Netflix Clone — DevSecOps

Mallesh Naik
6 min read, Jan 10, 2024


Deploy Netflix Clone on AWS Cloud using DevSecOps Methodology.

Phase 1: Initial Setup and Deployment

Step 1: Launch EC2 (Ubuntu 22.04):

Start by provisioning an EC2 instance on AWS with Ubuntu 22.04 and connect to it using SSH.

# Replace <your-key.pem> and <your-ec2-ip> with your actual key and EC2 IP
ssh -i <your-key.pem> ubuntu@<your-ec2-ip>

Step 2: Clone the Code:

Update packages and clone the project code.

sudo apt-get update
git clone https://github.com/N4si/DevSecOps-Project.git
cd DevSecOps-Project

Step 3: Install Docker and Run the App Using a Container:

Set up Docker on the EC2 instance. Adding your user to the docker group is all that is needed to run docker without sudo; do not chmod 777 /var/run/docker.sock, even though many walkthroughs do. The socket is root-equivalent (anyone who can write to it can start a container with the host filesystem mounted), so making it world-writable hands root to every local account and process on the host, which is the opposite of what a DevSecOps setup is meant to achieve.

sudo apt-get install docker.io -y
sudo usermod -aG docker $USER
newgrp docker   # or log out and back in so the new group membership takes effect
docker build -t netflix .
docker run -d --name netflix -p 8081:80 netflix:latest
# To delete the container and the image
# docker stop netflix && docker rm netflix
# docker rmi -f netflix
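As an added example (not from the original post or the N4si project), here is a small POSIX shell check that audits the Docker socket's mode and refuses a world-writable socket, which is the state a chmod 777 leaves behind. It reads the permission string from ls -ld so it runs on any Linux host; the socket path is an assumption that defaults to /var/run/docker.sock, and the fix it prints (mode 660, group docker) is the docker.io package default.

```shell
#!/bin/sh
# Added example, not part of the original post or the N4si project.
# A world-writable /var/run/docker.sock lets any local user run
#   docker run -v /:/host ... and become root on the EC2 host,
# so a hardening check should refuse that mode.

# socket_world_writable PATH -> 0 if "others" have write permission, 1 otherwise
socket_world_writable() {
  # First field of `ls -ld` is the mode string, e.g. srw-rw---- (char 9 = others-write)
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    ????????w?) return 0 ;;
    *)          return 1 ;;
  esac
}

# audit_docker_socket [PATH] -> 0 OK, 1 world-writable, 2 missing
# PATH defaults to the daemon's default socket (assumption: stock docker.io package).
audit_docker_socket() {
  sock=${1:-/var/run/docker.sock}
  if [ ! -e "$sock" ]; then
    echo "SKIP: no socket at $sock"
    return 2
  fi
  if socket_world_writable "$sock"; then
    echo "FAIL: $sock is world-writable; restore the package default with:"
    echo "      sudo chmod 660 $sock && sudo chgrp docker $sock"
    return 1
  fi
  echo "OK: $sock is not world-writable (use the docker group instead of chmod 777)"
  return 0
}

# When executed directly as audit_docker_socket.sh, audit the socket given on
# the command line (or the default); when sourced, only the functions are defined.
case "$0" in
  *audit_docker_socket.sh) audit_docker_socket "$@" ;;
esac
```

Run it as sh audit_docker_socket.sh after the Docker install and again after the Jenkins install; the jenkins user should get access through the docker group, not through a looser socket mode.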

Step 4: Get the API Key:

Obtain an API key from TMDB (The Movie Database).

  • Visit TMDB website, log in, and go to your profile settings.
  • Select “API” from the left panel, create a new API key, and note it down.

Now rebuild the Docker image with your API key. Be aware that a --build-arg value is recorded in the image metadata and shows up in docker history for anyone who pulls the image, and the command line lands in your shell history; treat this TMDB key as a low-privilege key that you can rotate, and do not reuse this pattern for real secrets.

docker build --build-arg TMDB_V3_API_KEY=<your-api-key> -t netflix .

Phase 2: Security

Install SonarQube and Trivy:

Install SonarQube for static code analysis and Trivy for vulnerability scanning. Both listen on ports that should be reachable only from where you need them (your own IP and Jenkins), not from 0.0.0.0/0 in the security group.

docker run -d --name sonar -p 9000:9000 sonarqube:lts-community
# Access SonarQube at: http://publicIP:9000 (default credentials: admin/admin; change the password on first login)

# Install Trivy (apt-key is deprecated on Ubuntu 22.04, so the repository key goes into a dedicated keyring)
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy

# Scan the Docker image using Trivy (by tag or by image ID)
trivy image netflix:latest
# Return a non-zero exit code when HIGH/CRITICAL findings are present, which is what a pipeline stage needs
trivy image --exit-code 1 --severity HIGH,CRITICAL netflix:latest

Integrate SonarQube and Configure:

Integrate SonarQube with your CI/CD pipeline and configure it for code analysis; the Jenkins side of this (scanner tool, server entry and token) is set up in Phase 3.

Phase 3: CI/CD Setup

Install Jenkins for Automation:

Install Jenkins on the EC2 instance for automation.

# Install Java
sudo apt update
sudo apt install fontconfig openjdk-17-jre
java -version

# Install Jenkins
sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update
sudo apt-get install jenkins
sudo systemctl start jenkins
sudo systemctl enable jenkins
# Access Jenkins at: http://publicIp:8080

# Install Necessary Plugins
# Manage Jenkins → Plugins → Available Plugins
# Install:
# 1. Eclipse Temurin Installer
# 2. SonarQube Scanner
# 3. NodeJs Plugin
# 4. Email Extension Plugin

# Configure Java and Nodejs in Global Tool Configuration
# Manage Jenkins → Tools → Install JDK(17) named "jdk17" and NodeJs(16) named "node16" → Click on Apply and Save
# (the tool names are what the Jenkinsfile's tools {} block refers to; also add a SonarQube Scanner installation named "sonar-scanner")

# SonarQube
# In SonarQube, generate a user token (My Account → Security), then in Jenkins Dashboard → Manage Jenkins → Credentials → Add Secret Text and store it with the ID "Sonar-token"
# Manage Jenkins → System → SonarQube servers: add a server named "sonar-server" with the SonarQube URL and the "Sonar-token" credential

Create a Jenkins pipeline:

// Jenkinsfile

pipeline {
    agent any
    tools {
        jdk 'jdk17'
        nodejs 'node16'
    }
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
    }
    stages {
        stage('clean workspace') {
            steps {
                cleanWs()
            }
        }
        stage('Checkout from Git') {
            steps {
                git branch: 'main', url: 'https://github.com/relaxms/DevSecOps-Project.git'
            }
        }
        stage("Sonarqube Analysis") {
            steps {
                withSonarQubeEnv('sonar-server') {
                    sh '''$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=Netflix \
                        -Dsonar.projectKey=Netflix'''
                }
            }
        }
        stage("quality gate") {
            steps {
                script {
                    waitForQualityGate abortPipeline: false, credentialsId: 'Sonar-token'
                }
            }
        }
        stage('Install Dependencies') {
            steps {
                sh "npm install"
            }
        }
        // Continue with other stages (Dependency-Check, Trivy, Docker Build, etc.)
    }
}

Install Dependency-Check and Docker Tools in Jenkins:

Install Dependency-Check Plugin:

  • Dashboard → Manage Jenkins → Manage Plugins
  • Install “OWASP Dependency-Check”
  • Configure the tool in Global Tool Configuration with the name “DP-Check”, which is what the pipeline's odcInstallation refers to

Install Docker Tools and Docker Plugins:

  • Dashboard → Manage Jenkins → Manage Plugins
  • Install Docker-related plugins: Docker, Docker Commons, Docker Pipeline, Docker API, docker-build-step
  • Add DockerHub credentials (username plus an access token rather than your account password) in Jenkins → Manage Jenkins → Manage Credentials with the ID “docker”, which the pipeline's withDockerRegistry uses
  • Give the jenkins user access to the Docker daemon through the docker group (sudo usermod -aG docker jenkins, then restart Jenkins) instead of loosening the socket permissions

Continue with the Jenkins pipeline configuration.

Phase 4: Monitoring

Install Prometheus and Grafana:

Prometheus:

# Install Prometheus
wget https://github.com/prometheus/prometheus/releases/download/v2.47.1/prometheus-2.47.1.linux-amd64.tar.gz
tar -xvf prometheus-2.47.1.linux-amd64.tar.gz
cd prometheus-2.47.1.linux-amd64/
# Create a dedicated, non-login system user so Prometheus does not run as root (the chown below needs it to exist)
sudo useradd --system --no-create-home --shell /bin/false prometheus
sudo mkdir -p /data /etc/prometheus
sudo mv prometheus promtool /usr/local/bin/
sudo mv consoles/ console_libraries/ /etc/prometheus/
sudo mv prometheus.yml /etc/prometheus/prometheus.yml
sudo chown -R prometheus:prometheus /etc/prometheus/ /data/

# Create a systemd unit configuration file for Prometheus
sudo nano /etc/systemd/system/prometheus.service

Add the following content to prometheus.service. Note that it listens on all interfaces and enables the lifecycle API (unauthenticated /-/reload and /-/quit endpoints), so port 9090 must be restricted to your own IP in the security group rather than opened to the internet:

[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target

StartLimitIntervalSec=500
StartLimitBurst=5

[Service]
User=prometheus
Group=prometheus
Type=simple
Restart=on-failure
RestartSec=5s
ExecStart=/usr/local/bin/prometheus \
--config.file=/etc/prometheus/prometheus.yml \
--storage.tsdb.path=/data \
--web.console.templates=/etc/prometheus/consoles \
--web.console.libraries=/etc/prometheus/console_libraries \
--web.listen-address=0.0.0.0:9090 \
--web.enable-lifecycle

[Install]
WantedBy=multi-user.target

Enable, start and Verify Prometheus:

sudo systemctl enable prometheus
sudo systemctl start prometheus
sudo systemctl status prometheus

Access Prometheus at: http://<your-prometheus-ip>:9090

Node Exporter:

Install Node Exporter the same way as Prometheus above (download the node_exporter release, move the binary to /usr/local/bin, create a dedicated system user and a systemd unit running as that user). It serves metrics on port 9100, which is the target the scrape configuration below points at.

Configure Prometheus Plugin Integration:

Modify the prometheus.yml file to scrape metrics from Node Exporter and Jenkins. Jenkins exposes the /prometheus path once the Prometheus metrics plugin is installed. Example configuration:

global:
  scrape_interval: 15s

scrape_configs:
  - job_name: 'node_exporter'
    static_configs:
      - targets: ['localhost:9100']

  - job_name: 'jenkins'
    metrics_path: '/prometheus'
    static_configs:
      - targets: ['<your-jenkins-ip>:<your-jenkins-port>']

Check the validity of the configuration file:

promtool check config /etc/prometheus/prometheus.yml

Reload the Prometheus configuration without restarting (this works because the unit file passes --web.enable-lifecycle; the endpoint has no authentication, so it must only be reachable from localhost or your own IP):

curl -X POST http://localhost:9090/-/reload

Access Prometheus targets at: http://<your-prometheus-ip>:9090/targets

Grafana:

Install Grafana

Enable, Start and verify status of Grafana.

# Install Grafana (apt-key is deprecated on Ubuntu 22.04, so the repository key goes into a dedicated keyring)
sudo apt-get install -y apt-transport-https software-properties-common wget
sudo mkdir -p /etc/apt/keyrings
wget -q -O - https://packages.grafana.com/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://packages.grafana.com/oss/deb stable main" | sudo tee /etc/apt/sources.list.d/grafana.list
sudo apt-get update
sudo apt-get -y install grafana
sudo systemctl enable grafana-server
sudo systemctl start grafana-server
sudo systemctl status grafana-server

Access Grafana at: http://<your-server-ip>:3000

  • Default username: admin
  • Default password: admin

Change the default password upon login.

Add Prometheus as a data source (type Prometheus, URL http://localhost:9090 when Grafana runs on the same host as Prometheus):

Import a pre-configured dashboard (for example a Node Exporter dashboard from the Grafana dashboard library) or create your own visualizations.

Phase 5: Notification

Implement Notification Services:

Set up email notifications in Jenkins or other notification mechanisms.

Full Jenkins Pipeline Code:

Here is the complete Jenkins pipeline code integrating the previous phases:

pipeline {
    agent any
    tools {
        jdk 'jdk17'
        nodejs 'node16'
    }
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
    }
    stages {
        stage('clean workspace') {
            steps {
                cleanWs()
            }
        }
        stage('Checkout from Git') {
            steps {
                git branch: 'main', url: 'https://github.com/relaxms/DevSecOps-Project.git'
            }
        }
        stage("Sonarqube Analysis") {
            steps {
                withSonarQubeEnv('sonar-server') {
                    sh '''$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=Netflix \
                        -Dsonar.projectKey=Netflix'''
                }
            }
        }
        stage("quality gate") {
            steps {
                script {
                    waitForQualityGate abortPipeline: false, credentialsId: 'Sonar-token'
                }
            }
        }
        stage('Install Dependencies') {
            steps {
                sh "npm install"
            }
        }
        stage('OWASP Dependency-Check') {
            steps {
                dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit', odcInstallation: 'DP-Check'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage('Trivy FS Scan') {
            steps {
                sh "trivy fs . > trivyfs.txt"
            }
        }
        stage("Docker Build & Push") {
            steps {
                script {
                    withDockerRegistry(credentialsId: 'docker', toolName: 'docker') {
                        sh "docker build --build-arg TMDB_V3_API_KEY=<yourapikey> -t netflix ."
                        sh "docker tag netflix relaxms/netflix:latest"
                        sh "docker push relaxms/netflix:latest"
                    }
                }
            }
        }
        stage("Trivy Image Scan") {
            steps {
                sh "trivy image relaxms/netflix:latest > trivyimage.txt"
            }
        }
        stage('Deploy to Container') {
            steps {
                // Remove the previous deployment first; otherwise the second build fails on the container name
                sh 'docker rm -f netflix || true'
                sh 'docker run -d --name netflix -p 8081:80 relaxms/netflix:latest'
            }
        }
    }
}

Make sure to replace placeholders like <your-jenkins-ip>, <your-prometheus-ip>, and <yourapikey> with your actual values. Do not paste the real TMDB key into the Jenkinsfile, though: anything in that file is committed to the repository, and sh steps echo their command line into the build log. Store the key as a Secret text credential in Jenkins and bind it in the build stage with withCredentials, passing the bound variable to --build-arg.

This pipeline includes stages for SonarQube analysis, quality gate, dependency-check, Trivy scans, Docker build and push, and deployment to a container. As written it reports rather than enforces: the quality gate uses abortPipeline: false, and both Trivy stages redirect their output to a file and exit 0 whatever they find, so a failed gate or a critical CVE still produces a green build and a deployed container. Once the baseline is clean, switch abortPipeline to true and make the Trivy stages fail on findings. Adjust the rest based on your project's specific needs and configurations.
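The Trivy stages above, like the trivy image command in Phase 2, never fail the build. Trivy's own --exit-code 1 --severity HIGH,CRITICAL flags are the simplest fix; the POSIX shell gate below, an added example that is not part of the original post or the N4si project, applies the same policy to a JSON report (produced with trivy image --format json -o trivyimage.json <image>, or trivy fs --format json) so that the counts are logged and the HIGH threshold can be tuned while the baseline is being cleaned up. The report it embeds is constructed, with placeholder vulnerability IDs, not a real scan of the Netflix image.

```shell
#!/bin/sh
# Added example, not part of the original post or the N4si project.
# Gate a Jenkins stage on a Trivy JSON report: fail when CRITICAL findings
# exist or HIGH findings exceed an allowance. Produce the report with
#   trivy image --format json -o trivyimage.json relaxms/netflix:latest
# and call  trivy_gate trivyimage.json  from the stage's sh step.

# count_severity REPORT SEVERITY -> number of findings at that severity
count_severity() {
  # Every Trivy finding carries a "Severity" key; counting the key avoids needing jq.
  grep -o "\"Severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# trivy_gate REPORT [MAX_HIGH] -> 0 if the policy passes, 1 otherwise.
# Policy: zero CRITICAL findings, at most MAX_HIGH (default 0) HIGH findings.
trivy_gate() {
  report=$1
  max_high=${2:-0}
  crit=$(count_severity "$report" CRITICAL)
  high=$(count_severity "$report" HIGH)
  echo "trivy gate on $report: CRITICAL=$crit HIGH=$high (allowed HIGH: $max_high)"
  if [ "$crit" -gt 0 ] || [ "$high" -gt "$max_high" ]; then
    echo "FAIL: vulnerability policy violated"
    return 1
  fi
  echo "PASS"
  return 0
}

# write_sample_report PATH -> writes a constructed, Trivy-shaped report
# (placeholder IDs and package names, not real CVEs or a real scan)
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "SchemaVersion": 2,
  "ArtifactName": "netflix:latest",
  "Results": [
    {
      "Target": "netflix:latest (os packages)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-lib", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-tool", "Severity": "MEDIUM"}
      ]
    }
  ]
}
EOF
}

# When executed directly as trivy_gate.sh, demonstrate on the constructed report
# (which must fail the gate); when sourced, only the functions are defined.
case "$0" in
  *trivy_gate.sh)
    tmp=$(mktemp)
    write_sample_report "$tmp"
    trivy_gate "$tmp"
    rm -f "$tmp"
    ;;
esac
```

In the pipeline, a stage such as sh 'trivy image --format json -o trivyimage.json relaxms/netflix:latest && sh trivy_gate.sh trivyimage.json' (with the script committed to the repository) aborts the build on a policy violation, because a non-zero exit from sh fails the stage; the text report the original stages produce can still be written alongside for the archive.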

Summary

This DevSecOps project automates deployment with Jenkins and Docker: SonarQube checks code quality, OWASP Dependency-Check and Trivy scan the dependencies, the source tree and the built image for known vulnerabilities, and Prometheus with Grafana provides monitoring of the host and of Jenkins itself. Containers give consistent application delivery, and the DockerHub and SonarQube credentials live in the Jenkins credential store rather than in the pipeline. Two things to tighten before treating this as production-grade: make the quality gate and the Trivy scans fail the build, and move the TMDB key out of the Jenkinsfile into a Jenkins credential. Overall, the project integrates these tools into one pipeline, with Git as the shared version control, for efficient, secure, and collaborative software development.
