Praduman's blog

Hosting GitLab on Your Private Server with CI/CD: A How-To Guide

Praduman Prajapati — Tue, 20 May 2025 12:38:07 GMT

Self-hosting GitLab on a private server gives you full control over your code, repositories, and CI/CD pipelines. It’s a great solution for teams needing privacy and customization. In this guide, I’ll walk you through setting up GitLab with CI/CD using Docker, based on a project I recently completed.

Why Self-Host GitLab?

Privacy: Keep your code and data on your own infrastructure.
Customization: Tailor GitLab to your team’s needs.
CI/CD: Automate builds, tests, and deployments with GitLab Runners.

Prerequisites

A server with 8 vCPU, 7.2GB RAM, and 50GB+ disk space (e.g., Ubuntu 22.04).
Root or sudo access.
A domain name (e.g., git.example.com) or static IP.

Creating an EC2 server

Go to AWS console → EC2 → Instances
Click on Launch Instance
Fill the requirements
- Name: GitLab Server
- AMI: Ubuntu Server 24.04
- Instance type: t2.2xlarge
- Create a new key pair and save it
- Configure the Network settings
- Configure storage (set 50+ GiB of storage)
- Launch the Instance

Connect to the `Gitlab Server` using `SSH`

Copy the public IP of the Server
Open Your local terminal
Connect to the Instance via ssh command:
```
 ssh -i  ubuntu@
```
Congrats! 🎉 Gitlab server is now connected to the local server via SSH

Step 1: Prepare the Server

Start by updating your server and installing dependencies:

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install -y curl openssh-server ca-certificates tzdata perl

Optionally, install Postfix for email notifications:

sudo apt-get install -y postfix

Select Internet Site and enter your server’s domain or IP.

Step 2: Install Docker

Install Docker to run GitLab in a container:

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER

Log out and back in, then verify Docker:

docker --version

Log out and back in for the group change to take effect.

Step 3: Deploy GitLab

Create directories for persistent storage:

mkdir -p /srv/gitlab/config /srv/gitlab/logs /srv/gitlab/data

Run the GitLab container:

sudo docker run --detach \
  --hostname git.example.com \
  --publish 443:443 --publish 80:80 --publish 22:22 \
  --name gitlab \
  --restart always \
  --volume /srv/gitlab/config:/etc/gitlab \
  --volume /srv/gitlab/logs:/var/log/gitlab \
  --volume /srv/gitlab/data:/var/opt/gitlab \
  gitlab/gitlab-ce:latest

Replace git.example.com with your domain or server IP.

Wait 5-10 minutes for GitLab to initialize.

Check container status:

docker ps

Step 4: Secure the Instance

Access GitLab: Navigate to http:// or https://git.example.com.
Set a password for the root user when prompted.
Log in: Use username root and the password you set.

Enable HTTPS by editing /srv/gitlab/config/gitlab.rb:

external_url 'https://git.example.com'
letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['your-email@example.com']

Reconfigure GitLab:

sudo docker exec -it gitlab gitlab-ctl reconfigure

Restrict access (optional): In the GitLab UI, go to Admin Area > Settings > General > Sign-up restrictions and disable sign-ups for a private setup.

Step 5: Set Up CI/CD with GitLab Runner

Install GitLab Runner:

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
sudo apt-get install -y gitlab-runner

Register the Runner:

In GitLab UI, go to Settings > CI/CD > Runners to get the registration token and URL.
Register the runner:

sudo gitlab-runner register \
  --url https://git.example.com \
  --token  \
  --description my-runner \
  --tag-list docker-runner \
  --executor docker \
  --docker-image alpine:latest

Verify Runner:

sudo gitlab-runner status

Test CI/CD with a Pipeline

Create a .gitlab-ci.yml file in your project to test the pipeline:

stages:
  - build
  - test

build:
  stage: build
  tags:
    - docker-runner
  script:
    - echo "Building the project..."
    - mkdir -p builds
    - touch builds/app.txt
  artifacts:
    paths:
      - builds/

test:
  stage: test
  tags:
    - docker-runner
  script:
    - echo "Running tests..."
    - test -f builds/app.txt

Push the file and check the pipeline in CI/CD > Pipelines

Conclusion

You now have a self-hosted GitLab instance with CI/CD, ready for private development and automation. Secure it with a firewall (ufw) and regular backups:

sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

sudo docker exec -it gitlab gitlab-backup create

Capstone DevOps Project: Enterprise-Grade CI/CD Pipeline with Kubernetes on AWS, Jenkins, Helm, Ingress, and Monitoring

Praduman Prajapati — Fri, 18 Apr 2025 22:18:58 GMT

Introduction 🚀

In today’s fast-paced software development world, automating the process of building, testing, and deploying applications is essential for delivering features quickly and reliably. That’s where CI/CD pipelines come into play.

In this project, I’ve built a complete, production-grade CI/CD pipeline using Jenkins, Kubernetes (EKS), and various open-source DevOps tools — all deployed on AWS. This setup not only automates the deployment of applications but also integrates monitoring (with Prometheus & Grafana) and secure ingress access with HTTPS using Nginx Ingress Controller and Cert-Manager.

Whether you're a DevOps beginner looking to understand real-world pipelines or a professional aiming to implement enterprise-grade CI/CD systems, this blog will walk you through every step — from infrastructure setup to continuous delivery and monitoring.

By the end of this guide, you'll have a fully functional, cloud-native CI/CD pipeline with all the essential components configured, deployed, and running on Kubernetes.

Architecture Diagram of the Project

📌 Source Code & Project Repositories

To keep things simple and organized, I’ve divided the entire project into three separate repositories, each focusing on a different part of the DevSecOps workflow:

🔧 Project Repository (CI Repo)

https://github.com/praduman8435/Capstone-Mega-DevOps-Project

🚀 CD Repository

https://github.com/praduman8435/Capstone-Mega-CD-Pipeline.git

☁️ Infrastructure as Code (IaC) — Terraform for EKS

https://github.com/praduman8435/EKS-Terraform.git

🔒 Configure AWS Security Group

A Security Group in AWS acts like a virtual firewall. It controls what kind of traffic can come into or go out of your EC2 instances or services—keeping your infrastructure secure.

For this project, we'll either create a new security group or update an existing one with the required rules.

📌 Essential Security Group Rules for Kubernetes Cluster

Port(s)	Purpose	Why It’s Needed
`587`	SMTP (Email Notifications)	To allow tools like Jenkins to send email notifications
`22`	SSH Access	For secure shell access to EC2 instances (use with caution)
`80` and `443`	HTTP & HTTPS	For serving web traffic (Ingress, Jenkins, ArgoCD UI, etc.)
`3000 - 11000`	App-Specific Ports	For apps like Grafana (3000), Prometheus, and others

✅ Best Practices for Security Group Setup

🔐 Follow Least Privilege
Only open the ports that your application actually needs. Avoid exposing everything “just in case.”
🛑 Restrict SSH Access (Port 22)
Limit SSH access to your IP or admin IPs only. Never leave it open to the entire internet (0.0.0.0/0)—this is a big security risk. (I have done this for demo purpose only).

Create EC2 Instances for Required Tools

To run essential DevOps tools like Nexus, SonarQube, Jenkins, and manage infrastructure, you'll need to create four separate EC2 instances on AWS.

📋 What You’ll Be Creating:

Instance Name	Purpose
`Nexus`	Artifact repository to store JAR files, and other build artifacts
`SonarQube`	Static code analysis and code quality scanning
`Jenkins`	CI/CD automation server for building, testing, and triggering deployments
`InfraServer`	Used to provision the EKS cluster and manage infrastructure via Terraform

🔧 Step 1: Launch EC2 Instances

Go to the AWS EC2 Dashboard
Click “Launch Instance”

⚙️ Step 2: Configure Instance

Set the number of instances to 4
AMI (Amazon Machine Image): Select the latest Ubuntu (e.g., Ubuntu 22.04 LTS)
Instance Type: Choose t2.large (2 vCPU, 8 GB RAM)
Key Pair: Select an existing key pair or create a new one to access your instances via SSH
Storage: Set root volume to at least 25 GB
Security Group: Use the security group you configured earlier (with necessary ports open)
Click Launch Instance
Tags: Add a Name tag to each instance to identify them easily

Instance	Name Tag
1	`Nexus`
2	`SonarQube`
3	`Jenkins`
4	`InfraServer`

🔗 Connecting to EC2 Instances via SSH

Once your EC2 instances are up and running, you can connect to them securely using SSH (Secure Shell) from your local terminal.

🧩 What You Need:

The .pem file (private key) you downloaded or created while launching the EC2 instances
The public IP address of each EC2 instance (you’ll find it in the EC2 dashboard)

💻 SSH Command

ssh -i  ubuntu@

Replace with the path to your .pem file
Replace with the public IP of the instance you want to access

Repeat this for each instance:

Nexus

SonarQube

Jenkins

InfraServer
ssh -i  ubuntu@
ssh -i  ubuntu@
ssh -i  ubuntu@
ssh -i  ubuntu@

Configure each server

To ensure your server is up to date, run the following command:

sudo apt update

This will refresh the package list and update any outdated software.

Configure the Infrastructure Server

Now, we need to make sure that the server has the necessary permissions to create resources on AWS.

Create an IAM Role in AWS:
- Go to the AWS Management Console.
- In the navigation bar, search for IAM and select Roles.
- Click on Create role.
Set the Trusted Entity:
- Trusted Entity Type: Select AWS service.
- Use Case: Select EC2 (this allows EC2 instances to assume this role).

Attach Policies:
- Click Next: Permissions.
- In the search bar, search for AdministratorAccess.
- Check the box next to AdministratorAccess to give the EC2 instance full permissions.

Assign a Role Name:
- Choose a role name
- Click Create role to finish creating the IAM role.

Attach the IAM Role to the EC2 Instance

Now that your IAM role is created, it’s time to attach it to your EC2 instance.

Go to the EC2 Dashboard in AWS.
Find the InfraServer instance and click on it to open the instance details.
Click Actions → Security → Modify IAM Role.
Under the IAM role section, select the role you just created.
Click Update IAM role to apply the changes.

InfraServer now has the necessary permissions to create AWS resources. 🚀

Install AWS CLI on the Infra Server

To manage AWS resources from your server, you need to install the AWS Command Line Interface (CLI).

Download AWS CLI: Run the following command to download the AWS CLI installation package:
```
 curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
```
Install unzip (if not already installed):
```
 sudo apt install unzip -y
```
Unzip the AWS CLI package:
```
 unzip awscliv2.zip
```
Install AWS CLI:
```
 sudo ./aws/install
```

Verify AWS CLI Installation

To ensure AWS CLI is installed correctly, run:

aws --version

This should display the installed version of AWS CLI.

Configure AWS CLI

Set the AWS region globally so that the AWS CLI knows where to create resources. Use the following command:

aws configure set region us-east-1

Replace us-east-1 with your preferred AWS region if needed.

Install Terraform

To use Terraform, follow these steps to install it on your InfraServer:

Update the server and install required dependencies:

 sudo apt-get update && sudo apt-get install -y gnupg software-properties-common

Download the HashiCorp GPG key:

 wget -O- https://apt.releases.hashicorp.com/gpg | \
 gpg --dearmor | \
 sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg > /dev/null

Verify the GPG key:

 gpg --no-default-keyring \
 --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg \
 --fingerprint

Add the HashiCorp repository:

 echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \
 https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
 sudo tee /etc/apt/sources.list.d/hashicorp.list

Update the package list:
```
 sudo apt update
```
Install Terraform:
```
 sudo apt-get install terraform
```

Verify Terraform Installation

To confirm that Terraform is installed, run:

terraform -version

This will display the installed version of Terraform.

Clone the Infrastructure as Code (IaC) Repository

Clone GitHub repository to the InfraServer where the Terraform configuration files are stored.

Clone the repository:

 git clone https://github.com/praduman8435/EKS-Terraform.git

Navigate into the repository directory:
```
 cd EKS-Terraform
```

Create Resources on AWS Using Terraform

Initialize Terraform:

Before applying the configuration, you need to initialize the Terraform working directory:
```
 terraform init
```
Check the Resources Terraform Will Create:

Run the following command to see a preview of the resources Terraform will create:
```
 terraform plan
```
Apply the Terraform Configuration:

Once you’re ready to create the resources, apply the configuration:
```
 terraform apply --auto-approve
```
This command will automatically approve the changes without prompting for confirmation.

Now, sit back and relax for approximately 10 minutes as Terraform creates the resources in AWS. You can monitor the progress in the terminal.

Set Up the Jenkins Server

Now infrastructure is ready, let's set up Jenkins server. Jenkins will be the core tool for automating our CI/CD pipeline.

Step 1: Install Java

Jenkins requires Java to run. We’ll install OpenJDK 17 (a stable, widely-used version):

sudo apt install openjdk-17-jre-headless -y

Step 2: Install Jenkins

Add the Jenkins repository key:

 sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
 https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key

Add the Jenkins repository to your system:

 echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
 https://pkg.jenkins.io/debian-stable binary/" | sudo tee \
 /etc/apt/sources.list.d/jenkins.list > /dev/null

Update your package list:
```
 sudo apt-get update
```
Install Jenkins:
```
 sudo apt-get install jenkins -y
```

Step 3: Access Jenkins Web UI

Get the Jenkins Server’s Public IP from the AWS EC2 dashboard.
In your browser, go to:
```
 http://:8080
```
Important: Make sure port 8080 is open in the security group attached to your Jenkins EC2 instance.
- Go to EC2 → Security Groups → Edit inbound rules.
- Add a rule to allow TCP traffic on port 8080 from your IP or anywhere (0.0.0.0/0) for testing.

Unlock Jenkins

On the Jenkins setup page, it will ask for the initial admin password.

Run this command on your server to get it:

 sudo cat /var/lib/jenkins/secrets/initialAdminPassword

Copy the password and paste it into the browser.

Step 5: Install Plugins & Create Admin User

Click "Install Suggested Plugins" when prompted.
Once the plugins are installed, create your admin user (username, password, email).
Click "Save and Continue".
Then click "Save and Finish".

🎉 Jenkins is Ready!

You’ve successfully installed and configured Jenkins! You can now start creating jobs and automating your CI/CD pipeline.

Set Up the SonarQube Server

SonarQube is a powerful tool for continuously inspecting code quality and security. In this step, we’ll install Docker and run SonarQube as a container on our server.

Step 1: Update the Server

Let’s start by updating the system packages:

sudo apt update

Step 2: Install Docker on the Server

To run SonarQube as a container, we first need Docker installed.

Install required dependencies:

 sudo apt-get install ca-certificates curl -y

Add Docker’s official GPG key:

 sudo install -m 0755 -d /etc/apt/keyrings
 sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
 sudo chmod a+r /etc/apt/keyrings/docker.asc

Add the Docker repository:

 echo \
 "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
 https://download.docker.com/linux/ubuntu \
 $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
 sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update your package index again:
```
 sudo apt-get update
```

Install Docker Engine and tools:

 sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y

Step 3: Enable Docker for Your User (Optional, but recommended)

To run Docker without sudo every time:

sudo usermod -aG docker $USER

⚠️ Important: You need to log out and log back in after running this command for the changes to take effect.

Step 4: Run SonarQube in a Docker Container

Now that Docker is ready, let’s launch SonarQube:

docker run -d --name sonarqube -p 9000:9000 sonarqube:lts

This command will:

Download the latest LTS (Long-Term Support) version of SonarQube.
Start it in a detached container.
Expose it on port 9000.

Step 5: Access SonarQube Web UI

Open your browser and go to:

http://:9000

Make sure port 9000 is allowed in the EC2 security group.

Use the default credentials to log in:

Username: admin
Password: admin

You’ll be prompted to change the password on your first login.

🎉 SonarQube is now up and running on your server!

Set Up the Nexus Server

Nexus is a repository manager where we can store and manage build artifacts like Docker images, Maven packages, and more. We’ll install and run Nexus in a Docker container.

Step 1: Update the System

Start by updating all the packages:

sudo apt update

Step 2: Install Docker

If Docker isn’t already installed on this server, follow these steps:

Install required packages:

 sudo apt-get install ca-certificates curl -y

Add Docker’s GPG key:

 sudo install -m 0755 -d /etc/apt/keyrings
 sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
 sudo chmod a+r /etc/apt/keyrings/docker.asc

Add the Docker repository:

 echo \
 "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
 https://download.docker.com/linux/ubuntu \
 $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
 sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update package index:
```
 sudo apt-get update
```

Install Docker:

 sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y

Step 3: Run Docker Without `sudo` (Optional)

To avoid typing sudo before every Docker command:

sudo usermod -aG docker $USER

🔁 Log out and log back in to apply this change.

Step 4: Run Nexus in a Docker Container

Now that Docker is ready, let’s launch the Nexus container:

docker run -d --name nexus -p 8081:8081 sonatype/nexus3:latest

This runs Nexus in the background.
The web interface will be available on port 8081.

Step 5: Access Nexus Web Interface

In your browser, go to:
```
 http://:8081
```
Make sure port 8081 is allowed in your EC2 instance’s Security Group.

Step 6: Retrieve the Admin Password

To sign in, you need the initial admin password which is stored inside the container.

Here’s how to get it:

Find the container ID:
```
 docker ps
```
Access the container shell:
```
 docker exec -it  /bin/bash
```
Print the password:
```
 cat /nexus-data/admin.password
```
Copy the password and go back to the Nexus UI.

Username: admin
Password: (paste the password you retrieved)

After login, it will ask you to set a new admin password.

🎉 That’s it! Your Nexus repository manager is now ready to use.

Configure Jenkins Plugins and Docker

Now that Jenkins is up and running, let’s install the required plugins and set up Docker on the Jenkins server to enable full CI/CD functionality.

Step 1: Install Required Jenkins Plugins

Go to Jenkins Dashboard
→ Click Manage Jenkins
→ Click Manage Plugins
→ Go to the Available tab
Search and install the following plugins (you can select multiple at once):
- Pipeline Stage View
- Docker Pipeline
- SonarQube Scanner
- Config File Provider
- Maven Integration
- Pipeline Maven Integration
- Kubernetes
- Kubernetes CLI
- Kubernetes Client API
- Kubernetes Credentials
- Kubernetes Credentials Provider

Click Install without restart and wait for all plugins to be installed.
Once done, restart Jenkins to apply all changes

Step 2: Install Docker on Jenkins Server

We’ll now install Docker so Jenkins jobs can build Docker images directly.

Update and install required packages:

 sudo apt-get update
 sudo apt-get install ca-certificates curl -y

Add Docker's GPG key:

 sudo install -m 0755 -d /etc/apt/keyrings
 sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
 sudo chmod a+r /etc/apt/keyrings/docker.asc

Add the Docker repository:

 echo \
 "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
 https://download.docker.com/linux/ubuntu \
 $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
 sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install Docker:

 sudo apt-get update
 sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y

Step 3: Allow Jenkins User to Run Docker

To allow Jenkins to run Docker without needing sudo every time:

sudo usermod -aG docker $USER

🔁 Log out and log back in (or reboot) for the group change to take effect.

Step 4: Configure Maven and Sonar Scanner in Jenkins

Go to Jenkins Dashboard → Manage Jenkins → Global Tool Configuration
Scroll down to the Maven section:
- Click Add Maven
- Name it: maven3
- Choose “Install automatically” (Jenkins will download it)
Scroll to the SonarQube Scanner section:
- Click Add SonarQube Scanner
- Name it: sonar-scanner
- Enable “Install automatically”
Click Save or Apply to finish.

🎉 Done! Jenkins is now fully equipped with all the tools you need to build, analyze, and deploy your applications in a modern DevOps workflow.

Create and Configure Jenkins Pipeline

Step 1: Create a New Pipeline

Go to Jenkins Dashboard
Click New Item
Enter a name
Choose Pipeline as the item type
Click OK
Under Build Discarder:
- Check Discard Old Builds
- Set Max # of builds to keep = 3
  (Keeps Jenkins light and fast)

Step 2: Install Trivy on Jenkins Server

Trivy is used for container vulnerability scanning.

Run the following commands on your Jenkins server:

sudo apt-get install wget apt-transport-https gnupg lsb-release -y

wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | \
gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null

echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] \
https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | \
sudo tee -a /etc/apt/sources.list.d/trivy.list

sudo apt-get update
sudo apt-get install trivy -y

Check if Trivy is working:

trivy --version

Step 3: Add SonarQube Credentials in Jenkins

Go to SonarQube UI → Click on Administration → Security → Users
Generate a new token

Now, add the token in Jenkins:

Go to Jenkins Dashboard → Manage Jenkins → Credentials
Click on (global) → Add Credentials
Fill the form:
- Kind: Secret Text
- Secret: (Paste the token copied from SonarQube)
- ID: sonar-token (We'll refer to this in the pipeline)

Click Create

Step 4: Configure SonarQube Server in Jenkins

Go to Jenkins Dashboard → Manage Jenkins → Configure System
Scroll to SonarQube servers section
Click Add SonarQube
Fill the details:
- Name: sonar
- Server Authentication Token: Choose sonar-token
- Server URL: http://:9000

Click Save

Write Your Pipeline Script

You’re now ready to write your pipeline script under Pipeline → Pipeline Script section of the job.

pipeline {
    agent any

    tools{
        maven 'maven3'
    }
    environment {
        SCANNER_HOME= tool 'sonar-scanner'
    }

    stages {
        stage('Git Checkout') {
            steps {
                git branch: 'main', url: 'https://github.com/praduman8435/Capstone-Mega-DevOps-Project.git'
            }
        }
        stage('Compilation') {
            steps {
                sh 'mvn compile'
            }
        }
        stage('Testing') {
            steps {
                sh 'mvn test -DskipTests=true'
            }
        }
        stage('Trivy FS Scan') {
            steps {
                sh 'trivy fs --format table -o fs-report.html .'
            }
        }
        stage('Code Quality Analysis') {
            steps {
                withSonarQubeEnv('sonar') {
                    sh ''' $SCANNER_HOME/bin/sonar-scanner -Dsonar-projectName=GCBank -Dsonar.projectKey=GCBank \
                            -Dsonar.java.binaries=target '''
                }
            }
        }
    }
}

Now, try to build pipeline and check till now everything works fine

Here, everything works as expected now move forward and add some more scripts inside pipeline

Implement Quality Gate Check

In SonarQube:

Go to: Administration → Configuration → Webhooks
Create New Webhook
- Name: sonarqube-webhook
- URL: http://:8080/sonarqube-webhook/

Click Create

This webhook will notify Jenkins once the SonarQube analysis is complete and the Quality Gate status is available.

Your Jenkins server should be publicly accessible (or at least reachable by the SonarQube server) on that webhook URL.

Update `pom.xml` with Nexus Repositories

In Nexus UI:

Browse → Select maven-releases and maven-snapshots
Copy both URLs (you’ll use them in pom.xml)

In your pom.xml: Search for block and update it like this:


    
        maven-releases
        http://:8081/repository/maven-releases/
    
    
        maven-snapshots
        http://:8081/repository/maven-snapshots/

💡 Don’t forget to:

Replace with your actual Nexus IP
Commit and push the change to GitHub

Configure Nexus Credentials in Jenkins via `settings.xml`

In Jenkins:

Go to: Manage Jenkins → Managed Files → Add a new Config File
Type: Global Maven settings.xml
ID: Capstone
click on next
Now, Inside Content generated find the section

📄 In the section, add:


  
    maven-releases
    admin
    heyitsme
  

  
    maven-snapshots
    admin
    heyitsme

Submit the changes

🔐 This ensures your Maven builds can authenticate with Nexus to deploy artifacts.

Add DockerHub Credentials in Jenkins

Go to: Manage Jenkins → Credentials → Global → Add Credentials
Kind: Username and Password
ID: docker-cred
Username: Your DockerHub username
Password: Your DockerHub password

💡 You’ll reference this ID in your pipeline when logging in to DockerHub.

Add Jenkins User to Docker Group

Run this on Jenkins server:

sudo usermod -aG docker jenkins

Then restart the server or run:

sudo systemctl restart jenkins

So Jenkins can access Docker without sudo

Update the pipeline Script

pipeline {
    agent any

    tools{
        maven 'maven3'
    }
    environment {
        SCANNER_HOME= tool 'sonar-scanner'
        IMAGE_TAG= "v${BUILD_NUMBER}"
    }

    stages {
        stage('Git Checkout') {
            steps {
                git branch: 'main', url: 'https://github.com/praduman8435/Capstone-Mega-DevOps-Project.git'
            }
        }
        stage('Compilation') {
            steps {
                sh 'mvn compile'
            }
        }
        stage('Testing') {
            steps {
                sh 'mvn test -DskipTests=true'
            }
        }
        stage('Trivy FS Scan') {
            steps {
                sh 'trivy fs --format table -o fs-report.html .'
            }
        }
        stage('Code Quality Analysis') {
            steps {
                withSonarQubeEnv('sonar') {
                    sh ''' $SCANNER_HOME/bin/sonar-scanner -Dsonar-projectName=GCBank -Dsonar.projectKey=GCBank \
                            -Dsonar.java.binaries=target '''
                }
            }
        }
        stage('Quality Gate Check'){
            steps{
                waitForQualityGate abortPipeline: false, credentialsId: 'sonar-token'
            }
        }
        stage('Build the Application'){
            steps{
                sh 'mvn package -DskipTests'
            }
        }
        stage('Push Artifacts to Nexus'){
            steps{
                withMaven(globalMavenSettingsConfig: 'Capstone', jdk: '', maven: 'maven3', mavenSettingsConfig: '', traceability: true) {
                    sh 'mvn clean deploy -DskipTests'
                }
            }
        }
        stage('Build & Tag Docker Image'){
            steps{
                script{
                    withDockerRegistry(credentialsId: 'docker-cred') {
                        sh 'docker build -t thepraduman/bankapp:$IMAGE_TAG .'
                    }
                }
            }
        }
        stage('Docker Image Scan') {
            steps {
                sh 'trivy image --format table -o image-report.html thepraduman/bankapp:$IMAGE_TAG'
            }
        }
        stage('Push Docker Image') {
            steps {
                script{
                    withDockerRegistry(credentialsId: 'docker-cred') {
                        sh 'docker push thepraduman/bankapp:$IMAGE_TAG'
                    }
                }
            }
        }
    }
}

Click on Build Now To check the pipeline successfully triggered or not

Automating Jenkins Pipeline Trigger with GitHub Webhook

Now that the CI pipeline is ready, let’s automate it so that it runs automatically every time new code is pushed to the GitHub repository. We’ll use the Generic Webhook Trigger plugin in Jenkins for this.

Install Generic Webhook Trigger Plugin

Go to Jenkins Dashboard → Manage Jenkins → Plugins
Under the Available plugins tab, search for Generic Webhook Trigger
Select it and click on Install
Restart Jenkins once the installation is complete

Configure Webhook Trigger in Your Pipeline

Go back to the Jenkins dashboard and open your pipeline job ( capstone_CI)
Click on Configure
Scroll down to the Build Triggers section and check the box for Generic Webhook Trigger
Under Post content parameters, add:
- Variable: ref
- Expression: $.ref
- Content-Type: JSONPath

Add a token:
- Token Name: capstone
(Optional) Add a filter to trigger the pipeline only for changes on the main branch:
- Expression: refs/heads/main
- Text: $ref

Click Save

Once saved, you’ll see a webhook URL under the token section, something like:

http://:8080/generic-webhook-trigger/invoke?token=capstone

Configure GitHub Webhook

Go to your GitHub repository (the one used in the pipeline)
Click on Settings → Webhooks → Add Webhook
Fill out the form as follows:
- Payload URL: Paste the webhook URL from Jenkins
- Content Type: application/json
- Leave the secret field blank (or add one and configure Jenkins accordingly)
- Choose Just the push event

Click on Add Webhook

That’s it! 🎉 Now, every time a new commit is pushed to the main branch, Jenkins will automatically trigger the pipeline.

Setting Up CD Pipeline

With our CI pipeline automated, it’s time to set up the CD pipeline. The first step is ensuring we can update the Docker image tag in the Kubernetes deployment every time a new image is built by the CI pipeline.

We’ll start by granting Jenkins access to CD GitHub repository and setting up email notifications so that you receive updates when your pipeline fails or succeeds.

Add GitHub Credentials to Jenkins

This will allow Jenkins to clone or push changes to your GitHub CD repository.

Go to Jenkins Dashboard → Manage Jenkins → Credentials
Click on (global)
Click on Add Credentials
Fill in the following:
- Kind: Username with password
- Scope: Global
- Username: Your GitHub username
- Password: Your GitHub password or personal access token (recommended)
- ID: github-cred

Click on Create

Configure Email Notifications in Jenkins

Generate Gmail App Password

To securely send emails from Jenkins, we’ll use a Gmail App Password instead of your actual Gmail password.

Log in to your Google account
Navigate to Security
Enable 2-Step Verification if it’s not already enabled
Scroll down to App Passwords
Generate a new app password:
- App name: capstone

Copy the generated token (you’ll need it in the next step)

Add Gmail Credentials to Jenkins

Go to Jenkins Dashboard → Manage Jenkins → Credentials
Click on (global) and then Add Credentials
Fill in the following:
- Kind: Username with password
- Scope: Global
- Username: Your Gmail address
- Password: The generated Gmail app password
- ID: mail-cred

Click Create

Configure Jenkins Mail Server

Go to Manage Jenkins → Configure System
Scroll to Extended E-mail Notification and fill out:
- SMTP Server: smtp.gmail.com
- SMTP Port: 465
- Credentials: Select mail-cred
- Check Use SSL

Scroll to E-mail Notification section:
- SMTP Server: smtp.gmail.com
- Use SMTP Authentication: ✅
- Username: Your Gmail address
- Password: Your Gmail App Password (recently generated)
- SMTP Port: 465
- Use SSL: ✅

Click Save

🛡️ Make sure ports 465 and 587 are open in the Jenkins server’s security group to allow email traffic.

✅ Test the Email Setup

In the Extended E-mail Notification section, click on Test configuration by sending a test e-mail
Enter a recipient email address
Click Test Configuration

If everything is set up correctly, you should receive an email confirming that the Jenkins email notification system is working! 🎉

Add the Email notification script in the CI pipeline

Add this inside the pipeline but outside the stages block

post {
    always {
        script {
            def jobName = env.JOB_NAME
            def buildNumber = env.BUILD_NUMBER
            def pipelineStatus = currentBuild.result ?: 'UNKNOWN'
            def bannerColor = pipelineStatus.toUpperCase() == 'SUCCESS' ? 'green' : 'red'

            def body = """
                
                    
                        ${bannerColor}; padding: 10px;">
                            ${jobName} - Build #${buildNumber}
                            ${bannerColor}; padding: 10px;">
                                ">Pipeline Status: ${pipelineStatus.toUpperCase()}
                            
                            Check the ${env.BUILD_URL}">Console Output for more details.
                        
