This project is part of the ISEC6000 Secure DevOps assignment focused on building a microservice-based e-commerce application using DevOps practices. The application used is Saleor, an open-source Python-based platform that represents a real-world e-commerce solution. It incorporates best practices in infrastructure setup, microservices architecture, containerization, and security measures. This repository serves as a step-by-step guide for building, deploying, and securing the application in a cloud-based environment.
The primary objective of this project is to automate the deployment of Saleor, leveraging Kubernetes, Docker, and cloud-based infrastructure on Google Kubernetes Engine (GKE). The project follows DevOps principles to streamline the deployment and secure the infrastructure. The implementation includes configuring Kubernetes clusters, deploying microservices, and applying security measures like non-root containers and vulnerability scanning using Trivy.
- Infrastructure Setup: A Kubernetes cluster is deployed on Google Kubernetes Engine (GKE), and resources are configured using `kubectl` and Docker.
- Microservices Architecture: The Saleor platform is decomposed into microservices for the API, dashboard, worker, and other components.
- Containerization: Docker is used to containerize the microservices, with Docker Compose orchestrating multi-container services.
- Security: Implementations include running containers as non-root users, using secure base images, and performing vulnerability scanning using Trivy.
- Automation: CI/CD pipeline automation using GitHub Actions and Docker-based deployment into Kubernetes.
- Docker 1.25+ installed
- Kubernetes (kubectl) installed
- Google Cloud account for GKE
- GitHub account for repository management
- Log into Google Cloud Platform.
- Create a new project and navigate to the Kubernetes Engine.
- Set up a Kubernetes cluster using the following commands in Cloud Shell:

```bash
gcloud init
gcloud config set project [PROJECT_ID]
gcloud container clusters create saleor-cluster
```

- Configure `kubectl` to manage the cluster.
Fork the repository and clone it into your local environment using:
```bash
git clone https://github.com/arbinijam/ISEC6000-SecureDevOps.git
cd ISEC6000-SecureDevOps
```
Run the following commands to deploy the application using Docker Compose:
```bash
docker-compose up -d
```
Once the application is running, you can access the Saleor dashboard via http://localhost:9002/ and the API at http://localhost:8000/.
The following security measures are implemented:
- Running all Docker containers as non-root users.
- Setting resource limits for containers.
- Using secure, minimal base images for all services.
- Performing vulnerability scans using Trivy.
To scan a container image with Trivy, run the following command:

```bash
trivy image [image_name]
```
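A bare `trivy image` prints its findings but, unless `--exit-code` is set, exits 0 even when it finds vulnerabilities, so on its own it cannot stop a pipeline. The script below is an added example written for this page, not code from the ISEC6000 repository or from Trivy itself: it reads the JSON report Trivy writes with `--format json --output trivy.json`, and returns a non-zero verdict when HIGH or CRITICAL findings are present, optionally skipping findings that have no fixed version yet (the same idea as Trivy's `--ignore-unfixed`). The embedded report is constructed for the example; its vulnerability IDs, package names and image name are placeholders, not real advisories.

```python
"""Gate a CI job on a Trivy JSON report.

Added example for this page, not the repository's or Trivy's own code.
Typical use:
    trivy image --format json --output trivy.json saleor-api:test
    python trivy_gate.py trivy.json

SAMPLE_REPORT below is CONSTRUCTED in Trivy's JSON layout
(Results -> Vulnerabilities); the IDs are placeholders, not real CVEs.
"""
import json
import sys

# Severities that block a deploy; LOW/MEDIUM are reported elsewhere, not here.
BLOCKING = {"HIGH", "CRITICAL"}

SAMPLE_REPORT = {
    "ArtifactName": "saleor-api:test",
    "Results": [
        {
            "Target": "saleor-api:test (debian 12.1)",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libnoise",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0",
                 "Severity": "LOW"},
            ],
        },
        # Trivy omits or nulls "Vulnerabilities" for a clean target.
        {"Target": "Python", "Vulnerabilities": None},
    ],
}


def blocking_findings(report, ignore_unfixed=False):
    """Return (id, package, severity, fixed_version) tuples that fail the build.

    ignore_unfixed skips findings with no FixedVersion: rebuilding the image
    cannot remove them, so they are tracked rather than used to block.
    """
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in BLOCKING:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            out.append((v["VulnerabilityID"], v["PkgName"],
                        v["Severity"], v.get("FixedVersion", "")))
    return out


def gate(report, ignore_unfixed=False):
    """Exit-code style verdict: 0 = may deploy, 1 = blocked."""
    findings = blocking_findings(report, ignore_unfixed)
    for vid, pkg, sev, fix in findings:
        remedy = f"upgrade to {fix}" if fix else "no fix available yet"
        print(f"{sev:8} {vid:14} {pkg}: {remedy}")
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    sys.exit(gate(report))
```

Run it as the step after `trivy image` in the GitHub Actions job; a non-zero exit fails the job before the image is pushed. Whether to pass `ignore_unfixed=True` is a policy choice: it keeps the pipeline from being permanently red on distro packages with no patch, at the cost of needing a separate list of accepted unfixed findings.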
To deploy the microservices in a Kubernetes environment, follow these steps:
- Push your Docker images to a container registry (such as Docker Hub or Google Container Registry).
- Apply Kubernetes manifests to deploy the application on the GKE cluster:

```bash
kubectl apply -f kubernetes/
```

- Monitor the deployment with the following commands:

```bash
kubectl get pods
kubectl get services
```

- Expose the necessary services using `kubectl expose`. The bare command below is incomplete on its own: it must be given the Deployment to expose, the port, and the Service type, and it should only be used for components that need to be reachable from outside the cluster (the API and dashboard); internal components such as the worker should not get an external Service.

```bash
kubectl expose
```
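`kubectl apply -f kubernetes/` will deploy a Pod that runs as root with no limits just as readily as a hardened one, so the non-root and resource-limit measures listed above have to be present in the manifests and are worth checking before apply. The script below is an added example for this page, not the repository's own manifests or tooling: it walks a Deployment's Pod spec and reports any container that is not forced non-root, can escalate privileges, keeps Linux capabilities, has a writable root filesystem, lacks CPU or memory limits, or uses an untagged or `:latest` image. The WEAK and HARDENED Deployments are constructed for the example; the image name, user ID and resource figures are placeholders, not Saleor's real values (only the API port 8000 is taken from this README).

```python
"""Check that a Deployment's Pod spec carries the hardening this README lists
(non-root, resource limits, minimal privileges) before `kubectl apply`.

Added example for this page, not the repository's own tooling. The two
manifests at the bottom are CONSTRUCTED: image name, user ID and resource
figures are placeholders, not Saleor's real values.
"""
import json
import sys

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def _pod_spec(manifest):
    """Return the PodSpec for a bare Pod or for a workload that wraps one."""
    if manifest.get("kind") in WORKLOAD_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    return manifest.get("spec", {})


def _untagged_or_latest(image):
    # Look only at the last path segment so a registry port (host:5000/img)
    # is not mistaken for a tag.
    last = image.rsplit("/", 1)[-1]
    if "@sha256:" in last:          # digest-pinned images are fine
        return False
    return ":" not in last or last.endswith(":latest")


def check_pod_spec(manifest):
    """Return a list of human-readable findings; an empty list means pass."""
    findings = []
    pod = _pod_spec(manifest)
    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # A container-level value overrides the Pod-level one; one of them
        # must be an explicit True, otherwise the image's USER decides.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation should be false")
        drop = [x.upper() for x in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drop:
            findings.append(f"{name}: capabilities.drop should include ALL")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
        if _untagged_or_latest(c.get("image", "")):
            findings.append(f"{name}: image is untagged or ':latest'; pin a tag or digest")
    return findings


# Constructed: what a first-draft manifest often looks like.
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "saleor-api"},
    "spec": {"selector": {"matchLabels": {"app": "saleor-api"}},
             "template": {"metadata": {"labels": {"app": "saleor-api"}},
                          "spec": {"containers": [{
                              "name": "api", "image": "example/saleor-api:latest",
                              "ports": [{"containerPort": 8000}]}]}}},
}

# Constructed: the same Deployment with the README's measures applied.
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "saleor-api"},
    "spec": {"selector": {"matchLabels": {"app": "saleor-api"}},
             "template": {"metadata": {"labels": {"app": "saleor-api"}},
                          "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "fsGroup": 10001},
        "containers": [{
            "name": "api", "image": "example/saleor-api:1.0.0",
            "ports": [{"containerPort": 8000}],
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"requests": {"cpu": "250m", "memory": "512Mi"},
                          "limits": {"cpu": "1", "memory": "1Gi"}},
            # Writable scratch space so a read-only root FS does not break the app.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
        "volumes": [{"name": "tmp", "emptyDir": {}}]}}},
}


if __name__ == "__main__":
    # JSON input keeps this stdlib-only; see the note below for YAML manifests.
    manifest = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WEAK
    problems = check_pod_spec(manifest)
    print("\n".join(problems) or "OK: pod spec passes")
    sys.exit(1 if problems else 0)
```

The checker reads JSON so that it needs no third-party YAML library; convert a YAML manifest first with `kubectl apply --dry-run=client -o json -f kubernetes/api-deployment.yaml` (file name assumed), or inspect a live object with `kubectl get deploy saleor-api -o json`. `readOnlyRootFilesystem` is the setting most likely to need follow-up work: a Django-based service such as Saleor still needs somewhere writable at runtime, which is why the hardened spec mounts an `emptyDir` at `/tmp`.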
- Google Kubernetes Engine (GKE): For container orchestration and managing microservices.
- Kubernetes: For scaling and managing microservices.
- Docker: For containerizing the Saleor platform components.
- Trivy: For container vulnerability scanning.
- Saleor: An open-source e-commerce platform as the main application.
- GitHub Actions: For automating the CI/CD pipeline.
This project demonstrates how to deploy a microservice-based e-commerce application using Docker, Kubernetes, and Google Kubernetes Engine (GKE), while incorporating essential security measures. Further improvements can be made by optimizing the CI/CD pipeline and introducing advanced security mechanisms.
