Divue/jerney-cloud-native-devsecops
GitHub: Divue/jerney-cloud-native-devsecops
An end-to-end reference project demonstrating cloud-native DevSecOps best practices, covering full-chain security from code to infrastructure.
Stars: 0 | Forks: 0
# ☸️ Jerney — Cloud Native DevSecOps
## 📐 Architecture

```
GitHub
  Developer ──push──▶ GitHub Actions
                        7-Stage DevSecOps Pipeline
                        Lint → SCA → Build → Scan → IaC → Dockerfile → Manifest Update
                          │ push image                  │ commit new tag
                          ▼                             ▼
                        GHCR (Registry)               k8s/jerney.yaml (GitOps src)
                          │ pull image                  │ kubectl apply
                          ▼                             ▼
AWS (ap-south-1)
  VPC 10.0.0.0/16 (Terraform managed)
    Public Subnets ×3 (Load Balancers) ──NAT──▶ Private Subnets ×3 (EKS Worker Nodes)
      EKS Cluster "jerney-eks" (Auto Mode / Karpenter)
        Namespace: jerney
          Frontend (Nginx :8080) ──NetworkPolicy──▶ Backend (Node.js :5000)
                                                      │ NetworkPolicy
                                                      ▼
                                                    PostgreSQL (:5432, EBS PVC)
```

## 🗂️ Repository Structure

```
jerney-cloud-native-devsecops/   (devops branch)
│
├── .github/workflows/
│   ├── ci-cd.yml              # 7-stage DevSecOps pipeline definition
│   └── notes.md               # CI/CD pipeline concepts & every stage explained
│
├── frontend/
│   ├── src/                   # React components & pages
│   ├── nginx.conf             # Custom Nginx config (non-root, port 8080)
│   ├── Dockerfile             # Multi-stage: Node build → Nginx serve
│   ├── dockerfile_notes.md    # Every line explained
│   └── package.json
│
├── backend/
│   ├── src/                   # Express routes, DB connection, health check
│   ├── Dockerfile             # Multi-stage: prod deps only + dumb-init
│   ├── dockerfile_notes.md    # Every line explained
│   └── package.json
│
├── k8s/
│   ├── namespace/             # jerney namespace
│   ├── secrets/               # PostgreSQL credentials (base64)
│   ├── storage/               # StorageClass (EBS gp3) + PVC
│   ├── database/              # PostgreSQL Deployment + ClusterIP Service
│   ├── backend/               # Backend Deployment + ClusterIP Service
│   ├── frontend/              # Frontend Deployment + NodePort Service
│   ├── network/               # NetworkPolicy (zero-trust between pods)
│   ├── jerney.yaml            # Single combined manifest (all of the above)
│   └── notes.md               # Kubernetes from scratch — every concept explained
│
├── terraform/
│   ├── providers.tf           # AWS provider, version constraints, S3 backend config
│   ├── variables.tf           # Input variable declarations
│   ├── terraform.tfvars       # Environment values (ap-south-1, dev)
│   ├── main.tf                # VPC module + EKS Auto Mode module
│   ├── outputs.tf             # Cluster name, endpoint, VPC ID
│   └── notes.md               # Terraform + AWS concepts explained
│
├── deploy/                    # (from main branch) EC2 bare-metal deployment
│   ├── setup.sh               # One-click EC2 setup script
│   └── jerney-nginx.conf      # Nginx reverse proxy config
│
├── docker-compose.yml         # Local development stack (all 3 services + network)
├── steps.md                   # Full implementation walkthrough — start to finish
└── README.md                  # You are here
```

## 🔒 Security at Every Layer

Security is not a final step; it is built into every layer of the stack.

| Layer | Threat | Control |
|---|---|---|
| **Code** | Bugs, bad practices | ESLint on every push |
| **Dependencies** | Known CVEs in npm packages | `npm audit` (SCA stage) |
| **Dockerfile** | Unsafe instructions, bad practices | Hadolint linting |
| **Container image** | Vulnerable OS + library packages | Trivy image scan |
| **IaC** | Terraform/K8s misconfigurations | Checkov scan |
| **Container runtime** | Root privilege escalation, filesystem tampering | `runAsNonRoot`, `readOnlyRootFilesystem`, `drop: ALL` capabilities |
| **Pod communication** | Lateral movement between services | NetworkPolicy: only Frontend→Backend→DB is allowed, everything else is denied |
| **Secrets** | Plaintext credentials | K8s Secrets + EKS envelope encryption via KMS |
| **AWS network** | Direct internet access to nodes | Worker nodes in private subnets, no public IP |

## 🚀 CI/CD Pipeline

**7 stages** run automatically on every push and pull request.

```
Push to any branch
│
├──▶ Stage 1 — Lint (ESLint)                  ←─ parallel
├──▶ Stage 6 — Dockerfile Lint (Hadolint)     ←─ parallel
│
▼ needs: lint
Stage 2 — Dependency Audit (npm audit / SCA)
│
▼ needs: sca
Stage 3 — Build & Push (Docker Buildx → GHCR)
│
▼ needs: build
├──▶ Stage 4 — Image Scan (Trivy)             ←─ parallel
├──▶ Stage 5 — IaC Scan (Checkov)             ←─ parallel
│
▼ push events only (not PRs)
Stage 7 — Update K8s Manifest (GitOps commit)
```

**Live run history:** [Actions tab →](../../actions)

## 🛠️ Tech Stack

| Category | Technology |
|---|---|
| **Frontend** | React 18, Vite, Nginx Alpine |
| **Backend** | Node.js 20, Express |
| **Database** | PostgreSQL 16 |
| **Containers** | Docker, Docker Buildx, multi-stage builds |
| **Orchestration** | Kubernetes, AWS EKS Auto Mode |
| **IaC** | Terraform, `terraform-aws-modules/vpc`, `terraform-aws-modules/eks` |
| **CI/CD** | GitHub Actions |
| **Image registry** | GitHub Container Registry (GHCR) |
| **Security scanning** | Trivy, Checkov, Hadolint, ESLint, npm audit |
| **Cloud platform** | AWS: EKS, VPC, EBS, KMS, CloudWatch Logs |

## ⚡ Quick Start

### Run locally with Docker Compose

```
git clone https://github.com/Divue/jerney-cloud-native-devsecops.git
cd jerney-cloud-native-devsecops
git checkout devops
docker compose up -d
# Frontend → http://localhost:80
# Backend → http://localhost:5000
```
### Deploy to AWS EKS
```
# 1. Provision infrastructure (~10-15 min)
cd terraform/
terraform init
terraform plan
terraform apply
# 2. Point kubectl at the new cluster
cd ..   # back to the repo root so the k8s/ path below resolves
aws eks update-kubeconfig --name jerney-eks --region ap-south-1
# 3. Verify the cluster is ready
kubectl get nodes
# 4. Deploy the application
kubectl apply -f k8s/ -R
# 5. Reach the frontend
kubectl port-forward svc/jerney-frontend 8080:80 -n jerney
# Open: http://localhost:8080
```
### Tear down when done (to avoid AWS charges)
```
kubectl delete -f k8s/ -R
cd terraform/ && terraform destroy
```
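The "Pod communication" and "Container runtime" rows of the security table describe the zero-trust NetworkPolicy and the three pod hardening settings that `kubectl apply -f k8s/ -R` installs. The manifests below are an added example written for this README, not the project's own `k8s/` files: they show one way to express exactly those rules. Pod label values (`app: jerney-frontend`, `jerney-backend`, `jerney-db`), the image reference and the cluster-DNS egress rule are assumptions.

```yaml
# Added example, not the project's own k8s/ manifests. Labels, the image
# reference and the DNS egress rule are assumptions.
---
# 1. Default deny in both directions; every later policy is an explicit exception.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: jerney
spec:
  podSelector: {}                 # empty selector = every pod in the namespace
  policyTypes: [Ingress, Egress]
---
# 2. Frontend -> Backend only, and only on the backend's listening port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: jerney
spec:
  podSelector: {matchLabels: {app: jerney-backend}}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {matchLabels: {app: jerney-frontend}}
      ports:
        - {protocol: TCP, port: 5000}
---
# 3. Backend -> PostgreSQL only; the frontend has no path to the database.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-to-db
  namespace: jerney
spec:
  podSelector: {matchLabels: {app: jerney-db}}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {matchLabels: {app: jerney-backend}}
      ports:
        - {protocol: TCP, port: 5432}
---
# 4. Egress for the backend: the database plus cluster DNS. With default-deny
#    egress in force, forgetting DNS makes service names unresolvable, which is
#    the usual reason a zero-trust policy breaks the app instead of guarding it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-egress
  namespace: jerney
spec:
  podSelector: {matchLabels: {app: jerney-backend}}
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector: {matchLabels: {app: jerney-db}}
      ports:
        - {protocol: TCP, port: 5432}
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: kube-system}
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
---
# 5. Runtime hardening for the backend pod (the three controls from the table).
#    readOnlyRootFilesystem needs a writable emptyDir for anything the process
#    must write (here /tmp).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jerney-backend
  namespace: jerney
spec:
  selector:
    matchLabels: {app: jerney-backend}
  template:
    metadata:
      labels: {app: jerney-backend}
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000           # numeric UID: runAsNonRoot cannot be verified against a named USER
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: backend
          image: ghcr.io/<owner>/jerney-backend:<tag>   # placeholder image reference
          ports: [{containerPort: 5000}]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: {drop: ["ALL"]}
          volumeMounts:
            - {name: tmp, mountPath: /tmp}
      volumes:
        - {name: tmp, emptyDir: {}}
```

The frontend needs the mirror image of policy 4 (egress to the backend on 5000 plus DNS) and, because it is exposed through a NodePort Service, an ingress rule on port 8080 that the default-deny policy would otherwise block. A quick way to confirm the policies are doing their job is `kubectl exec` into the frontend pod and check that a connection to the PostgreSQL service on 5432 times out while one to the backend on 5000 succeeds.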
## 📖 Notes & Documentation
Every component has dedicated notes that explain each concept from scratch, useful for interviews and for anyone who wants to re-implement the project.
| File | What it covers |
|---|---|
| [`steps.md`](./steps.md) | Full implementation walkthrough, recording every decision in order |
| [`k8s/notes.md`](./k8s/notes.md) | Kubernetes — Pods, Deployments, Services, Storage, NetworkPolicy, Security |
| [`terraform/notes.md`](./terraform/notes.md) | Terraform + AWS — VPC, subnets, EKS Auto Mode, modules, state |
| [`frontend/dockerfile_notes.md`](./frontend/dockerfile_notes.md) | Frontend Dockerfile — multi-stage build, layer caching, non-root Nginx |
| [`backend/dockerfile_notes.md`](./backend/dockerfile_notes.md) | Backend Dockerfile — dumb-init, custom user, prod-only dependencies |
| [`.github/workflows/notes.md`](./.github/workflows/notes.md) | CI/CD pipeline — all 7 stages, GitOps pattern, security tools |
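The pipeline diagram above fixes the order in which the seven stages may run: stages 1 and 6 start in parallel, each later stage declares a `needs:` on the one before it, the two scans fan out after the build, and the GitOps commit runs only on push events. The workflow below is an added example written for this README, not the project's `ci-cd.yml`, showing how that dependency graph and its gates map onto GitHub Actions. Job names, action versions, the `backend/` paths and the `sed` expression for the manifest update are assumptions.

```yaml
# Added example, not the project's ci-cd.yml. Job names, action versions,
# paths and the manifest-update command are assumptions.
name: devsecops
on: [push, pull_request]

permissions:                  # least privilege: only what stages 3 and 7 need
  contents: write             # stage 7 commits the new tag to k8s/jerney.yaml
  packages: write             # stage 3 pushes the image to GHCR

jobs:
  lint:                       # Stage 1, starts immediately
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint
        working-directory: backend

  hadolint:                   # Stage 6, parallel with lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hadolint/hadolint-action@v3.1.0
        with: {dockerfile: backend/Dockerfile}

  sca:                        # Stage 2: needs lint
    needs: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm audit --audit-level=high   # non-zero exit on HIGH/CRITICAL fails the job
        working-directory: backend

  build:                      # Stage 3: needs sca
    needs: sca
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          context: backend
          push: true
          tags: ghcr.io/${{ github.repository_owner }}/jerney-backend:${{ github.sha }}

  trivy:                      # Stage 4: needs build, parallel with checkov
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/${{ github.repository_owner }}/jerney-backend:${{ github.sha }}
          severity: CRITICAL,HIGH
          exit-code: '1'      # a finding fails the pipeline rather than only being reported

  checkov:                    # Stage 5: needs build
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: bridgecrewio/checkov-action@v12
        with:
          directory: .
          framework: terraform,kubernetes

  update-manifest:            # Stage 7: only after both scans pass, never on PRs
    needs: [trivy, checkov]
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          sed -i "s|jerney-backend:.*|jerney-backend:${GITHUB_SHA}|" k8s/jerney.yaml
          git config user.name github-actions
          git config user.email github-actions@github.com
          git commit -am "ci: deploy ${GITHUB_SHA}" && git push
```

Two details carry the security weight. `needs:` turns each scan into a gate: the GitOps commit cannot run unless Trivy and Checkov both exit zero, so `exit-code: '1'` on Trivy (and the default non-zero exit of `npm audit`) is what makes findings block a deploy instead of merely appearing in logs. The `if: github.event_name == 'push'` condition keeps pull requests, including ones from forks, from rewriting the manifest that the cluster deploys from.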
*The application was originally built by the development team on the `main` branch. This `devops` branch documents the complete DevSecOps transformation applied on top of it.*