GIDS - Secure Cloud Native CI/CD with Tekton and ArgoCD

Kevin Dubois

April 24, 2024
Transcript

  1. www.developersummit.com
     Securing Cloud Native CI/CD with the Dynamic Duo of Tekton and ArgoCD
     Kevin Dubois, Principal Developer Advocate, Red Hat
  2. @kevindubois Kevin Dubois
     ★ Principal Developer Advocate at Red Hat
     ★ Java Champion
     ★ Based in Belgium
     ★ Speaks English, Dutch, French, Italian
     ★ Open Source Contributor (Quarkus, Camel, Knative, ...)
     @[email protected] youtube.com/@thekevindubois linkedin.com/in/kevindubois github.com/kdubois @kevindubois.com
  3. Developer Flow
     Inner loop (Developer): Code, Build / Package, Debug, Test, Push
     Outer loop: Pull/Merge Request, Code Review, Build, Security Tests, Compliance, Deploy, Production
  4. Outer Loop Development
     Outer loop: Pull/Merge Request, Code Review, Build, Security Tests, Compliance, Deploy, Production
  5. CI - CD - CD
     Continuous Integration: Build, Test, Security Checks, Release Ready
     Continuous Delivery: Deploy Stage, Deploy Prod (manual)
     Continuous Deployment: Deploy Stage, Deploy Prod (auto)
  6. The application
     Dashboard: Green Energy. Players enter a nickname and team, then push/tap the windmill to generate energy for the cars that need energy. Each interaction is sent to a Kafka topic. Two teams competing (top 5 players shown); the first to finish wins.
  7. Architecture
     1: Assign player name & team (REST)
     2: Increment player cluster counter
     3: Generate power (REST)
     4: Send power event
     5: Receive power events
     6: Update Game Dashboard (SSE)
  8. Developer Flow (same diagram as slide 3)
     Inner loop (Developer): Code, Build / Package, Debug, Test, Push
     Outer loop: Pull/Merge Request, Code Review, Build, Security Tests, Compliance, Deploy, Production
  9. Cloud-Native CI/CD
     Containers: built for container apps and runs on Kubernetes
     DevOps: designed with microservices and distributed teams in mind
     Serverless: runs serverless with no CI/CD engine to manage and maintain
  10. Why Cloud-Native CI/CD?

     | Traditional CI/CD | Cloud-Native CI/CD |
     |---|---|
     | Designed for virtual machines | Designed for containers and Kubernetes |
     | Requires IT Ops for CI engine maintenance | Pipeline as a service with no Ops overhead |
     | Plugins shared across the CI engine | Pipelines fully isolated from each other |
     | Plugin dependencies with undefined update cycles | Everything lifecycled as container images |
     | No interoperability with Kubernetes resources | Native Kubernetes resources |
     | Admin manages persistence | Platform manages persistence |
     | Config baked into the CI engine container | Configured via Kubernetes ConfigMaps |

     Declarative!
  11. Tekton is a Graduated Continuous Delivery Foundation project and follows the OpenSSF best practices.
     Contributions from Google, Red Hat, CloudBees, IBM, Elastic, Puppet, and many more.
     An open-source project providing a set of shared and standard components for building Kubernetes-style CI/CD systems. https://tekton.dev
  12. Tekton Concepts
     A Pipeline is composed of Tasks; each Task is composed of one or more Steps.
  13. Tekton Architecture
     Define pipelines: Pipeline, Task, Task
     Run pipelines: PipelineRun, TaskRun, TaskRun
     Pipeline Controllers (Tekton, ext, ...) turn each run into pods: pipeline-pod-a, pipeline-pod-b, pipeline-pod-c
  14. Pipeline definition (the slide declares only MANIFESTS_GIT_REPO but references $(params.GIT_REPO); the GIT_REPO param and the taskRef are added here so the Pipeline is valid):

     ```yaml
     apiVersion: tekton.dev/v1beta1
     kind: Pipeline
     metadata:
       name: wind-turbine-pipeline
     spec:
       params:
         - name: GIT_REPO            # added: referenced by the git-clone task below
           type: string
         - name: MANIFESTS_GIT_REPO
           type: string
       tasks:
         - name: git-clone
           taskRef:
             name: git-clone         # added: the catalog git-clone Task (takes a `url` param and an `output` workspace)
           params:
             - name: url
               value: $(params.GIT_REPO)
           workspaces:
             - name: output
               workspace: source
       workspaces:
         - name: source
     ```
  15. Tekton Chains
     Part of the Tekton ecosystem. A Kubernetes controller that watches TaskRun and PipelineRun resources. Depending on its configuration, it does the following:
     • Signing TaskRun results with user-provided cryptographic keys, including the TaskRuns themselves and OCI images
     • Attestation formats like in-toto
     • Signing with a variety of cryptographic key types and services (x509, KMS)
     • Support for multiple storage backends for signatures
  16. An in-toto attestation is authenticated metadata about one or more software artifacts, as per the SLSA Attestation Model.
     • Sign OCI image
     • Create signed SLSA Provenance attestation for TaskRuns and PipelineRuns
     https://tekton.dev/docs/chains/
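As an added example (not from the deck or the Tekton project), here is how a deployment-side policy can check a Chains-produced in-toto/SLSA provenance envelope before admitting an image: it builds the DSSE pre-authentication encoding that a signature actually covers, then checks the payload type, the predicate type, that the deployed image digest is a subject of the attestation, and the builder id. The envelope, image name and digest are constructed; the builder id value is an assumption to adapt to your own Chains configuration.

```python
import base64
import json

# Builder id is an assumption about what a Tekton Chains install writes; check yours.
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_PREDICATE_TYPES = {"https://slsa.dev/provenance/v0.2", "https://slsa.dev/provenance/v1"}
EXPECTED_BUILDER_ID = "https://tekton.dev/chains/v2"  # assumption, see lead-in

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes a DSSE signer signs.
    Verifying a signature over the bare payload instead of this is a classic bug."""
    return b"DSSEv1 %d %s %d " % (len(payload_type), payload_type.encode(), len(payload)) + payload

def check_provenance(envelope: dict, image_digest: str) -> list:
    """Policy check on a SLSA provenance envelope; returns failures ([] = accept).
    Signature verification itself (e.g. cosign verify-attestation) is assumed done first."""
    failures = []
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        failures.append("unexpected payloadType")
    if not envelope.get("signatures"):
        failures.append("envelope carries no signatures")
    try:
        statement = json.loads(base64.b64decode(envelope["payload"]))
    except (KeyError, ValueError):
        return failures + ["payload is not base64-encoded JSON"]
    if statement.get("predicateType") not in SLSA_PREDICATE_TYPES:
        failures.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    # An attestation only covers the artifacts listed as subjects: bind it to the
    # digest actually being deployed, never to a mutable tag.
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if image_digest.removeprefix("sha256:") not in subjects:
        failures.append("image digest is not a subject of this attestation")
    predicate = statement.get("predicate", {})
    builder = (predicate.get("builder") or predicate.get("runDetails", {}).get("builder", {})).get("id")
    if builder != EXPECTED_BUILDER_ID:
        failures.append(f"unexpected builder id {builder!r}")
    return failures

def make_sample_envelope(image_digest: str, builder_id: str) -> dict:
    """Constructed envelope shaped like Chains output; the signature is a dummy."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": "quay.io/example/wind-turbine",  # hypothetical image name
                     "digest": {"sha256": image_digest.removeprefix("sha256:")}}],
        "predicate": {"builder": {"id": builder_id}, "buildType": "tekton.dev/v1beta1/TaskRun"},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": IN_TOTO_PAYLOAD_TYPE, "payload": payload,
            "signatures": [{"keyid": "", "sig": base64.b64encode(b"dummy").decode()}]}
```

Run `check_provenance(make_sample_envelope(d, EXPECTED_BUILDER_ID), d)` with a digest `d` to see an accepted envelope return `[]`; swapping the builder id or the digest yields the corresponding failure strings.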
  17. Tekton CLI (tkn)
     • List and describe: Pipeline, Resource, Task, TaskRun, PipelineRun
     • View logs: TaskRun, PipelineRun
     • https://github.com/tektoncd/cli
  18. What is GitOps?
     Treat everything as code. Git is the single source of truth. Operations through Git workflows.
  19. CI/CD versus GitOps
     CI/CD Engines: Jenkins, Spinnaker, Tekton, Concourse CI, ...
     GitOps Engines: ACM, ArgoCD, FluxCD, Razee, Faros: compare Desired State with Cluster State, Observe State, Take Action
  20. GitOps Application Delivery Model
     Source Git Repository → CI → Image Registry; Pull Request / Commit → Config Git Repository → CD → Kubernetes. CI pushes, CD pulls.
  21. GitOps Application Delivery Model
     Push: Source Git Repository → Image Registry; Pull Request → Config Git Repository
     Pull: CD reads the Config Git Repository and, on Kubernetes, runs Deploy, Monitor, Detect drift, Take action
  22. ArgoCD: Sync, Monitor, Detect drift, Take action
     Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
     • Cluster and application configuration versioned in Git
     • Automatically syncs configuration from Git to clusters
     • Drift detection, visualization and correction
  23. Start exploring in the OpenShift Sandbox. Learn containers, Kubernetes, and OpenShift in your browser. Try Red Hat's products and technologies without setup or configuration. developers.redhat.com/developer-sandbox
  24. Join Red Hat Developer. Build here. Go anywhere.
     facebook.com/RedHatDeveloper youtube.com/RedHatDevelopers twitter.com/rhdevelopers linkedin.com/showcase/red-hat-developer