A complete breakdown of how I automated code quality, security, containerization, GitOps deployment, and monitoring, using only open-source tools.

## Why I Built This Pipeline
In today's cloud-native era, simply deploying code isn't enough.
We need to:
- Ensure code quality
- Scan for security vulnerabilities
- Automate deployments
- Monitor everything
- Get feedback instantly
So, I decided to build a DevSecOps + GitOps pipeline that ties together:
- Jenkins for CI/CD
- Docker + GitHub + DockerHub
- SonarQube, Trivy, OWASP Dependency Check
- Kubernetes + ArgoCD
- Prometheus, Grafana, Loki, Alertmanager
- Slack + Gmail notifications
## See It in Action
Watch the pipeline executing:
## Pipeline Flow Breakdown
Let's walk through each step in this real-world production-ready CI/CD setup.
### 1. Developer Pushes Code to GitHub
A push triggers a Jenkins multibranch pipeline via a GitHub webhook.

### 2. Jenkins CI Begins, With Parallel Security Gates
```groovy
// The three security gates run side by side inside one declarative stage;
// the pipeline only moves on to the Docker build when all of them pass.
stage('Security Gates') {
    parallel {
        stage('SonarQube') {
            steps {
                sh 'sonar-scanner -Dsonar.projectKey=my-app ...'
            }
        }
        stage('Trivy Scan') {
            steps {
                // --exit-code 1 makes Trivy fail the stage when it finds vulnerabilities
                sh 'trivy fs . --exit-code 1'
            }
        }
        stage('OWASP Check') {
            steps {
                sh './dependency-check/bin/dependency-check.sh -s .'
            }
        }
    }
}
```
Code quality, container vulnerabilities, and dependency checks all run in parallel.
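The failure handling behind the parallel gates, as an added example (not code from the post or the repository): a POSIX shell helper that runs every gate command to completion before deciding, so one failing scanner does not hide what the others found. The gate command strings, the log directory and the `--severity` / `--failOnCVSS` thresholds shown in the comment are my assumptions about how the stage would be wired; the scanner commands themselves are not executed by the helper unless you pass them in.

```shell
#!/bin/sh
# Added example, not from the original post: run CI security gates in parallel,
# wait for all of them, and fail only after every gate has reported.
# Each gate is a shell command string, as it would appear in a Jenkins `sh` step.

run_gates() {
  logdir=$(mktemp -d)
  pids=""
  i=0
  for gate in "$@"; do
    i=$((i + 1))
    # Each gate runs in its own subshell with its own log file.
    ( sh -c "$gate" >"$logdir/gate$i.log" 2>&1 ) &
    pids="$pids $!"
  done

  failed=0
  i=0
  for pid in $pids; do
    i=$((i + 1))
    # `wait PID` returns that gate's exit status; every gate is waited for,
    # so a fast failure never short-circuits the slower scanners.
    if wait "$pid"; then
      echo "gate $i: PASS"
    else
      echo "gate $i: FAIL (log: $logdir/gate$i.log)"
      failed=$((failed + 1))
    fi
  done
  echo "$failed gate(s) failed"
  return "$failed"   # non-zero exit status = number of failed gates
}

# How the pipeline's own gates would be passed in (assumed wiring; the scanners
# are not installed in this example's environment, so this call is commented out).
# `--severity` and `--failOnCVSS` are the tools' own thresholds, so only
# HIGH/CRITICAL findings block the build instead of every low-severity hit.
#   run_gates \
#     "sonar-scanner -Dsonar.projectKey=my-app" \
#     "trivy fs . --exit-code 1 --severity HIGH,CRITICAL" \
#     "./dependency-check/bin/dependency-check.sh -s . --failOnCVSS 7"
```

The per-gate log files are what you attach to the Slack or Gmail notification when a gate fails; the aggregated exit status is what the Jenkins `sh` step turns into a red stage.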
### 3. Docker Build + Push
```shell
docker build -t <image-name>:<image-tag> .
docker push <image-name>:<image-tag>
```
Built containers are pushed to DockerHub or any secure private registry.
### 4. Jenkins CD Updates Kubernetes Manifests
Jenkins updates the image tag in the Kubernetes manifests (the `tag:` field of `values.yaml` in the snippet below) to point at the new Docker image:
```shell
# Run from the Jenkins `sh` step; ${imageTag} is the tag built in step 3.
sed -i -E "s|^(\s*tag:) .*|\1 \"${imageTag}\"|" values.yaml
git commit -am "update image tag"
git push origin main
```
This commit lands in a separate Infra GitHub Repo, which is continuously watched by ArgoCD.
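A hardened version of that manifest update, as an added example (not the post's or the repository's own code): the same `sed` rewrite, but it refuses tags that could break the `sed` expression or the YAML, and it refuses to touch the file unless exactly one `tag:` line is present, so a bad build variable cannot silently push a broken manifest into the infra repo for ArgoCD to deploy. The `values.yaml` content in the test and the `bump_image_tag` / `current_tag` names are my constructions.

```shell
#!/bin/sh
# Added example, not from the original post: update the Helm image tag the way
# the CD stage does, with input validation and a post-edit check.

bump_image_tag() {
  file=$1
  tag=$2
  # Conservative Docker tag check (letters, digits, '_', '.', '-'); this also keeps
  # '|', '"' and newlines out of the sed expression and out of the YAML value.
  case "$tag" in
    ''|*[!A-Za-z0-9_.-]*)
      echo "refusing invalid image tag: '$tag'" >&2
      return 2 ;;
  esac
  # Exactly one tag: line must exist; zero means the wrong file, two means an
  # ambiguous edit that would change more than the app image.
  n=$(grep -cE '^[[:space:]]*tag:' "$file" || true)
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one tag: line in $file, found $n" >&2
    return 3
  fi
  sed -i -E "s|^([[:space:]]*tag:) .*|\1 \"${tag}\"|" "$file"
  # Verify the rewrite actually landed before the caller commits and pushes.
  grep -qE "^[[:space:]]*tag: \"${tag}\"\$" "$file"
}

# Read the current tag back (quoted or unquoted), e.g. for the Slack message.
current_tag() {
  sed -nE 's/^[[:space:]]*tag: "?([^"]*)"?/\1/p' "$1"
}

# Demo on a constructed values.yaml (not the repository's file).
demo() {
  dir=$(mktemp -d)
  printf 'image:\n  repository: docker.io/example/my-app\n  tag: "1.0.0"\n  pullPolicy: IfNotPresent\n' \
    > "$dir/values.yaml"
  bump_image_tag "$dir/values.yaml" "1.0.1-build42" && current_tag "$dir/values.yaml"
}
```

In the Jenkinsfile this replaces the bare `sed` line; `git commit` and `git push` run only if `bump_image_tag` returns 0.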
### 5. ArgoCD (GitOps) Deploys to Kubernetes
- ArgoCD syncs automatically with the updated manifest repo.
- It deploys the new version into the Kubernetes cluster.
### 6. Monitoring & Logging Kicks In
- Prometheus scrapes metrics from the cluster and app.
- Grafana dashboards display:
  - Application performance
  - Pod CPU/memory usage
  - Business metrics
- Loki collects logs.
- Alertmanager sends alerts on failure, high latency, etc.
### 7. Instant Notifications
Pipeline stages notify:
- Gmail for critical alerts
- Slack #ci-cd for success/failure, build times

Example Slack message:
```text
Docker image built and pushed
ArgoCD deployed version to cluster
```
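How a stage can produce that Slack message, as an added example (not the post's or the repository's code): a shell helper that builds the incoming-webhook JSON payload for a stage result and posts it with `curl`. The webhook URL comes from the `SLACK_WEBHOOK_URL` environment variable (assumed to be injected by a Jenkins credential binding) rather than being written into the Jenkinsfile, which addresses the "secret exposure in git history" challenge listed further down; the `#ci-cd` channel is the one named in the post, the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: Slack incoming-webhook notification
# for a pipeline stage, with the webhook secret read from the environment only.

slack_payload() {
  status=$1; stage=$2; detail=$3
  case "$status" in
    success) icon=":white_check_mark:" ;;
    failure) icon=":x:" ;;
    *)       icon=":information_source:" ;;
  esac
  # Escape backslashes and double quotes and flatten newlines so arbitrary
  # build output (image names, error text) cannot break the JSON.
  text=$(printf '%s %s %s: %s' "$icon" "$stage" "$status" "$detail" \
         | tr '\n' ' ' | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"channel":"#ci-cd","text":"%s"}' "$text"
}

notify_slack() {
  payload=$(slack_payload "$@")
  if [ -z "${SLACK_WEBHOOK_URL:-}" ]; then
    # Assumed secret not present (e.g. local run): show what would be sent.
    printf 'SLACK_WEBHOOK_URL not set; would send: %s\n' "$payload" >&2
    return 0
  fi
  curl -fsS -X POST -H 'Content-Type: application/json' \
       --data "$payload" "$SLACK_WEBHOOK_URL"
}

# Typical calls from a Jenkins post { success { ... } } / failure { ... } block:
#   notify_slack success "Docker build" "image my-app:42 built and pushed"
#   notify_slack failure "Trivy Scan" "HIGH/CRITICAL findings, see gate log"
```

Keep the webhook URL in the Jenkins credential store and bind it into the environment for the notification step only; it never belongs in the Jenkinsfile or the infra repository.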
## Challenges I Faced
- Managing parallel Jenkins stages with proper failure handling
- Avoiding secret exposure in git history
- Setting up ArgoCD auto-sync correctly
- Tuning Prometheus scraping and Grafana alert rules
- Handling secure scanning without breaking pipelines
## What I Learned
- Security gates should be integrated early (shift-left) in CI
- GitOps brings traceability and rollback safety
- Observability is critical for real production setups
- Notifications save time during active development cycles

## Try It Yourself
- GitHub Infra Repo (with manifests): https://github.com/Kapil-Bhalodiya/E-Commerce/infra
- ArgoCD app config: https://github.com/Kapil-Bhalodiya/E-Commerce/infra/config/applications.yaml
## Final Thoughts
This pipeline is more than a pet project: it's a blueprint for building production-ready, secure, and scalable deployment workflows using only open-source tools.
If you're starting your DevOps journey or want to adopt GitOps at scale, this setup might help you avoid months of trial and error.
Feel free to drop your thoughts, suggestions, or questions in the comments.
I'm open to feedback and collaborations!