Building an Enterprise Logging Platform with OpenObserve and Fluent Bit

Platform Architecture

Technology Selection

OpenObserve (abbreviated O2, formerly ZincObserve) is an open-source observability platform. The project positions it against the traditional ELK stack with the following claims; treat the numbers as vendor figures and verify them against your own log volume before sizing a deployment:

  • Low resource consumption: memory usage is quoted at about 1/10 of Elasticsearch, with roughly 90% less storage used
  • High performance: written in Rust; a single node is quoted at 5TB+ of logs per day
  • Full-featured: logs, metrics, and distributed tracing in one product, so it can stand in for Grafana + Loki + Tempo
  • Strong compatibility: ingests through Elasticsearch-compatible, Prometheus-compatible, and OpenTelemetry APIs
  • Easy deployment: a single binary with no external dependencies

Fluent Bit is a cloud-native log collector:

Kustomize Private Deployment of Multi-Scenario, Multi-Environment Container Services

I have been using Helm or native kubectl YAML combined with CI and ArgoCD to deploy applications for a long time. Recently, while deploying private services for a major financial client, I found the client’s environment to be quite complex, involving multiple countries and multiple sets of environments, such as Test, UAT, and Prod—about thirty environments in total. Modifying values and YAML files every time was exhausting. This time, I plan to use Kustomize to refactor our existing application deployment.

In-depth Comparison of Enterprise Private Cloud Platforms: ZStack vs TStack

Comparison between ZStack and TStack (Tencent Cloud Private Cloud)

Due to the specific requirements of financial clients, a selection process for third-party private cloud platforms is necessary during private delivery. This comparison focuses primarily on ZStack and TStack:

In the private/hybrid cloud market, ZStack (Yunzhou Tech, backed by Alibaba Cloud) and TStack (Tencent Cloud’s proprietary full-stack cloud solution, now mostly integrated into the TCE/TCS ecosystem) represent two typical categories. The former is known for “productization, lightweight, independent vendor,” while the latter focuses on “full-stack capabilities, same source as public cloud, and big tech ecosystem.”

Several Ways for Azure AKS Clusters to Access Blob Storage

When working with Azure, Blob Storage is frequently used. This article documents several common approaches for accessing Blob Storage from applications running in production environments:

1. Accessing Blob Storage via a Microsoft Entra ID Application Account

Advantages:

  • Works outside Azure environments (e.g., on-premises servers, AWS EC2)
  • Supports cross-subscription and cross-tenant access

Disadvantages:

  • The client secret must be stored securely (e.g., in Azure Key Vault) rather than in application config
  • Secrets have an expiry date and must be rotated manually before it; a missed rotation breaks the application
  • Risk of credential leakage, especially if the secret is hardcoded in CI/CD pipelines or committed to source control
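The second disadvantage above is the one that bites in production: nothing warns you when an application secret is about to expire. The following audit script is an added example (not part of the original post) that reads the JSON printed by `az ad app credential list --id <appId> -o json`, buckets each secret as expired, expiring within a warning window, or fine, and exits non-zero so a scheduled pipeline job can alert. The field names (`keyId`, `displayName`, `startDateTime`, `endDateTime`) are assumed to match the Graph-based az CLI output; the credentials embedded below are constructed sample data.

```python
"""Audit Microsoft Entra ID application secrets for expiry.

Added example, not from the original post. The input shape is assumed
to match what `az ad app credential list --id <appId> -o json` prints
(a list of objects with keyId, displayName, startDateTime, endDateTime);
the credentials below are constructed sample data.
"""
from __future__ import annotations

import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample output for one app registration (three secrets).
SAMPLE_CREDENTIALS_JSON = """[
  {"keyId": "11111111-1111-4111-8111-111111111111", "displayName": "aks-blob-reader",
   "startDateTime": "2024-01-15T00:00:00Z", "endDateTime": "2024-07-13T00:00:00Z"},
  {"keyId": "22222222-2222-4222-8222-222222222222", "displayName": "ci-pipeline",
   "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2026-06-01T00:00:00Z"},
  {"keyId": "33333333-3333-4333-8333-333333333333", "displayName": "legacy-job",
   "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2023-01-01T00:00:00Z"}
]"""

# Fixed "now" used for the sample so the classification is reproducible.
NOW_FOR_SAMPLE = datetime(2024, 6, 20, tzinfo=timezone.utc)


def parse_graph_time(value: str) -> datetime:
    """Parse a Graph timestamp such as 2024-07-13T00:00:00Z as an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def classify_credentials(credentials_json: str, now: datetime,
                         warn_days: int = 30) -> dict[str, list[str]]:
    """Bucket each secret (by displayName) into expired / expiring / ok.

    A secret is 'expiring' when it ends within warn_days of `now`; that is
    the window in which a replacement secret should already be issued and
    rolled out so the application never runs with an expired one.
    """
    result: dict[str, list[str]] = {"expired": [], "expiring": [], "ok": []}
    horizon = now + timedelta(days=warn_days)
    for cred in json.loads(credentials_json):
        end = parse_graph_time(cred["endDateTime"])
        name = cred.get("displayName") or cred["keyId"]
        if end <= now:
            result["expired"].append(name)
        elif end <= horizon:
            result["expiring"].append(name)
        else:
            result["ok"].append(name)
    return result


def days_until_expiry(credentials_json: str, now: datetime) -> dict[str, int]:
    """Whole days left per secret (negative once expired), keyed by keyId."""
    out: dict[str, int] = {}
    for cred in json.loads(credentials_json):
        end = parse_graph_time(cred["endDateTime"])
        out[cred["keyId"]] = (end - now).days
    return out


def main() -> None:
    # Real use: az ad app credential list --id <appId> -o json | python audit.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CREDENTIALS_JSON
    now = datetime.now(timezone.utc)
    report = classify_credentials(raw, now)
    for bucket, names in report.items():
        print(f"{bucket:9s} {', '.join(names) or '-'}")
    if report["expired"] or report["expiring"]:
        sys.exit(1)  # non-zero so a scheduled pipeline job can alert on it


if __name__ == "__main__":
    main()
```

Run it from a scheduled pipeline with a service principal that has only `Application.Read.All`; the script itself never needs the secret values, only their end dates, so it does not widen the blast radius it is meant to shrink.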

The specific configuration is as follows:

Self-hosted Enterprise-grade VPN Network with Headscale

Project Background

Business Pain Points

With business growth, there are currently over a dozen independent private network environments (ZStack/TStack) overseas, for example:

  • Overseas Private Network Region A
  • Overseas Private Network Region B
  • Overseas Private Network Region C

Each network is an independent entity that requires its own VPN client to dial in for resource access, which creates significant day-to-day O&M challenges:

  • O&M personnel need to frequently switch between multiple VPN clients.
  • Lack of unified permission management and access control.
  • Complex network configuration and difficult troubleshooting.
  • Inability to achieve cross-network automated O&M.

Solution

Adopting the Headscale (Server) + Tailscale (Client) architecture to build an enterprise-grade Zero Trust VPN network:
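The "unified permission management and access control" pain point above is what the Headscale policy file addresses: one ACL document, evaluated by the control plane, decides which user or tagged node may reach which node on which port, and anything not explicitly accepted is denied. The evaluator below is an added example (not from the original post or from the Headscale project) that implements a simplified subset of the Tailscale-style policy format Headscale accepts (groups, tagOwners, and acls whose dst entries are `target:ports`), so the rules can be checked offline before they are pushed. The policy, the user names, and the node inventory are constructed for illustration.

```python
"""Offline evaluator for a Tailscale-style ACL policy.

Added example, not from the original post or from the Headscale project.
It implements a simplified subset of the policy format Headscale accepts
(groups, tagOwners, acls with src and dst "target:ports"); the policy
and the node inventory below are constructed for illustration.
"""
from __future__ import annotations

import json

# Constructed policy: ops reach SSH and HTTPS on region-A nodes, developers only HTTPS.
POLICY_JSON = """{
  "groups": {
    "group:ops": ["ops@example.com"],
    "group:dev": ["dev@example.com"]
  },
  "tagOwners": {"tag:region-a": ["group:ops"]},
  "acls": [
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:region-a:22,443"]},
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:region-a:443"]}
  ]
}"""
POLICY = json.loads(POLICY_JSON)

# Constructed inventory: node name -> (owning user, tags the node carries).
NODES = {
    "bastion-a": ("ops@example.com", {"tag:region-a"}),
    "laptop-ops": ("ops@example.com", set()),
    "laptop-dev": ("dev@example.com", set()),
}


def node_principals(node: str) -> set[str]:
    """Identities a node can match on: its owning user plus any tags."""
    owner, tags = NODES[node]
    return {owner} | set(tags)


def _entry_matches(policy: dict, entry: str, principals: set[str]) -> bool:
    """Does one src/dst target ('*', 'group:x', 'tag:x' or a user) cover these principals?"""
    if entry == "*":
        return True
    if entry.startswith("group:"):
        return any(member in principals for member in policy["groups"].get(entry, []))
    return entry in principals


def _port_matches(spec: str, port: int) -> bool:
    """Port spec is '*', a single port, a range 'a-b', or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def is_allowed(policy: dict, src_node: str, dst_node: str, port: int) -> bool:
    """Default deny: only an explicit accept rule opens a (src, dst, port) path."""
    src_p, dst_p = node_principals(src_node), node_principals(dst_node)
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_entry_matches(policy, s, src_p) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            target, _, ports = dst.rpartition(":")  # "tag:region-a:22,443" -> target, ports
            if _entry_matches(policy, target, dst_p) and _port_matches(ports, port):
                return True
    return False


def invalid_tags(policy: dict, node: str) -> list[str]:
    """Tags a node carries that its owner may not claim under tagOwners."""
    owner, tags = NODES[node]
    bad = []
    for tag in tags:
        owners = policy.get("tagOwners", {}).get(tag, [])
        if not any(_entry_matches(policy, o, {owner}) for o in owners):
            bad.append(tag)
    return sorted(bad)


def wide_open_rules(policy: dict) -> list[int]:
    """Indexes of accept rules that let any source reach any destination on any port."""
    return [
        i for i, rule in enumerate(policy["acls"])
        if rule.get("action") == "accept" and "*" in rule["src"] and "*:*" in rule["dst"]
    ]
```

The two checks at the end are the ones worth wiring into CI for the policy repository: `invalid_tags` catches a node claiming a tag its owner is not entitled to (which would silently grant it every ACL written for that tag), and `wide_open_rules` catches the `"*" -> "*:*"` rule that turns a zero-trust overlay back into a flat network.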

Building an Enterprise-Grade VPN Network with WireGuard

Introduction to WireGuard

WireGuard is a modern, fast, simple, and secure Virtual Private Network (VPN) protocol designed to replace traditional VPN technologies such as IPsec and OpenVPN. It is faster, simpler, and leaner than IPsec while avoiding much of its configuration complexity, and it offers higher performance than OpenVPN. Originally released as a Linux kernel module and merged into the mainline kernel in version 5.6, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. Its small codebase, a few thousand lines compared with the hundreds of thousands in IPsec or OpenVPN stacks, makes it unusually easy to audit, and it is widely regarded as among the most secure and simplest VPN solutions available.
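Part of what makes WireGuard simple is that a peer's identity is just a Curve25519 key pair: `wg genkey` draws 32 random bytes and clamps them, and `wg pubkey` computes X25519(private, 9). The following added example (not from the original post or from the WireGuard project) reproduces that in pure Python, using the RFC 7748 Montgomery ladder, and then emits a `[Peer]` section whose `AllowedIPs` is pinned to the peer's own /32. The tunnel addresses and endpoint are constructed placeholders; the key material is generated at run time.

```python
"""Generate WireGuard keys and a least-privilege peer config in pure Python.

Added example, not from the original post or from the WireGuard project.
WireGuard identities are Curve25519 key pairs: the private key is 32
random bytes and the public key is X25519(private, 9), which is what
`wg genkey | wg pubkey` computes. The X25519 ladder below follows
RFC 7748; the addresses and endpoint in the config are constructed.
"""
from __future__ import annotations

import base64
import os

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4 for Curve25519
BASEPOINT = (9).to_bytes(32, "little")


def clamp(secret: bytes) -> bytes:
    """Apply the Curve25519 scalar clamping that wg genkey applies."""
    k = bytearray(secret)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(secret: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 X25519: Montgomery ladder over GF(2^255 - 19)."""
    k = int.from_bytes(clamp(secret), "little")
    u = int.from_bytes(bytes(u_bytes[:31]) + bytes([u_bytes[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = u * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    """wg pubkey: scalar-multiply the base point u = 9."""
    return x25519(private, BASEPOINT)


def generate_keypair() -> tuple[str, str]:
    """Return (private, public) as the base64 strings wg genkey / wg pubkey print."""
    private = clamp(os.urandom(32))
    return base64.b64encode(private).decode(), base64.b64encode(public_key(private)).decode()


def peer_section(public_b64: str, tunnel_ip: str, endpoint: str | None = None,
                 psk_b64: str | None = None) -> str:
    """[Peer] block that pins AllowedIPs to the peer's own /32.

    AllowedIPs is WireGuard's cryptokey routing table: packets from this
    peer are accepted only if their source is inside it, and only traffic
    to these addresses is sent to it. A /32 per peer is the least-privilege
    default; widen it (e.g. 0.0.0.0/0) only for a gateway you intend to
    route through.
    """
    lines = ["[Peer]", f"PublicKey = {public_b64}", f"AllowedIPs = {tunnel_ip}/32"]
    if psk_b64:
        lines.append(f"PresharedKey = {psk_b64}")  # optional symmetric layer on top of the DH
    if endpoint:
        lines.append(f"Endpoint = {endpoint}")
        lines.append("PersistentKeepalive = 25")  # keep NAT mappings alive
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    srv_priv, srv_pub = generate_keypair()
    cli_priv, cli_pub = generate_keypair()
    print(f"[Interface]\nPrivateKey = {srv_priv}\nAddress = 10.100.0.1/24\nListenPort = 51820\n")
    print(peer_section(cli_pub, "10.100.0.2"))
```

Generating keys this way is useful for provisioning tooling; on a real endpoint prefer `wg genkey` so the private key never leaves the host, and keep the generated `[Interface]` file at mode 0600.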

Getting Started with GitHub Actions

What is GitHub Actions?

GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that lets you automate your build, test, and deployment processes. You can create workflows to build and test every pull request to your repository, or deploy merged pull requests to production.

GitHub Actions is more than just DevOps; it lets you run workflows when other events happen in your repository. For example, you can run a workflow to automatically add appropriate labels when someone creates a new issue in your repository.

Deploy static files to a cloud server via SSH using GitHub Actions

Previously, we used GitHub Actions to configure automated deployment for Hugo. Today, I’ll mainly document how to set up deployment to Tencent Cloud via SSH using GitHub Actions.

Since wnote.com uses DNS-based intelligent routing—serving GitHub Pages for overseas users and a containerized environment on a Tencent Cloud host for users in mainland China—it’s necessary to integrate GitHub Actions with Tencent Cloud.