VPS Deployment
Purpose
Section titled “Purpose”The VPS deployment is the staging environment between local test execution and the Kubernetes platform. It demonstrates HTTPS termination, reverse-proxy routing, a WAF decision point, backend network isolation and deployment telemetry without requiring the full Kubernetes control plane for every validation cycle.
Environment Position
Section titled “Environment Position”flowchart LR local[Local test stack] --> staging[VPS staging] staging --> platform[Kubernetes platform]
local --> localScope[Fast feedback without edge security] staging --> stagingScope[HTTPS, Traefik, WAF, registry pull and monitoring] platform --> platformScope[GitOps, policy enforcement, network isolation and platform observability]Runtime Architecture
Section titled “Runtime Architecture”flowchart TD Browser[User browser] -- HTTPS --> PublicEndpoint[VPS public HTTPS endpoint] PublicEndpoint --> Traefik[Traefik container weather-app-traefik]
Browser -- HTTP --> RedirectEndpoint[VPS HTTP endpoint] RedirectEndpoint -- redirect-to-https middleware --> Traefik
subgraph PublicNetwork["VPS network: public-network"] Traefik -- weather-app.yourbox.site --> FrontendRouter{Router: frontend-secure} FrontendRouter -- WAF middleware --> WafPlugin[traefik-modsecurity-plugin] WafPlugin -- HTTP 8080 --> WafContainer[WAF container weather-app-waf] WafContainer -- OWASP CRS analysis --> WafDecision{Request allowed?} WafDecision -- yes --> WafPlugin WafDecision -- no --> WafPlugin WafPlugin -- decision --> FrontendRouter FrontendRouter -- allowed request --> Frontend[weather-app-frontend Nginx] Frontend -- API Call: / & Serves static files (HTML, JS, CSS) --> FrontendRouter Frontend -- /api proxy --> BackendProxy{ProxyPass to backend} end
subgraph AppNetwork["VPS network: weather-app-network"] BackendProxy -- HTTP 3001 with internal token --> Backend[weather-app-backend] Backend -- request weather data --> Provider[Open-Meteo API] Provider -- weather payload --> Backend Backend -- JSON response --> BackendProxy end
BackendProxy --> Frontend Frontend --> FrontendRouter FrontendRouter --> Traefik Traefik --> Browser
subgraph Dashboard["Traefik dashboard path"] Traefik -- traefik-dash.yourbox.site --> DashboardRouter{Router: dashboard-secure} DashboardRouter -- BasicAuth middleware --> DashboardAuth{Auth allowed?} DashboardAuth -- yes --> DashboardService["api@internal"] DashboardService --> DashboardAuth DashboardAuth --> Traefik end
subgraph Monitoring["Monitoring stack"] Prometheus[Prometheus] -- scrape frontend and blackbox targets --> FrontendMetrics[Frontend metrics endpoint] GitLab[GitLab merge request] -- push deployment timing --> Pushgateway[Pushgateway] Pushgateway --> Prometheus Grafana[Grafana] -- query --> Prometheus endDeployment Evidence
Section titled “Deployment Evidence”Security
Section titled “Security”- HTTPS is terminated at Traefik.
- The frontend and WAF share the public network.
- The backend is only reachable from the application network.
- The frontend proxy adds the internal service token when calling the backend.
Observability
Section titled “Observability”- Prometheus scrapes application and synthetic health metrics.
- Grafana visualizes deployment timing and service health.
- GitLab pushes deployment timing to the Pushgateway for MTTP tracking.
Kubernetes Alignment
Section titled “Kubernetes Alignment”- The Kubernetes target keeps the same security intent with Ingress, NetworkPolicies, External Secrets and policy enforcement.
- Runtime secrets move from deployment variables to platform-managed secret injection.
- Image promotion moves toward immutable artifacts and signed supply-chain evidence.