{"id":30217012,"url":"https://github.com/sandesh300/devsecops-pipeline-on-aws-eks","last_synced_at":"2026-02-12T19:02:34.237Z","repository":{"id":307878416,"uuid":"1027200986","full_name":"sandesh300/DevSecOps-Pipeline-on-AWS-EKS","owner":"sandesh300","description":"An end-to-end Banking Application Deployment using DevSecOps practices on AWS EKS, featuring CI/CD automation, GitOps deployment, security scanning, observability, and scalable Kubernetes infrastructure.","archived":false,"fork":false,"pushed_at":"2026-02-05T07:59:36.000Z","size":3572,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-02-05T19:45:34.127Z","etag":null,"topics":["argocd","aws-ec2","aws-eks","docker","github","grafana","jenkins","kubernetes","linux","prometheus","terraform"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sandesh300.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-27T14:28:02.000Z","updated_at":"2026-02-05T10:32:04.000Z","dependencies_parsed_at":"2025-08-02T20:49:15.504Z","dependency_job_id":null,"html_url":"https://github.com/sandesh300/DevSecOps-Pipeline-on-AWS-EKS","commit_stats":null,"previous_names":["sandesh300/devsecops-pipeline-on-aws-eks"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/sandesh300/DevSecOps-Pipeline-on-AWS-EKS","repository_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/sandesh300%2FDevSecOps-Pipeline-on-AWS-EKS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandesh300%2FDevSecOps-Pipeline-on-AWS-EKS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandesh300%2FDevSecOps-Pipeline-on-AWS-EKS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandesh300%2FDevSecOps-Pipeline-on-AWS-EKS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sandesh300","download_url":"https://codeload.github.com/sandesh300/DevSecOps-Pipeline-on-AWS-EKS/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandesh300%2FDevSecOps-Pipeline-on-AWS-EKS/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29377911,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-12T18:59:55.292Z","status":"ssl_error","status_checked_at":"2026-02-12T18:59:44.289Z","response_time":55,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["argocd","aws-ec2","aws-eks","docker","github","grafana","jenkins","kubernetes","linux","prometheus","terraform"],"created_at":"2025-08-14T04:36:05.713Z","updated_at":"2026-02-12T19:02:34.230Z","avatar_url":"https://github.com/sandesh300.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"#  DevSecOps 
Mega Project – Spring Boot BankApp on AWS EKS\r\n\r\nAn end-to-end **Banking Application Deployment** using **DevSecOps practices** on AWS EKS, featuring CI/CD automation, GitOps deployment, security scanning, observability, and scalable Kubernetes infrastructure.\r\n\r\n---\r\n\r\n##  Project Overview\r\n\r\nThis project demonstrates how to build, secure, deploy, and monitor a **multi-tier Spring Boot banking application** using modern DevSecOps tooling:\r\n\r\n- Infrastructure as Code with Terraform  \r\n- Kubernetes on AWS EKS  \r\n- Jenkins CI pipeline  \r\n- GitOps with ArgoCD  \r\n- Container security with Trivy  \r\n- Code quality via SonarQube  \r\n- Monitoring with Prometheus \u0026 Grafana  \r\n- HTTPS via Cert-Manager  \r\n- Auto-scaling using HPA  \r\n\r\n---\r\n\r\n##  Architecture Highlights\r\n\r\n- **CI Pipeline:** Jenkins → SonarQube → Trivy → DockerHub  \r\n- **CD Pipeline:** GitHub → ArgoCD → EKS  \r\n- **Ingress:** NGINX Controller + ALB  \r\n- **Security:** IAM, SSL, Image Scanning  \r\n- **Observability:** Prometheus + Grafana  \r\n- **Scaling:** HPA with Metrics Server  \r\n\r\n---\r\n\r\n##  Tools \u0026 Technologies\r\n\r\n| Category | Tools |\r\n|---------|------|\r\n| Cloud | AWS |\r\n| IaC | Terraform |\r\n| CI | Jenkins |\r\n| CD | ArgoCD |\r\n| Containers | Docker |\r\n| Orchestration | Kubernetes (EKS) |\r\n| Security | Trivy, SonarQube, Cert-Manager |\r\n| Monitoring | Prometheus, Grafana |\r\n| Ingress | NGINX |\r\n| Package Mgmt | Helm |\r\n\r\n---\r\n\r\n##  Architecture Diagram\r\n\u003cimg width=\"1536\" height=\"1024\" alt=\"aws-eks\" src=\"https://github.com/user-attachments/assets/934d2213-91b3-4d05-bcda-a4294a5e976f\" /\u003e\r\n\r\n## End-to-End Flow\r\n\r\n## 🧑‍💻 1. 
