diff --git a/docs/gitops-cicd/09-cicd-components-comparison.md b/docs/gitops-cicd/09-cicd-components-comparison.md new file mode 100644 index 0000000..d2b7702 --- /dev/null +++ b/docs/gitops-cicd/09-cicd-components-comparison.md 
@@ -0,0 +1,451 @@ +# CI/CD Компоненты: Сравнение, Альтернативы и Обоснование выбора + +**Версия:** 1.0 +**Дата:** Январь 2026 +**Целевая аудитория:** Technical Architects, DevOps Team, Management +**Статус:** Decision Document + +--- + +## Executive Summary + +### Рекомендованный Stack для FinTech + +| Компонент | Продукт | License | Annual Cost | Обоснование | +|-----------|---------|---------|-------------|-------------| +| **Git Repository** | Gitea | MIT | $0 | Lightweight, full-featured, zero cost | +| **CI Server** | Jenkins | MIT | $0 | Industry standard, 1800+ plugins | +| **GitOps** | ArgoCD/Custom | Apache 2.0 | $0 | Best GitOps, audit trail | +| **Container Registry** | Harbor | Apache 2.0 | $0 | Security scanning built-in | +| **Orchestration UI** | Portainer CE | Zlib | $0 | User-friendly, RBAC | +| **TOTAL** | | | **$0** | **vs $6,720 commercial stack** | + +--- + +## Содержание + +1. [Git Repository: Gitea vs Alternatives](#git-repository-gitea) +2. [CI Server: Jenkins vs Alternatives](#ci-server-jenkins) +3. [GitOps: ArgoCD vs Alternatives](#gitops-argocd) +4. [Container Registry: Harbor vs Alternatives](#container-registry-harbor) +5. [Orchestration UI: Portainer vs Alternatives](#orchestration-ui-portainer) +6. 
[Cost Comparison](#cost-comparison) + +--- + +## Git Repository: Gitea + +### Функциональность + +**Core Features:** +- Git repository hosting (unlimited repos) +- Pull Request workflow + code review +- Issues + Projects (Kanban) +- Wiki documentation +- Branch protection rules +- Webhooks для CI integration +- LDAP/AD authentication +- GPG commit signing +- Git LFS support + +**Performance:** +- RAM usage: 200-500 MB +- Single Go binary (50-100 MB) +- Fast startup (<5 seconds) +- SQLite/PostgreSQL/MySQL support + +### Альтернативы + +| Feature | Gitea | GitLab CE | GitHub Enterprise | Bitbucket | +|---------|-------|-----------|-------------------|-----------| +| **Cost** | FREE | FREE | $21/user/mo | $30/user/mo | +| **RAM** | 200 MB | 4+ GB | 2+ GB | 1-2 GB | +| **Setup** | 5 min | 30-60 min | 60+ min | 30 min | +| **Built-in CI** | ❌ | ✅ | ✅ | ✅ | +| **Lightweight** | ✅ | ❌ | ❌ | ⚠️ | + +### Почему Gitea? + +✅ **Zero cost** - критично для budget +✅ **Lightweight** - 200 MB RAM vs 4+ GB GitLab +✅ **Simple** - single binary, easy upgrade +✅ **Full-featured** - все нужное для Git workflow +✅ **LDAP ready** - corporate authentication + +**Use GitLab instead if:** +- Need integrated CI/CD (without Jenkins) +- Team already knows GitLab +- Can allocate 8+ GB RAM + +--- + +## CI Server: Jenkins + +### Функциональность + +**Core Features:** +- Pipeline as Code (Jenkinsfile) +- 1800+ plugins ecosystem +- Distributed builds (master-agent) +- Docker/Kubernetes integration +- LDAP/AD + RBAC +- Credentials management +- Audit trail +- Blue Ocean modern UI + +**Plugin Examples:** +``` +Security: +├─ OWASP Dependency Check +├─ SonarQube Scanner +├─ Trivy Container Scanner +└─ Snyk Security + +Integrations: +├─ Gitea Plugin +├─ Docker Plugin +├─ Kubernetes Plugin +├─ Slack Notification +└─ Email Extension + +Quality: +├─ JUnit Test Results +├─ Code Coverage (JaCoCo) +├─ Warnings Next Generation +└─ Performance Plugin +``` + +### Альтернативы + +| Feature | Jenkins | GitLab CI | 
GitHub Actions | Drone | +|---------|---------|-----------|----------------|-------| +| **Cost** | FREE | FREE | Cloud/Self-hosted | FREE | +| **Plugins** | 1800+ | Limited | Marketplace | ~100 | +| **Flexibility** | High | Medium | Medium | Medium | +| **Learning Curve** | Medium | Low | Low | Low | +| **Git Agnostic** | ✅ | ❌ GitLab only | ❌ GitHub only | ✅ | + +### Pipeline Example + +```groovy +pipeline { + agent { docker { image 'maven:3.8-openjdk-17' } } + + stages { + stage('Build') { + steps { + sh 'mvn clean package' + } + } + + stage('Test') { + parallel { + stage('Unit Tests') { + steps { sh 'mvn test' } + } + stage('Security Scan') { + steps { sh 'mvn dependency-check:check' } + } + } + } + + stage('Docker Build') { + steps { + sh 'docker build -t app:${BUILD_NUMBER} .' + } + } + + stage('Push to Harbor') { + steps { + sh 'docker push harbor.local/app:${BUILD_NUMBER}' + } + } + } +} +``` + +### Почему Jenkins? + +✅ **Industry standard** - 70% Fortune 500 use it +✅ **Plugin ecosystem** - 1800+ plugins +✅ **Proven in FinTech** - JPMorgan, Deutsche Bank +✅ **Flexibility** - Pipeline as Code +✅ **Git agnostic** - works with Gitea, GitLab, etc. 
+ +**Use GitLab CI instead if:** +- Using GitLab as Git provider +- Need simpler YAML syntax +- Want all-in-one platform + +--- + +## GitOps: ArgoCD / Custom + +### ArgoCD (для Kubernetes) + +**Features:** +- Declarative GitOps +- Automatic sync from Git +- Web UI (topology view) +- Multi-cluster support +- SSO (OIDC, LDAP) +- Rollback capabilities +- Audit logging + +**Альтернативы:** +- **Flux CD** - no UI, CLI-first +- **Jenkins X** - very opinionated +- **Spinnaker** - complex, multi-cloud + +### Custom GitOps Operator (для Docker Swarm) + +**Why custom для Swarm:** +- ArgoCD designed для K8s +- Swarm simpler - custom operator = 200 lines Python +- Full control, easy maintenance + +**Implementation:** + +```python +# gitops-swarm-operator.py +import time, subprocess +from git import Repo + +class GitOpsOperator: + def __init__(self, repo_url, local_path): + self.repo = Repo.clone_from(repo_url, local_path) + + def sync_loop(self, interval=30): + while True: + self.repo.remotes.origin.pull() + + for compose_file in Path(self.local_path).rglob('docker-compose.yml'): + stack_name = compose_file.parent.name + subprocess.run([ + 'docker', 'stack', 'deploy', + '-c', str(compose_file), + stack_name + ]) + + time.sleep(interval) +``` + +### Почему ArgoCD/Custom? + +**Kubernetes:** ArgoCD +✅ Best-in-class UI +✅ Strong RBAC +✅ Audit trail + +**Docker Swarm:** Custom +✅ Simple (200 lines) +✅ Lightweight (50 MB RAM) +✅ Easy troubleshooting + +--- + +## Container Registry: Harbor + +### Функциональность + +**Core Features:** +- Docker Registry v2 API +- Vulnerability scanning (Trivy) +- Image signing (Notary/Cosign) +- RBAC (project-level) +- LDAP/AD integration +- Replication +- Webhook notifications +- Audit logging + +**Security Workflow:** +``` +Push Image → Harbor + │ + ├──> Trivy Scan + │ ├─ OS vulnerabilities + │ └─ App dependencies + │ + ├──> Policy Check + │ ├─ CRITICAL CVEs? → ❌ Block + │ ├─ HIGH CVEs? 
→ ⚠️ Warn + │ └─ MEDIUM/LOW → ✅ Allow + │ + └──> Notification + └─ Slack/Email +``` + +### Альтернативы + +| Feature | Harbor | Docker Registry | Nexus | Artifactory | +|---------|--------|-----------------|-------|-------------| +| **Cost** | FREE | FREE | FREE (limited) | $3K+/year | +| **UI** | ✅ | ❌ | ✅ | ✅ | +| **Vuln Scan** | ✅ Trivy | ❌ | ⚠️ Paid | ✅ | +| **Signing** | ✅ | ❌ | ⚠️ Paid | ✅ | +| **RBAC** | ✅ | ❌ | ✅ | ✅ | + +### Почему Harbor? + +✅ **Security built-in** - Trivy scanning included +✅ **Compliance-ready** - audit logs, signing +✅ **Enterprise RBAC** - project-level permissions +✅ **Zero cost** - vs $3K+ Artifactory + +**Use Nexus instead if:** +- Need multi-format (Maven, npm, PyPI) +- Already using Sonatype tools + +--- + +## Orchestration UI: Portainer + +### Функциональность + +**Core Features:** +- Docker Swarm native support +- Modern Web UI +- Stack deployment (Compose) +- RBAC + Teams +- LDAP/AD integration +- Container logs streaming +- Resource monitoring +- Template library + +**RBAC Example:** +``` +Teams: +├── DevOps (Admin) +│ └─ Full access +├── Developers +│ └─ Deploy to dev only +├── QA +│ └─ Deploy to staging +└── Managers + └─ View-only +``` + +### Альтернативы + +| Feature | Portainer CE | Swarmpit | Docker CLI | Rancher | +|---------|--------------|----------|------------|---------| +| **Cost** | FREE | FREE | FREE | FREE | +| **UI** | ✅ Excellent | ✅ Good | ❌ | ✅ Excellent | +| **RBAC** | ✅ | ⚠️ Basic | ❌ | ✅ | +| **LDAP** | ✅ | ❌ | ❌ | ✅ | +| **Swarm Focus** | ✅ | ✅ | ✅ | ⚠️ K8s focus | + +### Почему Portainer? 
+ +✅ **User-friendly** - non-DevOps can deploy +✅ **RBAC** - compliance-ready access control +✅ **Free** - CE version has all needed features +✅ **Audit trail** - who deployed what + +--- + +## Cost Comparison + +### Recommended (Open Source) + +``` +Gitea: $0 +Jenkins: $0 +ArgoCD/Custom: $0 +Harbor: $0 +Portainer CE: $0 +─────────────────── +TOTAL: $0/year + +Savings: $6,720/year +``` + +### Alternative (Commercial) + +``` +GitHub Enterprise: $2,520/year (10 users) +Bamboo CI: $1,200/year +Spinnaker: $0 (FOSS) +Artifactory: $3,000/year +Rancher: $0 (FOSS) +──────────────────────────────────── +TOTAL: $6,720/year +``` + +--- + +## Implementation Priority + +**Week 1-2: Core** +1. Deploy Gitea + PostgreSQL +2. Deploy Harbor +3. Migrate existing repos + +**Week 3-4: CI/CD** +4. Deploy Jenkins +5. Create first pipeline +6. Setup webhooks + +**Week 5-6: GitOps** +7. Deploy ArgoCD/Custom +8. Deploy Portainer +9. End-to-end test + +--- + +## Decision Matrix + +### When to Choose Alternatives + +**GitLab over Gitea:** +- ❓ Need integrated CI/CD +- ❓ Team knows GitLab +- ❓ Have 8+ GB RAM + +**GitHub Actions over Jenkins:** +- ❓ Using GitHub (not on-prem) +- ❓ Simple workflows only + +**Artifactory over Harbor:** +- ❓ Need multi-format registry +- ❓ Budget allows $3K+/year + +**Rancher over Portainer:** +- ❓ Multiple clusters +- ❓ Heavy K8s focus + +--- + +## Appendix: Quick Reference + +### Component URLs + +``` +Gitea: https://git.company.local +Jenkins: https://jenkins.company.local +Harbor: https://harbor.company.local +ArgoCD: https://argocd.company.local +Portainer: https://portainer.company.local:9443 +``` + +### Default Ports + +``` +Gitea: 3000 (HTTP), 22 (SSH) +Jenkins: 8080 (HTTP) +Harbor: 80/443 (HTTP/HTTPS) +ArgoCD: 8080 (HTTP), 8083 (gRPC) +Portainer: 9443 (HTTPS), 8000 (Edge) +``` + +--- + +**Document Version:** 1.0 +**Last Updated:** Январь 2026 +**Status:** Decision Document - Ready for Approval + +**Approvals:** +- [ ] Technical Architect +- [ ] DevOps 
Lead +- [ ] Security Lead +- [ ] CTO \ No newline at end of file
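Review bot: the `gitops-swarm-operator.py` snippet in the GitOps section does not run as written: `Path` is used in `for compose_file in Path(self.local_path).rglob('docker-compose.yml'):` but never imported (`from pathlib import Path` is missing), and `self.local_path` is read but `__init__` only assigns `self.repo`, so the first `sync_loop` iteration raises AttributeError. The `subprocess.run([...])` call has no `check=True` and no logging, so a failed `docker stack deploy` is silently swallowed, which undercuts the "Audit trail" the document claims for the GitOps layer; consider checking the return code, logging the deployed commit SHA and stack name, and redeploying only when `origin.pull()` actually moved HEAD instead of redeploying every stack every 30 seconds. Since GPG commit signing is listed as a Gitea feature, the operator is also the natural place to verify that HEAD is signed before anything is deployed. In the Jenkinsfile, `sh 'docker build -t app:${BUILD_NUMBER} .'` produces an image named `app:<n>` while `sh 'docker push harbor.local/app:${BUILD_NUMBER}'` pushes a name that was never tagged, so the push stage fails; tag the build as `harbor.local/app:${BUILD_NUMBER}` (or add a `docker tag` step) and add a credentials-backed `docker login` to Harbor before the push. Note too that the `maven:3.8-openjdk-17` Docker agent does not ship a `docker` CLI, so the Docker Build and Push stages need a different agent or an explicitly mounted Docker socket.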