www.developersummit.com Securing Cloud Native CI/CD with the Dynamic Duo of Tekton and ArgoCD Kevin Dubois Principal Developer Advocate Red Hat

@kevindubois Kevin Dubois ★ Principal Developer Advocate at Red Hat ★ Java Champion ★ Based in Belgium 󰎐 ★ Speak English, Dutch, French, Italian ★ Open Source Contributor (Quarkus, Camel, Knative, ..) @[email protected] youtube.com/@thekevindubois linkedin.com/in/kevindubois github.com/kdubois @kevindubois.com

@kevindubois

@kevindubois

@kevindubois

@kevindubois Developer Flow Outer loop Inner loop Pull/Merge Request Production Build / Package Code Push Debug Code Review Build Deploy Security Tests Compliance Inner loop Outer loop Developer Test

@kevindubois Outer Loop Development Outer loop Pull/Merge Request Production Outer loop Code Review Build Deploy Security Tests Compliance

@kevindubois Love Thy Mono Every 4 months Every week/day/hour

@kevindubois CI - CD - CD Build Test Security Checks Release Ready Deploy Stage Deploy Prod Continuous Integration Continuous Delivery Continuous Deployment Manual Auto

@kevindubois Continuous Delivery… of a racing game :)

@kevindubois The application Push to give energy windmill Kafka Topic 2.Sends the interaction Dashboard: Green Energy Nickname Team Push/Tap to generate energy Cars that needs energy Two teams competing (top 5 players) First wins

@kevindubois Architecture 3: Generate power (REST) Game Dashboard 1: Assign player Name & Team (REST) 6: Update dashboard (SSE) 2: Increment player cluster counter 4: Send power event 5: Receive power events

@kevindubois YOU PLAY! Scan the QR Code with your phone to play

@kevindubois What if we added a new feature?

@kevindubois Dev Ops Friday | 4:45 PM Wall of confusion

@kevindubois

@kevindubois Developer Flow Outer loop Inner loop Pull/Merge Request Production Build / Package Code Push Debug Code Review Build Deploy Security Tests Compliance Inner loop Outer loop Developer Test

@kevindubois Cloud-Native CI/CD Containers Built for container apps and runs on Kubernetes Designed with microservices and distributed teams in mind DevOps Serverless Runs serverless with no CI/CD engine to manage and maintain

@kevindubois Why Cloud-Native CI/CD? Traditional CI/CD Cloud-Native CI/CD Designed for Virtual Machines Designed for Containers and Kubernetes Require IT Ops for CI engine maintenance Pipeline as a service with no Ops overhead Plugins shared across CI engine Pipelines fully isolated from each other Plugin dependencies with undefined update cycles Everything lifecycled as container images No interoperability with Kubernetes resources Native Kubernetes resources Admin manages persistence Platform manages persistence Config baked into CI engine container Configured via Kubernetes ConfigMaps Declarative !

@kevindubois Tekton is a Graduated Continuous Delivery Foundation project and follows the OpenSSF best practices. Contributions from Google, Red Hat, Cloudbees, IBM, Elastic, Puppet, and many more An open-source project for providing a set of shared and standard components for building Kubernetes-style CI/CD systems https://tekton.dev

@kevindubois Declarative Composable Cloud Native Reproducible

@kevindubois Task step step Task step Task step step Task step step Pipeline Tekton Concepts step

@kevindubois Tekton Architecture Pipeline Task Task Define pipeline Run pipelines Pipeline Controllers (Tekton, ext, ...) pipeline-pod-a pipeline-pod-b PipelineRun TaskRun TaskRun pipeline-pod-c

@kevindubois apiVersion: tekton.dev/v1beta1 kind: Pipeline metadata: name: wind-turbine-pipeline spec: params: - name: MANIFESTS_GIT_REPO type: string tasks: - name: git-clone params: - name: url value: $(params.GIT_REPO) workspaces: - name: output workspace: source workspaces: - name: source

@kevindubois 25 Tekton Hub Search, discover and install Tekton Tasks hub.tekton.dev

@kevindubois Part of the Tekton ecosystem A Kubernetes controller that watches TaskRun and PipelineRun resources Depending on its configuration, it does the following: ● Signing TaskRun results with user provided cryptographic keys, including TaskRuns themselves and OCI Images ● Attestation formats like intoto ● Signing with a variety of cryptographic key types and services (x509, KMS) ● Support for multiple storage backends for signature Tekton Chains

@kevindubois An in-toto attestation is authenticated metadata about one or more software artifacts, as per the SLSA Attestation Model. ● Sign OCI image ● Create signed SLSA Provenance attestation for TaskRuns and PipelineRuns https://tekton.dev/docs/chains/

@kevindubois Tekton CLI(tkn) •List and Describe • Pipeline • Resource • Task • Task Run • Pipeline Run •View logs • Task Run • Pipeline Run •https://github.com/tektoncd/cli

@kevindubois Gitops

@kevindubois What is GitOps? Treat everything as code Git is the single source of truth Operations through Git workflows

@kevindubois CI/CD Engines Jenkins Spinnaker Tekton Concourse CI …... CI/CD versus GitOps 31 Desired State Cluster State Observe State Take Action GitOps Engines ACM, ArgoCD, FluxCD Razee, Faros Desired State Cluster State

@kevindubois Let’s deploy our new feature in a Modern, Automated, Gitops way!

@kevindubois Live Coding

@kevindubois Source Git Repository Image Registry CI GitOps Application Delivery Model

@kevindubois Source Git Repository Image Registry CI Config Git Repository Kubernetes CD Pull Request / Commit Push Pull GitOps Application Delivery Model

@kevindubois GitOps Application Delivery Model Push Pull Pull Request Source Git Repository Image Registry Config Git Repository Kubernetes Deploy Monitor Detect drift CD Take action

@kevindubois ArgoCD Sync Monitor Detect drift Take action Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Cluster and application configuration versioned in Git Automatically syncs configuration from Git to clusters Drift detection, visualization and correction

@kevindubois 38 V2 Scan the QR Code with your phone to play

@kevindubois Start exploring in the OpenShift Sandbox. Learn containers, Kubernetes, and OpenShift in your browser. developers.redhat.com/developer-sandbox Try Red Hat's products and technologies without setup or configuration.

@kevindubois Free Developer e-Books & Tutorials! developers.redhat.com/eventtutorials

@kevindubois https://red.ht/gitops-cookbook

@kevindubois https://red.ht/modernize-enterprise-java

@kevindubois Thank you! @[email protected] youtube.com/@thekevindubois linkedin.com/in/kevindubois github.com/kdubois @kevindubois.com

@kevindubois Join Red Hat Developer. Build here. Go anywhere. facebook.com/RedHatDeveloper youtube.com/RedHatDevelopers twitter.com/rhdevelopers linkedin.com/showcase/red-hat-developer