The 'Why' of the platform
Many modern companies have what is called an Internal Developer Platform (IDP), often maintained by a platform team. With this platform we do not only mimic industry best practices (IDP, platform engineering, continuous delivery, DevOps, GitOps, CI/CD, IaC, etc.); the main reason is that continuous delivery maximizes your learning opportunities.
By delivering often, we stimulate incremental and iterative development, which provides opportunities to get early feedback from:
- your stakeholders (coaches, users, customers)
- your tests and design
- your development process (integration, collaboration)
If you want to learn more about continuous delivery, MinimumCD is a good starting point.
How the Platform Works
This page explains what's running behind the scenes. You don't need to know this to use the platform, but it helps to understand what's happening.
In the original design, we defined two tiers:
- Tier 1: students can deploy and operate with zero setup and little extra knowledge. This applies to early projects, where platform requirements are similar across all project groups.
- Tier 2: students in later projects or experiments can onboard their own application and get more access to the different moving parts of the platform, to set it up and monitor it themselves.
Architecture Overview
┌─────────────────────────────────────────────────────────────────────────────┐
│ YOUR WORKFLOW │
└─────────────────────────────────────────────────────────────────────────────┘
│
│ git push
▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ GITHUB │
│ ┌───────────────┐ ┌────────────────┐ │
│ │ Your Repo │───▶│ GitHub Actions │──┐ │
│ │ (code) │ │ (builds images)│ │ │
│ └───────────────┘ └────────────────┘ │ │
└───────────────────────────────────────────│─────────────────────────────────┘
│ docker push
▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ KUBERNETES CLUSTER │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Harbor │◀───│ Image Updater │ │ ArgoCD │ │
│ │ (image storage) │ │ (detects new │───▶│ (deploys apps) │ │
│ └─────────────────┘ │ images) │ └────────┬────────┘ │
│ └─────────────────┘ │ │
│ │ deploys │
│ ┌──────────────────────────────────────────────────────┼─────────────────┐ │
│ │ prj2-system namespace │ │ │
│ │ ┌─────────────┐ ┌─────────────┐ │ │ │
│ │ │ PostgreSQL │ │ pgAdmin │ │ │ │
│ │ │ (shared DB) │ │ (web UI) │ │ │ │
│ │ └─────────────┘ └─────────────┘ │ │ │
│ └──────────────────────────────────────────────────────│─────────────────┘ │
│ │ │
│ ┌──────────────────────────────────────────────────────│─────────────────┐ │
│ │ prj2-team namespace ▼ │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ Init DB │─▶│ Backend │ │ Frontend │ │ │
│ │ │ (resets DB) │ │ (Java) │ │ (Svelte) │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │
│ └────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────┐ │
│ │ Traefik │ Routing │
│ │ (ingress/HTTPS) │ │
│ └─────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
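The GitOps half of the diagram (Image Updater watches Harbor, ArgoCD syncs the team namespace) is driven by two ArgoCD objects. The manifests below are an added illustration, not the platform's own configuration: the ArgoCD namespace (`argocd`), the Harbor hostname, the deploy repository URL, the AppProject name and the `main-<short sha>` tag scheme are all assumptions chosen for the example.

```yaml
# Added example, not the platform's own manifest. Assumed: ArgoCD runs in the
# "argocd" namespace, Harbor is reachable at harbor.example.org, the team's
# Kubernetes manifests live in github.com/example-org/prj2-team-deploy under k8s/,
# and CI tags images as main-<7-char git sha>.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: prj2-team
  namespace: argocd
spec:
  # Only this repository may be deployed, and only into the team namespace.
  sourceRepos:
    - https://github.com/example-org/prj2-team-deploy.git
  destinations:
    - server: https://kubernetes.default.svc
      namespace: prj2-team
  # No cluster-scoped kinds (Namespace, ClusterRole, ...) may be synced.
  clusterResourceWhitelist: []
  # Teams cannot loosen the guard rails the platform put in their namespace.
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange
    - group: networking.k8s.io
      kind: NetworkPolicy
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: prj2-team
  namespace: argocd
  annotations:
    # Image Updater polls these Harbor images; "backend"/"frontend" are aliases
    # referenced by the per-image annotations below.
    argocd-image-updater.argoproj.io/image-list: backend=harbor.example.org/prj2-team/backend,frontend=harbor.example.org/prj2-team/frontend
    # Only tags produced by CI are eligible, so a hand-pushed "latest" or a
    # mistyped tag is never rolled out.
    argocd-image-updater.argoproj.io/backend.allow-tags: regexp:^main-[0-9a-f]{7}$
    argocd-image-updater.argoproj.io/backend.update-strategy: newest-build
    argocd-image-updater.argoproj.io/frontend.allow-tags: regexp:^main-[0-9a-f]{7}$
    argocd-image-updater.argoproj.io/frontend.update-strategy: newest-build
    # Commit the new tag back to Git instead of patching the live Application,
    # so the repository stays the single source of truth.
    argocd-image-updater.argoproj.io/write-back-method: git
spec:
  project: prj2-team
  source:
    repoURL: https://github.com/example-org/prj2-team-deploy.git
    targetRevision: main
    path: k8s
  destination:
    server: https://kubernetes.default.svc
    namespace: prj2-team
  syncPolicy:
    automated:
      prune: true      # resources removed from Git are removed from the cluster
      selfHeal: true   # manual kubectl edits are reverted to the Git state
    syncOptions:
      - CreateNamespace=false   # the platform provisions the namespace, not the team
```

The AppProject is what makes "ArgoCD is shared but apps are separated by namespace" hold: even if a team commits a manifest targeting another namespace or a cluster-scoped kind, the sync is refused. The `allow-tags` filter is the check worth keeping on any Image Updater setup, because without it any tag pushed to the Harbor project is a candidate for deployment.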
Security Model
What's isolated
- Each team has its own Kubernetes namespace
- Database users can only access their own database
- Container images are in team-specific Harbor projects
What's shared
- PostgreSQL server (but databases are isolated)
- Kubernetes cluster resources (with limits)
- ArgoCD (but apps are separated by namespace)
What you can't do
- Access other teams' databases
- Modify platform infrastructure
- Run privileged containers
- Access the Kubernetes API directly
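The namespace-level rules above (no privileged containers, resource limits, no reaching into other teams' workloads) map onto four standard Kubernetes objects. The following is an added example of how such a team namespace can be locked down; it is not the platform's own configuration, and the quota numbers, the `app=postgresql` label on the shared database pods and the `traefik` ingress namespace name are assumptions.

```yaml
# Added example, not the platform's own configuration. Assumed: PostgreSQL
# pods in prj2-system carry the label app=postgresql, Traefik runs in a
# namespace named "traefik", and cluster DNS lives in kube-system.
apiVersion: v1
kind: Namespace
metadata:
  name: prj2-team
  labels:
    # Pod Security Admission "restricted": rejects privileged containers,
    # hostPath/hostNetwork/hostPID, root users and added capabilities.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: prj2-team-quota
  namespace: prj2-team
spec:
  hard:
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
    pods: "20"
---
# A quota on requests/limits rejects any pod that sets none; the LimitRange
# supplies defaults so tier-1 deployments still work with zero setup.
apiVersion: v1
kind: LimitRange
metadata:
  name: prj2-team-defaults
  namespace: prj2-team
spec:
  limits:
    - type: Container
      default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 100m
        memory: 128Mi
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prj2-team-isolation
  namespace: prj2-team
spec:
  podSelector: {}                 # every pod in the namespace
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector: {}         # frontend <-> backend inside the namespace
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik   # assumed ingress namespace
  egress:
    - to:
        - podSelector: {}         # intra-namespace traffic
    - to:
        # namespaceSelector AND podSelector in one entry: only the DB pods,
        # not pgAdmin or anything else in prj2-system.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: prj2-system
          podSelector:
            matchLabels:
              app: postgresql
      ports:
        - port: 5432
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # cluster DNS
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```

Two caveats a practitioner will want. First, the NetworkPolicy as written allows no egress to the Internet and no ingress from a monitoring namespace; a backend that calls external APIs or is scraped by Prometheus needs an extra rule for each. Second, Pod Security Admission only acts at admission time, so before enforcing `restricted` on a namespace that already has pods, preview the impact with `kubectl label --dry-run=server --overwrite ns prj2-team pod-security.kubernetes.io/enforce=restricted`, which warns about every existing pod that would be rejected.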
Technology Stack
| Layer | Technology |
|---|---|
| Container orchestration | Kubernetes |
| GitOps | ArgoCD |
| Image registry | Harbor |
| Ingress | Traefik |
| TLS certificates | cert-manager + Let's Encrypt |
| Database | PostgreSQL |
| Monitoring | Prometheus + Grafana + OpenTelemetry |
| DB management | pgAdmin |
All of this is configured as code in the IDP repository.