The latest articles on Forem by Rihab Haddad (@rihab_haddad_5a138728dcc2). https://forem.com/rihab_haddad_5a138728dcc2 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2411388%2Fb333b311-c032-4611-bf87-9777ae3d2518.png https://forem.com/rihab_haddad_5a138728dcc2 en Rihab Haddad Mon, 05 May 2025 12:02:00 +0000 https://forem.com/rihab_haddad_5a138728dcc2/building-a-production-ready-devsecops-pipeline-using-jenkins-argocd-trivy-and-vault-a-hands-on-4i00 https://forem.com/rihab_haddad_5a138728dcc2/building-a-production-ready-devsecops-pipeline-using-jenkins-argocd-trivy-and-vault-a-hands-on-4i00 <p>In a world where security breaches and unstable deployments can instantly ruin user trust, building a secure and automated CI/CD pipeline is no longer optional - <strong>it's essential</strong>.</p> <p>In this hands-on guide, you'll walk through a real-world DevSecOps pipeline integrating powerful open-source tools like Jenkins, ArgoCD, Trivy, SonarQube, and Vault, enhanced with Prometheus and Grafana for monitoring.</p> <p>By the end of this guide, you'll be able to:</p> <ul> <li>Automate Builds, Tests, and Deployments using <strong>Jenkins</strong> and GitOps with <strong>ArgoCD</strong> </li> <li>Enforce Security and Code Quality with <strong>SonarQube</strong> and <strong>Trivy</strong> </li> <li>Manage Secrets Securely using <strong>HashiCorp Vault</strong> </li> <li>Deploy Declaratively with <strong>GitOps</strong>, enabling rollbacks and auditability</li> <li>Gain Real-Time Visibility with <strong>Prometheus</strong> and <strong>Grafana</strong> </li> </ul> <h2> What We'll Cover: </h2> <ul> <li> <strong>GitOps Foundation</strong>: Setting up our Git repositories</li> <li> <strong>Jenkins Automation</strong>: Configuring Jenkins to drive our pipeline</li> <li> <strong>Docker and Initial Security</strong>: Containerizing our app and scanning</li> <li> <strong>Pipeline Deep Dive</strong>: Building, scanning, and pushing our Docker image</li> <li> <strong>GitOps Deployments</strong>: Automating deployments with ArgoCD</li> <li> <strong>Vault Secrets</strong>: Securely managing credentials</li> <li> <strong>Real-Time Monitoring</strong>: Using Prometheus and Grafana for observability</li> </ul> <h2> Architecture Overview </h2> <p>Our architecture combines the strengths of Continuous Integration (CI), Continuous Delivery (CD), GitOps, and DevSecOps principles to create a secure and automated workflow. Here's a visual representation of the key components and their interactions:</p> <ul> <li> <strong>Jenkins</strong> - Automates the pipeline: build, test, scan, deploy</li> <li> <strong>Docker</strong> - Builds and runs containerized apps</li> <li> <strong>Trivy</strong> - Scans code and images for vulnerabilities</li> <li> <strong>SonarQube</strong> - Analyzes code quality and security</li> <li> <strong>Vault</strong> - Securely store and manage credentials and other sensitive data</li> <li> <strong>ArgoCD</strong> - Syncs Kubernetes clusters from Git repositories</li> <li> <strong>Prometheus + Grafana</strong> - Provides real-time monitoring of the application and system</li> </ul> <blockquote> <p>Note: During the project implementation, you will likely face issues that you will need to solve independently. Use the official documentation, Google, Stack Overflow, or ChatGPT to find solutions. This is a normal part of the learning process and reflects real-world DevOps challenges. Developing your ability to find necessary information is a crucial skill for a DevOps engineer.</p> </blockquote> <h2> Prerequisites </h2> <p>Before diving into the implementation, ensure the following tools are installed and configured on your local environment:</p> <ul> <li>Git, Docker, Jenkins, kubectl</li> <li>Minikube (for local Kubernetes)</li> <li>SonarQube, Trivy, Vault CLI</li> <li>Visual Studio Code (or preferred IDE)</li> <li>Helm (optional, for ArgoCD/Vault)</li> </ul> <blockquote> <p>💡 Glossary Reminder: If you encounter unfamiliar terms, please refer to the glossary at the end of the article.</p> </blockquote> <h2> Step 1: Create Two GitHub Repositories </h2> <p>To establish a clean and modular CI/CD pipeline aligned with GitOps best practices, we'll begin by creating two distinct GitHub repositories.</p> <h3> DevSecOps-pipeline </h3> <p>This repository will house your application's source code, the Dockerfile defining how to containerize your application, and the Jenkinsfile which outlines the automation pipeline.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>DevSecOps-pipeline/ ├── Dockerfile ├── Jenkinsfile ├── src/ └── ... (your application source code) </code></pre> </div> <h3> GitOps </h3> <p>This repository will serve as the single source of truth for your Kubernetes cluster's desired state. It will contain Kubernetes manifests (e.g., deployment.yaml, service.yaml) and any application-specific configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitOps/ ├── config/ │ └── app.yaml │ └── k8s/ ├── deployment.yaml ├── service.yaml └── ... (other Kubernetes manifests) </code></pre> </div> <blockquote> <h3> Why this structure? </h3> <p>Keeping source code and deployment configuration in separate repositories enables GitOps best practices and promotes clear separation of concerns.</p> </blockquote> <h2> Step 2: Installing and Configuring Jenkins </h2> <p>Jenkins will act as the central orchestrator of our CI/CD pipeline, automating the build, test, scan, and deployment processes.</p> <h3> Required Jenkins Plugins </h3> <p>Go to Manage Jenkins &gt; Plugins and install:</p> <ul> <li>Docker Pipeline</li> <li>Git Plugin</li> <li>SonarQube Scanner</li> <li>Trivy Plugin</li> <li>HashiCorp Vault Plugin</li> </ul> <p>Instead of adding secrets manually under Manage Jenkins &gt; Credentials, we now store all sensitive data in Vault and retrieve it dynamically during pipeline execution using the <code>withVault</code> block.</p> <h3> Secrets managed in Vault: </h3> <ul> <li>GitHub Access Token → <code>secret/github</code> </li> <li>Docker Hub credentials → <code>secret/dockerhub</code> </li> <li>SonarQube Token → <code>secret/sonarqube</code> </li> <li>GitOps SSH Key → <code>secret/gitops</code> </li> <li>MongoDB Credentials → <code>secret/mongodb</code> </li> </ul> <blockquote> <p>Each of these is fetched securely from Vault at runtime using the AppRole authentication method. This eliminates the need to hardcode or store secrets in Jenkins and ensures better traceability and secret rotation.