#!/bin/bash # GitOps Deployment Script # Author: Mayur Gandhi # Purpose: Zero-downtime deployment with GitOps validation set -eo pipefail # Configuration APP_NAME="financial-service" NAMESPACE="production" REPO_URL="git@github.com:devopsmayur/financial-service.git" CHART_PATH="./helm" VALUES_PATH="./helm/values/production.yaml" TIMEOUT="5m" # Color codes for output GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' NC='\033[0m' # No Color echo -e "${YELLOW}Starting GitOps deployment for ${APP_NAME}...${NC}" # Validate configuration echo "Validating Helm chart..." helm lint ${CHART_PATH} --values ${VALUES_PATH} # Validate Kubernetes manifests echo "Validating rendered Kubernetes manifests..." helm template ${APP_NAME} ${CHART_PATH} --values ${VALUES_PATH} | \ kubectl apply --dry-run=client -f - # Run security scan echo "Running security scan on Helm chart..." helm template ${APP_NAME} ${CHART_PATH} --values ${VALUES_PATH} | \ trivy config - --severity HIGH,CRITICAL # Check for existing failures FAILED_RELEASES=$(flux get helmreleases -n ${NAMESPACE} --status-selector ready=false -o json | jq -r '.items[].metadata.name') if [[ ! -z "$FAILED_RELEASES" ]]; then echo -e "${RED}Warning: Found failed releases in namespace:${NC}" echo $FAILED_RELEASES read -p "Continue anyway? (y/n) " -n 1 -r echo if [[ ! $REPLY =~ ^[Yy]$ ]]; then echo "Aborting deployment" exit 1 fi fi # Commit changes to GitOps repo echo "Committing changes to GitOps repository..." git clone ${REPO_URL} /tmp/gitops cp ${VALUES_PATH} /tmp/gitops/environments/${NAMESPACE}/values.yaml cd /tmp/gitops git add . git commit -m "Update ${APP_NAME} in ${NAMESPACE} - $(date)" git push # Wait for reconciliation echo "Waiting for Flux to reconcile changes..." 
kubectl wait --for=condition=Ready --timeout=${TIMEOUT} helmrelease/${APP_NAME} -n ${NAMESPACE} # Check deployment status DEPLOY_STATUS=$(kubectl get helmrelease ${APP_NAME} -n ${NAMESPACE} -o json | jq -r '.status.conditions[] | select(.type=="Ready") | .status') if [[ "$DEPLOY_STATUS" == "True" ]]; then echo -e "${GREEN}Deployment of ${APP_NAME} to ${NAMESPACE} successful!${NC}" # Get new pod status echo "New pods:" kubectl get pods -n ${NAMESPACE} -l app=${APP_NAME} -o wide # Run smoke tests echo "Running smoke tests..." ./tests/smoke-test.sh ${NAMESPACE} else echo -e "${RED}Deployment failed. Check Flux logs:${NC}" flux logs --level=error --tail=10 exit 1 fi # Custom Vault module for AWS, Azure and GCP secrets management locals { common_tags = { Environment = var.environment Project = var.project_name ManagedBy = "terraform" Owner = "devopsmayur" } } resource "aws_kms_key" "vault_seal" { description = "KMS Key for auto-unsealing Vault" deletion_window_in_days = 7 enable_key_rotation = true tags = local.common_tags } resource "aws_kms_alias" "vault_seal_alias" { name = "alias/vault-seal-${var.environment}" target_key_id = aws_kms_key.vault_seal.key_id } module "vault_cluster" { source = "./modules/vault-cluster" cluster_name = "vault-${var.environment}" cluster_size = var.vault_cluster_size instance_type = var.vault_instance_type vpc_id = var.vpc_id subnet_ids = var.private_subnet_ids allowed_inbound_cidr_blocks = var.allowed_inbound_cidr_blocks allowed_inbound_security_group_ids = var.allowed_inbound_security_group_ids auto_unseal_kms_key_arn = aws_kms_key.vault_seal.arn user_data = templatefile("${path.module}/templates/user-data-vault.sh.tpl", { aws_region = var.aws_region kms_key_id = aws_kms_key.vault_seal.id vault_version = var.vault_version vault_cluster_name = "vault-${var.environment}" enable_audit_logging = var.enable_audit_logging enable_ui = var.enable_ui }) tags = local.common_tags }


Terraform, Vault, and the Engineering of Trust in BFSI Cloud

Engineering in regulated industries isn’t just about building—it’s about securing, validating, and scaling. Here’s what I’ve learned building AI-ready and finance-grade platforms.

Terraform, Packer, and Vault in Action

Secure AI Environments

Managed secret access to Bedrock, Pinecone, and Vertex AI, and applied encryption patterns to API-layer and inference security.

From Ansible to Nomad

Used Nomad to orchestrate microservices and GPU-based AI workloads while keeping IaC principles intact.

Mentoring the Next Generation

Designed and delivered workshops to BFSI engineers, helping them translate theory into cloud-native practice.

If it’s not secure, it’s not done. Engineering is trust made tangible.