CI/CD for Netflix Application (Part - 2)
sumit JeswaniPrerequisites:
Github
Dockerhub
EC2 instance with sonarqube
Kubernetes configured in local
Step 1: Clone Git Repo
git clone https://github.com/jeswanisumit1999/Netflix-clone
Step 2: Create a GitHub actions workflow yml file.
Create a file at the following location - Netflix-clone/.github/workflows/<filename>.yml
Step 3: Now open the workflow file we just created for writing CI/CD.
Declare the workflow name and trigger
name: CI # Name of workflow
on: [workflow_dispatch, push] # Manually run workflow and trigger on push
Job-1: Build
Steps:
Checkout repo: This step fetches the repository's code.
Set up Node: Configures the environment with the specified Node.js version.
Install dependencies: Installs project dependencies using npm.
Build project: Executes the npm script to build the project.
# Job-1 Build build: name: Build runs-on: ubuntu-latest steps: - name: Checkout repo uses: actions/checkout@v4 - name: Set up Node uses: actions/setup-node@v3 with: node-version: 18 - name: Install dependencies run: npm install - name: Build project run: npm run build
Job-2: Code_Scan
Steps:
Checkout repo: Fetches the repository's code again (it's a common step used in multiple jobs).
SonarQube Scan: Utilizes the SonarQube static code analysis tool to scan the code for issues. It's configured with the host and login information stored in GitHub secrets.
Trivy filesystem Scan: Installs and runs Trivy to scan the filesystem for vulnerabilities. Trivy is a vulnerability scanner for containers and filesystems.
# Job-2 Source Code Scan Code_Scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: # Disabling shallow clones is recommended for improving the relevancy of reporting fetch-depth: 0 - name: SonarQube Scan uses: kitabisa/sonarqube-action@v1.2.0 with: host: ${{ secrets.SONAR_HOST_URL }} login: ${{ secrets.SONAR_TOKEN }} - name: Trivy filesystem Scan run: | #install trivy sudo apt-get install wget apt-transport-https gnupg lsb-release -y wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list sudo apt-get update sudo apt-get install trivy -y #command to scan files trivy fs .
Job-3: Push_Image
Steps:
Set up QEMU: Sets up QEMU, a generic and open-source machine emulator and virtualizer.
Set up Docker Buildx: Configures Docker Buildx, which extends the capabilities of Docker for building container images.
Login to Docker Hub: Logs in to Docker Hub using the credentials stored in GitHub secrets.
Build and push: Builds the Docker image using Docker Buildx and pushes it to Docker Hub. It also tags the image with the commit SHA for versioning.
Run Trivy vulnerability scanner: Scans the Docker image for vulnerabilities using Trivy.
Checkout repo: Fetches the repository's code once again.
Update image in deployment.yaml: Updates the image tag in the deployment.yaml file, commits the changes, and pushes them back to the repository. This step ensures that the Kubernetes deployment uses the latest Docker image.
# Job-3 Push Docker image to Docker Hub and update image tag in deplyment.yml file Push_Image: runs-on: ubuntu-latest steps: - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push uses: docker/build-push-action@v5 with: push: true tags: sumitjeswani/netflix:${{ github.sha }} build-args: | TMDB_V3_API_KEY=${{ secrets.TMDB_API_KEY }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: "docker.io/sumitjeswani/netflix:${{ github.sha }}" format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - name: Trivi Image Scan if: false # This another way to scan using trivy run: | #install trivy sudo apt-get install wget apt-transport-https gnupg lsb-release -y wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list sudo apt-get update sudo apt-get install trivy -y #command to scan files trivy image docker.io/sumitjeswani/netflix:${{ github.sha }} - name: Checkout repo uses: actions/checkout@v3 - name: Update image in deployment.yaml working-directory: ./Kubernetes run: | sed -i 's|sumitjeswani/netflix:.*|sumitjeswani/netflix:'${{ github.sha }}'|' deployment.yml git config --global user.name 'Sumit Jeswani' git config --global user.email 'jeswanisumit1999@gmail.com' git add deployment.yml git commit -m "Update deployment.yml" git push
Summary: This GitHub Actions workflow is for continuous integration (CI) and involves three main jobs:
Build: This job runs on Ubuntu latest and involves setting up Node.js, installing dependencies, and building the project using npm.
Code_Scan: This job also runs on Ubuntu latest and performs code scanning using SonarQube and filesystem scanning using Trivy for vulnerabilities.
- Push_Image: This job involves building and pushing a Docker image to Docker Hub. It also runs Trivy vulnerability scanning on the Docker image and updates the image tag in the deployment.yaml file.
Overall, it automates the process of building, testing, and deploying the codebase.
Subscribe to my newsletter
Read articles from sumit Jeswani directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by