Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Feb 2019: Azure@Helsana: Enterprise Level Azure DevOps bei Helsana by Christian Waha

Feb 2019: Azure@Helsana: Enterprise Level Azure DevOps bei Helsana by Christian Waha

Die Helsana IT-Strategie erfordert die hundertprozentige Automatisierung aller Entwickungen des Azure Teams. Im Sinne von aktiv gelebtem DevOps übernimmt das Team die volle Verantwortung von CRMa über den gesamten Software-Lifecycle. In dieser Session wird aufgezeigt, wie die Helsana ihre komplette CRMa Lösung automatisiert per Knopfdruck auf unterschiedliche Umgebungen deployen kann. Dabei werden die organisatorischen und technischen Herausforderungen, sowie die eingesetzten Werkzeuge (Azure DevOps, ARM, Jenkins, Powershell) erläutert.

Christian Waha ist Microsoft MVP mit Spezialgebiet Azure und unterstützte die Helsana beim Aufbau der Azure Release Infrastruktur. Alles zu Christian gibt es hier: https://about.me/christian.waha

Azure Zurich User Group

February 05, 2019
Tweet

More Decks by Azure Zurich User Group

Other Decks in Programming

Transcript

  1. REAL WORLD SCENARIO AZURE DEVOPS Azure DevOps @Helsana, how we

    work, what problems we are facing and more.
  2. CHRISTIAN WAHA Prinicpal Cloud Consultant Education: Study of Computer Science

    FH Landshut Work: Industrial Holographics LLC cwlabs consulting services GmbH Projects with: Helsana, Leica, T-Systems, UniCredit, Technolas, 1&1, Microsoft, BMW, Daimler Community: Azure Munich Meetup (Lead), HoloLens Meetup Germany (Lead), Windows Client & Server Meetup (Lead), Coding Dojo Munich (Former Lead) 2016, 2017, 2017-2018, 2018-2019 2017, 2018, 2019
  3. HELSANA Problem to solve: Move existing system from Jenkins and

    internal Gitlab to Azure DevOps Reduce the Time to Market
  4. WHAT IS NECESSARY TO BRING THE HELSANA TO A CI/CD

    ABLE ORGANIZATION • We need a full integrated system • Build pipeline • Release pipeline which can deliver to all stages • Artifact repository • Save and reliable storage for secrets
  5. SECURITY • User-Management • Secrets safe storage • Access External

    Systems • Ensure safe connection to Azure DevOps
  6. USERMANAGEMENT What is our way to ensure that every user

    can easily get access and work rights, without high administrative workload. 1. We connect our Azure DevOps to our Azure Active Directory 2. We grant rights only to AAD Usergroups
  7. USER-MANAGEMENT What is our way to ensure that every user

    can easily get access and work rights, without high administrative workload. 1. We connect our Azure DevOps to our Azure Active Directory 2. We grant rights only to AAD Usergroups 3. Users will be added to AAD Usergroups automated by our IAM Management Tool 4. We made for different access levels different Usergroups
  8. STORAGE FOR SECRETS Recommended for storage of application secrets are

    KeyVaults. We use them on different Levels. 1. Application Secrets for deployment 2. Application Secrets on runtime Also important to us is the time to keep secrets, we change application secrets in defined time periodes, to be always safe that they can not become abused. We are also able to change a secret in a time period which we need to create, add to keyvault and a complete release chain needs. Which is on the longest running application 3 hours. (Without testing)
  9. ACCESS EXTERNAL SYSTEMS We also need to reach different external

    systems and use there many Connectors. We use there connectors to: • External Git • Microsoft AppStudio • Apple Marketplace • Google Playstore • Many others To be sure that there is no security problem we update the token keys to this systems also periodical
  10. ENSURE SAFE CONNECTION TO AZURE DEVOPS To fulfill security guidelines

    it is only allowed to access at the moment Azure DevOps from the internal Helsana Network. How we solve this guideline: 1. All traffic to Azure DevOps is routed over our ExpressRoute Connection 2. User must authenticate against our SAS Token Provider 3. In future for external usage it is necessary to authenticate with our external token service portal.
  11. BUILD PIPELINES The Build pipelines we use are as simple

    as possible, most of the complexity is in the release pipelines. We have different types of projects to build. • .net applications • .net core applications • IOS based apps • Android based apps • Typescript Webapps • NoJS Webapps • ARM Templates for Azure • and more …
  12. RELEASE PIPELINES Most of the complexity of our environments and

    stages is reflected in the release pipelines. We ensure that only on this steps secrets are provided for the delivery of the applications. We deliver to: • Azure • Native Windows and Linux Servers • Apple Marketplace • Google Playstore • Artifakt Storages
  13. BUILD AND RELEASE AGENTS We use Azure DevOps at the

    moment only to deliver content outside of the internal Helsana IT Infrastructure. So it is not necessary to use an internal Build Agent. For our development Teams we have a calculation rule for build agents: Developer * Active Queues(Build + Release) % 90 = Necessary Build Agents
  14. EXTENSIONS We are facing in the last period of the

    problem that we need some functionality which is not provided by Azure DevOps. Sometimes it is possible to solve it by Powershell Commandlets, but it is not easy to maintain or understand this by everyone who build pipelines. So build some extensions to solve this. • Cleanup Azure Resourcegroup deployments (Limited to 800) • Convert ARM JSON output to a usable variable in DevOps • Get secrets for different type of just created Azure Resources • Cosmos DB was not able to create Databases or Collections by PowerShell or Build / Release tasks, so we build dotnetcore console applications which we integrated in an extension
  15. EXTENSION SOURCE CODE The extenstion source code is also available

    on GITHUB https://www.github.com/christianwaha
  16. CHRISTIAN WAHA Prinicpal Cloud Consultant Education: Study of Computer Science

    FH Landshut Work: Industrial Holographics LLC cwlabs consulting services GmbH Projects with: Helsana, Leica, T-Systems, UniCredit, Technolas, 1&1, Microsoft, BMW, Daimler Community: Azure Munich Meetup (Lead), HoloLens Meetup Germany (Lead), Windows Client & Server Meetup (Lead), Coding Dojo Munich (Former Lead) 2016, 2017, 2017-2018, 2018-2019 2017, 2018, 2019