Skip to content

kovendhan5/SecureDeploy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

66 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SecureDeploy — Automated Azure DevSecOps Pipeline

CI - Build, Test & Scan CD - Deploy to AKS License: MIT


📋 Overview

SecureDeploy is a fully automated, production-ready CI/CD pipeline that builds, scans, and deploys a containerized Python FastAPI application to Azure Kubernetes Service (AKS) — with zero manual steps and zero secrets in code.

This project demonstrates DevSecOps best practices integrated at every stage:

  • Shift-left security with 3 automated scanning tools (GitLeaks, SonarCloud, Trivy)
  • 100% Infrastructure-as-Code using Terraform
  • Automated deployment with GitHub Actions
  • Live monitoring with Prometheus + Grafana on Kubernetes

What This Project Proves to Recruiters

Skill What You See
CI/CD End-to-end pipeline: git push → scan → build → deploy 🚀
Cloud 5 Azure services provisioned and integrated (AKS, ACR, Key Vault, VNet, Storage) ☁️
Security 3 security gates blocking bad code + running as non-root + secrets in vault 🔐
IaC 100% Terraform — all infrastructure versioned and repeatable 📋
Kubernetes Production-ready AKS deployment, rollback, autoscaling, probes 🎯
Observability Real-time monitoring dashboard with RED metrics 📊

🏗️ System Architecture

Developer Push (git commit)
        ↓
GitHub Actions CI Pipeline
  1. GitLeaks Secret Scan ─→ ❌ Blocks if secrets found
  2. Build & Unit Tests ─→ ❌ Blocks if tests fail
  3. SonarCloud SAST ─→ ❌ Blocks on quality gate failure
  4. Trivy Image Scan ─→ ❌ Blocks on HIGH/CRITICAL CVEs
  5. Push to Azure Container Registry
  6. GitHub Actions CD Pipeline
        ↓
Terraform provisions infrastructure
        ↓
kubectl deploys to AKS
  - 2 replicas with liveness/readiness probes
  - Auto-scaling based on CPU/memory
  - Rolling updates with zero downtime
        ↓
Prometheus scrapes metrics
Grafana visualizes in real-time dashboard

🛠️ Tech Stack

Layer Technology Purpose
CI/CD GitHub Actions Automated build & deployment pipeline
Security GitLeaks, SonarCloud, Trivy Secret detection, SAST, container scanning
Container Registry Azure Container Registry Private Docker image storage
Secrets Azure Key Vault Secure secrets at runtime
Infrastructure Terraform + Azure 100% IaC — AKS, VNet, NSG, etc.
Orchestration Kubernetes (AKS) Container orchestration
Monitoring Prometheus + Grafana Metrics collection & visualization
Application Python FastAPI Sample microservice

✨ Key Features

Zero Manual Deployments — Git push triggers full automated pipeline
Security Built-In — 3 scanning tools run on every commit
Infrastructure Repeatable — Destroy and recreate with one command
Kubernetes Production-Ready — Health probes, autoscaling, rolling updates
Cost Optimized — Runs on Azure Student free tier
Fully Documented — Every step explained, ready for learning & interviewing


🚀 Quick Start

Prerequisites

  • Azure Student subscription
  • GitHub account
  • Local tools: az, terraform, kubectl, docker, git

Steps

1. Clone & Setup Infrastructure (Day 1)

git clone https://github.com/kovendhan5/securedeploy.git
cd securedeploy

cd terraform
terraform init
terraform apply

2. Test App Locally (Day 2)

cd app
pip install -r requirements.txt
pytest tests/ -v
python -m uvicorn main:app --reload

3. Configure GitHub Secrets & Deployment (Days 3-7)

# Set these in GitHub repo Settings > Secrets:
ACR_LOGIN_SERVER
ACR_NAME
AKS_RESOURCE_GROUP
AKS_CLUSTER_NAME
AZURE_CREDENTIALS
SONAR_TOKEN

# Then push to main branch — workflow runs automatically!
git push origin main

→ Full Setup Guide — Detailed step-by-step for all 7 days


📊 Pipeline Stages

Stage Tool Success Criteria Fail Action
1. Secret Scan GitLeaks No credentials detected ❌ Block deployment
2. Build & Tests pytest + Docker All tests pass ❌ Block deployment
3. Code Quality SonarCloud Quality gate passes ❌ Block deployment
4. Image Scan Trivy No HIGH/CRITICAL CVEs ❌ Block deployment
5. Push Image ACR Image stored in registry ⏸️ Stop if failed
6. Deploy to AKS kubectl Pods healthy & ready ⏮️ Rollback if failed
7. Smoke Test curl GET /health returns 200 ⏮️ Rollback if failed

