The world of DevOps is always changing, always evolving, and this means you need to stay on top of the key ideas of the day so you don’t fall behind. Organizations are implementing innovative new approaches to CI/CD to achieve greater release velocity and optimize their development and deployment workflow. In this post, we look at 4 such ideas that are having a massive impact on DevOps teams today.
What is GitOps?
GitOps is a practice where the desired state of your infrastructure is defined in a Git repository. This definition is used for provisioning your environment in the form of Infrastructure as Code. The core phrases behind GitOps are ‘desired/defined state’ and ‘current state’. The desired state is the original configuration as defined by a DevOps Engineer or Platform Engineer. The current state is the actual state of the system in production. With GitOps, an automated process ensures that your current production environment state matches your desired state in Git.
In a GitOps setup, to make a change in your current infrastructure, you would just have to create a new ‘pull request’ in the Git repository and this automatically triggers a new deployment.
How GitOps works
With Git as your single source of truth, the CI tool in your GitOps setup will use Git as the VCS (version control system), which will act as input for all build operations. As soon as any changes are made to the Git repo, the CI process will get triggered and the tool will run automated tests on the code. When the code is approved and validated through those tests, the image is built and deployed to the artifact repository.
This will trigger the CD process and consequent changes will be made to the configuration files, and based on this the obsolete cluster in your infrastructure will be updated with the latest changes.
Why should you implement GitOps?
Implementing a GitOps strategy over your traditional DevOps pipeline will provide you with multiple benefits like:
- High consistency and reliability for your deployments
- Roll back to the earlier version if any issues are detected
- All activities can be tracked through version control
- Lower possibility of attack surfaces
- Streamlined workflow
- Quicker and frequent deployment timelines
- Enhanced security
2. Infrastructure as code
What is Infrastructure as code (IaC) & how does it work?
Infrastructure as code is the process of deploying and managing your infrastructure through code instead of manual operations. In IaC, machine-readable configuration and definition files are stored in the form of source code in a repository. These are then used by an automated pipeline to run tests and then the code files are used to deploy the required infrastructure.
Declarative vs. Imperative IaC
Declarative and Imperative are the two approaches you can choose from while implementing IaC in your CI/CD pipeline. To describe this in simpler terms, in a declarative approach you define the final desired state of the infrastructure and your automation pipeline will handle the rest of the process, whereas, in an imperative approach, you also define the steps you want to take to obtain the desired outcome.
Modern-day IaC tools and solutions prefer a declarative approach, in this way, you can also implement more efficient deployment techniques like GitOps.
Benefits of IaC
Instead of manually managing and provisioning your infrastructure, IaC is a huge step up from the former approach. It offers multiple benefits like:
- Consistency & reliability
Unlike manual processes that are prone to human errors and untracked discrepancies, an automated pipeline with an IaC setup overcomes such flaws and provides unparalleled consistency. The config files act as the single source code for the entire process, which ensures the same code files are used during every deployment. This also ensures a reliable CI/CD pipeline.
- Tracking & auditing
IaC provides you with the ability to version control your code files every time any changes are made to them. This way you can track all differential changes from the previous version, basically enabling you to trace who did what, when and where.
- Lower operational costs
IaC reduces the infrastructure management cost drastically, as most of the operation is automated and fewer resources are required to manage processes.
The most important benefit you can get from IaC is an increased speed of operations. Not only can you use the pipeline to deploy on multiple environments, but you can do it all by running a simple initial process to trigger the CI/CD pipeline.
3. Supply chain security
What is a Supply Chain Attack?
A supply chain attack is when attackers exploit external or third-party service providers to obtain legitimate access to your company’s infrastructure and thereby compromise all sensitive data. Or if you provide software services to customers, attackers may use your software tools to gain access to your customers’ systems. The SolarWinds hack is the most infamous supply chain attack of recent times.
In your CI/CD pipeline, you might be using third-party commercial or open source solutions for different functionalities and requirements. These tools or solutions can often have access to the insides of your infrastructure to fulfill those requirements. Attackers try to take advantage of this dependability as it gives them limitless reach.
The types of supply chain attacks are as follows:
- Preinstalled malware on hardware devices
- Device firmware bundled with foreign code
- Stolen certificates
- Compromised applications or infrastructure
Supply Chain Components
By enhancing the security of your Supply chain, you will be able to identify, mitigate, remediate and reduce all associated risks and vulnerabilities in your third-party components within the CI/CD pipeline. Your supply chain components can include:
- Drivers, dependencies
- Open-source scripts
- Container registries
- Git and package management repositories
- Open-source or enterprise applications
- Secrets and key management services
- Cloud service providers, data center services
Best Practices for Optimum Supply Chain Security
You can protect your supply chain by following the security practices mentioned below:
- Get rid of all hard-coded secrets in code. Also, ensure that you routinely change the passwords and encryption keys of all applications and services using certificate managers and secrets management tools.
- Secure your secret management system by implementing authorization to access any secrets.
- Use the principle of least privilege that will prevent your systems from being compromised by an elevated privilege attack. All tools will either have restricted access or an authorized bare minimum access, as per requirements.
- Implement a vulnerability scanner in your pipeline that will alert you in case any vulnerabilities are detected in any of your systems. You can remediate those based on provided recommendations.
- Utilize code analysis tools to scan any code dependencies in the config, lock, or manifest files.
- Scan your build artifacts before they are pushed into the registry.
4. Multi/hybrid cloud
Ever since the acquisition of Red Hat by IBM, multicloud and hybrid cloud have been the focus of discussion as the cloud ecosystem is becoming more fragmented by the day. Organizations do not want to be locked into a single vendor, and see hybrid and multicloud as their ticket to freedom in the cloud. These infrastructure decisions have a bearing on CI/CD.
Public vs Private cloud
In a public cloud, service providers share resources with multiple users, like storage, processing, and so on. This makes the public cloud a multi-tenant architecture that is suitable for customers with a high user base and minimal cost.
A private cloud connection is supported through a private network that ensures data security as well. No resources are shared with anyone else. It is a single-tenant architecture which means all resources are solely dedicated to the one customer paying for it.
Multi-cloud vs Hybrid cloud
In a multi-cloud environment, an organization can use multiple cloud resources and services like IaaS, PaaS, and SaaS. They can be offered by different cloud service providers and are often publicly shared, like AWS, GCP, or Azure. Organizations can opt for multi-cloud for various reasons like custom requirements, low costs, better agility, avoiding any provider lock-in or reducing dependencies on any one provider.
A hybrid cloud is a combination of public cloud and private cloud as well as on-premises infrastructure. This provides the users with a high level of flexibility and portability. A hybrid cloud usually includes a private cloud. Examples of hybrid cloud strategies could be private-private, private-public, or public-public. This can also include on-prem data centers along with a private cloud provider.
Factors you should consider while choosing the type of cloud infrastructure
There are various factors that come into play while choosing a cloud infrastructure strategy. Those can consist of:
When choosing any form of cloud service and provider, one of the most important factors is security. As in the case of a public cloud, security is on the lower side when compared with a private cloud. Organizations that handle highly sensitive data, often adopt the hybrid cloud strategy, using their on-prem data center and private cloud, or a private-private cloud approach.
Another important factor is the cost of setting up and using the services and environments. As a public cloud has a multi-tenant architecture and its resources are shared, it provides services at low costs. In a private cloud, the dedicated resources increase the overall cost.
While choosing a cloud service and cloud provider, you have to also explore their compatibility and how you can integrate them. In the case of multi-cloud, if you are using services from different cloud providers, you should be able to integrate them within your pipeline. The same goes for hybrid cloud strategies like a public-private cloud.
IaC and GitOps are gradually becoming the centerpiece of recent CI/CD workflows due to their reliability, consistency, and efficiency. If you are already using a Git repo to manage CI/CD operations, or have already implemented IaC, you could well consider the GitOps approach to software delivery. Even if not to embrace every single aspect of GitOps and IaC, their principles will make a big difference if adopted in part, one step at a time.
Based on your requirements you can choose a multi or hybrid cloud strategy. Regardless of what you use, always ensure that the tools or solutions can be properly integrated with your existing CI/CD pipeline.
In the case of security, your pipeline will only be as strong as its weakest link. This is why you need to secure your supply chain and enhance the overall security of your CI/CD pipeline.
All these trends are shaping and influencing the conversation around CI/CD today. Leverage them to stay ahead of the curve with CI/CD.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to firstname.lastname@example.org.