This project transforms a legacy Java Spring Boot monolithic application from a manually managed VM deployment to a modern, cloud-native Kubernetes-based architecture. The solution implements a comprehensive 6-stage CI/CD pipeline with security-first principles, leverages CloudNativePG for database management, and integrates with existing infrastructure (HashiCorp Vault, self-hosted SonarQube, observability stack) while delivering enterprise-grade security, developer experience, and operational excellence.
- Containerized Application: Multi-stage Docker build with eclipse-temurin:21-jdk-jammy and distroless runtime
- Kubernetes Platform: Kustomize-based deployments with environment-specific overlays
- 6-Stage CI/CD Pipeline: GitHub Actions with comprehensive security scanning, testing, and GitOps deployment
- Database Management: CloudNativePG Operator for automated PostgreSQL lifecycle management
- Observability Stack: Integration with existing Prometheus, Grafana, Loki, Tempo, and Mimir
- Security Framework: External Secrets Operator with Vault, self-hosted SonarQube, and multi-layered security scanning
- GitOps Deployment: ArgoCD with ApplicationSets for ephemeral PR environments
- Security-First: Multi-layered security with TruffleHog, Trivy, OWASP, CodeQL, and self-hosted SonarQube
- Automated Database Management: CloudNativePG Operator with automated failover, backups, and PITR
- Comprehensive CI/CD: 6-stage pipeline with security gates (0 critical, ≤5 high vulnerabilities)
- Quality Assurance: ≥80% code coverage requirement with JUnit/JaCoCo and Testcontainers
- Multi-Architecture Support: AMD64/ARM64 container builds with semantic versioning
- Ephemeral Environments: Automatic PR environments with ArgoCD ApplicationSets
- Enterprise Integration: Seamless integration with existing Vault, SonarQube, and observability stack
spring-boot-app/
├── design.md # Comprehensive architecture design
├── readme.md # The project overview
└── examples/ # Implementation examples and templates
├── Dockerfile # Multi-stage container build
├── ci-cd-pipeline.yaml # 6-stage GitHub Actions pipeline with security scanning
├── sonar-project.properties # Self-hosted SonarQube configuration
├── monitoring-stack.yaml # ServiceMonitor, PrometheusRule, dashboards
├── security-policies.yaml # RBAC, NetworkPolicy, Pod Security
├── local-development.md # Local dev setup with observability stack
└── k8s/ # Kustomize-based Kubernetes manifests
├── base/ # Base application manifests
├── database/base/ # PostgreSQL base manifests
└── overlays/ # Environment-specific configurations
├── pr-template/ # Ephemeral PR environments (1 replica, debug logging)
├── staging/ # Staging environment (2 replicas, info logging)
└── production/ # Production (5 replicas, HA, CloudNativePG cluster)
- Create multi-stage Dockerfile with eclipse-temurin:21-jdk-jammy and distroless runtime
- Implement 6-stage GitHub Actions pipeline: scan-and-lint, build-and-sast, pre-tests, image-and-push, deploy, post-tests
- Configure TruffleHog, Trivy, OWASP Dependency Check, CodeQL, and self-hosted SonarQube integration
- Set up Testcontainers for integration testing with PostgreSQL 18
- Implement semantic versioning with GitHub Flow strategy
- Deploy CloudNativePG Operator for automated PostgreSQL lifecycle management
- Create Kustomize base manifests with CloudNativePG Cluster, ScheduledBackup, and ObjectStore
- Configure External Secrets Operator integration with existing Vault
- Set up ServiceMonitor and PrometheusRule for existing observability stack
- Implement network policies and RBAC with Pod Security Standards
- Configure ArgoCD ApplicationSets for ephemeral PR environments
- Create staging and production Kustomize overlays with environment-specific scaling
- Implement horizontal pod autoscaling and pod disruption budgets
- Set up automated CloudNativePG backups with S3-compatible storage (MinIO/Ceph)
- Configure multi-architecture container builds (AMD64/ARM64)
- Deploy to production with CloudNativePG cluster (3 instances with automated failover)
- Configure comprehensive monitoring dashboards and alerting rules
- Implement post-deployment testing (smoke, load, E2E, UAT tests)
- Set up disaster recovery with point-in-time recovery capabilities
- Performance tuning and comprehensive documentation
- Runtime: Java 21 (eclipse-temurin:21-jdk-jammy), Spring Boot 3.x
- Container: Docker with multi-stage builds and distroless runtime (gcr.io/distroless/java21-debian12:nonroot)
- Orchestration: Kubernetes 1.28+ with Kustomize for configuration management
- Database: CloudNativePG Operator managing PostgreSQL 18 clusters with automated failover
- Testing: JUnit 5 with JaCoCo coverage, Testcontainers for integration testing with real PostgreSQL
- Versioning: Semantic versioning from Maven project version with GitHub Flow strategy
- CI/CD: 6-stage GitHub Actions pipeline + ArgoCD GitOps with ApplicationSets
- Secrets Scanning: TruffleHog for detecting exposed secrets in source code
- Vulnerability Scanning: Trivy for filesystem and container image scanning
- Dependency Security: OWASP Dependency Check with CVSS ≥7.0 threshold
- Static Analysis: CodeQL with security-extended queries
- Code Quality: Self-hosted SonarQube with quality gates and 300s timeout
- Secret Management: External Secrets Operator (ESO) with existing HashiCorp Vault
- Access Control: Kubernetes RBAC with least privilege and Pod Security Standards
