โ ๏ธ Disclaimer: The Blog app is not my application. The MERN blog app was cloned from GitHub. My goal here was to practice DevOps with a full CI/CD workflow code quality checks, security audits, containerization, Kubernetes deployment, and monitoring.
๐งฑ App Overview
- Frontend: React (served via Nginx)
- Backend: Node.js + Express
- Database: MongoDB
- CI/CD: GitHub Actions
- Container Registry: DockerHub
- Deployment: Kubernetes (AKS/EKS)
- Monitoring: Prometheus + Grafana
- Security/Code Quality: SonarQube + Trivy + ESLint
๐ง Goals
โ
Set up CI/CD pipelines
โ
Apply security scanning tools
โ
Push images to DockerHub
โ
Deploy automatically to Kubernetes
โ
Monitor workloads
โ
Do all this with free-tier constraints (Azure/AWS)
๐ ๏ธ CI Workflow โ GitHub Actions
โ What We Did
- Lint both frontend & backend with ESLint
- Code Quality Check with self-hosted SonarQube
- Vulnerability Scanning with Trivy
- Build & Push Docker Images to DockerHub
โ๏ธ SonarQube Setup (Azure & AWS)
- Launch a Linux VM
- Allow port 9000 in inbound firewall rules
- Add your user to Docker group:
sudo usermod -aG docker $USER
- Start SonarQube container:
docker run -d --name sonarqube -p 9000:9000 sonarqube
- Access:
http://<VM_PUBLIC_IP>:9000 - Generate token โ Save in GitHub Secrets:
SONAR_TOKENSONAR_HOST_URL
โ๏ธ CD Workflow โ GitHub Actions
We created a second GitHub Actions workflow that triggers only after CI succeeds using workflow_run.
๐งโ๐ป AKS Setup
- Use
az login, create AKS via CLI or portal - Create a Service Principal
- Store creds in GitHub Secret:
AZURE_CREDENTIALS - In GitHub Action:
az aks get-credentials --name blog-cluster --resource-group blogdeploy
kubectl apply -f deploy/base/
๐งโ๐ป EKS Setup (Alternative)
- Create EKS with
eksctl:
eksctl create cluster --name blog-cluster ...
- Configure AWS access:
- Store
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY -
Use:
- uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} region: us-east-1
- Add kubeconfig for EKS:
aws eks update-kubeconfig --name blog-cluster
- Then apply:
kubectl apply -f deploy/base/
โ Full CD YAML Snippet
on:
workflow_run:
workflows: ["CI-Ffor blog"]
types: [completed]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Azure Login
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Set AKS Context
run: |
az aks get-credentials --resource-group blogdeploy --name blog-cluster --overwrite-existing
- name: Deploy
run: kubectl apply -f deploy/base/
๐ Kubernetes Setup
We used manifest-based deployment instead of Helm.
- MongoDB
- blog-server (Node)
- blog-client (React + Nginx)
- Services (ClusterIP + LoadBalancer)
For full YAMLs:
๐ GitHub Repo: https://github.com/Harivelu0/Blog-App-using-MERN-stack
๐ฆ Docker & Image Strategy
Both client and server had custom Dockerfile.
In CI, we built and pushed them:
docker build -t <username>/blog-client ./client
docker push <username>/blog-client
Great catch! Here's the ArgoCD-specific flow you can insert into your diagram and blog under the "CD & GitOps" section.
๐ GitOps Deployment with ArgoCD
Once the CI pipeline builds and pushes Docker images and updates the manifests in the GitHub repo (deploy/base/), ArgoCD handles the automated syncing and deployment into your Kubernetes cluster.
๐น Flow:
- ArgoCD App Definition
- Points to your GitHub repo and
deploy/base/folder. -
Deployed using:
kubectl apply -f argocd-app.yaml
- ArgoCD Syncs Automatically
- Detects changes in the GitHub repo (new images, manifest edits).
- Applies updates to the AKS/EKS cluster without manual
kubectl apply.
- ArgoCD UI
-
Accessed via port-forward:
kubectl port-forward svc/argocd-server -n argocd 8080:443 -
Login with:
- Username:
admin - Password: from initial pod logs or custom setup
- Username:
- Health Monitoring
- ArgoCD continuously monitors health and sync status of the app.
- If app is OutOfSync or Degraded, it provides logs and status for debugging.
๐ Monitoring
Installed Prometheus + Grafana via Helm:
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm install prometheus prometheus-community/kube-prometheus-stack \
--namespace monitoring --create-namespace
Port-forward locally:
kubectl port-forward svc/grafana -n monitoring 3001:80
kubectl port-forward svc/prometheus-server -n monitoring 9090:80
โ ๏ธ No alerts configured in this project due to focus/time โ will cover alerting in a future one.
Final DAeployed App in K8
๐งช Common Issues We Solved
| Issue | Fix |
|---|---|
| App blank on root | Removed homepage from package.json and rebuilt |
ErrImageNeverPull |
Set imagePullPolicy: Always
|
| SonarQube not reachable | Opened port 9000 on VM |
| Port limitations on Azure | Used port-forwarding instead of multiple LoadBalancers |
| Kustomization error | Installed required CRDs for Kustomize |
๐งน Cleanup
Azure
az aks delete --name blog-cluster --resource-group blogdeploy --yes
az group delete --name blogdeploy --yes
AWS
eksctl delete cluster --name blog-cluster
Also delete:
- DockerHub images
- SonarQube VM
- GitHub Secrets
โ Final Summary
โ
CI: ESLint + SonarQube + Trivy + Docker
โ
CD: GitHub Actions to AKS (or EKS)
โ
Monitoring: Prometheus + Grafana
โ
K8s: Manifest-based setup
โ
Port-forwarding to work around public IP limits
โ Alerting skipped for now (to be covered in future project)
Top comments (1)
Amazing! ๐