policy-as-Code-OPA-Kyverno.md | 5 +++++ 08-Security/README.md | 5 +++++ 08-Security/Runtime-Security.md | 5 +++++ 08-Security/SLSA-and-SBOM.md | 5 +++++ 08-Security/Secrets-Management.md | 5 +++++ 08-Security/Threat-Modeling.md | 4 ++++ 08-Security/Zero-Trust-Networking.md | 5 +++++ 09-Networking/Cilium-eBPF-Intro.md | 6 ++++++ 09-Networking/DNS-Strategies.md | 5 +++++ 
09-Networking/Gateway-API-Migration.md | 5 +++++ 09-Networking/Ingress-NGINX-Patterns.md | 4 ++++ 09-Networking/Ingress-and-Gateway-API.md | 4 ++++ 09-Networking/Network-Troubleshooting.md | 5 +++++ 09-Networking/README.md | 5 +++++ 09-Networking/Service-Mesh-Comparison.md | 6 ++++++ 10-Databases-Production/Backup-Restore-Patterns.md | 5 +++++ 10-Databases-Production/Connection-Pooling.md | 5 +++++ 10-Databases-Production/HA-Patroni-Stolon.md | 5 +++++ 10-Databases-Production/Monitoring-Postgres.md | 6 ++++++ 10-Databases-Production/Operator-Patterns.md | 5 +++++ 10-Databases-Production/Postgres-Production-Guide.md | 5 +++++ 10-Databases-Production/README.md | 5 +++++ 10-Databases-Production/StatefulSet-vs-Operator.md | 5 +++++ 10-Databases-Production/Zero-Downtime-Migrations.md | 5 +++++ 11-SRE/Capacity-Planning.md | 5 +++++ 11-SRE/Chaos-Engineering.md | 5 +++++ 11-SRE/Incident-Response.md | 5 +++++ 11-SRE/Postmortem-Practice.md | 5 +++++ 11-SRE/README.md | 5 +++++ 11-SRE/Runbook-Template.md | 5 +++++ 11-SRE/SLI-SLO-Error-Budget.md | 5 +++++ 11-SRE/Toil-Reduction.md | 5 +++++ 12-FinOps/Cloud-Cost-Allocation.md | 5 +++++ 12-FinOps/Egress-Cost-Reduction.md | 6 ++++++ 12-FinOps/Kubecost-Setup.md | 6 ++++++ 12-FinOps/PR-Cost-Diff.md | 6 ++++++ 12-FinOps/README.md | 5 +++++ 12-FinOps/Reserved-and-Savings-Plans.md | 5 +++++ 12-FinOps/Right-Sizing.md | 6 ++++++ 12-FinOps/Spot-Instance-Strategy.md | 6 ++++++ 12-FinOps/Storage-Cost-Optimization.md | 6 ++++++ 13-Platform-Engineering/Backstage-Setup.md | 5 +++++ 13-Platform-Engineering/Golden-Paths.md | 5 +++++ .../Internal-Developer-Platform.md | 5 +++++ 13-Platform-Engineering/Platform-as-Product.md | 5 +++++ 13-Platform-Engineering/README.md | 4 ++++ 13-Platform-Engineering/Service-Catalog.md | 4 ++++ 14-Sustainability/Carbon-Aware-Computing.md | 5 +++++ 14-Sustainability/Efficiency-Practices.md | 6 ++++++ 14-Sustainability/Green-Software-Principles.md | 6 ++++++ 14-Sustainability/Measuring-Software-Carbon.md | 6 ++++++ 
14-Sustainability/README.md | 5 +++++ 14-Sustainability/Region-Selection.md | 6 ++++++ 15-AI-LLMOps/AI-Augmented-Operations.md | 6 ++++++ 15-AI-LLMOps/LLM-in-Production.md | 6 ++++++ 15-AI-LLMOps/Model-Cost-Optimization.md | 5 +++++ 15-AI-LLMOps/Prompt-Engineering-for-Ops.md | 5 +++++ 15-AI-LLMOps/RAG-Architecture.md | 6 ++++++ 15-AI-LLMOps/README.md | 6 ++++++ 15-AI-LLMOps/Safety-and-Guardrails.md | 7 +++++++ 15-AI-LLMOps/Self-Hosted-LLM.md | 6 ++++++ 16-Cheatsheets/README.md | 4 ++++ 16-Cheatsheets/aws-cli.md | 4 ++++ 16-Cheatsheets/docker.md | 4 ++++ 16-Cheatsheets/git.md | 3 +++ 16-Cheatsheets/helm.md | 5 +++++ 16-Cheatsheets/kubectl.md | 4 ++++ 16-Cheatsheets/linux-troubleshooting.md | 5 +++++ 16-Cheatsheets/networking-tools.md | 4 ++++ 16-Cheatsheets/terraform.md | 4 ++++ 16-Cheatsheets/vim-survival.md | 3 +++ 17-Templates/README.md | 7 +++++++ 17-Templates/gitignore/README.md | 5 +++++ 17-Templates/runbooks/postmortem-template.md | 5 +++++ 17-Templates/runbooks/runbook-template.md | 5 +++++ 17-Templates/terraform/README.md | 4 ++++ 18-Career/CV-Tips.md | 4 ++++ 18-Career/DevOps-Interview-Questions.md | 6 ++++++ 18-Career/README.md | 4 ++++ 18-Career/SRE-Interview-Prep.md | 5 +++++ 18-Career/System-Design-Cheatsheet.md | 6 ++++++ 19-Compliance/Audit-Evidence-Automation.md | 6 ++++++ 19-Compliance/EU-AI-Act.md | 5 +++++ 19-Compliance/GDPR-Engineering.md | 6 ++++++ 19-Compliance/ISO-27001-Controls.md | 6 ++++++ 19-Compliance/KVKK-Practical.md | 6 ++++++ 19-Compliance/NIS2-Directive.md | 5 +++++ 19-Compliance/PCI-DSS-4.md | 5 +++++ 19-Compliance/README.md | 6 ++++++ 19-Compliance/SOC2-Type2-Prep.md | 5 +++++ 20-Soft-Skills/Documentation-as-Communication.md | 5 +++++ 20-Soft-Skills/Mentoring-Junior-Engineers.md | 5 +++++ 20-Soft-Skills/Oncall-Sustainability.md | 6 ++++++ 20-Soft-Skills/Postmortem-Conversation.md | 5 +++++ 20-Soft-Skills/README.md | 5 +++++ 20-Soft-Skills/Saying-No.md | 4 ++++ 20-Soft-Skills/Stakeholder-Management.md | 5 +++++ 
20-Soft-Skills/Vendor-Management.md | 5 +++++ 20-Soft-Skills/Working-with-Security-Team.md | 5 +++++ 21-Field-Notes/README.md | 6 ++++++ 21-Field-Notes/ansible/ssh-connectivity-test.md | 5 +++++ 21-Field-Notes/ansible/system-preparation.md | 6 ++++++ 21-Field-Notes/kubectl/cluster-passwords.md | 6 ++++++ 21-Field-Notes/kubectl/logging-elasticsearch.md | 6 ++++++ .../network/network-segmentation-wazuh-siem.md | 7 +++++++ .../system/devops-certification-roadmap.md | 6 ++++++ 21-Field-Notes/system/external-access-solutions.md | 5 +++++ .../system/github-actions-pipeline-setup.md | 6 ++++++ .../system/inventory-management-example.md | 6 ++++++ .../system/kubernetes-cluster-installation.md | 6 ++++++ .../system/production-ready-repo-layout.md | 7 +++++++ 21-Field-Notes/terraform/modules-create-vm.md | 6 ++++++ 21-Field-Notes/terraform/proxmox-configuration.md | 6 ++++++ RoadMap/Modern-DevOps-2026.md | 7 +++++++ RoadMap/Planning.md | 6 ++++++ RoadMap/README.md | 5 +++++ RoadMap/RoadMap.md | 6 ++++++ RoadMap/advanced-roadmap.md | 7 +++++++ RoadMap/advanced/00-prerequisites.md | 5 +++++ RoadMap/advanced/01-aws-account-setup.md | 5 +++++ RoadMap/advanced/02-terraform-iac.md | 5 +++++ RoadMap/advanced/03-containerization.md | 5 +++++ RoadMap/advanced/04-cicd-pipeline.md | 5 +++++ RoadMap/advanced/05-kubernetes-advanced.md | 6 ++++++ RoadMap/advanced/06-observability.md | 6 ++++++ RoadMap/advanced/07-secrets-security.md | 6 ++++++ RoadMap/advanced/08-backup-dr.md | 6 ++++++ RoadMap/advanced/09-gitops-automation.md | 6 ++++++ RoadMap/advanced/10-cost-performance.md | 6 ++++++ RoadMap/advanced/11-documentation-processes.md | 5 +++++ RoadMap/advanced/12-final-validation.md | 5 +++++ RoadMap/advanced/13-quickstart-30min.md | 6 ++++++ docs/tags.md | 12 ++++++++++++ mkdocs.yml | 1 + scripts/build-docs.sh | 7 +++++++ 195 files changed, 1022 insertions(+) create mode 100644 docs/tags.md 
diff --git a/00-Culture/Blameless-Postmortem-Template.md b/00-Culture/Blameless-Postmortem-Template.md index 54992c0..f6afe93 100644 --- a/00-Culture/Blameless-Postmortem-Template.md +++ b/00-Culture/Blameless-Postmortem-Template.md @@ -1,5 +1,10 @@ --- description: "Suçlamayan (blameless) postmortem felsefesi ve şablonu: neden blameless, blameful/blameless ton karşılaştırması, dolu örnek ve kontrol listesi." +tags: + - Culture + - Incident Response + - SRE + - Template --- # Blameless Postmortem — Felsefe ve Şablon diff --git a/00-Culture/DORA-SPACE-Metrics.md b/00-Culture/DORA-SPACE-Metrics.md index aa50ba4..5487f3e 100644 --- a/00-Culture/DORA-SPACE-Metrics.md +++ b/00-Culture/DORA-SPACE-Metrics.md @@ -1,5 +1,10 @@ --- description: "Mühendislik performansı için iki çerçeve: DORA 4 delivery metriği (deploy sıklığı, lead time, MTTR, change failure) ve bütünsel SPACE modeli." +tags: + - Culture + - DORA + - SRE + - Performance --- # DORA & SPACE — Mühendislik Performansı Metrikleri diff --git a/00-Culture/Documentation-Culture.md b/00-Culture/Documentation-Culture.md index b6060b7..0a43baa 100644 --- a/00-Culture/Documentation-Culture.md +++ b/00-Culture/Documentation-Culture.md @@ -1,5 +1,9 @@ --- description: "Right-sized, role-targeted dokümantasyon kültürü: 4 katmanlı hiyerarşi (README, RFC, ADR, runbook) ve doc rotting'e karşı pratik stratejiler." +tags: + - Culture + - Soft Skills + - Platform Engineering --- # Documentation Culture diff --git a/00-Culture/On-Call-Playbook.md b/00-Culture/On-Call-Playbook.md index a1b0fef..c80c475 100644 --- a/00-Culture/On-Call-Playbook.md +++ b/00-Culture/On-Call-Playbook.md @@ -1,5 +1,10 @@ --- description: "Sağlıklı on-call rotation kurma rehberi: primary/secondary roller, alert hijyeni, devir-teslim, eskalasyon ve sürdürülebilir nöbet pratikleri." +tags: + - Culture + - Incident Response + - SRE + - Monitoring --- # On-Call Playbook diff --git a/00-Culture/README.md b/00-Culture/README.md index 3c2ba99..225dc97 100644 
--- a/00-Culture/README.md +++ b/00-Culture/README.md @@ -1,5 +1,9 @@ --- description: "DevOps kültürü referans klasörünün indeksi: blameless postmortem, on-call playbook, DORA/SPACE metrikleri, Team Topologies ve dokümantasyon kültürü." +tags: + - Culture + - SRE + - Roadmap --- # 00 · DevOps Kültürü diff --git a/00-Culture/Team-Topologies.md b/00-Culture/Team-Topologies.md index 89bed62..9b73af9 100644 --- a/00-Culture/Team-Topologies.md +++ b/00-Culture/Team-Topologies.md @@ -1,5 +1,9 @@ --- description: "Skelton & Pais'in Team Topologies kitabından damıtılmış 4 takım türü (stream-aligned, enabling, complicated-subsystem, platform) ve etkileşim modları rehberi." +tags: + - Culture + - Platform Engineering + - Soft Skills --- # Team Topologies — Ekip Yapısı Olarak Mühendislik diff --git a/01-Git-Workflow/Code-Review-Checklist.md b/01-Git-Workflow/Code-Review-Checklist.md index 668ca1f..22c766b 100644 --- a/01-Git-Workflow/Code-Review-Checklist.md +++ b/01-Git-Workflow/Code-Review-Checklist.md @@ -1,5 +1,10 @@ --- description: "Code review'i bilgi paylaşımı ve kalite aracına çeviren pratikler: review'ın 3 amacı, nit/blocker/question kategori sistemi, reviewer ve author rehberi." +tags: + - Git + - Culture + - Soft Skills + - Cheatsheet --- # Code Review Checklist — İyi Review, İyi Reviewer diff --git a/01-Git-Workflow/Conventional-Commits.md b/01-Git-Workflow/Conventional-Commits.md index 2eb432a..5c0883f 100644 --- a/01-Git-Workflow/Conventional-Commits.md +++ b/01-Git-Workflow/Conventional-Commits.md @@ -1,5 +1,10 @@ --- description: "Conventional Commits 1.0 spec: feat/fix/chore commit formatı, niye işe yaradığı ve CI'da nasıl enforce edileceği; otomatik changelog ve semver bump'ın temeli." +tags: + - Git + - CI/CD + - Policy as Code + - Cheatsheet --- # Conventional Commits — Disiplinli Commit Mesajları diff --git a/01-Git-Workflow/PR-Templates-and-Automation.md b/01-Git-Workflow/PR-Templates-and-Automation.md index 04904cf..6a0ca4f 100644 
--- a/01-Git-Workflow/PR-Templates-and-Automation.md +++ b/01-Git-Workflow/PR-Templates-and-Automation.md @@ -1,5 +1,10 @@ --- description: "GitHub'da PR hijyeni: PR template, otomatik label, semantic-pr-action, commit doğrulama, CODEOWNERS ve Renovate/Dependabot ile PR trafiğini otomasyona bağlama." +tags: + - Git + - CI/CD + - Template + - Policy as Code --- # PR Templates & Automation — PR'ları Standart, Hızlı, İzlenebilir Yap diff --git a/01-Git-Workflow/README.md b/01-Git-Workflow/README.md index 9cf6113..48fa305 100644 --- a/01-Git-Workflow/README.md +++ b/01-Git-Workflow/README.md @@ -1,5 +1,10 @@ --- description: "Modern Git iş akışı rehberi indeksi: trunk-based development, conventional commits, code review, stacked diffs ve PR otomasyonu; 2026 branching stack'i." +tags: + - Git + - CI/CD + - Roadmap + - Platform Engineering --- # 01 · Git Workflow diff --git a/01-Git-Workflow/Stacked-Diffs.md b/01-Git-Workflow/Stacked-Diffs.md index 2d2f179..a411717 100644 --- a/01-Git-Workflow/Stacked-Diffs.md +++ b/01-Git-Workflow/Stacked-Diffs.md @@ -1,5 +1,10 @@ --- description: "Stacked diffs pattern: büyük feature'ı küçük ve gerçekten review edilebilir PR'lara bölme; Graphite, Sapling veya manuel branch chain ile araç ve workflow." +tags: + - Git + - CI/CD + - Culture + - Field Notes --- # Stacked Diffs — Büyük Feature'ı Küçük PR'lara Bölme diff --git a/01-Git-Workflow/Trunk-Based-Development.md b/01-Git-Workflow/Trunk-Based-Development.md index 4ed5a57..b3797eb 100644 --- a/01-Git-Workflow/Trunk-Based-Development.md +++ b/01-Git-Workflow/Trunk-Based-Development.md @@ -1,5 +1,10 @@ --- description: "Git Flow yerine trunk-based development: kısa ömürlü feature branch, feature flag ve güvenli prod deploy ile main üzerinde hızlı ve güvenli geliştirme rehberi." +tags: + - Git + - CI/CD + - DORA + - Platform Engineering --- # Trunk-Based Development — Hızın ve Güvenliğin Buluştuğu Yer 
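Review bot: the tag choices in the 00-Culture and 01-Git-Workflow hunks will fragment the index once the plugin is live: `Roadmap` is applied to each section README (00-Culture/README.md, 01-Git-Workflow/README.md) although RoadMap is also a content section of its own, so a dedicated `Index` tag would be less ambiguous; `Field Notes` on 01-Git-Workflow/Stacked-Diffs.md does not match the 21-Field-Notes section the tag is named after; and `Cheatsheet` on Code-Review-Checklist.md and Conventional-Commits.md overlaps with the 16-Cheatsheets folder. Since the commit message calls this a controlled vocabulary, check the 47-tag allowlist into the repo and fail the build on any tag outside it; the Material tags plugin accepts any string, so the vocabulary is only controlled if something enforces it.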
diff --git a/02-CI-CD/Caching-Strategies.md b/02-CI-CD/Caching-Strategies.md index f0c84ee..4488ed9 100644 --- a/02-CI-CD/Caching-Strategies.md +++ b/02-CI-CD/Caching-Strategies.md @@ -1,5 +1,10 @@ --- description: "CI/CD cache katmanlari rehberi: dependency, build, Docker layer ve test result cache stratejileri somut config ornekleriyle; pipeline'i dakikalara indirir." +tags: + - CI/CD + - Performance + - Docker + - Containers --- # Caching Strategies — Build, Test, Deploy Cache diff --git a/02-CI-CD/GitHub-Actions-Recipes.md b/02-CI-CD/GitHub-Actions-Recipes.md index 657a1f9..cfc300e 100644 --- a/02-CI-CD/GitHub-Actions-Recipes.md +++ b/02-CI-CD/GitHub-Actions-Recipes.md @@ -1,5 +1,11 @@ --- description: "GitHub Actions production tarifleri: OIDC cloud auth, matrix build, reusable workflow, caching ve secret yonetimi somut YAML ornekleriyle anlatilir." +tags: + - CI/CD + - Git + - Security + - Secrets + - AWS --- # GitHub Actions Recipes — Production Tarifleri diff --git a/02-CI-CD/GitLab-CI-Recipes.md b/02-CI-CD/GitLab-CI-Recipes.md index 12067c5..eb41cf2 100644 --- a/02-CI-CD/GitLab-CI-Recipes.md +++ b/02-CI-CD/GitLab-CI-Recipes.md @@ -1,5 +1,10 @@ --- description: "GitLab CI/CD pratik tarifleri: DAG pipeline, dynamic child, multi-project trigger ve OIDC AWS auth; monorepo dostu DAG-native kullanim anlatilir." +tags: + - CI/CD + - Git + - AWS + - Security --- # GitLab CI Recipes — DAG, Dynamic Child, Multi-Project diff --git a/02-CI-CD/Mobile-CICD-Flutter.md b/02-CI-CD/Mobile-CICD-Flutter.md index 62c5f57..56421b5 100644 --- a/02-CI-CD/Mobile-CICD-Flutter.md +++ b/02-CI-CD/Mobile-CICD-Flutter.md @@ -1,5 +1,10 @@ --- description: "Flutter CI/CD icin komple checklist: hesaplar, Android/iOS gereksinimleri, Firebase, GitHub kurulumu, kod tarafi duzenlemeler ve toplam maliyet hesabi." +tags: + - CI/CD + - Git + - Template + - Roadmap --- # Flutter CI/CD için Gerekli Tüm Şeyler - Komple Checklist 
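Review bot: 02-CI-CD/Caching-Strategies.md is tagged both `Docker` and `Containers`; pick one as canonical (or record `Docker` as a narrower term under `Containers` in the allowlist) so the same pages are not split across two index entries, and `Roadmap` on Mobile-CICD-Flutter.md, a checklist, has the same ambiguity as on the section READMEs. Unrelated to the tags but visible in the context lines: the `description` values in this folder are ASCII-folded (`katmanlari`, `ornekleriyle`, `yonetimi`, `icin`, `duzenlemeler`) while every other section uses proper Turkish diacritics; these strings are exactly what search engines show as the snippet, so they deserve a follow-up to the description commit.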
diff --git a/02-CI-CD/Pipeline-Patterns.md b/02-CI-CD/Pipeline-Patterns.md index 6f6b833..d732fcf 100644 --- a/02-CI-CD/Pipeline-Patterns.md +++ b/02-CI-CD/Pipeline-Patterns.md @@ -1,5 +1,10 @@ --- description: "CI/CD pipeline patternleri: lint, test, security scan, build, image scan, imzalama, SBOM ve GitOps promote adimlarinin sirali katmanlama referansi." +tags: + - CI/CD + - Security + - SBOM + - GitOps --- # CI/CD Pipeline Patterns diff --git a/02-CI-CD/Pipeline-Performance.md b/02-CI-CD/Pipeline-Performance.md index c15ccf0..1afb2ee 100644 --- a/02-CI-CD/Pipeline-Performance.md +++ b/02-CI-CD/Pipeline-Performance.md @@ -1,5 +1,9 @@ --- description: "CI pipeline optimizasyonu: caching, parallelization, selective testing ve runner secimi teknikleriyle 30 dakikalik CI'yi 90 saniyeye indirme protokolu." +tags: + - CI/CD + - Performance + - Cost Optimization --- # Pipeline Performance — "10 Dakikalık CI"yi 90 Saniyeye İndir diff --git a/02-CI-CD/README.md b/02-CI-CD/README.md index acce2a7..065a186 100644 --- a/02-CI-CD/README.md +++ b/02-CI-CD/README.md @@ -1,5 +1,9 @@ --- description: "CI/CD bolumu indeksi: pipeline patternleri, GitHub Actions ve GitLab CI tarifleri, caching, reusable workflow ve yavas CI tedavi protokolleri." +tags: + - CI/CD + - Git + - Roadmap --- # 02 · CI/CD diff --git a/02-CI-CD/Reusable-Workflows.md b/02-CI-CD/Reusable-Workflows.md index 4634726..72f27a0 100644 --- a/02-CI-CD/Reusable-Workflows.md +++ b/02-CI-CD/Reusable-Workflows.md @@ -1,5 +1,10 @@ --- description: "GitHub Actions reusable workflow ve composite action ile org-wide CI/CD standardizasyonu: step, job ve workflow seviyesinde soyutlama pratikleri." +tags: + - CI/CD + - Git + - Template + - Platform Engineering --- # Reusable Workflows — Org-Wide Template diff --git a/03-IaC/Crossplane-Intro.md b/03-IaC/Crossplane-Intro.md index 42e31bb..ac1ec50 100644 --- a/03-IaC/Crossplane-Intro.md +++ b/03-IaC/Crossplane-Intro.md 
@@ -1,5 +1,10 @@ --- description: "Crossplane ile cloud resource'ları K8s CRD olarak yönetme rehberi: continuous reconciliation, Terraform farkı, Composition pattern ve GitOps native." +tags: + - IaC + - Kubernetes + - GitOps + - Platform Engineering --- # Crossplane — K8s API ile Cloud Resource Yönet diff --git a/03-IaC/Drift-Detection.md b/03-IaC/Drift-Detection.md index 30bfc58..e0b6c91 100644 --- a/03-IaC/Drift-Detection.md +++ b/03-IaC/Drift-Detection.md @@ -1,5 +1,10 @@ --- description: "Terraform/OpenTofu drift detection rehberi: Git ile cloud arasındaki farkı sürekli yakalama, otomasyon, alarm ve remediation pattern'leri somut araçlarla." +tags: + - IaC + - Terraform + - GitOps + - Observability --- # Drift Detection — Git'te Yazan ile Cloud'da Olan Arasındaki Fark diff --git a/03-IaC/OpenTofu-Migration.md b/03-IaC/OpenTofu-Migration.md index 08edaa5..29fd85b 100644 --- a/03-IaC/OpenTofu-Migration.md +++ b/03-IaC/OpenTofu-Migration.md @@ -1,5 +1,9 @@ --- description: "Terraform'dan OpenTofu'ya geçiş rehberi: HashiCorp BSL license sorunu, MPL 2.0 forku, uyumluluk farkları ve 2026'da neye geçilmeli sorusunun pratik cevabı." +tags: + - IaC + - Terraform + - Compliance --- # OpenTofu Migration — Terraform'dan Bağımsız Olmak diff --git a/03-IaC/Pulumi-vs-Terraform.md b/03-IaC/Pulumi-vs-Terraform.md index f8ea71b..4c3b6d2 100644 --- a/03-IaC/Pulumi-vs-Terraform.md +++ b/03-IaC/Pulumi-vs-Terraform.md @@ -1,5 +1,9 @@ --- description: "Pulumi ile Terraform/OpenTofu karşılaştırması: HCL'e karşı Python/Go/TS gibi genel amaçlı diller, hangi durumda hangisinin tercih edildiği ve geçiş stratejisi." +tags: + - IaC + - Terraform + - Platform Engineering --- # Pulumi vs Terraform — General-Purpose Lang vs HCL diff --git a/03-IaC/README.md b/03-IaC/README.md index 178c7e2..39a3744 100644 --- a/03-IaC/README.md +++ b/03-IaC/README.md 
@@ -1,5 +1,9 @@ --- description: "Infrastructure as Code bölüm indeksi: Terraform best practices, module layout, OpenTofu migration, Pulumi, Crossplane, drift detection ve IaC karar ağacı." +tags: + - IaC + - Terraform + - Roadmap --- # 03 · Infrastructure as Code diff --git a/03-IaC/Terraform-Best-Practices.md b/03-IaC/Terraform-Best-Practices.md index 209287c..6a0345d 100644 --- a/03-IaC/Terraform-Best-Practices.md +++ b/03-IaC/Terraform-Best-Practices.md @@ -1,5 +1,10 @@ --- description: "Terraform/OpenTofu 2026 production rehberi: remote state, versiyonlu module, PR'da plan, manuel apply, for_each, sensitive marking ve sürekli drift izleme." +tags: + - IaC + - Terraform + - CI/CD + - Security --- # Terraform Best Practices diff --git a/03-IaC/Terraform-Module-Layout.md b/03-IaC/Terraform-Module-Layout.md index be0ab61..d7aae21 100644 --- a/03-IaC/Terraform-Module-Layout.md +++ b/03-IaC/Terraform-Module-Layout.md @@ -1,5 +1,10 @@ --- description: "Terraform/OpenTofu repo yapısı ve module tasarımı rehberi: mono/multi repo modelleri, vpc/eks/rds modül iskeleti, versioning ve composition pattern örnekleri." +tags: + - IaC + - Terraform + - Template + - Networking --- # Terraform Module Layout — Repo Yapısı + Module Tasarımı diff --git a/04-Containers/BuildKit-Tips.md b/04-Containers/BuildKit-Tips.md index 8a7c396..9280d49 100644 --- a/04-Containers/BuildKit-Tips.md +++ b/04-Containers/BuildKit-Tips.md @@ -1,5 +1,10 @@ --- description: "BuildKit'in modern Docker build feature'lari: cache mount, secret mount, multi-platform ve frontend syntax. Somut Dockerfile ornekleriyle anlatim." +tags: + - Containers + - Docker + - Performance + - Secrets --- # BuildKit Tips — Modern Docker Build diff --git a/04-Containers/Container-vs-WASM.md b/04-Containers/Container-vs-WASM.md index 61b4dfd..48e437b 100644 --- a/04-Containers/Container-vs-WASM.md +++ b/04-Containers/Container-vs-WASM.md 
@@ -1,5 +1,10 @@ --- description: "WebAssembly (WASM) ve WASI'nin server-side runtime olarak container'a gore avantaj/dezavantajlari ve 2026'da ne zaman tercih edilecegi." +tags: + - Containers + - Docker + - Performance + - Field Notes --- # Container vs WASM — Yeni Runtime Geliyor mu? diff --git a/04-Containers/Distroless-and-Chainguard.md b/04-Containers/Distroless-and-Chainguard.md index 637e858..6600e1e 100644 --- a/04-Containers/Distroless-and-Chainguard.md +++ b/04-Containers/Distroless-and-Chainguard.md @@ -1,5 +1,10 @@ --- description: "Distroless ve Chainguard image'lari, niye 2026 standardi olduklari, base image CVE karsilastirmasi, migration stratejisi ve trade-off'lar uzerine pratik rehber." +tags: + - Containers + - Docker + - Security + - SBOM --- # Distroless & Chainguard — 0-CVE Image Stratejisi diff --git a/04-Containers/Dockerfile-Best-Practices.md b/04-Containers/Dockerfile-Best-Practices.md index 52e9384..1ca8038 100644 --- a/04-Containers/Dockerfile-Best-Practices.md +++ b/04-Containers/Dockerfile-Best-Practices.md @@ -1,5 +1,11 @@ --- description: "Build hizi, imaj boyutu ve guvenligi iyilestiren 20 maddelik Dockerfile best practice listesi: multi-stage, layer/cache ve least privilege." +tags: + - Containers + - Docker + - Security + - Performance + - Cheatsheet --- # Dockerfile Best Practices — 20 Madde diff --git a/04-Containers/Image-Signing-Cosign.md b/04-Containers/Image-Signing-Cosign.md index 5652ab5..ff28c43 100644 --- a/04-Containers/Image-Signing-Cosign.md +++ b/04-Containers/Image-Signing-Cosign.md @@ -1,5 +1,11 @@ --- description: "Container imaj imzalamayi Cosign keyless OIDC ile production'da kurma: tehdit modeli, adimlar, GitHub Actions ve admission verification." +tags: + - Containers + - Security + - SBOM + - CI/CD + - Threat Modeling --- # Image Signing — Cosign + Keyless OIDC diff --git a/04-Containers/Multi-Stage-Builds.md b/04-Containers/Multi-Stage-Builds.md index 08288b0..07df3d9 100644 
--- a/04-Containers/Multi-Stage-Builds.md +++ b/04-Containers/Multi-Stage-Builds.md @@ -1,5 +1,10 @@ --- description: "Multi-stage Docker build pattern'leri ve anti-pattern'leri: builder/runner ayrimi, dil-spesifik ornekler ve cache optimizasyonu ile imaji 10x kucultme rehberi." +tags: + - Containers + - Docker + - Performance + - Security --- # Multi-Stage Builds — Küçük, Güvenli, Hızlı Image diff --git a/04-Containers/README.md b/04-Containers/README.md index dc79b1b..4388c32 100644 --- a/04-Containers/README.md +++ b/04-Containers/README.md @@ -1,5 +1,10 @@ --- description: "Container imajlarini hizli, kucuk ve guvenli yapmak icin 2026 referansi: Dockerfile best practices, multi-stage, distroless, BuildKit ve Cosign imzalama." +tags: + - Containers + - Docker + - Security + - Roadmap --- # 04 · Containers diff --git a/05-Kubernetes/Debugging-Pods.md b/05-Kubernetes/Debugging-Pods.md index 805563b..15cf5cd 100644 --- a/05-Kubernetes/Debugging-Pods.md +++ b/05-Kubernetes/Debugging-Pods.md @@ -1,5 +1,11 @@ --- description: "Pod-level debugging rehberi: kubectl describe/logs, ephemeral container, distroless image debug, CrashLoopBackOff ve OOMKilled gibi yaygin senaryolar." +tags: + - Kubernetes + - Incident Response + - SRE + - Containers + - Cheatsheet --- # Debugging Pods — `kubectl debug`, ephemeral, exec rehberi diff --git a/05-Kubernetes/HPA-VPA-KEDA.md b/05-Kubernetes/HPA-VPA-KEDA.md index caee1a4..72585a7 100644 --- a/05-Kubernetes/HPA-VPA-KEDA.md +++ b/05-Kubernetes/HPA-VPA-KEDA.md @@ -1,5 +1,11 @@ --- description: "Kubernetes autoscaling rehberi: HPA (pod sayisi), VPA (pod resource) ve KEDA (event-driven) karsilastirmasi, hangi senaryoda hangisi ve birlikte calisma." +tags: + - Kubernetes + - Performance + - Cost Optimization + - SRE + - Observability --- # HPA, VPA, KEDA — K8s Autoscaling Tam Rehber diff --git a/05-Kubernetes/Multi-Tenancy-Patterns.md b/05-Kubernetes/Multi-Tenancy-Patterns.md index a3b0969..6093fcd 100644 
--- a/05-Kubernetes/Multi-Tenancy-Patterns.md +++ b/05-Kubernetes/Multi-Tenancy-Patterns.md @@ -1,5 +1,11 @@ --- description: "Kubernetes multi-tenancy modelleri: soft (namespace + RBAC), hard, vCluster ve cluster-per-tenant; izolasyon, maliyet ve kullanim karsilastirmasi." +tags: + - Kubernetes + - Security + - Networking + - Platform Engineering + - Policy as Code --- # Multi-Tenancy Patterns — Soft, Hard, Hibrit diff --git a/05-Kubernetes/Production-Checklist.md b/05-Kubernetes/Production-Checklist.md index 738d125..49193a5 100644 --- a/05-Kubernetes/Production-Checklist.md +++ b/05-Kubernetes/Production-Checklist.md @@ -1,5 +1,12 @@ --- description: "50 maddelik Kubernetes prod-readiness checklist: workload tasarimi, resource, security, reliability/HA, observability ve operations/GitOps eksenleri." +tags: + - Kubernetes + - Security + - SRE + - Observability + - GitOps + - Cheatsheet --- # Kubernetes Production Checklist diff --git a/05-Kubernetes/README.md b/05-Kubernetes/README.md index b996a9e..59b1144 100644 --- a/05-Kubernetes/README.md +++ b/05-Kubernetes/README.md @@ -1,5 +1,10 @@ --- description: "Production Kubernetes referans seti icindekiler: prod-readiness checklist, resource limitleri, HPA/VPA/KEDA, multi-tenancy, upgrade stratejisi ve pod debugging." +tags: + - Kubernetes + - Platform Engineering + - SRE + - Roadmap --- # 05 · Kubernetes diff --git a/05-Kubernetes/Resource-Limits-Guide.md b/05-Kubernetes/Resource-Limits-Guide.md index 0513e22..82e7273 100644 --- a/05-Kubernetes/Resource-Limits-Guide.md +++ b/05-Kubernetes/Resource-Limits-Guide.md @@ -1,5 +1,11 @@ --- description: "Kubernetes resource yonetimi rehberi: requests vs limits farki, QoS class'lari, OOMKilled davranisi ve dogru CPU/memory sayilarinin nasil bulunacagi." +tags: + - Kubernetes + - Performance + - Cost Optimization + - SRE + - Containers --- # Resource Limits Guide — Request, Limit, QoS 
diff --git a/05-Kubernetes/Upgrade-Strategy.md b/05-Kubernetes/Upgrade-Strategy.md index 323ae1b..b729414 100644 --- a/05-Kubernetes/Upgrade-Strategy.md +++ b/05-Kubernetes/Upgrade-Strategy.md @@ -1,5 +1,10 @@ --- description: "Kubernetes cluster'i zero-downtime upgrade rehberi: release cycle, upgrade disiplini, rollback, deprecated API gecisi, managed vs self-managed farklari." +tags: + - Kubernetes + - SRE + - Platform Engineering + - Incident Response --- # Kubernetes Upgrade Strategy — Zero-Downtime Versiyon Migration diff --git a/06-GitOps/App-of-Apps-Pattern.md b/06-GitOps/App-of-Apps-Pattern.md index 6dfeefd..fd15352 100644 --- a/06-GitOps/App-of-Apps-Pattern.md +++ b/06-GitOps/App-of-Apps-Pattern.md @@ -1,5 +1,10 @@ --- description: "App-of-Apps pattern: ArgoCD'yi tek bir root Application ile bootstrap edip kendi kendini yöneten self-managed GitOps akışına dönüştürme rehberi." +tags: + - GitOps + - ArgoCD + - Kubernetes + - Platform Engineering --- # App-of-Apps Pattern — ArgoCD'yi Kendi Kendinden Yönet diff --git a/06-GitOps/ApplicationSet-Patterns.md b/06-GitOps/ApplicationSet-Patterns.md index 7108fe2..7e2d9c0 100644 --- a/06-GitOps/ApplicationSet-Patterns.md +++ b/06-GitOps/ApplicationSet-Patterns.md @@ -1,5 +1,10 @@ --- description: "ArgoCD ApplicationSet ile multi-cluster ve multi-tenant GitOps: cluster, git, matrix, list ve SCM generator türleriyle Application factory kurma." +tags: + - GitOps + - ArgoCD + - Kubernetes + - Platform Engineering --- # ApplicationSet — Multi-Cluster ve Multi-Tenant GitOps diff --git a/06-GitOps/ArgoCD-Setup.md b/06-GitOps/ArgoCD-Setup.md index b8cd35f..be6583a 100644 --- a/06-GitOps/ArgoCD-Setup.md +++ b/06-GitOps/ArgoCD-Setup.md 
@@ -1,5 +1,11 @@ --- description: "ArgoCD'yi sıfırdan production-grade kurma rehberi: HA, SSO, RBAC, AppProject, notification ve ApplicationSet ile multi-cluster pull-based GitOps." +tags: + - GitOps + - ArgoCD + - Kubernetes + - Security + - Platform Engineering --- # ArgoCD Setup — Production-Grade GitOps Kurulumu diff --git a/06-GitOps/Flux-vs-ArgoCD.md b/06-GitOps/Flux-vs-ArgoCD.md index df064a9..0002402 100644 --- a/06-GitOps/Flux-vs-ArgoCD.md +++ b/06-GitOps/Flux-vs-ArgoCD.md @@ -1,5 +1,10 @@ --- description: "Flux ve ArgoCD GitOps araçlarının 2026 karşılaştırması: felsefe, UI, multi-cluster, Helm/Kustomize desteği ve hangi senaryoda hangisi tercih edilir." +tags: + - GitOps + - ArgoCD + - Kubernetes + - CI/CD --- # Flux vs ArgoCD — GitOps Tool Karar Rehberi diff --git a/06-GitOps/Helm-vs-Kustomize-vs-Raw.md b/06-GitOps/Helm-vs-Kustomize-vs-Raw.md index 13d9d27..ce40a49 100644 --- a/06-GitOps/Helm-vs-Kustomize-vs-Raw.md +++ b/06-GitOps/Helm-vs-Kustomize-vs-Raw.md @@ -1,5 +1,11 @@ --- description: "Kubernetes manifest stratejisi: Helm, Kustomize ve Raw YAML yaklaşımlarının templating, multi-env ve reusability ekseninde karar ağacı ve karşılaştırması." +tags: + - GitOps + - Kubernetes + - Helm + - IaC + - Template --- # Helm vs Kustomize vs Raw YAML — Manifest Stratejisi Karar Rehberi diff --git a/06-GitOps/README.md b/06-GitOps/README.md index 025e9a5..17a739d 100644 --- a/06-GitOps/README.md +++ b/06-GitOps/README.md @@ -1,5 +1,10 @@ --- description: "GitOps bölümü indeksi: ArgoCD, Flux, ApplicationSet, App-of-Apps, Helm/Kustomize ve secret yönetimi rehberlerine bağlantılar ve OpenGitOps prensipleri." +tags: + - GitOps + - ArgoCD + - Kubernetes + - Roadmap --- # 06 · GitOps diff --git a/06-GitOps/Secrets-in-GitOps.md b/06-GitOps/Secrets-in-GitOps.md index 70c8552..a1e8ffa 100644 --- a/06-GitOps/Secrets-in-GitOps.md +++ b/06-GitOps/Secrets-in-GitOps.md 
@@ -1,5 +1,10 @@ --- description: "GitOps'ta secret yönetimi: Sealed Secrets, SOPS, External Secrets Operator ve ArgoCD Vault Plugin karşılaştırması; Git'te şifreli, cluster'da çözük." +tags: + - GitOps + - Secrets + - Security + - Kubernetes --- # Secrets in GitOps — Git'e Sır Koyabilir misin? diff --git a/07-Observability/Alerting-Done-Right.md b/07-Observability/Alerting-Done-Right.md index 239cb19..7de2edf 100644 --- a/07-Observability/Alerting-Done-Right.md +++ b/07-Observability/Alerting-Done-Right.md @@ -1,5 +1,10 @@ --- description: "Symptom-based, actionable ve az sayida alarm tasarlama rehberi: alarmin 3 sarti, cause vs symptom ayrimi, alert fatigue, runbook ve alert review pratikleri." +tags: + - Observability + - Monitoring + - Incident Response + - SRE --- # Alerting Done Right — Symptom-Based, Actionable, Az diff --git a/07-Observability/Logs-Loki-vs-ELK.md b/07-Observability/Logs-Loki-vs-ELK.md index 2f00f29..54037f9 100644 --- a/07-Observability/Logs-Loki-vs-ELK.md +++ b/07-Observability/Logs-Loki-vs-ELK.md @@ -1,5 +1,10 @@ --- description: "Loki ve ELK (Elasticsearch + Logstash + Kibana) log stack karsilastirmasi: indexleme felsefesi, depolama maliyeti, sorgu desenleri ve Wazuh entegrasyonu." +tags: + - Observability + - Monitoring + - Security + - Cost Optimization --- # Logs — Loki vs ELK Stack diff --git a/07-Observability/OpenTelemetry-Adoption.md b/07-Observability/OpenTelemetry-Adoption.md index f5b577b..7434b6b 100644 --- a/07-Observability/OpenTelemetry-Adoption.md +++ b/07-Observability/OpenTelemetry-Adoption.md @@ -1,5 +1,10 @@ --- description: "OpenTelemetry (OTel) ile vendor-neutral observability: tek SDK ve OTLP protokolu, Collector mimarisi, auto-correlation ve semantic conventions ile vendor bagimliligini kaldirma." +tags: + - Observability + - Monitoring + - Platform Engineering + - SRE --- # OpenTelemetry Adoption — Vendor-Neutral Observability 
diff --git a/07-Observability/Profiling-with-Pyroscope.md b/07-Observability/Profiling-with-Pyroscope.md index 0760db6..6b4f7f4 100644 --- a/07-Observability/Profiling-with-Pyroscope.md +++ b/07-Observability/Profiling-with-Pyroscope.md @@ -1,5 +1,10 @@ --- description: "Continuous profiling rehberi: gozlemlenebilirligin 4. ayagi olarak Pyroscope, eBPF tabanli auto-profiling, flame graph analizi ve production'da line-level performans tespiti." +tags: + - Observability + - Performance + - Monitoring + - SRE --- # Continuous Profiling — Pyroscope, eBPF Profiling diff --git a/07-Observability/Prometheus-Best-Practices.md b/07-Observability/Prometheus-Best-Practices.md index 4a42f46..a830fe6 100644 --- a/07-Observability/Prometheus-Best-Practices.md +++ b/07-Observability/Prometheus-Best-Practices.md @@ -1,5 +1,10 @@ --- description: "Production-grade Prometheus best practices: metric naming, cardinality kontrolu, retention politikasi, federation, HA ve recording rules ile OOM'dan kacinma kurallari." +tags: + - Observability + - Prometheus + - Monitoring + - SRE --- # Prometheus Best Practices — Production-Grade diff --git a/07-Observability/Prometheus-Grafana-K8s-Setup.md b/07-Observability/Prometheus-Grafana-K8s-Setup.md index a416b9f..5772cd5 100644 --- a/07-Observability/Prometheus-Grafana-K8s-Setup.md +++ b/07-Observability/Prometheus-Grafana-K8s-Setup.md @@ -1,5 +1,11 @@ --- description: "Kubernetes uzerinde Prometheus ve Grafana kurulum dokumantasyonu: sistem gereksinimleri, on kosullar, Helm kurulum adimlari, service konfigurasyonu, erisim ve sorun giderme." +tags: + - Observability + - Prometheus + - Kubernetes + - Helm + - Monitoring --- # Prometheus + Grafana Kubernetes Kurulum Dokümantasyonu diff --git a/07-Observability/README.md b/07-Observability/README.md index e6c5eb8..20482c0 100644 --- a/07-Observability/README.md +++ b/07-Observability/README.md 
@@ -1,5 +1,10 @@ --- description: "Observability bolumu indeksi: metrics, logs, traces ve profiles dort ayagi ile OpenTelemetry, Prometheus, SLO, alerting, Loki, Tempo ve Pyroscope rehberlerine giris." +tags: + - Observability + - Monitoring + - Prometheus + - SRE --- # 07 · Observability diff --git a/07-Observability/SLO-Engineering.md b/07-Observability/SLO-Engineering.md index c1db4ed..85925b3 100644 --- a/07-Observability/SLO-Engineering.md +++ b/07-Observability/SLO-Engineering.md @@ -1,5 +1,10 @@ --- description: "SLO'yu muhendislik disiplinine cevirme rehberi: SLI/SLO/error budget ozeti, multi-window burn rate alarmlari, error budget policy ve operasyonel tooling." +tags: + - Observability + - SRE + - Monitoring + - Incident Response --- # SLO Engineering — Multi-Window, Burn Rate, Error Budget diff --git a/07-Observability/Tracing-with-Tempo.md b/07-Observability/Tracing-with-Tempo.md index b910a2c..409f934 100644 --- a/07-Observability/Tracing-with-Tempo.md +++ b/07-Observability/Tracing-with-Tempo.md @@ -1,5 +1,10 @@ --- description: "Distributed tracing rehberi: OpenTelemetry SDK ile Grafana Tempo kurulumu, trace anatomisi, sampling stratejileri ve production'da trace analizi best practice'leri." +tags: + - Observability + - Monitoring + - Performance + - SRE --- # Distributed Tracing — Tempo + OpenTelemetry diff --git a/08-Security/Container-Image-Scanning.md b/08-Security/Container-Image-Scanning.md index 07ed633..8a1e5ce 100644 --- a/08-Security/Container-Image-Scanning.md +++ b/08-Security/Container-Image-Scanning.md @@ -1,5 +1,10 @@ --- description: "Trivy ekseninde shift-left container image tarama rehberi: OS/dil CVE, IaC misconfig, secret ve SBOM taramasi; CI gate'ten admission ve runtime drift'e." +tags: + - Security + - Containers + - SBOM + - CI/CD --- # Container Image Scanning — CVE'yi Üretime Sokmamak diff --git a/08-Security/DevSecOps-Pipeline.md b/08-Security/DevSecOps-Pipeline.md index 9eabbe5..3593e16 100644 
--- a/08-Security/DevSecOps-Pipeline.md +++ b/08-Security/DevSecOps-Pipeline.md @@ -1,5 +1,10 @@ --- description: "Pre-commit'ten runtime'a her asamada guvenlik kontrolu olan fail-fast ama developer-friendly DevSecOps pipeline tasarimi: shift-left ve defense in depth." +tags: + - Security + - CI/CD + - Containers + - Policy as Code --- # DevSecOps Pipeline — Shift-Left'ten Runtime'a diff --git a/08-Security/Kubernetes-Hardening.md b/08-Security/Kubernetes-Hardening.md index b565b5f..a66727f 100644 --- a/08-Security/Kubernetes-Hardening.md +++ b/08-Security/Kubernetes-Hardening.md @@ -1,5 +1,10 @@ --- description: "CIS Benchmark esasli adim adim Kubernetes prod-grade hardening: tehdit modeli, API server hardening, RBAC, NetworkPolicy ve Pod Security Standards rehberi." +tags: + - Security + - Kubernetes + - Networking + - Compliance --- # Kubernetes Hardening — 2026 Production Rehberi diff --git a/08-Security/Policy-as-Code-OPA-Kyverno.md b/08-Security/Policy-as-Code-OPA-Kyverno.md index 1010220..dc57bd2 100644 --- a/08-Security/Policy-as-Code-OPA-Kyverno.md +++ b/08-Security/Policy-as-Code-OPA-Kyverno.md @@ -1,5 +1,10 @@ --- description: "Kubernetes admission policy oyuncusu Kyverno ve OPA Gatekeeper karsilastirmasi: hazir policy katalogu ve production'a girerken sart olan 10 policy." +tags: + - Security + - Policy as Code + - Kubernetes + - Compliance --- # Policy-as-Code — Kyverno vs OPA Gatekeeper diff --git a/08-Security/README.md b/08-Security/README.md index 33d0322..2ee8285 100644 --- a/08-Security/README.md +++ b/08-Security/README.md @@ -1,5 +1,10 @@ --- description: "DevSecOps bolumu indeksi: shift-left pipeline, secrets yonetimi, image scanning, Kubernetes hardening, SLSA/SBOM, policy-as-code ve zero-trust rehberleri." +tags: + - Security + - Kubernetes + - CI/CD + - Roadmap --- # 08 · Security (DevSecOps) diff --git a/08-Security/Runtime-Security.md b/08-Security/Runtime-Security.md index c82b615..0aee77b 100644 --- a/08-Security/Runtime-Security.md 
+++ b/08-Security/Runtime-Security.md @@ -1,5 +1,10 @@ --- description: "Kubernetes'te runtime'da kotu davranisi tespit etmenin modern yolu: Falco (rule-based), Tetragon (eBPF native) ve alarmdan eyleme uzanan zincirin kurulumu." +tags: + - Security + - Kubernetes + - Observability + - Incident Response --- # Runtime Security — Falco, Tetragon, eBPF diff --git a/08-Security/SLSA-and-SBOM.md b/08-Security/SLSA-and-SBOM.md index 78dfec0..a71865b 100644 --- a/08-Security/SLSA-and-SBOM.md +++ b/08-Security/SLSA-and-SBOM.md @@ -1,5 +1,10 @@ --- description: "Yazilim tedarik zinciri guvenligi: SLSA seviyeleri, SBOM, provenance ve attestation; Sigstore/cosign/Rekor ile xz-utils tipi saldirilara karsi savunma." +tags: + - Security + - SBOM + - CI/CD + - Compliance --- # SLSA & SBOM — Supply Chain Integrity diff --git a/08-Security/Secrets-Management.md b/08-Security/Secrets-Management.md index 9a85d55..488ca15 100644 --- a/08-Security/Secrets-Management.md +++ b/08-Security/Secrets-Management.md @@ -1,5 +1,10 @@ --- description: "Production'da sir yonetimi: DB parolasi, API key ve token'lari Vault, ESO, SOPS ve Sealed Secrets ile yoneten stack karsilastirmasi ve karar agaci." +tags: + - Security + - Secrets + - Kubernetes + - Compliance --- # Secrets Management — Production'da Sır Yönetimi diff --git a/08-Security/Threat-Modeling.md b/08-Security/Threat-Modeling.md index 9be61f4..120eddd 100644 --- a/08-Security/Threat-Modeling.md +++ b/08-Security/Threat-Modeling.md @@ -1,5 +1,9 @@ --- description: "Threat modeling pratik rehberi: sistemin nasil saldirilabileceginin ve hangi kontrolun hangi tehdidi azalttiginin kaydi; STRIDE/LINDDUN ile yasayan dokuman." +tags: + - Security + - Threat Modeling + - Compliance --- # Threat Modeling — Sistemsiz Tehdit Avı Bitsin diff --git a/08-Security/Zero-Trust-Networking.md b/08-Security/Zero-Trust-Networking.md index df05e0a..5121004 100644 --- a/08-Security/Zero-Trust-Networking.md +++ b/08-Security/Zero-Trust-Networking.md 
@@ -1,5 +1,10 @@ --- description: "Zero Trust networking'i uygulanabilir kilan rehber: NIST 800-207 prensipleri, BeyondCorp, her yerde mTLS, service mesh authZ ve workload identity." +tags: + - Security + - Networking + - Service Mesh + - Kubernetes --- # Zero-Trust Networking — "Network Sınırı" Yalanı Bitti diff --git a/09-Networking/Cilium-eBPF-Intro.md b/09-Networking/Cilium-eBPF-Intro.md index a3b14e8..62c7718 100644 --- a/09-Networking/Cilium-eBPF-Intro.md +++ b/09-Networking/Cilium-eBPF-Intro.md @@ -1,5 +1,11 @@ --- description: "Cilium ve eBPF teknolojisine pratik giris: kube-proxy replacement, sidecar'siz mimari ve modern kernel-tabanli network stack'in nasil kuruldugu anlatilir." +tags: + - Networking + - Cilium + - Kubernetes + - Performance + - Service Mesh --- # Cilium & eBPF — 30 Dakikada Modern Network Stack diff --git a/09-Networking/DNS-Strategies.md b/09-Networking/DNS-Strategies.md index b09d40b..12cb124 100644 --- a/09-Networking/DNS-Strategies.md +++ b/09-Networking/DNS-Strategies.md @@ -1,5 +1,10 @@ --- description: "Kubernetes ortaminda production-grade DNS kurulumu: external-dns, CoreDNS tuning, NodeLocal DNSCache ve split-horizon ile DNS incident'larini onleme rehberi." +tags: + - Networking + - Kubernetes + - SRE + - Incident Response --- # DNS Strategies — external-dns, NodeLocal, CoreDNS Tuning diff --git a/09-Networking/Gateway-API-Migration.md b/09-Networking/Gateway-API-Migration.md index bab9073..eedce4e 100644 --- a/09-Networking/Gateway-API-Migration.md +++ b/09-Networking/Gateway-API-Migration.md @@ -1,5 +1,10 @@ --- description: "Ingress'ten Gateway API'ye gecis rehberi: niye gerekli, persona-bazli CRD modeli, adim adim migration plani ve gecis sirasinda beklenen tuzaklar." +tags: + - Networking + - Kubernetes + - Platform Engineering + - Roadmap --- # Gateway API — Ingress'in Halefi, 2026'da Standart diff --git a/09-Networking/Ingress-NGINX-Patterns.md b/09-Networking/Ingress-NGINX-Patterns.md index a51f9d0..c0bcbc5 100644 
--- a/09-Networking/Ingress-NGINX-Patterns.md +++ b/09-Networking/Ingress-NGINX-Patterns.md @@ -1,5 +1,9 @@ --- description: "Ingress-NGINX production pattern'leri: TLS termination, rate limit, canary deployment, auth ve WAF ayarlari somut annotation ornekleriyle anlatilir." +tags: + - Networking + - Kubernetes + - Security --- # Ingress-NGINX Patterns — TLS, Rate Limit, Canary, Auth diff --git a/09-Networking/Ingress-and-Gateway-API.md b/09-Networking/Ingress-and-Gateway-API.md index 5ce99bf..c23045b 100644 --- a/09-Networking/Ingress-and-Gateway-API.md +++ b/09-Networking/Ingress-and-Gateway-API.md @@ -1,5 +1,9 @@ --- description: "Ingress ve Gateway API'nin yan yana calistirilmasi: gecis stratejisi, hibrit pattern (yeni servis Gateway, eski Ingress) ve hangisini ne zaman sececegin." +tags: + - Networking + - Kubernetes + - Platform Engineering --- # Ingress vs Gateway API — Yan Yana, Hangisi Ne Zaman diff --git a/09-Networking/Network-Troubleshooting.md b/09-Networking/Network-Troubleshooting.md index e7162e8..4012fe7 100644 --- a/09-Networking/Network-Troubleshooting.md +++ b/09-Networking/Network-Troubleshooting.md @@ -1,5 +1,10 @@ --- description: "Production'da network sorunlarini sistemli debug etme: tcpdump, ss, dig ve conntrack komutlari ile karar agaci yontemini somut adimlarla anlatan rehber." +tags: + - Networking + - SRE + - Incident Response + - Cheatsheet --- # Network Troubleshooting — tcpdump, ss, dig, conntrack diff --git a/09-Networking/README.md b/09-Networking/README.md index 69722e7..660c00c 100644 --- a/09-Networking/README.md +++ b/09-Networking/README.md @@ -1,5 +1,10 @@ --- description: "Kubernetes networking rehber dizini: cluster ici/disi network kavramlari, eBPF dunyasi, service mesh ve Ingress'ten Gateway API'ye gecis konulari." +tags: + - Networking + - Kubernetes + - Service Mesh + - Roadmap --- # 09 · Networking 
diff --git a/09-Networking/Service-Mesh-Comparison.md b/09-Networking/Service-Mesh-Comparison.md index e3507d2..bfb2493 100644 --- a/09-Networking/Service-Mesh-Comparison.md +++ b/09-Networking/Service-Mesh-Comparison.md @@ -1,5 +1,11 @@ --- description: "Istio, Linkerd ve Cilium service mesh'lerinin 2026 karsilastirmasi: sidecar-less yukselisi, mTLS, observability ve hangi senaryoda hangisini sececegin." +tags: + - Networking + - Service Mesh + - Kubernetes + - Cilium + - Observability --- # Service Mesh Karşılaştırma — Istio, Linkerd, Cilium diff --git a/10-Databases-Production/Backup-Restore-Patterns.md b/10-Databases-Production/Backup-Restore-Patterns.md index 88e56d0..7ea9fec 100644 --- a/10-Databases-Production/Backup-Restore-Patterns.md +++ b/10-Databases-Production/Backup-Restore-Patterns.md @@ -1,5 +1,10 @@ --- description: "Postgres backup stratejileri: 3-2-1 kuralı, RPO/RTO hedefleri, logical/physical backup, PITR ve restore tatbikatını otomasyonla disiplin haline getirme." +tags: + - Databases + - PostgreSQL + - Backup + - SRE --- # Postgres Backup & Restore — Test Edilmemiş Backup, Backup Değildir diff --git a/10-Databases-Production/Connection-Pooling.md b/10-Databases-Production/Connection-Pooling.md index e84da69..69e1ee8 100644 --- a/10-Databases-Production/Connection-Pooling.md +++ b/10-Databases-Production/Connection-Pooling.md @@ -1,5 +1,10 @@ --- description: "Postgres connection pooling rehberi: PgBouncer pratikleri, pgcat ve app-side pooling alternatifleri, pool exhaustion sorunu ve doğru pool size hesabı." +tags: + - Databases + - PostgreSQL + - Performance + - Networking --- # Connection Pooling — Postgres'in En Sık İhmal Edilen Tarafı diff --git a/10-Databases-Production/HA-Patroni-Stolon.md b/10-Databases-Production/HA-Patroni-Stolon.md index ba9c703..e118c38 100644 --- a/10-Databases-Production/HA-Patroni-Stolon.md +++ b/10-Databases-Production/HA-Patroni-Stolon.md 
@@ -1,5 +1,10 @@ --- description: "Postgres yüksek erişilebilirlik (HA) çözümleri: Patroni, Stolon ve CloudNativePG karşılaştırması, otomatik failover, split-brain çözümü ve 2026 önerisi." +tags: + - Databases + - PostgreSQL + - Postgres HA + - SRE --- # Postgres HA — Patroni, Stolon, CloudNativePG diff --git a/10-Databases-Production/Monitoring-Postgres.md b/10-Databases-Production/Monitoring-Postgres.md index e5d998a..4d85fb1 100644 --- a/10-Databases-Production/Monitoring-Postgres.md +++ b/10-Databases-Production/Monitoring-Postgres.md @@ -1,5 +1,11 @@ --- description: "Postgres observability stack rehberi: pg_stat_statements, postgres-exporter, slow query log ve replication monitoring; somut alarm ve dashboard örnekleriyle." +tags: + - Databases + - PostgreSQL + - Observability + - Monitoring + - Prometheus --- # Postgres Monitoring — Slow Query, Lock, Bloat, Replication diff --git a/10-Databases-Production/Operator-Patterns.md b/10-Databases-Production/Operator-Patterns.md index a6fc01a..d5c2f23 100644 --- a/10-Databases-Production/Operator-Patterns.md +++ b/10-Databases-Production/Operator-Patterns.md @@ -1,5 +1,10 @@ --- description: "Kubernetes için 3 büyük Postgres operator karşılaştırması: CloudNativePG, Crunchy PGO ve Zalando; HA, backup, monitoring ve 2026 için net karar." +tags: + - Databases + - Kubernetes + - PostgreSQL + - Postgres HA --- # Postgres Operator Karşılaştırma — CloudNativePG, Crunchy, Zalando diff --git a/10-Databases-Production/Postgres-Production-Guide.md b/10-Databases-Production/Postgres-Production-Guide.md index 2c50f94..c1f93aa 100644 --- a/10-Databases-Production/Postgres-Production-Guide.md +++ b/10-Databases-Production/Postgres-Production-Guide.md 
@@ -1,5 +1,10 @@ --- description: "Prod-grade PostgreSQL kurulumu için rehber: postgresql.conf tuning, connection pooling, monitoring ve operasyonel kararlar; Postgres 16/17 referansli." +tags: + - Databases + - PostgreSQL + - Performance + - Monitoring --- # PostgreSQL Production Guide — Tuning, Pooling, Monitoring diff --git a/10-Databases-Production/README.md b/10-Databases-Production/README.md index fbaba1b..78a372f 100644 --- a/10-Databases-Production/README.md +++ b/10-Databases-Production/README.md @@ -1,5 +1,10 @@ --- description: "Production veritabanları bölümünün indeksi: Postgres tuning, backup/restore, HA failover, zero-downtime migration, operator pattern ve connection pooling." +tags: + - Databases + - PostgreSQL + - Postgres HA + - Roadmap --- # 10 · Databases in Production diff --git a/10-Databases-Production/StatefulSet-vs-Operator.md b/10-Databases-Production/StatefulSet-vs-Operator.md index a52a6a7..7719701 100644 --- a/10-Databases-Production/StatefulSet-vs-Operator.md +++ b/10-Databases-Production/StatefulSet-vs-Operator.md @@ -1,5 +1,10 @@ --- description: "Kubernetes'te stateful workload yonetimi: plain StatefulSet'in nerede yeterli oldugu, operator pattern'in ne zaman zorunlu oldugu ve karar agaci." +tags: + - Databases + - Kubernetes + - PostgreSQL + - Platform Engineering --- # StatefulSet vs Operator — Stateful Workload K8s'de diff --git a/10-Databases-Production/Zero-Downtime-Migrations.md b/10-Databases-Production/Zero-Downtime-Migrations.md index 21b8e18..0d76ee2 100644 --- a/10-Databases-Production/Zero-Downtime-Migrations.md +++ b/10-Databases-Production/Zero-Downtime-Migrations.md @@ -1,5 +1,10 @@ --- description: "Postgres zero-downtime schema migration pattern'leri: expand/contract, online schema change, gh-ost ve pg_repack; naif migration neden coker, somut orneklerle." +tags: + - Databases + - PostgreSQL + - SRE + - Performance --- # Zero-Downtime Migrations — Schema Değişikliği Yaparken Prod'u Düşürme 
diff --git a/11-SRE/Capacity-Planning.md b/11-SRE/Capacity-Planning.md index d99c55f..16e3933 100644 --- a/11-SRE/Capacity-Planning.md +++ b/11-SRE/Capacity-Planning.md @@ -1,5 +1,10 @@ --- description: "Demand forecasting, headroom hesaplama, load test framework'ü ve 'ne zaman scale up?' sorusunun yöntemsel cevabını veren capacity planning rehberi." +tags: + - SRE + - Performance + - Cost Optimization + - Monitoring --- # Capacity Planning — "Ne Kadar Yeterli?" Sorusunun Mühendislik Cevabı diff --git a/11-SRE/Chaos-Engineering.md b/11-SRE/Chaos-Engineering.md index cddc02d..a600856 100644 --- a/11-SRE/Chaos-Engineering.md +++ b/11-SRE/Chaos-Engineering.md @@ -1,5 +1,10 @@ --- description: "Chaos engineering'i game day, fault injection, Litmus ve Chaos Mesh ile ekibin kültürüne entegre etmenin somut yollarını anlatan rehber." +tags: + - SRE + - Chaos Engineering + - Kubernetes + - Culture --- # Chaos Engineering — Kontrollü Hata Yaratmak diff --git a/11-SRE/Incident-Response.md b/11-SRE/Incident-Response.md index c4096d3..d88517c 100644 --- a/11-SRE/Incident-Response.md +++ b/11-SRE/Incident-Response.md @@ -1,5 +1,10 @@ --- description: "Üretimde incident çıktığında ne yapılır, kim ne der, kim karar verir sorularına net cevap veren; IC rolü, severity ve iletişim odaklı pratik rehber." +tags: + - SRE + - Incident Response + - Monitoring + - Soft Skills --- # Incident Response — Yangın Söndürmenin Anatomi'si diff --git a/11-SRE/Postmortem-Practice.md b/11-SRE/Postmortem-Practice.md index 73a6ba2..e3fff7d 100644 --- a/11-SRE/Postmortem-Practice.md +++ b/11-SRE/Postmortem-Practice.md @@ -1,5 +1,10 @@ --- description: "Blameless postmortem kültürünün rutine dönüştürülmesini, yazma süreci, fasilitasyon, action item yönetimi ve kültürel sürdürülebilirliği anlatır." +tags: + - SRE + - Incident Response + - Culture + - Soft Skills --- # Postmortem Practice — Blameless'i Rutin Haline Getirmek diff --git a/11-SRE/README.md b/11-SRE/README.md index c5d69fa..c991540 100644 
--- a/11-SRE/README.md +++ b/11-SRE/README.md @@ -1,5 +1,10 @@ --- description: "Site Reliability Engineering modülünün indeksi: SLI/SLO/error budget, incident response, runbook, chaos engineering, capacity, toil ve postmortem." +tags: + - SRE + - Observability + - Incident Response + - Roadmap --- # 11 · Site Reliability Engineering diff --git a/11-SRE/Runbook-Template.md b/11-SRE/Runbook-Template.md index 72750aa..5d6b0b5 100644 --- a/11-SRE/Runbook-Template.md +++ b/11-SRE/Runbook-Template.md @@ -1,5 +1,10 @@ --- description: "Prod ortamında alarmlara cevap vermek için runbook'un ne olduğunu, neden ve nasıl yazıldığını anlatan rehber; şablon, örnek ve anti-pattern'ler." +tags: + - SRE + - Incident Response + - Template + - Field Notes --- # Runbook — Alarm Düştüğünde Ne Yap diff --git a/11-SRE/SLI-SLO-Error-Budget.md b/11-SRE/SLI-SLO-Error-Budget.md index 4d069d4..bb48fe2 100644 --- a/11-SRE/SLI-SLO-Error-Budget.md +++ b/11-SRE/SLI-SLO-Error-Budget.md @@ -1,5 +1,10 @@ --- description: "SLI, SLO, SLA ve error budget kavramlarını Türkçe ve uygulanabilir biçimde anlatan, kendi servisinin ilk SLO'sunu yazdıran pratik rehber." +tags: + - SRE + - Observability + - Monitoring + - DORA --- # SLI / SLO / Error Budget — Pratik Rehber diff --git a/11-SRE/Toil-Reduction.md b/11-SRE/Toil-Reduction.md index 99782c7..96bfcdd 100644 --- a/11-SRE/Toil-Reduction.md +++ b/11-SRE/Toil-Reduction.md @@ -1,5 +1,10 @@ --- description: "Google SRE Book'un toil kavramını, nasıl ölçüleceğini, %50 kuralını ve toil'i azaltmanın somut tekniklerini anlatan pratik rehber." +tags: + - SRE + - Culture + - Performance + - Field Notes --- # Toil Reduction — "Ekibin %50'si Toil'da" Demek diff --git a/12-FinOps/Cloud-Cost-Allocation.md b/12-FinOps/Cloud-Cost-Allocation.md index f2e5e48..57be96c 100644 --- a/12-FinOps/Cloud-Cost-Allocation.md +++ b/12-FinOps/Cloud-Cost-Allocation.md 
@@ -1,5 +1,10 @@ --- description: "Cloud faturasini anlamlandirma: kim ne icin harcadi sorusuna cevap; tagging stratejisi, showback, chargeback ve anomaly detection ile maliyet allocation." +tags: + - FinOps + - Cost Optimization + - AWS + - Cost --- # Cloud Cost Allocation — Faturayı Anlamak diff --git a/12-FinOps/Egress-Cost-Reduction.md b/12-FinOps/Egress-Cost-Reduction.md index b85face..c09c1e0 100644 --- a/12-FinOps/Egress-Cost-Reduction.md +++ b/12-FinOps/Egress-Cost-Reduction.md @@ -1,5 +1,11 @@ --- description: "AWS, GCP ve Azure'da egress maliyetini azaltma: VPC Endpoints, CDN, peering, single-AZ ve NAT Gateway kontrolu ile gizli bill kalemini somut tasarrufa cevirme." +tags: + - FinOps + - Cost Optimization + - Networking + - AWS + - Cost --- # Egress Cost Reduction — Görünmez Bill Kaleminin Kontrolü diff --git a/12-FinOps/Kubecost-Setup.md b/12-FinOps/Kubecost-Setup.md index cec9b51..b841038 100644 --- a/12-FinOps/Kubecost-Setup.md +++ b/12-FinOps/Kubecost-Setup.md @@ -1,5 +1,11 @@ --- description: "Kubecost ile Kubernetes cost visibility: per-namespace, workload ve label bazli dollar maliyet dashboard, allocation modeli, alert ve OpenCost alternatifi." +tags: + - FinOps + - Cost Optimization + - Kubernetes + - Observability + - Cost --- # Kubecost Setup — K8s Cost Visibility diff --git a/12-FinOps/PR-Cost-Diff.md b/12-FinOps/PR-Cost-Diff.md index a95293a..5b8e00d 100644 --- a/12-FinOps/PR-Cost-Diff.md +++ b/12-FinOps/PR-Cost-Diff.md @@ -1,5 +1,11 @@ --- description: "CI'da PR'in cost impact'ini hesaplama ve PR yorumuna ekleme: Infracost ve Kubecost ile pre-merge maliyet review, sürpriz bill yerine bilincli karar." +tags: + - FinOps + - Cost Optimization + - CI/CD + - Terraform + - Cost --- # PR Cost Diff — "Bu PR ne kadara mal olacak?" diff --git a/12-FinOps/README.md b/12-FinOps/README.md index eac5c1f..025b0e8 100644 --- a/12-FinOps/README.md +++ b/12-FinOps/README.md 
@@ -1,5 +1,10 @@ --- description: "FinOps Foundation cercevesi (Inform-Optimize-Operate) rehberleri: cost allocation, right-sizing, spot, reserved plan, storage, egress, Kubecost ve PR cost diff." +tags: + - FinOps + - Cost Optimization + - Roadmap + - Cost --- # 12 · FinOps diff --git a/12-FinOps/Reserved-and-Savings-Plans.md b/12-FinOps/Reserved-and-Savings-Plans.md index e95a10e..794866b 100644 --- a/12-FinOps/Reserved-and-Savings-Plans.md +++ b/12-FinOps/Reserved-and-Savings-Plans.md @@ -1,5 +1,10 @@ --- description: "AWS Reserved Instances, Savings Plans, GCP CUDs ve Azure Reservations icin uzun vadeli commitment stratejisi; forecast, commitment ladder, over-commit kacinma." +tags: + - FinOps + - Cost Optimization + - AWS + - Cost --- # Reserved Instances & Savings Plans — Long-Term Commitment diff --git a/12-FinOps/Right-Sizing.md b/12-FinOps/Right-Sizing.md index 518e043..6647dc4 100644 --- a/12-FinOps/Right-Sizing.md +++ b/12-FinOps/Right-Sizing.md @@ -1,5 +1,11 @@ --- description: "AWS, GCP ve Kubernetes icin right-sizing rehberi: kullanim profiline gore instance kuculttme, CPU/memory hedefleri, tooling ve ne zaman kuculteleceginin karari." +tags: + - FinOps + - Cost Optimization + - Kubernetes + - AWS + - Performance --- # Right-Sizing — Doğru Boyutta Resource diff --git a/12-FinOps/Spot-Instance-Strategy.md b/12-FinOps/Spot-Instance-Strategy.md index 7d77852..2016411 100644 --- a/12-FinOps/Spot-Instance-Strategy.md +++ b/12-FinOps/Spot-Instance-Strategy.md @@ -1,5 +1,11 @@ --- description: "AWS Spot, GCP Preemptible ve Azure Spot ile %70 tasarruf: uygun workload secimi, graceful interruption handling ve Karpenter ile mixed fleet stratejisi." +tags: + - FinOps + - Cost Optimization + - AWS + - Kubernetes + - Cost --- # Spot Instance Strategy — %70 Tasarruf diff --git a/12-FinOps/Storage-Cost-Optimization.md b/12-FinOps/Storage-Cost-Optimization.md index 793d34b..780ee72 100644 --- a/12-FinOps/Storage-Cost-Optimization.md 
+++ b/12-FinOps/Storage-Cost-Optimization.md @@ -1,5 +1,11 @@ --- description: "S3, EBS, snapshot ve backup icin storage maliyet optimizasyonu: lifecycle policy, tier transition, idle volume ve zombie snapshot temizligi ile somut tasarruf." +tags: + - FinOps + - Cost Optimization + - AWS + - Backup + - Cost --- # Storage Cost Optimization — S3, EBS, Snapshot, Backup diff --git a/13-Platform-Engineering/Backstage-Setup.md b/13-Platform-Engineering/Backstage-Setup.md index afa17ba..1ee71ab 100644 --- a/13-Platform-Engineering/Backstage-Setup.md +++ b/13-Platform-Engineering/Backstage-Setup.md @@ -1,5 +1,10 @@ --- description: "Spotify'ın açık kaynak Backstage geliştirici portalını sıfırdan prod-grade seviyeye kurma rehberi: catalog, scaffolder, TechDocs, plugin'ler ve OIDC auth adımları." +tags: + - Platform Engineering + - Kubernetes + - Security + - Template --- # Backstage Setup — IDP'nin Pratik Kuruluşu diff --git a/13-Platform-Engineering/Golden-Paths.md b/13-Platform-Engineering/Golden-Paths.md index 9fa435c..5e9008c 100644 --- a/13-Platform-Engineering/Golden-Paths.md +++ b/13-Platform-Engineering/Golden-Paths.md @@ -1,5 +1,10 @@ --- description: "Internal Developer Platform'un kalbi golden path'leri tasarlama rehberi: opinionated ve otomatik 'yeni servis 5 dakikada' yol haritaları, kapsamı ve adoption ölçümü." +tags: + - Platform Engineering + - GitOps + - CI/CD + - Template --- # Golden Paths — "Yeni Servis 5 Dakikada" diff --git a/13-Platform-Engineering/Internal-Developer-Platform.md b/13-Platform-Engineering/Internal-Developer-Platform.md index f506534..625d61d 100644 --- a/13-Platform-Engineering/Internal-Developer-Platform.md +++ b/13-Platform-Engineering/Internal-Developer-Platform.md 
@@ -1,5 +1,10 @@ --- description: "Internal Developer Platform (IDP) kavramını teknolojiden önce kültürel ve ürün bakışıyla anlatan rehber: self-service altın yol, build vs buy ve somut yol haritası." +tags: + - Platform Engineering + - Culture + - Roadmap + - Kubernetes --- # Internal Developer Platform — Niye, Nasıl, Hangi Sırayla diff --git a/13-Platform-Engineering/Platform-as-Product.md b/13-Platform-Engineering/Platform-as-Product.md index 0b87fc1..aaa94d2 100644 --- a/13-Platform-Engineering/Platform-as-Product.md +++ b/13-Platform-Engineering/Platform-as-Product.md @@ -1,5 +1,10 @@ --- description: "Platform Engineering'i bir ürün disiplini olarak yönetmenin somut yolları: developer'ı müşteri görme felsefesi, NPS ölçümü, roadmap, OKR, beta program ve evangelism." +tags: + - Platform Engineering + - Culture + - Soft Skills + - Roadmap --- # Platform-as-Product — İç Müşteri Memnuniyeti diff --git a/13-Platform-Engineering/README.md b/13-Platform-Engineering/README.md index 99e7cbe..a8d36ff 100644 --- a/13-Platform-Engineering/README.md +++ b/13-Platform-Engineering/README.md @@ -1,5 +1,9 @@ --- description: "Platform Engineering bölümünün indeksi: Internal Developer Platform, Backstage kurulumu, golden paths, service catalog ve platform-as-product konularına genel bakış ve dosya rehberi." +tags: + - Platform Engineering + - Roadmap + - Culture --- # 13 · Platform Engineering diff --git a/13-Platform-Engineering/Service-Catalog.md b/13-Platform-Engineering/Service-Catalog.md index 6f12883..6fdbfc9 100644 --- a/13-Platform-Engineering/Service-Catalog.md +++ b/13-Platform-Engineering/Service-Catalog.md @@ -1,5 +1,9 @@ --- description: "Backstage Catalog ile servis envanterini tutma, ownership atama, dependency graph görüntüleme ve on-call eşlemesi yapmanın pratik yollarını anlatan rehber." +tags: + - Platform Engineering + - SRE + - Incident Response --- # Service Catalog — Servis Envanteri, Ownership, Dependency Graph 
diff --git a/14-Sustainability/Carbon-Aware-Computing.md b/14-Sustainability/Carbon-Aware-Computing.md index 3559a2b..eee80ff 100644 --- a/14-Sustainability/Carbon-Aware-Computing.md +++ b/14-Sustainability/Carbon-Aware-Computing.md @@ -1,5 +1,10 @@ --- description: "Carbon-aware workload scheduling rehberi: isin ne zaman ve nerede calisacagini sebekenin anlik karbon yogunluguna gore secme, gercek zamanli API'lar, K8s ve CI ornekleri." +tags: + - Sustainability + - Kubernetes + - CI/CD + - FinOps --- # Carbon-Aware Computing — Düşük-Karbon Saatte Çalış diff --git a/14-Sustainability/Efficiency-Practices.md b/14-Sustainability/Efficiency-Practices.md index a716432..1ca5973 100644 --- a/14-Sustainability/Efficiency-Practices.md +++ b/14-Sustainability/Efficiency-Practices.md @@ -1,5 +1,11 @@ --- description: "Yesil yazilim icin hizli uygulanabilen verimlilik pratikleri: ARM/Graviton, spot instance, idle cleanup, compression, caching ve right-sizing; cost-carbon dual ROI ornekleriyle." +tags: + - Sustainability + - FinOps + - Cost Optimization + - Kubernetes + - Performance --- # Efficiency Practices — Quick Wins for Carbon + Cost diff --git a/14-Sustainability/Green-Software-Principles.md b/14-Sustainability/Green-Software-Principles.md index 082cee2..2749bc8 100644 --- a/14-Sustainability/Green-Software-Principles.md +++ b/14-Sustainability/Green-Software-Principles.md @@ -1,5 +1,11 @@ --- description: "Green Software Foundation'un 8 prensibini somut muhendislik kararlarina ceviren rehber; SCI metrigiyle olcum ve yesil yazilimi CI'da pass/fail metrige donusturme, CSRD/SEC baglamiyla." +tags: + - Sustainability + - Observability + - Prometheus + - CI/CD + - Compliance --- # Green Software Principles — Karbonu Mühendislik Disiplinine Çevirmek diff --git a/14-Sustainability/Measuring-Software-Carbon.md b/14-Sustainability/Measuring-Software-Carbon.md index 0c7c0f3..dc21a00 100644 --- a/14-Sustainability/Measuring-Software-Carbon.md 
+++ b/14-Sustainability/Measuring-Software-Carbon.md @@ -1,5 +1,11 @@ --- description: "Yazilim emisyonunu gercek metrige donusturen stack rehberi: SCI formulu, Cloud Carbon Footprint, Kepler eBPF ve AWS/GCP/Azure native karbon dashboard'lari adim adim." +tags: + - Sustainability + - Observability + - Prometheus + - Compliance + - FinOps --- # Measuring Software Carbon — SCI, Cloud Carbon Footprint, Kepler diff --git a/14-Sustainability/README.md b/14-Sustainability/README.md index 7a8e941..29c8db5 100644 --- a/14-Sustainability/README.md +++ b/14-Sustainability/README.md @@ -1,5 +1,10 @@ --- description: "Surdurulebilir muhendislik ve Green IT bolum indeksi: GSF 8 prensibi, carbon-aware computing, SCI olcumu, dusuk-karbon region secimi ve verimlilik pratikleri rehberleri." +tags: + - Sustainability + - FinOps + - Kubernetes + - Roadmap --- # 14 · Sustainable Engineering / Green IT diff --git a/14-Sustainability/Region-Selection.md b/14-Sustainability/Region-Selection.md index 6f84f10..01fc3c8 100644 --- a/14-Sustainability/Region-Selection.md +++ b/14-Sustainability/Region-Selection.md @@ -1,5 +1,11 @@ --- description: "AWS, GCP ve Azure region'larini karbon yogunluguna gore karsilastiran rehber; latency, maliyet ve data-residency trade-off'lariyla dusuk-karbon region karar matrisi kurma." +tags: + - Sustainability + - AWS + - Cost Optimization + - Compliance + - KVKK --- # Region Selection — Cloud Region Karbon Karar Matrisi diff --git a/15-AI-LLMOps/AI-Augmented-Operations.md b/15-AI-LLMOps/AI-Augmented-Operations.md index 42e5abd..38abbcc 100644 --- a/15-AI-LLMOps/AI-Augmented-Operations.md +++ b/15-AI-LLMOps/AI-Augmented-Operations.md @@ -1,5 +1,11 @@ --- description: "LLM'in DevOps akisindaki pratik kullanimlari: log analiz, runbook, postmortem, alarm triage; agent pattern'leri, use case matrisi ve otomasyon-insan dengesi." +tags: + - AI/LLMOps + - SRE + - Incident Response + - Observability + - Security --- # AI-Augmented Operations — LLM ile DevOps İşi 
diff --git a/15-AI-LLMOps/LLM-in-Production.md b/15-AI-LLMOps/LLM-in-Production.md index fd04f3d..00ad412 100644 --- a/15-AI-LLMOps/LLM-in-Production.md +++ b/15-AI-LLMOps/LLM-in-Production.md @@ -1,5 +1,11 @@ --- description: "LLM uygulamalarini production'a alma: rate limit, input safety, prompt template registry, eval, observability, cost ve guardrail'ler ile LLMOps mimarisi." +tags: + - AI/LLMOps + - Observability + - Security + - Cost Optimization + - Platform Engineering --- # LLM Uygulamalarını Production'a Almak diff --git a/15-AI-LLMOps/Model-Cost-Optimization.md b/15-AI-LLMOps/Model-Cost-Optimization.md index 0afc131..09014b2 100644 --- a/15-AI-LLMOps/Model-Cost-Optimization.md +++ b/15-AI-LLMOps/Model-Cost-Optimization.md @@ -1,5 +1,10 @@ --- description: "LLM maliyet optimizasyonu: token fiyatlandirma, model tier secimi, prompt caching, batch API, semantic cache ve fine-tuning ROI ile ayni isi %70 ucuza yapma." +tags: + - AI/LLMOps + - Cost Optimization + - FinOps + - Performance --- # Model Cost Optimization — LLM Bill'i Yönetmek diff --git a/15-AI-LLMOps/Prompt-Engineering-for-Ops.md b/15-AI-LLMOps/Prompt-Engineering-for-Ops.md index cb3c173..15af4d0 100644 --- a/15-AI-LLMOps/Prompt-Engineering-for-Ops.md +++ b/15-AI-LLMOps/Prompt-Engineering-for-Ops.md @@ -1,5 +1,10 @@ --- description: "DevOps/SRE icin pratik prompt engineering: log analizi, runbook generation, incident summary ve postmortem icin somut prompt pattern'leri ve 5 temel prensip." +tags: + - AI/LLMOps + - SRE + - Incident Response + - Template --- # Prompt Engineering for Ops — DevOps İçin Pratik LLM Kullanımı diff --git a/15-AI-LLMOps/RAG-Architecture.md b/15-AI-LLMOps/RAG-Architecture.md index 10fac5b..033e945 100644 --- a/15-AI-LLMOps/RAG-Architecture.md +++ b/15-AI-LLMOps/RAG-Architecture.md 
@@ -1,5 +1,11 @@ --- description: "RAG (Retrieval-Augmented Generation) mimarisi: embedding, vector store, retriever, reranker ve generation asamalarini production'da kurma; LLM'e dis kaynak." +tags: + - AI/LLMOps + - Databases + - PostgreSQL + - Security + - Performance --- # RAG Architecture — Retrieval-Augmented Generation diff --git a/15-AI-LLMOps/README.md b/15-AI-LLMOps/README.md index 9167432..6cd36c7 100644 --- a/15-AI-LLMOps/README.md +++ b/15-AI-LLMOps/README.md @@ -1,5 +1,11 @@ --- description: "AI/LLMOps bolumu indeksi: RAG, prompt engineering, self-hosted LLM, cost optimization, safety guardrail'leri ve MLOps vs LLMOps karsilastirmasi." +tags: + - AI/LLMOps + - Observability + - Cost Optimization + - Security + - Roadmap --- # 15 · AI / LLMOps diff --git a/15-AI-LLMOps/Safety-and-Guardrails.md b/15-AI-LLMOps/Safety-and-Guardrails.md index 98be4c6..a10e7ba 100644 --- a/15-AI-LLMOps/Safety-and-Guardrails.md +++ b/15-AI-LLMOps/Safety-and-Guardrails.md @@ -1,5 +1,12 @@ --- description: "LLM safety ve guardrails: prompt injection, jailbreak, PII sizintisi, hallucination ve brand-safety risklerine karsi katmanli savunma ve tehdit modeli." +tags: + - AI/LLMOps + - Security + - Threat Modeling + - Compliance + - KVKK + - GDPR --- # LLM Safety & Guardrails — Production'da Korumalar diff --git a/15-AI-LLMOps/Self-Hosted-LLM.md b/15-AI-LLMOps/Self-Hosted-LLM.md index fbb10dc..1f82c59 100644 --- a/15-AI-LLMOps/Self-Hosted-LLM.md +++ b/15-AI-LLMOps/Self-Hosted-LLM.md @@ -1,5 +1,11 @@ --- description: "Self-hosted LLM: vLLM, Ollama ve Llama Stack ile kurulum, GPU kapasite planlamasi, production onerileri; privacy, cost ve offline icin self-host artilari." +tags: + - AI/LLMOps + - Kubernetes + - Cost Optimization + - Performance + - Security --- # Self-Hosted LLM — vLLM, Ollama, Llama Stack diff --git a/16-Cheatsheets/README.md b/16-Cheatsheets/README.md index 33f8d5a..d55a224 100644 --- a/16-Cheatsheets/README.md +++ b/16-Cheatsheets/README.md 
@@ -1,5 +1,9 @@ --- description: "DevOps cheatsheet koleksiyonu indeksi: kubectl, docker, git, helm, terraform, aws-cli ve daha fazlasi. Sik kullanilan komutlari gruplayip hizli erisim saglar." +tags: + - Cheatsheet + - Roadmap + - Field Notes --- # 16 · Cheatsheets diff --git a/16-Cheatsheets/aws-cli.md b/16-Cheatsheets/aws-cli.md index 1cc4a8f..107e1df 100644 --- a/16-Cheatsheets/aws-cli.md +++ b/16-Cheatsheets/aws-cli.md @@ -1,5 +1,9 @@ --- description: "AWS CLI pratik komut notlari: profil ve SSO auth, sts assume-role, EC2/S3/IAM islemleri, query filtreleme ve caller-identity dogrulama ornekleri." +tags: + - Cheatsheet + - AWS + - Security --- # AWS CLI Cheatsheet diff --git a/16-Cheatsheets/docker.md b/16-Cheatsheets/docker.md index ddc2e70..7d14016 100644 --- a/16-Cheatsheets/docker.md +++ b/16-Cheatsheets/docker.md @@ -1,5 +1,9 @@ --- description: "Docker pratik komut notlari: image build, build-arg, BuildKit/buildx ile multi-platform build ve cache, run, exec, network, volume ve prune islemleri." +tags: + - Cheatsheet + - Docker + - Containers --- # Docker Cheatsheet diff --git a/16-Cheatsheets/git.md b/16-Cheatsheets/git.md index 0d10ea8..9ae00f1 100644 --- a/16-Cheatsheets/git.md +++ b/16-Cheatsheets/git.md @@ -1,5 +1,8 @@ --- description: "Git pratik komut notlari: status ve log inspection, gecmis duzenleme, bisect, cherry-pick, reflog ve worktree. Senior dev'lerin gunluk kullandigi ipuclari." +tags: + - Cheatsheet + - Git --- # Git Cheatsheet diff --git a/16-Cheatsheets/helm.md b/16-Cheatsheets/helm.md index 0153d19..5483fee 100644 --- a/16-Cheatsheets/helm.md +++ b/16-Cheatsheets/helm.md @@ -1,5 +1,10 @@ --- description: "Helm 3+ icin komut notlari: repo yonetimi, chart template debug, release kurulumu/upgrade, hook'lar ve OCI registry. Tiller'siz, namespace bazli release." +tags: + - Cheatsheet + - Helm + - Kubernetes + - Containers --- # Helm Cheatsheet diff --git a/16-Cheatsheets/kubectl.md b/16-Cheatsheets/kubectl.md index 26c60c6..771610a 100644 
--- a/16-Cheatsheets/kubectl.md +++ b/16-Cheatsheets/kubectl.md @@ -1,5 +1,9 @@ --- description: "kubectl pratik komut notlari: cluster inspection, etiket filtreleme, JSONPath ile alan secimi, pod debug, rollout, port-forward ve sirali cikti ornekleri." +tags: + - Cheatsheet + - Kubernetes + - Containers --- # kubectl Cheatsheet diff --git a/16-Cheatsheets/linux-troubleshooting.md b/16-Cheatsheets/linux-troubleshooting.md index 8daa132..5892d17 100644 --- a/16-Cheatsheets/linux-troubleshooting.md +++ b/16-Cheatsheets/linux-troubleshooting.md @@ -1,5 +1,10 @@ --- description: "Linux sorun giderme cheatsheet'i: Brendan Gregg USE metodu ile CPU, bellek, disk ve network teshisi. Production'da neyin yavas oldugunu bulma araclari." +tags: + - Cheatsheet + - Incident Response + - Performance + - SRE --- # Linux Troubleshooting Cheatsheet diff --git a/16-Cheatsheets/networking-tools.md b/16-Cheatsheets/networking-tools.md index 940bb6c..8794f76 100644 --- a/16-Cheatsheets/networking-tools.md +++ b/16-Cheatsheets/networking-tools.md @@ -1,5 +1,9 @@ --- description: "Network teshis araclari cheatsheet'i: DNS icin dig, baglanti ve port testleri, 7 katmanli sorun giderme. Ping doner ama uygulama 503 verir senaryolari icin." +tags: + - Cheatsheet + - Networking + - Incident Response --- # Networking Tools Cheatsheet diff --git a/16-Cheatsheets/terraform.md b/16-Cheatsheets/terraform.md index 9bf940b..e637a02 100644 --- a/16-Cheatsheets/terraform.md +++ b/16-Cheatsheets/terraform.md @@ -1,5 +1,9 @@ --- description: "Terraform ve OpenTofu icin komut notlari: init, fmt, validate, plan/apply workflow, state islemleri, import ve console. Komutlar her iki arac icin ayni calisir." +tags: + - Cheatsheet + - Terraform + - IaC --- # Terraform / OpenTofu Cheatsheet diff --git a/16-Cheatsheets/vim-survival.md b/16-Cheatsheets/vim-survival.md index 34633aa..71437a5 100644 --- a/16-Cheatsheets/vim-survival.md +++ b/16-Cheatsheets/vim-survival.md 
@@ -1,5 +1,8 @@ --- description: "Vim hayatta kalma rehberi: cikma, kaydetme, undo, modlar ve temel duzenleme. Usta olmak degil, production sunucusunda 2 dakikada config duzeltip cikmak icin." +tags: + - Cheatsheet + - Field Notes --- # Vim Survival Guide diff --git a/17-Templates/README.md b/17-Templates/README.md index cac13e8..9276b8f 100644 --- a/17-Templates/README.md +++ b/17-Templates/README.md @@ -1,5 +1,12 @@ --- description: "Kopyala-değiştir-kullan DevOps template koleksiyonu: GitHub Actions, Kubernetes, Dockerfile, Terraform, Kyverno, runbook ve Prometheus kuralları; tüm placeholder'lar UPPER_CASE." +tags: + - Template + - CI/CD + - Kubernetes + - Terraform + - Security + - Observability --- # 17 · Templates diff --git a/17-Templates/gitignore/README.md b/17-Templates/gitignore/README.md index 0c818c4..310ea40 100644 --- a/17-Templates/gitignore/README.md +++ b/17-Templates/gitignore/README.md @@ -1,5 +1,10 @@ --- description: "Stack başına kopyala-yapıştır .gitignore örnekleri (Terraform, Node, Python, Java) + secret-leak önleme anti-pattern tablosu." +tags: + - Template + - Git + - Security + - Secrets --- # .gitignore Örnekleri — Stack Başına diff --git a/17-Templates/runbooks/postmortem-template.md b/17-Templates/runbooks/postmortem-template.md index 49c4de8..c701154 100644 --- a/17-Templates/runbooks/postmortem-template.md +++ b/17-Templates/runbooks/postmortem-template.md @@ -1,5 +1,10 @@ --- description: "Blameless postmortem template: TL;DR, etki metrikleri, UTC zaman çizelgesi, kök neden, savunma katmanları, owner'lı aksiyon maddeleri ve öğrenilen dersler." +tags: + - Template + - Incident Response + - SRE + - DORA --- # Postmortem: diff --git a/17-Templates/runbooks/runbook-template.md b/17-Templates/runbooks/runbook-template.md index 24c8b61..10dc851 100644 --- a/17-Templates/runbooks/runbook-template.md +++ b/17-Templates/runbooks/runbook-template.md 
@@ -1,5 +1,10 @@ --- description: "Alert runbook template: adım-adım ilk teşhis komutları, olası sebepler ve çözümler, rollback prosedürü, eskalasyon matrisi ve incident kapanış doğrulaması." +tags: + - Template + - Incident Response + - SRE + - Observability --- # Runbook: diff --git a/17-Templates/terraform/README.md b/17-Templates/terraform/README.md index 6738ed4..7760aad 100644 --- a/17-Templates/terraform/README.md +++ b/17-Templates/terraform/README.md @@ -1,5 +1,9 @@ --- description: "Standart Terraform modül iskeleti: main.tf + variables.tf + outputs.tf; tip-güvenli, validation'lı, versiyon-pinli kopyala-yapıştır şablon." +tags: + - Template + - Terraform + - IaC --- # Terraform Module Skeleton diff --git a/18-Career/CV-Tips.md b/18-Career/CV-Tips.md index 8a741fc..6511aa6 100644 --- a/18-Career/CV-Tips.md +++ b/18-Career/CV-Tips.md @@ -1,5 +1,9 @@ --- description: "DevOps/SRE/Platform CV yazım rehberi: görev yerine etki odaklı yazım, STAR formülü, ATS uyumu ve Türk pazarı ile global pazar farkları üzerine pratik notlar." +tags: + - Career + - Soft Skills + - Template --- # DevOps / SRE CV Tips — Türk Pazarı + Global diff --git a/18-Career/DevOps-Interview-Questions.md b/18-Career/DevOps-Interview-Questions.md index 75b9814..ed1e8aa 100644 --- a/18-Career/DevOps-Interview-Questions.md +++ b/18-Career/DevOps-Interview-Questions.md @@ -1,5 +1,11 @@ --- description: "Junior'dan Staff seviyeye 60+ DevOps mülakat sorusu: container, Kubernetes, Git, CI/CD ve daha fazlası için her soruda ne göstermeli ipuçları ve trade-off odağı." +tags: + - Career + - Kubernetes + - CI/CD + - Containers + - Git --- # DevOps Interview Questions — 60+ soru ile hazırlık diff --git a/18-Career/README.md b/18-Career/README.md index a188ccf..a649d42 100644 --- a/18-Career/README.md +++ b/18-Career/README.md 
@@ -1,5 +1,9 @@ --- description: "DevOps/SRE kariyer rehberi index: mülakat soruları, SRE prep, system design cheatsheet ve CV ipuçları; Junior'dan Principal'a seviye haritası ve maaş tartışması notları." +tags: + - Career + - SRE + - Roadmap --- # 18 · Career diff --git a/18-Career/SRE-Interview-Prep.md b/18-Career/SRE-Interview-Prep.md index edbe729..031ba42 100644 --- a/18-Career/SRE-Interview-Prep.md +++ b/18-Career/SRE-Interview-Prep.md @@ -1,5 +1,10 @@ --- description: "SRE mülakat hazırlığı: SLO design round, error budget ve kapasite matematiği, incident simulation ve postmortem; SRE rolünde aranan core skill'ler üzerine pratik notlar." +tags: + - Career + - SRE + - Incident Response + - Observability --- # SRE Interview Prep diff --git a/18-Career/System-Design-Cheatsheet.md b/18-Career/System-Design-Cheatsheet.md index f5a0a43..d3a11e9 100644 --- a/18-Career/System-Design-Cheatsheet.md +++ b/18-Career/System-Design-Cheatsheet.md @@ -1,5 +1,11 @@ --- description: "DevOps/SRE mülakatlarına özgü system design cheatsheet: infra, deploy, observability, disaster recovery ve maliyet sorularını çözmek için sıralı framework." +tags: + - Career + - Cheatsheet + - SRE + - Observability + - Cost Optimization --- # DevOps/SRE System Design — Cheatsheet diff --git a/19-Compliance/Audit-Evidence-Automation.md b/19-Compliance/Audit-Evidence-Automation.md index 03994be..b0f050e 100644 --- a/19-Compliance/Audit-Evidence-Automation.md +++ b/19-Compliance/Audit-Evidence-Automation.md @@ -1,5 +1,11 @@ --- description: "Audit evidence'ı otomatik toplama disiplini: continuous evidence collection ile SOC 2, ISO 27001, KVKK ve PCI DSS için ortak kanıt pattern'i ve tooling." +tags: + - Compliance + - Security + - Policy as Code + - CI/CD + - Observability --- # Audit Evidence Automation — "Audit Gününe Hazırlık" Bitsin diff --git a/19-Compliance/EU-AI-Act.md b/19-Compliance/EU-AI-Act.md index 56da26e..d00555c 100644 --- a/19-Compliance/EU-AI-Act.md +++ b/19-Compliance/EU-AI-Act.md 
@@ -1,5 +1,10 @@ --- description: "EU AI Act'in mühendislik açısından pratik rehberi: risk kategorileri, high-risk AI sistem yükümlülükleri ve 2025-2027 kademeli uygulama takvimi özeti." +tags: + - Compliance + - AI/LLMOps + - Security + - Threat Modeling --- # EU AI Act — Mühendislik Açısından Pratik Rehber diff --git a/19-Compliance/GDPR-Engineering.md b/19-Compliance/GDPR-Engineering.md index 5896926..61c3f98 100644 --- a/19-Compliance/GDPR-Engineering.md +++ b/19-Compliance/GDPR-Engineering.md @@ -1,5 +1,11 @@ --- description: "GDPR'ın mühendislik karşılığı: madde eşlemesi, KVKK ile farkları, right-to-erasure, DPA ve Türkiye'den AB pazarına hizmet verirken pratik uyum adımları." +tags: + - Compliance + - GDPR + - KVKK + - Security + - Databases --- # GDPR — Mühendislik Açısından Pratik Rehber diff --git a/19-Compliance/ISO-27001-Controls.md b/19-Compliance/ISO-27001-Controls.md index 9279605..b3f520d 100644 --- a/19-Compliance/ISO-27001-Controls.md +++ b/19-Compliance/ISO-27001-Controls.md @@ -1,5 +1,11 @@ --- description: "ISO/IEC 27001:2022 Annex A kontrollerinin mühendislik eşlemesi: hangi kontrol Kyverno policy, GitHub Actions ve tooling ile karşılanır, SOC 2 ile karşılaştırma." +tags: + - Compliance + - Security + - Policy as Code + - Kubernetes + - CI/CD --- # ISO 27001 — Annex A Kontrolleri (Mühendislik Eşlemesi) diff --git a/19-Compliance/KVKK-Practical.md b/19-Compliance/KVKK-Practical.md index 062931b..cee5740 100644 --- a/19-Compliance/KVKK-Practical.md +++ b/19-Compliance/KVKK-Practical.md @@ -1,5 +1,11 @@ --- description: "6698 sayılı KVKK'nın DevSecOps açısından pratik rehberi: data inventory, DPIA, encryption, retention ve incident notification için somut tool ve pipeline gate'leri." +tags: + - Compliance + - KVKK + - Security + - Policy as Code + - Incident Response --- # KVKK Pratik Rehberi — Mühendislik Açısından diff --git a/19-Compliance/NIS2-Directive.md b/19-Compliance/NIS2-Directive.md index 07efeef..6590aff 100644 
--- a/19-Compliance/NIS2-Directive.md +++ b/19-Compliance/NIS2-Directive.md @@ -1,5 +1,10 @@ --- description: "EU NIS2 Directive (2022/2555) rehberi: kritik altyapı kapsamı, mühendislik gereksinimleri, yürürlük takvimi, cezalar ve TR şirketlerin AB müşterileriyle etkisi." +tags: + - Compliance + - Security + - Incident Response + - Networking --- # NIS2 Directive — EU Kritik Altyapı Güvenliği diff --git a/19-Compliance/PCI-DSS-4.md b/19-Compliance/PCI-DSS-4.md index 53428a1..b739b7a 100644 --- a/19-Compliance/PCI-DSS-4.md +++ b/19-Compliance/PCI-DSS-4.md @@ -1,5 +1,10 @@ --- description: "PCI DSS v4.0 rehberi: kart verisi işleyen sistemler için mühendislik gereksinimleri, tokenization stratejisi, scope reduction ve TR e-ticaret bağlamı." +tags: + - Compliance + - Security + - Networking + - Secrets --- # PCI DSS v4.0 — Kart Verisi İşleyenler İçin diff --git a/19-Compliance/README.md b/19-Compliance/README.md index 2761fec..7bd14e9 100644 --- a/19-Compliance/README.md +++ b/19-Compliance/README.md @@ -1,5 +1,11 @@ --- description: "DevSecOps'un yasal-uyum boyutu: KVKK, GDPR, ISO 27001, SOC 2, EU AI Act, NIS2 ve PCI DSS'in kod, pipeline ve K8s policy ile continuous compliance'a dönüşümü." +tags: + - Compliance + - Security + - KVKK + - GDPR + - Policy as Code --- # 19 · Compliance & Legal diff --git a/19-Compliance/SOC2-Type2-Prep.md b/19-Compliance/SOC2-Type2-Prep.md index d7a3195..887ebc2 100644 --- a/19-Compliance/SOC2-Type2-Prep.md +++ b/19-Compliance/SOC2-Type2-Prep.md @@ -1,5 +1,10 @@ --- description: "SOC 2 Type II'nin mühendislik hazırlığı: Trust Service Criteria, observation period, audit evidence automation ve continuous compliance disiplini ile audit günü hazırlığı." +tags: + - Compliance + - Security + - Policy as Code + - Observability --- # SOC 2 Type II — Mühendislik Hazırlığı diff --git a/20-Soft-Skills/Documentation-as-Communication.md b/20-Soft-Skills/Documentation-as-Communication.md index f673a55..dbf5a40 100644 
--- a/20-Soft-Skills/Documentation-as-Communication.md +++ b/20-Soft-Skills/Documentation-as-Communication.md @@ -1,5 +1,10 @@ --- description: "RFC, ADR ve Design Doc gibi yazılı iletişim biçimlerinin ne, ne zaman, nasıl yazıldığını ve async toplantısız karar kültürünü anlatan rehber." +tags: + - Soft Skills + - Culture + - Template + - Career --- # Documentation as Communication — RFC, ADR, Design Doc diff --git a/20-Soft-Skills/Mentoring-Junior-Engineers.md b/20-Soft-Skills/Mentoring-Junior-Engineers.md index 1fa8bda..e749ccb 100644 --- a/20-Soft-Skills/Mentoring-Junior-Engineers.md +++ b/20-Soft-Skills/Mentoring-Junior-Engineers.md @@ -1,5 +1,10 @@ --- description: "DevOps/SRE/Platform alanında junior mühendisi yetiştirmenin somut tekniklerini, on-boarding planını, shadow-solo geçişini ve TR iş kültürünü anlatır." +tags: + - Soft Skills + - Career + - Culture + - Platform Engineering --- # Mentoring Junior Engineers — Infra/SRE Öğretmek diff --git a/20-Soft-Skills/Oncall-Sustainability.md b/20-Soft-Skills/Oncall-Sustainability.md index 5e688f7..1adbeac 100644 --- a/20-Soft-Skills/Oncall-Sustainability.md +++ b/20-Soft-Skills/Oncall-Sustainability.md @@ -1,5 +1,11 @@ --- description: "On-call'ı sağlıklı yönetilebilir bir disiplin olarak ele alır: vardiya tasarımı, post-incident dinlenme, burnout sinyalleri ve önleme taktikleri." +tags: + - Soft Skills + - SRE + - Incident Response + - Sustainability + - Culture --- # On-Call Sürdürülebilirliği — Burnout Olmadan Yangın Söndürme diff --git a/20-Soft-Skills/Postmortem-Conversation.md b/20-Soft-Skills/Postmortem-Conversation.md index 951b1f5..08eea20 100644 --- a/20-Soft-Skills/Postmortem-Conversation.md +++ b/20-Soft-Skills/Postmortem-Conversation.md 
@@ -1,5 +1,10 @@ --- description: "Blameless kültürünü gerçek konuşmaya yansıtma rehberi: fasilitasyon teknikleri, tipik dil tuzakları ve psikolojik güvenlik yaratmanın somut adımları." +tags: + - Soft Skills + - Incident Response + - SRE + - Culture --- # Postmortem Conversation — Blameless'i Konuşmaya Yansıtmak diff --git a/20-Soft-Skills/README.md b/20-Soft-Skills/README.md index 57b8711..d690358 100644 --- a/20-Soft-Skills/README.md +++ b/20-Soft-Skills/README.md @@ -1,5 +1,10 @@ --- description: "DevOps/SRE/Platform işlerinde insan tarafına dair soft skill rehberlerinin dizini: on-call, stakeholder, security, vendor, hayır demek, postmortem, mentoring." +tags: + - Soft Skills + - Culture + - Career + - SRE --- # 20 · Soft Skills — Mühendislikten Daha Önemli (Bazen) diff --git a/20-Soft-Skills/Saying-No.md b/20-Soft-Skills/Saying-No.md index 5c20116..76e7ccf 100644 --- a/20-Soft-Skills/Saying-No.md +++ b/20-Soft-Skills/Saying-No.md @@ -1,5 +1,9 @@ --- description: "DevOps/SRE'de scope creep, premature commitment ve gerçekçi olmayan deadline'lara karşı 'hayır' demeyi profesyonel iletişim aracına çeviren rehber." +tags: + - Soft Skills + - Culture + - Career --- # "Hayır" Demek — Soft Skill'in Özü diff --git a/20-Soft-Skills/Stakeholder-Management.md b/20-Soft-Skills/Stakeholder-Management.md index 410f1a0..a865541 100644 --- a/20-Soft-Skills/Stakeholder-Management.md +++ b/20-Soft-Skills/Stakeholder-Management.md @@ -1,5 +1,10 @@ --- description: "Çok-paydaşlı DevOps/SRE işlerinde yönetim, ürün, müşteri, hukuk ve security'ye kime ne dilde ne kadar anlatılacağını gösteren paydaş yönetimi rehberi." +tags: + - Soft Skills + - Culture + - Career + - SRE --- # Stakeholder Management — Kime, Ne Dilde, Ne Kadar diff --git a/20-Soft-Skills/Vendor-Management.md b/20-Soft-Skills/Vendor-Management.md index 2405be9..9c6ef8e 100644 --- a/20-Soft-Skills/Vendor-Management.md +++ b/20-Soft-Skills/Vendor-Management.md 
@@ -1,5 +1,10 @@ --- description: "DevOps için vendor seçimi, kontrat müzakeresi, lock-in ölçümü ve escape stratejisini somut tekniklerle anlatan vendor yönetimi rehberi." +tags: + - Soft Skills + - FinOps + - Cost Optimization + - Culture --- # Vendor Management — Lock-In, Müzakere, Escape Stratejisi diff --git a/20-Soft-Skills/Working-with-Security-Team.md b/20-Soft-Skills/Working-with-Security-Team.md index 30f0262..6aa465c 100644 --- a/20-Soft-Skills/Working-with-Security-Team.md +++ b/20-Soft-Skills/Working-with-Security-Team.md @@ -1,5 +1,10 @@ --- description: "DevOps/SRE ile Security ekipleri arasındaki sürtünmenin niye olduğunu, nasıl ortadan kalkacağını ve sağlıklı işbirliğinin somut pratiklerini anlatır." +tags: + - Soft Skills + - Security + - Culture + - Compliance --- # Security Ekibiyle Çalışmak — Düşman Değil, Partner diff --git a/21-Field-Notes/README.md b/21-Field-Notes/README.md index 3f6f257..b28c98c 100644 --- a/21-Field-Notes/README.md +++ b/21-Field-Notes/README.md @@ -1,5 +1,11 @@ --- description: "Production kurulumlardan kalan ham DevOps saha notları: Ansible, Terraform, Kubernetes, kubectl ve sistem rehberlerinin olduğu gibi korunmuş komut dökümleri." +tags: + - Field Notes + - Kubernetes + - Terraform + - IaC + - Cheatsheet --- # 21 · Saha Notları — Field Notes diff --git a/21-Field-Notes/ansible/ssh-connectivity-test.md b/21-Field-Notes/ansible/ssh-connectivity-test.md index fe495ba..f9ffe86 100644 --- a/21-Field-Notes/ansible/ssh-connectivity-test.md +++ b/21-Field-Notes/ansible/ssh-connectivity-test.md @@ -1,5 +1,10 @@ --- description: "Kubernetes cluster node'larına (master, worker, storage, infra, load balancer) SSH erişimini ConnectTimeout ile toplu doğrulayan bash test script'i." +tags: + - Field Notes + - Kubernetes + - Networking + - Cheatsheet --- # SSH Bağlantı Testi diff --git a/21-Field-Notes/ansible/system-preparation.md b/21-Field-Notes/ansible/system-preparation.md index 0a5a79e..053c7d7 100644 
--- a/21-Field-Notes/ansible/system-preparation.md +++ b/21-Field-Notes/ansible/system-preparation.md @@ -1,5 +1,11 @@ --- description: "Kubernetes öncesi Ansible ile sistem hazırlığı: production inventory dosyası oluşturma, master/worker host tanımları, etcd member ve node label ayarları." +tags: + - Field Notes + - Kubernetes + - IaC + - Containers + - Networking --- # Ansible ile Sistem Hazırlığı diff --git a/21-Field-Notes/kubectl/cluster-passwords.md b/21-Field-Notes/kubectl/cluster-passwords.md index 4420975..fa66e46 100644 --- a/21-Field-Notes/kubectl/cluster-passwords.md +++ b/21-Field-Notes/kubectl/cluster-passwords.md @@ -1,5 +1,11 @@ --- description: "Kubernetes cluster servis parolalarını secret'lardan toplayan bash script'i: Jenkins, Grafana, Elasticsearch kimlikleri ve servis erişim URL'leri." +tags: + - Field Notes + - Kubernetes + - Secrets + - Security + - Cheatsheet --- # Kubernetes Cluster Parolaları (Toplama Script'i) diff --git a/21-Field-Notes/kubectl/logging-elasticsearch.md b/21-Field-Notes/kubectl/logging-elasticsearch.md index 3bf2690..c5aa863 100644 --- a/21-Field-Notes/kubectl/logging-elasticsearch.md +++ b/21-Field-Notes/kubectl/logging-elasticsearch.md @@ -1,5 +1,11 @@ --- description: "Kubernetes logging namespace'inde ElasticSearch deployment kurulumu: kubectl apply manifesti, nodeSelector, toleration ve elasticsearch 8.5.1 imajı." +tags: + - Field Notes + - Kubernetes + - Observability + - Monitoring + - Containers --- # kubectl — Logging (ElasticSearch) diff --git a/21-Field-Notes/network/network-segmentation-wazuh-siem.md b/21-Field-Notes/network/network-segmentation-wazuh-siem.md index 4fe6e33..55f4226 100644 --- a/21-Field-Notes/network/network-segmentation-wazuh-siem.md +++ b/21-Field-Notes/network/network-segmentation-wazuh-siem.md 
@@ -1,5 +1,12 @@ --- description: "DMZ, application ve management zone'larına ayrılmış ağ segmentasyonu mimarisi ve Wazuh SIEM entegrasyonu rehberi; VLAN/subnet planı ve güvenlik şeması." +tags: + - Field Notes + - Security + - Networking + - Kubernetes + - Incident Response + - Compliance --- # 🔒 Ağ Segmentasyonu ve Wazuh SIEM Entegrasyon Rehberi diff --git a/21-Field-Notes/system/devops-certification-roadmap.md b/21-Field-Notes/system/devops-certification-roadmap.md index 52167e5..25e7f00 100644 --- a/21-Field-Notes/system/devops-certification-roadmap.md +++ b/21-Field-Notes/system/devops-certification-roadmap.md @@ -1,5 +1,11 @@ --- description: "2025 DevOps sertifika roadmap'i: entry-level'dan senior'a en değerli 10 sertifika (AWS, Docker DCA, Terraform), süre, maliyet, ROI ve kariyer etkileri." +tags: + - Field Notes + - Career + - Roadmap + - Culture + - Soft Skills --- # DevOps Sertifika Roadmap: 2025 Senior Seviye Kariyer Rehberi diff --git a/21-Field-Notes/system/external-access-solutions.md b/21-Field-Notes/system/external-access-solutions.md index e45341e..1785f7c 100644 --- a/21-Field-Notes/system/external-access-solutions.md +++ b/21-Field-Notes/system/external-access-solutions.md @@ -1,5 +1,10 @@ --- description: "Kubernetes servislerine dış erişim çözümleri: kubectl port-forward ile 0.0.0.0 bind, NodePort service ve kalıcı external access yöntemleri; bash örnekleri." +tags: + - Field Notes + - Kubernetes + - Networking + - Cheatsheet --- # Dış Erişim (External Access) Çözümleri diff --git a/21-Field-Notes/system/github-actions-pipeline-setup.md b/21-Field-Notes/system/github-actions-pipeline-setup.md index e0a9eb5..43fcb98 100644 --- a/21-Field-Notes/system/github-actions-pipeline-setup.md +++ b/21-Field-Notes/system/github-actions-pipeline-setup.md 
@@ -1,5 +1,11 @@ --- description: "GitHub Actions CI/CD pipeline kurulum rehberi: repository yapısı, workflow dosyaları, Kustomize tabanlı k8s base/staging/production ortamları ve Docker akışı." +tags: + - Field Notes + - CI/CD + - Kubernetes + - Docker + - GitOps --- # 🚀 GitHub Actions Pipeline Kurulum Rehberi diff --git a/21-Field-Notes/system/inventory-management-example.md b/21-Field-Notes/system/inventory-management-example.md index 0689388..c49a6e6 100644 --- a/21-Field-Notes/system/inventory-management-example.md +++ b/21-Field-Notes/system/inventory-management-example.md @@ -1,5 +1,11 @@ --- description: "DevOps envanter yönetimi master şablonu: sunucu/instance envanteri ve kullanıcı erişim envanteri tabloları; hostname, IP, rol, OS ve SSH key kayıtları." +tags: + - Field Notes + - Template + - Security + - AWS + - Compliance --- # Envanter Yönetimi — Örnek (Master Template) diff --git a/21-Field-Notes/system/kubernetes-cluster-installation.md b/21-Field-Notes/system/kubernetes-cluster-installation.md index 8ff1614..f410dd0 100644 --- a/21-Field-Notes/system/kubernetes-cluster-installation.md +++ b/21-Field-Notes/system/kubernetes-cluster-installation.md @@ -1,5 +1,11 @@ --- description: "Proxmox üzerinde Ubuntu ile Kubernetes cluster kurulum rehberi: makine gereksinimleri, IP planı, eski Docker/Kubernetes temizliği ve adım adım kurulum." +tags: + - Field Notes + - Kubernetes + - Containers + - Docker + - Networking --- # Kubernetes Cluster Kurulum Rehberi - Proxmox Ubuntu diff --git a/21-Field-Notes/system/production-ready-repo-layout.md b/21-Field-Notes/system/production-ready-repo-layout.md index 0e69050..9f216af 100644 --- a/21-Field-Notes/system/production-ready-repo-layout.md +++ b/21-Field-Notes/system/production-ready-repo-layout.md 
@@ -1,5 +1,12 @@ --- description: "Laravel API, TypeScript SPA, Flutter mobil ve Kubernetes için enterprise DevOps proje yapısı: Dockerfile, nginx, ortam dosyaları ve dizin şablonu." +tags: + - Field Notes + - Platform Engineering + - Kubernetes + - CI/CD + - Docker + - Template --- # 🚀 Enterprise-Grade DevOps Setup - Laravel + TypeScript + Flutter + K8s diff --git a/21-Field-Notes/terraform/modules-create-vm.md b/21-Field-Notes/terraform/modules-create-vm.md index 855e045..5fda6a4 100644 --- a/21-Field-Notes/terraform/modules-create-vm.md +++ b/21-Field-Notes/terraform/modules-create-vm.md @@ -1,5 +1,11 @@ --- description: "Proxmox üzerinde qm clone ile Kubernetes master ve worker VM'lerini elle oluşturan bash script'i: cores, memory, disk, cloud-init IP ve SSH key ayarları." +tags: + - Field Notes + - Terraform + - IaC + - Kubernetes + - Containers --- # Terraform — Modüllerle VM Oluşturma diff --git a/21-Field-Notes/terraform/proxmox-configuration.md b/21-Field-Notes/terraform/proxmox-configuration.md index b878229..b2ffebe 100644 --- a/21-Field-Notes/terraform/proxmox-configuration.md +++ b/21-Field-Notes/terraform/proxmox-configuration.md @@ -1,5 +1,11 @@ --- description: "Proxmox üzerinde uçtan uca VM provisioning için tam Terraform konfigürasyonu: telmate/proxmox provider, providers.tf, değişkenler ve VM kaynak tanımları." +tags: + - Field Notes + - Terraform + - IaC + - Kubernetes + - Template --- # Terraform — Proxmox Tam Konfigürasyon diff --git a/RoadMap/Modern-DevOps-2026.md b/RoadMap/Modern-DevOps-2026.md index df81209..b3972c0 100644 --- a/RoadMap/Modern-DevOps-2026.md +++ b/RoadMap/Modern-DevOps-2026.md @@ -1,5 +1,12 @@ --- description: "2026'da ekiplerin gerçekten kullandığı DevOps çerçeveleri: CALMS, DORA, platform engineering, GitOps, SRE, DevSecOps, FinOps ve operasyonel pratikler." +tags: + - Roadmap + - Platform Engineering + - GitOps + - SRE + - DORA + - FinOps --- # Modern DevOps 2026 — Metodolojiler, Stratejiler & Kültür 
diff --git a/RoadMap/Planning.md b/RoadMap/Planning.md index ea8c589..4d5a491 100644 --- a/RoadMap/Planning.md +++ b/RoadMap/Planning.md @@ -1,5 +1,11 @@ --- description: "Sıfırdan production'a DevOps GitOps yol haritası: planlama, envanter, Git stratejisi, güvenlik temelleri ve fazlara bölünmüş kapsamlı uygulama adımları." +tags: + - Roadmap + - GitOps + - IaC + - Security + - Git --- # 🗺️ **DevOps GitOps Kapsamlı Uygulama Yol Haritası** (Sıfırdan Production'a) diff --git a/RoadMap/README.md b/RoadMap/README.md index 5c3e203..c246f17 100644 --- a/RoadMap/README.md +++ b/RoadMap/README.md @@ -1,5 +1,10 @@ --- description: "DevOps öğrenme yol haritası index'i: yeni başlayan, junior/mid ve senior/staff için dört ayrı patika önerir; seviyene göre nereden başlayacağını gösterir." +tags: + - Roadmap + - Career + - Culture + - Soft Skills --- # 🗺️ Yol Haritası — Hangi Seviyedeysen Oradan Başla diff --git a/RoadMap/RoadMap.md b/RoadMap/RoadMap.md index c15fcad..448b5ba 100644 --- a/RoadMap/RoadMap.md +++ b/RoadMap/RoadMap.md @@ -1,5 +1,11 @@ --- description: "A'dan Z'ye DevOps GitOps yol haritası: her adımda ne yapılacak, hangi araçla ve neden sorularını planlama, IaC ve containerization başlıklarıyla yanıtlar." +tags: + - Roadmap + - GitOps + - IaC + - Containers + - CI/CD --- ## 🗺️ **DevOps GitOps Uygulama Yol Haritası** (A'dan Z'ye) diff --git a/RoadMap/advanced-roadmap.md b/RoadMap/advanced-roadmap.md index 3ec8ec6..0455da5 100644 --- a/RoadMap/advanced-roadmap.md +++ b/RoadMap/advanced-roadmap.md @@ -1,5 +1,12 @@ --- description: "Sıfır altyapıdan 28 günde production-grade kurulum rehberi: AWS, Terraform, EKS, ArgoCD, observability, güvenlik ve backup/DR'ı faz faz anlatan ana sayfa." +tags: + - Roadmap + - AWS + - Terraform + - Kubernetes + - ArgoCD + - Observability --- # 🏗️ **DevOps Altyapısı Sıfırdan Implementation Guide** *Hiçbir şeyin kurulu olmadığını varsayarak adım adım DevOps altyapısı kuracağız.* 
diff --git a/RoadMap/advanced/00-prerequisites.md b/RoadMap/advanced/00-prerequisites.md index 6887ba0..b742e10 100644 --- a/RoadMap/advanced/00-prerequisites.md +++ b/RoadMap/advanced/00-prerequisites.md @@ -1,5 +1,10 @@ --- description: "DevOps kurulumu öncesi ön koşullar: geliştirici makine kurulumu, WSL2, temel araçlar, Docker ve diğer development tool'larının komut satırıyla hazırlanması." +tags: + - Roadmap + - Docker + - Containers + - Cheatsheet --- # 📋 **ÖN KOŞULLAR VE HAZIRLIK** diff --git a/RoadMap/advanced/01-aws-account-setup.md b/RoadMap/advanced/01-aws-account-setup.md index af22ab9..dc035bb 100644 --- a/RoadMap/advanced/01-aws-account-setup.md +++ b/RoadMap/advanced/01-aws-account-setup.md @@ -1,5 +1,10 @@ --- description: "Faz 1 (Gün 1-2): AWS hesap açma, AWS CLI konfigürasyonu, kimlik doğrulama, Organization kurulumu ve Organizational Unit oluşturma adımları." +tags: + - Roadmap + - AWS + - Security + - Compliance --- # 🏢 **PHASE 1: AWS HESAP VE İLK KURULUMLAR** (Gün 1-2) diff --git a/RoadMap/advanced/02-terraform-iac.md b/RoadMap/advanced/02-terraform-iac.md index 16e2bed..946273a 100644 --- a/RoadMap/advanced/02-terraform-iac.md +++ b/RoadMap/advanced/02-terraform-iac.md @@ -1,5 +1,10 @@ --- description: "Faz 2 (Gün 3-5): Terraform ile Infrastructure as Code; S3 ve DynamoDB ile remote state backend kurulumu, versioning ve state locking yapılandırması." +tags: + - Roadmap + - Terraform + - IaC + - AWS --- # 🛠️ **PHASE 2: TERRAFORM VE INFRASTRUCTURE AS CODE** (Gün 3-5) diff --git a/RoadMap/advanced/03-containerization.md b/RoadMap/advanced/03-containerization.md index 8e89c00..8da1a7a 100644 --- a/RoadMap/advanced/03-containerization.md +++ b/RoadMap/advanced/03-containerization.md 
@@ -1,5 +1,10 @@ --- description: "Faz 3 (Gün 6-7): Containerization ve registry; GitHub Container Registry kurulumu, login, image push ve Docker multi-stage build şablonlarının hazırlanması." +tags: + - Roadmap + - Docker + - Containers + - CI/CD --- # 🐳 **PHASE 3: CONTAINERIZATION VE REGISTRY** (Gün 6-7) diff --git a/RoadMap/advanced/04-cicd-pipeline.md b/RoadMap/advanced/04-cicd-pipeline.md index ff38571..ac47809 100644 --- a/RoadMap/advanced/04-cicd-pipeline.md +++ b/RoadMap/advanced/04-cicd-pipeline.md @@ -1,5 +1,10 @@ --- description: "Faz 4 (Gün 8-10): CI/CD pipeline kurulumu; Kubernetes üzerinde Jenkins kurulumu, namespace, ServiceAccount ve RBAC ile pipeline altyapısının oluşturulması." +tags: + - Roadmap + - CI/CD + - Kubernetes + - Security --- # 🔄 **PHASE 4: CI/CD PIPELINE KURULUMU** (Gün 8-10) diff --git a/RoadMap/advanced/05-kubernetes-advanced.md b/RoadMap/advanced/05-kubernetes-advanced.md index dcfd23f..febcbfc 100644 --- a/RoadMap/advanced/05-kubernetes-advanced.md +++ b/RoadMap/advanced/05-kubernetes-advanced.md @@ -1,5 +1,11 @@ --- description: "Faz 5 (Gün 11-13): Kubernetes ileri seviye kurulum; dev/staging/prod namespace'leri, RBAC ve Istio injection ile çok-ortamlı cluster yapılandırması." +tags: + - Roadmap + - Kubernetes + - Service Mesh + - Security + - Networking --- # ☸️ **PHASE 5: KUBERNETES ADVANCED SETUP** (Gün 11-13) diff --git a/RoadMap/advanced/06-observability.md b/RoadMap/advanced/06-observability.md index 5664896..561e7a3 100644 --- a/RoadMap/advanced/06-observability.md +++ b/RoadMap/advanced/06-observability.md @@ -1,5 +1,11 @@ --- description: "Faz 6 (Gün 14-16): Observability stack; kube-prometheus-stack ile Prometheus ve Grafana kurulumu, gp3 storage, retention ve kaynak ayarlarının yapılandırması." +tags: + - Roadmap + - Observability + - Monitoring + - Prometheus + - Kubernetes --- # 📊 **PHASE 6: OBSERVABILITY STACK** (Gün 14-16) 
diff --git a/RoadMap/advanced/07-secrets-security.md b/RoadMap/advanced/07-secrets-security.md index 6603766..5070c31 100644 --- a/RoadMap/advanced/07-secrets-security.md +++ b/RoadMap/advanced/07-secrets-security.md @@ -1,5 +1,11 @@ --- description: "Faz 7 (Gün 17-18): Secrets management ve güvenlik; HashiCorp Vault'un Helm ile kurulumu, TLS, injector yapılandırması ve kaynak limitlerinin ayarlanması." +tags: + - Roadmap + - Secrets + - Security + - Helm + - Kubernetes --- # 🔒 **PHASE 7: SECRETS MANAGEMENT & SECURITY** (Gün 17-18) diff --git a/RoadMap/advanced/08-backup-dr.md b/RoadMap/advanced/08-backup-dr.md index 1fa68a7..766474a 100644 --- a/RoadMap/advanced/08-backup-dr.md +++ b/RoadMap/advanced/08-backup-dr.md @@ -1,5 +1,11 @@ --- description: "Faz 8 (Gün 19-20): Backup ve felaket kurtarma; Velero ile Kubernetes yedekleme, S3 bucket oluşturma ve IAM rolüne dayalı bucket policy yapılandırması." +tags: + - Roadmap + - Backup + - Kubernetes + - AWS + - SRE --- # 🗄️ **PHASE 8: BACKUP & DISASTER RECOVERY** (Gün 19-20) diff --git a/RoadMap/advanced/09-gitops-automation.md b/RoadMap/advanced/09-gitops-automation.md index e09099f..b1d9f93 100644 --- a/RoadMap/advanced/09-gitops-automation.md +++ b/RoadMap/advanced/09-gitops-automation.md @@ -1,5 +1,11 @@ --- description: "Faz 9 (Gün 21-22): GitOps ve deployment otomasyonu; ArgoCD kurulumu, CLI yükleme, initial admin parolası alma ve ArgoCD ingress yapılandırması." +tags: + - Roadmap + - GitOps + - ArgoCD + - Kubernetes + - CI/CD --- # 🎯 **PHASE 9: GITOPS & DEPLOYMENT AUTOMATION** (Gün 21-22) diff --git a/RoadMap/advanced/10-cost-performance.md b/RoadMap/advanced/10-cost-performance.md index a1a592c..9e82668 100644 --- a/RoadMap/advanced/10-cost-performance.md +++ b/RoadMap/advanced/10-cost-performance.md 
@@ -1,5 +1,11 @@ --- description: "Faz 10 (Gün 23-24): Maliyet optimizasyonu ve performans; AWS Cost and Usage Report kurulumu, S3 bucket ve maliyet raporları için bucket policy ayarları." +tags: + - Roadmap + - FinOps + - Cost Optimization + - AWS + - Performance --- # 📈 **PHASE 10: COST OPTIMIZATION & PERFORMANCE** (Gün 23-24) diff --git a/RoadMap/advanced/11-documentation-processes.md b/RoadMap/advanced/11-documentation-processes.md index b921a74..9f27950 100644 --- a/RoadMap/advanced/11-documentation-processes.md +++ b/RoadMap/advanced/11-documentation-processes.md @@ -1,5 +1,10 @@ --- description: "Faz 11 (Gün 25-26): Dokümantasyon ve ekip süreçleri; mimari dokümantasyon, mermaid diyagramları ve GitHub'dan EKS'e uzanan CI/CD akışının kayda geçirilmesi." +tags: + - Roadmap + - Culture + - Soft Skills + - CI/CD --- # 📚 **PHASE 11: DOCUMENTATION & TEAM PROCESSES** (Gün 25-26) diff --git a/RoadMap/advanced/12-final-validation.md b/RoadMap/advanced/12-final-validation.md index 94c1372..f4aec82 100644 --- a/RoadMap/advanced/12-final-validation.md +++ b/RoadMap/advanced/12-final-validation.md @@ -1,5 +1,10 @@ --- description: "Faz 12 (Gün 27-28): Final kurulum ve doğrulama; tüm sistemin uçtan uca test scriptiyle validasyonu, başarı sayacı ve test kontrollerinin çalıştırılması." +tags: + - Roadmap + - SRE + - Performance + - Observability --- # 🎉 **FINAL SETUP AND VALIDATION** (Gün 27-28) diff --git a/RoadMap/advanced/13-quickstart-30min.md b/RoadMap/advanced/13-quickstart-30min.md index 50c07bf..9e53080 100644 --- a/RoadMap/advanced/13-quickstart-30min.md +++ b/RoadMap/advanced/13-quickstart-30min.md @@ -1,5 +1,11 @@ --- description: "28 günlük planı okumadan çalışan bir iskeleti 30 dakikada ayağa kaldırma rehberi: ön koşul checklist, ilk kurulum ve hızlı altyapı deployment adımları." +tags: + - Roadmap + - AWS + - Terraform + - Kubernetes + - Cheatsheet --- # ⚡ 30 Dakikalık Hızlı Kurulum 
diff --git a/docs/tags.md b/docs/tags.md new file mode 100644 index 0000000..b844e12 --- /dev/null +++ b/docs/tags.md @@ -0,0 +1,12 @@ +--- +description: "DevOps Notebook'taki tüm dokümanların konu etiketlerine göre indeksi — Kubernetes, Security, SRE, CI/CD ve daha fazlasına göz at." +hide: + - navigation +--- + +# 🏷️ Etiketler + +Dokümanları konuya göre tara. Aynı etiketi taşıyan tüm sayfalar aşağıda +gruplanmıştır — bir konunun repo genelinde nerelerde geçtiğini tek bakışta gör. + + diff --git a/mkdocs.yml b/mkdocs.yml index ad6514d..04b2519 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -81,6 +81,7 @@ plugins: - tr - en separator: '[\s\-,:!=\[\]()"/]+|(?!\b)(?=[A-Z][a-z])|\.(?!\d)|&[lg]t;' + - tags - awesome-pages: collapse_single_pages: false strict: false diff --git a/scripts/build-docs.sh b/scripts/build-docs.sh index f993750..49a2c9c 100644 --- a/scripts/build-docs.sh +++ b/scripts/build-docs.sh @@ -29,6 +29,12 @@ if [ -f docs/index.md ]; then echo " + index.md (hero homepage)" fi +# 1b) Etiket indeksi — docs/tags.md (Material tags plugin tags_file) +if [ -f docs/tags.md ]; then + cp docs/tags.md "$STAGE/tags.md" + echo " + tags.md (etiket indeksi)" +fi + # 2) Kök seviyesi md dosyaları for f in CHANGELOG.md Glossary.md; do if [ -f "$f" ]; then @@ -124,6 +130,7 @@ nav: - 20-Soft-Skills - 21-Field-Notes - "📖 Sözlük": Glossary.md + - "🏷️ Etiketler": tags.md - "📋 Changelog": CHANGELOG.md PAGES_EOF echo " + .pages (root nav)"
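Review bot: In the `19-Compliance/*` frontmatter hunks every one of the eight pages carries both `Compliance` and `Security`, and across this section `Security` is attached to 17 of the 50 pages touched (compliance, soft-skills, field notes and roadmap phases alike), so the generated `Security` listing will be nearly as long as the section index and carry little signal. Consider reserving `Security` for pages whose subject is a security control (e.g. `07-secrets-security.md`, `network-segmentation-wazuh-siem.md`) and letting `Compliance`, `Secrets`, `Policy as Code` and `Networking` carry the rest.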
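Review bot: The tag vocabulary introduced in the `20-Soft-Skills/*`, `21-Field-Notes/*` and `RoadMap/*` frontmatter hunks is not defined anywhere in this patch, and it already contains near-duplicates that will split one topic across two index entries: `Docker` next to `Containers`, `Monitoring` next to `Observability`, `FinOps` next to `Cost Optimization`, and `Template` as a tag alongside the existing `17-Templates` section. Fix a controlled list (a short table in CLAUDE.md would do) before merging, and if the installed Material version supports the tags plugin's `tags_allowed` setting, enforce it there so a typo in a new page fails the build instead of creating a one-page tag.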
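Review bot: In the `21-Field-Notes/kubectl/cluster-passwords.md` hunk the page whose description says it collects Jenkins, Grafana and Elasticsearch credentials out of cluster secrets is tagged `Cheatsheet`, which will list it beside quick-reference command pages. Since its output is plaintext credentials, drop `Cheatsheet` (keep `Secrets` and `Security`) so the tag index does not advertise it as a copy-paste reference, and make sure the page itself states that the script output must not be stored or pasted into tickets.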
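Review bot: The `mkdocs.yml` hunk registers the plugin with a bare `+ - tags` but never tells it which page is the index, so the Material tags plugin will collect tags from the frontmatter and render no listing; `docs/tags.md`, which `build-docs.sh` stages and links in the nav as "🏷️ Etiketler", would then be a static page with only its intro paragraph. The `# 1b)` comment in the `build-docs.sh` hunk already names the missing setting (`Material tags plugin tags_file`), so the config and the comment are out of sync. Replace the bare entry with `- tags:` followed by `    tags_file: tags.md` (relative to `docs_dir`, which is the staging directory the script copies `tags.md` into), and rebuild to confirm the index actually appears on the page.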
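Review bot: In the second `scripts/build-docs.sh` hunk the nav line `+ - "🏷️ Etiketler": tags.md` is written unconditionally, while the copy in step 1b is guarded by `if [ -f docs/tags.md ]`. If the file is ever absent the generated `.pages` points at a page that does not exist, and because `awesome-pages` runs with `strict: false` that surfaces as a warning rather than a failed build. Either drop the guard (the file is added in this same patch, so its absence is a real error) or emit the nav entry under the same condition as the copy.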