On 24th September 2019, I went to the Yalla DevOps Event held by JFrog and I would like to share some insights from this special event.
The event focused on DevOps, the industry trend for solving complex real-world software problems. In this blog I’m going to share answers to the following questions:
What is DevOps? What are the challenges we are facing? What are the technologies we should use to achieve the DevOps culture?
DevOps drives change in IT culture due to new emerging technologies like CI/CD tools, Kubernetes (K8S), and Docker. These technologies bring development and operations teams together within a company to develop and deploy software with maximum efficiency, strong security checks, and especially automation tools that support the life cycle management process.
As the development process is changing to become faster and more secure, the number of companies adopting a process of continuous delivery and continuous deployment such as DevOps is growing. By 2020 you will see DevOps clearly everywhere – continuous updates will transform the way software is delivered.
As applications are growing much faster than before, improving code security requires more than just regular code testing. Many security tools are available from various vendors, but developers need a different set of tools when it comes to DevOps and application security, because security must be continuous as well, says Derek Weeks, Vice President and DevOps advocate for Sonatype.
However, applying a DevOps culture in companies brings a lot of challenges. John Willis – Founder and Author of the DevOps Handbook – discussed the “DevOps’ Seven Deadly Diseases” by describing his personal experience consulting organizations running the DevOps culture. In addition, he talks about the process of finding out how people work and the clear patterns that he recognizes.
The first disease, “invisible work”, raises the fact that most large companies only capture on average 50% of their work. But if you’re not seeing the other 50% of the work that’s going on in your organization, you’re doing surgery in the dark. You must go talk to people across the organization to find out how work actually gets done, so that you can capture it.
The rest of the diseases are – in short:
- Management System Toil refers to the numerous, disparate management systems (JIRA, SharePoint, Remedy, etc.).
- Tribal Knowledge is all about information living in silos.
- Misalignment of Incentives.
- Incongruent Organizational Design.
- Managing Complexity.
- Security and Compliance Theater.
These seven deadly diseases are related to cybersecurity, risk, and compliance.
The following sections provide examples of technologies and solutions used to achieve a DevOps culture. The event included three main tracks: DevSecOps, CI/CD, and Cloud-Native/Containers. The following sections describe topics that were interesting to me within these tracks.
GitOps is centered around using a version control system (such as Git) to house all information, documentation, and code for a Kubernetes deployment, and then using automated directors to deploy changes to the cluster.
Jenkins X provides pipeline automation, built-in GitOps, and preview environments to help teams collaborate and accelerate their software delivery at any scale.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
Software development has moved to microservices. The main challenges are the networking of microservices, and how to provide security, control, and observability into your microservices application. This is where Istio and Envoy come in to solve these challenges. Here you can find the presentation slides. This link explains what service mesh is all about.
Jessica Deen from Microsoft presented the From Zero to DevOps Superhero: The Container Edition session. This session helped minimize the learning curve regarding container orchestration, specifically Kubernetes, by discussing DevOps best practices. One of the tools that simplifies the process is Draft – a tool for developers to create cloud-native applications that run on Kubernetes.
Kubernetes plugin for Jenkins: Jenkins plugin to run dynamic agents in a Kubernetes/Docker environment.
Vulnerabilities and License Violations
JFrog Xray is a universal impact analysis product that includes VersionEye technology and a database. The main purpose of this system is to track open source libraries and alert developers in real-time to key information such as security vulnerabilities, license violations, and outdated dependencies.
Shift left to reduce failure. This term refers to a practice in software development in which teams focus on quality. This requires two DevOps practices: continuous testing and continuous deployment.
Before closing this blog, I would like to say that SAP is one of the leading companies moving to the DevOps culture.
My team is responsible for developing the SAP Business Application Studio, which is a tool for building application extensions or new applications running in the cloud. These applications run on K8S, applying the CI/CD process mentioned above to achieve continuous delivery. Argo CD is used for GitOps; Istio and Envoy are used to solve the microservice networking problem. Checkmarx, Protecode, Sonar Quality Gate and Open Source (for licensing risks and security vulnerabilities) are used for security and code analysis as a quality gate.
Hope you have enjoyed these insights from the Yalla DevOps event.
Stay tuned for my next blog post.
Ahmad Haj Ali