                    
                
            """

            emailext(
                subject: "${jobName} - Build #${buildNumber} - ${pipelineStatus.toUpperCase()}",
                body: body,
                to: 'praduman.cnd@gmail.com',
                from: 'praduman.8435@gmail.com',
                replyTo: 'praduman.8435@gmail.com',
                mimeType: 'text/html',
                attachmentsPattern: 'fs-report.html'
            )
        }
    }
}

Now, The email successfully configured and sets up

🚀 Configure the InfraServer

Install Kubectl

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"

sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

kubectl version --client

Update the Kubeconfig File

Connect your Jenkins server to the EKS cluster:

aws eks update-kubeconfig \
  --region us-east-1 \
  --name capstone-cluster

Install `eksctl`

eksctl is a CLI tool that simplifies EKS cluster operations.

curl -sLO "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz"
tar -xzf eksctl_$(uname -s)_amd64.tar.gz
sudo mv eksctl /usr/local/bin

# Verify the installation
eksctl version

Install Helm

Helm is used for managing Kubernetes applications using Helm charts.

sudo apt update && sudo apt upgrade -y
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

Associate IAM OIDC Provider with the Cluster

This step is needed to create service accounts with IAM roles.

eksctl utils associate-iam-oidc-provider \
  --cluster capstone-cluster \
  --region us-east-1 \
  --approve

Create IAM Service Account for EBS CSI Driver

This enables your cluster to dynamically provision EBS volumes.

eksctl create iamserviceaccount \
  --name ebs-csi-controller-sa \
  --namespace kube-system \
  --cluster capstone-cluster \
  --region us-east-1 \
  --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
  --approve \
  --override-existing-serviceaccounts

Deploy EBS CSI Driver

kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/ecr/?ref=release-1.30"

Install NGINX Ingress Controller

This is required for routing external traffic to your services inside Kubernetes:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml

Install Cert-Manager (for TLS Certificates)

Cert-manager helps you manage SSL certificates inside Kubernetes:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.yaml

🔐 Configure RBAC (Role-Based Access Control)

To manage access control and permissions properly in your Kubernetes cluster, we’ll start by creating a dedicated namespace and then apply RBAC policies.

Create a namespace with name webapps
```
  kubectl create ns webapps
```

Create a Service Account

  vim service-account.yaml

add the yaml file & save it

  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: jenkins
    namespace: webapps

  kubectl apply -f service-account.yaml

Create a Role

  vim role.yaml

add the yaml file & save it

  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: jenkins-role
    namespace: webapps
  rules:
    - apiGroups:
          - ""
          - apps
          - networking.k8s.io
          - autoscaling
      resources:
        - secrets
        - configmaps
        - persistentvolumeclaims
        - services
        - pods
        - deployments
        - replicasets
        - ingresses
        - horizontalpodautoscalers
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

  kubectl apply -f role.yaml

Bind the role to service account

  vim role-binding.yaml

add the yaml file & save it

  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: jenkins-rolebinding
    namespace: webapps 
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: jenkins-role 
  subjects:
  - namespace: webapps 
    kind: ServiceAccount
    name: jenkins

  kubectl apply -f role-binding.yaml

Create Cluster role

  vim cluster-role.yaml

add the yaml file & save it

  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: jenkins-cluster-role
  rules:
  - apiGroups: [""]
    resources: 
       - persistentvolumes
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["storage.k8s.io"]
    resources: 
       - storageclasses
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: 
       - clusterissuers
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

  kubectl apply -f cluster-role.yaml

Bind cluster role to Service Account

  vim cluster-role-binding.yaml

add the yaml file & save it

  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: jenkins-cluster-rolebinding
  subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: webapps
  roleRef:
    kind: ClusterRole
    name: jenkins-cluster-role
    apiGroup: rbac.authorization.k8s.io

  kubectl apply -f cluster-role-binding.yaml

Grant Jenkins Access to Kubernetes for Deployments

To allow Jenkins to deploy applications to your EKS cluster, we need to create a service account token and configure it in Jenkins.

Create a Kubernetes Token for Jenkins

Create a secret token that Jenkins will use to authenticate with your Kubernetes cluster.

Run the following command to create and open a token manifest:

vim token.yaml

Paste the following YAML content into the file:

apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: jenkins-secret
  annotations:
    kubernetes.io/service-account.name: jenkins

Apply the secret to the webapps namespace:

kubectl apply -f token.yaml -n webapps

Now, retrieve the token using:

kubectl describe secret jenkins-secret -n webapps | grep token

Copy the generated token.

Add Kubernetes Token to Jenkins

Go to your Jenkins Dashboard → Manage Jenkins → Credentials.
Select the (global) domain and click Add Credentials.
Fill in the fields as follows:
- Kind: Secret text
- Secret: Paste the copied Kubernetes token
- ID: k8s-cred

Click Create.

Install `kubectl` on Jenkins Server

To let Jenkins execute Kubernetes commands, install kubectl on the Jenkins machine:

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"

sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

Verify installation:

kubectl version --client

Setting Up the CD Pipeline in Jenkins

Now that CI is complete, let’s configure the Capstone Continuous Deployment (CD) Pipeline to automatically deploy your application to the Kubernetes cluster.

Step 1: Create a New Pipeline Job

Go to Jenkins Dashboard → New Item
Provide the following details:
- Name: capstone_CD
- Item Type: Select Pipeline
Click OK

Step 2: Configure Build Retention

Check the box "Discard old builds"
Set Max # of builds to keep to 3

This helps conserve resources by keeping only the latest builds.

Step 3: Add the Deployment Pipeline Script

Scroll down to the Pipeline section and paste the following script:

groovyCopyEditpipeline {
    agent any

    stages {
        stage('Git Checkout') {
            steps {
                git branch: 'main', url: 'https://github.com/praduman8435/Capstone-Mega-CD-Pipeline.git'
            }  
        }

        stage('Deploy to Kubernetes') {
            steps {
                withKubeConfig(
                    credentialsId: 'k8s-cred',
                    clusterName: 'capstone-cluster',
                    namespace: 'webapps',
                    restrictKubeConfigAccess: false,
                    serverUrl: 'https://D133D06C5103AE18A950F2047A8EB7DE.gr7.us-east-1.eks.amazonaws.com'
                ) {
                    sh 'kubectl apply -f kubernetes/Manifest.yaml -n webapps'
                    sh 'kubectl apply -f kubernetes/HPA.yaml'
                    sleep 30
                    sh 'kubectl get pods -n webapps'
                    sh 'kubectl get svc -n webapps'
                }
            }  
        }
    }

    post {
        always {
            echo "Pipeline execution completed."
        }
    }
}

Step 4: Save & Run

Click Save
Click Build Now to trigger the pipeline

If everything is set up correctly, Jenkins will pull the deployment manifests from the CD GitHub repository and deploy your app to the webapps namespace in the EKS cluster.

Verifying Kubernetes Resources & Enabling HTTPS with Custom Domain

After setting up the CI/CD pipeline, it’s time to make sure everything is working perfectly and your application is accessible securely over HTTPS with a custom domain.

Step 1: Verify All Resources in the Cluster

On your Infra Server, run:

kubectl get all -n webapps

You should see all your application pods, services, and other resources running successfully. If everything looks good, proceed to the next step.

Step 2: Create a ClusterIssuer Resource for Let’s Encrypt

We'll use Cert-Manager to automatically provision SSL certificates from Let’s Encrypt.

Create a file called cluster-issuer.yaml:

vim cluster-issuer.yaml

Paste the following configuration:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: praduman.cnd@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

Apply the ClusterIssuer:

kubectl apply -f cluster-issuer.yaml

Step 3: Create an Ingress Resource for Your Application

Create an Ingress configuration file:

vim ingress.yaml

Paste the following content:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bankapp-ingress
  namespace: webapps
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - www.capstonebankapp.in
    secretName: bankapp-tls-secret
  rules:
  - host: www.capstonebankapp.in
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: bankapp-service
            port:
              number: 80

Apply the ingress resource:

kubectl apply -f ingress.yaml

Check the status:

kubectl get ing -n webapps

Wait for a few moments, then run the command again. You’ll notice an external load balancer address (usually an AWS ELB) under the ADDRESS column.

Copy the bankapp ingress loadbalancer address

Step 4: Configure Your Custom Domain on GoDaddy

Log in to your GoDaddy account.
Navigate to My Products → DNS Settings for your domain (capstonebankapp.in).
Look for a CNAME record with name www and edit it.
In the Value field, paste the Load Balancer URL you got from the Ingress.
Save the changes.

⏳ Wait a few minutes for the DNS changes to propagate.

Step 5: Access Your Application

Open your browser and visit:

https://www.capstonebankapp.in/login

If everything was configured correctly, your application will now load securely over HTTPS with a valid Let’s Encrypt certificate.

Setup Monitoring with Prometheus & Grafana on EKS

After deploying your application, it's essential to monitor its health, performance, and resource usage. Let’s integrate Prometheus and Grafana into your Kubernetes cluster using Helm.

Add Prometheus Helm Repo

On your Infra Server, add the official Prometheus Community Helm chart repository:

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update

Create `values.yaml` for Custom Configuration

We'll define how Prometheus and Grafana should be deployed, what metrics to scrape, and how to expose the services.

Create a file called values.yaml:

vi values.yaml

Paste the following configuration:

# values.yaml for kube-prometheus-stack

alertmanager:
  enabled: false

prometheus:
  prometheusSpec:
    service:
      type: LoadBalancer
    storageSpec:
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 5Gi
  additionalScrapeConfigs:
    - job_name: node-exporter
      static_configs:
        - targets:
            - node-exporter:9100
    - job_name: kube-state-metrics
      static_configs:
        - targets:
            - kube-state-metrics:8080

grafana:
  enabled: true
  service:
    type: LoadBalancer
  adminUser: admin
  adminPassword: admin123

prometheus-node-exporter:
  service:
    type: LoadBalancer

kube-state-metrics:
  enabled: true
  service:
    type: LoadBalancer

Save and exit the file.

Install Monitoring Stack with Helm

helm upgrade --install monitoring prometheus-community/kube-prometheus-stack -f values.yaml -n monitoring --create-namespace

Patch Services to Use LoadBalancer

(Optional if already configured in values.yaml, but ensures services are exposed)

kubectl patch svc monitoring-kube-prometheus-prometheus -n monitoring -p '{"spec": {"type": "LoadBalancer"}}'
kubectl patch svc monitoring-kube-state-metrics -n monitoring -p '{"spec": {"type": "LoadBalancer"}}'
kubectl patch svc monitoring-prometheus-node-exporter -n monitoring -p '{"spec": {"type": "LoadBalancer"}}'

Check Services & Access Grafana

Get all resources in the monitoring namespace:

kubectl get all -n monitoring
kubectl get svc -n monitoring

You’ll find External IPs assigned to services like Grafana and Prometheus.

➤ Access Grafana

URL: http://
Username: admin
Password: admin123

➤ Access Prometheus

URL: http://:9090
Go to Status → Targets to see what’s being monitored.

Configure Grafana Dashboard

Open the Grafana dashboard.
Go to Connections → Data Sources → Add new.
Search for Prometheus and select it.
In the URL, enter your Prometheus service URL (e.g., http://:9090).
Click Save & Test.

🎯 View Dashboards

Go to Dashboards → Browse.
Explore default dashboards for Node Exporter, Kubernetes metrics, and more.

Now you have real-time observability into your EKS cluster!

✅ Conclusion

In this project, I've successfully built an enterprise-grade CI/CD pipeline from scratch using Jenkins, Kubernetes (EKS), Docker, GitHub, and other DevOps tools, all running on AWS.

I automated the entire workflow:

From building and pushing Docker images in the CI pipeline
To continuously deploying them into a secure, production-ready Kubernetes cluster via CD
With proper ingress routing, TLS certificates, and monitoring in place using Prometheus and Grafana

This setup demonstrates how modern DevOps practices can streamline software delivery and infrastructure management. It not only improves deployment speed but also ensures reliability, scalability, and observability of applications.

💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology

🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub

Ultimate Corporate-Grade DevSecOps Pipeline: Automated Kubernetes Deployment with Security, CI/CD, and Monitoring on AWS

Praduman Prajapati — Tue, 25 Mar 2025 07:02:07 GMT

Introduction 🚀

In today’s fast-paced software development world, automation is the key to delivering high-quality applications efficiently. That’s why enterprises need a robust, scalable, and secure CI/CD pipeline to streamline development, testing, and deployment.

This project is all about building the Ultimate Corporate-Grade CI/CD Pipeline—a fully automated, production-ready pipeline that follows DevSecOps best practices and is designed to work with Kubernetes on AWS.

What This Pipeline Covers?

✅ Kubernetes Cluster Setup – Using kubeadm to configure a highly available Kubernetes cluster on AWS EC2.
✅ Code Integration & Testing – Automating builds, tests, and security scans.
✅ Containerization & Orchestration – Using Docker and Kubernetes (EKS) for scalability.
✅ Automated Deployments – Implementing GitOps with ArgoCD for zero-downtime releases.
✅ Security & Compliance – Integrating Trivy, SonarQube, and Prometheus for DevSecOps.
✅ Observability & Monitoring – Setting up Grafana & Prometheus for real-time insights.

Why This Matters?

🔹 Enterprise-Grade Reliability – Built for scalability, high availability, and security.
🔹 Faster Releases – Automates everything from code commit to production deployment.
🔹 Cost-Effective – Optimized for AWS, reducing operational overhead.

By the end of this project, we’ll have a bulletproof CI/CD pipeline, complete with a Kubernetes cluster set up using kubeadm, ensuring a fully automated and secure software delivery process. Let’s dive in! 🚀

Source Code and Project Repository 📌

https://github.com/praduman8435/Boardgame

🚀 Setting Up Your Kubernetes Cluster with Kubeadm

🔒 Configure AWS Security Group

Before deploying Kubernetes on AWS, you need to configure security groups to control inbound and outbound traffic. Security groups act as a firewall, ensuring that only necessary connections are allowed while keeping your cluster protected.

You can either create a new security group or modify an existing one with the essential rules listed below:

📌 Essential Security Group Rules for Kubernetes

Port(s)	Purpose	Use Case
30000-32767	NodePort Access	Expose apps without Ingress
465, 25	SMTP (Secure & Standard)	Email notifications
22 (Use with caution)	SSH Access	Remote troubleshooting
443, 80	HTTPS & HTTP	Secure and standard web traffic
6443	Kubernetes API Server	kubectl, CI/CD tools, ArgoCD
10250-10259	Internal Kubernetes Communication	Control plane ↔ Worker nodes
2379-2380	etcd Communication	Stores cluster data
3000-10000	App-Specific Traffic	Databases, Prometheus, Grafana
53	Cluster DNS (CoreDNS)	Internal service discovery
8285, 8286, 5473	Flannel
4789	Calico
6783-6784	CNI Networking	Enables pod communication

✅ Best Practices

Follow Least Privilege: Only open the ports your cluster needs.
Restrict SSH Access: Limit port 22 to specific IPs to enhance security.
Secure API Server: Only allow trusted IPs for port 6443 to prevent unauthorized access.

Once your security groups are configured, you're now ready to initialize your Kubernetes cluster using Kubeadm! 🎯

🖥️ Create Virtual Machines (EC2 Instances) for the Cluster

To set up a Kubernetes cluster on AWS, you need to create three EC2 instances:

One Master Node (Control Plane): Manages the cluster, schedules workloads, and maintains the desired state.
Two Worker Nodes: Run application workloads and handle deployments.

🔧 Step 1: Launch EC2 Instances

Open the AWS Console and navigate to the EC2 Dashboard.
Click Launch Instance to create virtual machines.

⚙️ Step 2: Configure the Instances

Set the number of instances → 3 (1 Master + 2 Workers).
Choose Amazon Machine Image (AMI) → Latest Ubuntu AMI (recommended for Kubernetes).
Select an instance type → t2.xlarge
Assign Security Group → Use the previously configured security group to allow necessary traffic.
Set Storage → Minimum 30GB (for Kubernetes components, logs, and workloads).
Click Launch Instance to provision the virtual machines.

🏷️ Step 3: Naming the Instances

For easy identification, name your instances as follows:

🖥️ ControlPlane → Master Node
📦 WorkerNode1 → First Worker Node
📦 WorkerNode2 → Second Worker Node

Connecting to EC2 Instances via SSH

Once your EC2 instances are running, connect to them using SSH

Connect to the Control Plane Node

ssh -i  ubuntu@

Connect to Worker Nodes

ssh -i  ubuntu@
ssh -i  ubuntu@

🔹 Replace:

→ Your private key file path
→ The public IP address of each instance

Once your instances are up and running, you're ready to initialize the Kubernetes cluster with Kubeadm! 🚀

🔧 Updating and Installing Kubernetes on All Nodes

Before initializing your Kubernetes cluster, it's crucial to update your virtual machines, configure system settings, and install essential dependencies. This ensures a stable, secure, and well-optimized Kubernetes environment across all nodes.

Step 1: Disable Swap

Kubernetes requires swap to be disabled for optimal performance. Run the following commands on each node:

swapoff -a
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

This disables swap immediately and ensures it remains disabled after a reboot.

Step 2: Enable IP Forwarding and Allow Bridged Traffic

To enable proper Kubernetes networking, configure IP forwarding and iptables:

cat <


Now, set up required system parameters and apply them:
cat <

✅ Verification
Ensure the necessary modules are loaded
lsmod | grep br_netfilter
lsmod | grep overlay

Check if system variables are correctly set
sysctl net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward

Step 3: Update System Packages
Keeping your system updated ensures compatibility with the latest Kubernetes components. Run the following command on all nodes
sudo apt update && sudo apt upgrade -y

Step 4: Install Container Runtime (containerd)
Kubernetes requires a container runtime to manage containers. We'll use containerd

Install containerd


curl -LO https://github.com/containerd/containerd/releases/download/v1.7.14/containerd-1.7.14-linux-amd64.tar.gz
sudo tar Cxzvf /usr/local containerd-1.7.14-linux-amd64.tar.gz


Set up containerd as a service


curl -LO https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
sudo mkdir -p /usr/local/lib/systemd/system/
sudo mv containerd.service /usr/local/lib/systemd/system/
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml


Enable systemd as the cgroup driver


sudo sed -i 's/SystemdCgroup \= false/SystemdCgroup \= true/g' /etc/containerd/config.toml


Restart containerd and verify its status


sudo systemctl daemon-reload
sudo systemctl enable --now containerd
systemctl status containerd

Step 5: Install runc (Container Runtime Interface - CRI)
runc is required to run containers inside containerd. Install it using
curl -LO https://github.com/opencontainers/runc/releases/download/v1.1.12/runc.amd64
sudo install -m 755 runc.amd64 /usr/local/sbin/runc


Step 6: Install CNI (Container Network Interface) Plugins
CNI plugins allow pod-to-pod communication within the cluster. Install them with
curl -LO https://github.com/containernetworking/plugins/releases/download/v1.5.0/cni-plugins-linux-amd64-v1.5.0.tgz
sudo mkdir -p /opt/cni/bin
sudo tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.5.0.tgz

Step 7: Install Required Dependencies
Install essential tools for secure communication and package management
sudo apt install -y apt-transport-https ca-certificates curl gpg
sudo mkdir -p -m 755 /etc/apt/keyrings


Step 8: Install Kubernetes Components

Add the Kubernetes repository key and repository


curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg

echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list



Update the package list


sudo apt update


Install Kubernetes Tools (kubeadm, kubelet, kubectl)


sudo apt-get install -y kubelet=1.29.6-1.1 kubeadm=1.29.6-1.1 kubectl=1.29.6-1.1 --allow-downgrades --allow-change-held-packages



Prevent accidental updates that could break the cluster


sudo apt-mark hold kubeadm kubelet kubectl


Step 9: Configure crictl to Work with containerd
Set up crictl (a tool for interacting with container runtimes) to use containerd
sudo crictl config runtime-endpoint unix:///var/run/containerd/containerd.sock

🎯 Your Kubernetes Cluster is Ready for Initialization! 🚀

With all nodes updated and configured, your Kubernetes cluster is now ready for initialization using kubeadm in the next step!

🚀 Initializing the Kubernetes Cluster (Master Node Only)
Now that Kubernetes is installed on all nodes, it's time to initialize the cluster on the master node (Control Plane). This process sets up the control plane and defines the pod network, which is essential for communication between pods.
Step 1: Initialize the Kubernetes Control Plane
On the master node, run the following command to start the Kubernetes cluster:
sudo kubeadm init --pod-network-cidr=192.168.0.0/16 --apiserver-advertise-address= --node-name controlplane


🔹 Replace  with the actual private IP of your Control Plane instance.
🔹 The --pod-network-cidr=192.168.0.0/16 flag specifies the pod network range.

Network CNI Options:

Calico: 192.168.0.0/16 (default in this example)

Flannel: 10.244.0.0/16

Cilium: 10.217.0.0/16



✅ This command does the following:

Sets up the Kubernetes control plane

Defines the pod network for inter-pod communication

Generates a join command to add worker nodes to the cluster


Step 2: Save the Worker Node Join Command
Once initialization is complete, Kubernetes will generate a command similar to this
sudo kubeadm join :6443 --token  --discovery-token-ca-cert-hash sha256:<hash>


Copy and save this command—you will need it to connect worker nodes later.

Step 3: Configure kubectl on the Master Node
To start using Kubernetes, configure kubectl with the admin credentials
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config



This allows you to run kubectl commands without root privileges.

Verify that the Control Plane is Running
kubectl get nodes


The master node should appear as NotReady—this is expected until a network plugin is installed.

Step 4: Deploy a Network Plugin (CNI)
Kubernetes requires a Container Network Interface (CNI) to enable pod-to-pod communication. Choose a networking solution and apply the corresponding configuration.
Install Calico (Recommended for Production)
Calico provides robust networking and security policies for Kubernetes clusters.
Run the following commands on the master node
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/tigera-operator.yaml
curl -O https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/custom-resources.yaml
kubectl apply -f custom-resources.yaml


This enables networking between pods across all nodes.

Verify Calico Installation
kubectl get pods -n calico-system

Step 5: Deploy the NGINX Ingress Controller
To manage external access to services inside the cluster, deploy the NGINX Ingress Controller:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml

🎯 Your Kubernetes Control Plane is Ready! 🚀

At this point:

The control plane is up and running.

Networking is configured, allowing pods to communicate.

Ingress controller is deployed for external access.



🚀 Joining Worker Nodes to the Kubernetes Cluster
After setting up the control plane, the next step is to add worker nodes to the cluster. This allows them to host workloads and be managed by the master node.
Step 1: Join the Worker Nodes
Run the following command on each worker node to connect them to the Kubernetes cluster
sudo kubeadm join 172.31.38.39:6443 --token  \
    --discovery-token-ca-cert-hash sha256:




Replace  and  with the values generated during kubeadm init.

✅ This command does the following:

Connects worker nodes to the Kubernetes control plane.

Allows the master node to schedule and manage workloads on worker nodes.


Once executed on all worker nodes, your Kubernetes cluster will be fully formed! 🎉
Step 2: Verify the Cluster Setup
To ensure that all nodes are properly connected, run the following command on the master node
kubectl get nodes


If everything is working correctly, you should see all three nodes (one master, two workers) in a Ready state.

Step 3: Verify All Pods Are Running
Check if all cluster components and networking pods are operational
kubectl get pods -A


✔ If all pods are running correctly, your cluster is now stable.

If some Calico pods are not running, follow the troubleshooting steps below.

Step 4: Disable Source/Destination Checks (AWS Only)
AWS enforces Source/Destination Checks, which can interfere with Kubernetes networking, especially when using Calico, Flannel, or Cilium CNIs.
To disable this check on all nodes (master + workers):

Go to AWS EC2 Dashboard → Instances

Select all Kubernetes nodes (master & workers)

Click Actions → Networking → Change Source/Destination Check

Select Disable and confirm ✅



🔍 Why Disable Source/Destination Checks?

Kubernetes networking often involves asymmetric routing (packets leave from one interface but return through another).

AWS blocks asymmetric routing by default, which breaks pod communication.

Disabling this allows proper routing across nodes.


Step 5: Allow Bidirectional Traffic on TCP Port 179 (Calico CNI Only)
If using Calico CNI, you need to allow BGP (Border Gateway Protocol) traffic between nodes on TCP port 179.
Configure Security Group Rules

Go to AWS EC2 Dashboard → Security Groups

Find the security group attached to your Kubernetes nodes

Click on Inbound Rules → Edit Inbound Rules → Add Rule



Type: Custom TCP Rule

Protocol: TCP

Port Range: 179

Source:

0.0.0.0/0 (not recommended for production)

OR Your VPC CIDR (e.g., 10.0.0.0/16)





Click Save Rules ✅

Now, edit Outbound Rules:



Click Outbound Rules → Edit Outbound Rules → Add Rule

Type: Custom TCP Rule

Protocol: TCP

Port Range: 179

Destination:

0.0.0.0/0 (for all hosts)

OR Your VPC CIDR (for internal traffic)




6️⃣ Click Save Rules ✅
🎯 Final Step: Verify Everything is Running
Run the following command again to ensure that all pods are running successfully:
kubectl get pods -A


🎉 Congratulations! Your Kubernetes Cluster is Now Fully Functional and Ready for Workloads! 🚀

Your Kubernetes cluster is now complete with a fully operational control plane and worker nodes. You’re now ready to deploy applications and manage workloads effectively.

🔒 Perform a Security Audit Using Kubeaudit
To ensure the security of your Kubernetes cluster, use Kubeaudit—a security auditing tool developed by Shopify. It helps identify misconfigurations, security vulnerabilities, and best practice violations in your cluster.
Step 1: Install Kubeaudit on Ubuntu
Run the following commands on your control plane (master node)
wget https://github.com/Shopify/kubeaudit/releases/download/v0.22.2/kubeaudit_0.22.2_linux_amd64.tar.gz
tar -xzf kubeaudit_0.22.2_linux_amd64.tar.gz  # Extract the tar.gz file
sudo mv kubeaudit /usr/local/bin/             # Move the binary to a system path
rm kubeaudit_0.22.2_linux_amd64.tar.gz        # Cleanup the tar.gz file
kubeaudit version                             # Verify installation


This will install Kubeaudit and verify that it's correctly set up.

Step 2: Scan the Cluster for Security Issues
Run the following command to audit the cluster and check for security misconfigurations
kubeaudit all

📌 What does this command do?

Scans all Kubernetes objects for security vulnerabilities

Detects misconfigurations in RBAC, PodSecurity, and container settings

Provides remediation steps to fix issues



🛠 Setup SonarQube and Nexus Server
To implement code quality analysis (SonarQube) and artifact management (Nexus Repository Manager) in your CI/CD pipeline, follow these steps.
Launch EC2 Instances for SonarQube and Nexus

Go to AWS Console → Click Launch an Instance

Configure two EC2 instances:

AMI: Ubuntu

Instance Type: t2.medium
  

Storage: 20 GiB or more
  

Number of Instances: 2
  



Click Launch Instance

Rename instances to:

SonarQube

Nexus




    
Connect to Instances via SSH
Connect to each instance from your terminal:
ssh -i  ubuntu@

Once connected, update the system:
sudo apt update

Install Docker on Both Servers
Step 1: Install Dependencies
sudo apt-get update
sudo apt-get install -y ca-certificates curl

Step 2: Add Docker's Official GPG Key
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

Step 3: Add the Docker Repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt-get update


Step 4: Install Docker
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin


Step 5: Allow Docker Without sudo
sudo chmod 666 /var/run/docker.sock

Deploy SonarQube on the SonarQube Server
Run the following command on the SonarQube EC2 instance
docker run -d --name sonar -p 9000:9000 sonarqube:lts-community



Access SonarQube Dashboard
📌 Open your browser and go to:
http://:9000
Default Credentials

Username: admin

Password: admin




After logging in, update the default password for security



Deploy Nexus on the Nexus Server
Run this command on the Nexus EC2 instance:
docker run -d --name nexus -p 8081:8081 sonatype/nexus3



Access Nexus Dashboard
📌 Open your browser and go to: http://:8081

Retrieve Admin Password
To log in, first find the default admin password:
docker exec -it nexus /bin/bash
cat sonatype-work/nexus3/admin.password


Use this admin password to log in.

Username: admin

Password: (from the above command)



Set a new password and enable anonymous access if needed.


Configure Nexus Repository in pom.xml

Go to Nexus Web UI

Click Browse → Look for:

Maven Releases
  

Maven Snapshots
  



Copy the repository URL

Add it to your project's pom.xml file:



    
        nexus-releases
        http://:8081/repository/maven-releases/
    
    
        nexus-snapshots
        http://:8081/repository/maven-snapshots/
    



🎯 Final Verification

Check if SonarQube is Running:
 docker ps | grep sonar


You should see the sonarqube container running.


Check if Nexus is Running:
 docker ps | grep nexus


You should see the nexus container running.


Test SonarQube Web Access:
 Open: http://:9000

Test Nexus Web Access:
 Open: http://:8081


🎉 SonarQube and Nexus Are Now Set Up! 🚀

SonarQube is ready for code quality analysis

Nexus is ready for artifact storage



🚀 Set Up Jenkins Server on AWS
Jenkins is a powerful automation server widely used for CI/CD pipelines. This guide will help you set up Jenkins on an AWS EC2 instance, install necessary dependencies, and configure it for seamless use.
Launch an EC2 Instance for Jenkins

Go to AWS Console → Click Launch an Instance
 

Configure the instance:

Name: Jenkins Server

AMI: Ubuntu (latest LTS recommended)
  

Instance Type: t2.large (At least 2 vCPUs and 8 GB RAM for smooth builds)
  

Storage: 30 GiB (Jenkins jobs & artifacts require storage)

Number of Instances: 1



Click Launch Instance
 

Once running, copy the public IP of the Jenkins instance from the AWS Console.


Connect to the Jenkins Server via SSH
Use SSH to connect from your local machine:
ssh -i  ubuntu@

Replace  with your private key path and  with your instance's public IP.
Update the System
To ensure the latest security patches and package versions, run:
sudo apt update && sudo apt upgrade -y

Install Jenkins
Step 1: Install Java (Required for Jenkins)
sudo apt install -y openjdk-17-jdk-headless

Step 2: Install Jenkins Using Official Repository
# Add Jenkins repository key
sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
  https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key

# Add Jenkins repository to sources list
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
  https://pkg.jenkins.io/debian-stable binary/" | sudo tee \
  /etc/apt/sources.list.d/jenkins.list > /dev/null

# Update package lists and install Jenkins
sudo apt-get update
sudo apt-get install -y jenkins

Step 3: Start & Verify Jenkins Service
sudo systemctl start jenkins
sudo systemctl enable jenkins
sudo systemctl status jenkins

Install Docker (for Running Jenkins Builds in Containers)
Step 1: Install Dependencies
sudo apt-get install -y ca-certificates curl

Step 2: Add Docker’s Official GPG Key
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

Step 3: Add Docker Repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
  https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Step 4: Install Docker
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Step 5: Allow Jenkins to Use Docker Without sudo
sudo chmod 666 /var/run/docker.sock

Install kubectl (for Kubernetes Integration)
Run the following command on the Jenkins server:
curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.19.6/2021-01-05/bin/linux/amd64/kubectl
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin
kubectl version --short --client


Access Jenkins Web Interface
Jenkins runs on port 8080 by default.
📌 Open your browser and visit: http://:8080

Retrieve Initial Admin Password
Run this command:
sudo cat /var/lib/jenkins/secrets/initialAdminPassword


Copy the admin password and paste it into the Jenkins web interface.
Jenkins Setup Wizard

Install Suggested Plugins (Recommended for most setups).
 
 
 

Create an Admin User (Set username, password, and email).
 

Start Using Jenkins 🎉
 


Install Required Jenkins Plugins
To enhance CI/CD functionality, install these plugins:
Step 1: Navigate to Plugin Manager

Manage Jenkins → Manage Plugins → Available Plugins
  


Step 2: Install the Following Plugins

Eclipse Temurin Installer (Installs required Java versions)

Config File Provider (Manages configuration files for builds)

Pipeline Maven Integration (For running Maven builds inside pipelines)

SonarQube Scanner (For static code analysis integration)

Docker (Integrates Docker with Jenkins)

Docker Pipeline (Allows defining Docker containers in pipelines)

Kubernetes (For running Jenkins on Kubernetes)

Kubernetes CLI (Provides kubectl inside Jenkins)

Kubernetes Credentials (Manages Kubernetes authentication)

Kubernetes Client API (Allows Jenkins to interact with Kubernetes clusters)

Maven Integration (For building Java projects)




Click Install and wait for the installation to complete.


🎯 Final Verification

Check Jenkins Service

sudo systemctl status jenkins


You should see "active (running)" status.


