This folder contains the implementation and documentation for Week 3, Day 4 of our DevOps training, introducing GitOps with ArgoCD and emphasizing security best practices. We’ve evolved the SaaS Task Manager project from a Jenkins-driven pipeline to a secure GitOps model, using ArgoCD for declarative deployments on AWS EC2 with Docker. Key enhancements include least-privilege IAM roles, post-deployment ECR updates, AWS Secrets Manager for credentials, and GitOps security principles, aligning with Fortune 100 standards.
- Transition Task Manager deployments to GitOps with ArgoCD, replacing Jenkins
deployEC2. - Secure EC2 access with a least-privilege IAM role for ECR push/pull.
- Update ECR repositories with the latest images post-deployment.
- Manage all secrets (e.g., GitHub token, SSH key) via AWS Secrets Manager.
- Implement multi-environment deployments (dev, staging, prod) with secure GitOps workflows.
week3-day4/
├── README.md # This index file
├── task-manager/ # Task Manager project source (updated)
│ ├── backend/ # Backend app (Node.js API)
│ │ ├── app.js
│ │ ├── package.json
│ │ ├── Dockerfile
│ │ └── .dockerignore
│ ├── frontend/ # Frontend app (Node.js UI)
│ │ ├── app.js
│ │ ├── package.json
│ │ ├── Dockerfile
│ │ └── .dockerignore
│ ├── scripts/ # Setup scripts for EC2 instances
│ │ ├── install_base.sh
│ │ ├── install_nginx.sh
│ │ ├── install_nodejs.sh
│ │ └── config_docker.sh
│ ├── Jenkinsfile # Updated pipeline with GitOps integration
│ ├── README.md # Project-specific README
│ └── .gitignore
├── pipeline-lib/ # Shared library (unchanged from Day 3)
│ ├── vars/
│ │ ├── buildDocker.groovy
│ │ ├── deployEC2.groovy
│ │ ├── scanImage.groovy
│ │ └── logToCloudWatch.groovy
│ ├── README.md
│ └── .gitignore
├── task-manager-gitops/ # New GitOps repo for declarative configs
│ ├── env/
│ │ ├── dev/
│ │ │ ├── backend.yaml
│ │ │ └── frontend.yaml
│ │ ├── staging/
│ │ │ ├── backend.yaml
│ │ │ └── frontend.yaml
│ │ └── prod/
│ │ ├── backend.yaml
│ │ └── frontend.yaml
│ ├── README.md # GitOps repo README
│ └── .gitignore
├── docs/ # Documentation
│ └── gitops-security.md # Notes on GitOps security best practices
└── setup-scripts/ # AWS setup commands
├── argocd-install.sh # ArgoCD EC2 setup
├── sync-ec2.sh # Custom ArgoCD sync script
└── iam-role-update.sh # IAM role update script
- Purpose: Shift to declarative deployments using Git as the source of truth.
- Implementation: ArgoCD syncs
task-manager-gitopsmanifests to EC2s. - Outcome: Automated, consistent deployments with drift detection.
- Least Privilege: Updated
JenkinsSlaveRolefor ECR access only (e.g.,ecr:PutImage). - Secrets Management: GitHub token, SSH key, and ArgoCD creds in AWS Secrets Manager.
- Immutable Artifacts: Post-deploy ECR updates with env-specific tags (e.g.,
prod-202503112359). - GitOps Security: Encrypted Git access, RBAC, and audit trails via Git/ArgoCD logs.
- Auditability: CloudTrail logs IAM/ECR actions, Git tracks manifest changes.
- Jenkinsfile: Builds images, updates
task-manager-gitops, triggers ArgoCD sync. - ECR Integration: Pushes latest images post-deploy with secure IAM perms.
- Secrets: Fetches SSH key from Secrets Manager for Git operations.
- Structure:
env/dev,env/staging,env/prodintask-manager-gitops. - Outcome: Isolated, secure deployments per environment.
- Script:
sync-ec2.shdeploys Docker containers, updates ECR, uses Secrets Manager for Nginx configs. - Outcome: Secure, non-Kubernetes deployment on EC2.
- AWS Account with IAM roles (
JenkinsSlaveRoleupdated). - GitHub repos:
task-manager,pipeline-lib,task-manager-gitops. - EC2 key pair (
<your-key>.pem). - S3 bucket (
<your-bucket>), ECR repos (task-backend,task-frontend), Secrets Manager secrets (github-token,jenkins-ssh-key,argocd-admin).
- IAM Role Update: Run
setup-scripts/iam-role-update.sh. - ArgoCD Setup: Run
setup-scripts/argocd-install.sh. - Secrets: Configure Secrets Manager with GitHub token, SSH key, ArgoCD creds.
- GitOps Repo: Push
task-manager-gitopsto GitHub, enable branch protection. - Pipeline: Update Jenkins with new
Jenkinsfile, buildmainforprod. - Test: Verify at
http://<frontend-ip>/tasks, check ECR tags.
- Theory: GitOps, ArgoCD, and security principles (least privilege, secrets, auditability).
- Practical: Secure Task Manager deployments with ECR updates and Secrets Manager.
- Real-World: Applies to SaaS, finance, retail for secure, automated CI/CD.
- Simulate a security breach (e.g., leaked secret in Git).
- Add automated Trivy scans in ArgoCD sync.
- Prepare for Day 5 (e.g., observability with Prometheus).