Developer → Git Repository\r\n\r\nDevelopers push code into **GitHub**.\r\n\r\nThe repository contains:\r\n\r\n- Spring Boot application source code  \r\n- Dockerfile  \r\n- Kubernetes manifests  \r\n- Helm charts  \r\n- ArgoCD configurations  \r\n- Terraform Infrastructure-as-Code  \r\n\r\nA **webhook** triggers Jenkins automatically on every commit.\r\n\r\n---\r\n\r\n## ⚙️ 2. Jenkins CI Pipeline (Build + Security)\r\n\r\nJenkins executes the Continuous Integration workflow:\r\n\r\n### Pipeline Steps\r\n\r\n- ✅ Compile \u0026 test Java application  \r\n- 🔍 SonarQube → code quality scan  \r\n- 🛡️ Trivy → container vulnerability scan  \r\n- 🐳 Build Docker image  \r\n- 📤 Push image to Docker Hub  \r\n\r\nOnly **secure and compliant images** move forward in the pipeline.\r\n\r\n---\r\n\r\n## ☁️ 3. Infrastructure Provisioning with Terraform on AWS\r\n\r\nTerraform provisions cloud infrastructure on **Amazon Web Services**:\r\n\r\n### Resources Created\r\n\r\n- VPC \u0026 networking  \r\n- EC2 bastion / master host  \r\n- IAM roles \u0026 policies  \r\n- EKS cluster  \r\n- Node groups  \r\n- Security groups  \r\n\r\nFrom the EC2 machine:\r\n\r\n- `eksctl` and `kubectl` are used to manage the Kubernetes cluster.\r\n\r\n---\r\n\r\n## 🚀 4. GitOps Deployment using ArgoCD\r\n\r\nDeployment is fully GitOps-driven using **ArgoCD**.\r\n\r\n### Flow\r\n\r\n- ArgoCD monitors GitHub repository  \r\n- Syncs Kubernetes manifests  \r\n- Deploys into EKS  \r\n- Auto-heals configuration drift  \r\n- Prunes deleted resources  \r\n\r\n**Helm charts** are used for templating and versioning.\r\n\r\n---\r\n\r\n## ☸️ 5. 
Kubernetes Runtime + Traffic Handling\r\n\r\nInside Kubernetes (EKS):\r\n\r\n- BankApp pods run in namespaces  \r\n- HPA scales pods automatically  \r\n- Metrics Server provides CPU/memory metrics  \r\n- Cert-Manager handles TLS certificates  \r\n- NGINX Ingress or NodePort exposes services  \r\n\r\n### Traffic Path\r\n\r\n- User → Load Balancer / Ingress → Service → Pods\r\n\r\n---\r\n\r\n## 📊 6. Monitoring \u0026 Observability\r\n\r\nObservability stack includes:\r\n\r\n- Prometheus → metrics scraping  \r\n- Grafana → dashboards \u0026 visualization  \r\n\r\n### Metrics Tracked\r\n\r\n- Pod health  \r\n- CPU \u0026 memory usage  \r\n- Request latency  \r\n- Node status  \r\n- Auto-scaling behavior  \r\n\r\n---\r\n\r\n##  Summary\r\n\r\n**Developers push code to GitHub, Jenkins runs CI with SonarQube and Trivy, builds Docker images and pushes them to Docker Hub. Terraform provisions AWS infrastructure including EKS. ArgoCD performs GitOps-based deployment into Kubernetes using Helm. Traffic reaches the application through Ingress or Load Balancer, HPA auto-scales pods, and Prometheus–Grafana provide monitoring.**\r\n\r\n---\r\n\r\n## Step 1: Creating an IAM User with Administrator Permissions\r\n\r\n1. **Login to AWS Console:** Open the [AWS Management Console](https://aws.amazon.com/console/).\r\n    \r\n2. **Navigate to IAM:** Go to the Identity and Access Management (IAM) service.\r\n    \r\n3. **Create User:**\r\n    \r\n    * Click on **Users** \u0026gt; **Add Users**.\r\n        \r\n    * Enter a username, e.g., `mega-project-user`.\r\n        \r\n    * Select **Programmatic access** to generate an access key.\r\n        \r\n4. **Attach Permissions:** Attach the policy `AdministratorAccess`.\r\n    \r\n5. 
**Generate Access Key:**\r\n    \r\n    * In the Security tab, create an access key.\r\n        \r\n    * Save the **Access Key ID** and **Secret Access Key** securely.\r\n        \r\n\r\n---\r\n\r\n## Step 2: Setting Up Visual Studio Code (VSCode)\r\n\r\n### Adding Linux Terminal in VSCode (Windows Users)\r\n\r\n---\r\n\r\n## Step 3: Fork and Clone the Project Repository\r\n\r\n1. **Fork the Repository:**\r\n    \r\n    * Open the repository on GitHub.\r\n        \r\n    * Click **Fork** to create a copy in your GitHub account.\r\n        \r\n2. **Clone the Repository:**\r\n    \r\n    * Open the terminal in VSCode.\r\n        \r\n    * Clone the repository:\r\n        \r\n        ```bash\r\n        git clone https://github.com/\u003cyour-username\u003e/DevOps-mega-project.git\r\n        ```\r\n        \r\n    * Switch to the project branch:\r\n        \r\n        ```bash\r\n        git checkout project\r\n        ```\r\n        \r\n\r\n---\r\n\r\n## Step 4: Installing and Configuring the AWS CLI\r\n\r\n1. **Install AWS CLI:**\r\n    \r\n    ```bash\r\n    sudo apt update\r\n    sudo apt install awscli -y\r\n    ```\r\n    \r\n2. **Configure AWS CLI:**\r\n    \r\n    ```bash\r\n    aws configure\r\n    ```\r\n    \r\n    * Enter the Access Key ID and Secret Access Key.\r\n        \r\n    * Specify your preferred AWS region (e.g., `eu-west-1`).\r\n        \r\n\r\n---\r\n\r\n## Step 5: Building and Pushing the Docker Image\r\n\r\n1. **Build the Docker Image:**\r\n    \r\n    ```bash\r\n    docker build -t \u003cdockerhub-username\u003e/bankapp:latest .\r\n    ```\r\n    \r\n2. **Login to DockerHub:**\r\n    \r\n    ```bash\r\n    docker login\r\n    ```\r\n    \r\n3. **Push the Image to DockerHub:**\r\n    \r\n    ```bash\r\n    docker push \u003cdockerhub-username\u003e/bankapp:latest\r\n    ```\r\n    \r\n4. 