Check Docker Installation

docker --version


It should display the installed Docker version.


Check kubectl Installation

kubectl version --short --client


It should show the Kubernetes client version.


Test Jenkins Web Access
 Open: http://:8080

🎉 Jenkins is Now Fully Set Up on AWS! 🚀

Jenkins is installed & running

Docker is set up for containerized builds

kubectl is installed for Kubernetes integration

Essential plugins are installed



Start Creating CI/CD Pipelines! 🚀
Jenkins is now fully set up! You can start creating Jenkins Pipelines to automate builds, tests, and deployments for your applications.
Step 1: Configure Essential Tools in Jenkins
1. Install Required Plugins
Install JDK

Navigate to Manage Jenkins → Tools
  

Under JDK, click Add JDK

Name: jdk17

Check Install automatically

Installer: adoptium.net

Version: jdk-17



Install SonarQube Scanner

Under SonarQube Scanner, click Add SonarQube Scanner

Name: sonar-scanner

Check Install automatically

Choose the latest version



Install Maven

Under Maven, click Add Maven

Name: maven3

Check Install automatically

Choose the latest version



Install Docker

Under Docker, click Add Docker

Name: docker

Check Install automatically

Installer: Download from docker.com




Once these tools are set up, you are ready to create a pipeline.

Step 2: Create a Jenkins Pipeline
A Jenkins pipeline automates the software development lifecycle, including building, testing, and deploying applications.
1. Access Jenkins Dashboard

Log in to Jenkins using your browser.

On the Jenkins Dashboard, click New Item to create a new job.


2. Define Pipeline Details

Enter an Item Name (Example: BoardGame).

Select Item Type → Choose Pipeline.
  

Click OK to proceed.


3. Add GitHub Token in Jenkins Credentials

Go to Jenkins Dashboard → Manage Jenkins → Credentials.
  

Click on global → Add Credentials.
  
  

Fill the details:

Kind: Username & Password

Scope: Global

Username: GitHub username

Password: Personal Access Token from GitHub

ID: git-cred




    

Click Create.

4. Install Trivy on the Jenkins Instance
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy -y


5. Add SonarQube Credentials in Jenkins

Go to SonarQube Server → Administration → Security → Users.
  
  

Update the token.

Set a name and expiry date of the token and click on generate.
  

Go to Jenkins Dashboard → Manage Jenkins → Credentials.

Click global → Add new Credential.

Kind: Secret text

Scope: Global

Secret: 

ID: sonar-token
  

Click Create.


6. Set Up SonarQube Server in Jenkins

Go to Jenkins Dashboard → Manage Jenkins → System.
  

Click Add SonarQube:

Name: sonar

Server URL: :9000

Authentication Token: sonar-token




    

Apply and Save.

7. Configure SonarQube Webhook

Go to SonarQube Server → Administration → Configuration → Webhook.
  

Create a new webhook:

URL: :8080/sonarqube-webhook
  



Click Create.


8. Add Nexus Repository Credentials

Go to Jenkins Dashboard → Manage Jenkins → Managed files.
  

Add a new config: Global Maven settings.xml.
  

ID: global-settings.
  

In the content section, update :
  
      maven-releases
      nexus-username
      nexus-password
  
  
      maven-snapshots
      nexus-username
      nexus-password
  

  
  

Click Submit.
  


9. Add DockerHub Credentials

Go to Jenkins Dashboard → Manage Jenkins → Credentials.

Click global → Add Credential.
  
  

Kind: Username with Password

Scope: Global

Username: DockerHub-username

Password: DockerHub-password

ID: docker-cred
  

Click Create.


10. Create a Kubernetes Service Account
Create Namespace
kubectl create ns webapps


Create Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
   name: jenkins
   namespace: webapps


kubectl apply -f svcacc.yaml


11. Create a Role using in kubernetes cluster

create a role.yaml configuration file
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: app-role
    namespace: webapps
  rules:
    - apiGroups:
          - ""
          - apps
          - autoscaling
          - batch
          - extensions
          - policy
          - rbac.authorization.k8s.io
      resources:
        - pods
        - secrets
        - componentstatuses
        - configmaps
        - daemonsets
        - deployments
        - events
        - endpoints
        - horizontalpodautoscalers
        - ingress
        - jobs
        - limitranges
        - namespaces
        - nodes
        - pods
        - persistentvolumes
        - persistentvolumeclaims
        - resourcequotas
        - replicasets
        - replicationcontrollers
        - serviceaccounts
        - services
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]


create the role using the command
  kubectl apply -f role.yaml




12. Bind Role to Service Account

create a bind.yaml configuration file
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: app-rolebinding
    namespace: webapps 
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: app-role 
  subjects:
  - namespace: webapps 
    kind: ServiceAccount
    name: jenkins


create the rolebinding using the command
  kubectl apply -f bind.yaml




13. Create Kubernetes Secret for Jenkins

Create a secret resource configuration file: secrets.yaml
  apiVersion: v1
  kind: Secret
  metadata:
     name: mysecretname
     annotations:
        kubernetes.io/service-account.name: jenkins
  type: kubernetes.io/service-account-token


Create secret using the kubectl command
  kubectl apply -f secrets.yaml -n webapps

  

Get the token to connect to jenkins and copy that
  kubectl describe secret mysecretname -n webapps

  

Copy the token and add it to Jenkins Credentials.

Add the token in the jenkins credentials

Go to Jenkins Dashboard → Manage Jenkins → Credentials

Click on Global and Add a new credential

Kind: secret text

scope: global

secret: token-that-you-copied

ID: k8s-cred




    
Step 3: Configure Mail Notification
1. Generate Gmail App Password

Search for App Password on any browser.
  

Create a new App password with the name: Jenkins.
  

Copy the generated token.


2. Add Gmail Credentials to Jenkins

Go to Jenkins Dashboard → Manage Jenkins → Credentials.

Click on Global and add a new credential:

Kind: Username with password

Scope: Global

Username: your-gmail

Password: generated token

ID: mail-cred




    
3. Configure Mail Server in Jenkins

Go to Jenkins Dashboard → Manage Jenkins → System.

Search for Extended E-mail Notification.
  

Fill in the details:

SMTP server: smtp.gmail.com

SMTP port: 465

Credentials: Choose mail-cred

Check Use SSL



Find the E-mail Notification section and configure
  

SMTP server: smtp.gmail.com

SMTP port: 465

Check Use SSL

Check Use SMTP Authentication

Username: email ID

Password: copied app token




    

Save the changes.

Step 4: Create a Jenkins Pipeline
A Jenkins pipeline automates the software development lifecycle, including building, testing, and deploying applications.
1. General Settings

Check Discard Old Builds to limit stored build history.

Configure:

Max builds to keep: 10

Max days to keep builds: 30




    
    
2. Define the Pipeline Script
pipeline {
    agent any

    tools{
        jdk 'jdk17'
        maven 'maven3'
    }
    environment {
        SCANNER_HOME= tool 'sonar-scanner'
    }

    stages {
        stage('Git Checkout') {
            steps {
                git credentialsId: 'git-cred', url: 'https://github.com/praduman8435/Boardgame.git'
            }
        }
        stage('Compile') {
            steps {
                sh "mvn compile"
            }
        }
        stage('Test') {
            steps {
                sh "mvn test"
            }
        }
        stage('File System Scan') {
            steps {
                sh "trivy fs --format table -o trivy-fs-report.html ."
            }
        }
        stage('Code Quality Analysis') {
            steps {
                withSonarQubeEnv('sonar') {
                    sh ''' $SCANNER_HOME/bin/sonar-scanner -Dsonar-projectName=BoardGame -Dsonar.projectKey=BoardGame \
                            -Dsonar.java.binaries=. '''
                }
            }
        }
        stage('Quality Gate') {
            steps {
                script {
                    waitForQualityGate abortPipeline: false, credentialsId: 'sonar-token'
                }
            }
        }
        stage('Build') {
            steps {
                sh "mvn package"
            }
        }
        stage('Publish Artifacts to Nexus') {
            steps {
                withMaven(globalMavenSettingsConfig: 'global-settings', jdk: 'jdk17', maven: 'maven3', mavenSettingsConfig: '', traceability: true) {
                    sh "mvn deploy"
                }
            }
        }
        stage('Build & Tag Docker Image') {
            steps {
                script {
                    withDockerRegistry(credentialsId: 'docker-cred', toolName: 'docker') {
                        sh "docker build -t thepraduman/boardgame:latest ."
                    }
                }
            }
        }
        stage('Docker Image Scan') {
            steps {
                sh "trivy image --format table -o trivy-image-report.html  thepraduman/boardgame:latest"
            }
        }
        stage('Push Docker Image') {
            steps {
                script {
                    withDockerRegistry(credentialsId: 'docker-cred', toolName: 'docker') {
                        sh "docker push thepraduman/boardgame:latest"
                    }
                }
            }
        }
        stage('Deploy to k8s') {
            steps {
                withKubeConfig(caCertificate: '', clusterName: 'kubernetes', contextName: '', credentialsId: 'k8s-cred', namespace: 'webapps', restrictKubeConfigAccess: false, serverUrl: 'https://172.31.39.125:6443') {
                    sh "kubectl apply -f k8s-manifest"
                }
            }
        }
        stage('Verify the deployment') {
            steps {
                withKubeConfig(caCertificate: '', clusterName: 'kubernetes', contextName: '', credentialsId: 'k8s-cred', namespace: 'webapps', restrictKubeConfigAccess: false, serverUrl: 'https://172.31.39.125:6443') {
                    sh "kubectl get pods -n webapps"
                    sh "kubectl get svc -n webapps"
                }
            }
        }
    }
}

3. Build the Pipeline

Click on Build Now to build the pipeline



Check the SonarQube Dashboard



Setup Monitoring (Prometheus & Grafana)
Create an EC2 Instance for Monitoring

Go to AWS console and launch an EC2 instance.
 

Instance Name: Monitoring

AMI: Ubuntu
 

Instance Type: t2.large
 

Key-Pair: Create a new key-pair or use an existing one.

Security Group: Use the previously created one.

Storage: 20 GiB
 

Click Launch Instance.


SSH into the Monitoring Server

Copy the public IP of the monitoring server.
 

Connect via SSH from your local machine:
 ssh -i  ubuntu@


Update the server:
 sudo apt update



Install Prometheus

Download Prometheus:
 wget https://github.com/prometheus/prometheus/releases/download/v3.2.1/prometheus-3.2.1.linux-amd64.tar.gz

 

Extract the tar file:
 tar -xvf prometheus-3.2.1.linux-amd64.tar.gz

 

Navigate to the Prometheus directory:
 cd prometheus-3.2.1.linux-amd64

 

Run Prometheus in the background:
 ./prometheus &

 

Access Prometheus at:
 http://:9090

 


Install Grafana

Install dependencies:
 sudo apt-get install -y adduser libfontconfig1 musl


Download and install Grafana:
 wget https://dl.grafana.com/enterprise/release/grafana-enterprise_11.5.2_amd64.deb
 sudo dpkg -i grafana-enterprise_11.5.2_amd64.deb

 

Start Grafana:
 sudo systemctl start grafana-server


Access Grafana at:
 http://:3000

 

Default credentials:

Username: admin

Password: admin (Change it after logging in)




    
Install Blackbox Exporter

Download Blackbox Exporter:
 wget https://github.com/prometheus/blackbox_exporter/releases/download/v0.26.0/blackbox_exporter-0.26.0.linux-amd64.tar.gz

 

Extract the tar file:
 tar -xvf blackbox_exporter-0.26.0.linux-amd64.tar.gz

 

Navigate to the directory:
 cd blackbox_exporter-0.26.0.linux-amd64


Run Blackbox Exporter:
 ./blackbox_exporter &

 

Access at:
 http://:9115

 


Configure Prometheus

Edit prometheus.yml:
 vim prometheus.yml


Add Blackbox Exporter job:
 - job_name: 'blackbox'
   metrics_path: /probe
   params:
     module: [http_2xx]  # Look for a HTTP 200 response.
   static_configs:
     - targets:
       - http://prometheus.io    # Target to probe with http.
       - https://prometheus.io   # Target to probe with https.
       - http://example.com:8080 # Target to probe with http on port 8080.
   relabel_configs:
     - source_labels: [__address__]
       target_label: __param_target
     - source_labels: [__param_target]
       target_label: instance
     - target_label: __address__
       replacement: 127.0.0.1:9115  # The blackbox exporter's real hostname:port.


Restart Prometheus:
 pgrep prometheus

 kill 

 ./prometheus &


Check Prometheus Dashboard → Status → Target.
 


Add Prometheus as DataSource in Grafana

Go to Grafana Dashboard.

Click Data Sources under Connections.
 

Search and select Prometheus.
 

Add a new data source and enter the Prometheus server URL.
 

Click Save & Test.


Import Grafana Dashboard

Go to Grafana Home Page.

Click + (Add) → Import Dashboard.
 

Enter 7587 as the dashboard ID and click Load.
 

Select Prometheus as the data source and click Import.
 


Install Prometheus Plugin on Jenkins

Go to Jenkins Dashboard → Manage Jenkins → Plugins.

Search for Prometheus and install it.
 

Restart Jenkins.


Install Node Exporter on Monitoring Server

Download Node Exporter:
 wget https://github.com/prometheus/node_exporter/releases/download/v1.9.0/node_exporter-1.9.0.linux-amd64.tar.gz

 

Extract the tar file:
 tar -xvf node_exporter-1.9.0.linux-amd64.tar.gz

 

Navigate to the directory:
 cd node_exporter-1.9.0.linux-amd64/

 

Run Node Exporter:
 ./node_exporter &

 

Access at:
 http://:9100

 


Configure Prometheus for Jenkins

Go to Jenkins Dashboard → Manage Jenkins → System
 

search for prometheus section
 

Check if other things required or leave it default and save it


Edit the prometheus.yml file in monitoring server

Edit prometheus.yml:
 vim prometheus.yml


Add the following jobs:
 - job_name: node
   static_configs:
     - targets: [':9100']
 - job_name: jenkins
   metrics_path: '/prometheus'
   static_configs:
     - targets: [':8080']


Restart Prometheus:
 pgrep prometheus

 kill 

 
 ./prometheus &

 

Verify in Prometheus → Status → Target Health.
 


Import Node Exporter Dashboard in Grafana

Go to Grafana Dashboard → Import.
 

Enter ID: 1860 and click Load.
 

Select Prometheus as the data source and import.
 



Monitoring setup with Prometheus, Grafana, and Jenkins is now complete! 🚀

Enjoyed the post? to support my writing!

Conclusion
This project covered the complete setup of a DevSecOps pipeline, from infrastructure provisioning to CI/CD automation, security, and monitoring. We deployed a Kubernetes cluster on AWS, automated deployments using Jenkins, Terraform, and ArgoCD, and integrated security tools like Trivy and SonarQube. For monitoring, we set up Prometheus and Grafana along with Node Exporter and Blackbox Exporter. By combining these tools, we built a secure, automated, and scalable environment that ensures smooth deployments, security compliance, and real-time monitoring.


💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub



Ultimate DevSecOps Project: End-to-End Kubernetes Three-Tier Deployment on AWS EKS with ArgoCD, Prometheus, Grafana & Jenkins
Praduman Prajapati — Thu, 06 Mar 2025 16:57:06 GMT
Introduction: Why DevSecOps?
In today’s fast-paced tech world, speed and security go hand in hand. You can’t just build and deploy apps quickly—you need to keep them secure from day one. That’s where DevSecOps comes in! It blends development, security, and operations into one seamless process, ensuring that security is baked into every stage of the pipeline instead of being an afterthought.
This Ultimate DevSecOps Project is all about deploying a three-tier application on AWS EKS with a fully automated CI/CD pipeline. The goal? To make sure every piece of code is secure, high-quality, and production-ready before it even goes live.

What’s Inside This Project?
We’ll be using some of the best DevSecOps tools out there to make this happen:
✅ Jenkins – Automates the entire CI/CD pipeline.
✅ SonarQube & OWASP Dependency-Check – Keep the code clean, secure, and compliant.
✅ Trivy – Scans container images for security vulnerabilities before deployment.
✅ Terraform – Automates infrastructure setup on AWS.
✅ ArgoCD – Ensures Kubernetes deployments stay in sync with Git (GitOps).
✅ Prometheus & Grafana – Provide real-time monitoring and insights.
By the end of this project, you’ll have a fully functional, security-first DevSecOps pipeline that not only deploys applications but also keeps them safe, scalable, and efficient.
🚀 Ready to dive in? Let’s build something amazing!

Source Code & Repository 👇
You can find the source code for this project here:
https://github.com/praduman8435/DevSecOps-in-Action/
 

Step 1: Set Up a Jenkins Server on AWS EC2
1. Log in to AWS and Launch an EC2 Instance

Go to the AWS Console.

Navigate to EC2 (Elastic Compute Cloud).

Click Launch Instance to create a new virtual machine.



2. Configure the EC2 Instance

AMI (Amazon Machine Image): Choose Ubuntu Server.


  Instance Type: Select t2.2xlarge (8 vCPUs, 32GB RAM) for better performance.


  Key Pair: No need to create a key pair (proceed without key pair).
  


3. Configure Security Group (Firewall Rules)
Set up inbound rules to allow required network traffic:




Port Protocol Purpose



8080 TCP Jenkins Web UI (Restrict access to trusted IPs or internal network).

50000 TCP Communication between Jenkins Controller and Agents (for distributed builds).

443 TCP HTTPS access (if Jenkins is secured with SSL).

80 TCP HTTP access (if using an Nginx reverse proxy for Jenkins).

9000 TCP SonarQube Access (for code analysis).




Note: For security, avoid opening all these ports to the public. Instead, restrict access to trusted IPs or internal networks.


Choose the created security group in Network setting


4. Configure Storage and IAM Role

Storage: Set at least 30 GiB.


  IAM Role: Attach an IAM profile with administrative access to allow Jenkins to manage AWS resources.

Create an IAM profile with Administrator Access and attach it to EC2 instance

  
  


5. Automate Installation with User Data
Instead of manually installing required tools, you can automate it using a User Data script. This script will automatically install:

Jenkins

Docker

Terraform

AWS CLI

SonarQube (running in a container)

Trivy (for security scanning)


#!/bin/bash
# For Ubuntu 22.04
# Intsalling Java
sudo apt update -y
sudo apt install openjdk-17-jre -y
sudo apt install openjdk-17-jdk -y
java --version

# Installing Jenkins
curl -fsSL https://pkg.jenkins.io/debian/jenkins.io-2023.key | sudo tee \
  /usr/share/keyrings/jenkins-keyring.asc > /dev/null
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
  https://pkg.jenkins.io/debian binary/ | sudo tee \
  /etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update -y
sudo apt-get install jenkins -y

# Installing Docker 
#!/bin/bash
sudo apt update
sudo apt install docker.io -y
sudo usermod -aG docker jenkins
sudo usermod -aG docker ubuntu
sudo systemctl restart docker
sudo chmod 777 /var/run/docker.sock

# If you don't want to install Jenkins, you can create a container of Jenkins
# docker run -d -p 8080:8080 -p 50000:50000 --name jenkins-container jenkins/jenkins:lts

# Run Docker Container of Sonarqube
#!/bin/bash
docker run -d  --name sonar -p 9000:9000 sonarqube:lts-community


# Installing AWS CLI
#!/bin/bash
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
sudo apt install unzip -y
unzip awscliv2.zip
sudo ./aws/install

# Installing Kubectl
#!/bin/bash
sudo apt update
sudo apt install curl -y
sudo curl -LO "https://dl.k8s.io/release/v1.28.4/bin/linux/amd64/kubectl"
sudo chmod +x kubectl
sudo mv kubectl /usr/local/bin/
kubectl version --client


# Installing eksctl
#! /bin/bash
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
eksctl version

# Installing Terraform
#!/bin/bash
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update
sudo apt install terraform -y

# Installing Trivy
#!/bin/bash
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt update
sudo apt install trivy -y


# Intalling Helm
#! /bin/bash
sudo snap install helm --classic



Why use User Data?

Automates setup.

Ensures all required tools are installed before first login.

Saves time compared to manual installation.



6. Launch the Instance

Click Launch Instance to start your Jenkins server.

7. Connect to the Instance
Since SSH is disabled for security reasons, use the EC2 Instance Connect feature:

Go to the AWS EC2 Console.

Select your Jenkins instance.


  Click the "Connect" button at the top.

Choose the "EC2 Instance Connect" tab.


  Click "Connect" to open a web-based terminal directly in your browser.


8. Monitor Running Processes
To check what commands are running inside the instance, use:
htop


This command provides a real-time view of system performance and running processes.

Step 2: Set Up a Jenkins Pipeline to Deploy EKS and Networking Services
1. Access Jenkins

Open your browser and go to:
 http://:8080

 

Retrieve the initial Jenkins admin password by running the following command in the jenkins Instance:
 sudo cat /var/lib/jenkins/secrets/initialAdminPassword


Follow the setup wizard:

Install Suggested Plugins.


  Create an Admin Username & Password.

Complete the basic configuration.
  





Now, Jenkins is ready to use.

2. Install Required Plugins
To enable Jenkins to work with AWS and Terraform, install the following plugins manually:

Click on "Manage Jenkins" > "Plugins Manager".
 

Search for and install these plugins:

AWS Credentials → Securely stores AWS access keys.

Pipeline: AWS Steps → Adds built-in AWS-specific pipeline steps.

Terraform → Enables Terraform automation in Jenkins.

Pipeline: Stage View → Provides a visual representation of pipeline stages.




    
3. Configure AWS Credentials in Jenkins

Go to "Manage Jenkins" > "Credentials".


 Click "Global" > "Add Credentials".
 

Fill in the details:

Kind: AWS Credentials

Scope: Global

ID: aws-creds

Access Key ID: From your AWS IAM user

Secret Access Key: From your AWS IAM user




 Click "Create".



Note: Create an IAM User in AWS with Administrator Access and use its credentials here.

4. Configure Terraform in Jenkins

Go to "Manage Jenkins" > "Tools".

Scroll to Terraform Installation.
 

Provide:

Name: terraform

Installation Directory: Find Terraform’s installation path by running below command in jenkins instance:
  whereis terraform





 
 Click Save.


5. Create a New Jenkins Pipeline

In this pipeline i will use this repository here all the terraform source code present to create production grade infrastructure

https://github.com/praduman8435/Production-ready-EKS-with-automation
 

In Jenkins, go to Dashboard > New Item.


 Enter an item name.


 Select Pipeline and click OK.

Scroll to the Pipeline section:

Under Definition, select Pipeline script.

Copy and paste the following pipeline script:




    properties([
        parameters([
            string(
                defaultValue: 'dev',
                name: 'Environment'
            ),
            choice(
                choices: ['plan', 'apply', 'destroy'], 
                name: 'Terraform_Action'
            )
        ])
    ])

    pipeline {
        agent any
        stages {
            stage('Preparing') {
                steps {
                    sh 'echo Preparing'
                }
            }
            stage('Git Pulling') {
                steps {
                    git branch: 'main', url: 'https://github.com/praduman8435/Production-ready-EKS-with-automation.git'
                }
            }
            stage('Init') {
                steps {
                    withAWS(credentials: 'aws-creds', region: 'ap-south-1') {
                        sh 'terraform -chdir=eks/ init'
                    }
                }
            }
            stage('Validate') {
                steps {
                    withAWS(credentials: 'aws-creds', region: 'ap-south-1') {
                        sh 'terraform -chdir=eks/ validate'
                    }
                }
            }
            stage('Action') {
                steps {
                    withAWS(credentials: 'aws-creds', region: 'ap-south-1') {
                        script {    
                            if (params.Terraform_Action == 'plan') {
                                sh "terraform -chdir=eks/ plan -var-file=${params.Environment}.tfvars"
                            } else if (params.Terraform_Action == 'apply') {
                                sh "terraform -chdir=eks/ apply -var-file=${params.Environment}.tfvars -auto-approve"
                            } else if (params.Terraform_Action == 'destroy') {
                                sh "terraform -chdir=eks/ destroy -var-file=${params.Environment}.tfvars -auto-approve"
                            } else {
                                error "Invalid value for Terraform_Action: ${params.Terraform_Action}"
                            }
                        }
                    }
                }
            }
        }
    }

    
6. Finalize Pipeline Setup

Enable Groovy Sandbox: Check the box for "Use Groovy Sandbox".

Click "Save".


7. Run the Pipeline

Wait for a minute, then click "Build with Parameters".


 Select a Terraform action (plan, apply, or destroy).

Click "Build".


 
 Navigate to the Console Output to track progress.
 



What This Pipeline Does?

Connects Jenkins to AWS using stored credentials.

Fetches Terraform code from GitHub.

Initializes Terraform for EKS and networking setup.

Validates Terraform code before deployment.

Executes Terraform actions based on user selection (plan, apply, or destroy)




Step 3: Set Up the Jump Server
Why Do You Need a Jump Server?
Since your EKS cluster is inside a VPC, it cannot be accessed directly from the internet. A Jump Server (Bastion Host) acts as a secure gateway, allowing access to private resources within your VPC.
How It Works:

Your EKS cluster and other private resources don’t have public IPs, so they can't be accessed directly.

Instead of exposing these private resources, you connect to a Jump Server first.

The Jump Server has a public IP and is placed in a public subnet, acting as an intermediary to access the private cluster securely.


1. Create a Jump Server in AWS

Go to AWS EC2 Console and click "Launch Instance".

Configure the Instance:

Instance Name: jump-server


  AMI: Ubuntu
  

Instance Type: t2.medium

Key Pair: No need to attach a key pair (SSH disabled for security).
  

Network Settings:

VPC: Select the VPC created by the Jenkins Terraform pipeline.

Subnet: Choose any public subnet.



Storage: At least 30 GiB.


  IAM Role: Attach an IAM profile with administrative access.



Install required tools on the Jump Server automatically, by adding the following script in the User Data field:
 sudo apt update -y

 # Installing AWS CLI
 #!/bin/bash
 curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
 sudo apt install unzip -y
 unzip awscliv2.zip
 sudo ./aws/install

 # Installing Kubectl
 #!/bin/bash
 sudo apt update
 sudo apt install curl -y
 sudo curl -LO "https://dl.k8s.io/release/v1.28.4/bin/linux/amd64/kubectl"
 sudo chmod +x kubectl
 sudo mv kubectl /usr/local/bin/
 kubectl version --client

 # Intalling Helm
 #! /bin/bash
 sudo snap install helm --classic

 # Installing eksctl
 #! /bin/bash
 curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
 sudo mv /tmp/eksctl /usr/local/bin
 eksctl version


Launch the Instance by clicking "Launch Instance".
 


2. Connect to the Jump Server and Verify Access
Once the instance is running, access it using EC2 Instance Connect:

Go to AWS EC2 Console.

Select your Jump Server instance.

Click "Connect" > "EC2 Instance Connect".


 Click "Connect" to open a web terminal.


3. Configure AWS Credentials on the Jump Server
To allow the Jump Server to interact with AWS services, configure AWS CLI:
aws configure


Enter AWS Access Key ID (from IAM user).

Enter AWS Secret Access Key (from IAM user).

Default region: Set your AWS region (e.g., us-east-1).

Output format: Press Enter (default is json).


4. Update kubeconfig to Access the EKS Cluster
Run the following command to configure kubectl for your EKS cluster:
aws eks update-kubeconfig --name  --region 


5. Verify the Cluster Connection
Check if the Jump Server can access the EKS cluster by listing the worker nodes:
kubectl get nodes


If you see the nodes, your Jump Server setup is successful! 🎉

Step 4: Set Up an AWS Load Balancer for EKS
In order to configure an AWS Load Balancer in our EKS cluster, we need a Service Account that allows Kubernetes to create and manage the load balancer automatically.
1. Create an IAM-Backed Service Account
The AWS Load Balancer Controller requires an IAM role with the necessary permissions to create and manage Elastic Load Balancers (ELB) in AWS.
Run the following command to create a service account with the required IAM role inside the EKS cluster:
eksctl create iamserviceaccount \
  --cluster= \
  --namespace=kube-system \
  --name=aws-load-balancer-controller \
  --role-name AmazonEKSLoadBalancerRole \
  --attach-policy-arn=arn:aws:iam:::policy/AWSLoadBalancerControllerIAMPolicy \
  --approve \
  --region=ap-south-1


📌 Explanation:

--cluster= → Name of your EKS cluster.

--namespace=kube-system → Deploys the service account in the kube-system namespace.

--name=aws-load-balancer-controller → Creates a service account with this name.

--role-name AmazonEKSLoadBalancerRole → Assigns an IAM role to the service account.

--attach-policy-arn=arn:aws:iam:::policy/AWSLoadBalancerControllerIAMPolicy → Attaches the AWS Load Balancer Controller IAM policy.

--approve → Automatically applies the changes.


2. Add the AWS EKS Helm Repository
To deploy the AWS Load Balancer Controller, we use Helm, a package manager for Kubernetes.
Add the official AWS EKS Helm repository:
helm repo add eks https://aws.github.io/eks-charts


This repository contains pre-packaged Helm charts for essential AWS EKS components such as:
✅ AWS Load Balancer Controller
✅ EBS CSI Driver (for dynamic volume provisioning)
✅ VPC CNI Plugin (for networking enhancements)
✅ Cluster Autoscaler (for automatic scaling)
Update the repository to get the latest charts:
helm repo update

3. Install the AWS Load Balancer Controller
Now, install the AWS Load Balancer Controller using Helm:
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  --namespace kube-system \
  --set clusterName= \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller

📌 Explanation:

--namespace kube-system → Deploys the controller in the kube-system namespace.

--set clusterName= → Associates it with your EKS cluster.

--set serviceAccount.create=false → Uses the existing IAM-backed service account.

--set serviceAccount.name=aws-load-balancer-controller → Specifies the service account created earlier.


4. Verify the AWS Load Balancer Controller
Check if the Load Balancer Controller is running correctly:
kubectl get pods -n kube-system | grep aws-load-balancer-controller


4. Fixing Pods in Error or CrashLoopBackOff
If your AWS Load Balancer Controller pods are in Error or CrashLoopBackOff, it’s likely due to misconfiguration. To fix this, upgrade the Helm release with the correct settings:
helm upgrade -i aws-load-balancer-controller eks/aws-load-balancer-controller \
  --set clusterName= \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller \
  --set region= \
  --set vpcId= \
  -n kube-system


: VPC ID where your EKS cluster runs (e.g., vpc-0123456789abcdef0).

: Your EKS cluster name (e.g., dev-medium-eks-cluster).

: AWS region of your cluster (e.g., us-west-1).



What This Does?

Upgrades/Installs: Updates the Helm release or installs it if missing.

Configures Correctly: Ensures the controller uses the right cluster, service account, region, and VPC.



Check if the pods are running:
kubectl get pods -n kube-system -l app.kubernetes.io/name=aws-load-balancer-controller


🚀 Your AWS Load Balancer Controller is now ready to manage Kubernetes services! 🎉

Step 5: Set Up and Configure ArgoCD on EKS
ArgoCD is a GitOps continuous delivery tool that automates the deployment of applications to Kubernetes. We will install ArgoCD in our EKS cluster and expose its UI for external access.
1. Create a Separate Namespace for ArgoCD
To keep ArgoCD components organized, create a dedicated namespace:
kubectl create namespace argocd


2. Install ArgoCD Using Manifests
Apply the official ArgoCD installation YAML to deploy its components:
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml


This will install all necessary ArgoCD components inside the argocd namespace.
3. Verify ArgoCD Installation
Check if all ArgoCD pods are running:
kubectl get pods -n argocd


4. Expose ArgoCD Server
By default, ArgoCD runs as a ClusterIP service, meaning it is only accessible inside the cluster. To access the UI externally, change it to a LoadBalancer service:
kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'

This will assign a public IP to the ArgoCD server, making it accessible via an Elastic Load Balancer (ELB) in AWS.
5. Retrieve the External IP of ArgoCD
Run the following command to get the external URL:
kubectl get svc -n argocd argocd-server


Look for the EXTERNAL-IP in the output. This is the URL you’ll use to access the ArgoCD UI.

