# GitOps-driven deployment with Kubernetes, ArgoCD, and Security Scanning

Automated infrastructure deployment using:
- GitOps (ArgoCD syncs Kubernetes manifests from Git)
- Security Scanning (Trivy in CI/CD to block vulnerable images)
- Monitoring (Prometheus + Grafana)

## Prerequisites

- Minikube (or any Kubernetes cluster)

  ```bash
  minikube start --driver=virtualbox
  ```

- kubectl & Helm
- GitHub/GitLab Account (for GitOps repo)

## Installation

```bash
git clone https://github.com/Bchkh/gitops-project.git
cd gitops-project
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
kubectl apply -f argocd/apps/ -n argocd
```

## Security Scanning

Trivy scans container images on every git push and blocks deployments if critical vulnerabilities are found.
- Pass: Deployment proceeds if no critical issues.
- Fail: Workflow blocks and logs vulnerabilities (e.g., CVE-2024-45491).
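The pass/fail gate above, as an added example that is not the project's own CI code: it reads a report produced by `trivy image --format json -o report.json <image>`, blocks on CRITICAL findings, and optionally applies the same rule as `--ignore-unfixed` (skip findings with no `FixedVersion`). The package names and versions in the embedded sample are constructed.

```python
import json
import sys

# Severities that block the deployment (the README's "critical issues" rule).
BLOCKING_SEVERITIES = {"CRITICAL"}

def blocking_findings(report: dict, ignore_unfixed: bool = False) -> list:
    """Return the findings that must block deployment (Trivy JSON layout)."""
    blocking = []
    for result in report.get("Results", []):
        # "Vulnerabilities" is absent or null for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in BLOCKING_SEVERITIES:
                continue
            # Mirrors --ignore-unfixed: nothing to upgrade to yet, so do not block.
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            blocking.append({"target": result.get("Target"), "id": vuln.get("VulnerabilityID"),
                             "pkg": vuln.get("PkgName"), "installed": vuln.get("InstalledVersion"),
                             "fixed": vuln.get("FixedVersion")})
    return blocking

def gate(report: dict, ignore_unfixed: bool = False) -> bool:
    """True: deployment proceeds. False: block, after logging each finding."""
    findings = blocking_findings(report, ignore_unfixed)
    for f in findings:
        print(f"BLOCK {f['id']} in {f['pkg']} {f['installed']} "
              f"(fixed: {f['fixed'] or 'none'}) target={f['target']}")
    return not findings

# Constructed report in Trivy's JSON layout. The first CVE id is the one the README
# cites; package names and versions are made up for the example.
SAMPLE_REPORT = {"Results": [{
    "Target": "nginx:1.25.4-alpine (alpine 3.19.1)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-45491", "PkgName": "libexpat", "Severity": "CRITICAL",
         "InstalledVersion": "2.6.2-r0", "FixedVersion": "2.6.3-r0"},
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "pkg-a", "Severity": "CRITICAL",
         "InstalledVersion": "1.0-r0", "FixedVersion": ""},        # no fix available
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "pkg-b", "Severity": "MEDIUM",
         "InstalledVersion": "2.0-r0", "FixedVersion": "2.1-r0"},  # below threshold
    ]}]}

if __name__ == "__main__":  # usage: python gate.py [report.json] [--ignore-unfixed]
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    report = json.load(open(paths[0])) if paths else SAMPLE_REPORT
    sys.exit(0 if gate(report, "--ignore-unfixed" in sys.argv) else 1)
```

A non-zero exit status is what makes the CI step fail; `--ignore-unfixed` drops only the finding without a fix, so the sample still blocks on CVE-2024-45491.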

## Deployment Workflow

- Edit manifests in `apps/` (e.g., change `replicas` in `deployment.yaml`).
- Push to Git → ArgoCD auto-syncs changes to Kubernetes.

## Accessing the UIs

- ArgoCD:

  ```bash
  kubectl port-forward svc/argocd-server -n argocd 8080:443  # Access ArgoCD UI
  ```

- Prometheus:

  ```bash
  kubectl port-forward svc/prometheus-server -n monitoring 9090:80
  ```

- Grafana:

  ```bash
  kubectl port-forward svc/grafana -n monitoring 3000:80
  ```

- Default credentials: `admin/admin`

## Security Hardening

- Pinned Image Tags: `nginx:1.25.4-alpine` (not `latest`)
- Network Policies: Default-deny all pod traffic.

## Troubleshooting

| Issue | Solution |
|---|---|
| Trivy fails with CVEs | Upgrade base images or suppress false positives with `--ignore-unfixed` |
| ArgoCD out of sync | Check `argocd app get <app-name>` for errors |
| No metrics in Prometheus | Verify ServiceMonitor labels match Prometheus config |

## License

MIT © Bouchra EL KHARRAZ

---
### **Key Features Highlighted**
1. **Trivy Scanning**: Clear explanation of CI/CD blocking logic.
2. **GitOps Workflow**: Simple push-to-deploy model.
3. **Security Focus**: Pinned images, network policies, RBAC.
4. **Troubleshooting Table**: Quick fixes for common issues.