DevSecOps - Disney+ Hotstar App in Kubernetes Monitor

The document outlines the development and deployment of a Disney+ Hotstar clone application using a DevSecOps CI/CD pipeline with tools like Jenkins, Kubernetes, and Docker. It details the setup process, including infrastructure configuration on AWS, security measures, and integration of various tools for monitoring and vulnerability scanning. The solution emphasizes automated, secure, and scalable application delivery, embodying best practices in cloud-native architecture.

Disney+ Hotstar Clone App — End-to-End Secure & Scalable Deployment with DevSecOps & Jenkins!


Thrilled to showcase our latest project — a Hotstar Clone Application engineered with a DevSecOps CI/CD pipeline and powered by a Jenkins Parameterized Build to deliver fully automated, secure, and scalable deployments.

Follow me for project links:

YouTube: https://youtu.be/VPJ4gesLXOc
Project GitHub Repo: https://github.com/Aseemakram19/hotstar-kubernetes.git
LinkedIn: Mohammed Aseem Akram
GitHub Account: Aseemakram19

If you found this tutorial helpful, don’t forget to:


Like the video
Comment your thoughts and questions
Subscribe to stay updated on Cloud & DevOps tutorials!

Tech Stack & Key Integrations:

Kubernetes & Docker — for seamless, containerized, and scalable application deployments
Jenkins — to enable reusable, standardized, and consistent CI/CD pipelines
SonarQube, Trivy, OWASP Dependency-Check — ensuring robust security, vulnerability scanning, and code quality automation
Prometheus & Grafana — for comprehensive real-time monitoring and alerting
Gmail email alerts and collaboration-driven notifications
Parameterized environment orchestration — for on-demand infrastructure setup and teardown

Key Highlights & Takeaways:

Security-by-design with integrated DevSecOps practices


Automated, reusable pipelines ensuring consistency and efficiency
Production-grade scalability leveraging Kubernetes
Rapid deployment lifecycle driven by modern CI/CD automation
This solution represents a blueprint for secure, scalable, and production-ready application delivery,
embodying best practices in DevSecOps, automation, and cloud-native architecture.

GitHub repo: https://github.com/Aseemakram19/hotstar-kubernetes.git

Now, let's get started and dig deeper into each of these steps:

I. Configure Infrastructure in AWS Cloud

1. Launch an EC2 Instance: Ubuntu 22.04, t3.xlarge
• Go to the AWS Management Console → EC2 → Instances.
• Click Launch Instance.
• Set the following configurations:
o Name: <Your_Instance_Name>
o AMI (Amazon Machine Image): Ubuntu Server 22.04 LTS (HVM), SSD Volume Type
o Instance Type: t3.xlarge (4 vCPUs, 16 GB RAM)
o Key Pair: Select an existing key pair or create a new one.
o Storage: Default (e.g., 30 GB gp3 SSD; adjust as needed).
2. Configure Security Group
Create or modify a security group to allow the following ports:

| Port | Protocol | Description |
|------|----------|-------------|
| 22 | TCP | SSH (for remote access) |
| 80 | TCP | HTTP (web traffic) |
| 443 | TCP | HTTPS (secure web traffic) |
| 8080 | TCP | Web applications (Jenkins, Tomcat, etc.) |
| 587 | TCP | SMTP (email sending) |
| 465 | TCP | SMTP over SSL |
| 3000 | TCP | Web apps (Grafana, Node.js, etc.) |
| 9000 | TCP | SonarQube / web apps |

• Set the Source to Anywhere (0.0.0.0/0, ::/0) unless you want to restrict access; for the administrative ports (22, 8080, 9000, 3000) restricting the source to your own IP range is the safer choice.
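As an added check (not part of the tutorial), the script below audits a security group's ingress rules for administrative ports left open to the world; the rule dicts are constructed in the shape of `aws ec2 describe-security-groups` output, using the ports listed above.

```python
"""Audit EC2 security-group ingress rules for world-open admin ports.

Added example, not from the tutorial. The rules below are constructed
stand-ins for the IpPermissions array that
`aws ec2 describe-security-groups` returns for the group built above.
"""
import ipaddress

# Admin interfaces the tutorial exposes: SSH, Jenkins (8080),
# SonarQube (9000) and Grafana (3000).
ADMIN_PORTS = {22: "SSH", 8080: "Jenkins", 9000: "SonarQube", 3000: "Grafana"}


def is_world_open(rule):
    """True if any IPv4/IPv6 range in the rule is 0.0.0.0/0 or ::/0."""
    for r in rule.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0:
            return True
    for r in rule.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"]).prefixlen == 0:
            return True
    return False


def audit(ip_permissions):
    """Return (port, service) for each admin port reachable from anywhere."""
    findings = []
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # "-1" means all protocols and all ports (no FromPort/ToPort).
        lo, hi = (0, 65535) if proto == "-1" else (rule["FromPort"], rule["ToPort"])
        if not is_world_open(rule):
            continue
        for port, service in sorted(ADMIN_PORTS.items()):
            if lo <= port <= hi:
                findings.append((port, service))
    return findings


def rule(port, *cidrs):
    """Build one TCP ingress rule (constructed, describe-security-groups shape)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c]}


# Constructed sample: every port from the table opened to Anywhere.
OPEN_TO_ANYWHERE = [rule(p, "0.0.0.0/0", "::/0")
                    for p in (22, 80, 443, 8080, 587, 465, 3000, 9000)]
# Constructed sample: public ports stay open, admin ports limited to one range.
RESTRICTED = ([rule(p, "0.0.0.0/0", "::/0") for p in (80, 443, 587, 465)]
              + [rule(p, "203.0.113.0/24") for p in (22, 8080, 9000, 3000)])

if __name__ == "__main__":
    for name, perms in (("anywhere", OPEN_TO_ANYWHERE), ("restricted", RESTRICTED)):
        print(name, audit(perms))
```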

3. Launch & Connect with the MobaXterm App

• Click Launch Instance.
• Once the instance is running, connect to it over SSH (port 22) with your key pair.

• Install Jenkins, Docker, awscli, Terraform, kubectl, eksctl and Trivy.

Clone the GitHub project repository: https://github.com/Aseemakram19/hotstar-kubernetes.git

cd hotstar-kubernetes/scripts/

• Install the tools on the VM via the scripts. Add executable permission to the shell scripts, then run them to install the tools:
chmod +x *.sh

• Access Jenkins in your browser:

http://<PUBLIC_IP>:8080

• Unlock Jenkins using the administrative password and install the suggested plugins. Retrieve the initial admin password:

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

• Create a user, then click Save and Continue.
• Jenkins Getting Started screen.
• Follow the setup wizard and install the recommended plugins.

Install plugins such as JDK, SonarQube Scanner, NodeJS and OWASP Dependency-Check.
Go to Manage Jenkins → Plugins → Available Plugins and install the plugins below:
1. Eclipse Temurin Installer (install without restart)
2. SonarQube Scanner (install without restart)
3. NodeJS Plugin (install without restart) – 16.20.2
4. OWASP Dependency-Check Plugin
5. Stage View
6. JDK
Docker plugins:
7. Docker
8. Docker Commons
9. Docker Pipeline
10. Docker API
11. docker-build-step
• Setup SonarQube Server
We create a SonarQube container:
docker run -d --name sonar -p 9000:9000 sonarqube:lts-community

Now our SonarQube is up and running.

Enter the username and password, click on Login and change the password:

username: admin
password: admin
Update the new password. This is the Sonar dashboard.
Create a Sonar token in order to connect with Jenkins:
Click on Administration → Security → Users → click on Tokens and Update Token → give it a name → click on Generate Token.

Create a token with a name and generate it.

Now, go to Dashboard → Manage Jenkins → System and add the SonarQube server as in the image below.

Add Credentials → Add Secret Text (the generated Sonar token). It should look like this.

You will see this page once you click on Create.

The Configure System option is used in Jenkins to configure different servers.

Global Tool Configuration is used to configure the different tools that we install using plugins.
We will install a Sonar scanner in the tools:
Manage Jenkins → Tools → SonarQube Scanner
In the SonarQube dashboard also add a quality gate webhook so that gate results are reported back to Jenkins:
Administration → Configuration → Webhooks

• webhook - http://34.228.235.18:8080/sonarqube-webhook/

Setup Jenkins GitHub token in order to connect with the private repository

Generate Classic GitHub Token

Go to GitHub → Settings → Developer Settings → Personal Access Tokens.
Click Generate new token (classic).
Set Expiration (or No Expiration if required).
Set Scopes:
o repo → Full control of private repositories.
o admin:repo_hook → Manage repository webhooks.
o workflow → Required for GitHub Actions (optional).
Click Generate token and copy the token.

Configure Jenkins with GitHub Token

Add Credentials in Jenkins
1. Go to Jenkins Dashboard → Manage Jenkins → Manage Credentials.
2. Click Global Credentials (Unrestricted) → Add Credentials.
3. Select:
o Kind: Username and password
o Username: Your GitHub username
o Password: Paste your GitHub Token
o ID: github-token
o Description: GitHub Classic Token
4. Click Save.
Create Job for Hotstar
Let's add a pipeline to test the Git checkout stage against the private repository.

Apply and Save, and click on Build.

Add Docker credentials (Username and password for your Docker registry; the project pipeline references them by the ID docker).


Create a Gmail SMTP App Password
An App Password is a 16-character password that allows third-party applications (like
Jenkins) to send emails using Gmail SMTP securely.

Step 1: Enable 2-Step Verification


Before generating an App Password, you must enable 2-Step Verification in your Google
Account.
1. Go to Google Account Security:
Google My Account
2. Scroll to "Signing in to Google".
3. Click "2-Step Verification" → Click "Get Started".
4. Follow the steps to set up 2-Step Verification (via SMS or Authenticator App).

Step 2: Generate an App Password


1. Go to App Passwords Page:
Google App Passwords
2. Sign in with your Google Account.
3. Under "Select app", choose "Mail".
4. Under "Select device", choose "Other (Custom Name)" and enter "Jenkins SMTP".
5. Click "Generate".
6. Copy the 16-character App Password (e.g., abcd efgh ijkl mnop).
7. Add the credentials as Username and password in Jenkins.

Step 3: Configure Gmail SMTP in Jenkins


1. Go to Jenkins Dashboard → Manage Jenkins → Configure System.
2. Scroll to "E-mail Notification".
3. Set the following:
o SMTP Server: smtp.gmail.com
o Use SMTP Authentication: Checked
o User Name: Your Gmail ID ([email protected])
o Password: Paste the App Password
o SMTP Port: 587
o Use TLS: Checked
4. Click Save.

Email Extension Plugin



1. Basic Email Notification


SMTP Server: smtp.gmail.com
Email Suffix: @gmail.com (default user email domain)
SMTP Authentication: Enabled
Username: Your Gmail address
Password: Your Gmail password or App Password (for 2-factor authentication)
Use TLS: Checked
SMTP Port: 587
Reply-To Address: Your email address
Charset: UTF-8

2. Extended Email Notification

SMTP Server: smtp.gmail.com
SMTP Port: 465 (SSL/TLS)
Use SSL: Checked
Credentials: Select from the
And last

Register for NVD API for Dependency Check


The National Vulnerability Database (NVD) API provides access to security vulnerabilities (CVEs) and
is often used with tools like OWASP Dependency-Check to identify security risks in software
dependencies.

Step 1: Create an NVD API Key


1. Go to the NVD API Registration Page:
o Open: NVD API Registration
2. Sign In or Create an Account:
o Click Sign In (or create an account if you don’t have one).
3. Request an API Key:
o Provide your details and agree to the terms.
o Click Submit.
4. Receive API Key via Email:
o Once approved, you'll receive an API key.

Let's add the pipeline for the project:


pipeline {
    agent any
    tools {
        jdk 'jdk'
        nodejs 'node'
    }
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
    }
    stages {
        stage('clean workspace') {
            steps {
                cleanWs()
            }
        }
        stage('Checkout from Git') {
            steps {
                git branch: 'main', credentialsId: 'github-token', url: 'https://github.com/Aseemakram19/hotstar-kubernetes.git'
            }
        }
        stage("Sonarqube Analysis") {
            steps {
                withSonarQubeEnv('SonarQube') {
                    sh ''' $SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=Hotstar \
                        -Dsonar.projectKey=Hotstar '''
                }
            }
        }
        stage("quality gate") {
            steps {
                script {
                    // abortPipeline: false lets the build continue even when the gate fails
                    waitForQualityGate abortPipeline: false, credentialsId: 'Sonar-token'
                }
            }
        }
        stage('Install Dependencies') {
            steps {
                sh "npm install"
            }
        }
        stage('OWASP FS SCAN') {
            steps {
                // The NVD API key is passed inline here as in the tutorial; a Jenkins
                // secret-text credential would keep it out of the job definition.
                dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit --nvdApiKey d7e8c629-7da9-4f96-8a4a-a45fd3f213ba', odcInstallation: 'DC'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage('TRIVY FS SCAN') {
            steps {
                // Filesystem scan; the report is attached to the notification email below
                sh "trivy fs . > trivyfs.txt"
            }
        }
        stage("Docker Build & Push") {
            steps {
                script {
                    withDockerRegistry(credentialsId: 'docker', toolName: 'docker') {
                        sh "docker build -t hotstar ."
                        sh "docker tag hotstar aseemakram19/hotstar:latest"
                        sh "docker push aseemakram19/hotstar:latest"
                    }
                }
            }
        }
        stage("TRIVY") {
            steps {
                // Scan the pushed image
                sh "trivy image aseemakram19/hotstar:latest > trivyimage.txt"
            }
        }
        stage('Deploy to container') {
            steps {
                sh 'docker run -d --name hotstar -p 3000:3000 aseemakram19/hotstar:latest'
            }
        }
    }
    post {
        always {
            script {
                def buildStatus = currentBuild.currentResult
                def buildUser = currentBuild.getBuildCauses('hudson.model.Cause$UserIdCause')[0]?.userId ?: 'Github User'

                emailext (
                    subject: "Pipeline ${buildStatus}: ${env.JOB_NAME} #${env.BUILD_NUMBER}",
                    body: """
                        <p>This is a Jenkins HOTSTAR CICD pipeline status.</p>
                        <p>Project: ${env.JOB_NAME}</p>
                        <p>Build Number: ${env.BUILD_NUMBER}</p>
                        <p>Build Status: ${buildStatus}</p>
                        <p>Started by: ${buildUser}</p>
                        <p>Build URL: <a href="${env.BUILD_URL}">${env.BUILD_URL}</a></p>
                    """,
                    to: '[email protected]',
                    from: '[email protected]',
                    replyTo: '[email protected]',
                    mimeType: 'text/html',
                    attachmentsPattern: 'trivyfs.txt,trivyimage.txt'
                )
            }
        }
    }
}

Apply and Save, and click on Build.

Stage view
You can see the report has been generated and the status shows as passed. You can see that it scanned 943 lines. To see a detailed report, you can go to Issues.
You will see that under Status a graph is also generated, along with Vulnerabilities.

http://<public-ip>:3000
Our application is live with this output.
Email alert from the post-build step.

Open the attached Trivy files to view the vulnerabilities.
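The pipeline only writes the Trivy output to text files and emails them, so a CRITICAL finding never fails the build. As an added example (not part of the tutorial), the script below reads Trivy's JSON report (`trivy image --format json -o trivyimage.json <image>`), summarises it by severity and returns a gate decision; SAMPLE_REPORT is a constructed stand-in for that file with placeholder CVE ids.

```python
"""Gate a Jenkins build on Trivy findings instead of only attaching them.

Added example, not from the tutorial. Reads Trivy's JSON report format
(only the fields used here) and decides whether the build may continue.
"""
import json

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in Trivy's JSON report shape; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "aseemakram19/hotstar:latest",
    "Results": [
        {"Target": "aseemakram19/hotstar:latest (debian 12)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "Severity": "HIGH", "FixedVersion": "1.2.3"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "Severity": "LOW"}]},
        {"Target": "Node.js",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-pkg",
              "Severity": "CRITICAL", "FixedVersion": "2.0.0"}]},
        {"Target": "usr/share/doc", "Vulnerabilities": None},  # clean target
    ],
})


def count_by_severity(report_json):
    """Count vulnerabilities per severity across every scanned target."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null, not [], when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def fixable(report_json, min_severity):
    """(id, package, fixed version) for findings at/above min_severity with a fix."""
    threshold = SEVERITY_ORDER.index(min_severity)
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= threshold \
                    and v.get("FixedVersion"):
                out.append((v["VulnerabilityID"], v["PkgName"], v["FixedVersion"]))
    return out


def gate_passes(report_json, min_severity="CRITICAL"):
    """False if any finding is at or above min_severity."""
    threshold = SEVERITY_ORDER.index(min_severity)
    counts = count_by_severity(report_json)
    return all(counts.get(s, 0) == 0 for s in SEVERITY_ORDER[threshold:])


if __name__ == "__main__":
    import sys
    print(count_by_severity(SAMPLE_REPORT))
    print("fixable at HIGH+:", fixable(SAMPLE_REPORT, "HIGH"))
    sys.exit(0 if gate_passes(SAMPLE_REPORT, "HIGH") else 1)  # non-zero fails the sh step
```

Trivy can also enforce this itself with `trivy image --exit-code 1 --severity HIGH,CRITICAL <image>`; parsing the JSON is useful when the report must still be kept and summarised in the email.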

Let's fix the Dependency-Check stage now.

Fix the `--nvdApiKey` syntax error; use the API to

Rerun the pipeline with the above fix.

The pipeline is successful.
EKS cluster steps on AWS
How to create an EKS cluster using AWS Console | Create node group | Configure Kubernetes cluster

# Step - 1 : Create EKS Management Host in AWS #

Prerequisites are done already:

1. AWS Account: Make sure you have an AWS account and configure one EC2 instance.
2. kubectl: Install kubectl.
3. AWS CLI: Install and configure the AWS CLI.
4. eksctl: Install eksctl.

# Step - 2 : Create User & add policies as below #

Create a USER with an IAM role & attach it to the EKS Management Host.

Create user: bingouser

1) Create a new role using the IAM service (select use case: EC2).

2) Add the below permissions to the role:
- IAM - FullAccess
- VPC - FullAccess
- EC2 - FullAccess
- CloudFormation - FullAccess
- AdministratorAccess
(AdministratorAccess alone already covers the others and is far broader than eksctl needs; scope it down once the cluster exists.)

3) Create credentials to connect with your AWS account:

AWS_ACCESS_KEY_ID

AWS_SECRET_ACCESS_KEY

Run aws configure on the VM and enter them.

# Step - 3 : Create EKS Cluster using eksctl #

**Syntax:**

eksctl create cluster --name cluster-name \
  --region region-name \
  --node-type instance-type \
  --nodes-min 2 \
  --nodes-max 2 \
  --zones <AZ-1>,<AZ-2>

Option 1 for Asian Region ## Mumbai:

eksctl create cluster --name cloudaseem-cluster4 --region ap-south-1 --node-type t2.medium --zones ap-south-1a,ap-south-1b

Option 2 for US ## N. Virginia:

eksctl create cluster --name cloudaseem-cluster4 --region us-east-1 --node-type t2.medium --zones us-east-1a,us-east-1b

## Note: Cluster creation will take 5 to 10 minutes (we have to wait). After the cluster is created we can check the nodes.

Go to the project directory:
cd hotstar-kubernetes/K8S/

The manifest.yml file already exists there. Update it with your Docker image name and apply it.

manifest.yml file:
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hotstar-deployment
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: hotstar
  template:
    metadata:
      labels:
        app: hotstar
    spec:
      containers:
        - name: hotstar-container
          image: aseemakram19/hotstar
          ports:
            - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: hotstar-service
spec:
  type: LoadBalancer
  selector:
    app: hotstar
  ports:
    - port: 80
      targetPort: 3000

and execute these commands:

kubectl apply -f manifest.yml

kubectl get all

Test Kubernetes Auto-Healing

Kubernetes has a built-in self-healing mechanism that automatically replaces failed or deleted pods when they are managed by a Deployment, ReplicaSet, or StatefulSet.

kubectl delete pod <pod-name>

Look for a new pod with a different name but managed by the same Deployment/ReplicaSet.

The application is accessible through the LoadBalancer.

You have successfully deployed Hotstar on Kubernetes with a LoadBalancer and auto-healing enabled.

Add a load balancer in Cloudflare to apply a domain and SSL so the client can access the app through a CNAME entry.

Configure CNAME for Client Access

1. Go to Cloudflare DNS Settings.
2. Add a CNAME Record:
o Name: app.example.com
o Target: Load Balancer domain (e.g., lb.example.com)
o Proxy Status: Proxied (Orange Cloud) for Cloudflare SSL.
3. Save and Test.
You have successfully deployed Hotstar on Kubernetes with a LoadBalancer enabled and an SSL certificate.

Monitoring Server Setup with Jenkins + Terraform

Add the AWS access key and secret key as secrets in Jenkins credentials (IDs AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, as referenced by the script).

I want to do this with build parameters, to apply and destroy while building only. You have to add this inside the job like the image below.
Note: Create a key pair to access the monitoring server.
Add the script:
pipeline {
    agent any

    environment {
        // credentials() binds the Jenkins secrets; Jenkins masks them in the console log
        AWS_ACCESS_KEY_ID = credentials('AWS_ACCESS_KEY_ID')
        AWS_SECRET_ACCESS_KEY = credentials('AWS_SECRET_ACCESS_KEY')
    }

    parameters {
        string(name: 'action', defaultValue: 'apply', description: 'Terraform action: apply or destroy')
    }

    stages {
        stage('Checkout from Git') {
            steps {
                git branch: 'main', credentialsId: 'github-token', url: 'https://github.com/Aseemakram19/hotstar-kubernetes.git'
            }
        }

        stage('Terraform version') {
            steps {
                sh 'terraform --version'
            }
        }

        stage('Terraform init') {
            steps {
                dir('Terraform') {
                    sh '''
                        terraform init \
                            -backend-config="access_key=$AWS_ACCESS_KEY_ID" \
                            -backend-config="secret_key=$AWS_SECRET_ACCESS_KEY"
                    '''
                }
            }
        }

        stage('Terraform validate') {
            steps {
                dir('Terraform') {
                    sh 'terraform validate'
                }
            }
        }

        stage('Terraform plan') {
            steps {
                dir('Terraform') {
                    sh '''
                        terraform plan \
                            -var="access_key=$AWS_ACCESS_KEY_ID" \
                            -var="secret_key=$AWS_SECRET_ACCESS_KEY"
                    '''
                }
            }
        }

        stage('Terraform apply/destroy') {
            steps {
                dir('Terraform') {
                    // $action is the build parameter (apply or destroy), read by the shell
                    sh '''
                        terraform ${action} --auto-approve \
                            -var="access_key=$AWS_ACCESS_KEY_ID" \
                            -var="secret_key=$AWS_SECRET_ACCESS_KEY"
                    '''
                }
            }
        }
    }

    post {
        success {
            echo 'Terraform execution completed successfully!'
        }
        failure {
            echo 'Terraform execution failed! Check the logs.'
        }
    }
}
Verify the monitoring server.

Installing Grafana and Prometheus for Monitoring

Grafana and Prometheus are commonly used for monitoring Kubernetes clusters, EC2 instances, and other infrastructure components. Follow these steps to install them on an Ubuntu server.

1. Grafana installation
Access the server, create grafana.sh, add execute permission, and execute it:
#!/bin/bash
# Script to install Grafana on a Linux instance

# Update package list and install dependencies
sudo apt-get update -y
sudo apt-get install -y apt-transport-https software-properties-common wget

# Create a directory for Grafana's GPG key
sudo mkdir -p /etc/apt/keyrings/

# Add Grafana's GPG key (apt verifies the repository against it via signed-by below)
wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null

# Add Grafana's repository to the sources list
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list

# Update package lists
sudo apt-get update -y

# Install the latest OSS release of Grafana
sudo apt-get install grafana -y

# Start and enable Grafana service
sudo systemctl start grafana-server
sudo systemctl enable grafana-server

Open the ports in the security group.

After installation, you can access Grafana at:

http://your-server-ip:3000 (default user: admin, password: admin)

2. Install Prometheus

Install the Blackbox Exporter.

Step 1: Edit prometheus.yml

Open the Prometheus configuration file.

Add the following scrape jobs at the end of the file, under scrape_configs:

  - job_name: 'blackbox'
    metrics_path: /probe
    params:
      module: [http_2xx]  # Look for an HTTP 200 response.
    static_configs:
      - targets:
          - http://prometheus.io  # Target to probe with HTTP.
          - http://IP:3000        # The Hotstar app; replace IP with your server's address.
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 13.232.214.2:9115  # The blackbox exporter's real hostname.

  - job_name: node_exporter
    static_configs:
      - targets:
          - 'IP:9100'
Save the file (CTRL + X, then Y, and Enter).
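The three relabel rules in the blackbox job are what make Prometheus scrape the exporter instead of the target itself. As an added example (not part of the tutorial), the script below applies those rules, in order and with Prometheus's defaults for the `replace` action, to one static target from the snippet and builds the URL the scrape actually hits; it uses only the values from the snippet above.

```python
"""Trace the blackbox exporter relabel_configs from the prometheus.yml snippet.

Added example, not from the tutorial. Implements only the `replace`
relabel action with its defaults (regex (.*), replacement $1, separator ;)
which is all the snippet uses.
"""
from urllib.parse import urlencode

EXPORTER = "13.232.214.2:9115"  # the snippet's replacement value
RELABEL_CONFIGS = [
    {"source_labels": ["__address__"], "target_label": "__param_target"},
    {"source_labels": ["__param_target"], "target_label": "instance"},
    {"target_label": "__address__", "replacement": EXPORTER},
]


def relabel(labels, configs):
    """Apply `replace` rules in order and return the resulting label set."""
    labels = dict(labels)
    for cfg in configs:
        # Joined source value; empty when the rule lists no source_labels.
        value = ";".join(labels.get(s, "") for s in cfg.get("source_labels", []))
        # Default regex (.*) always matches, so $1 is the whole joined value.
        replacement = cfg.get("replacement", "$1").replace("$1", value)
        labels[cfg["target_label"]] = replacement
    return labels


def scrape_url(labels, metrics_path="/probe", scheme="http"):
    """URL Prometheus requests: __param_<name> labels become query parameters."""
    params = {k[len("__param_"):]: v for k, v in labels.items()
              if k.startswith("__param_")}
    return f"{scheme}://{labels['__address__']}{metrics_path}?{urlencode(params)}"


def probe_plan(target):
    """(instance label, exporter URL) for one static target of the blackbox job."""
    # Before relabeling, __address__ is the static target and the job's
    # `params: module: [http_2xx]` appears as the __param_module label.
    labels = {"__address__": target, "__param_module": "http_2xx", "job": "blackbox"}
    final = relabel(labels, RELABEL_CONFIGS)
    return final["instance"], scrape_url(final)


if __name__ == "__main__":
    for t in ("http://prometheus.io", "http://IP:3000"):
        print(probe_plan(t))
```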

Step 2: Restart Prometheus to Apply Changes

Find the running process with pgrep prometheus and kill that PID, then restart it:

./prometheus &

Step 3: Connect Prometheus to Grafana


1. Login to Grafana (http://<your-server-ip>:3000).
2. Go to Configuration → Data Sources → Add Data Source.
3. Select Prometheus.
4. Set Prometheus URL: http://localhost:9090.
5. Click Save & Test.

Add a dashboard:
Go to Dashboards → Import.
Enter Dashboard ID: 13659 (Prometheus Blackbox Exporter).
Click Load.
Select Prometheus as the Data Source.
Click Import.
## Step - 4 : Clean up ##
1. Delete the monitoring server with the Jenkins pipeline, with action set to destroy.

2. Delete the cluster and the other resources we have used in AWS Cloud to avoid billing:

eksctl delete cluster --name cloudaseem-cluster4 --region ap-south-1


Congratulations! You have successfully deployed Hotstar on Kubernetes with:
Load Balancer Enabled
SSL Certificates Configured
Monitoring Setup Complete
If you found this tutorial helpful, don’t forget to:
Like the video
Comment your thoughts and questions
Subscribe to stay updated on Cloud & DevOps tutorials!
Follow me for more updates on Cloud & DevOps:
YouTube: Cloud DevOps with Aseem - https://www.youtube.com/@clouddevopswithaseem
LinkedIn: Mohammed Aseem Akram - www.linkedin.com/in/mohammed-aseem-akram
GitHub: Aseemakram19
Stay tuned for more DevOps insights!
#Cloud #DevOps #Technology #Kubernetes
