ratteperk/GitShield

To Do:

  • Configure ArgoCD for GitOps-driven Kubernetes deployments
  • Implement Gatekeeper policies for security enforcement
  • Integrate Trivy in GitHub Actions for container scanning
  • Deploy Prometheus for metrics
  • Deploy Grafana for dashboard
  • Set up Alertmanager with Telegram notifications
  • Deploy Grafana Loki for centralized log aggregation
  • Containerize sample app with /health, /metrics endpoints
  • Demonstrate self-healing: pod failure → auto-recovery
  • GitHub Actions

GitShield – GitOps Infrastructure with Monitoring and Alerting

A Kubernetes-based infrastructure project that demonstrates GitOps principles, automated deployments, monitoring, and Telegram notifications for alerts. Built as part of a university DevOps course.


Overview

GitShield is a proof-of-concept infrastructure that combines:

  • GitOps workflow with ArgoCD for declarative deployments
  • Monitoring stack (Prometheus, Grafana, Loki) for observability
  • Alerting via Alertmanager with Telegram notifications
  • CI/CD pipeline using GitHub Actions and Trivy for security scanning
  • Self-healing capabilities through Kubernetes controllers

The project runs entirely locally using Minikube, making it suitable for learning and demonstration purposes.


Prerequisites

Before you begin, ensure you have the following installed:

Tool            | Version | Purpose
----------------|---------|--------------------------------
Docker          | ≥ 20.10 | Container runtime
Minikube        | ≥ 1.30  | Local Kubernetes cluster
kubectl         | ≥ 1.28  | Kubernetes CLI
Helm            | ≥ 3.12  | Package manager for Kubernetes
Git             | ≥ 2.30  | Version control
Task (optional) | ≥ 3.20  | Task runner (see Taskfile.yaml)

Install and run the application:

# Start minikube
minikube start --cpus=4 --memory=8g

task deploy:all

Access Services

Quick setup with convenient ports:

Service      | Command to activate UI                                                                 | Link to UI            | Login and password
-------------|----------------------------------------------------------------------------------------|-----------------------|------------------------------
ArgoCD       | task argocd:ui                                                                         | http://localhost:8080 | task argocd:info
Grafana      | task grafana:ui                                                                        | http://localhost:3000 | login: admin, password: admin
Prometheus   | kubectl port-forward svc/kube-prometheus-kube-prome-prometheus -n monitoring 9090:9090 | http://localhost:9090 | -
Alertmanager | kubectl port-forward svc/alertmanager -n monitoring 9093:9093                          | http://localhost:9093 | -

Configuration

Telegram Bot Setup

  1. Create a Telegram bot
  2. Get your chat ID
  3. Create a Kubernetes Secret holding the bot token:

kubectl create secret generic alertmanager-telegram-secret \
  --from-literal=bot_token='YOUR_BOT_TOKEN_HERE' -n monitoring

  4. Update the Alertmanager config: replace chat_id with your actual chat ID
  5. Commit and push the changes
  6. Restart Alertmanager:

kubectl delete pod -l app.kubernetes.io/name=alertmanager -n monitoring

  7. Send a test notification:

kubectl apply -f - <<EOF
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: test-telegram-alert
  namespace: monitoring
  labels:
    release: kube-prometheus
spec:
  groups:
  - name: test.rules
    interval: 30s
    rules:
    - alert: TelegramNotificationTest
      expr: vector(1) == 1
      for: 10s
      labels:
        severity: critical
      annotations:
        summary: "Test Alert"
        description: "Verifying Telegram integration"
EOF

  8. Check your Telegram chat for the alert
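The following is an added example of the Alertmanager configuration the steps above edit; it is not the repository's own apps/alertmanager.yaml. It shows the point of the procedure: only the chat_id lives in Git, while the bot token is read from the mounted Secret file. The mount path is the one given in the Secrets Management section; the receiver name, routing timings and the sample chat_id are assumptions.

```yaml
# Added example Alertmanager config (not from the GitShield repository).
global:
  resolve_timeout: 5m

route:
  receiver: telegram-critical        # assumed receiver name
  group_by: ['alertname', 'namespace']
  group_wait: 30s
  group_interval: 5m
  repeat_interval: 4h
  routes:
    # Only critical alerts (like the TelegramNotificationTest rule above) go to Telegram.
    - matchers:
        - severity = "critical"
      receiver: telegram-critical

receivers:
  - name: telegram-critical
    telegram_configs:
      # Token is read from the file the Secret is mounted at (path from the
      # Secrets Management section), so it never appears in this file or in Git.
      # bot_token_file is supported since Alertmanager v0.26.
      - bot_token_file: /etc/alertmanager/secrets/bot_token
        chat_id: 123456789           # placeholder: replace with your real chat ID (integer)
        parse_mode: HTML
        send_resolved: true
        message: |
          {{ range .Alerts }}<b>{{ .Labels.alertname }}</b> [{{ .Labels.severity }}]
          {{ .Annotations.summary }}
          {{ .Annotations.description }}
          {{ end }}
```

If the token were placed in bot_token instead, it would be committed with the rest of the config and synced by ArgoCD, which is exactly what the Secret-file approach avoids.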

Secrets Management

  • Bot tokens and other sensitive data are stored in Kubernetes Secrets, never in Git
  • Secrets are mounted as files inside pods (e.g., /etc/alertmanager/secrets/bot_token)
  • Applications read tokens from those files, not from environment variables

Create a secret:

kubectl create secret generic <name> --from-literal=key=value -n <namespace>

Project Structure

gitshield/
├── .github/
│   └── workflows/
│       └── ci.yml                             # GitHub Actions CI/CD pipeline
├── apps/
│   ├── alertmanager.yaml                      # Alertmanager Helm configuration
│   ├── gatekeeper-policies.yaml               # ArgoCD Application manifest that deploys Gatekeeper constraint templates and constraints
│   ├── gatekeeper.yaml                        # ArgoCD Application manifest that installs the OPA Gatekeeper Helm chart (controllers, audit, webhooks)
│   ├── gitshield-app.yaml                     # Main application ArgoCD deployment
│   ├── grafana.yaml                           # Grafana Helm configuration
│   └── loki.yaml                              # Loki stack configuration
├── cmd/
│   └── main.go                                # Go application entry point
├── k8s/
│   ├── alert-rules.yaml                       # Prometheus alerting rules
│   ├── deployment.yaml                        # Kubernetes deployment manifest
│   ├── gatekeeper-constraint-template.yaml    # Defines custom Rego policy templates (CRDs) for admission control (e.g., allowed registries, resource quotas, non-root)
│   ├── gatekeeper-constraints.yaml            # Instantiates the templates with actual enforcement rules, namespace/kind matchers, and exemptions
│   ├── hpa.yaml                               # Horizontal Pod Autoscaler
│   ├── service.yaml                           # Kubernetes service manifest
│   └── servicemonitor.yaml                    # Prometheus ServiceMonitor
├── Dockerfile                                 # Container image definition
├── go.mod                                     # Go module dependencies
├── go.sum                                     # Go module checksums
├── root-app.yaml                              # ArgoCD root application (App-of-Apps)
├── Taskfile.yml                               # Task definitions for automation
└── README.md                                  # This file
