DevSecOps Overview
An Overview of what DevSecOps is, and how it can help you speed up you cloud native solution delivery
One of the patterns emerging with development teams is the ability to use CNCF Tools as part of a more open multi cloud CI/CD strategy. This approach is aligning around the Kubernetes platform. The IBM Cloud supports both upstream Kubernetes for advanced cutting edge workloads and Red Hat OpenShift the proven mutli cloud distribution of Kubernetes that can install on IBM Cloud, Azure, AWS, VMWare and on Premise and many more places. This approach removes cloud vendor lock in around CI/CD tools and enables development teams to be more flexible and the target cloud they focus on deploying and developing with.
There are two patterns from this approach:
- There are a core set of Development Tools that are installed inside the Kubernetes environment with the use of Operators the management and support of these tools can be controlled with centralized operations teams
- Integration of centralized operations tools like Source Code Management, Artifact Management, Image Management, Logging and Monitoring
This model enables agile cloud native development teams to execute quickly while also conforming to the enterprise standards required for CI/CD. This pattern also enable the reduction of costs of managing expensive centralized multi tenant CI services and enables the development teams to use a percentage of their development cluster to support CI activities. This approach with Tekton enable the centralized operations teams to impose specific pipeline tasks that need to be supported by development teams without the complex
Overview
This short video introduces the cloud native concepts of CI/CD DevOps with Red Hat OpenShift:
Each Cluster can have a selection of CNCF DevSecOps tools installed using IasC(Infrastrcture As Code) using Terraform. The cluster then turns from a production state cluster into a cluster that is used for multi tenant development teams.
The following describes the requirements:
- Installation: Install the CNCF Tools using Terraform this create a new Developer Environment
- Cluster: A Kubernetes or Red Hat OpenShift cluster that both hosts the tools and itself is a deployment target for application builds
- Software Delivery Lifecycle: Deployment target environments that support the application development lifecycle: dev, test, and staging
- Backend services: Cloud services commonly required by cloud-native applications for monitoring, security, and persistence
- CI/CD: A prebuilt, ready-to-run continuous delivery pipeline incorporating best-of-breed open source software tools supporting
Jenkins,Tektonfor CI andArgoCDfor CD - Code Patterns: Prebuilt code templates for common application components and tasks incorporating best practices that developers can add to their codebase as needed
- Dashboard: Integration of the tools into the OpenShift dashboard, and a centralized developer dashboard to help developers use the environment’s capabilities
A core set of tools are sourced from the IBM Cloud Catalog that can be found in the IBM Cloud. This approach helps assemble these reliable open source development tools into an end-to-end developer experience that is fully integrated with IBM Cloud’s managed container orchestration services.
the tools can also be source from the Operator Hub and the Redhat Marketplace. The Operations team that owns the IasC can decide the best approach to install the tools either using Helm3 or Operators
Typically a Cloud System Admin installs and sets up a new Developer Environment, providing a place for the developers to start developing the minimum viable product (MVP). The objective is to reduce the time required for a team to configure and prepare their development environment. The key benefit is to make the end-to-end CI/CD development lifecycle consistent across each platform and make the out-of-the-box developer experience as simple as possible.
The installation is performed using Terraform, driven by scripts with a modular configuration so unneeded tools can be easily disabled or new tools added. The combination of tools selected are proven in the industry to deliver real value for modern cloud-native development.
Environment components
After installation, the Developer Environment consists of a set of CNCF tools installed into your nominated kubernetes cluster.
This diagram illustrates the Developer Environment:
The diagram shows the components in the environment: the cluster, the deployment target environments, the cloud services, and the tools.
Development cluster
The heart of the is a cluster:
- An or 3-node cluster
- Cluster namespace that encapsulates the tooling installed in the cluster: tools
- Cluster namespaces for deployment target environments: dev, test, and staging
The following IBM Cloud services are created and bound to the cluster:
| Capability | Service | Description |
|---|---|---|
| Logging | LogDNA Logging | Manage app logging LogDNA |
| Monitoring | SysDig Monitoring | Manage monitoring of apps with SysDig |
| AppID | AppID Application Authentication | Secure your apps, APIs and Kubernetes Ingress end points |
| Cloudant | Cloudant NoSQL Database | NoSQL Database commonly used for data persistence |
| Cloud Object Storage | Cloud Object Storage Storage | Storage service commonly used for binary content |
| PostreSQL | PostgreSQL (used by SonarQube) | SQL Database used for structure data persistence |
Continuous delivery tools
The following best-of-breed open source software tools are installed in the cluster’s tools namespace:
| Capability | Tool | Bitnami | Description |
|---|---|---|---|
| Continuous Integration | Jenkins CI | Yes | Jenkins is a common tool for Continuous Integration |
| Continuous Integration | Tekton CI | Tekton is an emerging tool for Continuous Integration with Kubernetes and OpenShift | |
| Code Analysis | SonarQube | Yes | SonarQube can scan code and display the results in a dashboard |
| Artifact and Helm Storage | Artifactory | Yes | Artifactory is an artifact storage and Helm chart repository |
| Continuous Deployment | ArgoCD | ArgoCD support Continuous Delivery with GitOps | |
| Contract API Testing | Pact | Pact enables API contract testing | |
| Code Ready Workspace | Eclipse CHE | IDE for editing and managing code in a web browser |
If you want to find out more about IBM assets that help you get these common tools installed