</p> </blockquote> <h3> Configure Vault Plugin in Jenkins: </h3> <p>Navigate to Manage Jenkins &gt; Configure System &gt; Vault Plugin:</p> <ul> <li>Vault URL: <code>https://vault.your-domain:port</code> </li> <li>Credential Type: AppRole</li> <li>Vault AppRole Role ID: <code>&lt;your-role-id&gt;</code> (configured in Vault later)</li> <li>Vault AppRole Secret ID: <code>&lt;your-secret-id&gt;</code> (configured in Vault later)</li> </ul> <p>Once configured, Jenkins is ready to securely communicate with Vault and fetch secrets during pipeline execution.</p> <h2> Configure SonarQube Scanner in Jenkins </h2> <ol> <li>Go to Manage Jenkins &gt; Configure System.</li> <li> <p>Scroll to SonarQube servers and click Add SonarQube:</p> <ul> <li>Name: SonarQube</li> <li>Server URL: <code>http://&lt;your-sonarqube-url&gt;:9000</code> </li> <li>Check Enable injection of SonarQube server configuration as build environment variables</li> </ul> </li> <li><p>Go to Manage Jenkins &gt; Global Tool Configuration.</p></li> <li><p>Scroll to SonarQube Scanner and click Add SonarQube Scanner:</p></li> <li><p>Name: SonarScanner</p></li> <li><p>Check Install Automatically (or specify a local path)</p></li> </ol> <h2> Configure Trivy Plugin in Jenkins </h2> <ol> <li>Navigate to Manage Jenkins &gt; Configure System.</li> <li>Scroll to the Trivy section and click Add Trivy Installation:</li> <li>Name: Trivy</li> <li>Check Install automatically (or specify the path to an existing Trivy binary)</li> </ol> <p>Now Trivy is ready to scan Docker images for vulnerabilities as part of your pipeline.</p> <h2> Step 3: Containerize the Application (Multi-Stage Dockerfile) </h2> <h3> Why Dockerize? </h3> <p>Docker ensures that your app runs in a consistent environment across all stages of development, testing, and production.</p> <p>In your app repo (<code>DevSecOps-pipeline/</code>), create the following Dockerfile:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># -------- STAGE 1: Build --------</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:18-bullseye</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">build</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy package definition files</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="c"># Install system and Node.js dependencies required for build</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="se">\ </span> python3 <span class="se">\ </span> build-essential <span class="se">\ </span> libssl-dev <span class="se">\ </span> curl <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># Install Node dependencies</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="nt">--legacy-peer-deps</span> <span class="c"># Copy full application source code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># -------- STAGE 2: Runtime --------</span> <span class="k">FROM</span><span class="s"> node:18-slim</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy only the build artifacts and necessary files from previous stage</span> <span class="k">COPY</span><span class="s"> --from=build /app .</span> <span class="c"># Expose the app port</span> <span class="k">EXPOSE</span><span class="s"> 3001</span> <span class="c"># Launch the Node.js application</span> <span class="k">CMD</span><span class="s"> ["npm", "start"]</span> </code></pre> </div> <h3> Local Testing (Optional but Recommended) </h3> <p>Before integrating the Docker build into the Jenkins pipeline, it's a good practice to validate the image locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> my-node-app <span class="nb">.</span> docker run <span class="nt">-p</span> 3001:3001 my-node-app </code></pre> </div> <p>Visit <a href="http://localhost:3001" rel="noopener noreferrer">http://localhost:3001</a> to verify your app runs correctly in the container.</p> <h2> Step 4: Pipeline Breakdown: Jenkinsfile Configuration </h2> <p>The Jenkins pipeline outlined here automates the process of building, testing, scanning, and deploying your containerized application. The pipeline includes stages for each of these tasks.</p> <h3> Set Environment Variables </h3> <p>We define global environment variables at the start of our Jenkinsfile. These variables store reusable values like image names, repository URLs, and Vault secret paths. This makes the pipeline more readable and easier to maintain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">environment</span> <span class="o">{</span> <span class="n">IMAGE_NAME</span> <span class="o">=</span> <span class="s2">"rihab26/nodejs-app"</span> <span class="n">REGISTRY</span> <span class="o">=</span> <span class="s2">"docker.io"</span> <span class="n">GIT_REPO</span> <span class="o">=</span> <span class="s2">"https://github.com/RihabHaddad/DevSecOps-pipeline.git"</span> <span class="n">GITOPS_REPO</span> <span class="o">=</span> <span class="s2">"git@github.com:RihabHaddad/GitOps.git"</span> <span class="n">VAULT_SECRET_GITHUB</span> <span class="o">=</span> <span class="s1">'secret/github'</span> <span class="n">VAULT_SECRET_DOCKERHUB</span> <span class="o">=</span> <span class="s1">'secret/dockerhub'</span> <span class="n">VAULT_SECRET_SONAR</span> <span class="o">=</span> <span class="s1">'secret/sonarqube'</span> <span class="n">VAULT_SECRET_GITOPS</span> <span class="o">=</span> <span class="s1">'secret/gitops'</span> <span class="o">}</span> </code></pre> </div> <h3> Code Checkout </h3> <p>The pipeline begins by retrieving source code securely from GitHub. Credentials are retrieved dynamically from Vault to avoid storing secrets in Jenkins.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Checkout Code'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="n">withVault</span><span class="o">([</span><span class="nl">vaultSecrets:</span> <span class="o">[[</span><span class="nl">path:</span> <span class="s2">"${VAULT_SECRET_GITHUB}"</span><span class="o">,</span> <span class="nl">secretValues:</span> <span class="o">[[</span><span class="nl">envVar:</span> <span class="s1">'GITHUB_TOKEN'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'token'</span><span class="o">]]]])</span> <span class="o">{</span> <span class="n">checkout</span> <span class="nl">scm:</span> <span class="o">[</span> <span class="n">$class</span><span class="o">:</span> <span class="s1">'GitSCM'</span><span class="o">,</span> <span class="nl">branches:</span> <span class="o">[[</span><span class="nl">name:</span> <span class="s1">'*/main'</span><span class="o">]],</span> <span class="nl">userRemoteConfigs:</span> <span class="o">[[</span> <span class="nl">url:</span> <span class="s2">"${GIT_REPO}"</span><span class="o">,</span> <span class="nl">credentials:</span> <span class="o">[</span><span class="nl">username:</span> <span class="s1">'rihabhaddad'</span><span class="o">,</span> <span class="nl">password:</span> <span class="s2">"${GITHUB_TOKEN}"</span><span class="o">]</span> <span class="o">]]</span> <span class="o">]</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="n">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">currentBuild</span><span class="o">.</span><span class="na">result</span> <span class="o">=</span> <span class="s1">'FAILURE'</span> <span class="n">error</span> <span class="s2">"Checkout failed: ${e.message}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The <code>IMAGE_TAG</code> is dynamically generated using the latest commit hash to ensure that each build has a unique and traceable Docker image tag.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Prepare'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="n">env</span><span class="o">.</span><span class="na">IMAGE_TAG</span> <span class="o">=</span> <span class="n">sh</span><span class="o">(</span><span class="nl">script:</span> <span class="s2">"git rev-parse --short HEAD"</span><span class="o">,</span> <span class="nl">returnStdout:</span> <span class="kc">true</span><span class="o">).</span><span class="na">trim</span><span class="o">()</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="n">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">currentBuild</span><span class="o">.</span><span class="na">result</span> <span class="o">=</span> <span class="s1">'FAILURE'</span> <span class="n">error</span> <span class="s2">"Failed to determine image tag: ${e.message}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Static Code Analysis (SonarQube) </h2> <h3> Why use SonarQube? </h3> <p>It detects bugs, vulnerabilities, and code smells.</p> <p>Create a <code>docker-compose.yml</code> file to launch SonarQube in a container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">sonarqube</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">sonarqube:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">sonarqube</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9000:9000"</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sonarqube_data:/opt/sonarqube/data</span> <span class="pi">-</span> <span class="s">sonarqube_extensions:/opt/sonarqube/extensions</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">sonarqube_data</span><span class="pi">:</span> <span class="na">sonarqube_extensions</span><span class="pi">:</span> </code></pre> </div> <p>Run the following command to launch SonarQube in detached mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose up <span class="nt">-d</span> </code></pre> </div> <p>Access: <a href="http://localhost:9000" rel="noopener noreferrer">http://localhost:9000</a> - login with admin/admin</p> <h3> Jenkins Stage </h3> <p>The SonarQube Analysis stage scans the application's source code for quality and security issues using SonarQube. The stage dynamically retrieves the SonarQube token from Vault, ensuring that no sensitive information is stored in Jenkins. It performs the analysis on the entire codebase, excluding Java files, and reports any potential issues or vulnerabilities found.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'SonarQube Analysis'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="n">withVault</span><span class="o">([</span><span class="nl">vaultSecrets:</span> <span class="o">[[</span><span class="nl">path:</span> <span class="s2">"${VAULT_SECRET_SONAR}"</span><span class="o">,</span> <span class="nl">secretValues:</span> <span class="o">[[</span><span class="nl">envVar:</span> <span class="s1">'SONAR_TOKEN'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'token'</span><span class="o">]]]])</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">scannerHome</span> <span class="o">=</span> <span class="n">tool</span> <span class="nl">name:</span> <span class="s1">'SonarQube Scanner'</span><span class="o">,</span> <span class="nl">type:</span> <span class="s1">'hudson.plugins.sonar.SonarRunnerInstallation'</span> <span class="n">withSonarQubeEnv</span><span class="o">(</span><span class="s1">'SonarQube'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s2">""" ${scannerHome}/bin/sonar-scanner \ -Dsonar.projectKey=nodejs-app \ -Dsonar.sources=. \ -Dsonar.exclusions=**/*.java \ -Dsonar.login=$SONAR_TOKEN """</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="n">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">currentBuild</span><span class="o">.</span><span class="na">result</span> <span class="o">=</span> <span class="s1">'FAILURE'</span> <span class="n">error</span> <span class="s2">"SonarQube analysis failed: ${e.message}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ef53altv3v81s0mzmgw.png" alt="Image description" width="800" height="317"> </h2> <h2> Security Scanning with Trivy </h2> <h3> Why Scan Code and Images? </h3> <p>You need to scan both your code and Docker images to catch known vulnerabilities before they reach production.</p> <h3> Filesystem Scan </h3> <p>Scans the application's filesystem for known vulnerabilities using Trivy. The <code>--severity HIGH,CRITICAL</code> flag ensures that only high and critical vulnerabilities are reported. The <code>|| true</code> allows the pipeline to continue even if vulnerabilities are found (you can adjust this to fail the build if necessary).