Open
Conversation
Amitabh-DevOps (Contributor) commented Mar 19, 2026
- Used Kind cluster, DockerHub
- Gateway API with Envoy Gateway routing
- Helm charts.
- Deployed to ArgoCD
- Removed ollama and used Gemini API Key
Pull request overview
This PR transitions the project from an EC2/Ollama-based deployment to a Kind + Helm + ArgoCD GitOps workflow, and replaces the local Ollama integration with Google Gemini API calls from the Spring Boot service.
Changes:
- Tighten image vulnerability scanning by adding HIGH severity to Trivy configuration.
- Replace Ollama configuration/integration with Gemini API configuration/integration (timeouts, model config) in the app.
- Add Kubernetes GitOps assets (Helm chart + ArgoCD Application) and update CI/CD to push to Docker Hub and commit Helm image tags.
Reviewed changes
Copilot reviewed 26 out of 58 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| trivy.yaml | Expands scan severity to include HIGH vulnerabilities. |
| src/main/resources/application.properties | Replaces Ollama properties with Gemini + timeout settings. |
| src/main/java/com/example/bankapp/service/ChatService.java | Implements Gemini request/response handling and deterministic replies for balance/transactions. |
| scripts/ollama-setup.sh | Removes Ollama EC2 bootstrap script. |
| scripts/kind-setup.sh | Adds Kind cluster creation script with port mappings for Gateway API usage. |
| gitops/argocd-app.yaml | Adds ArgoCD Application definition pointing at the Helm chart. |
| docker-compose.yml | Removes Ollama services; adds Gemini env vars for local dev. |
| charts/bankapp/Chart.yaml | Adds Helm chart metadata. |
| charts/bankapp/values.yaml | Adds chart values for image, DB, Gateway API/Envoy, cert-manager, Gemini. |
| charts/bankapp/templates/*.yaml | Adds K8s resources: app + mysql + nginx, Gateway API + EnvoyProxy, cert-manager Issuer/Certificate. |
| app-tier.yml | Switches runtime image source to Docker Hub and swaps Ollama env vars for Gemini env vars. |
| README.md | Updates architecture and operational docs for Kind + ArgoCD + Helm + Gateway API + Gemini. |
| .github/workflows/devsecops-main.yml | Restricts trigger to main and updates permissions for GitOps commits. |
| .github/workflows/build.yml | Switches from ECR/OIDC to Docker Hub push. |
| .github/workflows/cd.yml | Replaces EC2 deploy/DAST with GitOps values.yaml update commit. |
| .dockerignore | Excludes charts/gitops/scripts/screenshots/CI metadata from Docker build context. |
| screenshots/* | Adds/updates documentation screenshots for the new workflow. |
Comments suppressed due to low confidence (1)
src/main/java/com/example/bankapp/service/ChatService.java:177
buildContext() includes sensitive customer data (balance, account ID, and potentially transaction history) in the prompt sent to the external Gemini API. Even with the deterministic reply path, this can transmit PII/financial data for unrelated queries. Consider data minimization (omit account ID, avoid sending balances/transactions unless needed, and/or mask values) before calling the external model.
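The data-minimization advice in the comment above, shown as an added example. This is not the PR's ChatService or any code from the bankapp project; the `Account`, `Transaction` and `buildContext` names, the intent patterns and the sample data are all hypothetical stand-ins. The idea is that unrelated questions get no financial data at all, and balance or transaction questions get only masked identifiers and approximate figures, so nothing exact leaves the service via the prompt.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example (not the PR's ChatService): data minimisation for the prompt
 * context sent to an external model. Account, Transaction and buildContext are
 * hypothetical stand-ins for whatever the bankapp service actually uses.
 */
public class MinimalPromptContext {

    // Constructed sample domain types; the real entities live in the project.
    public record Transaction(String type, double amount, String merchant) {}
    public record Account(String accountId, double balance, List<Transaction> history) {}

    // Intent detection: a field goes into the prompt only when the question needs it.
    private static final Pattern BALANCE_INTENT =
            Pattern.compile("\\b(balance|funds|how much)\\b");
    private static final Pattern TX_INTENT =
            Pattern.compile("\\b(transactions?|history|statement|spent|payments?)\\b");

    /** Keep only the last four characters so the full account ID never leaves the service. */
    static String maskId(String id) {
        if (id == null || id.length() <= 4) {
            return "****";
        }
        return "*".repeat(id.length() - 4) + id.substring(id.length() - 4);
    }

    /** Round to the nearest ten: an approximate figure for conversation, not the exact amount. */
    static String approximateAmount(double amount) {
        double rounded = Math.round(amount / 10.0) * 10.0;
        return String.format(Locale.ROOT, "about %.0f", rounded);
    }

    /**
     * Builds the context block for the model. Unrelated questions get no account
     * figures; balance and transaction questions get masked, approximate values only.
     * Exact figures belong to the deterministic reply path, which never calls the model.
     */
    public static String buildContext(String userMessage, Account account) {
        String q = userMessage.toLowerCase(Locale.ROOT);
        boolean wantsBalance = BALANCE_INTENT.matcher(q).find();
        boolean wantsTx = TX_INTENT.matcher(q).find();

        StringBuilder ctx = new StringBuilder();
        ctx.append("Customer account (masked): ").append(maskId(account.accountId())).append('\n');

        if (wantsBalance) {
            ctx.append("Balance: ").append(approximateAmount(account.balance())).append('\n');
        }
        if (wantsTx) {
            ctx.append("Recent activity (last 3, merchants omitted):\n");
            account.history().stream()
                    .limit(3)
                    .forEach(t -> ctx.append(" - ").append(t.type()).append(' ')
                            .append(approximateAmount(t.amount())).append('\n'));
        }
        if (!wantsBalance && !wantsTx) {
            ctx.append("No account figures included: question is not about balance or transactions.\n");
        }
        return ctx.toString();
    }

    public static void main(String[] args) {
        // Constructed sample data, not real customer records.
        Account acct = new Account("ACC-0012345678", 2481.37, List.of(
                new Transaction("debit", 42.10, "Grocery Co"),
                new Transaction("credit", 1500.00, "Payroll"),
                new Transaction("debit", 9.99, "Streaming Ltd"),
                new Transaction("debit", 120.00, "Utility plc")));

        System.out.println(buildContext("What are your opening hours?", acct));
        System.out.println(buildContext("How much is my balance?", acct));
        System.out.println(buildContext("Show my recent transactions", acct));
    }
}
```

The first call produces a context with only the masked account ID, the second adds an approximate balance, and the third lists three rounded amounts without merchant names. Intent matching by keyword is a coarse gate; the point is that the decision of what to include is made before the request is built, not by the model.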
Comment on lines +136 to +137
| String endpoint = geminiApiUrl + "/" + geminiModel + ":generateContent?key=" + geminiApiKey; | ||
| Map<String, Object> response = restTemplate.postForObject(endpoint, request, Map.class); |
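Review bot: the API key is embedded in the request URL (`":generateContent?key=" + geminiApiKey`), so it will show up wherever the endpoint string is logged or surfaced, including the message of a `ResourceAccessException`, which includes the full URL of the failed request. Send it in the `x-goog-api-key` request header instead and keep the URL free of secrets. `postForObject(endpoint, request, Map.class)` also returns an unchecked raw `Map`; mapping the response to a small typed DTO (or a JSON tree) avoids the unchecked casts when the reply is read out.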
Comment on lines +63 to +68
| path: /actuator/health/liveness | ||
| port: http | ||
| initialDelaySeconds: 30 | ||
| readinessProbe: | ||
| httpGet: | ||
| path: /actuator/health/readiness |
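Review bot: the liveness probe leans on `initialDelaySeconds: 30` to cover JVM start-up; a `startupProbe` on the same `/actuator/health/liveness` path with a generous `failureThreshold` is the idiomatic way to handle a slow start, and then liveness can run with a short delay. The visible readiness probe carries no timing fields, so it runs with kubelet defaults from container start, which is acceptable. Note also that the `/actuator/health/liveness` and `/readiness` groups exist only when Spring Boot's probe support is active; it switches on automatically when `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` are set, otherwise `management.endpoint.health.probes.enabled=true` is needed, which matters if the same image is run under docker-compose.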
| @@ -11,8 +11,7 @@ on: | |||
| - 'scripts/**' | |||
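Review bot: the hunk header (`-11,8 +11,7`) shows one entry removed from the `on:` filter list that still contains `'scripts/**'`, but the visible context does not show whether this list is `paths:` or `paths-ignore:`. Since the CD workflow now commits `charts/bankapp/values.yaml` back to `main`, confirm the net effect is that those image-tag commits do not re-enter this pipeline (either `charts/**` is excluded from the trigger, or the `[skip ci]` marker on the commit is what is relied on), otherwise every deploy starts another build.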
Comment on lines +28 to +29
| git commit -m "chore: update image tag to ${{ github.sha }} [skip ci]" | ||
| git push |
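Review bot: a bare `git push` depends on the upstream configured by the checkout step; `git push origin HEAD:main` is explicit and fails loudly if the branch is not what was expected. Two runs of this workflow that overlap will race on the same file, and the second push fails with a non-fast-forward; either a `concurrency:` group on the job or a `git pull --rebase origin main` just before the push avoids that. Whether `[skip ci]` is needed depends on the credential: pushes made with the job's `GITHUB_TOKEN` do not trigger new workflow runs at all, so the marker only matters if a personal access token or GitHub App token is used for the push.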
Comment on lines +34 to +47
| host: "54.91.43.65.nip.io" # Update with your nip.io host (e.g., <PUBLIC_IP>.nip.io) | ||
| envoyProxy: | ||
| name: "bankapp-proxy-config" | ||
| serviceType: NodePort | ||
| nodePorts: | ||
| http: 30080 | ||
| https: 30443 | ||
| tls: | ||
| enabled: true | ||
| secretName: "bankapp-tls" | ||
| certManager: | ||
| enabled: true | ||
| issuerName: "letsencrypt-prod" | ||
| email: "[email protected]" # Update with your email for cert-manager notifications |
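Review bot: a concrete public IP is committed in the default `host:` value, and the same `values.yaml` is the file the CD workflow rewrites on every build, so environment-specific settings (host, email) are better kept in a separate override file than in the chart defaults that automation churns. With `issuerName: "letsencrypt-prod"` and the gateway on `NodePort` 30080/30443, an HTTP-01 challenge only succeeds if port 80 on the host is reachable from the internet and forwarded to 30080 (the Kind port mapping plus host firewall); each failed attempt counts against Let's Encrypt rate limits, so iterate against the staging issuer first and switch to `letsencrypt-prod` once a certificate is issued.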
| spec: | ||
| project: default | ||
| source: | ||
| repoURL: https://github.com/Amitabh-DevOps/DevSecOps-Bankapp.git |
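Review bot: `project: default` places the Application in the built-in AppProject, which allows any source repository and any destination cluster/namespace. Define a dedicated `AppProject` whose `sourceRepos` is limited to `https://github.com/Amitabh-DevOps/DevSecOps-Bankapp.git` and whose `destinations` is limited to the target namespace, so a change to this Application cannot deploy from elsewhere or into other namespaces.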
Comment on lines +1 to +11
| apiVersion: gateway.networking.k8s.io/v1 | ||
| kind: GatewayClass | ||
| metadata: | ||
| name: {{ .Values.gateway.className }} | ||
| spec: | ||
| controllerName: gateway.envoyproxy.io/gatewayclass-controller | ||
| parametersRef: | ||
| group: gateway.envoyproxy.io | ||
| kind: EnvoyProxy | ||
| name: {{ .Values.gateway.envoyProxy.name }} | ||
| namespace: {{ .Release.Namespace }} |
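Review bot: `GatewayClass` is cluster-scoped, so templating it from the chart means two releases of this chart (different namespaces, same `gateway.className`) collide on one object, and uninstalling either release removes the class for the other; consider guarding it behind a `create` flag, or managing the class outside the chart. The `parametersRef` points at an `EnvoyProxy` in `{{ .Release.Namespace }}`; if that object is not present when the class is reconciled, the GatewayClass will not be accepted, so check the chart orders the EnvoyProxy before the GatewayClass (or that Envoy Gateway re-reconciles once it appears).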