6. Get the ArgoCD Admin Password
By default, ArgoCD generates an admin password stored as a Kubernetes secret. Retrieve it using:
kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 --decode

Use this password to log in as the admin user.
7. Access the ArgoCD UI
Now, you can access the UI of argoCD using the elastic loadbalancer created on the aws
Login using:

Username: admin

Password: (retrieved from the secret above)




ArgoCD is now ready! You can start managing your Kubernetes deployments using GitOps. 🚀


Step 6: Configure SonarQube for DevSecOps Pipeline
SonarQube is a crucial tool for static code analysis, ensuring code quality and security in your DevSecOps pipeline. We will configure it within Jenkins for automated code scanning.
1. Verify if SonarQube is Running
Since SonarQube is running as a Docker container on the Jenkins server, check its status with:
docker ps


You should see a running SonarQube container exposed on port 9000.
2. Access SonarQube UI
Open any web browser and visit:
http://:9000


Log in using the default credentials:

Username: admin

Password: admin


Once logged in, set a new password for security.

3. Generate an Authentication Token
Jenkins needs a token to authenticate with SonarQube for automated scans.

Go to Administration → Security → Users.


 
 Click on Update Token.

Provide a name and set an expiration date (or leave it as "No Expiration").
 

Click Generate Token.

Copy and save the token securely (you will need it for Jenkins).


4. Create a Webhook for Jenkins Notifications
A webhook will notify Jenkins once SonarQube completes an analysis.

Navigate to Administration → Configuration → Webhooks.


 Click Create Webhook.
 

Enter the details:

Name: Jenkins Webhook


  URL: http://:8080/sonarqube-webhook

Secret: (Leave blank)



Click Create.
 



Now, the webhook will trigger Jenkins when a project analysis is complete.

5. Create a SonarQube Project for Code Analysis
SonarQube will analyze the frontend and backend code separately.
Frontend Analysis Configuration

Go to Projects → Manually → Create a New Project.


 Fill in the required details (Project Name, Key, etc.).


 Click Setup.

Choose Analyze Locally.

Select Use an Existing Token and paste the token generated earlier.


 Choose Other if your build type is not listed.


 Select OS: Linux.


 SonarQube will generate a command for analysis—copy and save it.
 

Add the command to your Jenkins pipeline


Backend Analysis Configuration
Repeat the same steps for the backend project:

Go to Projects → Create a New Project.
 

Fill in the required details.


 Click Setup → Analyze Locally.

Use the previously generated token.


 Choose Other as the build type if needed.

Select OS: Linux.

Copy the generated analysis command and save it.


 Add the command to your Jenkins pipeline


6. Final Verification
At this point:
✅ SonarQube is running and accessible.
✅ Jenkins has an authentication token to interact with SonarQube.
✅ A webhook is set up to notify Jenkins about completed scans.
✅ Projects are created, and analysis commands are ready for Jenkins execution.
Now, whenever Jenkins runs the pipeline, SonarQube will analyze the code and report quality & security issues. 🎯 ✅

Step 6: Create an ECR Repository for Docker Images
Amazon Elastic Container Registry (ECR) will store the frontend and backend Docker images used for deployment. Let's configure it and store necessary credentials in Jenkins.
1. Create Private ECR Repositories

Open AWS Console and navigate to the ECR service.


 Click Create Repository.

Choose Private Repository.

Repository Name: frontend.


 Repeat the same steps to create a backend repository.
 



2. Store Credentials in Jenkins
To integrate Jenkins with SonarQube, AWS ECR, and GitHub, we need to store various credentials securely.
a) Store SonarQube Token in Jenkins

Go to Jenkins Dashboard → Manage Jenkins → Credentials.


 Select the appropriate Global credentials domain.
 
 

Click Add Credentials and fill in the details:

Kind: Secret Text

Scope: Global

Secret: 

ID: sonar-token

Click Create.




    
b) Store AWS Account ID in Jenkins

Go to Credentials → Add Credentials.

Enter the details:

Kind: Secret Text

Scope: Global

Secret: 


  ID: Account_ID
  

Click Create.




c) Store ECR Repository Names in Jenkins
For Frontend Repository:

Add New Credential:

Kind: Secret Text

Scope: Global

Secret: frontend

ID: ECR_REPO1

Click Create.




For Backend Repository:

Add New Credential:

Kind: Secret Text

Scope: Global

Secret: backend

ID: ECR_REPO2
  

Click Create.




d) Store GitHub Credentials in Jenkins

Add New Credential:

Kind: Username with Password

Scope: Global

Username: 

Password: 

ID: GITHUB-APP




e) Store GitHub Personal Access Token in Jenkins

Add New Credential:

Kind: Secret Text

Scope: Global

Secret: 

ID: github





here all required credentials are get added


Final Confirmation
✅ ECR Repositories Created
✅ SonarQube Token Stored in Jenkins
✅ AWS Account ID Saved
✅ ECR Repository Names Stored
✅ GitHub Credentials & Token Added
With these credentials configured, Jenkins can authenticate and push Docker images to AWS ECR seamlessly. 🎯
Install and Configure Essential Plugins & Tools in Jenkins
To ensure seamless containerized builds, security analysis, and CI/CD automation, install and configure the necessary Jenkins plugins and tools.
1. Install Required Plugins
Navigate to Jenkins Dashboard → Manage Jenkins → Plugins → Available Plugins, then search and install the following:
✅ Docker – Enables Docker integration.
✅ Docker Pipeline – Provides Docker support in Jenkins pipelines.
✅ Docker Commons – Manages shared Docker images.
✅ Docker API – Allows interaction with Docker daemon.
✅ NodeJS – Supports Node.js builds.
✅ OWASP Dependency-Check – Detects security vulnerabilities in dependencies.
✅ SonarQube Scanner – Enables code quality analysis with SonarQube.


Once installed, restart Jenkins to apply changes.
2. Configure Essential Tools in Jenkins
a) NodeJS Installation

Go to Manage Jenkins → Tools

Under NodeJS, click Add NodeJS.

Fill in the required details.

Check the box Install Automatically.


 Click Save.


b) SonarQube Scanner Installation

Under Tools Configuration, go to SonarQube Scanner.

Click Add SonarQube Scanner.

Fill in the required details.

Check Install Automatically.


 Click Save.


c) OWASP Dependency Check Installation

Under Tools Configuration, go to Dependency Check.

Click Add Dependency Check.

Check Install Automatically from GitHub.


 Click Save.


d) Docker Installation

Under Tools Configuration, go to Docker.

Click Add Docker.

Fill in the required details.

Check Install Automatically from Docker.com.


 Click Save & Apply.


3. Configure SonarQube Webhook in Jenkins
To enable SonarQube notifications in Jenkins, configure the webhook.
Add SonarQube Server in Jenkins

Navigate to Manage Jenkins → Configure System.

Scroll to the SonarQube installation section.

Click Add SonarQube and enter:

Name: sonar-server

Server URL: http://:9000

Server Authentication Token: 




 Click Apply & Save.



Jenkins is now fully equipped to handle Docker builds, security analysis, and SonarQube scanning in the DevSecOps pipeline. 🚀


Step 7: Create a Jenkins Pipeline for Frontend
This pipeline automates the frontend build, security analysis, Docker image creation, and deployment updates for the DevSecOps pipeline.
1. Create a New Pipeline in Jenkins

Navigate to Jenkins Dashboard → New Item.

Enter a Pipeline Name (e.g., frontend-pipeline).

Select Pipeline as the item type.


 Click OK to proceed.

Scroll down to the Pipeline section and choose Pipeline script.


2. Add the Pipeline Script
Copy and paste the following Jenkinsfile:
pipeline {
    agent any 
    tools {
        nodejs 'nodejs'
    }
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
        AWS_ACCOUNT_ID = credentials('Account_ID')
        AWS_ECR_REPO_NAME = credentials('ECR_REPO1')
        AWS_DEFAULT_REGION = 'ap-south-1'
        REPOSITORY_URI = "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/"
    }
    stages {
        stage('Cleaning Workspace') {
            steps {
                cleanWs()
            }
        }
        stage('Checkout from Git') {
            steps {
                git credentialsId: 'GITHUB-APP', url: 'https://github.com/praduman8435/DevSecOps-in-Action.git', branch: 'main'
            }
        }
        stage('SonarQube Analysis') {
            steps {
                dir('frontend') {
                    withSonarQubeEnv('sonar-server') { // Use withSonarQubeEnv wrapper
                        sh '''
                        $SCANNER_HOME/bin/sonar-scanner \
                        -Dsonar.projectName=frontend \
                        -Dsonar.projectKey=frontend \
                        -Dsonar.sources=.
                        '''
                    }
                }
            }
        }
        stage('Quality Check') {
            steps {
                script {
                    waitForQualityGate abortPipeline: false, credentialsId: 'sonar-token'
                }
            }
        }
        stage('OWASP Dependency-Check Scan') {
            steps {
                dir('Application-Code/backend') {
                    dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit', odcInstallation: 'DP-Check'
                    dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
                }
            }
        }
        stage('Trivy File Scan') {
            steps {
                dir('frontend') {
                    sh 'trivy fs . > trivyfs.txt'
                }
            }
        }
        stage('Docker Image Build') {
            steps {
                script {
                    dir('frontend') {
                        sh 'docker system prune -f'
                        sh 'docker container prune -f'
                        sh 'docker build -t ${AWS_ECR_REPO_NAME} .'
                    }
                }
            }
        }
        stage('ECR Image Pushing') {
            steps {
                script {
                    sh 'aws ecr get-login-password --region ${AWS_DEFAULT_REGION} | docker login --username AWS --password-stdin ${REPOSITORY_URI}'
                    sh 'docker tag ${AWS_ECR_REPO_NAME} ${REPOSITORY_URI}${AWS_ECR_REPO_NAME}:${BUILD_NUMBER}'
                    sh 'docker push ${REPOSITORY_URI}${AWS_ECR_REPO_NAME}:${BUILD_NUMBER}'
                }
            }
        }
        stage('Trivy Image Scan') {
            steps {
                sh 'trivy image ${REPOSITORY_URI}${AWS_ECR_REPO_NAME}:${BUILD_NUMBER} > trivyimage.txt'
            }
        }
        stage('Update Deployment File') {
            environment {
                GIT_REPO_NAME = "DevSecOps-in-Action"
                GIT_USER_NAME = "praduman8435"
            }
            steps {
                dir('k8s-manifests/frontend') {
                    withCredentials([string(credentialsId: 'github', variable: 'GITHUB_TOKEN')]) {
                        sh '''
                        git config user.email "praduman.cnd@gmail.com"
                        git config user.name "praduman"
                        BUILD_NUMBER=${BUILD_NUMBER}
                        imageTag=$(grep -oP '(?<=frontend:)[^ ]+' deployment.yaml)
                        sed -i "s/${AWS_ECR_REPO_NAME}:${imageTag}/${AWS_ECR_REPO_NAME}:${BUILD_NUMBER}/" deployment.yaml
                        git add deployment.yaml
                        git commit -m "Update deployment image to version ${BUILD_NUMBER}"
                        git push https://${GITHUB_TOKEN}@github.com/${GIT_USER_NAME}/${GIT_REPO_NAME} HEAD:main
                        '''
                    }
                }
            }
        }
    }
}


3. Build the Pipeline

Click Save & Apply.

Click Build Now to start the pipeline.
 
 


4. Verify SonarQube Analysis

Open SonarQube UI:
 http://:9000

 

Check if the SonarQube scan results appear in the UI under the frontend project.


Pipeline Workflow Summary
✅ Code Checkout from GitHub.
✅ SonarQube Scan for code quality analysis.
✅ Security Scans using OWASP Dependency-Check and Trivy.
✅ Docker Build & Push to Amazon ECR.
✅ Deployment Update in Kubernetes manifests.
The frontend pipeline is now fully automated and integrated into the DevSecOps workflow! 🚀

Step 8: Create a Jenkins Pipeline for Backend
This pipeline automates the backend build, security scanning, Docker image creation, and Kubernetes deployment updates for the DevSecOps pipeline.
1. Create a New Pipeline in Jenkins

Go to Jenkins Dashboard → New Item.

Enter a Pipeline Name (e.g., backend-pipeline).

Select Pipeline as the item type.


 Click OK to proceed.

Scroll to the Pipeline section and choose Pipeline script.


2. Add the Pipeline Script
Copy and paste the following Jenkinsfile:
pipeline {
    agent any 
    tools {
        nodejs 'nodejs'
    }
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
        AWS_ACCOUNT_ID = credentials('Account_ID')
        AWS_ECR_REPO_NAME = credentials('ECR_REPO2')
        AWS_DEFAULT_REGION = 'ap-south-1'
        REPOSITORY_URI = "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/"
    }
    stages {
        stage('Cleaning Workspace') {
            steps {
                cleanWs()
            }
        }
        stage('Checkout from Git') {
            steps {
                git credentialsId: 'GITHUB-APP', url: 'https://github.com/praduman8435/DevSecOps-in-Action.git', branch: 'main'
            }
        }
        stage('SonarQube Analysis') {
            steps {
                dir('backend') {
                    withSonarQubeEnv('sonar-server') { // Use withSonarQubeEnv wrapper
                        sh '''
                        $SCANNER_HOME/bin/sonar-scanner \
                        -Dsonar.projectName=backend \
                        -Dsonar.projectKey=backend \
                        -Dsonar.sources=.
                        '''
                    }
                }
            }
        }
        stage('Quality Check') {
            steps {
                script {
                    waitForQualityGate abortPipeline: false, credentialsId: 'sonar-token'
                }
            }
        }
        stage('OWASP Dependency-Check Scan') {
            steps {
                dir('backend') {
                    dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit', odcInstallation: 'DP-Check'
                    dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
                }
            }
        }
        stage('Trivy File Scan') {
            steps {
                dir('backend') {
                    sh 'trivy fs . > trivyfs.txt'
                }
            }
        }
        stage('Docker Image Build') {
            steps {
                script {
                    dir('backend') {
                        sh 'docker system prune -f'
                        sh 'docker container prune -f'
                        sh 'docker build -t ${AWS_ECR_REPO_NAME} .'
                    }
                }
            }
        }
        stage('ECR Image Pushing') {
            steps {
                script {
                    sh 'aws ecr get-login-password --region ${AWS_DEFAULT_REGION} | docker login --username AWS --password-stdin ${REPOSITORY_URI}'
                    sh 'docker tag ${AWS_ECR_REPO_NAME} ${REPOSITORY_URI}${AWS_ECR_REPO_NAME}:${BUILD_NUMBER}'
                    sh 'docker push ${REPOSITORY_URI}${AWS_ECR_REPO_NAME}:${BUILD_NUMBER}'
                }
            }
        }
        stage('Trivy Image Scan') {
            steps {
                sh 'trivy image ${REPOSITORY_URI}${AWS_ECR_REPO_NAME}:${BUILD_NUMBER} > trivyimage.txt'
            }
        }
        stage('Update Deployment File') {
            environment {
                GIT_REPO_NAME = "DevSecOps-in-Action"
                GIT_USER_NAME = "praduman8435"
            }
            steps {
                dir('k8s-manifests/backend') {
                    withCredentials([string(credentialsId: 'github', variable: 'GITHUB_TOKEN')]) {
                        sh '''
                        git config user.email "praduman.cnd@gmail.com"
                        git config user.name "praduman"
                        BUILD_NUMBER=${BUILD_NUMBER}
                        imageTag=$(grep -oP '(?<=backend:)[^ ]+' deployment.yaml)
                        sed -i "s/${AWS_ECR_REPO_NAME}:${imageTag}/${AWS_ECR_REPO_NAME}:${BUILD_NUMBER}/" deployment.yaml
                        git add deployment.yaml
                        git commit -m "Update deployment image to version ${BUILD_NUMBER}"
                        git push https://${GITHUB_TOKEN}@github.com/${GIT_USER_NAME}/${GIT_REPO_NAME} HEAD:main
                        '''
                    }
                }
            }
        }
    }
}


3. Build the Pipeline

Click Save & Apply.

Click Build Now to trigger the pipeline.
 


4. Verify SonarQube Analysis

Open SonarQube UI:
 http://:9000



 Check the SonarQube scan results under the backend project.


Pipeline Workflow Summary
✅ Code Checkout from GitHub.
✅ SonarQube Scan for code quality analysis.
✅ Security Scans using OWASP Dependency-Check and Trivy.
✅ Docker Build & Push to Amazon ECR.
✅ Deployment Update in Kubernetes manifests.
The backend pipeline is now fully automated and integrated into the DevSecOps workflow! 🚀

Step 9: Setup Application in ArgoCD
In this step, we will deploy the application (frontend, backend, database, and ingress) to the EKS cluster using ArgoCD.
1. Open ArgoCD UI

Get the ArgoCD server External-IP:
 kubectl get svc -n argocd argocd-server

 

Access the ArgoCD UI using EXTERNAL-IP in the output.

Login using username and password created by you previously.



2. Connect GitHub Repository to ArgoCD

Go to Settings → Repositories.


 Click "Connect Repository using HTTPS".

Enter:

Project: default

Repository URL: https://github.com/praduman8435/DevSecOps-in-Action.git

Authentication: None (if public repo)




 Click "Connect".


3. Create Kubernetes Namespace for Deployment

Open terminal and run:
 kubectl create namespace three-tier


Verify the namespace:
 kubectl get namespaces

 


4. Deploy Database in ArgoCD

In ArgoCD UI, go to Applications → Click New Application.

Fill in the following details:

Application Name: three-tier-database

Project Name: default

Sync Policy: Automatic

Repository URL: https://github.com/praduman8435/DevSecOps-in-Action.git

Path: k8s-manifests/database

Cluster URL: https://kubernetes.default.svc

Namespace: three-tier




 Click Create.





5. Deploy Backend in ArgoCD

Go to Applications → Click New Application.

Fill in:

Application Name: three-tier-backend

Project Name: default

Sync Policy: Automatic

Repository URL: https://github.com/praduman8435/DevSecOps-in-Action.git

Path: k8s-manifests/backend

Cluster URL: https://kubernetes.default.svc

Namespace: three-tier




 Click Create.



6. Deploy Frontend in ArgoCD

Go to Applications → Click New Application.

Fill in:

Application Name: three-tier-frontend

Project Name: default

Sync Policy: Automatic

Repository URL: https://github.com/praduman8435/DevSecOps-in-Action.git

Path: k8s-manifests/frontend

Cluster URL: https://kubernetes.default.svc

Namespace: three-tier



Click Create.



7. Deploy Ingress in ArgoCD

Go to Applications → Click New Application.

Fill in:

Application Name: three-tier-ingress

Project Name: default

Sync Policy: Automatic

Repository URL: https://github.com/praduman8435/DevSecOps-in-Action.git

Path: k8s-manifests

Cluster URL: https://kubernetes.default.svc

Namespace: three-tier



Click Create.




8. Verify Deployment in ArgoCD

Go to Applications in ArgoCD UI.

Check if all applications are Synced and Healthy.

If needed, Manually Sync any pending application.



🎉 Congratulations! Your application is now fully deployed using ArgoCD! 🚀 and can be accessed at http://3-111-158-0.nip.io/



Step 10: Configure Monitoring using Prometheus and Grafana
In this step, we will install and configure Prometheus and Grafana using Helm charts to monitor the Kubernetes cluster.
1. Add Helm Repositories for Prometheus & Grafana
Run the following commands to add and update the Helm repositories:
helm repo add stable https://charts.helm.sh/stable
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add grafana https://grafana.github.io/helm-charts
helm repo update


2. Install Prometheus and Grafana using Helm
helm install prometheus prometheus-community/kube-prometheus-stack \
  --set prometheus.server.persistentVolume.storageClass=gp2 \
  --set alertmanager.alertmanagerSpec.persistentVolume.storageClass=gp2 \

3. Access Prometheus UI

Get the Prometheus service details:
  kubectl get svc 
  #look for prometheus-kube-prometheus-prometheus svc


Change the serveice type from ClusterIP to Loadbalancer
  kubectl edit svc  prometheus-kube-prometheus-prometheus


Find the line type: ClusterIP and change it to type: LoadBalancer.


You can now access the prometheus server using external-IP of prometheus-kube-prometheus-prometheus svc
  kubectl get svc prometheus-kube-prometheus-prometheus



  Open :9999 in your browser.




Click on Status and select Target. You'll see a list of Targets displayed. In Grafana, we'll use this as a data source.
  


4. Access Grafana UI

Get the Grafana service details
  kubectl get svc
  #look for the prometheus-grafana svc




By default, it uses ClusterIP. Change it to LoadBalancer:
  kubectl edit svc prometheus-grafana


Find the line type: ClusterIP and change it to type: LoadBalancer.



    

Get the external IP of Grafana:
  kubectl get svc prometheus-grafana

  

Open  in your browser.



5. Get Grafana Admin Password
kubectl get secret grafana -n default -o jsonpath="{.data.admin-password}" | base64 --decode



Username: admin

Password: (output from the above command)



6. Configure Prometheus as a Data Source in Grafana

Login to Grafana UI.

Go to Connections → Data Sources.


 
 Click Data source → Select Prometheus
 

Provide the Prometheus URL (:9090) if not get provided.

Click Save & Test.
 



🎉 Congratulations! Your Kubernetes cluster is now being monitored using Prometheus & Grafana!

7. Setting Up Dashboards in Grafana for Kubernetes Monitoring
Grafana allows us to visualize Kubernetes cluster and resource metrics effectively. We’ll set up two essential dashboards to monitor our cluster using Prometheus as the data source.
Dashboard 1: Kubernetes Cluster Monitoring
This dashboard provides an overview of the Kubernetes cluster, including node health, resource usage, and workload performance.
Steps to Import the Dashboard:

Open the Grafana UI and navigate to Dashboards.


  Click on New → Import.
  
  

In the Import via Grafana.com field, enter 6417 (Prometheus Kubernetes Cluster Monitoring Dashboard).
  

Click Load.

Select Prometheus as the data source.

Click Import.
  



You should now see a comprehensive dashboard displaying Kubernetes cluster metrics.

Dashboard 2: Kubernetes Resource Monitoring
This dashboard provides insights into individual Kubernetes resources such as pods, deployments, and namespaces.
Steps to Import the Dashboard:

Open the Grafana UI and navigate to Dashboards.

Click on New → Import.

Enter 17375 (Kubernetes Resources Monitoring Dashboard).

Click Load.

Select Prometheus as the data source.


 select the data source i.e. prometheus and click on import

Click Import.
 



Now, you have two powerful dashboards to monitor both the overall cluster health and specific Kubernetes resources in real-time.


Enjoyed the post? to support my writing!

Conclusion
This Ultimate DevSecOps Project is all about bringing security into the DevOps pipeline while deploying a scalable, secure, and fully automated three-tier application on AWS EKS. By combining the power of Jenkins, SonarQube, Trivy, OWASP Dependency-Check, Terraform, ArgoCD, Prometheus, and Grafana, we've built a robust CI/CD pipeline that ensures code quality, security, and smooth deployments—without any manual headaches!
With SonarQube and OWASP Dependency-Check, we keep our code secure and compliant. Trivy scans our Docker images before they even reach AWS ECR, blocking vulnerabilities before they hit production. Jenkins takes care of automation, while ArgoCD ensures our Kubernetes deployments stay in perfect sync. And of course, Prometheus and Grafana give us full visibility into system health and performance, so we're always on top of things.
This project isn't just a DevSecOps tutorial—it's a real-world playbook for modern software delivery. Whether you're a DevOps pro, security enthusiast, or just diving into cloud automation, this guide sets you up with the tools and best practices to master DevSecOps in Kubernetes.
🚀 Ready to take your DevSecOps game to the next level? Let’s build, secure, and deploy—without limits! 🔐🎯

💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub




Deploying an Application on AWS EKS with Ingress: A Step-by-Step Guide
Praduman Prajapati — Fri, 21 Feb 2025 19:12:49 GMT
In this guide, we'll walk through the steps to set up an Amazon Elastic Kubernetes Service (EKS) cluster using Fargate (a serverless compute engine for containers). We'll also deploy a sample application and configure an Application Load Balancer (ALB) to make the app accessible. Let’s get started!
Step 1: Install Required Tools
Before we begin, you’ll need to install three essential tools:

kubectl: A command-line tool for managing Kubernetes clusters. It allows you to deploy applications, inspect resources, and manage cluster operations.

eksctl: A tool specifically designed for Amazon EKS. It simplifies the process of creating, managing, and scaling EKS clusters.

AWS CLI: A command-line interface for interacting with AWS services. It’s used to configure and manage AWS resources.


Run the following command to install these tools on an Arch Linux-based system (or use the appropriate package manager for your OS):
sudo pacman -Sy kubectl aws-cli eksctl

Step 2: Configure AWS CLI
Once the tools are installed, you need to configure the AWS CLI with your credentials. This allows you to interact with your AWS account.
Run the following command and provide your Access Key ID, Secret Access Key, AWS Region, and preferred output format when prompted:
aws configure


Step 3: Create an EKS Cluster
Now, let’s create an EKS cluster using eksctl. We’ll use Fargate to run our workloads, which means we don’t need to manage EC2 instances—AWS handles the underlying infrastructure for us.
Run the following command to create a cluster named alpha in the ap-south-1 region:
eksctl create cluster --name alpha --region ap-south-1 --fargate


This process may take 10–15 minutes. Once completed, your EKS cluster will be up and running.
Step 4: Update kubeconfig
To interact with your EKS cluster using kubectl, you need to update your kubeconfig file. This file contains the necessary information to connect to your cluster.
Run the following command:
aws eks update-kubeconfig --name alpha --region ap-south-1

Step 5: Deploy the Application
We’ll deploy a simple game called 2048 as our sample application. To do this, we’ll use a pre-configured YAML file that defines the deployment, service, and ingress resources.
Run the following command to deploy the application:
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/examples/2048/2048_full.yaml


Step 6: Create a Fargate Profile
Fargate profiles determine which pods should run on Fargate. Let’s create a Fargate profile for our application.
Run the following command:
eksctl create fargateprofile --cluster alpha --region ap-south-1 --name alb-sample-app --namespace game-2048

Step 7: Set Up IAM OIDC Provider
To allow the AWS Load Balancer (ALB) Controller to communicate with AWS resources, we need to configure an IAM OIDC provider for the cluster.
Run the following command:
eksctl utils associate-iam-oidc-provider --cluster alpha --approve


Step 8: Install the ALB Controller
The ALB Controller is responsible for creating and managing Application Load Balancers for your Kubernetes applications. To install it, follow these steps:

Download the IAM Policy:
 curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json


Create the IAM Policy:
 aws iam create-policy \
     --policy-name AWSLoadBalancerControllerIAMPolicy \
     --policy-document file://iam_policy.json

 

Create an IAM Role for the ALB Controller: Replace  and  with your actual cluster name and AWS account ID.
 eksctl create iamserviceaccount \
   --cluster=alpha \
   --namespace=kube-system \
   --name=aws-load-balancer-controller \
   --role-name AmazonEKSLoadBalancerControllerRole \
   --attach-policy-arn=arn:aws:iam:::policy/AWSLoadBalancerControllerIAMPolicy \
   --approve


Install the ALB Controller using Helm: Helm is a package manager for Kubernetes. Run the following commands to add the Helm repository and install the ALB Controller:
 helm repo add eks https://aws.github.io/eks-charts
 helm repo update eks
 helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
   -n kube-system \
   --set clusterName=alpha \
   --set serviceAccount.create=false \
   --set serviceAccount.name=aws-load-balancer-controller \
   --set region=ap-south-1 \
   --set vpcId=

 


Step 9: Verify the Deployment
To ensure everything is working correctly, check the status of the ALB Controller deployment:
kubectl get deployment -n kube-system aws-load-balancer-controller



Step 10: Access the Application
Once everything is set up, the ALB Controller will create a load balancer for your application. You can access the game using the DNS name of the load balancer. For example:
http://k8s-game2048-ingress2-067ca5a9c2-1851598133.ap-south-1.elb.amazonaws.com



Conclusion
Congratulations! You’ve successfully set up an EKS cluster using Fargate, deployed a sample application, and configured an Application Load Balancer. This setup is ideal for running serverless Kubernetes workloads without worrying about managing the underlying infrastructure.

💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub




Mastering DevOps: Transforming a Go Web App with End-to-End Automation
Praduman Prajapati — Mon, 17 Feb 2025 20:01:19 GMT
In this article, we’ll implement end-to-end DevOps practices for a Go web application that currently lacks any DevOps methodologies. We’ll cover everything from containerizing the app with Docker to deploying it on a Kubernetes cluster using EKS, Helm, GitHub Actions, and ArgoCD. Let’s dive in!
Source Code & Repository 👇
You can find the source code for this project here:
https://github.com/praduman8435/go-web-app
 
Steps We’ll Follow

Containerize the application using a multistage Dockerfile.

Create Kubernetes manifests for deployment, service, and ingress.

Set up Continuous Integration (CI) using GitHub Actions.

Implement Continuous Deployment (CD) using GitOps with ArgoCD.

Deploy the application on an AWS EKS cluster.

Use Helm charts for environment-specific deployments.

Configure an ingress controller to make the app accessible via a load balancer.



Step 1: Containerize the Go Web App with Docker
We’ll start by creating a multistage Dockerfile to containerize the application. This ensures a lightweight and secure final image.
Create a Dockerfile
# Build stage
FROM golang:1.22 as base
WORKDIR /app
COPY go.mod .
RUN go mod download
COPY . .
RUN go build -o /app/main .

# Final stage - distroless image
FROM gcr.io/distroless/base
COPY --from=base /app/main .
COPY --from=base /app/static ./static
EXPOSE 8080
CMD ["./main"]

Build and Run the Docker Image
docker build -t thepraduman/go-web-app:v1 .
docker run -p 8080:8080 -it thepraduman/go-web-app:v1

Once the container is running, you can access the app at http://localhost:8080/home.


Step 2: Deploy on Kubernetes with YAML Manifests
Next, we’ll create Kubernetes manifests to deploy the app on a Kubernetes cluster.
Push the Docker Image
Before deploying, push the Docker image to a container registry:
docker push thepraduman/go-web-app:v1


Create Kubernetes Manifests
Create a folder k8s/manifest and add the following files:

deployment.yaml:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: go-web-app
   labels:
     app: go-web-app
 spec:
   replicas: 2
   selector:
     matchLabels:
       app: go-web-app
   template:
     metadata:
       labels:
         app: go-web-app
     spec:
       containers:
       - name: go-web-app
         image: thepraduman/go-web-app:v1
         ports:
         - containerPort: 8080


service.yaml:
 apiVersion: v1
 kind: Service
 metadata:
   name: go-web-app
   labels:
     app: go-web-app
 spec:
   type: ClusterIP
   selector:
     app: go-web-app
   ports:
     - protocol: TCP
       port: 80
       targetPort: 8080


ingress.yaml:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: go-web-app
   annotations:
     nginx.ingress.kubernetes.io/rewrite-target: /
 spec:
   ingressClassName: nginx
   rules:
   - host: "go-web-app.local"
     http:
       paths:
       - pathType: Prefix
         path: "/"
         backend:
           service:
             name: go-web-app
             port:
               number: 80



Apply the Manifests
kubectl apply -f k8s/manifest



Step 3: Set Up an EKS Cluster
To deploy the app on Kubernetes, we’ll use Amazon EKS. Ensure you have awscli, eksctl, and kubectl installed.
Create an EKS Cluster
eksctl create cluster --name demo-cluster --region ap-south-1


Step 4: Configure the Ingress Controller
At the moment, the resources aren't accessed directly through ingress because we need an ingress controller. This controller helps assign an address for the ingress resource. To make the app accessible, we’ll install the NGINX Ingress Controller.