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Security Scan with Trivy (FS)'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'trivy fs --scanners vuln --no-progress --severity HIGH,CRITICAL --format table --output trivy-fs-report.txt . || true'</span> <span class="n">sh</span> <span class="s1">'cat trivy-fs-report.txt'</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="n">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">currentBuild</span><span class="o">.</span><span class="na">result</span> <span class="o">=</span> <span class="s1">'FAILURE'</span> <span class="n">error</span> <span class="s2">"Trivy scan failed: ${e.message}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Build Docker Image </h3> <p>Builds the Docker image using the Dockerfile in the repository, tagging it with the generated <code>IMAGE_NAME</code> and <code>IMAGE_TAG</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Build Docker Image'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="n">sh</span> <span class="s2">"docker build -t ${IMAGE_NAME}:${IMAGE_TAG} ."</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="n">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">currentBuild</span><span class="o">.</span><span class="na">result</span> <span class="o">=</span> <span class="s1">'FAILURE'</span> <span class="n">error</span> <span class="s2">"Docker build failed: ${e.message}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Image Scan </h3> <p>Scans the newly built Docker image for vulnerabilities using Trivy. The <code>--timeout</code> flag prevents the scan from running indefinitely. The build will fail if high or critical vulnerabilities are detected.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Scan Docker Image'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">exitCode</span> <span class="o">=</span> <span class="n">sh</span><span class="o">(</span> <span class="nl">script:</span> <span class="s2">""" trivy image --timeout 10m \ --scanners vuln \ --no-progress \ --severity HIGH,CRITICAL \ --format table \ --output trivy-report.txt \ ${IMAGE_NAME}:${IMAGE_TAG} """</span><span class="o">,</span> <span class="nl">returnStatus:</span> <span class="kc">true</span> <span class="o">)</span> <span class="n">sh</span> <span class="s1">'cat trivy-report.txt'</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="n">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">currentBuild</span><span class="o">.</span><span class="na">result</span> <span class="o">=</span> <span class="s1">'FAILURE'</span> <span class="n">error</span> <span class="s2">"Docker image scan failed: ${e.message}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Push Docker Image to Registry </h2> <p>The built and scanned Docker image is then pushed to Docker Hub. Vault credentials for Docker Hub are securely retrieved to log in to the registry and push the image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Push Image to Docker Hub'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="n">withVault</span><span class="o">([</span><span class="nl">vaultSecrets:</span> <span class="o">[[</span><span class="nl">path:</span> <span class="s2">"${VAULT_SECRET_DOCKERHUB}"</span><span class="o">,</span> <span class="nl">secretValues:</span> <span class="o">[</span> <span class="o">[</span><span class="nl">envVar:</span> <span class="s1">'DOCKER_USER'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'username'</span><span class="o">],</span> <span class="o">[</span><span class="nl">envVar:</span> <span class="s1">'DOCKER_PASS'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'password'</span><span class="o">]</span> <span class="o">]]])</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'echo $DOCKER_PASS | docker login -u $DOCKER_USER --password-stdin'</span> <span class="n">sh</span> <span class="s2">"docker push ${IMAGE_NAME}:${IMAGE_TAG}"</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="n">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">currentBuild</span><span class="o">.</span><span class="na">result</span> <span class="o">=</span> <span class="s1">'FAILURE'</span> <span class="n">error</span> <span class="s2">"Docker push failed: ${e.message}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5az8omhk4e4r9oq7cfns.png" alt="Image description" width="800" height="143"> </h2> <h2> GitOps Update and ArgoCD Sync </h2> <p>Here, we update the GitOps repository with the new image tag. This update triggers ArgoCD to synchronize the Kubernetes cluster with the GitOps repository, ensuring that the latest image is deployed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'GitOps Update'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="n">withVault</span><span class="o">([</span><span class="nl">vaultSecrets:</span> <span class="o">[[</span><span class="nl">path:</span> <span class="s2">"${VAULT_SECRET_GITOPS}"</span><span class="o">,</span> <span class="nl">secretValues:</span> <span class="o">[[</span><span class="nl">envVar:</span> <span class="s1">'SSH_KEY'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'key'</span><span class="o">]]]])</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'rm -rf temp-repo'</span> <span class="n">sh</span> <span class="s2">"mkdir -p ~/.ssh &amp;&amp; echo \"\$SSH_KEY\" &gt; ~/.ssh/id_rsa &amp;&amp; chmod 600 ~/.ssh/id_rsa"</span> <span class="n">sh</span> <span class="s2">"git clone ${GITOPS_REPO} temp-repo"</span> <span class="n">dir</span><span class="o">(</span><span class="s1">'temp-repo'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s2">"sed -i 's|image: .*|image: ${IMAGE_NAME}:${IMAGE_TAG}|' k8s/deployment.yaml"</span> <span class="n">script</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">changes</span> <span class="o">=</span> <span class="n">sh</span><span class="o">(</span><span class="nl">script:</span> <span class="s2">"git status --porcelain"</span><span class="o">,</span> <span class="nl">returnStdout:</span> <span class="kc">true</span><span class="o">).</span><span class="na">trim</span><span class="o">()</span> <span class="k">if</span> <span class="o">(</span><span class="n">changes</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s2">"git add ."</span> <span class="n">sh</span> <span class="s2">"git commit -m 'Update image tag to ${IMAGE_TAG}'"</span> <span class="n">sh</span> <span class="s2">"git push origin main"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="n">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">currentBuild</span><span class="o">.