This project demonstrates a robust DevSecOps CI/CD pipeline for a Java-based application ("BoardGame"). It automates the entire software delivery lifecycle—from infrastructure provisioning to production deployment and monitoring—using industry-standard tools.
The infrastructure is hosted on AWS, provisioned via Terraform, configured using Ansible, and orchestrated by Jenkins. The application is deployed to a Kubernetes cluster with integrated monitoring and security scanning.
| Category | Tools Used |
|---|---|
| Cloud Provider | AWS (EC2, VPC, Security Groups) |
| IaC (Infrastructure as Code) | Terraform |
| Config Management | Ansible |
| CI/CD Orchestration | Jenkins (Declarative Pipeline) |
| Containerization | Docker |
| Orchestration | Kubernetes (Self-managed Cluster with Kubeadm) |
| Build Tool | Maven (JDK 17) |
| Code Quality | SonarQube |
| Security Scanning | Trivy (Filesystem & Image Scan) |
| Artifact Management | Nexus Repository Manager |
| Monitoring | Prometheus & Grafana (Helm Stack) |
We used Terraform to provision 5 AWS EC2 instances and Ansible to configure software dependencies (Java, Docker, Kubeadm, etc.) on them.
The 5 Instances:
- Jenkins Server: The heart of the CI/CD pipeline.
- SonarQube Server: Dedicated server for static code analysis.
- Nexus Server: Centralized artifact repository for storing JARs and dependencies.
- K8s Master Node: Control plane for the Kubernetes cluster.
- K8s Worker Node: Compute node where the application runs.
The pipeline is defined in a Jenkinsfile using Groovy syntax. It implements a "Build Once, Deploy Anywhere" strategy with integrated security gates.
- Git Checkout: Pulls the latest source code from the `main` branch.
- Compile: Compiles the Java source code using Maven.
- Unit Test: Runs unit tests (`mvn test`) to ensure code integrity.
- Trivy FS Scan: Scans the filesystem for vulnerabilities before building (Security First).
- SonarQube Analysis: Performs static analysis to detect bugs, code smells, and vulnerabilities.
- Quality Gate: Stops the pipeline if the code fails the defined quality rules in SonarQube (e.g., coverage < 80%).
- Build: Packages the application into a `.jar` file (`mvn package`).
- Publish to Nexus: Uploads the generated `.jar` to the Nexus Repository for version control.
- Docker Build & Tag: Builds the container image `akbar00/boardgame:latest`.
- Docker Image Scan: Uses Trivy to scan the final Docker image for OS/Library vulnerabilities.
- Push Docker Image: Pushes the secure image to Docker Hub.
- Deploy to Kubernetes:
  - Connects to the K8s Master.
  - Deploys the application to the `webapps` namespace using `deployment-service.yaml`.
  - Updates the deployment with the new image.
- Email Notifications: Automatically sends an email with the build status (Success/Failure) and a link to the console logs.
- Reports: Attaches the Trivy vulnerability report (`trivy-image-report.html`) to the email.
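The stage order above written out as a declarative pipeline, as an added example that is not the project's own Jenkinsfile. The tool names (`jdk17`, `maven3`), the SonarQube server name (`sonar`), the credential IDs (`docker-cred`, `k8s-cred`), the Deployment name (`boardgame`), the recipient address, and a Nexus `distributionManagement` entry in the POM are all assumptions.

```groovy
// Added example, not the project's Jenkinsfile. Tool names, SonarQube server
// name, credential IDs, the Deployment name and the mail recipient are
// assumptions that must match your own Jenkins/Kubernetes configuration.
pipeline {
    agent any
    tools { jdk 'jdk17'; maven 'maven3' }
    environment { IMAGE = 'akbar00/boardgame:latest' }
    stages {
        stage('Git Checkout') { steps { git branch: 'main', url: 'https://github.com/<OWNER>/<REPO>.git' } }
        stage('Compile') { steps { sh 'mvn compile' } }
        stage('Unit Test') { steps { sh 'mvn test' } }
        // Gate 1: fail early on HIGH/CRITICAL findings in source and dependency manifests
        stage('Trivy FS Scan') { steps { sh 'trivy fs --exit-code 1 --severity HIGH,CRITICAL .' } }
        stage('SonarQube Analysis') {
            steps { withSonarQubeEnv('sonar') { sh 'mvn sonar:sonar -Dsonar.projectKey=BoardGame' } }
        }
        // Gate 2: abort when the SonarQube quality gate (e.g. coverage < 80%) fails
        stage('Quality Gate') { steps { timeout(time: 5, unit: 'MINUTES') { waitForQualityGate abortPipeline: true } } }
        stage('Build') { steps { sh 'mvn package -DskipTests' } }
        // Assumes pom.xml distributionManagement points at Nexus and settings.xml holds its credentials
        stage('Publish to Nexus') { steps { sh 'mvn deploy -DskipTests' } }
        stage('Docker Build & Tag') { steps { sh "docker build -t ${IMAGE} ." } }
        // Gate 3: scan the image; the HTML report (template path from the Trivy docs) is mailed below
        stage('Docker Image Scan') {
            steps {
                sh "trivy image --format template --template '@/usr/local/share/trivy/templates/html.tpl' -o trivy-image-report.html ${IMAGE}"
                sh "trivy image --exit-code 1 --severity CRITICAL ${IMAGE}"
            }
        }
        stage('Push Docker Image') {
            steps { withDockerRegistry(credentialsId: 'docker-cred', url: 'https://index.docker.io/v1/') { sh "docker push ${IMAGE}" } }
        }
        stage('Deploy to Kubernetes') {
            steps {
                withKubeConfig(credentialsId: 'k8s-cred', namespace: 'webapps') {
                    sh 'kubectl apply -f deployment-service.yaml'
                    // The tag is fixed to :latest, so pods only pick up the new image after a restart
                    sh 'kubectl rollout restart deployment/boardgame && kubectl rollout status deployment/boardgame'
                }
            }
        }
    }
    post {
        always {
            emailext to: 'team@example.com', subject: "${env.JOB_NAME} #${env.BUILD_NUMBER}: ${currentBuild.currentResult}",
                     body: "Console: ${env.BUILD_URL}console", attachmentsPattern: 'trivy-image-report.html'
        }
    }
}
```

Because the image is always tagged `latest`, the rollout restart only pulls the freshly pushed image if the Deployment sets `imagePullPolicy: Always`; a unique tag per build (e.g. the build number) avoids that dependency.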
We implemented a full observability stack directly on the Kubernetes cluster using Helm.
- Prometheus: Scrapes metrics from the cluster, nodes, and pods.
- Grafana: Visualizes the data with rich dashboards.
- Cluster Monitoring: CPU/Memory usage of Master/Worker nodes.
- Workload Monitoring: Real-time status of the `boardgame` pods.
- Network I/O: Visualizing traffic spikes during load testing.
> *Automated pipeline showing successful execution of all stages from Checkout to Deployment.*
> *Code passed the strict Quality Gate with 0 bugs and 0 vulnerabilities.*
> *Snapshot versions of the application JAR stored securely in Nexus.*
> *Real-time monitoring of Kubernetes cluster resources.*
- Infrastructure:
  ```bash
  cd terraform/
  terraform init
  terraform apply --auto-approve
  ```
- Configuration:
  ```bash
  ansible-playbook -i inventory.ini playbook.yml
  ```
- Deployment:
  - Commit changes to the repository.
  - Jenkins automatically triggers the pipeline.
  - Access the app at `http://<WORKER-NODE-IP>:30005`.
Md Akbar