Secure and Automate Kubernetes Deployments with ArgoCD and DevSecOps

8 min read
devsecops argocd kubernetes springboot gitops canary

In the world of cloud-native applications, speed and security are not mutually exclusive—they are essential partners. DevSecOps embeds security into every phase of the development lifecycle, while GitOps, powered by tools like ArgoCD, brings automation and consistency to deployments. Combining these two practices creates a robust, secure, and efficient continuous delivery pipeline.

This article explores how to build a DevSecOps workflow around a Java Spring Boot application running on Kubernetes, using ArgoCD as the GitOps controller. We’ll cover CI security scanning, policy enforcement, secret management, and advanced deployment strategies like canary releases.

The Core Idea: GitOps and DevSecOps

DevSecOps is a cultural and technical shift that integrates security practices into the DevOps process. Instead of treating security as a final gate before release, it becomes a shared responsibility of development, security, and operations teams.

GitOps is an operational framework that takes DevOps best practices like version control, collaboration, CI/CD, and applies them to infrastructure automation. It uses a Git repository as the single source of truth for declarative infrastructure and applications. ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes that automates the deployment of applications and ensures the live state of your cluster matches the state defined in Git.

By marrying these two, we achieve a system where every change to our application and its environment is version-controlled, automatically scanned for security vulnerabilities, and safely rolled out to production.

Architecture Overview: Spring Boot App on Kubernetes

Let’s consider a typical microservices setup: a RESTful MVC Spring Boot application. To run it on Kubernetes, we need at least two main resources: a Deployment to manage the application pods and a Service to expose them.

Here is a high-level view of our target architecture:

Kubernetes Cluster

Application Namespace

Pushes code/config

Accesses

ArgoCD Controller

Syncs

App Manifests in Git

Manages

Deployment

ReplicaSet

Pods: Spring Boot App

Service

Developer

User

Step 1: Integrating Security into the CI Pipeline

Before ArgoCD deploys anything, we must ensure the application code and container image are secure. This is where a robust CI (Continuous Integration) pipeline comes in.

Our CI pipeline, triggered on every commit, should perform several automated security checks:

  1. Static Application Security Testing (SAST): Scans the source code for vulnerabilities like SQL injection, cross-site scripting (XSS), and insecure configurations. Tools like SonarQube or Snyk Code are excellent for this.
  2. Software Composition Analysis (SCA): Analyzes dependencies (pom.xml in our case) for known vulnerabilities (CVEs). OWASP Dependency-Check or Snyk Open Source can automate this.
  3. Container Image Scanning: Once the application is packaged into a container image, tools like Trivy or Clair scan the image layers for OS and library vulnerabilities.

Here’s what that CI pipeline looks like:

B(CI Pipeline Starts)

B —> C{Build & Unit Test} C —> D{SAST Scan} D —> E{SCA Scan} E —> F(Build Container Image) F —> G{Image Scan} G —> H(Push to Registry) subgraph “Security Gates” direction LR D — Fails? —> X(Block & Alert) E — Fails? —> X G — Fails? —> X end

style X fill:#f00,color:#fff

-->

If any scan fails to meet the configured security threshold, the pipeline stops, preventing the insecure artifact from ever reaching a container registry.

## Step 2: Declarative Deployments with ArgoCD

With a secure image in our registry, we can now use ArgoCD to deploy it. First, we define our Spring Boot application as an ArgoCD `Application` custom resource.

`argocd-app.yaml`:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: springboot-mvc-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'https://github.com/your-org/k8s-configs.git' # Your config repository
    path: 'apps/springboot-mvc-app'
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: my-app-ns
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

This tells ArgoCD to monitor the apps/springboot-mvc-app directory in the specified Git repository and keep the my-app-ns namespace in sync with the manifests defined there.

Step 3: Enforcing Policies with OPA

While CI scans check our artifacts, what about the Kubernetes manifests themselves? Are they secure? Do they comply with company policy? This is where Open Policy Agent (OPA) comes in.

OPA is an admission controller that intercepts requests to the Kubernetes API server and validates them against policies written in a language called Rego. We can write policies to enforce rules like:

  • All container images must come from a trusted registry.
  • Containers must not run as the root user.
  • Every Deployment must have resource limits defined.

Example Rego Policy (deny non-HTTPS ingress):

package kubernetes.admission

deny[msg] {
  input.request.kind.kind == "Ingress"
  not input.request.object.spec.tls
  msg := "Ingress must have TLS configured."
}

ArgoCD works seamlessly with OPA. If a developer commits a manifest that violates a policy, the git push succeeds, but ArgoCD’s sync operation will fail because the OPA admission controller rejects the non-compliant resource. This provides a crucial runtime security gate.

Step 4: Secure Secret Management

Storing secrets like API keys or database passwords in plain text in Git is a major security risk. Two popular solutions in a GitOps world are Bitnami Sealed Secrets and the ArgoCD Vault Plugin (AVP).

Let’s look at Sealed Secrets. It encrypts a standard Kubernetes Secret into a SealedSecret custom resource, which is safe to commit to Git. Only the controller running in the cluster can decrypt it.

Workflow:

  1. Create a regular Secret YAML file.
  2. Use the kubeseal CLI to encrypt it: kubeseal < secret.yaml > sealed-secret.yaml
  3. Commit sealed-secret.yaml to your Git repository.
  4. ArgoCD applies the SealedSecret, and the controller decrypts it into a standard Secret in the cluster.

This way, your secrets are secured both in Git and in transit.

Step 5: Advanced Deployments - Canary Releases with Argo Rollouts

Standard Kubernetes deployments are effective but limited. A rolling update, for instance, replaces pods incrementally but doesn’t offer fine-grained control or automated analysis.

Argo Rollouts is a progressive delivery controller that replaces the standard Deployment object with an advanced Rollout object. It supports strategies like canary and blue-green deployments.

A canary release directs a small percentage of traffic to the new version while keeping the stable version running. We can analyze performance and error metrics from the canary before gradually increasing traffic or rolling back if issues arise.

Example Rollout Manifest for our Spring Boot App:

apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: springboot-mvc-rollout
spec:
  replicas: 5
  strategy:
    canary:
      steps:
      - setWeight: 20 # Send 20% of traffic to the new version
      - pause: { duration: 5m } # Wait 5 minutes for analysis
      - setWeight: 50
      - pause: { duration: 10m }
      # ... more steps until 100%
  # ... rest of the pod template

Argo Rollouts integrates with metrics providers like Prometheus to perform automated analysis. It can query Prometheus for metrics like HTTP error rates or request latency. If these metrics exceed a defined threshold, the rollout is automatically aborted.

Canary Deployment Flow:

Metrics OK?

Metrics Bad?

Start Rollout

Canary Deployed at 1 Replica

Traffic Split: 95% Stable, 5% Canary

Analysis: Monitor Metrics

Promote: Increase Traffic

Rollback: Terminate Canary

Repeat until 100% Traffic

Old Version Retired

The Complete DevSecOps Workflow

Bringing it all together, our complete workflow from code to production looks like this:

  1. Commit: A developer pushes code or a Kubernetes manifest change to a feature branch.
  2. CI & Security: The CI pipeline runs, performing SAST, SCA, and image scans.
  3. Merge: Upon success, the code is merged to the main branch.
  4. ArgoCD Sync: ArgoCD detects the change in the Git repository.
  5. OPA Validation: As ArgoCD applies the manifests, OPA validates them against security policies.
  6. Argo Rollouts: Argo Rollouts initiates a canary release.
  7. Analysis: The rollout is paused for automated analysis of key performance metrics.
  8. Promote or Rollback: Based on the analysis, the new version is either fully promoted or automatically rolled back.

This end-to-end automation ensures that every change is version-controlled, thoroughly vetted for security, and deployed in a safe, controlled manner.

Conclusion

By combining DevSecOps principles with the power of ArgoCD and its ecosystem, we can build a highly automated, secure, and resilient deployment pipeline for our Spring Boot applications. This GitOps-centric approach not only improves security posture by shifting security left but also enhances developer productivity and operational stability. It turns your Git repository into a comprehensive, auditable, and actionable record of your entire application lifecycle.

References