📁 Project Structure

securedeploy/
├── .github/workflows/
│   ├── ci.yml                    # Build, test, scan pipeline
│   └── cd.yml                    # Deploy to AKS pipeline
├── app/
│   ├── main.py                   # FastAPI application
│   ├── Dockerfile                # Container image
│   ├── requirements.txt          # Python dependencies
│   └── tests/test_main.py        # Unit tests
├── terraform/                    # Infrastructure code
│   ├── main.tf                   # Root module
│   ├── backend.tf                # Remote state config
│   └── modules/
│       ├── aks/                  # AKS cluster module
│       ├── acr/                  # Container registry module
│       ├── keyvault/             # Secrets management module
│       └── network/              # VNet & networking module
├── k8s/                          # Kubernetes manifests
│   ├── deployment.yaml           # App deployment
│   ├── service.yaml              # LoadBalancer service
│   ├── hpa.yaml                  # Auto-scaling policy
│   └── networkpolicy.yaml        # Network access rules
├── monitoring/                   # Observability
│   ├── prometheus-values.yaml    # Prometheus/Grafana Helm config
│   ├── servicemonitor.yaml       # Prometheus metrics target
│   └── prometheusrule.yaml       # Alert rules
├── .gitleaks.toml                # Secret detection config
├── sonar-project.properties      # Code quality config
├── .trivyignore                  # CVE exceptions
├── SETUP.md                      # Step-by-step setup guide
└── README.md                     # This file

🔐 Security

Security Status:VERIFIED & APPROVED
Security Score: 95/100

This project implements enterprise-grade DevSecOps practices:

  • 🚫 Zero secrets in code — All credentials managed securely
  • 🔍 Shift-left security — Scans at every pipeline stage
  • 🔒 Container hardened — Non-root, read-only filesystem
  • 🛡️ RBAC enforced — Managed identities, principle of least privilege
  • Monitoring active — Real-time alerts and metrics

→ View Complete Security Audit (start here for security details)

Shift-Left Security Model

Code → [GitLeaks] → [Build & Tests] → [SonarCloud] → [Trivy] → Registry → [Deploy] → [Monitoring]
         ↓ Secrets      ↓ Failures        ↓ Issues        ↓ CVEs     ✓ Clean
      BLOCKED         BLOCKED          BLOCKED        BLOCKED    Image

Zero Secrets in Code

  • ✅ No .env files in repository
  • ✅ No hardcoded credentials
  • ✅ All secrets retrieved from Azure Key Vault at runtime
  • ✅ GitLeaks runs on every commit to catch leaks

Container Security

  • ✅ Runs as non-root user (UID 1000)
  • ✅ Read-only root filesystem
  • ✅ No privileged capabilities
  • ✅ Trivy scans every build for CVEs

🎯 Deployment & Autoscaling

Kubernetes Features:

  • 2 pod replicas (minimum) for high availability
  • Automatic scaling: 2-6 replicas based on CPU (>70%) / Memory (>80%)
  • Rolling updates: 0 downtime deployments
  • Health probes: Liveness (restart if dead) & Readiness (remove from load balancer)
  • Automatic rollback: Previous version restored if new version fails

📊 Monitoring & Observability

Metrics Collected

  • Request Rate (req/sec)
  • Error Rate (%)
  • Response Duration (latency)
  • Pod CPU/Memory usage
  • Node health status

Grafana Dashboard

Access via: kubectl port-forward svc/prometheus-grafana 3000:80
Login: admin / admin123


💰 Cost Optimization for Azure Student Tier

Current Monthly Estimate

  • AKS Cluster: ~$15 (Standard_B2s × 2 nodes)
  • ACR: ~$5 (Basic SKU)
  • Storage: ~$1
  • Other: ~$4
  • Total: < $30/month

Cost Saving Tips

  1. Destroy infrastructure at night: terraform destroy
  2. Use Standard_B2s (cheapest VM type)
  3. Monitor costs daily in Azure Portal
  4. Delete unused images from ACR

🧪 Testing & Validation

Run Locally

# Start app
cd app
python -m uvicorn main:app --reload

# In another terminal, test endpoints
curl http://localhost:8000/
curl http://localhost:8000/health
curl http://localhost:8000/metrics

Run Tests

cd app
pip install -r requirements.txt pytest
pytest tests/ -v --cov

Build Docker Image

cd app
docker build -t securedeploy:v1 .
docker run -p 8000:8000 securedeploy:v1

📝 Detailed Documentation

  • SETUP.md — Complete day-by-day setup guide
  • SecureDeploy_PRD.md — Full product requirements document
  • SECURITY_AUDIT.md — Security review & controls verification
  • PRE_DEPLOYMENT_CHECKLIST.md — Pre-deployment security checklist
  • Terraform Modules — Self-documented with comments within terraform/modules/
  • GitHub Actions — Inline documentation in .github/workflows/ci.yml and cd.yml

🎓 Learning Outcomes

After completing this project, you'll understand:

  • ✅ How to build production CI/CD pipelines
  • ✅ How to implement shift-left security (scanning at build time)
  • ✅ How to provision cloud infrastructure with Terraform
  • ✅ How to deploy to Kubernetes with zero downtime
  • ✅ How to monitor applications with Prometheus + Grafana
  • ✅ How to manage secrets securely in the cloud

👨‍💻 Author

Kovendhan P.
Aspiring Cloud & DevOps Engineer


📜 License

This project is licensed under the MIT License — see LICENSE file for details.


About

SecureDeploy is a fully automated, production-ready CI/CD pipeline that builds, scans, and deploys a containerized Python FastAPI application to Azure Kubernetes Service (AKS) — with zero manual steps and zero secrets in code.

Resources

License

Stars

Watchers

Forks

Packages

 
 
 

Contributors