Haripriya Veluchamy

Posted on Jul 24

My Netflix Clone DevSecOps Project on Azure: A Case Study

#devops #security #web #learning

Introduction

Hey there! I recently completed an exciting project where I deployed a Netflix clone using DevSecOps practices on Azure. I want to share my experience, the challenges I faced, and how I overcame them.

When I started, I had basic knowledge of CI/CD pipelines, but I wanted to dive deeper into DevSecOps. I found Cloud Champs' tutorial that demonstrated deploying a Netflix clone on AWS using DevSecOps principles. I decided to follow along but adapt it to Azure instead, which added an extra layer of challenge and learning.

My Project Setup

I chose to use Azure B-series VMs, which are equivalent to AWS t2.medium instances, for my infrastructure. One thing that made the Azure setup smoother was that public IPs are automatically assigned to VMs, unlike in AWS where you need to configure elastic IPs separately.

For my setup, I needed:

A VM for Jenkins and the associated security tools
A separate VM for monitoring tools
An Azure Kubernetes Service (AKS) cluster

I cloned the Netflix application repo and started setting up my pipeline. The app is a cool Netflix clone that uses the TMDB API to fetch movie data.

Building the CI/CD Pipeline

Setting up Jenkins was pretty straightforward. I installed all the required plugins and configured tools like JDK 17 and NodeJS 16. The fun part was creating the pipeline!

My Jenkins pipeline included:

Code checkout from my GitHub repo
SonarQube analysis for code quality
Quality gate verification
Dependency installation
OWASP Dependency Check for security vulnerabilities
Trivy filesystem scan for additional security checks
Docker image building and pushing to DockerHub
Trivy container scan
Deployment to a Docker container for testing

This pipeline ensured that every change went through proper quality and security checks before deployment.

Challenges I Faced

SonarQube Quality Gate Timeout

My first major roadblock came with the SonarQube quality gate stage. The pipeline kept hanging after the SonarQube analysis, and it wasn't moving forward. After some investigation, I realized that Jenkins wasn't receiving the completion signal from SonarQube.

I solved this by adding a timeout and sleep command in my pipeline:

stage("quality gate"){
   steps {
        script {
            // Added timeout to prevent pipeline from hanging
            timeout(time: 1, unit: 'MINUTES') {
                // Added sleep to give SonarQube time to process
                sleep(10)
                waitForQualityGate abortPipeline: false, credentialsId: 'Sonar-token' 
            }
        }
    } 
}

This small change made a huge difference! The pipeline now waits for 10 seconds, giving SonarQube enough time to process the results, and then continues with a timeout of 1 minute to prevent indefinite hanging.

Docker Authentication with PAT

Another issue I ran into was with Docker authentication. I kept getting authentication errors when trying to push my Docker image to DockerHub using my regular credentials.

After some googling, I discovered that DockerHub now prefers Personal Access Tokens (PATs) instead of passwords. I generated a PAT with read/write access and used that in my Jenkins credentials instead. Problem solved!

withDockerRegistry(credentialsId: 'docker', toolName: 'docker'){   
    sh "docker build --build-arg TMDB_V3_API_KEY=YOUR_TMDB_API_KEY -t netflix ."
    sh "docker tag netflix harivp1234/netflix:latest"
    sh "docker push harivp1234/netflix:latest"
}

I made sure to use my DockerHub username (harivp1234) in the tags.

Jenkins and Docker Permissions

I hit another snag when Jenkins couldn't interact with the Docker daemon due to permission issues. This was an easy fix:

sudo usermod -aG docker jenkins
sudo systemctl restart jenkins

This added the Jenkins user to the Docker group and gave it the necessary permissions.

Kubernetes Deployment with AKS

Setting up Kubernetes deployment was exciting! I created an AKS cluster using:

az aks create \
  --resource-group netflix-devsecops \
  --name netflix-cluster \
  --node-count 2 \
  --node-vm-size Standard_B2s \
  --generate-ssh-keys

Then, I set up ArgoCD for GitOps-style deployment. My GitHub repo contained the Kubernetes manifests (deployment.yaml, service.yaml, and node-service.yaml) for the Netflix application. ArgoCD continuously synced with my repo, automatically deploying any changes to the Kubernetes manifests.

To access my application, I configured a NodePort service that exposed it on port 30007. I had to make sure this port was open in the Azure Network Security Group:

az vm open-port --resource-group netflix-devsecops --name jenkins-vm --port 30007 --priority 1002

Seeing my application running on Kubernetes at http://node-ip:30007 was really satisfying!

Monitoring Setup

For monitoring, I set up Prometheus and Grafana on a separate VM. This was important to avoid resource contention with my Jenkins server.

I configured Prometheus to collect metrics from:

Node Exporter for system metrics
Jenkins for CI/CD pipeline metrics
My Netflix application

Setting up Grafana dashboards gave me a great visualization of system performance, Jenkins job statistics, and application metrics. It was like having a control center for my entire infrastructure!

Lessons Learned

This project taught me a lot about DevSecOps and cloud infrastructure:

Security integration is crucial - Integrating security checks at multiple stages caught issues early in the development cycle.
Cloud platform differences matter - While the principles remain the same, the implementation details differ between AWS and Azure. Understanding these differences was key to successfully adapting the project.
Troubleshooting is an essential skill - The ability to diagnose and fix issues like the SonarQube timeout and Docker authentication problems was crucial.
Infrastructure as Code simplifies management - Using code to define my infrastructure made it reproducible and easier to manage.
Monitoring provides valuable insights - The Prometheus and Grafana setup gave me visibility into my entire system, making it easier to identify potential issues.

Tips for Anyone Trying This Project

If you're planning to follow this project, here are some tips from my experience:

TMDB API Key Issue: If you're in India and using Jio network, you might face issues getting a TMDB API key. Try switching to a different network if you encounter problems.
Timeout for SonarQube: Always add a timeout and sleep for the SonarQube quality gate stage to prevent pipeline hangs.
Use Docker PAT: Use a Personal Access Token instead of a password for DockerHub authentication.
Separate VM for Monitoring: Deploy Prometheus and Grafana on a separate VM to avoid resource contention.
Check Network Security Group Rules: Make sure to open the necessary ports in Azure's Network Security Group for accessing your services.

Conclusion

This project was a fantastic learning experience. Adapting the AWS-based tutorial to Azure forced me to understand both platforms better and appreciate the flexibility of DevSecOps principles across different environments.

I now have a fully functional Netflix clone with a complete DevSecOps pipeline, deployed on Azure with Kubernetes orchestration and comprehensive monitoring. The skills I've gained from this project are invaluable for my career in cloud and DevOps.

If you're interested in checking out my implementation, you can find it on GitHub: https://github.com/Harivelu0/Netflix.git

Happy cloud computing!