First, let's make sure the service is running smoothly without using ingress. To check this, we'll change the service type from ClusterIP to NodePort.
  

Run this command after you've changed the service type to find out the NodePort where your application is running.
  kubectl get svc

  

Take a look at the external IP for the nodes in the Kubernetes cluster
  kubectl get nodes -o wide

  

You can now check out the application at http://13.126.11.218:31296/home.
  


Now, Install the Ingress Controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.1/deploy/static/provider/aws/deploy.yaml


Let's check if the ingress controller is up and running.
kubectl get pod -n ingress-nginx


Verify the Ingress
kubectl get ing


Here, we can see that the ingress controller is managing our ingress resource. It has assigned a domain name: adc73383deb374481a2ea5c3f048b7d2-181af1fd367d9cc8.elb.ap-south-1.amazonaws.com.

Wait a minute, what happens if we try to access the load balancer at adc73383deb374481a2ea5c3f048b7d2-181af1fd367d9cc8.elb.ap-south-1.amazonaws.com? Will we be able to reach our application?


In this scenario, the application is not accessible through adc73383deb374481a2ea5c3f048b7d2-181af1fd367d9cc8.elb.ap-south-1.amazonaws.com. This raises the question: why did this occur?The reason for this is that in the ingress configuration, we have specified that the load balancer should only accept requests if they are accessing the hostname go-web-app.local.

Map the load balancer’s DNS to go-web-app.local in your /etc/hosts file to access the app.


To obtain the IP address of adc73383deb374481a2ea5c3f048b7d2-181af1fd367d9cc8.elb.ap-south-1.amazonaws.com, execute the following command
  nslookup adc73383deb374481a2ea5c3f048b7d2-181af1fd367d9cc8.elb.ap-south-1.amazonaws.com

  

Now, let's link the IP of elastic loadbalancer address adc73383deb374481a2ea5c3f048b7d2-181af1fd367d9cc8.elb.ap-south-1.amazonaws.com with the host go-web-app.local.
  cat sudo vim /etc/hosts


You can now access the application at go-web-app.local! 🎉
  



Step 5: Simplify Deployments with Helm
When deploying an application across different environments, Helm becomes essential. So far, we've been using hard-coded configuration files for services, deployments, and more. Imagine we need the image go-web-app:dev for the development environment, go-web-app:prod for production, and go-web-app:qa for staging. Does this mean we have to create separate folders like k8s/dev, k8s/prod, and k8s/staging? Fortunately, no. Helm allows us to make these configurations variable, simplifying the process.
Create a Helm Chart

Make sure you have Helm installed on your computer.

helm create go-web-app-chart



Update the Helm Chart

Copy the Kubernetes manifests into the templates folder. before that delete everything from the template folder.
 cp k8s/manifest/ingress.yaml helm/go-web-app-chart/template
 cp k8s/manifest/service.yaml helm/go-web-app-chart/template
 cp k8s/manifest/deployment.yaml helm/go-web-app-chart/template

 

Replace the image tag in deployment.yaml present in template folder with {{ .Values.image.tag }}.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: go-web-app
   labels:
     app: go-web-app
 spec:
   replicas: 2
   selector:
     matchLabels:
       app: go-web-app
   template:
     metadata:
       labels:
         app: go-web-app
     spec:
       containers:
       - name: go-web-app
         image: thepraduman/go-web-app:{{ .Values.image.tag }}
         ports:
         - containerPort: 8080


Now, whenever Helm runs, it checks the values.yaml file for the image tag.


Update values.yaml:
 # Default values for go-web-app-chart.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.

 replicaCount: 1

 image:
   repository: abhishekf5/go-web-app
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
   tag: "v1"
   # When we set up CI/CD, 
   # we'll make the Helm values.yaml update automatically. 
   # Every time the CI/CD runs, 
   # it will refresh the Helm values.yaml with the newest image created in the CI. 
   # Then, using ArgoCD, that latest image with the newest tag will be deployed automatically.

 ingress:
   enabled: false
   className: ""
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
     - host: chart-example.local
       paths:
         - path: /
           pathType: ImplementationSpecific


To make sure ingress-nginx gets installed automatically as a dependency in your Helm chart, just add the following inside your Helm chart (./go-web-app-chart/Chart.yaml):
  dependencies:
   - name: ingress-nginx
     version: "4.10.0"  # Use latest stable version
     repository: "https://kubernetes.github.io/ingress-nginx"


Let's verify whether Helm is working accordingly or not.
 # lets delete all the resources and recreate them using helm chart
 kubectl delete deploy/go-web-app svc/go-web-app ing/go-web-app

 
 

Now, run the following command to create all the resources again with the Helm chart and watch the magic happen! 🚀



Deploy with Helm
helm install go-web-app ./go-web-app-chart




You can now access the application at go-web-app.local! 🎉
To uninstall everything, run the command
helm uninstall go-web-app


Here, we can say that Helm is working perfectly!


Step 6: Set Up CI with GitHub Actions

In CI, we will set up several stages:


Build and run unit tests.

Perform static code analysis.

Create a Docker image and push it.

Update Helm with the new Docker image.



Once this is complete, CD will take over:


When the Helm tag is updated, ArgoCD will pull the Helm chart and deploy it to the Kubernetes cluster.

To implement Continuous Integration (CI) using GitHub Actions, Add a file .github/workflows/ci.yaml :
name: CI/CD
# Exclude the workflow to run on changes to the helm chart
on:
  push:
    branches:
      - main
    paths-ignore:
      - 'helm/**'
      - 'k8s/**'
      - 'README.md'
jobs:
## stage 1
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
    - name: Set up Go 1.22
      uses: actions/setup-go@v2
      with:
        go-version: 1.22
    - name: Build
      run: go build -o go-web-app
    - name: Test
      run: go test ./...
## stage 2
  code-quality:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
    - name: Run golangci-lint
      uses: golangci/golangci-lint-action@v6
      with:
        version: latest
## stage 3
  push:
    runs-on: ubuntu-latest
    needs: build
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v1
    - name: Login to DockerHub
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_TOKEN }}
    - name: Build and Push action
      uses: docker/build-push-action@v6
      with:
        context: .
        file: ./Dockerfile
        push: true
        tags: ${{ secrets.DOCKERHUB_USERNAME }}/go-web-app:${{github.run_id}}
## stage 4
  update-newtag-in-helm-chart:
    runs-on: ubuntu-latest
    needs: push
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        token: ${{ secrets.TOKEN }}
    - name: Update tag in Helm chart
      run: |
        sed -i 's/tag: .*/tag: "${{github.run_id}}"/' helm/go-web-app-chart/values.yaml
    - name: Commit and push changes
      run: |
        git config --global user.email "abhishek@gmail.com"
        git config --global user.name "Abhishek Veeramalla"
        git add helm/go-web-app-chart/values.yaml
        git commit -m "Update tag in Helm chart"
        git push


Now that we've finished setting up the CI pipeline, let's check to make sure everything is working smoothly.
  git push


Head over to the GitHub repository and take a look at the Actions tab.

  



Here, the GitHub Action is working perfectly, and we've successfully completed the implementation of continuous integration! 🎉


Step 7: Implement CD with ArgoCD
Now, let's turn our attention to the ArgoCD component. Every time the CI pipeline runs, ArgoCD should spot the changes and deploy them to the Kubernetes cluster

Create a namespace called argocd and install ArgoCD there using a manifest file.


        kubectl create namespace argocd
        kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml


Access the Argo CD UI (Loadbalancer service).
  kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'


Access the Argo CD UI (Loadbalancer service) -For Windows
  kubectl patch svc argocd-server -n argocd -p '{\"spec\": {\"type\": \"LoadBalancer\"}}


Get the Loadbalancer service IP
  kubectl get svc argocd-server -n argocd

  

Now you can access the ArgoCD UI at ae9f68624737e4e49a0bea0a56d 6dce4-1141447750.ap-south-1.elb.amazonaws.com. Enjoy exploring!



To log in to ArgoCD, simply use admin as the username, and you can get the password by running the following command.
  kubectl get secrets -n argocd
  kubectl edit secrets argocd-initial-admin-secret -n argocd

  

The password we got is in base64 format, so to decode it, just run this command.

  echo  | base64 --decode

  



We've got access to the ArgoCD UI! 🎉


Tap on the "New App" button and fill in the required details.
  
  

Once you've filled in all the details, just click on "Create".




Now, ArgoCD will look for all the files within the Helm chart in the GitHub repository. It will update the values.yaml file with all the necessary changes. If you click on the style you will able to see that argocd started deploying everything

So, we're all done, and guess what? We deployed the application using CI/CD! 🎉
Conclusion
By following these steps, we’ve successfully implemented end-to-end DevOps practices for our Go web app. From containerization to automated CI/CD pipelines, we’ve streamlined the deployment process and made it scalable and efficient.

💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub




Kubernetes-part-10
Praduman Prajapati — Thu, 26 Sep 2024 07:17:43 GMT
Volumes
volumes are used to provide storage that pods and containers can access. Unlike regular container storage, which is ephemeral (lost when the container stops), volumes allow data to persist or be shared across containers in a pod. Volumes ensure that data survives container restarts and can be used to share data between containers within the same pod. Any no. of volumes can be attached to pod.
Types of volumes in Kubernetes

emptyDir

An emptyDir volume is created when a pod is assigned to a node and exists as long as the pod is running. Once the pod is deleted, the data in the emptyDir is also removed.

Use case: Temporary storage for data that needs to be shared between containers in the same pod.

Example:
  apiVersion: v1
  kind: Pod
  metadata:
    name: emptydir-pod
  spec:
    containers:
      - name: busybox
        image: busybox
        command: ['sh', '-c', 'echo "Writing data to /data/emptydir-volume..."; echo "Hello from Kubesimplify" > /data/emptydir-volume/hello.txt; sleep 3600']
        volumeMounts:
          - name: temp-storage
            mountPath: /data/emptydir-volume
    volumes:
      - name: temp-storage
        emptyDir: {}


The YAML configuration defines a Kubernetes pod named emptydir-pod that uses an emptyDir volume for temporary storage. A container running the busybox image executes a command to write "Hello from Kubesimplify" to a file named hello.txt at /data/emptydir-volume. This volume is created when the pod starts and exists only as long as the pod is running; all data is deleted when the pod is terminated, making it ideal for temporary storage needs.

  apiVersion: v1
  kind: Pod
  metadata:
    name: emptydir-pod
  spec:
    containers:
      - name: busybox
        image: busybox
        command: ['sh', '-c', 'echo "Writing data to /data/emptydir-volume..."; sleep 3600']
        volumeMounts:
          - name: temp-storage
            mountPath: /data/emptydir-volume
    volumes:
      - name: temp-storage
        emptyDir:
          medium: Memory
          sizeLimit: 512Mi


This pod runs a busybox container that writes data to a temporary, memory-based volume mounted at /data/emptydir-volume inside the container. The volume is limited to 512 MiB and will be deleted once the pod stops.




hostPath

A HostPath volume mounts a file or directory from the node’s filesystem (the host) into the pod, allowing the container to access or write data directly on the host.

Use case: Accessing specific files or logs on the host node.

Example:
  apiVersion: v1
  kind: Pod
  metadata:
    name: hostpath-pod
  spec:
    containers:
      - name: busybox
        image: busybox
        command: ['sh', '-c', 'echo "Writing data to /data/hostpath-volume..."; echo "Hello from Kubesimplify" > /data/hostpath-volume/hello.txt; sleep 3600']
        volumeMounts:
          - name: host-storage
            mountPath: /data/hostpath-volume
    volumes:
      - name: host-storage
        hostPath:
          path: /tmp/hostpath
          type: DirectoryOrCreate


The HostPath Volume mounts the directory /tmp/hostpath from the node's filesystem into the container at /data/hostpath-volume. The pod writes the text "Hello from Kubesimplify" to a file named hello.txt inside the container at /data/hostpath-volume/hello.txt. Since this is a HostPath volume, the file is actually created in /tmp/hostpath/hello.txt on the host node. Additionally, the data stored in the HostPath volume will persist even if the pod is deleted, as it is stored directly on the host node’s filesystem.




Persistent Volume (PV)

It is a piece of storage in a Kubernetes cluster that has been provisioned by an administrator or dynamically provisioned using Storage Classes.

PVs are cluster resources that exist independently of any individual pod and are designed for long-term data storage.

They can be backed by various types of storage systems, such as NFS, iSCSI, cloud storage (like AWS EBS, Google Persistent Disk), or local storage.

PVs have a lifecycle that is separate from the pods that use them, allowing data to persist even if pods are deleted or moved.




    Persistent Volume Claim (PVC):

A Persistent Volume Claim (PVC) is a request for storage by a user or a pod.

It specifies the desired storage size and access modes (e.g., ReadWriteOnce, ReadOnlyMany) and can also include specific storage class requirements.

When a PVC is created, Kubernetes looks for a matching PV that satisfies the request. If a suitable PV is found, it is bound to the PVC, allowing pods to use that storage.

If no matching PV is available, Kubernetes may dynamically provision a new PV if a Storage Class is specified in the PVC.





Kubernetes-part-9
Praduman Prajapati — Mon, 23 Sep 2024 18:30:00 GMT
Understanding Role-Based Access Control (RBAC) in Kubernetes
Role-Based Access Control (RBAC) is a way to manage who can do what in a system by assigning roles to users. So, instead of giving each user individual access permissions, you give them a role, and the role controls what they can or can't do. This makes it easier to manage security in big systems since you only need to change the permissions for a role, not every user.
Roles and RoleBindings are key components of the RBAC system. They control access to resources based on user roles. There are two main types of Roles and RoleBindings
Defining Roles in Kubernetes: Role vs. ClusterRole
1. Role

Limited to a specific namespace

Used to define permissions (like read, write, update, delete) on resources within a specific namespace.

Example: A role that allows access to resources like Pods, Services, and ConfigMaps within the dev namespace.



Example Role YAML
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

In this example, the pod-reader role allows the user to get, list, and watch Pods within the dev namespace.

2. ClusterRole

It defines permissions across the entire cluster

Used for cluster-wide resources like nodes or persistentvolumes, it can also be used within specific namespaces if bound with a RoleBinding

Example: A role that gives access to cluster-level resources such as nodes, storage, or the ability to manage namespaces.



Example ClusterRole YAML
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups: [""]
  resources: ["nodes", "namespaces"]
  verbs: ["get", "list", "watch", "create", "delete"]

In this example, the cluster-admin role allows access to nodes and namespaces across the entire cluster.

1. RoleBindings: Assigning Permissions in Kubernetes

Namespaced

A RoleBinding grants a Role's permissions to users, groups, or service accounts within a specific namespace. It binds a Role to a user or group in that namespace.

Example: Bind the pod-reader role to a specific user or service account in the dev namespace.



Example RoleBinding YAML
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-binding
  namespace: dev
subjects:
- kind: User
  name: praduman
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

In this example, the RoleBinding grants the user praduman the pod-reader role's permissions within the dev namespace.

2. ClusterRoleBindings: Cluster-Wide Permission Management

Cluster-wide

A ClusterRoleBinding grants a ClusterRole's permissions to users, groups, or service accounts across the entire cluster or across all namespaces.

Example: Bind the cluster-admin role to a user or group across the whole cluster.



Example ClusterRoleBinding YAML
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-binding
subjects:
- kind: User
  name: praduman
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

In this example, the ClusterRoleBinding grants the user john the cluster-admin permissions across the entire cluster.



Create a service account (sa.yaml)
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: deployment-manager

  kubectl apply -f sa.yaml

  

Create a Role (role.yaml)
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    namespace: default
    name: deployment-creator
  rules:
  - apiGroups: ["apps"]        # mention the group of resource
    resources: ["deployments"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]


verbs define what user can do

  kubectl apply -f role.yaml

  



To list all the resource types that are available in the cluster
kubectl api-resources


To see the groups & version of a specific resource
kubectl explain name>




Create RoleBinding (rb.yaml)
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: deployment-manager-binding
    namespace: default
  subjects:
  - kind: ServiceAccount
    name: deployment-manager
    namespace: default
  roleRef:
    kind: Role
    name: deployment-creator
    apiGroup: rbac.authorization.k8s.io

  kubectl apply -f rb.yaml

  

To see about how a specific resource is defined
kubectl explain 

Example: To see what we can fill inside kind section of rolebinding
kubectl explain RoleBinding.subjects.kind




Create a deployment using the service account that is created (deploy.yaml)
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: nginx-deployment
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: nginx
    template:
      metadata:
        labels:
          app: nginx
      spec:
        serviceAccountName: deployment-manager
        containers:
        - name: nginx
          image: nginx
          ports:
          - containerPort: 80

  kubectl apply -f deploy.yaml

  

Try to create the service or pod using the service account
  kubectl expose deployment nginx-deployment --port=80 --as=system:serviceaccount:default:deployment-manager

  kubectl run nginx --image=nginx --as=system:serviceaccount:default:deployment-manager

  

This will not created as we didn’t give that user permission to do this


To check if a service account can perform a task
  kubectl auth can-i create deployments --as=system:serviceaccount:default:deployment-manager
  kubectl auth can-i create secrets --as=system:serviceaccount:default:deployment-manager
  kubectl auth can-i list services --as=system:serviceaccount:default:deployment-manager

  


Admission Controllers: Ensuring Security and Compliance in Kubernetes
It validate and mutate the request coming to the API server. It is important for keeping security, rules and operations in check. They work like gatekeepers, making sure that any changes to the cluster follow the rules, whether it's about security, limits on resources, or specific business guidelines. You can use the built-in admission controllers or create custom ones with webhooks to fit your needs.
Types of Admission Controllers: Validating vs. Mutating

Validating Admission Controllers:

These controllers are used to validate incoming requests. If a request fails validation, it is rejected.

Example: You might use a validating admission controller to ensure that all Pods have certain labels or annotations.



Mutating Admission Controllers:

These controllers can modify incoming requests before they are stored. For instance, they can add default values or modify fields in the request.

Example: A mutating admission controller might automatically add resource limits to containers if they are not specified.





On creating a namespace a service account with default name is created




To create a token for a service account

before kubernetes V1.24 a token get automatically generated when we create a service account. but now we need to create it manually. For pod the token get generated automatically with the validation for 1 hour by default

  kubectl create token 

  

You can check the Token validity on jwt.io





Practical Demo: Implementing RBAC in Kubernetes

Create a namespace
  kubectl create ns praduman


Create a ServiceAccount
  kubectl create sa my-sa -n praduman


Create a Role
  kubectl create role my-role --verb=create --resource=deployments.apps -n pradumankubectl create role my-role --verb=create --resource=deployments.apps -n praduman


Create a RoleBinding
  kubectl create rolebinding my-rolebinding --role=my-role --serviceaccount=praduman:my-sa -n praduman

  

Check the permission
  

Create a token for the ServiceAccount
  kubectl create token my-sa -n praduman

  


Authenticating with Kubernetes: A Step-by-Step Demo

View Kubernetes Configuration
  kubectl config view



  Find the Cluster Name from Kubeconfig
  export CLUSTER_NAME=name>


Get the API Server Endpoint
  export APISERVER=$(kubectl config view -o jsonpath='{.clusters[0].cluster.server}')


This retrieves the URL of the Kubernetes API server from your kubeconfig file and stores it in the APISERVER environment variable.


Make a Request to the API Server
  curl --cacert /etc/kubernetes/pki/ca.crt $APISERVER/version


This curl command attempts to query the API server for its version, using the CA certificate to verify the server's identity. The --cacert option points to the CA certificate used by the Kubernetes control plane to authenticate requests.


Attempts to get a list of deployments
  curl --cacert /etc/kubernetes/pki/ca.crt $APISERVER/apis/apps/v1/deployments


However, this request will likely fail without proper authentication, as the Kubernetes API requires either a client certificate, a bearer token, or some other authentication method.


Using Client Certificates for Authentication
  Extract and decode the client certificate and key

These are base64-encoded, so they need to be decoded using base64 -d

  echo "" | base64 -d > client
  echo "" | base64 -d > key


Use the certificate and key with curl to make the request
  curl --cacert /etc/kubernetes/pki/ca.crt --cert client --key key $APISERVER/apis/apps/v1/deployments


This authenticates the request using the client certificate and key, allowing you to retrieve a list of deployments.



Validating Admission Policies with CEL in Kubernetes
Validation Admission Policies are like rules for your Kubernetes cluster. They decide if changes to the cluster are okay or not. CEL(Common Expression Language) is a special language used to write these rules. It's like a recipe book for the policy. You can customize these rules a lot. You can make them specific to certain things in your cluster or even change them based on different situations. You can use CEL to create rules that control what can and can't be done in your Kubernetes cluster. These rules can be very flexible and tailored to your specific needs.

Create a validating admission policy and validating admission policy binding

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "demo-policy.example.com"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["deployments"]
  validations:
    - expression: "object.spec.replicas <= 5"

---

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "demo-binding-test.example.com"
spec:
  policyName: "demo-policy.example.com"
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: test



Lable the namespace
  kubectl label ns default environment=test


Try to run replicas
  kubectl create deploy nginx --image=nginx --replicas=6

  


Enforcing Image Policies with ImagePolicyWebhook in Kubernetes
The ImagePolicyWebhook is an admission controller that inspects image metadata when a pod is being created. It checks the image being used in the pod, evaluates it against predefined rules, and decides whether to allow or deny the image. This is useful for enforcing security policies and ensuring that only authorized images are used in the cluster

Clone the GitHub Repository
  git clone https://github.com/saiyam1814/imagepolicy.git


This repository contains a sample implementation of the ImagePolicyWebhook


Create a Directory for the Demo
  mkdir /etc/kubernetes/demo


creates a directory at /etc/kubernetes/demo where you will store the ImagePolicyWebhook configuration and file


Copy Files to the Demo Directory
  cp -r imagepolicy/ /etc/kubernetes/demo


This command copies the imagepolicy directory to the /etc/kubernetes/demo directory. The -r flag ensures that everything inside the imagepolicy folder is copied


Navigate to the Demo Directory
  cd /etc/kubernetes/demo


Move Files to Parent Directory
  cd imagepolicy
  mv * ..
  cd ..


moving all files from the imagepolicy folder into the /etc/kubernetes/demo directory, then returning to the parent directory


View the admission.json File
  cat admission.json


This JSON file defines how the webhook interacts with the Kubernetes API server


View the Configuration File
  cat config


Edit the kube-apiserver.yaml File
  vi /etc/kubernetes/manifests/kube-apiserver.yaml


Add New Settings to Enable ImagePolicyWebhook

You need to add the following lines to the kube-apiserver.yaml file to enable the ImagePolicyWebhook

  - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
  - --admission-control-config-file=/etc/kubernetes/demo/admission.json



The first line enables the ImagePolicyWebhook admission plugin along with NodeRestriction.

The second line specifies the path to the admission.json file you created earlier, which contains webhook rules.




Configuring Volume Mounts
  volumeMounts:
    - mountPath: /etc/kubernetes/demo
      name: admission
      readOnly: true


Adding the Volume
  volumes:
  - hostPath:
      path: /etc/kubernetes/demo
    name: admission


Run an Nginx Pod to Test the Policy
  kubectl run nginx --image=nginx


If the ImagePolicyWebhook is working, it will inspect the nginx image to see if it meets the defined policies. Based on the policy logic, it will either allow or deny the creation of the pod



Conclusion

In this article, we explored the intricacies of Role-Based Access Control (RBAC) in Kubernetes, delving into the definitions and differences between Roles and ClusterRoles, as well as RoleBindings and ClusterRoleBindings. We also examined the importance of Admission Controllers in maintaining security and compliance within a Kubernetes cluster, highlighting the roles of Validating and Mutating Admission Controllers. Additionally, we discussed the implementation of RBAC through practical demos, including creating namespaces, service accounts, roles, and role bindings. Finally, we touched on advanced topics like Validating Admission Policies with CEL and enforcing image policies using ImagePolicyWebhook. By understanding and implementing these concepts, you can significantly enhance the security and manageability of your Kubernetes environments


💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub



Kubernetes-part-8
Praduman Prajapati — Sat, 21 Sep 2024 09:31:32 GMT
Understanding Kubernetes Services: A Comprehensive Guide
A Kubernetes Service is an object that helps you expose an application running in one or more Pods in your cluster. Since pod IP addresses can change when pods are created or destroyed, a service provides a stable IP that doesn't change. This ensures that both internal and external users can always connect to the right application, even if the pods behind it are constantly changing. By default the service that is created is clusterIP, it is useful for communication within the cluster.

To create a service (default: ClusterIP)
  kubectl expose  --port=80


To see the services
  kubectl get svc -owide

  


What Are Endpoints in Kubernetes?
Endpoints are objects that list the IP addresses and ports of the pods associated with a specific service. When you create a service in Kubernetes, it uses a selector to determine which pods it should communicate with. The Endpoints object automatically updates as pods are added or removed, ensuring that the service always knows where to send traffic. It play a crucial role in connecting services to the pods they manage.

Viewing Endpoints
kubectl get endpoints 



Exploring Different Types of Kubernetes Services

ClusterIP

NodePort

LoadBalancer

ExternalName

Headless

ExternalDNS


Networking Fundamentals in Kubernetes: A Deep Dive
Inside each node, there's always a veth(Virtual Ethernet) pair for networking. When a pod runs, a special container called the pause container is also created. For example, if you create a pod with two containers, like busybox and nginx, there will actually be three containers: the two you defined and the pause container. The pod gets its own IP, and this IP is connected to an interface called eth0(Ethernet interface) inside the pod using CNI.

Create a multi-container pod (mcp.yml)
  apiVersion: v1
  kind: Pod
  metadata:
    name: shared-namespace
  spec:
    containers:
      - name: p1
        image: busybox
        command: ['/bin/sh', '-c', 'sleep 10000']
      - name: p2
        image: nginx

  kubectl apply -f mcp.yml

  

To see the pod’s IP
  kubectl get pod shared-namespace -owide

  

Check the node where the pod is running and SSH into it
  ssh node01

  

To view the network namespaces created
  ip netns list

  

To find the pause container
  lsns | grep nginx

  

Get details of the pause container's namespaces (net, ipc, uts)
  lsns -p 

  

To check the list of all network namespaces
  ls -lt /var/run/netns

  

Exec into the namespace or into the pod to see the ip link
  ip netns exec  ip link
  kubectl exec -it  -- ip addr

  

Find the veth Pair

Once you run the above command, you may see an interface with a name like eth@9. The number after @ represents the identifier of the virtual Ethernet (veth) pair interface.

To find the corresponding link on the Kubernetes node, you can search using this identifier. For example, if the number is 9, run the following on the node




    ip link | grep -A1 ^9


This will show the details of the veth pair on the node


Inter Node communication
  



Here, Traffic(packet) goes to eth0 and then veth1 acts as tunnel and traffic goes to root namespace and bridge resolve the destination address using the ARP table then Veth1 send traffic(packet) to pod B. This all only happens if there is a single node


StatefulSet: Managing Stateful Applications in Kubernetes
It helps manage stateful applications where each pod needs a unique identity and keeps its own data. It makes sure pods are started, updated, and stopped one by one, in a set order. Each pod has a fixed name and can keep its data even if it is restarted or moved to another machine. This is useful for apps like databases, where data and order matter.
Key Differences Between Deployments and StatefulSets




Feature Deployment StatefulSet



Use Case For stateless applications For stateful applications

Pod Identity Pods are interchangeable and do not have stable identities Pods have unique, stable identities (e.g., pod-0, pod-1)

Storage Typically uses ephemeral storage, data is lost when a pod is deleted Each pod can have its own persistent volume attached

Scaling Behavior Pods are scaled simultaneously and in random order Pods are scaled sequentially (e.g., pod-0 before pod-1)

Pod Updates All pods can be updated concurrently Pods are updated sequentially, ensuring one pod is ready before moving to the next

Order of Pod Creation/Deletion No specific order in pod creation or deletion Pods are created/deleted in a specific order (e.g., pod-0, pod-1)

Network Identity Uses a ClusterIP service, no stable network identity Typically uses a headless service, giving each pod a stable network identity

Examples Microservices, stateless web apps Databases (MySQL, Cassandra), distributed systems requiring unique identity or stable storage

Use of Persistent Volumes Persistent volumes are shared across pods (if needed) Each pod gets a dedicated persistent volume



The Service that is created in StatefulSet is the ClusterIP: none i.e., (headless service)


StatefulSet example for deploying a MySQL database in Kubernetes
  apiVersion: apps/v1
  kind: StatefulSet
  metadata:
    name: mysql
  spec:
    serviceName: "mysql-service"
    replicas: 3
    selector:
      matchLabels:
        app: mysql
    template:
      metadata:
        labels:
          app: mysql
      spec:
        containers:
        - name: mysql
          image: mysql:5.7
          ports:
          - containerPort: 3306
            name: mysql
          volumeMounts:
          - name: mysql-storage
            mountPath: /var/lib/mysql
    volumeClaimTemplates:
    - metadata:
        name: mysql-storage
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi


Each pod will have its own persistent storage (mysql-storage).

Pods will have stable network names (mysql-0, mysql-1, etc.), and their data will persist even if they restart.



Create a StatefulSet
  cat < | kubectl apply -f -
  apiVersion: apps/v1
  kind: StatefulSet
  metadata:
  name: postgres
  spec:
  serviceName: "postgres"
  replicas: 3
  selector:
  matchLabels:
  app: postgres
  template:
  metadata:
  labels:
  app: postgres
  spec:
  containers:
  - name: postgres
  image: postgres:13
  ports:
  - containerPort: 5432
  name: postgres
  env:
  - name: POSTGRES_PASSWORD
  value: "example"
  volumeMounts:
  - name: postgres-storage
  mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
  - metadata:
  name: postgres-storage
  spec:
  accessModes: [ "ReadWriteOnce" ]
  resources:
  requests:
  storage: 1Gi
  EOF

  

A persistent volume and persistent volume claim is also created
  kubectl get pv

  
  kubectl get pvc

  

Check for pods that is created
  

Create a service (svc.yml)
  apiVersion: v1
  kind: Service
  metadata:
    name: postgres
    labels:
      app: postgres
  spec:
    ports:
    - port: 5432
      name: postgres
    clusterIP: None
    selector:
      app: postgres

  
  

Increase the replicas and you will see the each pod have a ordered and fixed name
  kubectl scale statefulset postgres --replicas=6

  kubectl get pod

  

If you delete a pod a new pod with the same name again created
  kubectl delete pod postgres-3

  

Check if the service is working or not
  kubectl exec -it postgres-0 -- psql -U postgres



NodePort: Exposing Your Kubernetes Application
A NodePort is a way to let people from outside the cluster access your app. It opens a specific port on every node in the cluster, allowing you to reach the app using the node's IP and the assigned port. This port is a number in the range 30000–32767. You can access your application by visiting :, where NodeIP is the IP address of any node in the cluster, and NodePort is the port assigned by Kubernetes.
Where it's useful ?

For testing and development: You can quickly share access to apps without need of extra networking setup.

For small or internal projects: If a company doesn't use cloud-based load balancers or advanced setups, NodePort is a simple solution to expose an app.



YAML configuration for a NodePort service that exposes an nginx deployment or pod
apiVersion: v1
kind: Service
metadata:
  name: nginx-nodeport
  labels:
    app: nginx
spec:
  type: NodePort  # Specify the service type as NodePort
  selector:
    app: nginx  # This must match the labels of the nginx pods
  ports:
    - protocol: TCP
      port: 80  # The port the service will listen on
      targetPort: 80  # The port the nginx container is listening on
      nodePort: 30008  # NodePort exposed (optional, Kubernetes can assign one if omitted)


Create a Pod and expose it using NodePort service
kubectl run nginx --image=nginx
kubectl expose pod nginx --type=NodePort --port 80


Access the Server http://192.168.1.4:32613


Check NodePort and KUBE Rules

to check the rules in the iptables firewall configuration related to Kubernetes NodePort services

  sudo iptables -t nat -L -n -v | grep -e NodePort -e KUBE

  

Check Specific NodePort Rules
  sudo iptables -t nat -L -n -v | grep 32613

  

This indicates that traffic coming to port 32613 (your NodePort) is being redirected properly to the appropriate service.



LoadBalancer: Making Your Application Public
It allows your application to be accessible to the public over the internet. When you create a service of this type, Kubernetes asks your cloud provider (like AWS, GCP, or Azure) to set up a load balancer automatically.
This service type is ideal when you want to expose an application, such as a web server, to users outside your cluster. The cloud provider provides an external IP address, which users can use to access your application.
The load balancer automatically distributes incoming traffic to all the pods running the service. This helps spread the traffic evenly and avoid overloading any single pod.

LoadBalancer YAML file
apiVersion: v1
kind: Service
metadata:
  name: nginx-loadbalancer
spec:
  type: LoadBalancer  # This makes it a LoadBalancer service
  selector:
    app: nginx  # This selects the nginx pods
  ports:
    - protocol: TCP
      port: 80         # Exposes port 80 (HTTP) to the public
      targetPort: 80   # The port on the nginx container

How It Works:

You create the LoadBalancer service.

Kubernetes communicates with the cloud provider, and a load balancer is created.

The load balancer assigns an external IP address.

Traffic from the external IP is sent to your service, which distributes it to the nginx pods.




Creating a LoadBalancer service in minikube
  kubectl run nginx --image=nginx
  kubectl expose pod nginx --type=LoadBalancer --port=80

  

Creates a network tunnel, making your LoadBalancer service accessible
  minikube tunnel

  
  

Access the Service at External-ip
  


Why Avoid LoadBalancer in Production?

Cost: LoadBalancers can be expensive, as cloud providers charge for them.

Scalability Problems: They might struggle with sudden increases in traffic.

Single Point of Failure: If the LoadBalancer fails, all services using it can go down.

Limited Flexibility: They have fixed rules, making it hard to manage complex traffic needs.

Performance Delays: They can add extra time (latency) to how quickly users access your services.

Dependence on Cloud Services: If the cloud provider has issues, your services might become unavailable.

Complex Setup: Managing LoadBalancers can complicate your system, especially with multiple clusters.


Alternatives to LoadBalancer for Kubernetes

Ingress Controllers: These are cheaper and allow more flexible traffic management.

Service Mesh: They help manage traffic and improve observability without needing a LoadBalancer.


ExternalName: Mapping Services to External DNS Names
The ExternalName service type is a special kind of service in Kubernetes that allows you to map a service to an external DNS name. Instead of using a cluster IP, it returns a CNAME record with the specified external name. We use it when we need to communicate to an external service (like external API or database) without changing your application code. Using this we can also communicate with services that is present in other namespaces.

Example: Two services within two other namespaces communicate with each other
Use This file to get the Sourcecode


Create two namespace
  kubectl create ns database-ns
  kubectl create ns application-ns


Create the database pod and service
  
  
  kubectl apply -f db.yaml
  kubectl apply -f db_svc.yaml


Create ExternalName service
  
  kubectl apply -f externam-db_svc.yaml


Create Application to access the service Docker build
  docker build --no-cache --platform=linux/amd64 -t ttl.sh/saiyamdemo:1h .


Create the pod
  
  kubectl apply -f apppod.yaml


Check the pod logs to see if the connection was successful
  kubectl logs my-application -n application-ns



Ingress: Controlling User Access to Kubernetes Applications
It is a way to control how users access your applications running in Kubernetes. Think of it as a gatekeeper that directs traffic to the right place. To use ingress we firstly need to deploy an Ingress Controller on the cluster and the Ingress are implemented through Ingress Controller. Ingress controllers are the open source project of many companies such as NGINX, Traefik, Istio Ingress, etc.
Now, we create a service using ClusterIP and a resource using Ingress. User request firstly goes to ingress controller then ingress controller send it to ingress then after it goes to the clusterIP service configured by us and at last it goes to the pod. Here we deploy Ingress Controller as the LoadBalancer.
Why Use Ingress?

Single Address: Instead of having different addresses for each app, you can use one address for everything.

Routing by URL: You can send users to different apps based on the URL they visit. For example, /app1 goes to one app and /app2 goes to another.

Secure Connections: Ingress can handle secure connections (HTTPS) easily, so your apps are safe to use.

Balancing Traffic: It spreads out incoming traffic evenly, so no single app gets overloaded.



Example
Imagine you have two apps:

A website

An API


You can set up Ingress to route traffic like this:

If someone goes to /, they get the website.

If they go to /api, they get the API.


Here’s how you might set it up:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  rules:
  - host: "my-app.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: website-service
            port:
              number: 80
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80



Create a deployment (deploy.yaml)
  apiVersion: apps/v1
  kind: Deployment
  metadata:
     name: nginx-deployment
  spec:
     replicas: 1
     selector:
     matchLabels:
        app: nginx
     template:
        metadata:
           labels:
             app: nginx
        spec:
           containers:
           - name: nginx
             image: nginx:latest
             ports:
             - containerPort: 80
             volumeMounts:
             - name: config-volume
               mountPath: /etc/nginx/nginx.conf
               subPath: nginx.conf  # Ensure this matches the filename in the ConfigMap
             volumes:   
             - name: config-volume
               configMap:
               name: nginx-config

  kubectl apply -f deploy.yaml


Create a clusterIP service (svc.yaml)
  apiVersion: v1
  kind: Service
  metadata:
     name: nginx-service
  spec:
     selector:
        app: nginx
      ports:
      - protocol: TCP
        port: 80
        targetPort: 80

  kubectl apply -f svc.yaml


verify the service is created
  kubectl get svc


Create a nginx.conf file
  user  nginx;
  worker_processes  auto;

  error_log  /var/log/nginx/error.log notice;
  pid        /var/run/nginx.pid;

  events {
  worker_connections  1024;
  }

  http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';

  access_log  /var/log/nginx/access.log  main;

  sendfile        on;
  #tcp_nopush     on;

  keepalive_timeout  65;

  #gzip  on;

  server {
  listen       80;
  server_name  localhost;

  location / {
  root   /usr/share/nginx/html;
  index  index.html index.htm;
  }

  location /public {
  return 200 'Access to public granted!';
  }

  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
  root   /usr/share/nginx/html;
  }
  }
  }


Create a ConfigMap
  kubectl create configmap nginx-config --from-file=nginx.conf


Access the server
  curl 

  
  



Now we need to access this application from outside the cluster without using NodePort and LoadBalancer service


Install Ingress controller first
  kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.9.4/deploy/static/provider/cloud/deploy.yaml


Create a Ingress object (ingress.yaml)
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: bootcamp
  spec:
    ingressClassName: nginx
    rules:
    - host: "kubernetes.hindi.bootcamp"
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: nginx-service
              port:
                number: 80
        - path: /public 
          pathType: Prefix
          backend:
            service:
              name: nginx-service
              port:
                number: 80


ssh onto the node where the pod is deployed and the change the /etc/hosts file
  # add this in file
   
   kubernets.hindi.bootcamp

  
  
  

Now apply the create ingress.yaml file
  kubectl apply -f ingress.yaml

  
  

We need to connect user to the ingress controller
  
  curl kubernetes.hindi.bootcamp:30418

  
  
  


ExternalDNS: Connecting Kubernetes to DNS Providers
ExternalDNS is a Kubernetes-native solution that automatically manages DNS records for services and ingress resources within Kubernetes clusters. It simplifies the process of associating a Kubernetes service with a domain name, ensuring that services deployed in Kubernetes are easily accessible from outside the cluster via friendly domain names rather than IP addresses.
How ExternalDNS Works
ExternalDNS continuously monitors Kubernetes resources such as Service and Ingress objects. It then communicates with a DNS provider to ensure that the corresponding DNS records reflect the current state of the Kubernetes cluster. The typical workflow is as follows:

Service or Ingress Resource Created: When a new service or ingress resource is deployed in Kubernetes, it usually exposes an external IP or hostname.

DNS Record Creation: ExternalDNS detects the new service and automatically creates the corresponding DNS record in the external DNS provider (e.g., AWS Route 53).

Dynamic Updates: If the service’s external IP changes (e.g., due to a rolling update or scaling event), ExternalDNS updates the DNS record accordingly.

Resource Deletion: When a service or ingress resource is removed, ExternalDNS also deletes the associated DNS records.


Use Cases for ExternalDNS

Public Service Exposure: ExternalDNS is ideal for exposing services running inside Kubernetes clusters to the public via user-friendly domain names.

Multi-Cloud Deployments: In multi-cloud environments, ExternalDNS helps manage DNS across different cloud platforms, ensuring consistent access to services regardless of the underlying infrastructure.

Blue-Green Deployments: When performing blue-green or canary deployments, ExternalDNS can help dynamically switch DNS records as traffic is gradually routed to new versions of an application.

Private DNS Management: For internal DNS setups, ExternalDNS can manage private DNS records for services in a non-public namespace, ensuring services are accessible within a private network.


Conclusion

In this article, we explored various aspects of Kubernetes, including services, networking fundamentals, StatefulSets, and different types of services like NodePort, LoadBalancer, ExternalName, Ingress, and ExternalDNS. We delved into the specifics of how each service type functions, their use cases, and provided practical examples to illustrate their implementation. Understanding these components is crucial for effectively managing and deploying applications in a Kubernetes environment. By mastering these concepts, you can ensure your applications are scalable, resilient, and efficiently managed within your Kubernetes clusters.


💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub



A Complete Guide to Terraform: Automate Your Infrastructure
Praduman Prajapati — Thu, 19 Sep 2024 18:45:08 GMT
Why Use Terraform for Infrastructure as Code (IaC)?
Imagine you’re a DevOps engineer and you’re assigned a simple task to create an S3 bucket in AWS. Normally, you would log in to your AWS account, search for the S3 service, and manually create the bucket by filling in the necessary details. This works fine if you're only creating one bucket.
But what if you need to create 100 or even 1,000 S3 buckets? Doing this manually would take a lot of time and effort. In situations like this, you’d want a more programmatic approach—using the AWS CLI or scripting to interact with AWS APIs. With these tools, you could create all the required buckets in seconds. However, this requires good programming knowledge, and things get complicated when you need to create multiple resources together, like a VPC, EC2 instances, and S3 buckets.
To address these challenges, cloud providers offer Infrastructure as Code (IaC) tools. These tools let you define your infrastructure in code, using formats like YAML or JSON, and automate the provisioning of resources. AWS, for example, provides CloudFormation, which allows you to define AWS resources in templates.
Here are some examples of IaC tools:

AWS CloudFormation (for AWS)

Azure Resource Manager (for Azure)

Heat Template (for OpenStack)


Why Terraform?
With so many IaC tools available, why use Terraform? The answer lies in its flexibility and universal approach.
Let’s say you’re working with AWS and using CloudFormation, but later you switch to an organization that uses Azure. You would then need to learn Azure’s IaC tool. While you can certainly learn these tools, it can be a complex and time-consuming process.
Terraform solves this problem by providing a cloud-agnostic IaC tool. It allows you to manage infrastructure across multiple cloud platforms using a single language—HashiCorp Configuration Language (HCL). This means you don’t need to learn different IaC tools for different clouds. Just learn Terraform, and you can work with any cloud provider.
This is why Terraform has become such a popular and essential tool for DevOps and cloud engineers.


Install Terraform & aws cli on your system using official documentation

How to Configure AWS CLI with Access Keys

Go to your AWS account and find the secuirity credentials option
  

Inside Security Credentials, create a new Access Key. This will provide you with an Access Key ID and a Secret Access Key
  

Open your terminal and run the following command
  aws configure


You will be prompted to enter the Access Key ID and Secret Access Key. Paste the keys you just created to connect your AWS account to the CLI


To ensure everything is working, run
  aws s3 ls


This command will list all the S3 buckets in your AWS account

  


Create an EC2 instance using terraform

Create a Terraform Configuration File (main.tf)
  provider "aws" {
      region = "us-east-1"  # Set your desired AWS region
  }

  resource "aws_instance" "example" {
      ami           = "ami-0c55b159cbfafe1f0"  # Specify an appropriate AMI ID
      instance_type = "t2.micro"

  

Run the following command to initialize your Terraform project
  terraform init

  This command prepares the working directory by downloading the necessary provider plugins (in this case, for AWS) and setting up the environment


Preview Changes Using terraform plan
  terraform plan

  This command will show you the "execution plan"—detailing what resources Terraform will create, modify, or destroy. It helps you confirm that everything looks correct before applying changes
  

Apply Changes Using terraform apply
  terraform apply

  It is used to execute the changes described in your configuration files and actually create, modify, or delete infrastructure resources. After running terraform plan to preview the changes, terraform apply makes those changes happen

If you encounter an error like this

This happens because the AMI ID provided may not be valid in your AWS region


To resolve this Error

Go to your AWS account

In the EC2 Dashboard, search for a valid AMI ID

Copy the correct AMI ID

Replace the invalid AMI ID in the main.tf file with the correct one




    
    

Once you have the correct AMI ID, run the terraform apply command again to create the EC2 instance
  

If the command runs successfully, an EC2 instance will be created in your AWS account



Run terraform destroy to delete all infrastructure resources that Terraform has created and is managing. This command will remove everything that is defined in your state file, essentially tearing down your entire infrastructure
  


Terraform State
Terraform keeps a file called a "state file" that stores the current setup of your infrastructure. This file helps Terraform figure out what changes need to be made by comparing the setup you want with what already exists. It uses this information to apply updates correctly.

Terraform Providers
In Terraform, providers are plugins that allow Terraform to communicate with cloud platforms, services, or other APIs. Providers essentially tell Terraform which services to interact with, such as AWS, Azure, Google Cloud, etc.
When setting up infrastructure, you define providers in your configuration file using the provider block. This tells Terraform what cloud services you are going to use and sets necessary parameters such as region or authentication information.
Some examples of providers:

azurerm - for Azure

google - for Google Cloud Platform

kubernetes - for Kubernetes

openstack - for OpenStack

vsphere - for VMware vSphere



Single Provider Example (AWS)
If you want to use Terraform to manage infrastructure on AWS, you first define the AWS provider
provider "aws" {
  region = "us-east-1"  # Specify the AWS region
}

Here, the region us-east-1 is specified, which tells Terraform that resources should be created in the US East region.

Multiple Region Setup
Terraform supports setting up resources across multiple regions within the same cloud provider by using the alias keyword. This allows you to define multiple instances of the same provider, each targeting a different region.
provider "aws" {
  alias  = "us-east-1"  # Alias to identify this provider instance
  region = "us-east-1"
}

provider "aws" {
  alias  = "us-west-2"  # Alias for another region
  region = "us-west-2"
}

resource "aws_instance" "east_instance" {
  ami           = "ami-0123456789abcdef0"
  instance_type = "t2.micro"
  provider      = "aws.us-east-1"  # Use the east region provider
}

resource "aws_instance" "west_instance" {
  ami           = "ami-0123456789abcdef0"
  instance_type = "t2.micro"
  provider      = "aws.us-west-2"  # Use the west region provider
}



You can check the ec2 instance is created in both us-east-1 & us-west-2 region




In this example

Two provider blocks are created for AWS, one for the US East region and one for the US West region.

The alias keyword helps Terraform distinguish between different instances of the same provider.

Each resource (EC2 instance) is tied to a specific provider using the provider attribute.ami-0123456789abcdef0



Multi-Cloud Setup
Terraform allows you to use multiple providers in one project, enabling you to manage infrastructure across different cloud platforms simultaneously. Here's how you can set this up ?

Create a providers.tf File
  Begin by creating a providers.tf file in the root directory of your Terraform project. This file will define the cloud providers that you want to use.

Define Providers in providers.tf
  In the providers.tf file, define the providers for AWS and Azure.
  provider "aws" {
    region = "us-east-1"
  }

  provider "azurerm" {
    subscription_id = "your-azure-subscription-id"
    client_id       = "your-azure-client-id"
    client_secret   = "your-azure-client-secret"
    tenant_id       = "your-azure-tenant-id"
  }


This configuration sets up AWS and Azure as providers in your project. Replace the placeholder values with your actual credentials.


Use Providers in Resource Definitions
  Once you've configured the providers, you can create resources in AWS and Azure within the same project.
  resource "aws_instance" "example" {
    ami           = "ami-0123456789abcdef0"
    instance_type = "t2.micro"
  }

  resource "azurerm_virtual_machine" "example" {
    name     = "example-vm"
    location = "eastus"
    size     = "Standard_A1"
  }


In this example

An EC2 instance is provisioned in AWS using the aws_instance resource.

A virtual machine is provisioned in Azure using the azurerm_virtual_machine resource.





Terraform Variables
Terraform variables make your configuration more dynamic, reusable, and flexible. Instead of hardcoding values directly in your code, you define variables that can be reused across your configuration. This makes it easier to adapt the same infrastructure for different environments or teams.
Types of Variables

Input Variables
 It allow you to parameterize your Terraform configurations. This means you can pass values into your modules or configurations from the outside (for example, when running terraform apply). Input variables can be defined at both the module level and the root level.

Defining Input Variables
You can define an input variable in Terraform like this
variable "instance_type" {
  description = "EC2 instance type"  # A description for documentation
  type        = string               # The expected type (string, number, list, etc.)
  default     = "t2.micro"           # Default value if not provided
}

This block defines an input variable instance_type, which can be set when running the configuration, or it will use the default value of "t2.micro" if not provided
Using Input Variables
After defining a variable, you can reference it using the var keyword inside your configuration
resource "aws_instance" "example_instance" {
  ami           = var.ami_id         # Referencing the variable value
  instance_type = var.instance_type  # Referencing another variable
}

When you run terraform apply, you can pass the value of the input variables through the command line or in a .tfvars file


Output Variables
 Output variables are used to display values after the execution of a configuration. These are useful for retrieving key information from your infrastructure, such as the IP address of a created instance or resource IDs.

Defining Output Variables
You can define an output variable like this
output "public_ip" {
  description = "Public IP address of the EC2 instance"
  value       = aws_instance.example_instance.public_ip  # The value to output
}

In this case, after Terraform finishes creating the EC2 instance, it will display the public IP address of the instance as part of the output



Organizing Terraform Files
When working on large projects, it’s important to organize your Terraform files for better readability and maintenance. A typical structure might look like this:

providers.tf: Contains provider configurations.

variables.tf: Defines all input variables.

outputs.tf: Defines output variables.

main.tf: Contains the core infrastructure resources.


For projects involving multiple environments (development, production, staging), use a terraform.tfvars file to separate the actual values of the variables
Conditional Expressions
Conditional expressions in Terraform allow you to define dynamic behavior based on conditions. They work similarly to ternary operators (? :) in programming languages. You can use them to decide whether resources should be created or how they should be configured based on variable values or other conditions.
Syntax of Conditional Expressions
The syntax of a conditional expression in Terraform is
condition ? true_value : false_value

This evaluates the condition. If it’s true, it returns the true_value, otherwise, it returns the false_value.
Conditional Resource Creation
You can conditionally create resources using the count attribute:
resource "aws_instance" "example" {
  count = var.create_instance ? 1 : 0  # Create instance if create_instance is true

  ami           = "ami-0123456789abcdef0"
  instance_type = "t2.micro"
}

In this example, the instance will only be created if the variable create_instance is set to true. If false, Terraform will create 0 instances.
Conditional Resource Configuration
You can use conditional expressions within resource configuration blocks to dynamically adjust settings:
resource "aws_security_group" "example" {
  name        = "example-sg"
  description = "Example security group"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.enable_ssh ? ["0.0.0.0/0"] : []  # Conditionally allow SSH
  }
}

In this example, SSH access is only allowed if the variable enable_ssh is set to true. Otherwise, the security group won’t allow any incoming SSH connections.
Terraform Built-in Functions
Terraform has a set of built-in functions that make it easier to manipulate and transform data in your configuration. These functions allow you to perform operations on lists, strings, and maps
Common Built-in Functions

concat(list1, list2, ...) Combines multiple lists into a single list.
 variable "list1" {
   type    = list
   default = ["a", "b"]
 }

 variable "list2" {
   type    = list
   default = ["c", "d"]
 }

 output "combined_list" {
   value = concat(var.list1, var.list2)  # Returns ["a", "b", "c", "d"]
 }


element(list, index) Retrieves an element from a list based on the given index.
 variable "my_list" {
   type    = list
   default = ["apple", "banana", "cherry"]
 }

 output "selected_element" {
   value = element(var.my_list, 1)  # Returns "banana"
 }


length(list) Returns the number of elements in a list.
 variable "my_list" {
   type    = list
   default = ["apple", "banana", "cherry"]
 }

 output "list_length" {
   value = length(var.my_list)  # Returns 3
 }


lookup(map, key) Retrieves the value from a map by the specified key.
 variable "my_map" {
   type    = map
   default = {
     name  = "Alice"
     age   = 25
   }
 }

 output "value" {
   value = lookup(var.my_map, "name")  # Returns "Alice"
 }


join(separator, list) Joins the elements of a list into a single string, separated by the specified separator.
 variable "my_list" {
   type    = list
   default = ["apple", "banana", "cherry"]
 }

 output "joined_string" {
   value = join(", ", var.my_list)  # Returns "apple, banana, cherry"
 }




Module in Terraform
In Terraform, modules are like building blocks that help organize and reuse your infrastructure code. Instead of writing the same code over and over, you can group related resources into a module and use it multiple times. It make your Terraform setup easier to manage, reuse, and scale without duplicating code.

Provisioners in Terraform



Kubernetes-part-7
Praduman Prajapati — Tue, 17 Sep 2024 16:05:37 GMT
Understanding ConfigMap: Simplify Your Kubernetes Configuration Management
It is used to store non-confidential configuration data in key-value pairs. It keep configuration separate from the application code, that makes it easier to manage and update without redeploying the entire application

Example 1: Passing Database User to MySQL Pod Using ConfigMap


Create the ConfigMap (cm1.yaml): The ConfigMap will contain the database user and password
  # cm1.yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: bootcamp-configmap
  data:
    username: "saiyam"
    database_name: "exampledb"

  kubectl apply -f cm1.yaml


Create the Pod (pod1.yaml): The Pod will run a MySQL container and use the environment variables from the ConfigMap
  # pod1.yaml
  apiVersion: v1
  kind: Pod
  metadata:
    name: mysql-pod
  spec:
    containers:
    - name: mysql
      image: mysql:5.7
      env:
        - name: MYSQL_USER
          valueFrom:
            configMapKeyRef:
              name: bootcamp-configmap
              key: username
        - name: MYSQL_DATABASE
          valueFrom:
            configMapKeyRef:
              name: bootcamp-configmap
              key: database_name
        - name: MYSQL_PASSWORD
          value: demo123  # Specify a strong password.
        - name: MYSQL_ROOT_PASSWORD
          value: demo345 # You should change this value.
      ports:
        - containerPort: 3306
          name: mysql
      volumeMounts:
        - name: mysql-storage
          mountPath: /var/lib/mysql
    volumes:
      - name: mysql-storage
        emptyDir: {}

   kubectl apply -f pod1.yaml


Access the MySQL Pod: Once the Pod is running, connect to the MySQL container and verify the user setup
  kubectl exec -it mysql-pod -- mysql -u root -p


If asks for password , Use that defined in the ConfigMap


Run MySQL Commands: Inside the MySQL prompt, run the following commands to verify the users and databases:
  SELECT user FROM mysql.user;
  SHOW DATABASES;




Example 2: Managing Dev/Prod Properties with ConfigMap


Create the ConfigMap (cm2.yaml)
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: app-config-dev
  data:
    settings.properties: |
      # Development Configuration
      debug=true
      database_url=http://dev-db.example.com
      featureX_enabled=false

  ---

  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: app-config-prod
  data:
    settings.properties: |
      # Production Configuration
      debug=false
      database_url=http://prod-db.example.com
      featureX_enabled=true

  kubectl apply -f cm2.yaml


Create the Pod (pod2.yaml)
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: my-web-app
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: my-web-app
    template:
      metadata:
        labels:
          app: my-web-app
      spec:
        containers:
        - name: web-app-container
          image: nginx  
          ports:
          - containerPort: 80
          env:
          - name: ENVIRONMENT
            value: "development"  
          volumeMounts:
          - name: config-volume
            mountPath: /etc/config
        volumes:
        - name: config-volume
          configMap:
            name: app-config-dev

  kubectl apply -f pod2.yaml


Verify the ConfigMap is Mounted: After the Pod is running, you can check if the settings.properties file has been correctly mounted and read its contents
  kubectl exec -it app-pod -- cat /etc/config/settings.properties

  This should display the content of the settings.properties file:
  # Development Configuration
  debug=true
  database_url=http://dev-db.example.com
  featureX_enabled=false


Switch to Production: To use the production configuration instead, update the Deployment to mount app-config-prod.
  Change this part in pod2.yaml:
  configMap:
    name: app-config-prod

  Reapply the deployment
  kubectl apply -f pod2.yaml

  Now, if you check the configuration inside the pod, you’ll see the production settings:
  # Production Configuration
  debug=false
  database_url=http://prod-db.example.com
  featureX_enabled=true




Example 3: Accessing ConfigMap Programmatically with Python


read_config.py: This Python script reads and prints the contents of the app-config ConfigMap in the default namespace
  from kubernetes import client, config

  def main():
      # Load the Kubernetes configuration
      config.load_incluster_config()

      v1 = client.CoreV1Api()
      config_map_name = 'app-config'
      namespace = 'default'

      try:
          # Read the ConfigMap
          config_map = v1.read_namespaced_config_map(config_map_name, namespace)
          print("ConfigMap data:")
          for key, value in config_map.data.items():
              print(f"{key}: {value}")
      except client.exceptions.ApiException as e:
          print(f"Exception when calling CoreV1Api->read_namespaced_config_map: {e}")

  if __name__ == '__main__':
      main()


Dockerfile: This Dockerfile builds the image that runs the Python script.
  # Use a lightweight Python image
  FROM python:3.8-slim

  # Install the Kubernetes Python client
  RUN pip install kubernetes

  # Copy the Python script
  COPY read_config.py /read_config.py

  # Set the command to run the script
  CMD ["python", "/read_config.py"]


Build the Docker Image: Build the Docker image using the provided Dockerfile and push it to a public image registry (in this case, ttl.sh)
  docker build -t ttl.sh/hindi-boot:1h .
  docker push ttl.sh/hindi-boot:1h


app.yaml: This YAML file defines all the Kubernetes resources: the ConfigMap, Deployment, Role, and RoleBinding.
  # ConfigMap storing some example properties
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: app-config
    namespace: default
  data:
    example.property: "Hello, world!"
    another.property: "Just another example."
  ---
  # Deployment to run the Python script in a pod
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: config-reader-deployment
    namespace: default
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: config-reader
    template:
      metadata:
        labels:
          app: config-reader
      spec:
        containers:
        - name: config-reader
          image: ttl.sh/hindi-boot:1h
          imagePullPolicy: Always
  ---
  # Role granting read access to ConfigMaps in the default namespace
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    namespace: default
    name: config-reader
  rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  ---
  # RoleBinding to attach the Role to the default ServiceAccount
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: read-configmaps
    namespace: default
  subjects:
  - kind: ServiceAccount
    name: default 
    namespace: default
  roleRef:
    kind: Role
    name: config-reader
    apiGroup: rbac.authorization.k8s.io


Apply the Kubernetes Resources: Deploy the ConfigMap, Deployment, and RBAC resources to Kubernetes.
  kubectl apply -f app.yaml


Check the Logs: After the pod is running, you can check the logs to see if the ConfigMap has been read successfully.
  kubectl logs -l app=config-reader

  The output should display the content of the ConfigMap
  ConfigMap data:
  example.property: Hello, world!
  another.property: Just another example.



Secrets in Kubernetes: Securely Manage Sensitive Information
When deploying applications in Kubernetes, you often need to handle sensitive information such as passwords, API keys, or tokens. Storing these directly in your code or configuration files can be insecure. Kubernetes Secrets provide a way to securely store and manage sensitive information.
Unlike ConfigMaps (which store non-sensitive configuration data), Secrets are designed for security. They store data in an encoded format (Base64) and can be mounted into Pods or accessed as environment variables.
Types of Kubernetes Secrets: Opaque, TLS, and Docker Registry

Opaque Secret: General-purpose secret, commonly used for storing credentials.

TLS Secret: Specifically for storing SSL/TLS certificates.

Docker Registry Secret: For storing Docker registry credentials, used for pulling private images.


Example 1: Creating a Kubernetes Secret Using YAML


Encode your values in Base64
  echo -n 'my-db-username' | base64
  echo -n 'my-db-password' | base64

  This will return
  bXktZGItdXNlcm5hbWU=
  bXktZGItcGFzc3dvcmQ=


Create the Secret YAML file (secret.yaml)
  apiVersion: v1
  kind: Secret
  metadata: 
    name: db-secret
  type: opaque
  data: 
    username: bXktZGItdXNlcm5hbWU=
    password: bXktZGItcGFzc3dvcmQ=

  Apply the secret
  kubectl apply -f secret.yaml


To view the secret
  kubectl get secret


To decrypt the encrypted data
  echo "put-encrypted-data" | base64 -d




Example 2: Creating a Kubernetes Secret from the Command Line
kubectl create secret generic db-secret \
  --from-literal=username=my-db-username \
  --from-literal=password=my-db-password

Using Secrets in a Pod: Environment Variables and Volume Mounts
Once the Secret is created, you can use it in a Pod as either environment variables or mounted as files

Example: Using a Secret as Environment Variables
  apiVersion: v1
  kind: Pod
  metadata:
    name: db-app
  spec:
    containers:
    - name: app-container
      image: my-app:latest
      env:
      - name: DB_USERNAME
        valueFrom:
          secretKeyRef:
            name: db-secret
            key: username
      - name: DB_PASSWORD
        valueFrom:
          secretKeyRef:
            name: db-secret
            key: password


Here, the username and password from the Secret are injected into the container as environment variables


Example: Mounting a Secret as a Volume
  apiVersion: v1
  kind: Pod
  metadata:
    name: app-with-secret
  spec:
    containers:
    - name: app-container
      image: my-app:latest
      volumeMounts:
      - name: secret-volume
        mountPath: /etc/secrets
        readOnly: true
    volumes:
    - name: secret-volume
      secret:
        secretName: db-secret


This will mount the Secret’s data into /etc/secrets/ inside the container



Storing SSH Private Keys in Kubernetes Secrets
kubectl create secret generic my-ssh-key-secret \
--from-file=ssh-privatekey=/path/to/.ssh/id_rsa \
--type=kubernetes.io/ssh-auth


--from-file=ssh-privatekey=/path/to/.ssh/id_rsa:

--from-file: Specifies that the content for the Secret should come from a file.

ssh-privatekey: The key under which the private key will be stored in the Secret.

/path/to/.ssh/id_rsa: Path to the actual SSH private key file (usually located in ~/.ssh/id_rsa).


--type=kubernetes.io/ssh-auth:

This specifies that the Secret is of type kubernetes.io/ssh-auth, which is used for SSH authentication.


Managing SSL/TLS Certificates with Kubernetes TLS Secrets
kubectl create secret tls my-tls-secret \
--cert=path/to/cert/file \
--key=path/to/key/file


--cert=path/to/cert/file:

This specifies the path to the TLS certificate file. Replace path/to/cert/file with the actual path to your .crt (certificate) file.

--key=path/to/key/file:

This specifies the path to the TLS private key file. Replace path/to/key/file with the actual path to your private key file (typically .key).


