Application Team · Design & Onboarding

Application onboarding

How an application is designed, secured, and delivered: from a Git commit to a running, exposed, observed app, riding a paved road that wires TLS, mesh, observability, and policy automatically.

Design

Principles

🚀 GitOps self-service

The app's desired state lives in Git; Argo CD syncs it into the tenant namespace. No kubectl by humans.

🛣️ Paved road

Ingress+TLS, mesh mTLS, tracing, metrics, and policy are provided by the platform; the app only declares intent.

✅ Compliant by construction

The recommended manifests already satisfy the guardrails, so the easy way is the compliant way.

🔭 Observability built-in

Traces and metrics appear without instrumenting the app: the mesh sidecar emits request spans and metrics, and a ServiceMonitor tells Prometheus where to scrape. The one thing the sidecar cannot do for you is stitch hops together: spans from successive services only join into one trace if the app forwards the trace headers it received on the inbound request to its outbound calls.

🧩 Tier-aware

Stateless tiers scale; stateful tiers get stable identity + storage; batch runs as Jobs/CronJobs.

🔒 Least privilege at the edge

The app team operates only inside their namespace, under their scoped AppProject / kubeconfig.
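The following is an added example of what "scoped AppProject" means in Argo CD terms; it is not the platform's own onboarding manifest. The project name team-a, the SSO group team-a-devs, the repo URL and the list of platform-owned kinds are assumed placeholders.

```yaml
# Added example, not the platform's own manifests. Names, repo URL and group are assumed.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-a
  namespace: argocd
spec:
  description: Tenant project for team-a, pinned to one repo and one namespace
  sourceRepos:
    - https://git.example.com/platform/apps.git   # only this repo may be synced
  destinations:
    - server: https://kubernetes.default.svc
      namespace: team-a                           # only the tenant namespace, never istio-system etc.
  clusterResourceWhitelist: []                    # no cluster-scoped objects at all
  namespaceResourceBlacklist:                     # platform-owned, namespaced kinds the tenant may not ship (assumed list)
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange
    - group: kyverno.io
      kind: Policy
  roles:
    - name: developer
      description: read and sync own applications, nothing else
      policies:
        - p, proj:team-a:developer, applications, get, team-a/*, allow
        - p, proj:team-a:developer, applications, sync, team-a/*, allow
      groups:
        - team-a-devs                             # SSO group, assumed
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: wordpress
  namespace: argocd
spec:
  project: team-a
  source:
    repoURL: https://git.example.com/platform/apps.git
    targetRevision: main
    path: apps/wordpress                          # the apps/<name>/ directory from the Author step
  destination:
    server: https://kubernetes.default.svc
    namespace: team-a
  syncPolicy:
    automated:
      prune: true        # objects removed from Git are removed from the cluster
      selfHeal: true     # drift made with kubectl is reverted to the Git state
    syncOptions:
      - CreateNamespace=false   # the namespace is created at tenant onboarding, not by the app
```

The destinations list is what makes the scoping bite: a PeerAuthentication committed under apps/wordpress lands in team-a and is accepted, while the same object pointed at istio-system (which would be mesh-wide) is refused at sync time, so a tenant cannot widen or weaken guardrails from its own repo.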


The paved road: provided automatically

🔐 Public URL + TLS: nginx ingress + cert-manager. Declare an Ingress, get an HTTPS URL with a valid cert.
🛡️ mTLS between services: Istio sidecars (istio-cni). Be in a mesh-enabled namespace, get zero-trust east-west. Sidecars alone negotiate mTLS between two meshed pods; it is a STRICT PeerAuthentication that makes plaintext from inside the cluster get refused rather than merely tolerated.
🔭 Distributed tracing: Istio → OTel Collector → Jaeger. Spans with no application instrumentation.
📈 Metrics & autoscaling: Prometheus Operator + metrics-server. Emit a ServiceMonitor, declare an HPA.
💾 Storage: Longhorn (RWO + RWX). Declare a PVC with storageClassName: longhorn.
⚖️ Policy guardrails: Kyverno enforces limits, non-root, no-privileged and an approved registry at admission.
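As an added example (not the platform's golden-path chart), here is what "declare intent" looks like for one web service: a Deployment written so that it already satisfies the four guardrails named above, with the PVC, Service, Ingress and PeerAuthentication that pull in storage, a public TLS URL and STRICT mTLS. The hostname, registry, ClusterIssuer name, namespace and the assumption that the image is a non-root build listening on 8080 are all placeholders.

```yaml
# Added example, not the platform's golden-path chart. Hostname, registry, issuer, namespace and ports are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
  namespace: team-a
spec:
  replicas: 2
  selector:
    matchLabels: {app: wordpress}
  template:
    metadata:
      labels: {app: wordpress}     # sidecar injection comes from the namespace label; nothing to add here
    spec:
      securityContext:
        runAsNonRoot: true         # guardrail: non-root
        runAsUser: 33
        fsGroup: 33                # lets the non-root process write the RWX volume
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: wordpress
          image: registry.example.com/team-a/wordpress:6.5   # guardrail: approved registry (non-root image on 8080 assumed)
          ports:
            - containerPort: 8080
          securityContext:
            privileged: false                  # guardrail: no privileged
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
          resources:                           # guardrail: limits present
            requests: {cpu: 250m, memory: 256Mi}
            limits: {cpu: "1", memory: 512Mi}
          volumeMounts:
            - name: content
              mountPath: /var/www/html/wp-content
      volumes:
        - name: content
          persistentVolumeClaim: {claimName: wordpress-content}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wordpress-content
  namespace: team-a
spec:
  accessModes: [ReadWriteMany]     # shared by both replicas; Longhorn serves RWX
  storageClassName: longhorn
  resources:
    requests: {storage: 10Gi}
---
apiVersion: v1
kind: Service
metadata:
  name: wordpress
  namespace: team-a
spec:
  selector: {app: wordpress}
  ports:
    - name: http                   # a named port lets Istio classify the traffic as HTTP for spans/metrics
      port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  namespace: team-a
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod   # issuer name assumed; cert-manager watches this annotation
spec:
  ingressClassName: nginx
  tls:
    - hosts: [wordpress.example.com]
      secretName: wordpress-tls    # cert-manager creates and renews this Secret
  rules:
    - host: wordpress.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wordpress
                port: {number: 80}
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default                    # namespace-wide: applies to every workload in team-a
  namespace: team-a
spec:
  mtls:
    mode: STRICT                   # plaintext from inside the cluster is refused, not merely tolerated
```

One check worth making before relying on STRICT: the nginx ingress controller has to reach the pod through a sidecar of its own, otherwise its plaintext upstream connections are reset at the pod and the public URL fails even though the certificate is fine. On this platform that is the platform team's problem to have solved, but it is the first thing to look at if the Ingress works in PERMISSIVE mode and breaks in STRICT.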

Architecture tiers → Kubernetes primitives

Web / API
  Stateless, scalable → Deployment · HPA · PDB · Service · Ingress
  Example: WordPress (2 replicas, RWX content, HPA 2→4)
Database
  Stateful, stable identity → StatefulSet · headless Service · PVC (RWO)
  Example: MySQL StatefulSet + Longhorn PVC
Config & secrets
  Externalised → ConfigMap · Secret (+ Sealed/External in prod)
  Example: my.cnf, php uploads.ini, DB creds
Batch
  One-off & scheduled → Job · CronJob · initContainer
  Example: wp-install Job · mysqldump backup CronJob · wait-for-mysql
Mesh
  Security + telemetry → sidecar · PeerAuthentication · DestinationRule
  Example: STRICT mTLS, distributed traces
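Here is an added example for the Database and Batch rows (not the page's or the project's manifests): a MySQL StatefulSet with its headless Service and a per-replica RWO Longhorn claim, and the nightly mysqldump CronJob. The image names, the mysql-creds Secret (assumed to exist, e.g. from a SealedSecret), the mysql-config ConfigMap, the backup PVC and the schedule are placeholders. The CronJob also carries the one wrinkle a meshed batch job hits: with a sidecar injected, the pod keeps running after mysqldump exits unless the sidecar is told to quit, so the script does that on exit.

```yaml
# Added example, not the page's manifests. Images, Secret/ConfigMap names, sizes and schedule are assumed.
apiVersion: v1
kind: Service
metadata: {name: mysql, namespace: team-a}
spec:
  clusterIP: None                   # headless: each pod gets stable DNS, e.g. mysql-0.mysql.team-a.svc
  selector: {app: mysql}
  ports: [{name: mysql, port: 3306}]
---
apiVersion: apps/v1
kind: StatefulSet
metadata: {name: mysql, namespace: team-a}
spec:
  serviceName: mysql                # must match the headless Service above
  replicas: 1
  selector: {matchLabels: {app: mysql}}
  template:
    metadata: {labels: {app: mysql}}
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        fsGroup: 999
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: mysql
          image: registry.example.com/team-a/mysql:8.0   # approved registry; non-root image assumed
          ports: [{name: mysql, containerPort: 3306}]
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom: {secretKeyRef: {name: mysql-creds, key: root-password}}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
          resources:
            requests: {cpu: 500m, memory: 1Gi}
            limits: {cpu: "2", memory: 2Gi}
          volumeMounts:
            - {name: data, mountPath: /var/lib/mysql}
            - {name: config, mountPath: /etc/mysql/conf.d}   # my.cnf from a ConfigMap
      volumes:
        - name: config
          configMap: {name: mysql-config}
  volumeClaimTemplates:             # one RWO Longhorn volume per replica, kept across pod restarts
    - metadata: {name: data}
      spec:
        accessModes: [ReadWriteOnce]
        storageClassName: longhorn
        resources: {requests: {storage: 20Gi}}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata: {name: mysql-backups, namespace: team-a}
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: longhorn
  resources: {requests: {storage: 50Gi}}
---
apiVersion: batch/v1
kind: CronJob
metadata: {name: mysql-backup, namespace: team-a}
spec:
  schedule: "0 2 * * *"
  concurrencyPolicy: Forbid         # never two dumps at once (also keeps the RWO backup volume single-attached)
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        metadata:
          annotations:
            proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'   # no dump before the sidecar can do mTLS
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 999
            seccompProfile: {type: RuntimeDefault}
          containers:
            - name: dump
              image: registry.example.com/team-a/mysql:8.0   # assumed to ship mysqldump and curl
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -eu
                  # on any exit, success or failure, ask the sidecar to stop so the pod can reach a terminal phase
                  trap 'curl -sf -X POST http://localhost:15020/quitquitquit' EXIT
                  mysqldump -h mysql-0.mysql -u root --all-databases --single-transaction \
                    > "/backup/all-$(date +%F).sql"
              env:
                - name: MYSQL_PWD
                  valueFrom: {secretKeyRef: {name: mysql-creds, key: root-password}}
              securityContext:
                allowPrivilegeEscalation: false
                capabilities: {drop: ["ALL"]}
              resources:
                requests: {cpu: 100m, memory: 128Mi}
                limits: {cpu: 500m, memory: 512Mi}
              volumeMounts:
                - {name: backup, mountPath: /backup}
          volumes:
            - name: backup
              persistentVolumeClaim: {claimName: mysql-backups}
```

The trap matters more than it looks: without it a failed dump leaves the sidecar running, the pod never leaves Running, and the Job neither fails nor retries, so the backup silently stops happening. Disabling injection for the Job instead is not an option here, because under STRICT mTLS a sidecar-less pod cannot talk to mysql-0 at all. On clusters where Istio runs its proxy as a Kubernetes native sidecar the quit call becomes unnecessary, but it is harmless to leave in.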
How

Deployment steps: from one commit

Author

Write manifests/values under apps/<name>/: the golden-path chart for a simple service, or a kustomize/Helm bundle for a multi-tier app.

Commit

git commit && git push. Argo CD detects the change and syncs it under the tenant's scoped AppProject.

Platform wires it

cert-manager issues TLS; Istio injects sidecars (mTLS + traces); Prometheus discovers the ServiceMonitor; Kyverno admits it, provided every pod passes the guardrails. A violation is rejected at admission, so it surfaces as a failed sync in Argo CD rather than as a running, non-compliant pod.

Live

Open https://<app>.<domain>: running, TLS-terminated, mesh-secured, observed. The app team never ran kubectl.

# the whole full-stack app (web + db + storage + jobs + mesh) from one commit
git add apps/wordpress && git commit -m "deploy wordpress" && git push
# Argo CD reconciles; the platform layers on TLS, mTLS, tracing, metrics, policy.