**Update Deployment File:**\r\n    \r\n    * Update the `bankapp-deployment.yml` file to use your Docker image.\r\n        \r\n\r\n---\r\n\r\n## Step 6: Setting Up Infrastructure with Terraform\r\n\r\n1. **Generate SSH Key:**\r\n    \r\n    ```bash\r\n    ssh-keygen\r\n    ```\r\n    \r\n    * Enter `mega-project-key` as the key name.\r\n        \r\n    * If you chose a different key name, update the `variable.tf` file with that name.\r\n        \r\n2. **Initialize Terraform**: Run the initialization command to download provider plugins and prepare your working directory:\r\n    \r\n    ```bash\r\n    terraform init\r\n    ```\r\n    \r\n3. **Plan Terraform Execution**: Preview the resources Terraform will create:\r\n    \r\n    ```bash\r\n    terraform plan\r\n    ```\r\n    \r\n4. **Apply Terraform Configuration**: Deploy the infrastructure using:\r\n    \r\n    ```bash\r\n    terraform apply --auto-approve\r\n    ```\r\n    \r\n5. **Connect to EC2 Instance**: Once the infrastructure is created, connect to your EC2 instance:\r\n    \r\n    ```bash\r\n    ssh -i mega-project-key.pem ubuntu@\u003cinstance-public-ip\u003e\r\n    ```\r\n    \r\n\r\n---\r\n\r\n## Step 7: Install Essential DevOps Tools on the Created Instance\r\n\r\n* AWS CLI\r\n    \r\n* kubectl\r\n    \r\n* eksctl\r\n    \r\n\r\n### Install eksctl:\r\n\r\n```bash\r\nARCH=amd64\r\nPLATFORM=$(uname -s)_$ARCH\r\n\r\ncurl -sLO \"https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz\"\r\ntar -xzf eksctl_$PLATFORM.tar.gz -C /tmp \u0026\u0026 rm eksctl_$PLATFORM.tar.gz\r\nsudo mv /tmp/eksctl /usr/local/bin\r\n```\r\n\r\n---\r\n\r\n## Step 8: Create Kubernetes Cluster\r\n\r\n1. **Create EKS Cluster:**\r\n    \r\n    ```bash\r\n    eksctl create cluster --name bankapp-cluster --region eu-west-1 --without-nodegroup\r\n    ```\r\n    \r\n2. **Verify Cluster Creation:**\r\n    \r\n    ```bash\r\n    eksctl get clusters\r\n    ```\r\n    \r\n3. 
