Fine-tuning DevOps for People over Perfection

jng
March 23, 2022

Demand for DevOps has increased in recent years as more organizations adopt cloud native technologies. Complexity has also increased and a "zero to hero" mentality leaves many people chasing perfection and FOMO.

This session focusses instead on why maybe we shouldn't adopt a technology practice and how sometimes teams can achieve the same results by **prioritizing people over ops automation & controls**. Let's look at how much to adopt, and how to fine-tune, everything as code, pull requests, DevSecOps, monitoring and more, to prioritize developer well-being over optimization perfection. It can be a valid decision to deploy less and sleep better. And finally we'll examine how manual practice and discipline can be the key to superb products and experiences.

DevOps.js Conference
24 March 2022

Transcript

  1. Fine-tuning DevOps for People over Perfection Julie Ng Engineer, Microsoft

    DevOps.js Conference 24 March 2022
  2. Disclaimer All opinions my own, not of my employers past

    and present. Examples not exhaustive or comprehensive. Chosen for human value.
  3. About Me 👩‍💻 Making for the web (full-stack) since 1999

    🚀 Failed Entrepreneur 💶 Former Enterprise Architect (Allianz Germany) ☁️ Engineer, FastTrack for Azure (Microsoft)
  4. DevOps is a journey

  5. Pull Requests Best Practice…

  6. Pull Request Workflow git checkout main && git merge feature

    git push Open a Pull Request #signoff #signoff #signoff Give Up 🤷‍♀️ & (don't) Close Pull Request
  7. Slow Pull Requests git push waiting for build agent…30 sec

    waiting for build agent…30 sec opens Twitter 60 minutes later… Build Failed. No deployment, no value add 🤷‍♀️
  8. None
  9. None
  10. Stuck in a Loop?

  11. Lower Velocity, Less Business Value

  12. How to Deploy Everyday

  13. Team Decides Team choosing to deploy outside of business hours?

  14. DevSecOps

  15. in real life… No one in webinar commented on the

    security warnings 🤔
  16. High Alert 🚨 There's 3 Dependabots? alerts, security updates and

    version updates 🤔
  17. Ok, help me 🤖

  18. OK, let's try it

    "devDependencies": { "glob-parent": ">=5.1.2" }

    $ npm update
  19. 🤨 npm WARN … npm WARN … removed 27 packages,

    and audited 1742 packages in 51s 213 packages are looking for funding run `npm fund` for details 15 vulnerabilities (7 moderate, 8 high) To address all issues, run: npm audit fix Run `npm audit` for details. 15 Vulnerabilities? 😧 Dependabot said 2 high vulnerabilities 🙁
  20. $ npm audit fix 🤨 still 15? glob-parent <5.1.2 Severity:

    high Regular expression denial of service - https://github.com/advisories/GH fix available via `npm audit fix` node_modules/watchpack-chokidar2/node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/watchpack-chokidar2/node_modules/chokidar watchpack-chokidar2 * Depends on vulnerable versions of chokidar # … # … 15 vulnerabilities (7 moderate, 8 high) To address all issues, run: npm audit fix
  21. $ npm audit fix --force 😫 still 15 glob-parent <5.1.2

    Severity: high Regular expression denial of service - https://github.com/advisories/GH fix available via `npm audit fix` node_modules/watchpack-chokidar2/node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/watchpack-chokidar2/node_modules/chokidar watchpack-chokidar2 * Depends on vulnerable versions of chokidar # … 15 vulnerabilities (7 moderate, 8 high) To address all issues, run: npm audit fix
  22. Now What? Tools optimize for knowing … Humans optimize for

    learning
  23. npm overrides but requires update to npm v8, i.e. node v17

    {
      "overrides": {
        "glob-parent": "6.0.2",
        "nth-check": "2.0.1"
      }
    }
  24. Let's upgrade node Update .nvmrc Update Dockerfile node-engine in package.json

    npm run preflight && git push ✅
  25. But CI says ⛔️ Unsupported Open SSL? No Thanks. ℹ

    Compiling Client node:internal/crypto/hash:67 this[kHandle] = new _Hash(algorithm, xofLen); Error: error:0308010C:digital envelope routines::unsupported at new Hash (node:internal/crypto/hash:67:19) // … at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/ opensslErrorStack: [ 'error:03000086:digital envelope routines::initi library: 'digital envelope routines', reason: 'unsupported', code: 'ERR_OSSL_EVP_UNSUPPORTED' } Node.js v17.7.1 The command '/bin/sh -c npm ci --production && npm run nuxt:build' retu
  26. Nevermind. Revert.

  27. Sorry, gotta deploy but thanks for the alert 😉

    # github workflow
    steps:
      - run: npm audit --audit-level=moderate
        continue-on-error: true
  28. You too Defender Scan Thanks for the alert 🤗

    steps:
      - uses: Azure/container-scan@v0
        continue-on-error: true
        with:
          image-name: ${{ env.image-name }}:dev-${{ inputs.git-sha }}
          severity-threshold: WARN
  29. Microsoft Defender Results

  30. Does it even matter? Builds running again Now, let's reflect

    on our decision to ignore a vulnerability What is `glob-parent` and how is it used? What is the Open SSL issue and how is that used? What is this app even trying to do? 🤔
  31. None
  32. DDoS via slowing it down.

  33. What are we globbing for? Interactive (not a checklist) App

  34. None
  35. Headless CMS --- title: Mult-tenant Cluster description: Cluster is used

    to host multiple workloads and/or multiple complexity: 100 security: -25 cost: 0 operations: 100 --- Multi-tenancy is incredibly complex. For example, Ingress, which manage
  36. What we're Globbing . ├── index.md └── requirements ├── dr.md

    ├── factors │ ├── dr-active-active.md │ ├── dr-active-passive.md │ ├── dr-redeploy.md │ ├── dr-wait.md │ ├── multi-tenant.md │ └── single-tenant.md └── tenancy.md Missing Security Context App has no user input App has a build process
  37. Conclusion?

    tooling is about knowing
    tools are stupid. can't think for themselves
    but they will not teach you thinking, learning
    tooling does not give you context
    context is experience
    can't run a marathon without first running 5k, 10k, half marathon
    too many notifications
  38. When Security becomes a todo…

  39. Craftsmanship & the Art of DevOps

  40. What does your git history look like? update Readme.md update

    Readme.md update Readme.md update Readme.md update content update Readme.md wip update link
  41. Why does it matter? Common challenge - versioning, esp. with

    "microservices"
  42. ProTip - Conventional Commits git commit -m "feat(aad): add owners

    to application objects #49" git commit -m "feat(azuread-provider)s: upgrade to v2 #49" git commit -m "feat(devops): mask tenant and user principal ids" git commit -m "feat(pipeline): load kv based on branch in scheduled drift detection (#31)"
  43. Acknowledge Others Extra 30 seconds goes a long way for

    team culture
  44. Document for Humans 30 minutes right now saves hours *

    10 teammates in future
  45. Time to Mastery? Years

  46. Craftsmanship is an Investment in yourself and your teams

  47. Thank you More Cloud Engineering in real life Twitter YouTube.com/c/JulieNgTech

    @jng5
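
The audit output on slides 20 and 21 locates the flagged glob-parent under node_modules/watchpack-chokidar2, not at the top level that the slide 18 pin affects. The following added example (not from the deck) scans a constructed package-lock.json for every installed copy of a package and marks the ones below the fixed version; the lockfile contents, the sample versions and the function names are assumptions made for illustration.

```javascript
// Added example: constructed package-lock.json (lockfileVersion 2 "packages" map).
// Versions are sample values; only the paths and the <5.1.2 bound come from the slides.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { devDependencies: { "glob-parent": ">=5.1.2" } },
    "node_modules/glob-parent": { version: "5.1.2", dev: true },
    "node_modules/watchpack-chokidar2": { version: "2.0.1", dev: true },
    "node_modules/watchpack-chokidar2/node_modules/chokidar": { version: "2.1.8", dev: true },
    "node_modules/watchpack-chokidar2/node_modules/glob-parent": { version: "3.1.0", dev: true },
  },
};

// Compare "major.minor.patch" numerically; prerelease tags are ignored.
function isBelow(version, fixed) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const [a, b] = [parse(version), parse(fixed)];
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Every installed copy of `name`, with the package that owns the nested node_modules.
function findCopies(lock, name, fixed) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => {
      const owner = path.slice(0, -suffix.length).replace(/\/$/, "");
      return {
        path,
        version: meta.version,
        nestedUnder: owner ? owner.split("node_modules/").pop() : "(project root)",
        vulnerable: isBelow(meta.version, fixed),
      };
    });
}

// Copies that remain below the fixed version after the top-level pin is satisfied.
function stillVulnerable(lock, name, fixed) {
  return findCopies(lock, name, fixed).filter((c) => c.vulnerable);
}

console.table(findCopies(sampleLock, "glob-parent", "5.1.2"));
```

The nested copy is the one an `overrides` entry like the one on slide 23 is meant to replace; the `nestedUnder` column tells you which package to read about before deciding whether the finding matters for your app.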