MySQL Example: Combining ConfigMap and Secrets in Kubernetes

create a configmap (myconfig.yaml)
  apiVersion: v1
  kind: configMap
  metadata:
     name: bootcamp-configMap
  data: 
     username: "praduman"
     database_name: "my-db"

  kubectl apply -f myconfig.yaml


create secrets (mysecret.yaml)
  echo -n 'rootPass' | base64
  echo -n 'userPass' | base64

  apiVersion: v1
  kind: Secret
  metadata: 
     name: mysql-root-pass
  type: Opaque
  data: 
     password: 
  ---
  apiVersion: v1
  kind: Secret
  metadata: 
     name: mysql-user-pass
  type: Opaque
  data: 
     password: 

  kubectl apply -f mysecret.yaml


YAML file of deployment using both configMap and Secret(deploy.yaml)
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: mysql
  spec:
    selector:
      matchLabels:
        app: mysql
    template:
      metadata:
        labels:
          app: mysql
      spec:
        containers:
        - name: mysql
          image: mysql:5.7
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysql-root-pass
                  key: password
            - name: MYSQL_USER
              valueFrom:
                configMapKeyRef:
                  name: bootcamp-configmap
                  key: username
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysql-user-pass
                  key: password
            - name: MYSQL_DATABASE
              valueFrom:
                configMapKeyRef:
                  name: bootcamp-configmap
                  key: database_name
          ports:
            - containerPort: 3306
          volumeMounts:
            - name: mysql-storage
              mountPath: /var/lib/mysql
        volumes:
          - name: mysql-storage
            emptyDir: {}

  kubectl apply -f deploy.yaml


Access the MYSQL pod
  kubectl exec -it  -- mysql -u root -p



Conclusion

In this article, we explored the essential concepts of Kubernetes ConfigMaps and Secrets, highlighting their importance in managing configuration data and sensitive information securely. ConfigMaps allow you to decouple configuration from application code, making updates seamless without redeploying the entire application. Secrets, on the other hand, provide a secure way to handle sensitive data like passwords and API keys, ensuring they are not exposed in your codebase.
We provided practical examples demonstrating how to use ConfigMaps and Secrets in various scenarios, such as passing database credentials to a MySQL Pod, managing environment-specific properties, and accessing configuration programmatically with Python. Additionally, we covered the different types of Secrets, including Opaque, TLS, and Docker Registry Secrets, and how to use them in Pods as environment variables or volume mounts.
By understanding and implementing these Kubernetes features, you can enhance the security and manageability of your applications, ensuring a more robust and flexible deployment process.


💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub



Kubernetes-part-6
Praduman Prajapati — Mon, 16 Sep 2024 09:15:16 GMT
Ensuring Application Availability with ReplicaSets
It helps keep your application running by ensuring the correct number of pod replicas are always available, making it essential for scaling and reliability. ReplicaSets are often managed by Deployments, which provide more features like rolling updates. When you create a Deployment, it automatically creates a ReplicaSet for managing pod replicas.

Example:

If you set a ReplicaSet to have 3 pods, and one pod stops, the ReplicaSet will automatically create a new pod so that there are always 3 running.

Defining a ReplicaSet: YAML Example
  apiVersion: apps/v1
  kind: ReplicaSet
  metadata:
    name: nginx-rs
    labels:
      app: nginx
  spec:
    replicas: 3
    selector:
      matchLabels:
        app: nginx
    template:
      metadata:
        labels:
          app: nginx
      spec:
        containers:
        - name: nginx
          image: nginx:latest
          ports:
          - containerPort: 80

  This YAML file tells Kubernetes to create 3 identical pods running the nginx web server. It will automatically make sure there are always 3 pods running, so if one stops, Kubernetes will start another. Each pod runs on port 80, and all are labeled with app: nginx for identification.

Real-Time watch and monitor the status of your pods
  kubectl get pod -w


To see the ReplicaSet present
  kubectl get rs


To delete a replicaSet and all its pod
  kubectl delete rs 



Understanding Propagation Policies in Kubernetes
It is used to control how resources are deleted, especially when dealing with related resources like ReplicaSets and their pods. It decides whether the resources created by a ReplicaSet (like pods) should be deleted right away or left running when the ReplicaSet is removed.
Types of Propagation Policies:

Foreground: Pods are deleted first, then the ReplicaSet.
  kubectl delete replicaset nginx-rs --cascade=foreground


Another way: using kubectl proxy with a curl command to delete a ReplicaSet using the Kubernetes API and specify a propagationPolicy

Start the Kubernetes Proxy

kubectl proxy --port=8080

This command starts a local proxy that allows you to interact with the Kubernetes API at localhost:8080 without needing to authenticate with tokens.
kubectl proxy --port=8080
curl -X DELETE 'http://localhost:8080/apis/apps/v1/namespaces/default/replicasets/nginx-rs' \
     -d '{"kind":"DeleteOptions","apiVersion":"v1","propagationPolicy":"Foreground"}' \
     -H "Content-Type: application/json"



Background: ReplicaSet is deleted first, pods are deleted later.
  kubectl delete replicaset nginx-rs --cascade=background


Another way: using kubectl proxy with a curl command to delete a ReplicaSet using the Kubernetes API and specify a propagationPolicy

Start the Kubernetes Proxy

kubectl proxy --port=8080

This command starts a local proxy that allows you to interact with the Kubernetes API at localhost:8080 without needing to authenticate with tokens.
curl -X DELETE 'http://localhost:8080/apis/apps/v1/namespaces/default/replicasets/nginx-rs' \
     -d '{"kind":"DeleteOptions","apiVersion":"v1","propagationPolicy":"Background"}' \
     -H "Content-Type: application/json"



Orphan: ReplicaSet is deleted, but the pods remain running.
  kubectl delete replicaset nginx-rs --cascade=orphan


Another way: using kubectl proxy with a curl command to delete a ReplicaSet using the Kubernetes API and specify a propagationPolicy

Start the Kubernetes Proxy

kubectl proxy --port=8080

This command starts a local proxy that allows you to interact with the Kubernetes API at localhost:8080 without needing to authenticate with tokens.
curl -X DELETE 'http://localhost:8080/apis/apps/v1/namespaces/default/replicasets/nginx-rs' \
     -d '{"kind":"DeleteOptions","apiVersion":"v1","propagationPolicy":"Orphan"}' \
     -H "Content-Type: application/json"




Mastering Kubernetes Deployments
It is used to manage and automate the lifecycle of applications running in pods. It provides more advanced features than a ReplicaSet, such as rolling updates, rollback capabilities, and scaling.

Creating and Managing Deployments with YAML
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: nginx-deployment
  spec:
    replicas: 3
    selector:
      matchLabels:
        app: nginx
    template:
      metadata:
        labels:
          app: nginx
      spec:
        containers:
        - name: nginx
          image: nginx:1.16.1
          ports:
          - containerPort: 80

  kubectl apply -f deployment.yaml


Get Deployment Status
  kubectl get deployments


Scaling Deployments for Optimal Performance
  kubectl scale deployment nginx-deployment --replicas=5


Updating Deployment Images
  kubectl set image deployment/nginx-deployment nginx=nginx:1.17.0


Checking Deployment Status
  kubectl rollout status deployment/nginx-deployment


Checking Rollout History
  kubectl rollout history deploy/nginx-deployment


View Specific Revision
  kubectl rollout history deploy/nginx-deployment --revision=2


Rolling Back to Previous Deployment Revisions
  kubectl rollout undo deployment/nginx-deployment --to-revision=1


Pause a Rollout
  kubectl rollout pause deployment/nginx-deployment


Edit Deployment Directly
  kubectl edit deployment/nginx-deployment



Recreate Strategy: Minimizing Downtime During Updates
With this strategy, when a new version of an application is deployed, Kubernetes first deletes all existing pods before creating the new ones. This can cause some downtime because there will be a gap between the old pods being terminated and the new ones starting.

Example YAML for Recreate Strategy
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-deployment
spec:
  replicas: 3
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: demo
        image: nginx:latest
        ports:
        - containerPort: 80

kubectl apply -f 

kubectl set image deploy/demo-deployment demo=nginx:14.0


Probes: Ensuring Pod Health and Readiness
This is used to check the health of pod. They help Kubernetes know when a pod is ready to start serving traffic or if it’s still alive and functioning correctly. If a probe fails, Kubernetes can take action like restarting the pod
Types of probes in Kubernetes

Liveness Probe: Checks if the pod is alive. Restarts it if it’s stuck.

Readiness Probe: Checks if the pod is ready to serve traffic. Stops sending traffic if it’s not ready.

Startup Probe: Gives the pod time to fully start. Ensures it isn’t marked as failed too early.



Implementing Probes in Deployment YAML
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 15
          timeoutSeconds: 2
          periodSeconds: 5
          failureThreshold: 3
        readinessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 5
          timeoutSeconds: 2
          periodSeconds: 5
          successThreshold: 1
          failureThreshold: 3
        startupProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 10
          periodSeconds: 5
          failureThreshold: 10

kubectl apply -f 



Liveness Probe: Checks if the container is still running. If it fails 3 times (every 5 seconds), the container is restarted.

Readiness Probe: Checks if the container is ready to serve traffic. If it fails 3 times, the container won’t receive traffic until it passes.

Startup Probe: Gives the container 10 chances (every 5 seconds) to start before other probes begin checking it.


Blue-Green Deployment: Minimizing Downtime and Risk

A strategy for deploying applications that minimizes downtime and risk.

It involves running two environments: Blue and Green

Blue represents the current version of the application that's live and handling user traffic.

Green is a new version of the application that is being prepared for release.


Example: You have an application running with version 1 (Blue) and want to deploy version 2 (Green)


Current Deployment (Blue) : This is the live version
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: myapp-blue
  spec:
    replicas: 2
    selector:
      matchLabels:
        app: myapp
        version: blue
    template:
      metadata:
        labels:
          app: myapp
          version: blue
      spec:
        containers:
        - name: myapp
          image: myapp:1.0
          ports:
          - containerPort: 80


New Deployment (Green): This is the new version
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: myapp-green
  spec:
    replicas: 2
    selector:
      matchLabels:
        app: myapp
        version: green
    template:
      metadata:
        labels:
          app: myapp
          version: green
      spec:
        containers:
        - name: myapp
          image: myapp:2.0
          ports:
          - containerPort: 80

  kubectl apply -f myapp-green.yaml


Service: The service will route traffic to the live version (initially Blue). Later, it will be updated to point to the Green version.
  apiVersion: v1
  kind: Service
  metadata:
    name: myapp-service
  spec:
    selector:
      app: myapp
      version: blue # Initially points to Blue
    ports:
    - protocol: TCP
      port: 80
      targetPort: 80
    type: LoadBalancer


Switch Traffic to Green: Update the service to point to the Green version
  apiVersion: v1
  kind: Service
  metadata:
    name: myapp-service
  spec:
    selector:
      app: myapp
      version: green # Now points to Green
    ports:
    - protocol: TCP
      port: 80
      targetPort: 80
    type: LoadBalancer

  kubectl apply -f myapp-service.yaml



To rollback to Blue, just update the service selector back to the Blue version

Canary Deployment: Gradual and Safe Application Updates
A strategy where a new version of an application is deployed to a small portion of users (e.g., 10%), while the rest continue using the old version. This allows you to test the new version in production with minimal risk. If it works well, you gradually increase its usage (e.g., 50%, then 100%) and If the canary version causes issues, you can quickly rollback and send all traffic back to the old version.
Example : Let's say you have version 1 of your app running and you want to canary release version 2


Existing Deployment (Version 1)
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: myapp-v1
  spec:
    replicas: 4
    selector:
      matchLabels:
        app: myapp
        version: v1
    template:
      metadata:
        labels:
          app: myapp
          version: v1
      spec:
        containers:
        - name: myapp
          image: myapp:1.0
          ports:
          - containerPort: 80


Canary Deployment (Version 2)
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: myapp-canary
  spec:
    replicas: 1 # Canary version has only 1 replica
    selector:
      matchLabels:
        app: myapp
        version: canary
    template:
      metadata:
        labels:
          app: myapp
          version: canary
      spec:
        containers:
        - name: myapp
          image: myapp:2.0
          ports:
          - containerPort: 80

  kubectl apply -f myapp-canary.yaml


Service: The service can be configured to split traffic between the two versions. Initially, it will send most traffic to version 1 (v1) and a small portion to the canary version
  apiVersion: v1
  kind: Service
  metadata:
    name: myapp-service
  spec:
    selector:
      app: myapp
      version: v1
    ports:
    - protocol: TCP
      port: 80
      targetPort: 80
    type: LoadBalancer


Update Service: Modify the service to route a small portion of traffic to the Canary deployment
  apiVersion: v1
  kind: Service
  metadata:
    name: myapp-service
  spec:
    selector:
      app: myapp
    ports:
    - protocol: TCP
      port: 80
      targetPort: 80
    type: LoadBalancer


You can use Kubernetes features like weighted routing in an Ingress controller, to route a portion of traffic to the Canary or manage it through a service mesh.


Monitor Canary: Check the performance and stability of the Canary version. If there are no issues, you can gradually increase the traffic directed to Canary.

Full Rollout: Once confident in the Canary’s stability, update the service selector to point to the new version and increase the replicas of the Canary deployment while reducing the replicas of the Stable deployment.

Cleanup: Remove the old stable deployment after the Canary version is fully rolled out and stable.



Canary deployments help ensure that new releases are stable and function correctly with minimal risk.
Conclusion

In this article, we explored various aspects of Kubernetes, including ReplicaSets, Deployments, Probes, and deployment strategies like Blue-Green and Canary deployments. Understanding these concepts is crucial for managing and scaling applications efficiently in a Kubernetes environment. By leveraging these tools and strategies, you can ensure high availability, reliability, and seamless updates for your applications, ultimately enhancing your overall DevOps practices.


💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub



kubernetes-part-5
Praduman Prajapati — Sun, 15 Sep 2024 20:31:29 GMT
Efficient Kubernetes Scheduling with Kube-Scheduler
The kube-scheduler is Kubernetes default scheduler and part of the control plane. It selects the best node for new or unscheduled pods by filtering out nodes that don't meet the pod's requirements, known as feasible nodes. If no nodes are suitable, the pod remains unscheduled until one becomes available. The scheduler scores feasible nodes and selects the highest-scoring one to run the pod. This decision is then communicated to the API server in a process called binding. Custom schedulers can also be created if needed.
Mastering Labels and Selectors for Resource Grouping
Labels and Selectors are standard methods to group things together. Labels are properties attached to each resources. Selectors help you to filter these resources. Kubernetes uses labels to connect different objects together.

A pod definition file with labels
  apiVersion: v1
  kind: Pod
  metadata:
   name: simple-webapp
   labels:
     app: App1
     function: Front-end
  spec:
   containers:
   - name: simple-webapp
     image: nginx
     ports:
     - containerPort: 8080

  kubectl apply -f 


To select the pod with labels
  kubectl get pods --selector app=App1


To see the lable of a pod
  kubectl get pods name> --show-labels


To label a pod once it is created
  kubectl label pod name> key=value


To see pods with/without specific label
  kubectl get pod -l <key>=

  kubectl get pod -l <key>!=


Imperative way to create deployment
  kubectl create deploy bootcamp --image=nginx --replicas 3


Selection of pod using lable in replicasets
   apiVersion: apps/v1
   kind: ReplicaSet
   metadata:
     name: simple-webapp
     labels:
       app: App1
       function: Front-end
   spec:
    replicas: 3
    selector:
      matchLabels:
       app: App1
    template:
      metadata:
        labels:
          app: App1
          function: Front-end
      spec:
        containers:
        - name: simple-webapp
          image: simple-webapp


Selection of pod using lable in services
    apiVersion: v1
    kind: Service
    metadata:
     name: my-service
    spec:
     selector:
       app: App1
     ports:
     - protocol: TCP
       port: 80
       targetPort: 9376



Understanding Kubernetes Namespaces for Resource Isolation
Namespaces are a way to divide cluster resources between multiple users, teams, or projects. They provide a scope for names, allowing multiple users to share the same cluster without interfering with each other.
Kubernetes starts with four initial namespaces:

default: A space where you start working in Kubernetes right away

kube-node-lease: Keeps track of whether each node in the system is healthy or not

kube-public: A place where anyone, even without special access, can see certain information

kube-system: Where Kubernetes itself stores its important stuff



To see all namespaces
  kubectl get namespace


To create a namespace
  kubectl create ns <name-of-namespace>




Avoid creating namespaces with the prefix kube- since it is reserved for Kubernetes system namespaces


Creating two namespace and create deployment on each with nginx image and try to access the deployment on the other ns from the current ns
  kubectl create ns frontent

  kubectl create ns backend

  kubectl create deploy demo -n frontent --image=nginx

  kubectl create deploy demo -n backend --image=nginx

  kubectl get deployment -n frontent -owide


To switch to a namespace
  kubectl config set-context --current --namespace=backend



Managing Resource Quotas in Kubernetes
This is a way to manage and limit resource usage in a specific namespace. It ensures that no single team, application, or user can consume too many resources (like CPU, memory, storage, or the number of objects) in a shared cluster. This Prevent one team or application from using all the resources in the cluster and also Manage resources efficiently.
How Resource Quota Works
Administrators set quotas at the namespace level, and Kubernetes enforces them. When a Pod or object (like a Persistent Volume or Service) is created, Kubernetes checks the quota and ensures that the creation doesn't exceed the defined limits

Create a namespace
  kubectl create ns example-namespace


Create a resourceQuota
  apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: example-quota
    namespace: example-namespace
  spec:
    hard:
      requests.cpu: "500m" # total amount of CPU that can be requested
      requests.memory: "200Gi" # total amount of memory that can be requested
      limits.cpu: "1" # total amount of CPU limit across all pods
      limits.memory: 400Gi # total amount of memory limit across all pods
      pods: "10" # total number of pods that can be created

  kubectl apply -f name.yaml>


To check resouceQuota
  kubectl get resourceQuota



Ensuring Pod Scheduling Readiness
Pod Scheduling Readiness is a feature that lets you control when a Pod is ready to be placed on a node. It adds a delay in scheduling the Pod until certain conditions are met, making sure the Pod is fully prepared. This is helpful when the Pod depends on other services or resources to be available before it can start running smoothly

Example: Waiting for a Service to Be Ready

Pod definition file that includes custom scheduling gates
  apiVersion: v1
  kind: Pod
  metadata:
    name: test-pod
  spec:
    schedulingGates:
    - name: example.com/service-ready
    containers:
    - name: pause
      image: registry.k8s.io/pause:3.6


Implement a Custom Controller
  # Pseudo-code for the custom controller
  if service_is_ready:
    remove_scheduling_gate(pod_name="test-pod", gate_name="example.com/service-ready")


Use the Custom Controller to Manage Scheduling
  The custom controller will ensure that the Pod is only scheduled when the specified service is confirmed to be ready. Until then, the Pod will remain unscheduled.



This approach ensures that the Pod will only be scheduled when the necessary conditions are met, providing a more controlled scheduling process

Enhancing Availability with Pod Topology Spread Constraints
It help to ensure high availability by spreading Pods across different nodes, zones, or regions. It also helps to maintain balanced load by evenly distributing Pods to prevent overloading any single node or domain. It Improve fault tolerance by avoiding concentration in a single location
Example

Kubernetes Deployment using Pod Topology Spread Constraints to evenly distribute Pods across different nodes

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  replicas: 4
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      containers:
      - name: app-container
        image: nginx
      topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: "kubernetes.io/hostname"
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: demo-app


maxSkew: degree to which the pod is evenly distributed

topologyKey: key of node labels

whenUnsatisfiable: If the constraints cannot be met, DoNotSchedule or ScheduleAnyway

labelSelector: find maching pod



To scale this deployment
kubectl scale deployment demo-app --replicas=6


When you need to prevent new workloads from being scheduled on a node due to issues with that node, you can cordon the node. Cordon marks the node as unschedulable, ensuring that no new pods are scheduled to it.
kubectl cordon name>

To make that node again schedulable you need to uncordon that node
kubectl uncordon name>

Prioritizing Pods with Priority Classes
It helps the Kubernetes Scheduler decide which Pods should be scheduled first when resources are limited. Pods with higher priority values are scheduled before those with lower priority. Higher-priority Pods can displace lower-priority Pods if resources are scarce.
Example of priorityClass

Here’s how you can create a PriorityClass and use it with a Pod


Define a PriorityClass
  apiVersion: scheduling.k8s.io/v1
  kind: PriorityClass
  metadata:
    name: demo-priority
  value: 1000000
  globalDefault: false
  description: "This priority class is for critical workloads."


Use the PriorityClass in a Pod:
  apiVersion: v1
  kind: Pod
  metadata:
    name: high-priority-pod
  spec:
    priorityClassName: demo-priority
    containers:
      - name: my-container
        image: my-image



Understanding and Managing Pod Overhead
Pod Overhead is the extra amount of resources a Pod needs beyond what its containers require. It covers things like the Pod's management and networking needs. Pod Overhead helps ensure that enough resources are available for both the Pod and its additional needs, not just the containers inside it
How It Works

Container Requests: You specify how much CPU and memory a container needs

Add Overhead: Kubernetes adds extra resources for the Pod’s management and networking

Total Resources: The total resources needed are the sum of container requests plus Pod Overhead



Example: Specify Pod Overhead in a Pod’s resource request

Define a Pod with Overhead
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-container
    image: nginx
    resources:
      requests:
        memory: "512Mi"
        cpu: "500m"
  overhead:
    cpu: "100m"
    memory: "100Mi"

In this example:

Container Requests: The container requests 512 Mi of memory and 500 milliCPU.

Pod Overhead: An additional 100 Mi of memory and 100 milliCPU are reserved for the Pod’s overhead.


Conclusion

In this article, we delved into several advanced Kubernetes concepts, including scheduling, labels and selectors, namespaces, resource quotas, pod scheduling readiness, topology spread constraints, priority classes, and pod overhead. Mastering these features is essential for effectively managing and optimizing Kubernetes clusters. By utilizing these tools and techniques, you can ensure high availability, balanced resource usage, and controlled scheduling processes, ultimately leading to a more robust and resilient Kubernetes environment.


💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub



kubernetes-part-4
Praduman Prajapati — Sat, 14 Sep 2024 18:30:00 GMT

Init container can be converted to sidecar container using restartpolicy: always

Example of a Sidecar Container
https://github.com/thockin/kubectl-sidecar/blob/main/example.yaml
 
# This is the identity the Pods will run as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-kubectl-sidecar
  namespace: default
---
# This defines the namespace-scope permissions granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: demo-kubectl-sidecar
  namespace: default
rules:
- apiGroups:
  - ''
  resources:
  - pods
  verbs:
  - get
  - watch
---
# This joins the ServiceAccount to the Role above.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: demo-kubectl-sidecar
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: demo-kubectl-sidecar
subjects:
- kind: ServiceAccount
  name: demo-kubectl-sidecar
---
# This defines the cluster-scope permissions granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: demo-kubectl-sidecar
rules:
- apiGroups:
  - ''
  resources:
  - nodes
  verbs:
  - get
  - watch
---
# This joins the ServiceAccount to the ClusterRole above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: demo-kubectl-sidecar
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: demo-kubectl-sidecar
subjects:
- kind: ServiceAccount
  name: demo-kubectl-sidecar
  namespace: default
---
# This is the actual workload.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-kubectl-sidecar
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-kubectl-sidecar
  template:
    metadata:
      labels:
        app: demo-kubectl-sidecar
    spec:
      serviceAccountName: demo-kubectl-sidecar
      securityContext:
        # Set this to any valid GID, and two things happen:
        #   1) The volume "content" is group-owned by this GID.
        #   2) This GID is added to each container.
        fsGroup: 9376
      containers:
      - name: server
        image: nginx
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: content
          readOnly: true
      initContainers:
      - name: sidecar
        image: thockin/kubectl-sidecar:v1.30.0-1
        restartPolicy: Always
        env:
          - name: MYPOD
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: MYNS
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: MYNODE
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
        args:
          - bash
          - -c
          - |
            while true; do
              kubectl -n $MYNS get pod $MYPOD -o json | jq '.status' > /data/this-pod-status.json
              kubectl get node $MYNODE -o json | jq '.status' > /data/this-node-status.json
              sleep 30
            done
        volumeMounts:
        - name: content
          mountPath: /data
        securityContext:
          # This doesn't need to run as root.
          runAsUser: 9376
          runAsGroup: 9376
      volumes:
      - name: content
        emptyDir: {}
      terminationGracePeriodSeconds: 5

kubectl apply -f 

kubectl port-forward deployment/demo-kubectl-sidecar 8080:80

curl http://localhost:8080/this-pod-status.json
curl http://localhost:8080/this-node-status.json


Understanding the Role of the Pause Container in Kubernetes
When we try to restart a container then its IP changes. But if a container inside a pod restart then the IP of the pod remains same, this is due to pause container present in kubernetes.
It holds the network namespace and IP address for the Pod, allowing the other containers within the Pod to communicate and share networking resources.
The pause container is automatically created by containerd when you start a Pod. It is not visible to kubectl, but you can see it using the ctr command.
How to View Pause Containers and Pod IPs

To see all pause containers on the node
  ctr --namespace k8s.io containers list | grep pause

  

To check the IP of the specific pod
  kubectl get pod  -owide

  


Kubernetes User Namespaces
User namespaces enhance security by isolating user IDs (UIDs) and group IDs (GIDs) inside containers from the host system. This means that a root user inside a container doesn't have root privileges on the host, reducing the risk if a container is compromised.
This feature helps limit the damage from attacks by keeping container permissions separate from host permissions. User namespaces are now more stable and widely available, supporting both stateless and stateful pods.
Pod Disruptions
Pods do not disappear until someone (a person or a controller) destroys them, or there is an unavoidable hardware or system software error.
Types: Voluntary and involuntary disruptions

Voluntary disruption

Deleting the deployment

Updating a deployment's pod template

Directly deleting a pod

Draining a node

Removing a pod from a node to allow something else to fit on that node



Non-voluntary disruption

Hardware failure

Cluster administrator deletes a VM (instance) by mistake

Cloud provider or hypervisor failure makes a VM disappear

Kernel panic

Node disappears from the cluster due to network partition

Eviction of a pod due to the node running out of resources




Here are some ways to reduce involuntary disruptions:

Ensure your pod requests the resources it needs.

Replicate your application if you need higher availability.

For even higher availability with replicated applications, spread them across racks (using anti-affinity) or across zones (if using a multi-zone cluster).


Pod disruption budgets (PDB)
It helps to keep your application running smoothly by limiting how many pods can be disrupted at once. They ensure that a minimum number of pods remain available during maintenance or updates. You set up a PDB to specify how many pods need to stay up and running, and Kubernetes follows these rules during planned disruptions but not during unexpected ones like crashes.

We use PDB only for high availability

Here is an example of a PDB configuration:

Create a deployment
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: nginx-deployment
    labels:
      app: nginx
  spec:
    replicas: 3
    selector:
      matchLabels:
        app: nginx
    template:
      metadata:
        labels:
          app: nginx
      spec:
        containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
          - containerPort: 80

  

Create PDB
  apiVersion: policy/v1
  kind: PodDisruptionBudget
  metadata:
    name: nginx-pdb
  spec:
    minAvailable: 2
    selector:
      matchLabels:
        app: nginx

  

Check available PDB
  kubectl get pdb

  

Do rolling updates (update nginx image)
  kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1


Watch the pods now
  kubectl get pods -w

  


Setting Resource Requests and Limits for Efficient Resource Management
In Kubernetes, applications run as pods inside nodes. A node is a physical or virtual machine with specific configurations like CPU and memory. Each application consumes a certain amount of these resources.
Kubernetes uses the concepts of resource requests and limits to manage CPU and memory usage:

Resource Requests: The minimum amount of CPU and memory that a pod needs to run.

Resource Limits: The maximum amount of CPU and memory a pod is allowed to use.


These settings are crucial for scheduling because they help the scheduler find the best node to deploy a pod. For example, if a pod requires at least 2 CPUs and 1 GB of RAM, you set these values in the resource requests and limits. The scheduler then finds a suitable node that can accommodate these requirements.
When creating a highly available Kubernetes cluster, it's important to properly configure resource requests and limits to ensure efficient resource utilization and stability.
Understanding CPU Throttling in Kubernetes
CPU throttling means limiting a pod's CPU usage when it tries to use more than its allowed amount. This prevents one pod from using too much CPU and affecting other pods on the same node. If a pod reaches its CPU limit, Kubernetes slows it down to stay within the limit, which can make the pod run slower. This helps ensure that resources are shared fairly and the cluster stays stable.
Overutilization and Underutilization of Resources

Overutilization happens when a resource is used too much, exceeding its capacity. For example, if a CPU is consistently running at 100%, it can cause performance issues, slow down processes, or even crash the system because there's not enough capacity left for other tasks.

Underutilization occurs when a resource is used too little, meaning it's not being fully used even though it's available. For instance, if a server has a lot of memory but is only using a small portion of it, the rest of the memory is underutilized, leading to inefficient use of resources and potentially higher costs without any benefit.



we can specify the LimitRange of a namespace

apiVersion: v1
kind: LimitRange
metadata:
  name: example-limitrange
  namespace: default
spec:
  limits:
  - type: Pod
    max:
      cpu: "2"
      memory: "1Gi"
    min:
      cpu: "200m"
      memory: "100Mi"
  - type: Container
    max:
      cpu: "1"
      memory: "500Mi"
    min:
      cpu: "100m"
      memory: "50Mi"
    default:
      cpu: "300m"
      memory: "200Mi"
    defaultRequest:
      cpu: "200m"
      memory: "100Mi"


Now you can directly create pods without specifying limit and ranges it will automatically assigned to the pod

Quality of Service (QoS)
Quality of Service (QoS) in Kubernetes is a way to prioritize and manage resources for Pods to ensure they get the resources they need based on their importance and requirements. Kubernetes classifies Pods into different QoS tiers based on their resource requests and limits.

Pods that have both CPU and memory requests and limits set, and the requests are equal to the limits. These Pods get the highest priority for resources and known as guaranteed QOS.

Guaranteed QoS Example:
apiVersion: v1
kind: Pod
metadata:
  name: nginx-guaranteed
spec:
  containers:
  - name: nginx
    image: nginx
    resources:
      requests:
        memory: "256Mi"
        cpu: "500m"
      limits:
        memory: "256Mi"
        cpu: "500m"



Pods that have CPU and memory requests and limits set, but the requests and limits are not equal. These Pods get some level of resource assurance but can use more resources if available and known as burstable QOS.

Burstable QoS Example:
apiVersion: v1
kind: Pod
metadata:
  name: nginx-burstable
spec:
  containers:
  - name: nginx
    image: nginx
    resources:
      requests:
        memory: "256Mi"
      limits:
        memory: "512Mi"



Pods that do not specify any CPU or memory requests or limits. These Pods get the lowest priority for resources and can be easily evicted if the node is under resource pressure and known as besteffort QOS.

BestEffort QoS Example:
apiVersion: v1
kind: Pod
metadata:
  name: nginx-besteffort
spec:
  containers:
  - name: nginx
    image: nginx


  When k8s runs out of resource then on the basis of QOS class, first evict the BestEffort then Burstable and at last Guaranteed evicted


Understanding Kubernetes Downward API
Downward API is a useful feature that allows Pods to access information about themselves and the cluster environment. It helps applications running inside Pods to get metadata and resource details, which they might need to operate correctly or adjust their behavior.
The Downward API provides a way for Pods to obtain information about themselves, such as:

Pod Name: The name assigned to the Pod.

Namespace: The namespace in which the Pod is running.

Pod Labels and Annotations: Metadata attached to the Pod.

Resource Limits and Requests: Information about how much CPU and memory the Pod has been allocated.