**Associate IAM OIDC Provider:**\r\n    \r\n    ```bash\r\n    eksctl utils associate-iam-oidc-provider --region=eu-west-1 --cluster=bankapp-cluster --approve\r\n    ```\r\n    \r\n4. **Create Node Group:**\r\n    \r\n    ```bash\r\n    eksctl create nodegroup \\\r\n      --cluster=bankapp-cluster \\\r\n      --region=eu-west-1 \\\r\n      --name=bankapp-ng \\\r\n      --node-type=t2.medium \\\r\n      --nodes=2 \\\r\n      --nodes-min=2 \\\r\n      --nodes-max=2 \\\r\n      --node-volume-size=15 \\\r\n      --ssh-access \\\r\n      --ssh-public-key=mega-project-key\r\n    ```\r\n    \r\n\r\n---\r\n\r\n## Step 9: Setting Up ArgoCD\r\n\r\n#### Step 1: Create a Namespace for ArgoCD\r\n\r\nTo ensure ArgoCD has its own isolated environment within your Kubernetes cluster, create a dedicated namespace.\r\n\r\n```bash\r\nkubectl create ns argocd\r\n```\r\n\r\n---\r\n\r\n#### Step 2: Installing ArgoCD\r\n\r\nUse the official installation manifest from ArgoCD’s GitHub repository to deploy it to your cluster.\r\n\r\n```bash\r\nkubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml\r\n```\r\n\r\nThis command installs all required ArgoCD components in the `argocd` namespace.\r\n\r\n---\r\n\r\n#### Step 3: Installing ArgoCD CLI\r\n\r\nTo interact with the ArgoCD server from your local machine or a terminal, install the ArgoCD command-line interface (CLI).\r\n\r\n```bash\r\ncurl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64\r\nsudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd\r\nrm argocd-linux-amd64\r\n```\r\n\r\nOnce installed, verify the installation using:\r\n\r\n```bash\r\nargocd version\r\n```\r\n\u003cimg width=\"1852\" height=\"832\" alt=\"added git repo successfully\" src=\"https://github.com/user-attachments/assets/8d09e6c9-0905-41cb-bd6b-09b69fd80c58\" /\u003e\r\n\u003cimg width=\"1918\" height=\"910\" alt=\"added git repo successfully-2\" 
src=\"https://github.com/user-attachments/assets/dea37b81-31fb-4860-9946-9dfb2bc1ce0c\" /\u003e\r\n\r\n---\r\n\r\n#### Step 4: Check ArgoCD Services\r\n\r\nTo confirm that ArgoCD services are running:\r\n\r\n```bash\r\nkubectl get svc -n argocd\r\n```\r\n\r\nThis lists all services in the `argocd` namespace. Take note of the `argocd-server` service, as it will be exposed in the next step.\r\n\r\n---\r\n\r\n#### Step 5: Expose ArgoCD Server Using NodePort\r\n\r\nBy default, the `argocd-server` service is of type `ClusterIP`, which makes it accessible only within the cluster. Change it to `NodePort` to expose it externally.\r\n\r\n```bash\r\nkubectl patch svc argocd-server -n argocd -p '{\"spec\":{\"type\": \"NodePort\"}}'\r\n```\r\n\r\nRetrieve the updated service information to identify the assigned NodePort:\r\n\r\n```bash\r\nkubectl get svc -n argocd\r\n```\r\n\r\nNote the port in the `PORT(S)` column (e.g., `30529`).\r\n\r\n---\r\n\r\n#### Step 6: Configure AWS Inbound Rule for NodePort\r\n\r\nIf your Kubernetes cluster is hosted on AWS, ensure that the assigned NodePort is accessible by adding an inbound rule to your security group. 
Allow traffic on this port from the internet to the worker node(s).\r\n\r\n---\r\n\r\n#### Step 7: Access ArgoCD Web UI\r\n\r\nWith the NodePort and the worker node’s public IP, access the ArgoCD web UI:\r\n\r\n```bash\r\nhttp://\u003cworker-node-public-ip\u003e:\u003cnode-port\u003e\r\n```\r\n\r\n\u003cimg width=\"1920\" height=\"1080\" alt=\"argocd ui\" src=\"https://github.com/user-attachments/assets/cfe7d3de-4fa1-4259-b1fb-fe7a7f1eda23\" /\u003e\r\n\r\nFor the initial login:\r\n\r\n* **Username:** `admin`\r\n    \r\n* **Password:** Retrieve using the following command:\r\n    \r\n\r\n```bash\r\nkubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath=\"{.data.password}\" | base64 -d\r\n```\r\n\r\nChange the password after logging in by navigating to the user info section in the ArgoCD UI.\r\n\r\n---\r\n\r\n#### Step 8: Log In to ArgoCD via CLI\r\n\r\nTo log in from the CLI, use the public IP and NodePort:\r\n\r\n```bash\r\nargocd login \u003cworker-node-public-ip\u003e:\u003cnode-port\u003e --username admin\r\n```\r\n\r\nFor example:\r\n\r\n```bash\r\nargocd login 54.154.41.147:30529 --username admin\r\n```\r\n\r\n---\r\n\r\n#### Step 9: Check ArgoCD Cluster Configuration\r\n\r\nTo view the cluster configurations managed by ArgoCD:\r\n\r\n```bash\r\nargocd cluster list\r\n```\r\n\r\n---\r\n\r\n#### Step 10: Add a Cluster to ArgoCD\r\n\r\nIf your cluster is not already added, first identify its context:\r\n\r\n```bash\r\nkubectl config get-contexts\r\n```\r\n\r\nThen, add the desired cluster to ArgoCD. Replace the placeholders with your actual cluster context and name:\r\n\r\n```bash\r\nargocd cluster add \u003ckube-context\u003e --name \u003cfriendly-name\u003e\r\n```\r\n\r\nFor example:\r\n\r\n```bash\r\nargocd cluster add mega-project-user@bankapp-cluster.eu-west-1.eksctl.io --name bankapp-cluster\r\n```\r\n\r\n#### Step 11: Adding Project Repository in ArgoCD UI\r\n\r\nTo integrate your Git repository with ArgoCD:\r\n\r\n1. 
