Skip to content

mck21/devsecops-platform

Repository files navigation

DevSecOps Platform

Kubernetes Terraform GitHub Actions ArgoCD

Istio SonarQube Prometheus Grafana Loki

Production-grade DevSecOps platform on AWS using Kubernetes, Terraform, GitHub Actions, ArgoCD, Istio, SonarQube, Prometheus, Grafana and Loki.

The application is a Feature Flag Service — manage feature toggles per environment with Redis-cached reads and PostgreSQL audit logging. Similar to LaunchDarkly or Unleash, it serves as the demo workload for the full DevSecOps pipeline.

Want to build this yourself? Follow the Step-by-Step Guide — a full walkthrough from empty AWS account to working GitOps pipeline, illustrated with evidence captured while this pipeline ran live.

For AI agents: start with AGENTS.md and STATUS.md. Deploy issues: TROUBLESHOOTING.md.


Project Status

Phase Focus Status
1 AWS Infrastructure (Terraform) Done
2 Kubernetes base (Minikube + Istio) Done
3 Feature Flag Service + K8s manifests Done
4 CI Pipeline (GitHub Actions, SonarCloud, ECR) Done
5 CD Pipeline & GitOps (ArgoCD, staging-first) Done — validated on staging EKS
6 Security hardening (Kyverno, Cosign, NetworkPolicy, External Secrets) Done
7 Monitoring & SRE (Prometheus, Grafana, Loki, SLOs) Done
8 DR & resilience (Velero, k6) Done
9 Docs, ADRs, cost Done

All phases are complete. The pipeline was validated live on staging EKS — evidence is in images/phase-N/. The AWS environment has since been decommissioned; staging was the only counted runtime, and production remains a Git mirror that stays off. Full tracker: STATUS.md · Roadmap: PLAN.md


Local Development

The same application can run in two independent ways. They are alternatives, not layers — pick one per session and do not run both at once (they compete for ports 3000, 5432, and 6379).

Mode What runs Best for
Docker Compose Three containers on your machine: postgres, redis, backend Day-to-day API work, quick smoke tests, no Kubernetes needed
Minikube (Kubernetes) Pods inside a local K8s cluster: postgres, redis, backend (+ Istio sidecar, HPA) Testing k8s/ manifests, Istio, HPA, and the Phase 3 deploy path

kubectl does not run pods itself — it is the CLI that talks to the cluster. Minikube is the local Kubernetes cluster; pods live inside it.

When to use Docker Compose

  • Developing or debugging the NestJS API
  • Running integration tests against a full stack without K8s overhead
  • You only need curl http://localhost:3000/health and do not care about manifests
docker compose up --build          # start
curl http://localhost:3000/health
docker compose down                # stop (add -v to remove DB volumes)

Containers use restart: unless-stopped, so they may come back after a reboot if Docker Desktop is still running.

When to use Minikube (Kubernetes)

  • Validating Kustomize overlays under k8s/overlays/dev/
  • Testing Istio sidecar injection, TCP routing, HPA, ResourceQuota, etc.
  • Reproducing the deployment model used before EKS (staging/production)

Prerequisites: Minikube running, Istio injection enabled on the dev namespace. Full steps and gotchas: k8s/README.md.

minikube start                                                     # once, or after minikube stop
kubectl apply -f k8s/namespaces/namespaces.yaml
docker build -t backend:latest ./app/backend
minikube image load backend:latest
kubectl apply -k k8s/overlays/dev
kubectl get pods -n dev
kubectl port-forward svc/backend -n dev 3000:80                    # separate terminal
curl http://localhost:3000/health

To tear down:

kubectl delete -k k8s/overlays/dev   # remove dev resources from the cluster
minikube stop                        # shut down the entire local cluster

Optional: backend on the host (hot reload)

For the fastest edit-run loop, run only postgres and redis via Compose (or install them locally), then start the API with Bun:

docker compose up postgres redis -d
cd app/backend && bun run start:dev

See app/backend/README.md for .env and Prisma setup.


Architecture

flowchart LR
    dev[Developer] -->|git push| GH[GitHub]
    GH -->|CI: lint, test, Sonar, Trivy, build, sign| ECR[(ECR)]
    GH -->|CD: GitOps bump| GH
    subgraph AWS[AWS - staging EKS]
      ArgoCD -->|sync| ns[staging namespace]
      ns --> bg[Blue/Green Deployments]
      bg --> istio[Istio VirtualService]
      bg --> pg[(PostgreSQL)]
      bg --> redis[(Redis cache)]
      ECR -.image.-> bg
      kyverno[Kyverno admission] -. verify .-> bg
      prom[Prometheus] --> graf[Grafana]
      bg -.metrics.-> prom
    end
    ArgoCD -. watches .-> GH
Loading

Detailed diagrams (AWS infra, CI/CD flow, Kubernetes layout) and rationale: docs/architecture.md. Decision records: docs/adr/.


Tech Stack

Layer Tool
Application NestJS 11, Bun, TypeScript, Prisma 7
Data PostgreSQL, Redis
Cloud AWS (account 125156866917)
IaC Terraform
Containers Docker
Orchestration Kubernetes (Minikube dev / EKS staging+prod)
CI/CD GitHub Actions (Phase 4)
GitOps ArgoCD (Phase 5)
Service Mesh Istio
Code Quality SonarCloud
Security Trivy, Checkov, Gitleaks, Cosign (Phases 4–6)
Monitoring Prometheus, Grafana, Loki (Phase 7)

Repository Structure

app/backend/       NestJS Feature Flag API
infrastructure/    Terraform modules and environments
k8s/               Kustomize manifests (base + overlays)
images/phase-N/    Screenshot evidence per phase
docs/              Full documentation (Phase 9)

Documentation

Start here → Step-by-Step Guide — rebuild the whole platform phase by phase, with real evidence at every step.

Guides & concepts

Topic Doc
Build it yourself (with screenshots) docs/step-by-step.md
Architecture & diagrams docs/architecture.md · docs/diagrams/
Deployment quick reference (Minikube + EKS) docs/deployment-guide.md · k8s/README.md
Security hardening docs/security.md
Monitoring & observability docs/monitoring.md · monitoring/README.md
SRE — SLI/SLO/error budget docs/sre.md
SonarCloud quality gate docs/sonarqube.md
Cost estimates docs/cost.md
Architecture Decision Records docs/adr/

Runbooks

Topic Doc
Disaster recovery docs/disaster-recovery.md
Resilience testing docs/resilience-testing.md
Staging-only showcase (re-lift the runtime) docs/showcase-staging-only.md
Production promotion (reference — off) docs/cd-production-promotion.md
EKS staging bootstrap k8s/argocd/install-notes.md
Troubleshooting (Istio, Prisma, Minikube, CD) TROUBLESHOOTING.md

Project meta

Topic Doc
Phase tracker STATUS.md
Original roadmap (historical) PLAN.md
AI agent entry point AGENTS.md
Contributing CONTRIBUTE.md
Backend internals app/backend/README.md
Evidence screenshots images/phase-N/ per phase

Contributing

See CONTRIBUTE.md for branch strategy, commit conventions, and PR workflow.


License

MIT

About

Production-grade DevSecOps platform on AWS with GitOps CI/CD and a Feature Flag microservice.

Resources

Security policy

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors