Projet intégré : déployer une application complète (30 min de lecture)

Pipeline CI/CD, Keycloak et monitoring

Etape 3 : Le pipeline CI/CD complet

# .gitlab-ci.yml - Pipeline du projet integre
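# Stage order. `build` runs before `security` on purpose: the container-scan
# job below pulls the images that build-api / build-frontend push, so with
# `security` ahead of `build` the scan would find nothing to pull.
stages:
  - test
  - build
  - security
  - deploy-staging
  - integration-test
  - deploy-production

variables:
  # Registry path of this project; images are tagged $DOCKER_IMAGE/<component>:<tag>
  DOCKER_IMAGE: $CI_REGISTRY_IMAGE
  # Per-commit tag so every deployed image is traceable to one commit
  APP_VERSION: $CI_COMMIT_SHORT_SHA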

# ── Tests ──
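test-api:
  stage: test
  image: node:18-alpine
  script:
    - cd api/
    - npm ci
    - npm run lint
    - npm run test
  artifacts:
    # Collect the report even when the tests fail. By default artifacts are
    # only uploaded from successful jobs, which drops the JUnit report in
    # exactly the run where the failing cases would be shown.
    when: always
    reports:
      junit: api/test-results.xml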

test-frontend:
  # Lint and unit tests for the frontend; same toolchain image as test-api.
  image: 'node:18-alpine'
  stage: test
  script:
    - cd frontend/
    - npm ci
    - npm run lint
    - npm run test

# ── Securite ──
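sast:
  stage: security
  image: returntocorp/semgrep
  script:
    # --gitlab-sast writes the GitLab SAST report schema. Plain --json is
    # Semgrep's native format and is not understood by the `sast:` report
    # type, so findings never reached the merge-request widget.
    - semgrep --config auto --gitlab-sast --output gl-sast-report.json .
  artifacts:
    # Upload the report even if semgrep exits non-zero
    when: always
    reports:
      sast: gl-sast-report.json
  # Findings are surfaced but do not block the pipeline. Set to false (and
  # add `--error` so semgrep exits 1 on findings) once the baseline is clean.
  allow_failure: true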

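container-scan:
  stage: security
  image: aquasec/trivy
  # NOTE(review): this job pulls the images that build-api / build-frontend
  # push, so the `build` stage must be ordered before `security` in `stages`;
  # otherwise the scan runs against images that do not exist yet.
  variables:
    # Registry credentials for pulling from the project registry;
    # trivy reads TRIVY_USERNAME / TRIVY_PASSWORD from the environment.
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    # --exit-code 1 makes the job fail on HIGH/CRITICAL findings. Without it
    # trivy always exits 0, so the scan could never gate anything regardless
    # of allow_failure.
    - trivy image --severity HIGH,CRITICAL --exit-code 1 "$DOCKER_IMAGE/api:$APP_VERSION"
    - trivy image --severity HIGH,CRITICAL --exit-code 1 "$DOCKER_IMAGE/frontend:$APP_VERSION"
  # A failed scan shows as a warning instead of blocking; set to false to gate.
  allow_failure: true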

# ── Build Docker ──
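build-api:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    # Pass the password on stdin: `-p` puts it in the process argument list
    # (visible to anything that can read `ps` in the runner) and docker
    # itself warns that it is insecure.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$DOCKER_IMAGE/api:$APP_VERSION" ./api/
    - docker push "$DOCKER_IMAGE/api:$APP_VERSION"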

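build-frontend:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    # Pass the password on stdin: `-p` puts it in the process argument list
    # (visible to anything that can read `ps` in the runner) and docker
    # itself warns that it is insecure.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$DOCKER_IMAGE/frontend:$APP_VERSION" ./frontend/
    - docker push "$DOCKER_IMAGE/frontend:$APP_VERSION"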

# ── Deploy Staging ──
deploy-staging:
  # Roll the freshly built images into the staging namespace and wait for
  # both rollouts to finish before the integration tests start.
  # NOTE(review): how kubectl gets its cluster credentials is not part of
  # this listing (agent or KUBECONFIG variable) — confirm in the project.
  image: bitnami/kubectl:latest  # NOTE(review): `latest` is not reproducible; pin a version
  stage: deploy-staging
  environment:
    name: staging
    url: https://staging.example.com
  script:
    - kubectl set image deployment/api api=$DOCKER_IMAGE/api:$APP_VERSION -n staging
    - kubectl set image deployment/frontend frontend=$DOCKER_IMAGE/frontend:$APP_VERSION -n staging
    - kubectl rollout status deployment/api -n staging --timeout=120s
    - kubectl rollout status deployment/frontend -n staging --timeout=120s

# ── Tests d'integration ──
integration-test:
  # End-to-end run against the environment deployed by deploy-staging.
  image: 'cypress/included:13'
  stage: integration-test
  artifacts:
    # Keep screenshots and videos on failure as well — that is when they matter.
    when: always
    paths:
      - cypress/screenshots/
      - cypress/videos/
  script:
    - npx cypress run --config baseUrl=https://staging.example.com

# ── Deploy Production ──
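deploy-production:
  stage: deploy-production
  image: bitnami/kubectl:latest  # NOTE(review): `latest` is not reproducible; pin a version
  script:
    - kubectl set image deployment/api api=$DOCKER_IMAGE/api:$APP_VERSION -n production
    - kubectl set image deployment/frontend frontend=$DOCKER_IMAGE/frontend:$APP_VERSION -n production
    # If a rollout does not converge within the timeout, revert that
    # deployment to its previous revision and still fail the job so the
    # pipeline records the failed deployment.
    - kubectl rollout status deployment/api -n production --timeout=180s || { kubectl rollout undo deployment/api -n production; exit 1; }
    - kubectl rollout status deployment/frontend -n production --timeout=180s || { kubectl rollout undo deployment/frontend -n production; exit 1; }
  environment:
    name: production
    url: https://app.example.com
  # `rules` replaces the legacy `only:` keyword. The job stays a manual gate
  # that only appears on pipelines for the main branch.
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
      when: manual
      # Keep the non-blocking behaviour of a plain `when: manual` job: under
      # `rules`, manual jobs block the pipeline unless this is set.
      allow_failure: true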

Etape 4 : Integrer Keycloak dans l'application

# Configuration de l'API pour utiliser Keycloak
# api/config/keycloak.js
// Keycloak settings for the API plus the Express guard built on top of them.
// The client secret is read from the environment so it never lands in the repo.
module.exports = {
  realm: "devops-platform",
  authServerUrl: "https://auth.example.com",
  clientId: "webapp-api",
  clientSecret: process.env.KEYCLOAK_CLIENT_SECRET,

  // Express middleware factory: protect(requiredRole) returns a handler that
  // guards the route it is mounted on.
  // NOTE(review): this is a skeleton. As written it neither calls next() nor
  // sends a response, so a request to a protected route would hang; the real
  // implementation must call next() on success and answer 401/403 otherwise.
  protect: (requiredRole) => (req, res, next) => {
    // Raw Authorization header value (presumably "Bearer <jwt>"); the scheme
    // prefix still has to be stripped before verification — TODO confirm.
    const token = req.headers.authorization;
    // Verify the JWT signature with Keycloak's public key
    // Check that the user carries the required role
    // ...
  }
};

// Utilisation dans les routes
// Route usage: the guard runs first, so only requests that pass
// keycloak.protect("admin") reach the handler.
app.get("/api/admin", keycloak.protect("admin"), function (req, res) {
  return res.json({ message: "Bienvenue, admin !" });
});

Etape 5 : Verifier le monitoring

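# Post-deployment checklist

# 1. Check that the pods are running
kubectl get pods -n production
kubectl get pods -n auth
kubectl get pods -n monitoring

# 2. Check the metrics in Prometheus
# PromQL: up{namespace="production"} == 1

# 3. Check the Grafana dashboards
# - Kubernetes cluster overview
# - Application metrics (requests/s, latency, errors)
# - Keycloak metrics (logins, tokens issued)

# 4. Test authentication (password grant against the realm token endpoint).
# Credentials come from the environment instead of being typed on the command
# line, so they do not end up in shell history or `ps` output. webapp-api is a
# confidential client (it has a clientSecret in api/config/keycloak.js), so the
# token endpoint also needs client_secret; without it Keycloak rejects the call.
: "${KEYCLOAK_CLIENT_SECRET:?set KEYCLOAK_CLIENT_SECRET}"
: "${KC_TEST_PASSWORD:?set KC_TEST_PASSWORD}"
curl -sS -X POST https://auth.example.com/realms/devops-platform/protocol/openid-connect/token \
  --data-urlencode "grant_type=password" \
  --data-urlencode "client_id=webapp-api" \
  --data-urlencode "client_secret=${KEYCLOAK_CLIENT_SECRET}" \
  --data-urlencode "username=${KC_TEST_USER:-testuser}" \
  --data-urlencode "password=${KC_TEST_PASSWORD}"

# 5. Check the logs
# In Grafana > Explore > Loki:
# {namespace="production"} |= "started"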

Resume : le flux complet

+------+     +---------+     +--------+     +------+
| Code | --> | GitLab  | --> | Docker | --> | K8s  |
|      |     | CI/CD   |     | Build  |     |      |
+------+     +---------+     +--------+     +------+
                                               |
                              +----------------+----------------+
                              |                |                |
                        +-----------+   +----------+   +-----------+
                        | Keycloak  |   | Prometheus|   | Loki     |
                        | (auth)    |   | + Grafana |   | (logs)   |
                        +-----------+   +----------+   +-----------+

Terraform cree le cluster.
Ansible installe les outils.
GitLab CI/CD automatise le deploiement.
Docker empaquete les applications.
Kubernetes orchestre tout.
Keycloak protege les acces.
Prometheus + Grafana + Loki surveillent.
Félicitations ! Vous avez maintenant une vision complète de l'écosystème DevOps. Chaque outil a un rôle précis, et c'est leur intégration qui crée la valeur. Le parcours avancé approfondira chaque composant.