</span><span class="na">result</span> <span class="o">=</span> <span class="s1">'FAILURE'</span> <span class="n">error</span> <span class="s2">"GitOps update failed: ${e.message}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>GitOps Update:</p> <ul> <li>Securely clones the GitOps repository using an SSH key retrieved from Vault.</li> <li>Updates the image tag in the <code>k8s/deployment.yaml</code> file of the cloned GitOps repository with the newly built <code>IMAGE_NAME</code> and <code>IMAGE_TAG</code>.</li> <li>Commits and pushes the changes to the GitOps repository. Crucially, it only adds the modified <code>deployment.yaml</code> file.</li> </ul> <p>Once the GitOps repo is updated, ArgoCD will automatically detect and sync the changes to your Kubernetes cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Sync ArgoCD'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="n">sh</span> <span class="s2">"argocd app sync nodejs-app"</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="n">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">currentBuild</span><span class="o">.</span><span class="na">result</span> <span class="o">=</span> <span class="s1">'FAILURE'</span> <span class="n">error</span> <span class="s2">"ArgoCD sync failed: ${e.message}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F070pn2c1nl2mncv0demk.png" alt="Image description" width="800" height="100"> </h2> <h2> Step 5: Prepare Your GitOps Repository </h2> <p>The GitOps repository serves as the declarative source of truth for your Kubernetes cluster's desired state. ArgoCD continuously monitors this repository and automatically applies any changes to your cluster.</p> <h3> Example Kubernetes Deployment Manifest (<code>k8s/deployment.yaml</code>) </h3> <p>This manifest defines how your application will be deployed and managed in Kubernetes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nodejs-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">app-ns</span> <span class="c1"># Ensure this matches the namespace in your ArgoCD Application</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nodejs-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nodejs-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">vault-app-access</span> <span class="c1"># Service account for Vault access (configured later)</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nodejs-app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">rihab26/nodejs-app:latest</span> <span class="c1"># The image tag will be updated by Jenkins</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3001</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MONGODB_URI</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mongodb</span> <span class="na">key</span><span class="pi">:</span> <span class="s">connection_string</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">node-exporter</span> <span class="na">image</span><span class="pi">:</span> <span class="s">prom/node-exporter</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9100</span> </code></pre> </div> <h3> Key Points: </h3> <ul> <li>The <code>image</code> field will be dynamically updated by the Jenkins pipeline with the unique <code>IMAGE_TAG</code>.</li> <li>The namespace should match the one defined in your ArgoCD Application.</li> <li>The <code>serviceAccountName</code> will be used for authenticating with Vault from within the Kubernetes pod to access secrets.</li> </ul> <h3> Example ArgoCD Application YAML </h3> <p>To instruct ArgoCD to manage our application deployment, create an Application resource within your Kubernetes cluster (typically in the <code>argocd</code> namespace):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nodejs-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="c1"># Your Kubernetes API server address</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">app-ns</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">git@github.com:RihabHaddad/GitOps.git'</span> <span class="c1"># Replace with your GitOps repo URL</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">k8s</span> <span class="na">directory</span><span class="pi">:</span> <span class="na">recurse</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">exclude</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*-secret.yaml'</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Delete resources no longer in Git</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Revert changes made outside of Git</span> <span class="na">allowEmpty</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> <span class="c1"># Automatically create the destination namespace if it doesn't exist</span> <span class="pi">-</span> <span class="s">ServerSideApply=true</span> <span class="c1"># Use Server-Side Apply for better conflict management</span> <span class="pi">-</span> <span class="s">Replace=true</span> <span class="c1"># Replace resources instead of patching (use with caution)</span> </code></pre> </div> <h3> Explanation: </h3> <ul> <li> <code>destination</code>: Specifies the Kubernetes cluster and namespace where the application will be deployed.</li> <li> <code>source</code>: Points to your GitOps repository, the target revision (branch), and the path to the Kubernetes manifests (<code>k8s/</code>).</li> <li> <code>syncPolicy</code>: Configures how ArgoCD should synchronize the cluster with the Git repository. <code>automated</code> enables automatic syncing upon changes in the Git repository.</li> </ul> <h3> Create a Service Account for Vault Access in Kubernetes </h3> <p>To enable your application pods to securely access secrets from Vault, create a dedicated Service Account in your application namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-mongodb-access</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">app-ns</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-1"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-app-access</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">app-ns</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-1"</span> </code></pre> </div> <p>Apply this manifest using <code>kubectl apply -f file -n app-ns</code>.