- Network Security: Network Policies for micro-segmentation
- Security Gates: 0 critical vulnerabilities, ≤5 high vulnerabilities allowed
- Metrics: Prometheus with remote write to Mimir for long-term storage
- Visualization: Grafana dashboards for application and infrastructure monitoring
- Logging: Loki for centralized log aggregation and querying
- Tracing: Tempo for distributed tracing with OpenTelemetry
- Alerting: AlertManager with existing escalation policies
- Database Migration: Use blue-green deployment strategy
- Performance Impact: Comprehensive load testing before production
- Security Vulnerabilities: Automated scanning and regular updates
- Configuration Drift: GitOps with automated synchronization
- Downtime: Rolling deployments with zero-downtime strategy
- Data Loss: Automated backups with point-in-time recovery
- Skill Gap: Comprehensive training and documentation
- Vendor Lock-in: Use of open-source technologies where possible
- Deployment Frequency: From weekly to daily deployments
- Lead Time: Reduce from days to hours
- MTTR: Reduce mean time to recovery by 30%
- Security Incidents: Zero critical security vulnerabilities
- Availability: 99.9% uptime SLA
- Performance: Sub-200ms response times
- Cost Optimization: 30% reduction in infrastructure costs
- Developer Productivity: 50% faster feature delivery
# Install CloudNativePG Operator
kubectl apply -f https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.24/releases/cnpg-1.24.0.yaml
# Install External Secrets Operator
helm install external-secrets external-secrets/external-secrets -n external-secrets-system --create-namespace
# Configure Vault authentication
vault auth enable kubernetes
vault write auth/kubernetes/config token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
# Configure GitHub secrets for CI/CD
gh secret set SONAR_TOKEN --body "your-sonarqube-token"
gh secret set CONFIG_REPO_TOKEN --body "your-config-repo-token"# Create S3 credentials for backups
kubectl create secret generic s3local-eu-central \
--from-literal=ACCESS_KEY_ID=your-access-key \
--from-literal=ACCESS_SECRET_KEY=your-secret-key \
-n spring-app-production
# Deploy CloudNativePG cluster
kubectl apply -k examples/k8s/database/base/
# Verify cluster status
kubectl get cluster postgres-app-cluster -n spring-app-production# Store secrets in Vault
vault kv put secret/spring-app/database username=appuser password=secure-password
# Deploy ArgoCD ApplicationSets for PR environments
kubectl apply -f examples/argocd/applicationsets/pr-environments.yaml
# Deploy static environment applications
kubectl apply -f examples/argocd/applications/
# Verify deployments
kubectl get applications -n argocd
kubectl get applicationsets -n argocd- Deployment Guide: Complete deployment instructions
- Kubernetes Manifests: Kustomize structure and usage
- ArgoCD Configuration: GitOps setup with PR environments
- Testing Strategy: Testcontainers and CI/CD testing
- Local Development: Development environment setup
- Requirements: Detailed functional requirements
- Design: Architecture and technical design
- Tasks: Implementation task breakdown
| Feature | PR Environments | Staging | Production |
|---|---|---|---|
| Replicas | 1 | 2 | 5 |
| Resources | 256Mi/512Mi | 512Mi/1Gi | 1Gi/2Gi |
| Autoscaling | 1-3 pods | 2-5 pods | 5-20 pods |
| Database | Shared dev DB | Single instance | CloudNativePG cluster (3 instances) |
| Backup Strategy | None | Basic | Automated with S3, 7-day retention, PITR |
| Monitoring | Basic + PR labels | Full stack | Full stack + alerting + SLI/SLO |
| Security | Wildcard dev certs | Staging certs | Production certs + enhanced security |
| Lifecycle | Ephemeral (PR-based) | Long-running | Long-running |
| CI/CD Pipeline | All 6 stages | All 6 stages | All 6 stages + post-tests |
| Quality Gates | ≥80% coverage | ≥80% coverage | ≥80% coverage + security gates |
graph LR
A[scan-and-lint] --> B[build-and-sast]
B --> C[pre-tests]
C --> D[image-and-push]
D --> E[deploy]
E --> F[post-tests]
A --> A1[TruffleHog Secrets Scan]
A --> A2[Trivy FS Scan]
A --> A3[Checkstyle/PMD]
B --> B1[OWASP Dependency Check]
B --> B2[CodeQL Analysis]
B --> B3[Security Gates]
C --> C1[JUnit/JaCoCo Tests]
C --> C2[Testcontainers Integration]
C --> C3[SonarQube Quality Gates]
C --> C4[≥80% Coverage Gate]
D --> D1[Multi-arch Build AMD64/ARM64]
D --> D2[Container Security Scan]
D --> D3[GitHub Registry Push]
E --> E1[PR: ArgoCD ApplicationSet]
E --> E2[Main: GitOps PR Creation]
F --> F1[Smoke Tests]
F --> F2[Load Tests]
F --> F3[E2E Tests]
- Critical Vulnerabilities: 0 allowed
- High Vulnerabilities: ≤5 allowed
- Code Coverage: ≥80% required
- CVSS Threshold: <7.0
- SonarQube Quality Gate: Must pass with 300s timeout
- Infrastructure Setup: Deploy CloudNativePG Operator, configure Vault/ESO, and SonarQube integration
- Team Training: CloudNativePG, Kustomize, ArgoCD ApplicationSets, and 6-stage CI/CD pipeline workshop
- Pilot Deployment: Start with PR environment validation using ApplicationSet generator
- Staged Rollout: Progress through staging to production with comprehensive quality gates
- Continuous Improvement: Monitor SLI/SLO metrics, optimize CloudNativePG performance, and iterate
This modernization provides a production-ready, secure, and scalable foundation with automated database management, comprehensive security scanning, and ephemeral PR environments that integrates seamlessly with existing infrastructure while enabling rapid, reliable deployments through GitOps practices.