End-to-End Netflix Clone Deployment with Kubernetes, SonarQube, Trivy, Jenkins, Prometheus, Grafana, Argo CD and Pixie observability

16 min read5 days ago

Introduction

Deploying applications on Kubernetes has become a cornerstone of modern DevOps practices, providing scalability and resilience. In this comprehensive guide, we’ll walk through deploying a Netflix clone on Kubernetes. We’ll cover essential steps to ensure robust security using SonarQube and Trivy, automate the deployment process with Jenkins, and implement effective monitoring with Prometheus and Grafana. By the end of this article, you’ll have a well-rounded understanding of how to leverage these powerful tools to build, secure, and maintain a high-quality application.

Completion Steps:

Phase 1: Deploy Netflix Locally on EC2 (t2.large)

Step 1: Setup EC2

Go to the AWS console and launch an Ubuntu 22.04 instance with the following specifications:

Instance type: t2.large
Storage: 25 GB
Ensure to enable the public IP in VPC settings

Connect to your EC2 instance via SSH using the following command:

ssh -i "Project_key.pem" ubuntu@ec2-54-234-198-229.compute-1.amazonaws.com

Run the following commands:

sudo su
cd 
apt update

Clone the GitHub repository:

git clone https://github.com/Subham966/Deploy-Netflix-Clone-on-Kubernetes.git

Create an Elastic IP address and associate it with your instance.

Step 2: Setup Docker and Build Images

Install Docker:

apt-get install docker.io 
usermod -aG docker $USER 
newgrp docker 
sudo chmod 777 /var/run/docker.sock

Build and run the Docker container:

docker build -t netflix .
docker run -d --name netflix -p 8082:80 netflix:latest

Open port 8082 in your EC2 security group by adding a custom TCP rule for port 8082.
Access your application by browsing to http://your_public_ip:8082. You should see a blank Netflix page due to the missing API.

Step 3: Setup Netflix API

Obtain an API key from TMDB:

Sign up on the TMDB website: https://www.themoviedb.org/
Navigate to your profile, select “Settings,” and then “API.”
Generate a new API key and accept the terms and conditions.

Copy the API key. **bde01169dee25c9a61d9edcc56fed014**

Delete the existing Docker image:

docker ps   #copy the <container_id>
docker stop <container_id> 
docker rmi -f netflix

Build and run the new Docker container with the API key:

docker build -t netflix:latest --build-arg TMDB_V3_API_KEY=bde01169dee25c9a61d9edcc56fed014 . 
docker run -d -p 8081:80 netflix

**Update the security group inbounf from 8082 to 8081**

Access the application again at http://your_public_ip:8081. The Netflix clone app should now display data from the TMDB API.

Phase 2: Implementation of Security with SonarQube and Trivy

what is sonarqube:→

SonarQube is like a “code quality detective” tool for software developers that scans your code to find and report issues, bugs, security vulnerabilities, and code smells to help you write better and more reliable software. It provides insights and recommendations to improve the overall quality and maintainability of your codebase.

what is trivy:→

Trivy is like a “security guard” for your software that checks for vulnerabilities in the components (like libraries) your application uses, helping you find and fix potential security problems to keep your software safe from attacks and threats. It’s a tool that scans your software for known security issues and provides information on how to address them.

Step 1: Setup SonarQube

Run the following command to install and run SonarQube on port 9000:

docker run -d --name sonar -p 9000:9000 sonarqube:lts-community

Restart the Existing Container:

If you want to use the existing container, you can simply restart it:

docker start sonar

List All Containers:

To see all containers and their statuses:

docker ps -a

**If Sonar is stopped ,do need to restart the sonar**

Open port 9000 in your EC2 security group.
Access SonarQube at http://your_public_ip:9000 with the default credentials (username: admin, password: admin).

**Open port 9000 in your EC2 security group**

To Reset username and password for SonarQube:(optional)

Security

SonarQube comes with a number of global security features.

docs.sonarsource.com

Step 2: Setup Trivy

Install Trivy:

sudo apt update
sudo apt install snapd
sudo snap install trivy
wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.41.0_Linux-64bit.deb
sudo dpkg -i trivy_0.41.0_Linux-64bit.deb
sudo /snap/bin/trivy --version

Scan your Docker image for vulnerabilities:

sudo /snap/bin/trivy image nginx:latest

Phase 3: Automate Deployment with Jenkins Pipeline

Step 1: Install and Configure Jenkins

Install Java and Jenkins:

sudo apt update 
sudo apt install fontconfig openjdk-17-jre 
java -version 
sudo wget -O /usr/share/keyrings/jenkins-keyring.asc https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key 
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/ | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null 
sudo apt-get update 
sudo apt-get install jenkins 
sudo systemctl start jenkins 
sudo systemctl enable jenkins

Access Jenkins at http://public_ip:8080.

copy the passowrd from **cat /var/lib/jenkins/secrets/initialAdminPassword**

Install the following plugins:

Eclipse Temurin Installer Plugin
SonarQube Scanner Plugin
NodeJs Plugin
Email Extension Template Plugin
OWASP Dependency-Check Plugin
Prometheus metrics Plugin
Docker-related plugins

After all Plugins successfully installed , do restart the Jenkins and Login again.