</p> <blockquote> <p>In the same directory (<code>..</code>), you'll also find other Kubernetes manifests (such as <code>rbac.yaml</code> and potentially others) that are necessary for configuring Vault access within your cluster. We will link this Service Account to a specific Vault policy later to control the secrets it can access."</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fobd1t9etnp5oxyr7ug6a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fobd1t9etnp5oxyr7ug6a.png" alt="Image description" width="800" height="383"></a></p> <h2> Step 6: Secrets Management with HashiCorp Vault (Secure Credential Handling) </h2> <p>Managing secrets like API keys, database passwords, or tokens directly in source code is a serious security risk. Vault helps you store and access these secrets securely.</p> <h3> Why use Vault? </h3> <ul> <li>Centralized and secure storage of secrets</li> <li>Fine-grained access control (ACL policies)</li> <li>Dynamic secrets generation (e.g., DB credentials)</li> </ul> <h3> Installing Vault using Helm (Simplified Deployment) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create namespace vault helm repo add hashicorp https://helm.releases.hashicorp.com helm repo update helm <span class="nb">install </span>vault hashicorp/vault <span class="nt">--namespace</span> vault </code></pre> </div> <h3> Initializing Vault (One-Time Setup) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">VAULT_ADDR</span><span class="o">=</span>http://&lt;your-vault-ip-or-hostname&gt;:8200 <span class="c"># Replace with your Vault service address</span> vault operator init </code></pre> </div> <p>Vault will return several Unseal Keys and a Root Token. Store these keys securely, as they are required for unsealing Vault and performing administrative actions.</p> <h3> Unseal Vault: </h3> <p>Vault is sealed by default for security reasons. You need to provide a minimum of 3 Unseal Keys (out of 5) to unseal Vault.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault operator unseal &lt;Unseal-Key1&gt; vault operator unseal &lt;Unseal-Key2&gt; vault operator unseal &lt;Unseal-Key3&gt; </code></pre> </div> <p>Login to Vault using the Root Token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault login &lt;Root-Token&gt; </code></pre> </div> <h3> Enable the Key-Value Secrets Engine (v2) </h3> <p>Vault supports multiple secrets engines. Here, we use the KV (Key-Value) version 2 engine to store our secrets.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault secrets <span class="nb">enable</span> <span class="nt">-path</span><span class="o">=</span>secret kv-v2 </code></pre> </div> <h3> Storing Secrets in Vault </h3> <p>Now, securely store the necessary secrets under the <code>secret/</code> path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault kv put secret/github <span class="nv">token</span><span class="o">=</span><span class="s2">"your_github_token"</span> vault kv put secret/dockerhub <span class="nv">username</span><span class="o">=</span><span class="s2">"your_docker_user"</span> <span class="nv">password</span><span class="o">=</span><span class="s2">"your_docker_pass"</span> vault kv put secret/sonarqube <span class="nv">token</span><span class="o">=</span><span class="s2">"your_sonar_token"</span> vault kv put secret/gitops <span class="nv">key</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">cat</span> ~/.ssh/id_rsa<span class="si">)</span><span class="s2">"</span> <span class="c"># Ensure your SSH private key for GitOps is available</span> vault kv put secret/mongodb <span class="nv">username</span><span class="o">=</span><span class="s2">"your_username"</span> <span class="nv">password</span><span class="o">=</span><span class="s2">"your_password"</span> <span class="nv">connection_string</span><span class="o">=</span><span class="s2">"mongodb://username:password@mongo-service:27017"</span> </code></pre> </div> <h3> Configure AppRole Authentication (for Jenkins) </h3> <p>AppRole authentication allows Jenkins to securely authenticate with Vault using a <code>role_id</code> and <code>secret_id</code>.</p> <ol> <li> <strong>Enable AppRole Authentication:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault auth <span class="nb">enable </span>approle </code></pre> </div> <ol> <li> <strong>Create a policy for Jenkins:</strong> Create a file named <code>jenkins-policy.hcl</code>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># jenkins-policy.hcl</span> <span class="nx">path</span> <span class="s2">"secret/data/github"</span> <span class="p">{</span> <span class="nx">capabilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"read"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">path</span> <span class="s2">"secret/data/dockerhub"</span> <span class="p">{</span> <span class="nx">capabilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"read"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">path</span> <span class="s2">"secret/data/sonarqube"</span> <span class="p">{</span> <span class="nx">capabilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"read"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">path</span> <span class="s2">"secret/data/gitops"</span> <span class="p">{</span> <span class="nx">capabilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"read"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault policy write jenkins-policy jenkins-policy.hcl </code></pre> </div> <ol> <li> <strong>Create an AppRole and bind the policy:</strong> This command creates an AppRole (<code>jenkins-role</code>) with the <code>jenkins-policy</code> that allows reading from the <code>secret/</code> path. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault write auth/approle/role/jenkins-role <span class="se">\</span> <span class="nv">token_policies</span><span class="o">=</span><span class="s2">"jenkins-policy"</span> <span class="se">\</span> <span class="nv">token_ttl</span><span class="o">=</span>1h <span class="se">\</span> <span class="nv">token_max_ttl</span><span class="o">=</span>4h </code></pre> </div> <ol> <li> <strong>Retrieve Role ID and Secret ID</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault <span class="nb">read </span>auth/approle/role/jenkins-role/role-id vault write <span class="nt">-f</span> auth/approle/role/jenkins-role/secret-id </code></pre> </div> <p>The output of these commands provides the <code>role_id</code> and <code>secret_id</code> that you configured in the Jenkins Vault Plugin settings in Step 2.