Navigate to **Settings** \u0026gt; **Repositories** in the ArgoCD UI.\r\n    \r\n2. Click on **Connect Repo** and provide the appropriate repository URL.\r\n    \r\n3. Select the connection method as HTTPS. If the repository is private:\r\n    \r\n    * Enter your username and password to authenticate.\r\n        \r\n    * Otherwise, skip the authentication step for public repositories.\r\n        \r\n4. Choose the default project (or any specific project, if configured) and complete the setup.\r\n    \r\n\r\nOnce connected, your repository will be ready for deploying applications via ArgoCD.\r\n\r\n\u003cimg width=\"1850\" height=\"842\" alt=\"adding repo in argocd-1\" src=\"https://github.com/user-attachments/assets/94a7fedc-b137-4d08-a4ac-36484466f34f\" /\u003e\r\n\r\n\u003cimg width=\"1847\" height=\"823\" alt=\"adding repo in argocd-2\" src=\"https://github.com/user-attachments/assets/9c66755f-0baf-40a9-bc7c-a9c3e621b996\" /\u003e\r\n\r\n\u003cimg width=\"1852\" height=\"832\" alt=\"added git repo successfully\" src=\"https://github.com/user-attachments/assets/a232b26c-d5cc-448d-9f55-a61a037f9226\" /\u003e\r\n\r\n\u003cimg width=\"1918\" height=\"910\" alt=\"added git repo successfully-2\" src=\"https://github.com/user-attachments/assets/95ddfd1a-5d46-413c-bdbe-b8f457b0540c\" /\u003e\r\n\r\n---\r\n\r\n## Step 10: Installing Helm, Ingress Controller, and Setting Up Metrics for HPA in Kubernetes\r\n\r\n### 1\\. Install Helm\r\n\r\n**Helm** is a powerful Kubernetes package manager that simplifies the deployment and management of applications within your Kubernetes clusters. 
To get started, follow the steps below to install Helm on your local system:\r\n\r\n```bash\r\n# Download the Helm installation script\r\ncurl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3\r\n\r\n# Change script permissions to make it executable\r\nchmod 700 get_helm.sh\r\n\r\n# Run the installation script\r\n./get_helm.sh\r\n```\r\n\r\nAfter running the script, Helm will be installed, and you can start using it to deploy applications to your Kubernetes cluster.\r\n\r\n---\r\n\r\n### 2\\. Installing Ingress Controller Using Helm\r\n\r\nAn **Ingress Controller** is necessary to manage external HTTP/HTTPS access to your services in Kubernetes. In this step, we will install the NGINX Ingress Controller using Helm.\r\n\r\nTo install the NGINX Ingress Controller, execute the following commands:\r\n\r\n```bash\r\n# Add the NGINX Ingress controller Helm repository\r\nhelm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx\r\n\r\n# Update the Helm repository to ensure you have the latest charts\r\nhelm repo update\r\n\r\n# Install the ingress-nginx controller in the ingress-nginx namespace\r\nhelm install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace\r\n```\r\n\r\nThis command installs the NGINX Ingress controller into your Kubernetes cluster, creating a new namespace called `ingress-nginx`. This Ingress controller will handle routing and load balancing for your services.\r\n\r\n---\r\n\r\n### 3\\. Apply Metrics Server for HPA\r\n\r\nTo enable **Horizontal Pod Autoscaling (HPA)** in your Kubernetes cluster, the **metrics-server** is required to collect resource usage data like CPU and memory from the pods. 
HPA scales your application based on these metrics.\r\n\r\nRun the following command to apply the **metrics-server**:\r\n\r\n```bash\r\n# Install metrics-server to collect resource usage metrics\r\nkubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml\r\n```\r\n\r\nOnce installed, the metrics-server will start collecting data from your Kubernetes nodes and pods, enabling you to configure HPA based on these metrics.\r\n\r\n---\r\n\r\n### 4\\. Install Cert-Manager for SSL/TLS Certificates\r\n\r\nTo secure the application with **HTTPS** on a custom domain name, you need SSL/TLS certificates. **Cert-Manager** is a Kubernetes tool that automates the issuance and management of these certificates.\r\n\r\nTo install Cert-Manager, use the following command:\r\n\r\n```bash\r\n# Apply Cert-Manager components to your cluster\r\nkubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml\r\n```\r\n\r\nOnce installed, Cert-Manager will be responsible for automatically issuing and renewing SSL/TLS certificates for your services. You can then configure Cert-Manager to issue a certificate for your application and configure HTTPS with your domain.\r\n\r\n---\r\n\r\n## Step 11: Creating an Application on ArgoCD\r\n\r\n### 1\\. General Section\r\n\r\n* **Application Name**: Choose a name for your application.\r\n    \r\n* **Project Name**: Select **default**.\r\n    \r\n* **Sync Policy**: Choose **Automatic**.\r\n    \r\n* Enable **Prune Resources** and **Self-Heal**.\r\n    \r\n* Check **Auto Create Namespace**.\r\n    \r\n\r\n---\r\n\r\n### 2\\. Source Section\r\n\r\n* **Repo URL**: Enter the URL of your Git repository.\r\n    \r\n* **Revision**: Select the branch (e.g., `main`).\r\n    \r\n* **Path**: Specify the directory containing your Kubernetes manifests (e.g., `k8s`).\r\n    \r\n\r\n---\r\n\r\n### 3\\. 
