Secure observable Flask application for a multi-repository GitOps Kubernetes platform.
This repository contains the application layer of Project 4: application code, tests, CI, container build logic, image publishing, security scanning, and Prometheus instrumentation.
The Kubernetes environment and deployment governance are intentionally separated into a dedicated environment repository:
This separation reflects a production-style GitOps model where application delivery and environment governance have different responsibilities.
gitops-observability-platform-app is responsible for:
- Flask application source code
- automated tests
- Docker image build
- immutable image publishing to GHCR
- GitHub Actions CI
- Trivy container image scanning
- Python dependency scanning with pip-audit
- Prometheus application metrics
It does not own:
- Kubernetes manifests
- environment overlays
- ArgoCD Applications
- RBAC / NetworkPolicy / Ingress / TLS configuration
- cluster-side deployment governance
Those responsibilities belong to gitops-observability-platform-env.
```text
Developer
  |
  | push code
  v
GitHub repository: gitops-observability-platform-app
  |
  | GitHub Actions
  |   - tests
  |   - Docker build
  |   - Trivy image scan
  |   - GHCR push
  v
GHCR image: ghcr.io/bynflow/gitops-observability-platform-app:sha-*
  |
  | selected by env repo
  v
gitops-observability-platform-env
  |
  | ArgoCD reconciliation
  v
Kubernetes runtime
```
The application repository produces immutable artifacts. The environment repository decides which artifact runs in each environment.
| Endpoint | Purpose |
|---|---|
| `/` | Main Flask application page |
| `/health` | Health check endpoint |
| `/metrics` | Prometheus metrics endpoint |
The application exposes Prometheus-compatible metrics through `/metrics`.
Implemented metrics include:
- request counters
- error counters
- request latency histograms
This provides a first application-level observability baseline based on golden signals:
- traffic
- errors
- latency
Example metrics:

```text
app_requests_total
app_errors_total
app_request_duration_seconds
```
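As an added example (not the repository's own code), a dependency-free WSGI middleware that records the three metrics named above with golden-signal labels and serves them on `/metrics` in the Prometheus text format. It wraps any WSGI callable, so a Flask app can be wrapped the same way; `BUCKETS`, `Metrics` and `instrument` are names chosen here.

```python
import time
from collections import defaultdict

BUCKETS = (0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0, 10.0)  # latency buckets, seconds

class Metrics:  # traffic, errors and latency under the metric names the app exposes
    def __init__(self):
        self.requests = defaultdict(int)  # (method, path, status) -> hits
        self.errors = defaultdict(int)    # (method, path) -> 5xx hits
        self.hist = defaultdict(lambda: [0.0, 0] + [0] * (len(BUCKETS) + 1))  # path -> [sum, count, buckets.., +Inf]

    def observe(self, method, path, status, seconds):
        self.requests[(method, path, status)] += 1
        if status >= 500:
            self.errors[(method, path)] += 1
        h = self.hist[path]
        h[0], h[1] = h[0] + seconds, h[1] + 1
        for i, le in enumerate(BUCKETS + (float("inf"),)):
            h[2 + i] += seconds <= le  # cumulative buckets, +Inf last

    def render(self):  # Prometheus text exposition format: the body served on /metrics
        out = ["# TYPE app_requests_total counter"]
        out += [f'app_requests_total{{method="{m}",path="{p}",status="{s}"}} {v}'
                for (m, p, s), v in sorted(self.requests.items())]
        out.append("# TYPE app_errors_total counter")
        out += [f'app_errors_total{{method="{m}",path="{p}"}} {v}' for (m, p), v in sorted(self.errors.items())]
        out.append("# TYPE app_request_duration_seconds histogram")
        for p, h in sorted(self.hist.items()):
            out += [f'app_request_duration_seconds_bucket{{path="{p}",le="{le}"}} {v}'
                    for le, v in zip(BUCKETS + ("+Inf",), h[2:])]
            out += [f'app_request_duration_seconds_sum{{path="{p}"}} {h[0]}',
                    f'app_request_duration_seconds_count{{path="{p}"}} {h[1]}']
        return "\n".join(out) + "\n"

def instrument(app, metrics):  # WSGI middleware: wraps any WSGI app (a Flask app is one), answers /metrics itself
    def wrapped(environ, start_response):
        path, method = environ.get("PATH_INFO", "/"), environ.get("REQUEST_METHOD", "GET")
        if path == "/metrics":  # the scrape is served here and not counted as application traffic
            start_response("200 OK", [("Content-Type", "text/plain; version=0.0.4")])
            return [metrics.render().encode()]
        seen = []
        def record(status, headers, exc_info=None):  # capture the status the app reports;
            seen.append(int(status.split()[0]))       # Flask turns unhandled exceptions into a 500
            return start_response(status, headers, exc_info)
        t0 = time.perf_counter()
        body = list(app(environ, record))  # materialise the body so latency covers the full response
        metrics.observe(method, path, seen[-1], time.perf_counter() - t0)
        return body
    return wrapped
```

Labelling by raw `PATH_INFO` is fine for a demo, but unbounded paths (IDs, 404 probes) inflate label cardinality and the scrape payload; in Flask, label by the matched `url_rule` instead.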
This repository includes a minimal but real DevSecOps baseline:
- Trivy image vulnerability scanning
- GitHub Actions security gate for critical vulnerabilities
- Python dependency audit using pip-audit
- generated dependency lock file excluded from Git
- immutable image tags based on commit SHA
The security model distinguishes between:
- Image scan → container artifact vulnerabilities
- Dependency scan → Python library vulnerabilities
- Secret handling → managed at Kubernetes runtime in gitops-observability-platform-env
The GitHub Actions pipeline performs:
- Python test execution
- Docker image build
- immutable image tagging
- GHCR image publishing
- Trivy container image scan
Images are published using SHA-based tags:

```text
ghcr.io/bynflow/gitops-observability-platform-app:sha-<commit>
```
This enables deterministic promotion through the GitOps environment repository.
Run tests:

```shell
python -m pytest -q
```

Run the application locally:

```shell
python -m app.app
```

Check health:

```shell
curl http://localhost:5000/health
```

Check metrics:

```shell
curl http://localhost:5000/metrics
```

Repository layout:

```text
gitops-observability-platform-app/
├── app/
│   ├── app.py
│   └── templates/
├── tests/
├── Dockerfile
├── requirements.txt
├── pytest.ini
└── .github/workflows/
```
This repository demonstrates:
- application-level CI
- containerized Python application delivery
- immutable artifact production
- Prometheus application instrumentation
- security scanning in CI
- separation between application ownership and environment ownership
- portfolio-grade DevOps workflow design
Environment and GitOps governance repository: