{"id":15118564,"url":"https://github.com/greyhats13/fta_gitops","last_synced_at":"2026-02-11T00:01:46.680Z","repository":{"id":257596519,"uuid":"858737486","full_name":"greyhats13/fta_gitops","owner":"greyhats13","description":null,"archived":false,"fork":false,"pushed_at":"2024-10-06T08:05:16.000Z","size":126,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-19T23:36:26.346Z","etag":null,"topics":["argocd","argocd-vault-plugin","devops","gitops","helm","kubernetes"],"latest_commit_sha":null,"homepage":"false","language":"Smarty","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/greyhats13.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-17T12:57:25.000Z","updated_at":"2024-10-06T08:05:19.000Z","dependencies_parsed_at":"2024-09-17T16:56:55.833Z","dependency_job_id":"5cc712f7-4ec9-4bb9-935f-4f5480e52a6c","html_url":"https://github.com/greyhats13/fta_gitops","commit_stats":null,"previous_names":["greyhats13/fta_gitops"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/greyhats13/fta_gitops","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/greyhats13%2Ffta_gitops","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/greyhats13%2Ffta_gitops/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/greyhats13%2Ffta_gitops/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/greyhats13%2Ffta_gitops/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/greyhats13","download_url":"https://codeload.github.com/greyhats13/fta_gitops/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/greyhats13%2Ffta_gitops/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29322733,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-10T20:44:44.282Z","status":"ssl_error","status_checked_at":"2026-02-10T20:44:43.393Z","response_time":65,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["argocd","argocd-vault-plugin","devops","gitops","helm","kubernetes"],"created_at":"2024-09-26T01:47:09.174Z","updated_at":"2026-02-11T00:01:46.274Z","avatar_url":"https://github.com/greyhats13.png","language":"Smarty","readme":"# FITA GitOps Repository\n\nWelcome to the `fta_gitops` repository! This repository manages the GitOps workflow for deploying Helm charts related to the `fta-users` application. Below, you'll find a detailed overview of our CI/CD processes and Helm chart configurations.\n\n## Table of Contents\n\n- [CI/CD GitOps](#cicd-gitops)\n  - [Pipeline Overview](#pipeline-overview)\n  - [Updating Helm Charts with New Image Tags](#updating-helm-charts-with-new-image-tags)\n  - [Automated Deployment with GitHub Actions and ArgoCD](#automated-deployment-with-github-actions-and-argocd)\n- [Helm Charts](#helm-charts)\n  - [Helm Charts Overview](#helm-charts-overview)\n  - [Managing Secrets with ArgoCD Vault Plugin](#managing-secrets-with-argocd-vault-plugin)\n  - [Mounting Kubernetes Secrets as Environment Files](#mounting-kubernetes-secrets-as-environment-files)\n  - [Workload Identity with Service Accounts](#workload-identity-with-service-accounts)\n  - [Automated DNS Records, SSL Certificates, and Ingress](#automated-dns-records-ssl-certificates-and-ingress)\n  - [Horizontal Pod Autoscaling (HPA) and Service Configuration](#horizontal-pod-autoscaling-hpa-and-service-configuration)\n\n---\n\n## CI/CD GitOps\n\n### Pipeline Overview\n\nOur CI/CD pipeline is designed to automate the build, tagging, and deployment of Docker images for the `fta-users` application. The workflow is triggered on pushes to the `main` and `dev` branches, as well as on tags matching the pattern `v*`. Here are the key stages of the pipeline:\n\n1. **Checkout Code**: The pipeline starts by checking out the latest code from the repository.\n2. **Set Up Docker Buildx**: Prepares the environment for building Docker images.\n3. **Login to Docker Hub**: Authenticates with Docker Hub using stored secrets.\n4. **Set Image Tag**: Determines the appropriate image tags based on the branch or tag being pushed.\n5. **Build, Tag, and Push**: Builds the Docker image, tags it, and pushes it to the Docker repository.\n6. **Retag and Push for Release**: Handles tagging for release versions.\n7. **Update Helm Chart**: Updates the Helm chart with the new image tag and pushes the changes to the GitOps repository.\n\n### Updating Helm Charts with New Image Tags\n\nAfter successfully building, tagging, and pushing the Docker image, the pipeline proceeds to update the Helm charts with the new image tag. This involves:\n\n- **Modifying `values.yaml`**: The `values.yaml` file within the Helm chart is updated to reference the new Docker image repository.\n- **Updating `Chart.yaml`**: The `appVersion` field in `Chart.yaml` is set to the new image tag, ensuring that the Helm chart reflects the latest application version.\n\nThese updates ensure that the deployment configurations are always in sync with the latest Docker images.\n\n### Automated Deployment with GitHub Actions and ArgoCD\n\nOnce the Helm charts are updated, the changes are pushed to the GitOps repository using GitHub Actions. ArgoCD monitors this repository and automatically synchronizes the application state with the Kubernetes cluster. The synchronization process involves:\n\n1. **Pushing Updates**: GitHub Actions commits and pushes the updated Helm charts to the specified branch in the GitOps repository.\n2. **ArgoCD Sync**: ArgoCD detects the changes and initiates a synchronization process to apply the updated configurations to the Kubernetes cluster, ensuring the application is deployed with the latest Docker image.\n\nThis seamless integration between GitHub Actions and ArgoCD facilitates continuous deployment with minimal manual intervention.\n\n---\n\n## Helm Charts\n\n### Helm Charts Overview\n\nOur Helm charts are structured to support three distinct environments:\n\n- **Incubator**: Used for development purposes.\n- **Test**: Serves as the staging environment.\n- **Stable**: Dedicated to production deployments.\n\nThis separation ensures that each environment can be managed independently, allowing for controlled testing and deployment processes.\n\n### Managing Secrets with ArgoCD Vault Plugin\n\nTo handle sensitive information securely, we utilize the ArgoCD Vault Plugin. Here's how secrets are managed:\n\n- **Secret Placeholders**: Within the `values.yaml` file, secrets are defined using placeholders. For example:\n\n  ```yaml\n  appSecret:\n    secrets:\n      username: \u003cfta-dev-svc-users | jsonPath {.USERNAME}\u003e\n      password: \u003cfta-dev-svc-users | jsonPath {.PASSWORD}\u003e\n      # Additional secrets...\n  ```\n\n- **Vault Replacement**: During deployment, the ArgoCD Vault Plugin replaces these placeholders with actual values retrieved from the Google Secret Manager. This approach ensures that sensitive data is not stored directly in the repository.\n\n### Mounting Kubernetes Secrets as Environment Files\n\nTo provide the application with necessary configuration parameters, Kubernetes secrets are mounted as environment files within the pods. This is achieved by:\n\n- **Defining a Secret**: The `secret.yaml` file creates a Kubernetes Secret containing the environment variables.\n\n  ```yaml\n  stringData:\n    .env: |-\n      username='actual_username'\n      password='actual_password'\n      # Additional variables...\n  ```\n\n- **Volume Mounting**: In the `deployment.yaml`, the secret is mounted as a file at `/app/.env` inside the container.\n\n  ```yaml\n  volumeMounts:\n    - name: env-secret\n      mountPath: \"/app/.env\"\n      subPath: .env\n      readOnly: true\n  ```\n\n- **Usage by Application**: The `fta-users` application reads the `.env` file during runtime to access the necessary environment variables.\n\n### Workload Identity with Service Accounts\n\nWe employ Workload Identity to enhance security and manage permissions effectively:\n\n- **Service Account Configuration**: The `serviceaccount.yaml` defines a Kubernetes Service Account with annotations linking it to a Google Cloud service account.\n\n  ```yaml\n  annotations:\n    iam.gke.io/gcp-service-account: \"fta-svc-users@fta-platform.iam.gserviceaccount.com\"\n  ```\n\n- **Workload Identity Integration**: This setup allows the Kubernetes pods to assume the identity of the specified Google Cloud service account, enabling secure access to Google Cloud resources without managing long-lived credentials.