Muthucholan S
Apr 7, 2024

Part 1: Executing DevSecOps Strategies: Launching a Replica of Netflix Application on Amazon Web Services Elastic Kubernetes Service

Initiating a clone of Netflix-like application on Amazon Web Services’ Elastic Kubernetes Service (AWS EKS) demands more than merely executing code; it requires fostering a culture that prioritizes security, teamwork, and innovation. We will delve into the nuances of DevSecOps and employ advanced tools to develop, safeguard, and deploy an efficient application.

Our venture begins with Jenkins, which serves as the cornerstone for our continuous integration pipeline. We utilize Docker for application containerization and DockerHub as our storage repository. Sonarqube is deployed to perform in-depth code analysis to guarantee essential security. To protect our containers against potential threats and ensure deployment reliability, we rely on our vigilant vulnerability scanner, Trivy.

By harnessing the capabilities of Prometheus and Grafana, we achieve real-time monitoring and visualization, which provides insights into the health of our AWS EKS cluster, EC2 Servers, and Jenkins pipeline. We employ Helm, a package manager for Kubernetes, to mitigate deployment challenges. In conjunction, with our continuous delivery mechanism, ArgoCD, and Helm work together to enhance and structure our deployment process efficiently.

Cloud security is paramount, and AWS EKS provides a scalable, sturdy foundation for our application modeled after Netflix. Yet, adopting this approach requires a culture shift, embracing both innovative tools and methodologies. Our deployment process is enhanced with automated email notifications through our pipeline, fostering a spirit of unity and open communication among team members.

Now that we’ve briefly outlined our pipeline architecture, it’s time to embark on the project.

Step 1: Infrastructure Provisioning

a. Launch an EC2 t2.large as a spot instance to keep running costs low

b. Install Jenkins and configure the basic settings

sudo apt update -y
sudo apt install fontconfig openjdk-17-jre -y
java -version
sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update -y
sudo apt-get install jenkins -y
sudo systemctl start jenkins
sudo systemctl enable jenkins

Step 2: Security Implementation

For this phase, we will be leveraging two powerful tools, Sonarqube and Trivy.

SonarQube is tailored for the continuous inspection and evaluation of code quality within software projects. It makes use of static code analysis methods to pinpoint and rectify problems concerning code quality, security flaws, and compliance with coding standards. Offering support for a variety of programming languages, SonarQube acts as an all-encompassing solution for encouraging best coding practices and ensuring superior code quality throughout the lifecycle of software development.

Before starting Sonarqube, we need to install the Docker components using the commands below:

sudo apt-get update -y
sudo apt-get install docker.io -y
# let the ubuntu user talk to the Docker daemon without sudo
sudo usermod -aG docker ubuntu
newgrp docker
# Broader than needed: usermod + newgrp already grant access, and 777 makes the
# daemon socket world-writable (anyone on the host can then control Docker as root).
sudo chmod 777 /var/run/docker.sock

To deploy Sonarqube, we will utilize the official docker image and execute it in a containerized environment.

docker run -d --name sonar -p 9000:9000 sonarqube:lts-community

It can be accessed via the public IP at port 9000, with ‘admin’ serving as both the default username and password.

Trivy

On the other hand, Trivy serves as a vulnerability scanner specifically crafted for container-based environments, with a particular emphasis on container images and applications. It aids in the discovery of security vulnerabilities within container images by scrutinizing their components and dependencies. Using a comprehensive vulnerability database, Trivy scans for known security issues such as outdated components, Common Vulnerabilities and Exposures (CVEs), and other security threats.

Install Trivy using these commands

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update -y
sudo apt-get install trivy -y

After running the commands above, cross-check that Trivy was installed (for example with `trivy --version`).

Step 3: CI/CD Setup

For this phase, we’re deploying Jenkins. Recognized for its open-source nature, Jenkins serves as a pivotal tool in the realm of continuous integration and continuous delivery (CI/CD). It automates the compiling, testing, and deploying of software, thus enhancing the efficiency of development and deployment cycles. Moreover, Jenkins offers compatibility with a wide array of version control systems, build tools, security and testing frameworks, and deployment environments. This versatility enables teams to forge customized automated pipelines that align with their unique project requirements.

sudo systemctl status jenkins

Jenkins runs on port 8080 by default. Let’s navigate to it, set it up, and start integrating some of the needed tools for our pipeline. From the Jenkins Dashboard, navigate to Manage Jenkins →Plugins → Available Plugins. We’ll install the following plugins:

1. Eclipse Temurin Installer (Install without restart)

2. SonarQube Scanner (Install without restart)

3. NodeJs Plugin (Install Without restart)

Configure Java and Nodejs in Global Tool Configuration; choose the Jdk-17.0.8.1+1 and nodeJS 16.2.0 versions.

Configure Sonar Server in Jenkins

We’ll next go to our Sonarqube Server. Click on Administration → Security → Users → Click on Tokens and Update Token → Give it a name → and click on Generate Token. We’ll copy the token.

Back to our Jenkins Server, Jenkins Dashboard → Manage Jenkins → Credentials → Add Secret Text, we’ll paste the Sonarqube token in ‘Secret’ and use sonar-token as our ‘ID’ and ‘Description’.

Moving on, we head back to Manage Jenkins → System → Sonarqube Installations like so:

Then, Manage Jenkins → Tools → Sonarqube Scanner installations:

It’s time to create the CI/CD pipeline in Jenkins to automate the deployment of our application.

Paste the following as the pipeline script:

pipeline {
    agent any
    tools {
        // Names must match the JDK and NodeJS entries in Global Tool Configuration
        jdk 'jdk17'
        nodejs 'node16'
    }
    environment {
        // 'sonar-scanner' is the Sonarqube Scanner installation name from Manage Jenkins → Tools
        SCANNER_HOME = tool 'sonar-scanner'
    }
    stages {
        stage('clean workspace') {
            steps {
                cleanWs()
            }
        }
        stage('Checkout from Git') {
            steps {
                git branch: 'main', url: 'https://github.com/muthucholan/DevSecOps-Project.git'
            }
        }
        stage("Sonarqube Analysis") {
            steps {
                // 'sonar-server' is the Sonarqube installation name from Manage Jenkins → System
                withSonarQubeEnv('sonar-server') {
                    sh '''$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=Netflix \
                    -Dsonar.projectKey=Netflix'''
                }
            }
        }
        stage("quality gate") {
            steps {
                script {
                    // abortPipeline: false lets the build continue even when the gate fails
                    waitForQualityGate abortPipeline: false, credentialsId: 'sonar-token'
                }
            }
        }
        stage('Install Dependencies') {
            steps {
                sh "npm install"
            }
        }
    }
}

Setup Projects in Sonarqube for Jenkins

Go to Projects → Create Manually → Locally → Project display name (Netflix) → Setup → Generate new project token → Continue → Run analysis on your project (Choose ‘Other…’) → OS (for our case we’ll choose Linux).

We’ll head over to Jenkins and hit ‘Build Now’. For me, the 1st build was stuck on the Quality gate for more than 7 minutes, so I stopped the execution and tried again. The pipeline executed successfully on the 2nd build.

Sonarqube should now show the analysis results, with the vulnerabilities found and suggestions to fix them. The detailed report can be found under ‘Issues’.

Step 4: Configure Jenkins Email Notification

We are integrating an email notification feature as a subsequent step in our pipeline to alert us about the status of the build and to furnish us with the essential details needed for either troubleshooting or evaluating the build outcomes.

Initially, enabling Two-factor Authentication on our email is necessary. Subsequently, we will proceed to create a Gmail App Password by adhering to the following procedure: Navigate to our Gmail account → Settings → Use the search function for “app password” → Assign it a name → Hit Create.

Then, we return to the Jenkins Dashboard → Opt for Manage Jenkins → Navigate to Credentials → Choose System → Select Global credentials (unrestricted) → Click on Add Credentials → Proceed to establish a new set of credentials defined as Email and Password → Enter the email and the newly generated password → Click Save.

Next, Jenkins Dashboard → Manage Jenkins → System → Email Notification.

Update the pipeline with the following script and build the pipeline one more time, changing the required email ID.

pipeline {
    agent any
    tools {
        jdk 'jdk17'
        nodejs 'node16'
    }
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
    }
    stages {
        stage('clean workspace') {
            steps {
                cleanWs()
            }
        }
        stage('Checkout from Git') {
            steps {
                git branch: 'main', url: 'https://github.com/muthucholan/DevSecOps-Project.git'
            }
        }
        stage("Sonarqube Analysis") {
            steps {
                withSonarQubeEnv('sonar-server') {
                    sh '''$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=Netflix \
                    -Dsonar.projectKey=Netflix'''
                }
            }
        }
        stage("quality gate") {
            steps {
                script {
                    waitForQualityGate abortPipeline: false, credentialsId: 'sonar-token'
                }
            }
        }
        stage('Install Dependencies') {
            steps {
                sh "npm install"
            }
        }
    }
    post {
        // Runs whether the build succeeds or fails, using the Email Notification settings above
        always {
            emailext attachLog: true,
                subject: "'${currentBuild.result}'",
                body: "Project: ${env.JOB_NAME}<br/>" +
                      "Build Number: ${env.BUILD_NUMBER}<br/>" +
                      "URL: ${env.BUILD_URL}<br/>",
                to: 'example@gmail.com',
                // Trivy report files; they are only attached once stages that produce them exist
                attachmentsPattern: 'trivyfs.txt,trivyimage.txt'
        }
    }
}

build results

Step 5: Build Netflix clone docker image.

Clone the repo:

git clone https://github.com/muthucholan/DevSecOps-Project.git

Run these commands to build a Docker image, then remove it so it can be rebuilt with the API key in the next step.

docker build -t netflix .
docker run -d --name netflix -p 8081:80 netflix:latest

# to delete: stop and remove the container first, otherwise the 'netflix' name
# is still taken and the image stays referenced by the stopped container
docker stop <containerid>
docker rm netflix
docker rmi -f netflix

With the public ip of the EC2 and port 8081, navigate to the application. Oh crap! It failed to load because a TMDB API key is required for the app to run properly.

Fetching the TMDB API Key

  • Open a web browser and navigate to TMDB (The Movie Database) website.
  • Click on “Login” and create an account.
  • Once logged in, go to your profile, and select “Settings.”
  • Click on “API” from the left side panel.
  • Create a new API key by clicking “Create” and accepting the terms and conditions.
  • Provide the required basic details and click “Submit.”
  • You will receive your TMDB API key.

Afterward, remove the current Docker image and generate a new one using the provided API key.

docker build --build-arg TMDB_V3_API_KEY=<your-tmdb-api-key> -t netflix .

Run a new container from the new image and we should have a working application like above screenshot. Awesome!

Install the Dependency-Check Plugin and Docker Tools in Jenkins:

  • Navigate to Jenkins Dashboard.
  • Head to “Manage Jenkins” → “Manage Plugins.”
  • Switch to the “Available” tab and search for “OWASP Dependency-Check.”
  • Select the checkbox next to “OWASP Dependency-Check.”
  • Switch to the “Available” tab again and search for “Docker.”
  • Check the following Docker-related plugins:
    — Docker
    — Docker Commons
    — Docker Pipeline
    — Docker API
    — docker-build-step
  • Click on the “Install without restart” button.

After installing the plugins, we’ll need to configure them. Navigate to Dashboard → Manage Jenkins → Global Tool Configuration. Find the section for Dependency-Check. Add the tool’s name, e.g. “DP-Check”, then Apply and Save your settings.

After installing and configuring the Dependency-Check plugin, adding Docker-related plugins, and setting up our DockerHub credentials in Jenkins, we are ready to configure our Jenkins pipeline. We’ll ensure we update the TMDB_V3_API_KEY=<your TMDB API key> in the Docker build and push stage of the pipeline script below in accordance with our API key.
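As an added example (not the post’s own pipeline script), here is one way to write those extra stages: a Dependency-Check scan, a Trivy filesystem scan, a Docker build that takes the TMDB key from a Jenkins credential rather than a value pasted into the Jenkinsfile, a push to DockerHub, and a Trivy image scan that fails the build on fixable HIGH/CRITICAL findings. It assumes a secret-text credential ‘tmdb-api-key’, a username/password credential ‘dockerhub-creds’, a Docker tool named ‘docker’, and the ‘DP-Check’ tool name from above; the Trivy stages write the trivyfs.txt and trivyimage.txt files the email stage attaches.

```groovy
pipeline {
  agent any
  environment {
    // Placeholder: replace with your own DockerHub repository.
    IMAGE = 'your-dockerhub-user/netflix:latest'
  }
  stages {
    // The clean workspace, checkout, Sonarqube, quality gate and
    // npm install stages from the post's script go here, unchanged.
    stage('OWASP Dependency-Check') {
      steps {
        // 'DP-Check' is the tool name set in Global Tool Configuration.
        dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit',
                        odcInstallation: 'DP-Check'
        dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
      }
    }
    stage('Trivy FS Scan') {
      steps {
        // Source-tree report; this is the trivyfs.txt the email stage attaches.
        sh 'trivy fs --no-progress --format table -o trivyfs.txt .'
      }
    }
    stage('Docker Build & Push') {
      steps {
        // The key is bound from a credential (assumed id 'tmdb-api-key'). Single-quoted
        // sh strings leave the expansion to the shell, so Jenkins masks it in the log.
        // A --build-arg is still recorded in `docker history`; that is how the
        // project's Dockerfile consumes the key, so keep the image repo private.
        withCredentials([string(credentialsId: 'tmdb-api-key', variable: 'TMDB_V3_API_KEY')]) {
          sh 'docker build --build-arg TMDB_V3_API_KEY="$TMDB_V3_API_KEY" -t "$IMAGE" .'
        }
        withDockerRegistry(credentialsId: 'dockerhub-creds', toolName: 'docker') {
          sh 'docker push "$IMAGE"'
        }
      }
    }
    stage('Trivy Image Scan') {
      steps {
        // Full report for the email (trivyimage.txt), then a gate that fails the
        // build on HIGH/CRITICAL findings that already have a fixed version.
        sh 'trivy image --no-progress --format table -o trivyimage.txt "$IMAGE"'
        sh 'trivy image --no-progress --ignore-unfixed --severity HIGH,CRITICAL --exit-code 1 "$IMAGE"'
      }
    }
  }
}
```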

Please check out the Part-2 link given below to install monitoring tools such as Prometheus and Grafana on EC2 instances.

https://medium.com/@srinmuz/part-2-replica-of-netflix-app-as-container-on-kubernetes-installing-prometheus-and-grafana-on-aws-0a755440ba8f

Happy Learning.