🤖 Automated CI/CD Orchestration: Flask & Kubernetes Pipeline

"Because manually deploying is like handing out free downtime coupons"

Ready to automate your deployments? This guide extends our Gitea setup with a robust CI/CD pipeline using Flask and Kubernetes. By the end, you'll have push-to-deploy magic! ✨

🔧 Pipeline Architecture

system-flow.md
1. Developer pushes code → Triggers GitLab webhook
2. Orchestration server receives payload
   ↳ Validates request
   ↳ Extracts repo/branch info
3. Kubernetes test job starts
   ↳ Clones repository
   ↳ Runs tests
4. If tests pass → Deploy to production
5. Monitoring → Alert if health checks fail

Key Benefits

  • Full automation from code push to production
  • Isolated testing environment
  • Automatic rollback on failure

🚀 Core Components

orchestration.py
import hmac
import logging
import os
import subprocess
import uuid

from flask import Flask, request

app = Flask(__name__)
app.logger.setLevel(logging.INFO)

# Shared secret configured under GitLab → Settings → Webhooks; GitLab sends it
# back in the X-Gitlab-Token header on every delivery. (Env var name assumed.)
WEBHOOK_SECRET = os.environ["WEBHOOK_SECRET"]

# The clone-and-test script takes the repo URL and branch as positional
# parameters ($1/$2) rather than interpolating them into the string, so
# webhook-controlled values are never parsed as shell syntax inside the job.
TEST_SCRIPT = (
    'git clone --depth 1 --branch "$2" -- "$1" /app && cd /app '
    '&& pip install -r requirements.txt && pytest tests/'
)

def trigger_pipeline(repo_url: str, branch: str) -> bool:
    # Create Kubernetes test job. A unique name is required: a fixed name
    # fails with "AlreadyExists" on the second push until the old Job is deleted.
    job_name = f"test-runner-{uuid.uuid4().hex[:8]}"
    result = subprocess.run([
        'kubectl', 'create', 'job', job_name,
        '--image=python:3.9',
        '--namespace=test',
        '--', 'sh', '-c', TEST_SCRIPT, 'sh', repo_url, branch
    ], capture_output=True, text=True)

    if result.returncode != 0:
        app.logger.error("Pipeline failed: %s", result.stderr)
        return False
    app.logger.info("Created job %s for %s@%s", job_name, repo_url, branch)
    return True

@app.route('/webhook', methods=['POST'])
def handle_webhook():
    # Reject deliveries that do not carry the configured secret token
    token = request.headers.get('X-Gitlab-Token', '')
    if not hmac.compare_digest(token.encode(), WEBHOOK_SECRET.encode()):
        return "Forbidden", 403

    # Validate webhook payload (silent=True yields None instead of raising on non-JSON bodies)
    payload = request.get_json(silent=True) or {}
    repo_data = payload.get('repository') or {}
    ref = payload.get('ref', '')
    if 'git_http_url' not in repo_data or not ref.startswith('refs/heads/'):
        return "Invalid payload", 400

    # Strip the whole ref prefix; split('/')[-1] would turn refs/heads/feature/x into "x"
    branch = ref[len('refs/heads/'):]
    success = trigger_pipeline(
        repo_url=repo_data['git_http_url'],
        branch=branch
    )

    return ("Pipeline started", 202) if success else ("Pipeline failed", 500)

What This Does:

  • Webhook endpoint for GitLab integration
  • Validates incoming payloads
  • Triggers Kubernetes test jobs
  • Handles errors gracefully

test-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: test-runner
  namespace: test
spec:
  backoffLimit: 0            # a failing test run is a result, not something to retry
  template:
    spec:
      containers:
      - name: tester
        image: python:3.9-slim
        env:
          - name: REPO_URL   # set by the orchestrator when it submits the Job
            value: "<REPO_URL placeholder>"
        command: ["sh", "-c"]
        args:
          - |
            set -e           # abort on the first failing step
            # the slim image does not ship git, so install it before cloning
            apt-get update && apt-get install -y --no-install-recommends git
            git clone "${REPO_URL}" /test-code
            cd /test-code
            pip install -r requirements.txt
            pytest tests/
        resources:
          limits:
            memory: "512Mi"
            cpu: "500m"
      restartPolicy: Never

Key Features:

  • Resource-constrained testing environment
  • Automatic dependency installation
  • Proper test isolation

⚙️ Infrastructure Configuration

security-setup.sh
#!/bin/sh
set -eu

# Create namespaces
kubectl create namespace test
kubectl create namespace prod

# RBAC Configuration: the orchestration server only needs to manage Jobs in
# the test namespace, so that is all the role grants.
kubectl create role orchestration-role \
  --verb=create,delete,list \
  --resource=jobs \
  --namespace=test

# Bind the role to the service account the orchestration server runs as
# (here the default service account of the default namespace).
kubectl create rolebinding orchestration-binding \
  --role=orchestration-role \
  --serviceaccount=default:default \
  --namespace=test

Security Measures:

  • Namespace isolation
  • Least-privilege access
  • Service account constraints

🔗 GitLab Webhook Setup

webhook-config
GitLab → Settings → Webhooks:
- URL: http://[ORCH_IP]:5000/webhook
- Secret Token: [GENERATE_SECURE_TOKEN]
- Trigger: Push events
- SSL Verification: Enabled

Best Practices:

  • Use HTTPS with valid certificate
  • Rotate secrets regularly
  • Monitor webhook deliveries
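A stricter validator for the webhook configured above, added here as an example (not the original post's code): it checks the X-Gitlab-Token secret that GitLab sends back, restricts the clone URL to allow-listed HTTPS hosts, and parses the full refs/heads/ ref, including branch deletions. The header and payload field names are GitLab's; BRANCH_RE and the allow-list are assumed local policy.

```python
import hmac
import re
from urllib.parse import urlparse

# Branch names the pipeline is willing to hand to git (assumed local policy, not GitLab's rules).
BRANCH_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,100}")


class WebhookError(ValueError):
    """Raised for any delivery that must not start a job."""


def parse_push_event(headers: dict, payload: dict, secret: str,
                     allowed_hosts: set) -> tuple:
    """Return (repo_url, branch) for a trusted GitLab push event, else raise WebhookError."""
    # 1. GitLab echoes the configured secret token in X-Gitlab-Token; compare in constant time.
    token = headers.get("X-Gitlab-Token", "")
    if not hmac.compare_digest(token.encode(), secret.encode()):
        raise WebhookError("bad or missing X-Gitlab-Token")
    # 2. Only push events start a test job (tag pushes, merge requests etc. are dropped).
    if headers.get("X-Gitlab-Event") != "Push Hook" or payload.get("object_kind") != "push":
        raise WebhookError("not a push event")
    # 3. The job clones whatever URL it is given, so pin it to HTTPS and an allow-listed host.
    repo_url = (payload.get("repository") or {}).get("git_http_url", "")
    parts = urlparse(repo_url)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        raise WebhookError("repository host not allowed: %r" % repo_url)
    # 4. Strip the whole refs/heads/ prefix; split('/')[-1] would mangle feature/x branches.
    ref = payload.get("ref", "")
    if not ref.startswith("refs/heads/"):
        raise WebhookError("not a branch ref: %r" % ref)
    branch = ref[len("refs/heads/"):]
    if not BRANCH_RE.fullmatch(branch) or ".." in branch or branch.endswith("/"):
        raise WebhookError("unsafe branch name: %r" % branch)
    # 5. A branch deletion is delivered as a push whose 'after' SHA is all zeros.
    after = payload.get("after", "")
    if after and set(after) == {"0"}:
        raise WebhookError("branch deleted, nothing to test")
    return repo_url, branch


def is_trusted_push(headers: dict, payload: dict, secret: str, allowed_hosts: set) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_push_event(headers, payload, secret, allowed_hosts)
        return True
    except WebhookError:
        return False
```

In handle_webhook, call parse_push_event on request.headers and request.get_json(silent=True) and answer 403 or 400 on WebhookError before anything reaches kubectl.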

Ready to Automate Your Deployments?

Get the complete production-ready implementation including monitoring and alerting configurations.

Includes production-ready manifests and security policies