</p> <h3> Configure Vault Kubernetes Authentication for Dynamic Secrets Access </h3> <p>This allows your application pods running in Kubernetes to authenticate with Vault using their Service Account and retrieve secrets securely.</p> <ol> <li> <strong>Enable Kubernetes Authentication in Vault</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault auth <span class="nb">enable </span>kubernetes </code></pre> </div> <ol> <li> <strong>Configure Kubernetes Auth Backend</strong> This step allows Vault to authenticate Kubernetes service accounts. You'll need to provide details about your Kubernetes cluster. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault write auth/kubernetes/config <span class="se">\</span> <span class="nv">kubernetes_host</span><span class="o">=</span><span class="s2">"https://&lt;KUBERNETES_API_SERVER&gt;:&lt;PORT&gt;"</span> <span class="se">\</span> <span class="nv">kubernetes_ca_cert</span><span class="o">=</span>@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt <span class="se">\</span> <span class="nv">token_reviewer_jwt</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">cat</span> /var/run/secrets/kubernetes.io/serviceaccount/token<span class="si">)</span><span class="s2">"</span> <span class="se">\</span> <span class="nv">issuer</span><span class="o">=</span><span class="s2">"https://kubernetes.default.svc.cluster.local"</span> <span class="se">\</span> <span class="nv">disable_iss_validation</span><span class="o">=</span><span class="nb">true</span> </code></pre> </div> <ol> <li> <strong>Define a Vault Policy for Access Control (e.g., MongoDB Credentials):</strong> You'll define a Vault policy for controlling access to the MongoDB credentials. This policy ensures that only specific roles can access the sensitive data. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault policy write mongodb - <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> path "secret/data/mongodb" { capabilities = ["read"] } </span><span class="no">EOF </span></code></pre> </div> <ol> <li> <strong>Create a Role for Kubernetes Authentication</strong> This role links the Kubernetes Service Account (<code>vault-mongodb-access</code> in the <code>app-ns</code> namespace) to the <code>mongodb</code> policy, allowing pods with this Service Account to read MongoDB credentials. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault write auth/kubernetes/role/mongodb-role <span class="se">\</span> <span class="nv">bound_service_account_names</span><span class="o">=</span><span class="s2">"vault-mongodb-access"</span> <span class="se">\</span> <span class="nv">bound_service_account_namespaces</span><span class="o">=</span><span class="s2">"app-ns"</span> <span class="se">\</span> <span class="nv">policies</span><span class="o">=</span><span class="s2">"mongodb"</span> <span class="se">\</span> <span class="nv">ttl</span><span class="o">=</span><span class="s2">"24h"</span> </code></pre> </div> <p>Now, your application pods running with the <code>vault-app-access</code> Service Account in the <code>app-ns</code> namespace can authenticate to Vault using the Kubernetes Auth method and retrieve the MongoDB credentials defined in the <code>mongodb</code> policy. You would typically use a Vault client library within your application to perform this authentication and secret retrieval.</p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7opvt80xbnzrqowwc4xp.png" alt="Image description" width="800" height="357"> </h2> <h2> Step 7: Monitoring with Prometheus &amp; Grafana </h2> <p>Implementing monitoring is crucial for gaining visibility into your application's performance and the health of your Kubernetes cluster. Prometheus will collect metrics, and Grafana will provide insightful visualizations through dashboards.</p> <p>You can find comprehensive configuration files for Prometheus and Grafana in the <code>monitoring/</code> folder of the example GitOps repository.</p> <h3> Exposing Application Metrics with ServiceMonitor </h3> <p>To enable Prometheus to scrape metrics from your Node.js application, you need to expose a <code>/metrics</code> endpoint and define a ServiceMonitor resource in Kubernetes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">monitoring.coreos.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceMonitor</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nodejs-app-monitor</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">monitoring</span> <span class="c1"># Ensure Prometheus is in the 'monitoring' namespace</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">release</span><span class="pi">:</span> <span class="s">prometheus</span> <span class="c1"># Label selector for Prometheus</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3001"</span> <span class="c1"># The port your application exposes metrics on</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/metrics</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">namespaceSelector</span><span class="pi">:</span> <span class="na">matchNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-ns</span> <span class="c1"># Monitor services in your application namespace</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nodejs-app</span> <span class="c1"># Select the service for your Node.js application</span> </code></pre> </div> <p>Apply this manifest to your Kubernetes cluster.</p> <p>This connects Prometheus to your app's <code>/metrics</code> endpoint on port 3001</p> <h3> Prometheus Setup with RBAC &amp; ConfigMap </h3> <p>Prometheus needs specific permissions to discover and scrape metrics. The configuration is typically defined in a ConfigMap. The example <code>prometheus.yml</code> in the GitOps repository demonstrates how to configure Prometheus to scrape metrics from Kubernetes pods based on labels:</p> <p>Here's a snippet from the <code>prometheus.yml</code> ConfigMap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prometheus-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">monitoring</span> <span class="na">data</span><span class="pi">:</span> <span class="na">prometheus.yml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">global:</span> <span class="s">scrape_interval: 15s</span> <span class="s">scrape_configs:</span> <span class="s">- job_name: 'nodejs-app'</span> <span class="s">kubernetes_sd_configs:</span> <span class="s">- role: pod</span> <span class="s">relabel_configs:</span> <span class="s">- source_labels: [__meta_kubernetes_pod_label_app]</span> <span class="s">action: keep</span> <span class="s">regex: nodejs-app</span> </code></pre> </div> <p>You can extend this config to monitor:</p> <ul> <li>Kubernetes API servers</li> <li>Node Exporters</li> <li>kube-state-metrics</li> </ul> <p>Prometheus is also granted access via ServiceAccount, ClusterRole, and ClusterRoleBinding defined in the same GitOps folder.</p> <h3> Deploying Grafana and Accessing Dashboards </h3> <p>Grafana provides a user-friendly interface for visualizing the metrics collected by Prometheus. Deploy Grafana to your Kubernetes cluster (refer to the example GitOps repository for the Deployment and Service manifests).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">grafana-deployment</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">monitoring</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">grafana</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">grafana</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">grafana</span> <span class="na">image</span><span class="pi">:</span> <span class="s">grafana/grafana</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <p>You can access Grafana by port-forwarding the Grafana service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl port-forward svc/grafana-service <span class="nt">-n</span> monitoring 3000:3000 </code></pre> </div> <p>Then, open your web browser and navigate to <a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a>. The default login credentials are admin / admin. Change these immediately in a production environment.</p> <p>Once logged in:</p> <ol> <li><p><strong>Add Prometheus as a Data Source:</strong><br> Navigate to Configuration &gt; Data sources.<br> Click Add data source and select Prometheus.<br> In the HTTP Settings section, enter the Prometheus service URL: <code>http://prometheus-service.monitoring.svc:9090</code>.<br> Click Save &amp; test.</p></li> <li> <p><strong>Import Dashboards:</strong><br> Navigate to Create &gt; Import.<br> You can import pre-built dashboards from the Grafana community by entering their ID:</p> <ul> <li>Node.js app metrics: Dashboard ID 1860</li> <li>Kubernetes cluster overview: Dashboard ID 315 or 6417</li> <li>Node Exporter full metrics: Dashboard ID 1860</li> </ul> </li> </ol> <p>Alternatively, you can create your own custom dashboards tailored to your specific monitoring needs.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh72wdxeh2ce8eas84mkn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh72wdxeh2ce8eas84mkn.png" alt="Image description" width="800" height="477"></a></p> <blockquote> <p>Note: You can also deploy the entire Prometheus + Grafana stack using Helm for a quick, modular, and maintainable setup:</p> <pre class="highlight shell"><code>helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update helm <span class="nb">install </span>monitoring prometheus-community/kube-prometheus-stack </code></pre> <p>This installs Prometheus, Grafana, Alertmanager, node-exporter, and more directly into your Kubernetes cluster.</p> </blockquote> <h2> 📚 Glossary </h2> <ul> <li> <strong>CI/CD</strong>: Practices to automate building, testing, and deploying software changes.</li> <li> <strong>DevSecOps</strong>: Integrating security practices into the DevOps lifecycle.</li> <li> <strong>GitOps</strong>: Using Git as the source of truth for infrastructure and deployments.</li> <li> <strong>Jenkins</strong>: Open-source server for managing CI/CD pipelines.</li> <li> <strong>Docker</strong>: Platform for building and running applications in containers.</li> <li> <strong>Trivy</strong>: Vulnerability scanner for containers and repositories.</li> <li> <strong>SonarQube</strong>: Tool for continuous code quality inspection.</li> <li> <strong>ArgoCD</strong>: GitOps tool for Kubernetes continuous delivery.</li> <li> <strong>Vault</strong>: Secret management system for storing sensitive information.</li> <li> <strong>Prometheus</strong>: Monitoring and alerting toolkit for time-series data.</li> <li> <strong>Grafana</strong>: Visualization platform for metrics and logs.</li> <li> <strong>kubectl</strong>: Command-line tool for managing Kubernetes clusters.</li> <li> <strong>Minikube</strong>: Tool for running a local Kubernetes cluster.</li> <li> <strong>Helm</strong>: Package manager for Kubernetes apps.</li> </ul> <p>This tutorial walked you through building a secure, production-grade DevSecOps pipeline using Jenkins, ArgoCD, Trivy, SonarQube, and Vault, creating a foundation for rapid, reliable, and secure software delivery.</p> <p>Remember, security is a continuous journey - keep refining your pipeline and adapting to evolving best practices.</p> <p>I'm committed to continuous improvement. To that end, I plan to:</p> <ul> <li>Add GitHub Actions for CI (to showcase pipeline flexibility)</li> <li>Investigate canary/blue-green deployments (for enhanced release reliability)</li> </ul> <p>Let's work together to make DevOps more secure and accessible. Contributions and discussions are welcome!</p> <p>Reach out with questions or collaboration ideas - or just drop a ⭐️ if you find it useful!</p> <p>GitHub Repositories:<br> 🔗 [App code]: <a href="https://github.com/RihabHaddad/DevSecOps-pipeline" rel="noopener noreferrer">DevSecOps - pipeline</a><br><br> 🔗 [GitOps config]: <a href="https://github.com/RihabHaddad/GitOps" rel="noopener noreferrer">GitOps</a></p> <p>Find me on LinkedIn: <a href="https://www.linkedin.com/in/rihab-haddad/" rel="noopener noreferrer">Rihab Haddad</a> or email [<a href="mailto:rihabhaddad26@gmail.com">rihabhaddad26@gmail.com</a>]</p> devops devsecops cicd security