How to Use the Downward API
The Downward API provides this information through environment variables or files within the Pod. Here’s a simple example of how to use it:

Using Environment Variables:
 You can define environment variables in your Pod spec to expose metadata from the Downward API:
 apiVersion: v1
 kind: Pod
 metadata:
   name: my-pod
 spec:
   containers:
   - name: my-container
     image: my-image
     env:
     - name: POD_NAME
       valueFrom:
         fieldRef:
           fieldPath: metadata.name
     - name: POD_NAMESPACE
       valueFrom:
         fieldRef:
           fieldPath: metadata.namespace

 In this example:

The POD_NAME environment variable will be set to the Pod's name.

The POD_NAMESPACE environment variable will be set to the Pod's namespace.



Using Volumes:
 You can also expose metadata through files in a volume:
 apiVersion: v1
 kind: Pod
 metadata:
   name: my-pod
 spec:
   containers:
   - name: my-container
     image: my-image
     volumeMounts:
     - name: pod-info
       mountPath: /etc/podinfo
   volumes:
   - name: pod-info
     downwardAPI:
       items:
       - path: "name"
         fieldRef:
           fieldPath: metadata.name
       - path: "namespace"
         fieldRef:
           fieldPath: metadata.namespace

 In this example:

The Pod’s name and namespace will be available as files in /etc/podinfo within the container.



Conclusion

In conclusion, this article delves into essential Kubernetes concepts, including the transformation of init containers to sidecar containers, the critical role of the pause container in maintaining network namespaces, and the security benefits of user namespaces. It also covers the different types of pod disruptions and how to manage them using Pod Disruption Budgets (PDB). Additionally, the article explains the importance of setting resource requests and limits for efficient resource utilization and stability, and it categorizes the different Quality of Service (QoS) classes in Kubernetes. Practical examples and YAML configurations are provided to help illustrate these concepts, making it a comprehensive guide for managing Kubernetes environments effectively.


💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub



kubernetes-part-3
Praduman Prajapati — Fri, 13 Sep 2024 18:30:00 GMT
Imperative vs. Declarative: Two Approaches to Kubernetes Infrastructure Management

Imperative: Directly command Kubernetes to perform actions step-by-step

To create a pod in imperative way we need to run a single command kubectl run my-pod —image=nginx


Declarative: Define the desired state in a configuration file and let Kubernetes manage it

To create a pod in imperative way we need to write a pod definition file( a yaml file ) first
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: my-container
    image: nginx

then run command kubectl apply -f filename.yaml



Understanding YAML: The Backbone of Kubernetes Configuration

YAML stands for (YAML Ain't Markup Language)

It is easy & comes with human-readable format

Indentation matters alot

It is used for configuring Kubernetes resources

It allows you to define and organize settings in a structured way

It makes easy to create and manage complex configurations


YAML file to create a pod
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-container
    image: nginx


Command used to apply a YAML configuration :
kubectl apply -f filename.yaml


This command tells Kubernetes to create or update resources based on the specifications defined in the YAML file
Key Concepts in YAML: Objects, Lists, Comments, and Multi-line Strings

Objects: Collections of key-value pairs, similar to dictionaries in Python. They are defined using indentation.
 Example:
 person:
   name: Alice
   age: 30
   city: New York

 In this example, person is an object with three key-value pairs: name, age, and city.

Lists: Sequences of items, where each item is prefixed by a hyphen (-) and space.
 Example:
 yamlCopy codefruits:
   - Apple
   - Banana
   - Cherry

 Here, fruits is a list containing three items: Apple, Banana, and Cherry.

Comments: YAML allows comments, start with a #. These are ignored by YAML and are used for adding explanations.
 Example:
 # This is a comment
 server:
   host: localhost
   port: 8080


Multi-line Strings: YAML provides ways to handle multi-line strings using | (literal block) or > (folded block).
 Literal Block (|):
 description: |
   This is a multi-line
   string that preserves newlines.

 Folded Block (>):
 description: >
   This is a multi-line
   string that folds into a single line.



Pods in Kubernetes: The Fundamental Unit of Deployment

Application runs as a pod in kubernetes


Pod is the smallest unit in kubernetes

Inside pod the containers run

It holds one or more containers that works together

No two similar kind of container can run in a single pod

Each Pod gets its own IP address

Containers in the same Pod can communicate with each other using localhost

Pods can have storage that containers in the Pod can use to share files


Example: YAML file to create a Pod
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-container
    image: nginx
    ports:
    - containerPort: 80

This file creates a Pod called my-pod with a single container that runs the nginx web server.

Creating same pod in imperative way
kubectl run my-pod --image=nginx --port=80



Command to list all the pods running in the cluster is kubectl get pods

If you want more information about a specific pod the use kubectl describe pod pod-name


Pod Lifecycle: From Creation to Termination
It represents the different phases a pod goes through from creation to termination.

Pending

The pod is created but not yet running. It’s waiting for the scheduler to assign it to a node or for container images to be pulled


Running

The pod is assigned to a node, and at least one container is running. However, the container might face issues like:

CrashLoopBackOff: The container repeatedly crashes and restarts

Error: The container terminates with an error





Succeeded

All containers in the pod have finished successfully and won't restart


Failed

One or more containers in the pod have terminated with an error, and the pod is not being restarted.




Termination:
When a pod is deleted, it enters in Terminating state, where Kubernetes stops and removes its containers

Namespaces in Kubernetes: Organizing and Isolating Resources
namespaces are used to organize and isolate resources within a cluster. They allow different teams, projects, or environments (like dev, test, and prod) to run without conflicts. Each namespace has its own resources, and you can apply resource limits and access controls per namespace. It makes easier to manage and separate resources in a large Kubernetes cluster
Key commands:

Create a namespace
  kubectl create namespace my-namespace


List resources in a specific namespace
  kubectl get pods -n my-namespaceview all namespaces


view all namespaces
  kubectl get ns



Init Containers: Setting Up Your Pod for Success
Init Container is like a helper that runs before the main part of your app starts in a pod. It’s used to perform setup tasks or ensure certain conditions are met before the main container runs

Init containers always run before any other container in the pod

A pod can have one or more init containers

The main container will not start until the Init container completes finishes successfully

If a pod’s init container fails, the kubelet repeatedly restart that init container untill it succeeds

If the pod has a restartpolicy of never, and an init container fails during startup of the pod, kubernetes treats overall pod as failed

The regular init containers do not support the lifecycle, livenessProbe, readinessProbe or startupProbe fields



Init container definition file
apiVersion: v1
kind: Pod
metadata:
  name: bootcamp-pod
spec:
  volumes:
  - name: shared-data
    emptyDir: {}
  initContainers:
  - name: bootcamp-init
    image: busybox
    command: ['sh', '-c', 'wget -O /usr/share/data/index.html http://kubesimplify.com']
    volumeMounts:
    - name: shared-data
      mountPath: /usr/share/data
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: shared-data
      mountPath: /usr/share/nginx/html

Multiple init containers definition file
apiVersion: v1
kind: Pod
metadata:
  name: init-demo-2
spec:
  initContainers:
  - name: check-db-service
    image: busybox
    command: ['sh', '-c', 'until nslookup db.default.svc.cluster.local; do echo waiting for db service; sleep 2; done;']
  - name: check-myservice
    image: busybox
    command: ['sh', '-c', 'until nslookup myservice.default.svc.cluster.local; do echo waiting for db service; sleep 2; done;']
  containers:
  - name: main-container
    image: busybox
    command: ['sleep', '3600']

Definition file of services for multiple init container
apiVersion: v1
kind: Service
metadata:
  name: db
spec:
  selector:
    app: demo1
  ports:
  - protocol: TCP
    port: 3306
    targetPort: 3306
---
apiVersion: v1
kind: Service
metadata:
  name: myservice
spec:
  selector:
    app: demo2
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80


Sidecar Containers: Enhancing Your Main Application
Sidecar Container is an additional container that runs alongside the main container in a pod. It helps enhance or support the main container’s functionality

The sidecar container runs in the same pod as the main container, sharing the same network and storage resources

It can act as a proxy server to handle communication between the main container and external services



Example of multiple container with a sidecar container
apiVersion: v1
kind: Pod
metadata:
  name: multi-container-pod
spec:
  volumes:
  - name: shared-data
    emptyDir: {}
  initContainers:
  - name: meminfo-container
    image: alpine
    restartPolicy: Always
    command: ['sh', '-c', 'sleep 5; while true; do cat /proc/meminfo > /usr/share/data/index.html; sleep 10; done;']
    volumeMounts:
    - name: shared-data
      mountPath: /usr/share/
data
  containers:
  - name: nginx-container
    image: nginx
    volumeMounts:
    - name: shared-data
      mountPath: /usr/share/nginx/html

Example of a pod with a sidecar container
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-example
spec:
  containers:
    - name: main-container
      image: main-app-image
      ports:
        - containerPort: 80
    - name: sidecar-container
      image: logging-agent-image
      volumeMounts:
        - name: shared-storage
          mountPath: /logs
  volumes:
    - name: shared-storage
      emptyDir: {}



Main Container: Runs the primary application

Sidecar Container: Runs a logging agent that collects logs from the shared storage directory


Conclusion

In conclusion, Kubernetes offers a robust and flexible platform for managing containerized applications. By understanding the different ways to define and manage infrastructure, such as imperative and declarative approaches, users can choose the method that best suits their needs. YAML plays a crucial role in configuring Kubernetes resources, providing a human-readable format that simplifies the creation and management of complex configurations. Pods, as the smallest unit in Kubernetes, encapsulate containers and their lifecycle, ensuring efficient resource utilization and communication. Namespaces help in organizing and isolating resources, making it easier to manage large clusters. Additionally, init containers and sidecar containers extend the functionality of pods, allowing for more sophisticated application setups. By mastering these concepts, users can effectively leverage Kubernetes to deploy, scale, and manage their applications in a cloud-native environment.


💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub



Kubernetes-Part-2
Praduman Prajapati — Thu, 12 Sep 2024 18:30:00 GMT
Kubernetes tools for creating clusters

kubeadm

kops

ksctl


when you create a cluster using these tools, it is called a self-managed Kubernetes cluster
Some managed kubernetes cluster

EKS - AWS

GKE - GCP

Redhat - OpenShifts

AKS - Azure

DKE - Digital Ocean


we generally create self-managed k8s cluster if we have our own servers
Tools for running Kubernetes clusters in a local environment:

kind

minikube

rancher desktop

docker desktop


Understanding Kubernetes Architecture: Master and Worker Nodes
Kubernetes architecture is divided into master nodes and worker nodes, each with specific components that handle different tasks.

Master Node
The master node is the control center of the Kubernetes cluster. It manages the cluster and coordinates all activities.

ETCD: A key-value store that keeps all the cluster's data and configuration. It is crucial for maintaining the cluster's state.

Kube-API Server: The main management point for the cluster. It handles requests from users, other components, and external agents, and updates the cluster's state.

Kube-Scheduler: Assigns tasks to worker nodes based on available resources and needs, making sure resources are used efficiently.

Controller Manager: Keeps the cluster in the desired state by managing various controllers, like the replication controller and endpoint controller.

Cloud Controller Manager: Handles cloud-specific tasks. It allows Kubernetes to interact with cloud provider APIs for things like load balancers and storage.


Worker Node
Worker nodes run the applications. They handle the workload by running pods, which are the smallest deployable units in Kubernetes.

Kubelet: An agent on each worker node that makes sure containers are running in pods as they should.

Kube-Proxy: Manages network communication for the pods, ensuring proper routing within the cluster and to external networks.

Container Runtime Interface (CRI): The software that runs the containers, like Docker or containerd, managing their lifecycle.

Pod: The smallest deployable unit in Kubernetes, consisting of one or more containers that share storage, network, and configuration. Pods are scheduled on worker nodes and managed by the kubelet.


Step-by-Step Guide: K8s Installation Using KOPS on EC2
Create an EC2 instance and connect it to your local machine or use your personal laptop.
Required dependencies:

Python3

AWS CLI

kubectl


KOPS Installation
curl -LO https://github.com/kubernetes/kops/releases/download/$(curl -s https://api.github.com/repos/kubernetes/kops/releases/latest | grep tag_name | cut -d '"' -f 4)/kops-linux-amd64

chmod +x kops-linux-amd64

sudo mv kops-linux-amd64 /usr/local/bin/kops

Set up AWS CLI configuration on your EC2 Instance or Laptop.
Run aws configure
Kubernetes Cluster Installation
Follow these steps carefully and read each command before executing.

Create an S3 bucket to store KOPS objects:
 aws s3api create-bucket --bucket kops-abhi-storage --region us-east-1


Create the cluster:
 kops create cluster --name=demok8scluster.k8s.local --state=s3://kops-abhi-storage --zones=us-east-1a --node-count=1 --node-size=t2.micro --master-size=t2.micro --master-volume-size=8 --node-volume-size=8


Edit the configuration:

Important: Edit the cluster configuration as there are multiple resources created that won't fall into the free tier.

 kops edit cluster demok8scluster.k8s.local


Build the cluster:
 kops update cluster demok8scluster.k8s.local --yes --state=s3://kops-abhi-storage


This will take a few minutes to complete.


Verify the cluster installation:
 kops validate cluster demok8scluster.k8s.local



kubectl commands

Nodes present in the cluster
  kubectl get nodes


Create a pod
  kubectl run nginx --image=nginx




How kubectl Commands Work: Behind the Scenes
when we give a command, we are generally communicate with the cluster
How we did that ?
using the config file, which are present inside the .kube folder on the controlplane
cat .kube/config

How things work

Let's say we need to create a pod using a command
kubectl run my-pod --image=nginx

when we want to do any work using kubectl command. firstly, they make a RestAPI call to API server. After that 3 more things happen :

Authentication

Authorization

Admission



To ensure the request is valid and the person making the request is authorized to perform the task without violating any policies.

The scheduler looks for the best node based on taints/tolerations, affinity, and node selector to run the workload. Then, kubelet runs the workload and talks to CRI to pull the image and start it. The status is updated. Kube-proxy acts like iptables, and your workload runs. Health checks pass and inform the API server that the pod is running, and data is stored in ETCD.
Inside kubeconfig file we have :

user information

cluster information

context information




Inside context, we define which user is connected to which cluster.

Inside users, we define the users present.

Inside clusters, we define the clusters present.



Command to view config file :

kubectl config view



Command to view contexts :

kubectl config get-contexts



Command to view the users :

kubectl config get-users



Creating a New User in Kubernetes: A Detailed Guide

Create a private key using openssl
  openssl genrsa -out praduman.key 2048

  openssl req -new -key praduman.key -out praduman.csr -subj "/CN=praduman/O=group1"

  

Encode created CSR to base64
  cat praduman.csr | base64 | tr -d '\n'

  

Create CSR
  vi csr.yaml

  apiVersion: certificates.k8s.io/v1
  kind: CertificateSigningRequest
  metadata:
      name: praduman
  spec:
      request:  CSR>
      signinerName: kubernetes.io/kube-apiserver-client
      usages:
      - client auth


Replace base64_csr with the previous output


Apply yaml file and approve the certificate to the user
  kubectl apply -f csr.yaml
  kubectl certificate approve praduman

  

Get the crt specific to the user using jsonpath
  kubectl get csr praduman -o jsonpath='{.status.certificate}' | base64 --decode > praduman.crt


a praduman.crt file is created


Create a role and role binding
  vim role.yaml

   kind: Role
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     namespace: default
     name: pod-reader
   rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get", "watch", "list"]
  ---
   kind: RoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: read-pods
     namespace: default
   subjects:
   - kind: User
     name: praduman
     apiGroup: rbac.authorization.k8s.io
   roleRef:
     kind: Role
     name: pod-reader
     apiGroup: rbac.authorization.k8s.io

  kubectl apply -f role.yaml

  

Set credentials
  kubectl config set-credentials praduman --client-certificate=praduman.crt --client-key=praduman.key


Create context
  kubectl config set-context praduman-context --cluster=kubernetes --namespace=default --user=praduman


view contexts
  kubectl config get-contexts




you will see a context with name praduman-context in the default namespace and kubernetes cluster


use the created context
  kubectl config use-context praduman-context




a new user is now created and now you can use it


How kubectl command works

Firstly, it searches for the kubeconfig file.

If you set this variable in the current shell, then it first looks for the config file that you provide.
  export KUBECONFIG=path-to-your-config-file


Another way to do this is to provide the kubeconfig file path along with the command.
  kubectl get pod --kubeconfig ~/.kube/config




Let's say you have 3 clusters. Each cluster must have its own kubeconfig file. How will you merge all the config files?


first method
  export KUBECONFIG=/path/to/first/config:/path/to/second/config:/path/to/third/config


second method (use kubectx tool)

we use kubectx when we have multiple cluster, users and context for Faster way to switch between clusters (context) in kubectl

  # switch to another cluster that's in kubeconfig
  $ kubectx minikube
  Switched to context "minikube".

  # switch back to previous cluster
  $ kubectx -
  Switched to context "oregon".

  # rename context
  $ kubectx dublin=gke_ahmetb_europe-west1-b_dublin
  Context "gke_ahmetb_europe-west1-b_dublin" renamed to "dublin".




GVR (Group-Version-Resource)
Think of GVR as the address for finding a type of resource in Kubernetes

Group: A broad category (like a section in a library)

Version: A specific edition within that category (like a book edition)

Resource: The actual item you want (like a specific book)


Example: apps/v1/deployments

Group: apps (the section for applications)

Version: v1 (the first edition of this section)

Resource: deployments (the specific item you’re looking for, like a book on deployments)


GVK (Group-Version-Kind)
GVK is similar, but it focuses on the type of item you’re working with

Group: Same broad category

Version: Same specific edition

Kind: The specific type or class of the item


Example: apps/v1/Deployment

Group: apps

Version: v1

Kind: Deployment (the exact type of item you’re dealing with, like a specific chapter in the book)




GVR tells you where to find the resource (apps/v1/deployments)

GVK tells you exactly what the resource is (apps/v1/Deployment)




Communicate with the API server without using kubectl and kubeconfig

wanted to talk to kubernetes api server without kubectl or kubeconfig ?
we will talk to kubernetes directly through api server


create a service account
  kubectl create serviceaccount praduman -n default


create cluster role binding
  kubectl create clusterrolebinding praduman-clusteradmin-binding --clusterrole=cluster-admin --serviceaccount=default:praduman


create a token
  kubectl create token praduman

  Token=

  APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')


create deployment
  curl -X POST $APISERVER/apis/apps/v1/namespaces/default/deployments \
    -H "Authorization: Bearer $TOKEN" \
    -H 'Content-Type: application/json' \
    -d @deploy.json \
    -k


list pods
  curl -X GET $APISERVER/api/v1/namespaces/default/pods \
    -H "Authorization: Bearer $TOKEN" \
    -k



Conclusion

In conclusion, this article provides a detailed exploration of Kubernetes, covering its architecture, tools for creating and managing clusters, and practical steps for setting up a Kubernetes cluster using KOPS on EC2. It distinguishes between self-managed and managed Kubernetes clusters, highlights tools for local development, and delves into the components of master and worker nodes. Additionally, it offers commands and procedures for cluster creation, configuration, and user management, including direct interaction with the Kubernetes API server using REST calls. This comprehensive guide serves as a valuable resource for anyone looking to understand and implement Kubernetes effectively.


💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub



Kubernetes-Part-1
Praduman Prajapati — Wed, 11 Sep 2024 18:30:00 GMT
Understanding Kubernetes: The Container Orchestration Powerhouse
Kubernetes, also known as k8s, is an open-source system that helps automate the deployment, scaling, and management of applications in containers. It is a container orchestration platform.
When you install Kubernetes, you create a cluster, which is a group of nodes. Nodes are physical or virtual machines that helps to run your containers.
Virtual machines can also be orchestrated through Kubernetes by installing KubeVirt.
Kubernetes are:

CNCF Graduated Project

Inspired by Borg and Omega

Launched in 2014

Designed for Scale

Run Anywhere


Why Choose Kubernetes? Unleashing the Power of Container Management
Kubernetes is popular because it offers powerful features:

Autoscaling: Automatically adjusts the number of running containers based on current demand, ensuring efficient resource usage and optimal performance.

Autohealing: Detects and replaces failed containers to maintain the health and availability of applications.

Scheduling: Efficiently allocates containers to nodes based on resource requirements and constraints, optimizing resource usage.

Load Balancing: Distributes network traffic across multiple containers to ensure no single container is overwhelmed.

Storage Orchestration: Automatically mounts the necessary storage systems, whether local, cloud-based, or network storage.

Deployment Automation: Automates the deployment, scaling, and rollback of applications, ensuring smooth updates and maintaining high availability.

Monitoring and Logging Integration: Provides integration with various tools for monitoring and logging, offering insights into application performance and health.


Docker's Drawbacks: Why Kubernetes is the Superior Choice
Docker is a platform for running containers, which are lightweight temporary by nature.
Here are some key issues with Docker:

Ephemeral Nature: Containers have short lifespans. If a container stops or crashes, the application inside becomes inaccessible until someone restarts it.

Single Host Limitation: Docker manages containers on a single machine, making it difficult to handle large-scale deployments.

Manual Monitoring: Monitoring and managing a large number of containers manually is impractical. Running commands like docker ps to check container states isn't feasible at scale.

Handling Traffic: When a container experiences a surge in traffic, Docker lacks built-in mechanisms to automatically distribute the load or scale up the number of containers, leading to potential performance issues.


How Kubernetes Helps
Kubernetes addresses these problems with features like:

Autohealing: Automatically detects and restarts failed containers, ensuring applications remain accessible without manual intervention.

Autoscaling: Automatically adjusts the number of running containers based on traffic demand, ensuring that applications can handle increased traffic without performance degradation.

Multi-Host Orchestration: Manages containers across multiple machines, enabling large-scale deployments and better resource utilization.



Step-by-Step Guide: Creating a Container Using Docker
firstly make sure you have installed Docker on your server

Pull nginx image from dockerHub on your local.
  docker run -d --name my-nginx-container --memory 512m --cpus 1 nginx

  

check image are running
  docker ps

  

print process id (PID) of container nginx
  docker inspect --format '{{.State.Pid}}' my-nginx-container

  (or)

  ps aux | grep '[n]ginx' | sort -n -k 2 | head -n 1 | awk '{print $2}'

  

list namespaces of a process of linux
  lsns -p 

  



Conclusion

Kubernetes, or k8s, revolutionizes the way applications are deployed, scaled, and managed by automating these processes within containerized environments. Its robust features, such as autoscaling, autohealing, efficient scheduling, load balancing, and storage orchestration, make it an indispensable tool for modern DevOps practices. Unlike Docker, which is limited to single-host container management and requires manual intervention for scaling and monitoring, Kubernetes excels in multi-host orchestration and automatic management of container health and scaling. By leveraging Kubernetes, organizations can achieve greater efficiency, reliability, and scalability in their application deployments.


💡 Let’s connect and discuss DevOps, cloud automation, and cutting-edge technology
🔗 LinkedIn | 💼 Upwork | 🐦 Twitter | 👨‍💻 GitHub



How to Create an IAM in AWS: A Step-by-Step Guide
Praduman Prajapati — Mon, 20 May 2024 19:14:48 GMT
AWS IAM (Identity and Access Management) is a service provided by Amazon Web Services (AWS) that helps you manage access to your AWS resources, acting like a security system for your AWS account.
IAM allows you to create and manage users, groups, and roles.
Users: IAM users are individual people or entities (like applications or services) that use your AWS resources. Each user has a unique name and security credentials (password or access keys) for authentication and access control.
Groups: IAM groups are collections of users with similar access requirements. Instead of managing permissions for each user individually, you can assign permissions to groups, making it easier to manage access control. Users can be added or removed from groups as needed.
Roles: IAM roles give temporary access to AWS resources. They are usually used by applications or services that need to access AWS resources for users or other services. Roles have policies that specify what actions and permissions are allowed.
With IAM, you can control and define permissions through policies.
IAM policies are JSON documents that define permissions, specifying the actions that can be performed on AWS resources and the resources to which the actions apply. These policies can be attached to users, groups, or roles to control access. IAM provides both AWS managed policies (predefined policies maintained by AWS) and customer managed policies (policies created and managed by you).
Overall, IAM is a key part of AWS security. It gives you detailed control over who can access your AWS account and resources, lowers the risk of unauthorized access, and helps keep your environment secure.

Create an IAM role in AWS

Login to AWS account using root user and search for IAM service




Tap on users and create a new user

Enter user name

click on i want to create a new user

Autogenrate password(user can create password by themselves when they login ones)






set permissions

Attach policy directly or add them to a group where policies are already attached. I am attaching policies directly.


go to the next step by attaching reqired policies. you will see summary



User is created. Save and share the .csv file to the person who is going to use this



login as IAM user



reset password



you are now logged in as a new user and can do the work permissiion you have





How to Connect to EC2 Instance Easily Without Password
Praduman Prajapati — Sat, 18 May 2024 18:39:30 GMT
First, you need to Create an EC2 instance and connect it to the local terminal


Now, open a new terminal on local and run the command:

ssh-keygen -t rsa



Open the ".ssh" folder and copy the content from the "id_rsa.pub" file.

cat .ssh/id_rsa.pub



Open the EC2 instance you want to connect to and access the .ssh folder there.



Now, open the authorized_keys file and paste the content you copied from your local terminal inside the authorized_keys at the end, then save the file.

vim authorized_keys



You can now SSH to the EC2 instance without a password from your local terminal. Just use the private IP address of your EC2 instance.



copy your EC2 instance private IPv4 address and paste it in your local terminal using the command

ssh 

Congrats! You can now connect to your instance without using a password



Setting Up Docker Containers as Jenkins Build Agents
Praduman Prajapati — Sat, 27 Apr 2024 12:00:20 GMT

Firstly, Create an EC2 instance

Then setup jenkins on it


When the above steps done, then wait for the Jenkins to be started

Docker Slave Configuration

To install Docker, run the command below on the EC2 instance terminal
  sudo apt update && upgrade
  sudo apt install docker.io

  

Grant Jenkins user and ubuntu user permission to docker daemon and restart docker
  sudo su-
  usermod -aG docker jenkins
  usermod -aG docker ubuntu
  systemctl restart docker

  

Switch to the Jenkins user
  su jenkins


Check if the Jenkins user can run containers
  docker run hello-world

  


Sometimes jenkins might not pickup these changes. So, just restart your jenkins

To restart Jenkins, simply go to your browser and type
  http://<your-EC2-public-ip>:8080/restart




Install the Docker pipeline plugin in jenkins
We should install the Docker pipeline plugin so that Jenkins can work with Docker as an agent. This means that when running a job, Jenkins needs to know that if a user provides a Jenkins file to run a specific job on Docker, the configuration is in place

Click on Manage Jenkins


  Click on plugins and install Docker pipeline plugin

Restart Jenkins after the installation is finished



Congratulations! You are now ready to begin creating your pipelines.

Port	Protocol	Purpose
8080	TCP	Jenkins Web UI (Restrict access to trusted IPs or internal network).
50000	TCP	Communication between Jenkins Controller and Agents (for distributed builds).
443	TCP	HTTPS access (if Jenkins is secured with SSL).
80	TCP	HTTP access (if using an Nginx reverse proxy for Jenkins).
9000	TCP	SonarQube Access (for code analysis).

Feature	Deployment	StatefulSet
Use Case	For stateless applications	For stateful applications
Pod Identity	Pods are interchangeable and do not have stable identities	Pods have unique, stable identities (e.g., `pod-0`, `pod-1`)
Storage	Typically uses ephemeral storage, data is lost when a pod is deleted	Each pod can have its own persistent volume attached
Scaling Behavior	Pods are scaled simultaneously and in random order	Pods are scaled sequentially (e.g., `pod-0` before `pod-1`)
Pod Updates	All pods can be updated concurrently	Pods are updated sequentially, ensuring one pod is ready before moving to the next
Order of Pod Creation/Deletion	No specific order in pod creation or deletion	Pods are created/deleted in a specific order (e.g., `pod-0`, `pod-1`)
Network Identity	Uses a ClusterIP service, no stable network identity	Typically uses a headless service, giving each pod a stable network identity
Examples	Microservices, stateless web apps	Databases (MySQL, Cassandra), distributed systems requiring unique identity or stable storage
Use of Persistent Volumes	Persistent volumes are shared across pods (if needed)	Each pod gets a dedicated persistent volume

Praduman's blog

Hosting GitLab on Your Private Server with CI/CD: A How-To Guide

Why Self-Host GitLab?

Prerequisites

Creating an EC2 server

Connect to the Gitlab Server using SSH

Step 1: Prepare the Server

Step 2: Install Docker

Step 3: Deploy GitLab

Step 4: Secure the Instance

Step 5: Set Up CI/CD with GitLab Runner

Test CI/CD with a Pipeline

Conclusion

Capstone DevOps Project: Enterprise-Grade CI/CD Pipeline with Kubernetes on AWS, Jenkins, Helm, Ingress, and Monitoring

Introduction 🚀

Architecture Diagram of the Project

📌 Source Code & Project Repositories

🔧 Project Repository (CI Repo)

🚀 CD Repository

☁️ Infrastructure as Code (IaC) — Terraform for EKS

🔒 Configure AWS Security Group

📌 Essential Security Group Rules for Kubernetes Cluster

✅ Best Practices for Security Group Setup

Create EC2 Instances for Required Tools

📋 What You’ll Be Creating:

🔧 Step 1: Launch EC2 Instances

⚙️ Step 2: Configure Instance

🔗 Connecting to EC2 Instances via SSH

🧩 What You Need:

💻 SSH Command

Configure each server

Configure the Infrastructure Server

Attach the IAM Role to the EC2 Instance

Install AWS CLI on the Infra Server

Verify AWS CLI Installation

Configure AWS CLI

Install Terraform

Verify Terraform Installation

Clone the Infrastructure as Code (IaC) Repository

Create Resources on AWS Using Terraform

Set Up the Jenkins Server

Step 1: Install Java

Step 2: Install Jenkins

Step 3: Access Jenkins Web UI

Unlock Jenkins

Step 5: Install Plugins & Create Admin User

🎉 Jenkins is Ready!

Set Up the SonarQube Server

Step 1: Update the Server

Step 2: Install Docker on the Server

Step 3: Enable Docker for Your User (Optional, but recommended)

Step 4: Run SonarQube in a Docker Container

Step 5: Access SonarQube Web UI

Step 6: Login and Change Default Password

🎉 SonarQube is now up and running on your server!

Set Up the Nexus Server

Step 1: Update the System

Step 2: Install Docker

Step 3: Run Docker Without sudo (Optional)

Step 4: Run Nexus in a Docker Container

Step 5: Access Nexus Web Interface

Step 6: Retrieve the Admin Password

Step 7: Login & Set a New Password

🎉 That’s it! Your Nexus repository manager is now ready to use.

Configure Jenkins Plugins and Docker

Step 1: Install Required Jenkins Plugins

Step 2: Install Docker on Jenkins Server

Step 3: Allow Jenkins User to Run Docker

Step 4: Configure Maven and Sonar Scanner in Jenkins

Create and Configure Jenkins Pipeline

Step 1: Create a New Pipeline

Step 2: Install Trivy on Jenkins Server

Step 3: Add SonarQube Credentials in Jenkins

Step 4: Configure SonarQube Server in Jenkins

Write Your Pipeline Script

Now, try to build pipeline and check till now everything works fine

Implement Quality Gate Check

Update pom.xml with Nexus Repositories

Configure Nexus Credentials in Jenkins via settings.xml

Add DockerHub Credentials in Jenkins

Connect to the `Gitlab Server` using `SSH`

Step 3: Run Docker Without `sudo` (Optional)

Update `pom.xml` with Nexus Repositories

Configure Nexus Credentials in Jenkins via `settings.xml`

Install `eksctl`

Install `kubectl` on Jenkins Server

Create `values.yaml` for Custom Configuration