Phase 4: Monitoring with Prometheus and Grafana

Step 1: Setup Another EC2 for Monitoring

Launch an Ubuntu instance with t2.medium specifications.

Step 2: Install Prometheus

Create a dedicated user and download Prometheus:

sudo su
cd
sudo useradd --system --no-create-home --shell /bin/false prometheus 
wget https://github.com/prometheus/prometheus/releases/download/v2.47.1/prometheus-2.47.1.linux-amd64.tar.gz 
tar -xvf prometheus-2.47.1.linux-amd64.tar.gz 
cd prometheus-2.47.1.linux-amd64/ 
sudo mkdir -p /data /etc/prometheus 
sudo mv prometheus promtool /usr/local/bin/ 
sudo mv consoles/ console_libraries/ /etc/prometheus/ 
sudo mv prometheus.yml /etc/prometheus/prometheus.yml 
sudo chown -R prometheus:prometheus /etc/prometheus/ /data/

Create a systemd service file for Prometheus:

sudo nano /etc/systemd/system/prometheus.service

Add the following content:

[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target

StartLimitIntervalSec=500
StartLimitBurst=5

[Service]
User=prometheus
Group=prometheus
Type=simple
Restart=on-failure
RestartSec=5s
ExecStart=/usr/local/bin/prometheus \
  --config.file=/etc/prometheus/prometheus.yml \
  --storage.tsdb.path=/data \
  --web.console.templates=/etc/prometheus/consoles \
  --web.console.libraries=/etc/prometheus/console_libraries \
  --web.listen-address=0.0.0.0:9090 \
  --web.enable-lifecycle

[Install]
WantedBy=multi-user.target

Reload systemd and start Prometheus:

sudo systemctl daemon-reload
sudo systemctl start prometheus 
sudo systemctl enable prometheus
sudo systemctl status prometheus

Open port 9090 in your EC2 security group.

Access Prometheus at http://public_ip:9090.

**Copy the Public IP of Prometheus and Grafana server**

Step 3: Install Grafana

Download and install Grafana:

wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/oss/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list 
sudo apt-get update
sudo apt-get -y install grafana
sudo systemctl start grafana-server 
sudo systemctl enable grafana-server
sudo systemctl status grafana-server

Open port 3000 in your EC2 security group.
Access Grafana at http://public_ip:3000 (default credentials: admin/admin).

Step 4: Integrate Prometheus with Grafana

Add Prometheus as a data source in Grafana:

Go to Configuration > Data Sources > Add data source.

Select Prometheus and enter http://localhost:9090.

Import the following dashboards for visualization:

Select “Dashboard.”
Click on the “Import” dashboard option.
Enter the dashboard code you want to import (e.g., code 1860).
Click the “Load” button.

Docker Dashboard (ID: 179)

Jenkins Dashboard (ID: 16527)

Prometheus 2.0 Overview (ID: 3662)

Phase 5: Deploy on Kubernetes (EKS)

Step 1: Create EKS Cluster

1.Add a name to your cluster

2.choose a service role if you don’t have then follow below documentation to create it:

https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html?source=post_page-----9ae6091b88bd--------------------------------

**Attach the IAM Role which created before**

click on create →

when your cluster is ready then go to compute option and add a node group →

Before that you need to create a IAM Role for EC2_Service_Role →

Remain everything as it is →click on create

Install AWS CLI:

sudo apt update
sudo apt install -y unzip curl
sudo apt install -y unzip curl
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version

aws configure

aws eks update-kubeconfig --name MyEKS_cluster_For_Netflix --region us-east-1

This command is used to update the Kubernetes configuration (kubeconfig) file for an Amazon Elastic Kubernetes Service (EKS) cluster named “Netflix_cluster” in the “us-east-” region, allowing you to interact with the cluster using kubectl.