\n\n### Automated DNS Records, SSL Certificates, and Ingress\n\nOur Helm charts automate several critical aspects of application networking and security:\n\n- **External DNS Records**: Annotations in `ingress.yaml` enable the creation of DNS records automatically.\n\n  ```yaml\n  annotations:\n    external-dns.alpha.kubernetes.io/hostname: \"users.dev.fta.blast.co.id\"\n    external-dns.alpha.kubernetes.io/ttl: \"300\"\n  ```\n\n- **SSL Certificates with Cert-Manager**: The `cert-manager` handles the issuance and management of SSL certificates.\n\n  ```yaml\n  annotations:\n    cert-manager.io/cluster-issuer: \"letsencrypt-fta\"\n  ```\n\n- **Ingress Configuration**: Using NGINX Ingress, the `ingress.yaml` defines routing rules and TLS settings to secure HTTP traffic.\n\n  ```yaml\n  spec:\n    ingressClassName: \"nginx\"\n    tls:\n      - secretName: users-tls\n        hosts:\n          - users.dev.fta.blast.co.id\n    rules:\n      - host: users.dev.fta.blast.co.id\n        http:\n          paths:\n            - path: /\n              pathType: ImplementationSpecific\n              backend:\n                service:\n                  name: fta-users\n                  port:\n                    number: 3000\n  ```\n\nThis automation ensures that networking and security configurations are consistently applied across environments.\n\n### Horizontal Pod Autoscaling (HPA) and Service Configuration\n\nTo ensure application scalability and reliability, we implement Horizontal Pod Autoscaling and define service exposure:\n\n- **Horizontal Pod Autoscaler (HPA)**: The `hpa.yaml` configures HPA to automatically adjust the number of pod replicas based on CPU and memory utilization.\n\n  ```yaml\n  spec:\n    minReplicas: 1\n    maxReplicas: 4\n    metrics:\n      - type: Resource\n        resource:\n          name: cpu\n          target:\n            type: Utilization\n            averageUtilization: 75\n      - type: Resource\n        resource:\n          name: memory\n          target:\n            type: Utilization\n            averageUtilization: 75\n  ```\n\n- **Service Exposure**: The `service.yaml` defines a Kubernetes Service that exposes the application on port `3000`.\n\n  ```yaml\n  spec:\n    type: ClusterIP\n    ports:\n      - port: 3000\n        targetPort: http\n        protocol: TCP\n        name: http\n    selector:\n      app: fta-users\n  ```\n\nThese configurations ensure that the `fta-users` application can scale according to demand while being reliably accessible within the Kubernetes cluster.\n\n---\n\n## Getting Started\n\nTo get started with the `fta_gitops` repository:\n\n1. **Clone the Repository**:\n\n   ```bash\n   git clone git@github.com:your-org/fta_gitops.git\n   ```\n\n2. **Configure GitHub Actions**: Ensure that the necessary secrets (e.g., `DOCKER_USERNAME`, `DOCKER_PASSWORD`, `GITOPS_SSH_PRIVATE_KEY`) are set in your GitHub repository settings.\n\n3. **Deploy with ArgoCD**: Make sure ArgoCD is configured to monitor the `fta_gitops` repository and the appropriate branches for deployment.\n\n4. **Customize Helm Charts**: Modify the Helm charts as needed for your specific environment or application requirements.\n\nFor detailed instructions, please refer to the [Contributing](CONTRIBUTING.md) and [Documentation](docs/) sections.\n\n---\n\n## Contributing\n\nWe welcome contributions! Please follow our [contribution guidelines](CONTRIBUTING.md) to submit issues or pull requests.\n\n## License\n\nThis project is licensed under the [MIT License](LICENSE).\n\n## Contact\n\nFor any inquiries or support, please contact [imam.arief.rhmn@gmail.com](mailto:imam.arief.rhmn@gmail.com).\n\n---\n\nThank you for using the `fta_gitops` repository! We strive to maintain a robust and secure deployment pipeline to ensure the reliability and scalability of the `fta-users` application.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgreyhats13%2Ffta_gitops","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgreyhats13%2Ffta_gitops","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgreyhats13%2Ffta_gitops/lists"}