# CI/CD Components: Comparison, Alternatives and Rationale for the Choice

**Version:** 1.0

**Date:** January 2026

**Target audience:** Technical Architects, DevOps Team, Management

**Status:** Decision Document

---
## Executive Summary
### Recommended Stack for FinTech
| Component | Product | License | Annual Cost | Rationale |
|-----------|---------|---------|-------------|-----------|
| **Git Repository** | Gitea | MIT | $0 | Lightweight, full-featured, zero cost |
| **CI Server** | Jenkins | MIT | $0 | Industry standard, 1800+ plugins |
| **GitOps** | ArgoCD/Custom | Apache 2.0 | $0 | Best GitOps, audit trail |
| **Container Registry** | Harbor | Apache 2.0 | $0 | Security scanning built-in |
| **Orchestration UI** | Portainer CE | Zlib | $0 | User-friendly, RBAC |
| **TOTAL** | | | **$0** | **vs $6,720 commercial stack** |
---
## Contents
1. [Git Repository: Gitea vs Alternatives](#git-repository-gitea)
2. [CI Server: Jenkins vs Alternatives](#ci-server-jenkins)
3. [GitOps: ArgoCD vs Alternatives](#gitops-argocd)
4. [Container Registry: Harbor vs Alternatives](#container-registry-harbor)
5. [Orchestration UI: Portainer vs Alternatives](#orchestration-ui-portainer)
6. [Cost Comparison](#cost-comparison)
---
## Git Repository: Gitea
### Functionality
**Core Features:**
- Git repository hosting (unlimited repos)
- Pull Request workflow + code review
- Issues + Projects (Kanban)
- Wiki documentation
- Branch protection rules
- Webhooks for CI integration
- LDAP/AD authentication
- GPG commit signing
- Git LFS support
**Performance:**
- RAM usage: 200-500 MB
- Single Go binary (50-100 MB)
- Fast startup (<5 seconds)
- SQLite/PostgreSQL/MySQL support
### Alternatives
| Feature | Gitea | GitLab CE | GitHub Enterprise | Bitbucket |
|---------|-------|-----------|-------------------|-----------|
| **Cost** | FREE | FREE | $21/user/mo | $30/user/mo |
| **RAM** | 200 MB | 4+ GB | 2+ GB | 1-2 GB |
| **Setup** | 5 min | 30-60 min | 60+ min | 30 min |
| **Built-in CI** | | | | |
| **Lightweight** | | | | |
### Why Gitea?
- **Zero cost** - critical for the budget
- **Lightweight** - 200 MB RAM vs 4+ GB for GitLab
- **Simple** - single binary, easy upgrades
- **Full-featured** - everything needed for a Git workflow
- **LDAP ready** - corporate authentication

**Use GitLab instead if:**
- Need integrated CI/CD (without Jenkins)
- Team already knows GitLab
- Can allocate 8+ GB RAM
---
## CI Server: Jenkins
### Functionality
**Core Features:**
- Pipeline as Code (Jenkinsfile)
- 1800+ plugins ecosystem
- Distributed builds (master-agent)
- Docker/Kubernetes integration
- LDAP/AD + RBAC
- Credentials management
- Audit trail
- Blue Ocean modern UI
**Plugin Examples:**
```
Security:
├─ OWASP Dependency Check
├─ SonarQube Scanner
├─ Trivy Container Scanner
└─ Snyk Security

Integrations:
├─ Gitea Plugin
├─ Docker Plugin
├─ Kubernetes Plugin
├─ Slack Notification
└─ Email Extension

Quality:
├─ JUnit Test Results
├─ Code Coverage (JaCoCo)
├─ Warnings Next Generation
└─ Performance Plugin
```
### Alternatives
| Feature | Jenkins | GitLab CI | GitHub Actions | Drone |
|---------|---------|-----------|----------------|-------|
| **Cost** | FREE | FREE | Cloud/Self-hosted | FREE |
| **Plugins** | 1800+ | Limited | Marketplace | ~100 |
| **Flexibility** | High | Medium | Medium | Medium |
| **Learning Curve** | Medium | Low | Low | Low |
| **Git Agnostic** | | GitLab only | GitHub only | |
### Pipeline Example
```groovy
pipeline {
    // The agent image must also provide the docker CLI for the build/push stages below.
    agent { docker { image 'maven:3.8-openjdk-17' } }
    stages {
        stage('Build') {
            steps {
                sh 'mvn clean package'
            }
        }
        stage('Test') {
            parallel {
                stage('Unit Tests') {
                    steps { sh 'mvn test' }
                }
                stage('Security Scan') {
                    steps { sh 'mvn dependency-check:check' }
                }
            }
        }
        stage('Docker Build') {
            steps {
                // Tag with the registry name so the same tag is pushed unchanged below.
                sh 'docker build -t harbor.local/app:${BUILD_NUMBER} .'
            }
        }
        stage('Push to Harbor') {
            steps {
                // Assumes the agent is already logged in to harbor.local (e.g. via Jenkins credentials).
                sh 'docker push harbor.local/app:${BUILD_NUMBER}'
            }
        }
    }
}
```
### Why Jenkins?
- **Industry standard** - 70% of Fortune 500 companies use it
- **Plugin ecosystem** - 1800+ plugins
- **Proven in FinTech** - JPMorgan, Deutsche Bank
- **Flexibility** - Pipeline as Code
- **Git agnostic** - works with Gitea, GitLab, etc.

**Use GitLab CI instead if:**
- Using GitLab as Git provider
- Need simpler YAML syntax
- Want all-in-one platform
---
## GitOps: ArgoCD / Custom
### ArgoCD (for Kubernetes)
**Features:**
- Declarative GitOps
- Automatic sync from Git
- Web UI (topology view)
- Multi-cluster support
- SSO (OIDC, LDAP)
- Rollback capabilities
- Audit logging
**Alternatives:**
- **Flux CD** - no UI, CLI-first
- **Jenkins X** - very opinionated
- **Spinnaker** - complex, multi-cloud
### Custom GitOps Operator (for Docker Swarm)
**Why custom for Swarm:**
- ArgoCD is designed for K8s
- Swarm is simpler: a custom operator is about 200 lines of Python
- Full control, easy maintenance
**Implementation:**
```python
# gitops-swarm-operator.py
import subprocess
import time
from pathlib import Path

from git import Repo  # GitPython


class GitOpsOperator:
    def __init__(self, repo_url, local_path):
        self.local_path = local_path
        self.repo = Repo.clone_from(repo_url, local_path)

    def sync_loop(self, interval=30):
        while True:
            # Pull the latest manifests, then (re)deploy every stack found in the repo.
            self.repo.remotes.origin.pull()
            for compose_file in Path(self.local_path).rglob('docker-compose.yml'):
                stack_name = compose_file.parent.name  # stack is named after its directory
                subprocess.run([
                    'docker', 'stack', 'deploy',
                    '-c', str(compose_file),
                    stack_name
                ], check=True)
            time.sleep(interval)
```
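The operator above redeploys every stack on every loop and trusts whatever `pull` brings in. As an added example (not the project's operator code), the sync step below only acts on a new commit that carries a valid GPG signature and redeploys only the stacks whose directory changed; `run_git`, `plan_sync`, `apply_sync`, the `origin/main` deploy branch and a plain-git checkout are all assumptions of this example.

```python
"""Added example, not the project's operator: a change-aware, signature-gated sync
step for the operator above. Assumes a plain-git checkout, deploy branch origin/main,
and that authorised committers' GPG keys are in the keyring `git verify-commit` uses."""
import subprocess
from pathlib import PurePosixPath

COMPOSE_FILE = "docker-compose.yml"

def run_git(repo_path, *args):
    """Run git inside repo_path and return stripped stdout; raises on non-zero exit."""
    proc = subprocess.run(["git", "-C", repo_path, *args], check=True, capture_output=True, text=True)
    return proc.stdout.strip()

def stacks_to_deploy(changed_paths, compose_files):
    """Map stack name (its directory, as in the operator above) -> compose path for
    every stack whose directory holds a changed file; unrelated edits yield {}."""
    stacks = {}
    for compose in compose_files:
        stack_dir = PurePosixPath(compose).parent
        if any(stack_dir in PurePosixPath(p).parents for p in changed_paths):
            stacks[stack_dir.name] = compose
    return stacks

def plan_sync(repo_path, last_sha):
    """Fetch and verify the new HEAD; return (sha_to_deploy, stacks). An unsigned or
    badly signed commit keeps last_sha and deploys nothing."""
    run_git(repo_path, "fetch", "origin")
    head = run_git(repo_path, "rev-parse", "origin/main")
    if head == last_sha:
        return head, {}
    try:
        run_git(repo_path, "verify-commit", head)  # exit 0 only for a good signature
    except subprocess.CalledProcessError:
        return last_sha, {}
    tree = run_git(repo_path, "ls-tree", "-r", "--name-only", head).splitlines()
    compose_files = [p for p in tree if p.endswith(COMPOSE_FILE)]
    # First run deploys every stack; later runs only those touched since last_sha.
    changed = (run_git(repo_path, "diff", "--name-only", last_sha, head).splitlines()
               if last_sha else compose_files)
    return head, stacks_to_deploy(changed, compose_files)

def apply_sync(repo_path, last_sha):
    """Check out the verified commit and redeploy only the affected stacks."""
    sha, stacks = plan_sync(repo_path, last_sha)
    if stacks:
        run_git(repo_path, "checkout", "--detach", sha)
    for name, compose in stacks.items():
        subprocess.run(["docker", "stack", "deploy", "-c", f"{repo_path}/{compose}", name], check=True)
    return sha
```

`apply_sync` returns the commit that is now deployed, so the caller's loop can pass it back as `last_sha` on the next interval and keep a record of which commit each deployment came from.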
### Why ArgoCD/Custom?
**Kubernetes:** ArgoCD
- Best-in-class UI
- Strong RBAC
- Audit trail

**Docker Swarm:** Custom
- Simple (200 lines)
- Lightweight (50 MB RAM)
- Easy troubleshooting

---
## Container Registry: Harbor
### Functionality
**Core Features:**
- Docker Registry v2 API
- Vulnerability scanning (Trivy)
- Image signing (Notary/Cosign)
- RBAC (project-level)
- LDAP/AD integration
- Replication
- Webhook notifications
- Audit logging
**Security Workflow:**
```
Push Image → Harbor
├──> Trivy Scan
│    ├─ OS vulnerabilities
│    └─ App dependencies
├──> Policy Check
│    ├─ CRITICAL CVEs? → ❌ Block
│    ├─ HIGH CVEs? → ⚠️ Warn
│    └─ MEDIUM/LOW → ✅ Allow
└──> Notification
     └─ Slack/Email
```
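The policy check above can be applied in the pipeline as well, before the image reaches the registry. This added example (not part of the document or of Harbor) reads a Trivy JSON report and returns the three-tier decision; the report and its CVE ids are constructed placeholders.

```python
"""Added example (not part of the document): applies the three-tier policy from the
Harbor workflow above to a Trivy JSON report, e.g. as a CI gate before the push to
Harbor. The report below is constructed and the CVE ids are placeholders."""
import json

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

def count_by_severity(report):
    """Count findings per severity across all Results (OS packages and application
    dependencies alike); a target with no findings carries no 'Vulnerabilities' key."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts

def decide(counts):
    """Policy from the workflow: CRITICAL -> BLOCK, HIGH -> WARN, otherwise ALLOW."""
    if counts.get("CRITICAL", 0):
        return "BLOCK"
    if counts.get("HIGH", 0):
        return "WARN"
    return "ALLOW"

def evaluate(report_json):
    """Return (decision, counts) for a Trivy report given as its JSON text."""
    counts = count_by_severity(json.loads(report_json))
    return decide(counts), counts

# Constructed Trivy-style report: one OS-package finding, one app-dependency finding,
# one target with nothing found.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "harbor.local/app:42",
    "Results": [
        {"Target": "harbor.local/app:42 (debian 12)", "Class": "os-pkgs",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample",
                              "Severity": "HIGH", "FixedVersion": "1.2.3"}]},
        {"Target": "app.jar", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-00002", "PkgName": "example-lib",
                              "Severity": "MEDIUM"}]},
        {"Target": "/etc/ssl/openssl.cnf", "Class": "config"},
    ],
})

if __name__ == "__main__":
    decision, counts = evaluate(SAMPLE_REPORT)
    print(decision, {k: v for k, v in counts.items() if v})  # WARN {'MEDIUM': 1, 'HIGH': 1}
    raise SystemExit(1 if decision == "BLOCK" else 0)  # fail the CI stage only on BLOCK
```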
### Alternatives
| Feature | Harbor | Docker Registry | Nexus | Artifactory |
|---------|--------|-----------------|-------|-------------|
| **Cost** | FREE | FREE | FREE (limited) | $3K+/year |
| **UI** | | | | |
| **Vuln Scan** | Trivy | | Paid | |
| **Signing** | | | Paid | |
| **RBAC** | | | | |
### Why Harbor?
- **Security built-in** - Trivy scanning included
- **Compliance-ready** - audit logs, signing
- **Enterprise RBAC** - project-level permissions
- **Zero cost** - vs $3K+ for Artifactory

**Use Nexus instead if:**
- Need multi-format (Maven, npm, PyPI)
- Already using Sonatype tools
---
## Orchestration UI: Portainer
### Functionality
**Core Features:**
- Docker Swarm native support
- Modern Web UI
- Stack deployment (Compose)
- RBAC + Teams
- LDAP/AD integration
- Container logs streaming
- Resource monitoring
- Template library
**RBAC Example:**
```
Teams:
├── DevOps (Admin)
│   └─ Full access
├── Developers
│   └─ Deploy to dev only
├── QA
│   └─ Deploy to staging
└── Managers
    └─ View-only
```
### Alternatives
| Feature | Portainer CE | Swarmpit | Docker CLI | Rancher |
|---------|--------------|----------|------------|---------|
| **Cost** | FREE | FREE | FREE | FREE |
| **UI** | Excellent | Good | | Excellent |
| **RBAC** | | Basic | | |
| **LDAP** | | | | |
| **Swarm Focus** | | | | K8s focus |
### Why Portainer?
- **User-friendly** - non-DevOps staff can deploy
- **RBAC** - compliance-ready access control
- **Free** - the CE version has all the needed features
- **Audit trail** - who deployed what

---
## Cost Comparison
### Recommended (Open Source)
```
Gitea: $0
Jenkins: $0
ArgoCD/Custom: $0
Harbor: $0
Portainer CE: $0
───────────────────
TOTAL: $0/year
Savings: $6,720/year
```
### Alternative (Commercial)
```
GitHub Enterprise: $2,520/year (10 users)
Bamboo CI: $1,200/year
Spinnaker: $0 (FOSS)
Artifactory: $3,000/year
Rancher: $0 (FOSS)
────────────────────────────────────
TOTAL: $6,720/year
```
---
## Implementation Priority
**Week 1-2: Core**
1. Deploy Gitea + PostgreSQL
2. Deploy Harbor
3. Migrate existing repos
**Week 3-4: CI/CD**
4. Deploy Jenkins
5. Create first pipeline
6. Setup webhooks
**Week 5-6: GitOps**
7. Deploy ArgoCD/Custom
8. Deploy Portainer
9. End-to-end test
---
## Decision Matrix
### When to Choose Alternatives
**GitLab over Gitea:**
- Need integrated CI/CD
- Team knows GitLab
- Have 8+ GB RAM
**GitHub Actions over Jenkins:**
- Using GitHub (not on-prem)
- Simple workflows only
**Artifactory over Harbor:**
- Need multi-format registry
- Budget allows $3K+/year
**Rancher over Portainer:**
- Multiple clusters
- Heavy K8s focus
---
## Appendix: Quick Reference
### Component URLs
```
Gitea: https://git.company.local
Jenkins: https://jenkins.company.local
Harbor: https://harbor.company.local
ArgoCD: https://argocd.company.local
Portainer: https://portainer.company.local:9443
```
### Default Ports
```
Gitea: 3000 (HTTP), 22 (SSH)
Jenkins: 8080 (HTTP)
Harbor: 80/443 (HTTP/HTTPS)
ArgoCD: 8080 (HTTP), 8083 (gRPC)
Portainer: 9443 (HTTPS), 8000 (Edge)
```
---
**Document Version:** 1.0

**Last Updated:** January 2026

**Status:** Decision Document - Ready for Approval

**Approvals:**
- [ ] Technical Architect
- [ ] DevOps Lead
- [ ] Security Lead
- [ ] CTO