Destination Section\r\n\r\n* **Cluster**: Select your desired cluster.\r\n    \r\n* **Namespace**: Use `bankapp-namespace`.\r\n    \r\n\r\n---\r\n\r\n### 4\\. Create the Application\r\n\r\nClick **Create** to finish the setup and deploy your application.\r\n\r\n\u003cimg width=\"1915\" height=\"921\" alt=\"creating application in argocd\" src=\"https://github.com/user-attachments/assets/3fb2cc20-6b47-4a03-af7a-d290df6fcbf4\" /\u003e\r\n\r\n\u003cimg width=\"1918\" height=\"956\" alt=\"creating application in argocd-2\" src=\"https://github.com/user-attachments/assets/b1ade130-3669-4e8f-a7dd-24572d072cdb\" /\u003e\r\n\r\n\u003cimg width=\"1918\" height=\"941\" alt=\"application created successfully\" src=\"https://github.com/user-attachments/assets/f6e35555-718f-45e7-93a6-d05631e412b2\" /\u003e\r\n\r\n\u003cimg width=\"1850\" height=\"838\" alt=\"application-1\" src=\"https://github.com/user-attachments/assets/1ceda823-c9ff-431f-99d1-955287a75d0b\" /\u003e\r\n\r\n\u003cimg width=\"1912\" height=\"918\" alt=\"application-2\" src=\"https://github.com/user-attachments/assets/c8ef7fc6-2456-451b-81c8-1d466bad0a9b\" /\u003e\r\n\r\n---\r\n\r\n## Step 12: Exposing the Application via Ingress or NodePort\r\n\r\nIn this step, we will walk through two options to expose your application to the outside world: one using an **ALB** (Application Load Balancer) with a CNAME record and the other using **NodePort** if you don't have a domain.\r\n\r\n---\r\n\r\n###  Exposing via NodePort\r\n\r\nIf you don't have a domain, you can expose the service using **NodePort**.\r\n\r\n1. Before patching, check the existing services in the `bankapp-namespace`:\r\n    \r\n    ```bash\r\n    kubectl get svc -n bankapp-namespace\r\n    ```\r\n    \r\n2. Patch the **bankapp-service** to expose it via **NodePort**:\r\n    \r\n    ```bash\r\n    kubectl patch svc bankapp-service -n bankapp-namespace -p '{\"spec\": {\"type\": \"NodePort\"}}'\r\n    ```\r\n    \r\n3. 
After patching, check the service again to get the **NodePort**:\r\n    \r\n    ```bash\r\n    kubectl get svc -n bankapp-namespace\r\n    ```\r\n    \r\n4. Now, access your application in the browser using the URL format: `http://\u003cworker_node_public_ip\u003e:\u003cnodeport\u003e`\r\n\r\n\u003cimg width=\"1851\" height=\"872\" alt=\"bankapp-deploy\" src=\"https://github.com/user-attachments/assets/74d2ce3a-8d39-4900-a7a5-70d708836896\" /\u003e\r\n\r\n---\r\n\r\n## Step 13: Setting Up Jenkins for Continuous Integration\r\n\r\n### 1\\. Install Jenkins on the Master Node\r\n\r\nInstall **Jenkins** on the master node by following this blog: [How to Install Essential DevOps Tools on Ubuntu Linux](https://amitabhdevops.hashnode.dev/how-to-install-essential-devops-tools-on-ubuntulinux).\r\n\r\nAfter installation, open port **8080** on the master node and access Jenkins in your browser:\r\n\r\n```bash\r\nhttp://\u003cmaster-node-public-ip\u003e:8080\r\n```\r\n\r\nComplete the Jenkins setup by following the on-screen instructions to configure the admin username and password.\r\n\r\n\u003cimg width=\"1855\" height=\"897\" alt=\"jenkins-1\" src=\"https://github.com/user-attachments/assets/7dd8b281-bb9e-4b81-9262-b4f46b6e1bbf\" /\u003e\r\n\r\n\u003cimg width=\"1851\" height=\"870\" alt=\"jenkins-3\" src=\"https://github.com/user-attachments/assets/d9cf5264-9265-4234-a4b2-9186191ce3e5\" /\u003e\r\n\r\n---\r\n\r\n### 2\\. Install Docker and Configure User Permissions\r\n\r\nTo integrate Jenkins with Docker, you need to install **Docker** and add both the current user and the **Jenkins** user to the Docker group:\r\n\r\n1. Install Docker (if not already installed).\r\n    \r\n2. Add the current user to the Docker group:\r\n    \r\n    ```bash\r\n    sudo usermod -aG docker $USER \u0026\u0026 newgrp docker\r\n    ```\r\n    \r\n3. Add the **Jenkins** user to the Docker group:\r\n    \r\n    ```bash\r\n    sudo usermod -aG docker jenkins\r\n    ```\r\n    \r\n4. 
Restart Jenkins:\r\n    \r\n    ```bash\r\n    sudo systemctl restart jenkins\r\n    ```\r\n    \r\n\r\n---\r\n\r\n### 3\\. Add DockerHub Credentials\r\n\r\n\u003cimg width=\"1812\" height=\"845\" alt=\"jenkins-7-dockerhub\" src=\"https://github.com/user-attachments/assets/385e1932-f5f4-42d0-ae2c-55359ed1b7b9\" /\u003e\r\n\r\n---\r\n\r\n### 4\\. Add GitHub Credentials\r\n\r\nAdd **GitHub** credentials to Jenkins as well to enable seamless integration with the GitHub repository.\r\n\r\n---\r\n\r\n### 5\\. Setting Up Webhook for Continuous Integration\r\n\r\nTo automatically trigger Jenkins builds on changes in your GitHub repository, set up a webhook.\r\n\r\n---\r\n\r\n### 6\\. Create a Jenkins Pipeline Job\r\n\r\nWhile creating the job, ensure that you check the box for **This project is parameterized** to allow dynamic configuration during the build.\r\n\r\n---\r\n\r\n### 7\\. Building the Pipeline\r\n\r\nOnce everything is set up, trigger the pipeline build by selecting **Build with Parameters**. Enter the required parameters and start the build process. Monitor the build logs for any errors. If any issues arise, resolve them.\r\n\r\n* Check **Docker Hub** for the tagged images after the build.\r\n    \r\n* Ensure that the **bankapp-deployment** is using the correct image tag from **Docker Hub**. 
Refer to the images below.\r\n\r\n\u003cimg width=\"1843\" height=\"867\" alt=\"jenkins-10-creating-pipeline\" src=\"https://github.com/user-attachments/assets/1f28a628-b2d6-49ea-a3da-ccad1df42d69\" /\u003e\r\n\r\n\u003cimg width=\"1861\" height=\"892\" alt=\"jenkins-10-creating-pipeline-2\" src=\"https://github.com/user-attachments/assets/64683429-228d-494f-8d80-45adefe1347b\" /\u003e\r\n\r\n\u003cimg width=\"1848\" height=\"876\" alt=\"jenkins-10-creating-pipeline-3\" src=\"https://github.com/user-attachments/assets/ed16cc44-2229-4f76-97d9-ad04db228e57\" /\u003e\r\n\r\n\u003cimg width=\"1852\" height=\"872\" alt=\"jenkins-10-creating-pipeline-4\" src=\"https://github.com/user-attachments/assets/217959cc-538f-449c-9f18-fa950b6accde\" /\u003e\r\n\r\n\u003cimg width=\"1853\" height=\"842\" alt=\"jenkins-pipeline-created\" src=\"https://github.com/user-attachments/assets/0b1bdd1f-8c9a-4711-8e76-673186324d70\" /\u003e\r\n\r\n---\r\n\r\n## Install and configure SonarQube (Master machine)\r\n\r\n```bash\r\ndocker run -itd --name SonarQube-Server -p 9000:9000 sonarqube:lts-community\r\n```\r\n\r\n\u003cimg width=\"1852\" height=\"862\" alt=\"sonarqube-1\" src=\"https://github.com/user-attachments/assets/72dc3e3d-04e7-4da6-8656-006922795903\" /\u003e\r\n\r\n\u003cimg width=\"1857\" height=\"877\" alt=\"sonarqube-2\" src=\"https://github.com/user-attachments/assets/23b431f8-ba50-4615-976c-371174fa0c2d\" /\u003e\r\n\r\n\u003cimg width=\"1841\" height=\"863\" alt=\"sonarqube-3\" src=\"https://github.com/user-attachments/assets/3ac6fe6e-0c16-45a6-9487-441d2f20ae9b\" /\u003e\r\n\r\n\u003cimg width=\"1848\" height=\"856\" alt=\"sonarqube-4\" src=\"https://github.com/user-attachments/assets/e15edc8f-de3f-43a1-8312-c8d1df9c42df\" /\u003e\r\n\r\n\u003cimg width=\"1852\" height=\"872\" alt=\"sonarqube-5\" src=\"https://github.com/user-attachments/assets/094ad08d-a68c-45a3-bfbb-ef4727ce8fa2\" /\u003e\r\n\r\n\u003cimg width=\"1856\" height=\"850\" alt=\"sonarqube-6\" 
src=\"https://github.com/user-attachments/assets/b140136f-97be-4815-9ccc-8ce4d1e55bf4\" /\u003e\r\n\r\n\u003cimg width=\"1845\" height=\"865\" alt=\"sonarqube-7\" src=\"https://github.com/user-attachments/assets/a5c0551d-3b96-4b2a-8e10-b1e62ecb4249\" /\u003e\r\n\r\n\u003cimg width=\"1790\" height=\"795\" alt=\"sonarqube-9\" src=\"https://github.com/user-attachments/assets/37a32c2f-0b08-4ec1-b4d5-83b052cd39bc\" /\u003e\r\n\r\n\u003cimg width=\"1848\" height=\"872\" alt=\"sonarqube-10\" src=\"https://github.com/user-attachments/assets/3a8b5b1a-cb47-4a19-aae6-e4eeabc6d686\" /\u003e\r\n\r\n\u003cimg width=\"1850\" height=\"867\" alt=\"sonarqube-webhook\" src=\"https://github.com/user-attachments/assets/45a7f45c-77f1-4de5-be34-d0807cb20f6a\" /\u003e\r\n\r\n\u003cimg width=\"1917\" height=\"912\" alt=\"webhook added successfully\" src=\"https://github.com/user-attachments/assets/b3229be6-4c3a-4804-aa83-175ae64a96a9\" /\u003e\r\n\r\n---\r\n\r\n## Install Trivy (Jenkins Worker)\r\n\r\n```bash\r\nsudo apt-get install wget apt-transport-https gnupg lsb-release -y\r\nwget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -\r\necho deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list\r\nsudo apt-get update -y\r\nsudo apt-get install trivy -y\r\n```\r\n\r\n---\r\n\r\n## Step 14: Setting Up Observability with Prometheus and Grafana\r\n\r\n### 1\\. Adding Prometheus Helm Repository\r\n\r\nStart by adding the **Prometheus** Helm repository:\r\n\r\n```bash\r\nhelm repo add prometheus-community https://prometheus-community.github.io/helm-charts\r\n```\r\n\r\n---\r\n\r\n### 2\\. Creating the Prometheus Namespace\r\n\r\nCreate a dedicated namespace for Prometheus:\r\n\r\n```bash\r\nkubectl create namespace prometheus\r\n```\r\n\r\n---\r\n\r\n### 3\\. 
Installing Prometheus\r\n\r\nInstall the **Prometheus** and **Grafana** stack using Helm in the `prometheus` namespace:\r\n\r\n```bash\r\nhelm install stable prometheus-community/kube-prometheus-stack -n prometheus\r\n```\r\n\r\n---\r\n\r\n### 4\\. Get Services in the Prometheus Namespace\r\n\r\nTo view the services running in the `prometheus` namespace, use the following command:\r\n\r\n```bash\r\nkubectl get svc -n prometheus\r\n```\r\n\r\n---\r\n\r\n### 5\\. Exposing Grafana via NodePort\r\n\r\nExpose **Grafana** through **NodePort** by patching the service:\r\n\r\n```bash\r\nkubectl patch svc stable-grafana -n prometheus -p '{\"spec\": {\"type\": \"NodePort\"}}'\r\n```\r\n\r\nRun the following command again to get the **NodePort** and open it in your browser using the **Master Node's Public IP**:\r\n\r\n```bash\r\nkubectl get svc -n prometheus\r\n```\r\n\r\n---\r\n\r\n### 6\\. Access Grafana\r\n\r\nTo access **Grafana**, use the **admin** username and retrieve the password by running the following command:\r\n\r\n```bash\r\nkubectl get secret --namespace prometheus stable-grafana -o jsonpath=\"{.data.admin-password}\" | base64 --decode ; echo\r\n```\r\n\r\n---\r\n\r\n### 7\\. Monitoring Your Application\r\n\r\nNow that **Prometheus** and **Grafana** are set up, you can use **Grafana** to monitor your application metrics. 
Grafana will pull metrics from **Prometheus**, and you can create dashboards to visualize various aspects of your application’s performance.\r\n\r\n\u003cimg width=\"1918\" height=\"938\" alt=\"grafana\" src=\"https://github.com/user-attachments/assets/66607874-d793-41b6-90aa-ee806981cae2\" /\u003e\r\n\r\n\u003cimg width=\"1853\" height=\"861\" alt=\"grafana-\" src=\"https://github.com/user-attachments/assets/7731b5cc-95e2-468f-9aec-3278eee933d5\" /\u003e\r\n\r\n\u003cimg width=\"1852\" height=\"863\" alt=\"grafana-1\" src=\"https://github.com/user-attachments/assets/eaee187b-04b0-401e-bd70-21aed3511a15\" /\u003e\r\n\r\n\u003cimg width=\"1856\" height=\"871\" alt=\"grafana-2\" src=\"https://github.com/user-attachments/assets/e3b6fc62-bc4f-47f4-9d65-5a0035669f5c\" /\u003e\r\n\r\n---\r\n\r\n## Conclusion\r\n\r\nIn conclusion, your DevSecOps Mega Project showcases a well-structured and automated pipeline using industry-standard tools. You've effectively integrated AWS, Docker, Kubernetes (EKS), Helm, and ArgoCD for deployment automation. By leveraging Terraform for infrastructure as code and implementing security best practices like IAM roles, SSL certificates, and Horizontal Pod Autoscaling, your setup ensures a secure, scalable, and efficient environment. The project demonstrates strong knowledge in cloud infrastructure, containerization, and CI/CD practices, positioning you well for real-world DevSecOps implementation.\r\n\r\n---\r\n\r\n\r\n\r\n\r\n\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsandesh300%2Fdevsecops-pipeline-on-aws-eks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsandesh300%2Fdevsecops-pipeline-on-aws-eks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsandesh300%2Fdevsecops-pipeline-on-aws-eks/lists"}