🚀 Built during the TrainWithShubham Hackathon to demonstrate modern cloud-native DevOps, Kubernetes, and GitOps practices on AWS.
SkillPulse is a production-oriented, cloud-native three-tier application deployed on Amazon EKS using modern DevOps and GitOps practices.
The application enables users to track the skills they are learning along with the time invested in developing each skill.
The application stack consists of:
- Go backend API
- Vanilla JavaScript frontend served through Nginx
- MySQL database
Beyond the application itself, the primary focus of this repository is the Kubernetes platform engineering ecosystem built around it, including:
- Amazon EKS
- Terraform infrastructure provisioning
- GitOps deployments using ArgoCD
- GitHub Actions CI/CD automation
- AWS-native ingress, storage, and secret management
- Monitoring and observability
- Security automation and vulnerability scanning
├── .github/
│ └── workflows/
│ ├── ci.yml
│ └── cd-k8s.yml
│
├── argocd/
│ └── application.yaml
│
├── backend/
│ ├── database/
│ ├── handlers/
│ ├── models/
│ ├── Dockerfile
│ ├── go.mod
│ ├── go.sum
│ └── main.go
│
├── docs/
│ ├── images/
│ ├── deployment.md
│ ├── destroy.md
│ ├── github-actions.md
│ ├── infra.md
│ ├── pdf-style.css
│ ├── prerequisites.md
│ ├── skillpulse-cicd-guide.md
│ ├── skillpulse-cicd-guide.pdf
│ ├── skillpulse-kubernetes-guide.md
│ └── skillpulse-kubernetes-guide.pdf
│
├── frontend/
│ ├── css/
│ │ └── style.css
│ │
│ ├── js/
│ │ └── app.js
│ │
│ ├── Dockerfile
│ ├── index.html
│ └── nginx.conf
│
├── k8s/
│ ├── 00-namespace.yaml
│ ├── 01-storageclass.yaml
│ ├── 02-serviceaccount.yaml
│ ├── 03-secretproviderclass.yaml
│ ├── 04-mysql-configmap.yaml
│ ├── 05-mysql-service.yaml
│ ├── 06-mysql-statefulset.yaml
│ ├── 07-backend-service.yaml
│ ├── 08-backend-deployment.yaml
│ ├── 09-backend-hpa.yaml
│ ├── 10-frontend-service.yaml
│ ├── 11-frontend-deployment.yaml
│ └── 12-skillpulse-ingress.yaml
│
├── kind/
│ └── kind-config.yaml
│
├── mysql/
│ └── init.sql
│
├── terraform/
│ ├── argocd-monitoring/
│ │ ├── argocd.yaml
│ │ └── monitoring.yaml
│ │
│ ├── eks/
│ │ ├── env/
│ │ │ ├── dev.tfvars
│ │ │ ├── prod.tfvars
│ │ │ └── staging.tfvars
│ │ │
│ │ ├── 1_versions.tf
│ │ ├── 2_variables.tf
│ │ ├── 3_remote-state.tf
│ │ ├── 4_locals.tf
│ │ ├── 5_eks_tags.tf
│ │ ├── 6_eks_cluster_iamrole.tf
│ │ ├── 7_eks_cluster.tf
│ │ ├── 8_eks_nodegroup_iamrole.tf
│ │ ├── 9_eks_nodegroup_private.tf
│ │ ├── 10_eks_outputs.tf
│ │ ├── 11_podidentityagent.tf
│ │ ├── 12_helm_and_k8_providers.tf
│ │ ├── 13_podidentityagent_assumerole.tf
│ │ ├── 14_lbc_iam_policy_datasource.tf
│ │ ├── 15_lbc_iam_policy_and_role.tf
│ │ ├── 16_lbc_eks_pod_identity_association.tf
│ │ ├── 17_lbc_helm_install.tf
│ │ ├── 18_ebscsi_iam_policy_and_role.tf
│ │ ├── 19_ebscsi_eks_pod_identity_association.tf
│ │ ├── 20_ebscsi_eksaddon.tf
│ │ ├── 21_eksaddon_metrics_server.tf
│ │ ├── 22_secretstoresci-helm-install.tf
│ │ ├── 23_secretstoresci-aspc-helm-install.tf
│ │ ├── 24_argocd.tf
│ │ ├── 25_monitoring.tf
│ │ ├── terraform.tfvars
│ │ │
│ │ └── iam-policy-json-files/
│ │ ├── skillpulse-secret-policy.json
│ │ └── trust-policy.json
│ │
│ ├── vpc/
│ │ ├── modules/
│ │ │ ├── datasources-and-locals.tf
│ │ │ ├── main.tf
│ │ │ ├── outputs.tf
│ │ │ └── variables.tf
│ │ │
│ │ ├── 1_versions.tf
│ │ ├── 2_variables.tf
│ │ ├── 3_vpc.tf
│ │ ├── 4_outputs.tf
│ │ └── terraform.tfvars
│ │
│ ├── create_infra.sh
│ └── destroy_infra.sh
│
├── .env.example
├── .gitignore
├── docker-compose.yml
├── Makefile
└── README.md
This repository is derived from LondheShubham153/github-actions-kubernetes-masterclass, which originally provided:
- Dockerfile for the Go backend service
- Dockerfile for the Nginx frontend service
- docker-compose.yml for local development
- A basic GitHub Actions pipeline
- SSH-based deployment workflow using Docker Compose on a remote VM
This repository extends and redesigns that baseline into a production-oriented Kubernetes and GitOps platform on Amazon EKS by implementing:
- Terraform-based AWS infrastructure provisioning
- Amazon EKS cluster automation
- GitHub OIDC authentication with AWS IAM
- GitOps deployments using ArgoCD
- Kubernetes-native deployment architecture
- AWS Secrets Manager integration via CSI Driver and ASCP
- EBS CSI dynamic persistent storage provisioning
- Horizontal Pod Autoscaling
- AWS Load Balancer Controller ingress management
- Route53 + ACM TLS integration
- Centralized monitoring stack deployment
- Security scanning pipelines using:
- Gitleaks
- Hadolint
- Govulncheck
- Trivy
- Immutable image versioning using Git commit SHAs
- Fully automated CI/CD workflows using GitHub Actions
The result is a complete cloud-native deployment platform that reflects modern DevOps and GitOps operational practices rather than a simple containerized application deployment.
┌─────────────────────────────────────────────────────────────────────────────┐
│ EXTERNAL ENDPOINTS (Internet) │
├─────────────────────────────────────────────────────────────────────────────┤
│ ┌────────────────────────────────┐ ┌────────────────────────────────┐ │
│ │ skillpulse.cloud2devops.online │ │ argocd.cloud2devops.online │ │
│ └────────────────────────────────┘ └────────────────────────────────┘ │
│ │
│ ┌────────────────────────────────┐ │
│ │ grafana.cloud2devops.online │ │
│ └────────────────────────────────┘ │
│ ↓ │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Amazon Route53 (DNS) + AWS ACM (TLS Certificates) │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────────────────┐
│ AWS REGION (ap-south-1) - VPC Infrastructure │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ AWS Application Load Balancer (ALB) │ │
│ │ [Shared ALB Group - cloud2devops-ingress-alb] │ │
│ │ Managed by AWS Load Balancer Controller (LBC) │ │
│ └──────────────────────────────────────────────────────────────────────┘ │
│ Routes traffic based on hostname rules │
│ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ Amazon EKS Cluster │ │
│ │ (Kubernetes Control Plane - AWS Managed) │ │
│ ├──────────────────────────────────────────────────────────────────────┤ │
│ │ │ │
│ │ ┌────────────────────────────────────────────────────────────────┐ │ │
│ │ │ EKS Worker Nodes (Private) │ │ │
│ │ │ • Auto Scaling Groups • Pod Identity Agent • CloudWatch │ │ │
│ │ │ │ │ │
│ │ │ ┌────────────────────────┐ ┌───────────────────────────────┐ │ │ │
│ │ │ │ Skillpulse Namespace │ │ System & Addon Namespaces │ │ │ │
│ │ │ ├────────────────────────┤ ├───────────────────────────────┤ │ │ │
│ │ │ │ │ │ • kube-system │ │ │ │
│ │ │ │ Frontend Deployment │ │ • kube-public │ │ │ │
│ │ │ │ (Nginx + JavaScript) │ │ • argocd │ │ │ │
│ │ │ │ └─ Service (ClusterIP) │ │ • monitoring │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ │ │ Backend Deployment │ │ Core Add-ons: │ │ │ │
│ │ │ │ (Go API) │ │ • AWS Load Balancer │ │ │ │
│ │ │ │ └─ Service (ClusterIP) │ │ Controller (LBC) │ │ │ │
│ │ │ │ └─ HPA (Horizontal │ │ • EBS CSI Driver │ │ │ │
│ │ │ │ Pod Autoscaling) │ │ • Metrics Server │ │ │ │
│ │ │ │ │ │ • Secrets Store CSI Driver │ │ │ │
│ │ │ │ MySQL StatefulSet │ │ • ASCP (AWS Secrets │ │ │ │
│ │ │ │ • Service (ClusterIP) │ │ Manager Provider) │ │ │ │
│ │ │ │ • PVC (EBS Volume) │ │ │ │ │ │
│ │ │ │ • ConfigMap │ │ ArgoCD: │ │ │ │
│ │ │ │ • ServiceAccount │ │ • argocd-server │ │ │ │
│ │ │ │ │ │ • argocd-repo-server │ │ │ │
│ │ │ │ └─ Secrets (from AWS │ │ • argocd-controller │ │ │ │
│ │ │ │ Secrets Manager) │ │ • argocd-dex-server │ │ │ │
│ │ │ │ │ │ • Ingress Resource │ │ │ │
│ │ │ │ Ingress Resource │ │ (argocd-ingress) │ │ │ │
│ │ │ │ (skillpulse-ingress) │ │ │ │ │ │
│ │ │ │ │ │ Monitoring Stack: │ │ │ │
│ │ │ │ │ │ • Prometheus │ │ │ │
│ │ │ │ │ │ • Grafana │ │ │ │
│ │ │ │ │ │ • Node Exporter │ │ │ │
│ │ │ │ │ │ • Kube-State-Metrics │ │ │ │
│ │ │ │ │ │ • Ingress Resource │ │ │ │
│ │ │ │ │ │ (grafana-ingress) │ │ │ │
│ │ │ └────────────────────────┘ └───────────────────────────────┘ │ │ │
│ │ │ │ │ │
│ │ │ ┌──────────────────────────────────────────────────────────┐ │ │ │
│ │ │ │ Kubernetes Add-ons & CSI Drivers │ │ │ │
│ │ │ │ • AWS Load Balancer Controller (LBC) │ │ │ │
│ │ │ │ • EBS CSI Driver (Dynamic Storage Provisioning) │ │ │ │
│ │ │ │ • Secrets Store CSI Driver + ASCP │ │ │ │
│ │ │ │ • Metrics Server (HPA & Resource Monitoring) │ │ │ │
│ │ │ │ • Pod Identity Agent (IAM for Pods) │ │ │ │
│ │ │ └──────────────────────────────────────────────────────────┘ │ │ │
│ │ └────────────────────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ ┌──────────────────────────────────────────────────────────────┐ │ │
│ │ │ VPC Networking │ │ │
│ │ │ • Private Subnets (2 AZs) for EKS Nodes │ │ │
│ │ │ • Public Subnets (2 AZs) for ALB & NAT Gateways │ │ │
│ │ │ • NAT Gateways for Egress Traffic │ │ │
│ │ │ • Security Groups for EKS & ALB │ │ │
│ │ └──────────────────────────────────────────────────────────────┘ │ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────┐
│ AWS External Services & Storage │
├─────────────────────────────────────────────────────────────────────────────┤
│ • Amazon ECR (Elastic Container Registry) │
│ - Stores Docker images for backend & frontend │
│ │
│ • AWS Secrets Manager │
│ - Manages database credentials and secrets │
│ │
│ • Amazon EBS (Elastic Block Storage) │
│ - Persistent volumes for MySQL database │
│ │
│ • AWS S3 (Terraform State Backend) │
│ - Stores Terraform state files (vpc & eks) │
│ │
│ • AWS Systems Manager Parameter Store │
│ - Optional parameter storage alongside Secrets Manager │
└─────────────────────────────────────────────────────────────────────────────┘
Internet User
↓
skillpulse.cloud2devops.online
↓
Route53 DNS Resolution
↓
AWS Application Load Balancer (ALB)
├─ ACM TLS Certificate Attached
└─ TLS Termination Happens Here
↓
ALB Listener Rules (Host-based Routing)
↓
Kubernetes Ingress Resource
↓
Frontend Service (ClusterIP)
↓
Frontend Pod (Nginx + JavaScript)
↓
Backend Service (ClusterIP)
↓
Backend Pod (Go API)
↓
MySQL Service
↓
MySQL StatefulSet Pod
(Response travels back through Backend → Frontend → Services → Ingress → ALB)
↓
HTTPS Response Returned to User
Developer pushes code to GitHub
↓
GitHub Actions CI Pipeline Triggered
├─ Security Job
│ ├─ Checkout repository
│ ├─ Gitleaks secret scan
│ ├─ Hadolint scan (backend Dockerfile)
│ ├─ Hadolint scan (frontend Dockerfile)
│ ├─ Setup Go environment
│ └─ Govulncheck scan
│
├─ Build, Scan & Push Job (Matrix Strategy)
│ ├─ Services: backend, frontend
│ ├─ Docker Buildx setup
│ ├─ Generate image tag (Git commit SHA)
│ ├─ Configure AWS authentication (OIDC)
│ ├─ Login to Amazon ECR
│ ├─ Build Docker images
│ ├─ Trivy vulnerability scan
│ └─ Push images to Amazon ECR
│
└─ CI pipeline completed successfully
↓
GitHub Actions CD workflow triggered (workflow_run)
↓
Kubernetes manifests updated (image tag bump)
├─ Backend image updated
├─ Frontend image updated
└─ Commit SHA-based versioning applied
↓
Commit & push updated manifests to GitHub
↓
ArgoCD detects Git changes
↓
ArgoCD reconciles desired state
↓
Kubernetes applies updated manifests
├─ New pods deployed
├─ Old pods terminated
└─ HPA adjusts replicas automatically
↓
Application updated on Amazon EKS cluster
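The "image tag bump" step of the CD flow above, as an added example written for this page rather than taken from the repository's cd-k8s.yml: it rewrites the `image:` lines of a constructed Deployment manifest so the project's own images carry the full commit SHA, refuses short or non-hex values before anything is committed, and separately lists images that are still mutable (untagged or `latest`), which is the property immutable SHA versioning exists to remove. The registry hostname, image names and the commit SHA are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample standing in for k8s/08-backend-deployment.yaml. The
// registry hostname and image names are assumptions, not values from the repo.
const sampleManifest = `apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
spec:
  template:
    spec:
      containers:
        - name: backend
          image: 123456789012.dkr.ecr.ap-south-1.amazonaws.com/skillpulse-backend:latest
        - name: metrics-sidecar
          image: public.ecr.aws/example/exporter
`

// imageRef captures the "image:" key (with indentation), the repository and an
// optional tag. The lazy repository match keeps a registry port (host:5000/x)
// out of the tag group, because the tag group may not contain "/".
var imageRef = regexp.MustCompile(`^(\s*-?\s*image:\s*)(\S+?)(?::([^:/\s]+))?\s*$`)

// fullSHA is what "Generate image tag (Git commit SHA)" must produce: 40 hex chars.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// MutableImages lists images that are untagged or tagged "latest". Both
// re-resolve on every pull, so a rollback or an audit cannot tell what ran.
func MutableImages(manifest string) []string {
	var out []string
	for _, line := range strings.Split(manifest, "\n") {
		if strings.Contains(line, "@sha256:") {
			continue // digest-pinned: immutable by construction
		}
		m := imageRef.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		switch m[3] {
		case "":
			out = append(out, m[2])
		case "latest":
			out = append(out, m[2]+":latest")
		}
	}
	return out
}

// BumpImageTags rewrites every image under registryPrefix to carry commitSHA as
// its tag, which is what the CD workflow commits back for ArgoCD to reconcile.
// Images outside the project's registry and digest-pinned images are untouched.
func BumpImageTags(manifest, registryPrefix, commitSHA string) (string, int, error) {
	if !fullSHA.MatchString(commitSHA) {
		return "", 0, fmt.Errorf("refusing tag %q: need the full 40-char lowercase hex commit SHA", commitSHA)
	}
	lines := strings.Split(manifest, "\n")
	changed := 0
	for i, line := range lines {
		if strings.Contains(line, "@sha256:") {
			continue
		}
		m := imageRef.FindStringSubmatch(line)
		if m == nil || !strings.HasPrefix(m[2], registryPrefix) {
			continue
		}
		lines[i] = m[1] + m[2] + ":" + commitSHA
		changed++
	}
	if changed == 0 {
		return "", 0, errors.New("no image under " + registryPrefix + " found: wrong manifest or registry")
	}
	return strings.Join(lines, "\n"), changed, nil
}

func main() {
	const sha = "3f2c9a1b7d4e5f60718293a4b5c6d7e8f9a0b1c2" // constructed commit SHA
	fmt.Println("mutable before bump:", MutableImages(sampleManifest))
	out, n, err := BumpImageTags(sampleManifest, "123456789012.dkr.ecr.ap-south-1.amazonaws.com/", sha)
	if err != nil {
		panic(err)
	}
	fmt.Printf("rewrote %d image line(s):\n%s", n, out)
	fmt.Println("mutable after bump:", MutableImages(out))
}
```

Failing closed on a zero-match bump matters in a GitOps loop: a rename of the manifest or registry would otherwise produce a "successful" CD run that commits nothing, and ArgoCD would keep the old image with no error anywhere.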
AWS Secrets Manager
↓
ASCP (AWS Secrets Manager Provider)
↓
Secrets Store CSI Driver
↓
SecretProviderClass Resource
↓
Mounted as Volume Inside Pod
↓
Backend Pod / MySQL StatefulSet Pod
↓
Backend / MySQL read their credentials as files from the mounted volume (nothing stored in Git or baked into the image)
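How the last step of that flow looks from inside the backend, as an added example (not the repository's own database package): the Secrets Store CSI driver presents each Secrets Manager value as a file in the mounted directory, and the container reads those files at startup. The mount path and the file names `db-user` / `db-password` are assumptions about the `objectAlias` values in k8s/03-secretproviderclass.yaml and the Deployment's `volumeMounts`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// DBCredentials is what the backend needs to open its MySQL connection.
type DBCredentials struct {
	User     string
	Password string
}

// LoadDBCredentials reads one file per secret key from the directory where the
// Secrets Store CSI driver mounted the SecretProviderClass volume. The file
// names ("db-user", "db-password") are assumptions about the objectAlias values
// in k8s/03-secretproviderclass.yaml, not values taken from the repository.
func LoadDBCredentials(mountDir string) (DBCredentials, error) {
	user, err := readSecretFile(mountDir, "db-user")
	if err != nil {
		return DBCredentials{}, err
	}
	pass, err := readSecretFile(mountDir, "db-password")
	if err != nil {
		return DBCredentials{}, err
	}
	return DBCredentials{User: user, Password: pass}, nil
}

func readSecretFile(dir, name string) (string, error) {
	// filepath.Base stops a key name such as "../etc/passwd" from leaving the mount.
	p := filepath.Join(dir, filepath.Base(name))
	data, err := os.ReadFile(p)
	if err != nil {
		// No fallback to an env var or a default: a missing mount means the CSI
		// driver, ASCP or the Pod Identity role is misconfigured, and the pod
		// should exit so the rollout stalls instead of running with a guessed password.
		return "", fmt.Errorf("secret %q not available under %s: %w", name, dir, err)
	}
	// ASCP writes the raw secret value. Strip a trailing newline an operator may
	// have pasted into Secrets Manager; MySQL would treat it as part of the password.
	v := strings.TrimRight(string(data), "\r\n")
	if v == "" {
		return "", fmt.Errorf("secret %q is empty", name)
	}
	return v, nil
}

// Redacted is the only form of the credentials that should reach logs.
func (c DBCredentials) Redacted() string {
	return fmt.Sprintf("user=%s password=<%d bytes>", c.User, len(c.Password))
}

func main() {
	dir := os.Getenv("SECRETS_MOUNT_DIR") // assumed to match the Deployment's volumeMount
	if dir == "" {
		dir = "/mnt/secrets-store"
	}
	creds, err := LoadDBCredentials(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, "startup failed:", err)
		os.Exit(1)
	}
	fmt.Println("loaded", creds.Redacted())
}
```

Reading from the mount rather than from environment variables keeps the password out of `kubectl describe pod`, crash dumps of the environment and child processes; the empty-value check catches the common case where the Secrets Manager entry exists but was created with a blank value.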
Kubernetes PersistentVolumeClaim (PVC)
↓
EBS CSI Driver
↓
Amazon EBS API
↓
Amazon EBS Volume (gp3) Provisioned
↓
PersistentVolume (PV) Created & Bound to PVC
↓
Mounted into MySQL StatefulSet Pod
↓
Persistent MySQL Storage
Kubernetes Cluster
↓
Metrics Exporters & Resource Metrics
├─ Application Metrics
├─ Node Exporter Metrics
├─ kube-state-metrics
└─ Kubernetes Metrics Server
↓
Prometheus Scrapes & Stores Metrics
↓
Grafana Pod Queries Prometheus
────────────────────────
DevOps Engineer
↓
grafana.cloud2devops.online
↓
Route53 DNS Resolution
↓
AWS Application Load Balancer (ALB)
├─ ACM TLS Certificate Attached
└─ TLS Termination Happens Here
↓
ALB Listener Rules (Host-based Routing)
↓
Grafana Ingress Resource
↓
Grafana Service
↓
Grafana Pod
↓
Grafana Dashboards Visualize Metrics
DevOps Engineer
↓
argocd.cloud2devops.online
↓
Route53 DNS Resolution
↓
AWS Application Load Balancer (ALB)
├─ ACM TLS Certificate Attached
└─ TLS Termination Happens Here
↓
ALB Listener Rules (Host-based Routing)
↓
ArgoCD Ingress Resource
↓
argocd-server Service
↓
argocd-server Pod
↓
ArgoCD Watches Git Repository
↓
Detects Kubernetes Manifest Changes
↓
ArgoCD Reconciles Desired State
↓
Kubernetes Cluster State Updated
| Category | Technology |
|---|---|
| Cloud Provider | AWS |
| Container Orchestration | Amazon EKS |
| Infrastructure as Code | Terraform |
| GitOps | ArgoCD |
| CI/CD | GitHub Actions |
| Container Registry | Amazon ECR |
| Backend | Go |
| Frontend | Nginx + JavaScript |
| Database | MySQL |
| Ingress | AWS Load Balancer Controller |
| Secrets Management | AWS Secrets Manager |
| Kubernetes Secrets Integration | Secrets Store CSI + ASCP |
| Persistent Storage | Amazon EBS CSI Driver |
| Monitoring | Prometheus + Grafana |
| DNS | Route53 |
| TLS Certificates | AWS ACM |
| Security Scanning | Trivy, Gitleaks, Hadolint, Govulncheck |
- Deployments
- StatefulSets
- Services
- Ingress Resources
- Horizontal Pod Autoscaler (HPA)
- PersistentVolumeClaims (PVC)
- ConfigMaps
- ServiceAccounts
- SecretProviderClass
- Terraform-managed AWS infrastructure
- Amazon EKS cluster provisioning
- GitOps-based Kubernetes deployments
- ArgoCD automated reconciliation
- GitHub Actions CI/CD pipelines
- Secure GitHub OIDC authentication
- AWS Application Load Balancer (ALB) ingress
- Route53 DNS integration
- ACM-managed HTTPS/TLS
- Secrets Manager integration using CSI Driver
- Dynamic EBS persistent storage provisioning
- Kubernetes Horizontal Pod Autoscaling
- Immutable Docker image deployments
- Security scanning integrated into CI
- Monitoring stack deployment with Grafana & Prometheus
- Production-style Kubernetes manifest orchestration using ArgoCD sync waves
- GitHub OIDC federation with AWS IAM
- No long-lived AWS credentials stored in GitHub
- Secrets stored securely in AWS Secrets Manager
- Pod-level IAM access using EKS Pod Identity
- Vulnerability scanning integrated into CI pipeline
- HTTPS enforced using ACM certificates
- Kubernetes readiness, liveness, and startup probes
- Immutable image deployments using commit SHAs
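The GitHub OIDC federation above only removes long-lived credentials if the IAM role's trust policy is scoped correctly: the `aud` condition must be `sts.amazonaws.com` and the `sub` condition must name this repository (and ideally the branch), otherwise any GitHub Actions run anywhere can assume the role. The following is an added review check written for this page, not code from the repository; the two trust policies are constructed, and the account ID and repository name are assumptions (the repo's own iam-policy-json-files/trust-policy.json is not reproduced).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed trust policy as it should look: aud pinned, sub scoped to one repo and branch.
const strictTrust = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Federated":"arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
 "Action":"sts:AssumeRoleWithWebIdentity",
 "Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"},
  "StringLike":{"token.actions.githubusercontent.com:sub":"repo:example-org/skillpulse:ref:refs/heads/main"}}}]}`

// Same role with the sub condition forgotten: every GitHub Actions run presents
// a token with aud=sts.amazonaws.com, so any repository could assume this role
// and push to the project's ECR.
const weakTrust = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Federated":"arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
 "Action":"sts:AssumeRoleWithWebIdentity",
 "Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"}}}]}`

type statement struct {
	Effect    string
	Principal json.RawMessage
	Action    json.RawMessage
	Condition map[string]map[string]json.RawMessage
}

// asStrings accepts the IAM "string or list of strings" shape.
func asStrings(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

func isGitHubOIDC(principal json.RawMessage) bool {
	var m map[string]json.RawMessage
	if json.Unmarshal(principal, &m) != nil {
		return false // "*" or a bare ARN string: not a federated OIDC principal
	}
	for _, p := range asStrings(m["Federated"]) {
		if strings.HasSuffix(p, "/token.actions.githubusercontent.com") {
			return true
		}
	}
	return false
}

// condValues gathers the values bound to key under the operators that actually
// restrict the caller. IAM condition keys are case-insensitive.
func condValues(cond map[string]map[string]json.RawMessage, key string) []string {
	var out []string
	for op, kv := range cond {
		if op != "StringEquals" && op != "StringLike" {
			continue
		}
		for k, raw := range kv {
			if strings.EqualFold(k, key) {
				out = append(out, asStrings(raw)...)
			}
		}
	}
	return out
}

// CheckGitHubTrust returns the findings a reviewer would raise against a role
// trust policy meant for GitHub Actions OIDC. repo is "owner/name".
func CheckGitHubTrust(policyJSON, repo string) ([]string, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, fmt.Errorf("trust policy is not valid JSON: %w", err)
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" || !isGitHubOIDC(st.Principal) {
			continue
		}
		if !strings.Contains(strings.Join(asStrings(st.Action), ","), "sts:AssumeRoleWithWebIdentity") {
			continue
		}
		tag := fmt.Sprintf("statement %d: ", i)
		if aud := condValues(st.Condition, "token.actions.githubusercontent.com:aud"); len(aud) != 1 || aud[0] != "sts.amazonaws.com" {
			findings = append(findings, tag+"aud must be exactly sts.amazonaws.com")
		}
		subs := condValues(st.Condition, "token.actions.githubusercontent.com:sub")
		if len(subs) == 0 {
			findings = append(findings, tag+"no sub condition: any GitHub repository can assume this role")
		}
		for _, s := range subs {
			switch {
			case !strings.HasPrefix(s, "repo:"+repo+":"):
				findings = append(findings, tag+"sub "+s+" is not scoped to repo "+repo)
			case strings.HasSuffix(s, ":*") || strings.HasSuffix(s, "/heads/*"):
				findings = append(findings, tag+"sub "+s+" matches any branch, including unreviewed ones")
			}
		}
	}
	return findings, nil
}

func main() {
	for name, policy := range map[string]string{"strict": strictTrust, "weak": weakTrust} {
		f, err := CheckGitHubTrust(policy, "example-org/skillpulse")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s policy: %d finding(s) %v\n", name, len(f), f)
	}
}
```

A `sub` of `repo:owner/name:*` passes the repository check but lets a pull request from a fork branch assume the deploy role, which is why the check also flags branch wildcards; pinning to `ref:refs/heads/main` (or an `environment:` claim) keeps the ECR push right on the reviewed branch.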
The cluster includes:
- Prometheus — Metrics collection and querying
- Grafana — Visualization dashboards
- Kubernetes Metrics Server — Resource utilization metrics
Grafana is exposed through the shared ALB Ingress with TLS terminated at the ALB using an ACM certificate. The endpoint is reachable from the Internet, so access control rests on Grafana's own login rather than on the network path.
| Service | URL |
|---|---|
| SkillPulse Application | https://skillpulse.cloud2devops.online |
| ArgoCD Dashboard | https://argocd.cloud2devops.online |
| Grafana Dashboard | https://grafana.cloud2devops.online |
Note: All three endpoints are public. The ALB terminates TLS with ACM-managed certificates; authentication to ArgoCD and Grafana is handled by each application, so their admin credentials deserve the same care as the AWS credentials.
- docs/prerequisites.md — Configure AWS OIDC, GitHub Secrets, Route53, ACM, ECR, S3, and Secrets Manager.
- docs/infra.md — Provision VPC and EKS cluster using Terraform.
- docs/deployment.md — Connect to EKS, verify add-ons, deploy ingress, configure IAM, and deploy the application via ArgoCD.
- docs/github-actions.md — Understand the CI/CD pipeline for automated builds and deployments.
- docs/destroy.md — Clean up all infrastructure resources created via Terraform and Kubernetes.