
Feb 2019: Azure@Helsana: Enterprise Level Azure DevOps bei Helsana by Christian Waha

Helsana's IT strategy requires one hundred percent automation of everything the Azure team develops. In the spirit of actively practised DevOps, the team takes full responsibility for CRMa across the entire software lifecycle. This session shows how Helsana deploys its complete CRMa solution automatically, at the push of a button, to different environments. It covers the organisational and technical challenges as well as the tools used (Azure DevOps, ARM, Jenkins, PowerShell).

Christian Waha is a Microsoft MVP specialising in Azure and supported Helsana in building its Azure release infrastructure. Everything about Christian can be found here: https://about.me/christian.waha

Azure Zurich User Group

February 05, 2019

Transcript

  1. REAL WORLD SCENARIO AZURE DEVOPS
     Azure DevOps @Helsana: how we work, what problems we are facing, and more.
  2. CHRISTIAN WAHA, Principal Cloud Consultant
     Education: Computer Science, FH Landshut.
     Work: Industrial Holographics LLC; cwlabs consulting services GmbH.
     Projects with: Helsana, Leica, T-Systems, UniCredit, Technolas, 1&1, Microsoft, BMW, Daimler.
     Community: Azure Munich Meetup (Lead), HoloLens Meetup Germany (Lead), Windows Client & Server Meetup (Lead), Coding Dojo Munich (Former Lead).
  3. HELSANA
     Problem to solve: move the existing system from Jenkins and the internal GitLab to Azure DevOps, and reduce the time to market.
  4. WHAT IS NECESSARY TO BRING HELSANA TO A CI/CD-ABLE ORGANIZATION
     • We need a fully integrated system
     • Build pipeline
     • Release pipeline which can deliver to all stages
     • Artifact repository
     • Safe and reliable storage for secrets
  5. SECURITY
     • User management
     • Safe storage of secrets
     • Access to external systems
     • Ensure a safe connection to Azure DevOps
  7. USER MANAGEMENT
     How do we ensure that every user can easily get access and working rights without a high administrative workload?
     1. We connect our Azure DevOps to our Azure Active Directory.
     2. We grant rights only to AAD user groups.
     3. Users are added to AAD user groups automatically by our IAM management tool.
     4. We created different user groups for the different access levels.
  8. STORAGE FOR SECRETS
     Key Vaults are the recommended storage for application secrets. We use them on different levels:
     1. Application secrets for deployment
     2. Application secrets at runtime
     The lifetime of a secret is also important to us: we change application secrets in defined time periods, so we can always be sure they cannot be abused. We are also able to change a secret within the time it takes to create it, add it to the Key Vault and run a complete release chain, which is 3 hours for the longest-running application (without testing).
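The rotation scheme on this slide, as an added example that is not code from the deck or from Helsana: each new secret version is written with an explicit expiry matching the rotation period, and a second function lists the secrets whose rotation deadline is closer than the time a full release chain needs. It assumes the Az.KeyVault module and an authenticated session (Connect-AzAccount); the vault and secret names are placeholders.

```powershell
# Added example (not the deck's code). Assumes Az.KeyVault and an
# authenticated session; 'kv-crma-dev' and 'crma-db-password' are placeholders.

function New-RandomSecretValue {
    # 32 bytes from the OS CSPRNG, base64-encoded, returned as SecureString so
    # the value is never held in a plain [string] longer than necessary.
    param([int] $ByteLength = 32)
    $buffer = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buffer)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($buffer)) -AsPlainText -Force
}

function Set-RotatedSecret {
    param(
        [Parameter(Mandatory)] [string]       $VaultName,
        [Parameter(Mandatory)] [string]       $SecretName,
        [Parameter(Mandatory)] [securestring] $SecretValue,
        [int] $RotationDays = 30
    )
    $now = Get-Date
    # Every version carries NotBefore/Expires attributes. Key Vault keeps the
    # previous version, so a release that is already running can still read it;
    # the expiry makes the rotation deadline visible to tooling and audits.
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
        -SecretValue $SecretValue `
        -NotBefore $now `
        -Expires $now.AddDays($RotationDays) `
        -Tag @{ rotatedAt = $now.ToString('o'); rotatedBy = 'release-pipeline' }
}

function Get-SecretsDueForRotation {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        # The lead time must cover generate + store + full release chain; the deck
        # quotes three hours for the longest application, so one day leaves room
        # to re-run a failed release before the old value expires.
        [int] $LeadDays = 1
    )
    $deadline = (Get-Date).AddDays($LeadDays)
    # Without -Name, Get-AzKeyVaultSecret lists secret identities only (no values).
    Get-AzKeyVaultSecret -VaultName $VaultName |
        Where-Object { $_.Expires -and $_.Expires -le $deadline } |
        Select-Object Name, Expires, Enabled
}

# Usage (placeholders):
# Set-RotatedSecret -VaultName 'kv-crma-dev' -SecretName 'crma-db-password' -SecretValue (New-RandomSecretValue)
# Get-SecretsDueForRotation -VaultName 'kv-crma-dev'
```

Setting the expiry does not revoke the old value by itself: Key Vault still serves an expired secret to callers that ask for a specific version, so the release that consumes the new version should also disable the previous one (Update-AzKeyVaultSecret with -Enable $false) once the rollout has succeeded.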
  9. ACCESS EXTERNAL SYSTEMS
     We also need to reach different external systems and use many connectors for that. We use connectors to:
     • External Git
     • Microsoft AppStudio
     • Apple Marketplace
     • Google Play Store
     • Many others
     To be sure there is no security problem, we also update the token keys for these systems periodically.
  10. ENSURE SAFE CONNECTION TO AZURE DEVOPS
     To fulfil the security guidelines, at the moment Azure DevOps may only be accessed from the internal Helsana network. How we meet this guideline:
     1. All traffic to Azure DevOps is routed over our ExpressRoute connection.
     2. Users must authenticate against our SAS token provider.
     3. In future, external usage will require authentication with our external token service portal.
  11. BUILD PIPELINES
     The build pipelines we use are as simple as possible; most of the complexity is in the release pipelines. We have different types of projects to build:
     • .NET applications
     • .NET Core applications
     • iOS-based apps
     • Android-based apps
     • TypeScript web apps
     • NoJS web apps
     • ARM templates for Azure
     • and more …
  12. RELEASE PIPELINES
     Most of the complexity of our environments and stages is reflected in the release pipelines. We ensure that secrets are provided only in these steps, for the delivery of the applications. We deliver to:
     • Azure
     • Native Windows and Linux servers
     • Apple Marketplace
     • Google Play Store
     • Artifact storages
  13. BUILD AND RELEASE AGENTS
     At the moment we use Azure DevOps only to deliver content outside of the internal Helsana IT infrastructure, so an internal build agent is not necessary. For our development teams we have a calculation rule for build agents:
     Developer * Active Queues (Build + Release) % 90 = Necessary Build Agents
  14. EXTENSIONS
     In the last period we have been facing the problem that we need some functionality which Azure DevOps does not provide. Sometimes it is possible to solve it with PowerShell cmdlets, but that is not easy to maintain or to understand for everyone who builds pipelines. So we built some extensions to solve this:
     • Clean up Azure resource group deployments (limited to 800)
     • Convert ARM JSON output into a usable variable in DevOps
     • Get secrets for different types of just-created Azure resources
     • Cosmos DB databases or collections could not be created by PowerShell or by build/release tasks, so we built .NET Core console applications which we integrated into an extension
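Two of the gaps listed on this slide, as an added example that is not the extension code from the deck (that code lives in the GitHub repository the author links): turning the outputs of an ARM deployment into Azure DevOps pipeline variables, marking the sensitive ones as secrets, and pruning a resource group's deployment history before it hits the 800-deployment limit. The JSON sample is constructed for the example; the cleanup function assumes the Az.Resources module and an authenticated session, and the resource group name is a placeholder.

```powershell
# Added example (not the deck's extension code). Part 1 runs stand-alone on the
# constructed sample; part 2 assumes Az.Resources and an authenticated session.

# Constructed sample: the "outputs" object of an ARM deployment, in the shape
# returned by the REST API (properties.outputs) or by
# $deployment.Outputs | ConvertTo-Json.
$SampleOutputsJson = @'
{
  "storageAccountName": { "type": "String", "value": "stcrmadev01" },
  "webAppUrl":          { "type": "String", "value": "https://crma-dev.example.net" },
  "sqlAdminPassword":   { "type": "String", "value": "placeholder-not-a-real-password" }
}
'@

function ConvertTo-PipelineVariables {
    param(
        [Parameter(Mandatory)] [string] $OutputsJson,
        # Output names matching one of these patterns are registered with
        # issecret=true: the agent masks the value in logs and does not expose
        # it as an environment variable to later tasks unless mapped explicitly.
        [string[]] $SecretNamePatterns = @('password', 'secret', 'key', 'connectionstring', 'token')
    )
    $outputs = $OutputsJson | ConvertFrom-Json
    foreach ($prop in $outputs.PSObject.Properties) {
        $name  = $prop.Name
        $value = $prop.Value.value
        # Object/array outputs are flattened to compact JSON; a later task can
        # parse them again with ConvertFrom-Json.
        if ($value -isnot [string]) { $value = $value | ConvertTo-Json -Compress }
        $isSecret = @($SecretNamePatterns | Where-Object { $name -match $_ }).Count -gt 0
        $flags = if ($isSecret) { ';issecret=true' } else { '' }
        # ##vso[task.setvariable] is the logging command the Azure Pipelines
        # agent reads from stdout to set a variable for the remaining tasks of
        # the job. The command must be a single line, so multi-line values
        # (e.g. PEM material) need to be base64-encoded first.
        Write-Host "##vso[task.setvariable variable=$name$flags]$value"
    }
}

function Remove-OldResourceGroupDeployments {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        # Azure keeps at most 800 deployments per resource group; keeping well
        # below that leaves room for a burst of releases between two cleanups.
        [int] $Keep = 500
    )
    # Newest first, skip the ones to keep, delete the rest. Deployments that are
    # still running cannot be deleted and are reported as errors by the cmdlet.
    Get-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName |
        Sort-Object -Property Timestamp -Descending |
        Select-Object -Skip $Keep |
        ForEach-Object {
            Remove-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName -Name $_.DeploymentName
        }
}

# Usage, e.g. inside a PowerShell task of a release stage:
ConvertTo-PipelineVariables -OutputsJson $SampleOutputsJson
# Remove-OldResourceGroupDeployments -ResourceGroupName 'rg-crma-dev'
```

The name-pattern heuristic is a convention, not a guarantee: ARM does not return secureString outputs at all, so anything sensitive that does appear in the outputs got there as a plain string, and the safer design is to read such values from Key Vault in the release step (slide 12) rather than to pass them through template outputs.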
  15. EXTENSION SOURCE CODE
     The extension source code is also available on GitHub: https://www.github.com/christianwaha