Install helm:

# Add the Helm GPG key
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null

# Install apt-transport-https package
sudo apt-get install apt-transport-https --yes

# Add the Helm repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list

# Update package list and install Helm
sudo apt-get update
sudo apt-get install helm

Installing Node Exporter:

Create a dedicated system user for Node Exporter. This user will not have a home directory and cannot log in to the shell:

sudo useradd --system --no-create-home --shell /bin/false node_exporter

Download Node Exporter:

Download the Node Exporter tarball from the official GitHub repository.

wget https://github.com/prometheus/node_exporter/releases/download/v1.6.1/node_exporter-1.6.1.linux-amd64.tar.gz

Extract Node Exporter Files:

Extract the downloaded tarball, move the binary to /usr/local/bin/, and clean up the extracted files.

tar -xvf node_exporter-1.6.1.linux-amd64.tar.gz
sudo mv node_exporter-1.6.1.linux-amd64/node_exporter /usr/local/bin/
rm -rf node_exporter-1.6.1.linux-amd64*

Create a Systemd Unit File for Node Exporter:

Create a systemd service file to manage the Node Exporter service.

sudo nano /etc/systemd/system/node_exporter.service

Add the following configuration to the node_exporter.service file:

[Unit]
Description=Node Exporter
Wants=network-online.target
After=network-online.target

StartLimitIntervalSec=500
StartLimitBurst=5

[Service]
User=node_exporter
Group=node_exporter
Type=simple
Restart=on-failure
RestartSec=5s
ExecStart=/usr/local/bin/node_exporter --collector.logind

[Install]
WantedBy=multi-user.target

Save and close the file (press Ctrl+O to save and Ctrl+X to exit).

Enable and Start Node Exporter:

Enable the Node Exporter service to start on boot and then start the service.

sudo systemctl enable node_exporter
sudo systemctl start node_exporter

Check Node Exporter Status:

Verify that Node Exporter is running correctly.

sudo systemctl status node_exporter

You should see an output indicating that the Node Exporter service is active and running.

allow the 9100 port in security group to see the netflix metrics

Deploy Application with ArgoCD:

Argo CD is a tool that helps software developers and teams manage and deploy their applications to Kubernetes clusters more easily. It simplifies the process of keeping your applications up to date and in sync with your desired configuration by automatically syncing your code with what’s running in your Kubernetes environment. It’s like a traffic cop for your applications on Kubernetes, ensuring they are always in the right state without you having to manually make changes.

Add the Argo CD Helm Repository

**inside the prometheus and Grafana server**

# Add the Argo CD Helm repository:
helm repo add argo-cd https://argoproj.github.io/argo-helm

# Update Your Helm Repositories:
helm repo update

# Create a Namespace for Argo CD:
kubectl create namespace argocd

# Install Argo CD Using Helm:
# Install Argo CD in the argocd namespace:
helm install argocd argo-cd/argo-cd -n argocd

# Verify the Installation:
kubectl get all -n argocd

# Expose argocd-server:
# By default argocd-server is not publicaly exposed. For the purpose of this workshop, we will use a Load Balancer to make it usable:

kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'

sudo apt install jq

export ARGOCD_SERVER=`kubectl get svc argocd-server -n argocd -o json | jq — raw-output ‘.status.loadBalancer.ingress[0].hostname’`

**copy the loadbalancer Ingress Url and try to hit ,you will see the Argocd page**

**To Enter inside the Argocd need to know the username and password**

# To know the password of Argocd 
kubectl get -o yaml secret -n argocd argocd-initial-admin-secret

username is admin & copy the password : 5ttmiIxs3hqp2Xzr

Deploy Application with ArgoCD

**you will see nodeport is setted at 30007**

just allow the 30007 port and copy the public ip of that grafana and promethues server with this port and Hit you will se the content.

By following these steps, you will have successfully deployed a Netflix clone application on Kubernetes with added security measures, continuous deployment, and monitoring.

Conclusion and Next Steps

In this guide, we successfully deployed a Netflix clone on Kubernetes and incorporated various security and monitoring tools like SonarQube, Trivy, Jenkins, Prometheus, and Grafana. These tools ensure our application is secure, continuously deployed, and monitored effectively.

Follow-up Guide: Enhancing Your Deployment with Pixie Observability

To take your deployment to the next level, check out our follow-up guide on :

https://medium.com/@subhampradhan966/enhancing-netflix-clone-deployment-with-pixie-observability-bb33021acc56

Enhancing Netflix Clone Deployment with Pixie Observability. In this guide, you’ll learn how to integrate Pixie, an advanced observability tool, into your Kubernetes cluster to gain real-time insights and debugging capabilities.

By following these steps, you can ensure your application is not only secure and well-monitored but also optimized for performance with detailed observability.