Slide 1

Securing Cloud Native CI/CD with the Dynamic Duo of Tekton and ArgoCD
Kevin Dubois, Principal Developer Advocate, Red Hat
www.developersummit.com

Slide 2

Kevin Dubois (@kevindubois)
★ Principal Developer Advocate at Red Hat
★ Java Champion
★ Based in Belgium
★ Speaks English, Dutch, French, Italian
★ Open Source Contributor (Quarkus, Camel, Knative, ...)
Contact: @[email protected], youtube.com/@thekevindubois, linkedin.com/in/kevindubois, github.com/kdubois, @kevindubois.com

Slide 6

Developer Flow
Inner loop (developer): Code, Build / Package, Test, Debug, Code Push
Outer loop: Pull/Merge Request, Code Review, Build, Deploy, Security, Tests, Compliance, Production

Slide 7

Outer Loop Development
Outer loop: Pull/Merge Request, Code Review, Build, Deploy, Security, Tests, Compliance, Production

Slide 8

Love Thy Mono
Release cadence: every 4 months vs. every week/day/hour

Slide 9

CI - CD - CD
Continuous Integration: Build, Test, Security Checks, Release Ready
Continuous Delivery: Deploy Stage, Deploy Prod (manual)
Continuous Deployment: Deploy Stage, Deploy Prod (auto)

Slide 10

Continuous Delivery... of a racing game :)

Slide 11

The application
- Push/Tap to generate energy (push to give energy to the windmill)
- Sends the interaction to a Kafka topic
- Dashboard: Green Energy; player Nickname and Team
- Cars that need energy
- Two teams competing (top 5 players); first wins

Slide 12

Architecture (Game and Dashboard)
1: Assign player Name & Team (REST)
2: Increment player cluster counter
3: Generate power (REST)
4: Send power event
5: Receive power events
6: Update dashboard (SSE)

Slide 13

YOU PLAY! Scan the QR Code with your phone to play

Slide 14

What if we added a new feature?

Slide 15

Dev | Ops, Friday 4:45 PM: the Wall of confusion

Slide 17

Developer Flow
Inner loop (developer): Code, Build / Package, Test, Debug, Code Push
Outer loop: Pull/Merge Request, Code Review, Build, Deploy, Security, Tests, Compliance, Production

Slide 18

Cloud-Native CI/CD
- Containers: built for container apps and runs on Kubernetes
- DevOps: designed with microservices and distributed teams in mind
- Serverless: runs serverless with no CI/CD engine to manage and maintain

Slide 19

Why Cloud-Native CI/CD?
Traditional CI/CD -> Cloud-Native CI/CD
- Designed for Virtual Machines -> Designed for Containers and Kubernetes
- Require IT Ops for CI engine maintenance -> Pipeline as a service with no Ops overhead
- Plugins shared across CI engine -> Pipelines fully isolated from each other
- Plugin dependencies with undefined update cycles -> Everything lifecycled as container images
- No interoperability with Kubernetes resources -> Native Kubernetes resources
- Admin manages persistence -> Platform manages persistence
- Config baked into CI engine container -> Configured via Kubernetes ConfigMaps
Declarative!

Slide 20

Tekton (https://tekton.dev): an open-source project providing a set of shared and standard components for building Kubernetes-style CI/CD systems.
Tekton is a Graduated Continuous Delivery Foundation project and follows the OpenSSF best practices.
Contributions from Google, Red Hat, CloudBees, IBM, Elastic, Puppet, and many more.

Slide 21

Declarative, Composable, Cloud Native, Reproducible

Slide 22

Tekton Concepts
A Pipeline is made of Tasks; each Task is made of one or more steps.

Slide 23

Tekton Architecture
Define pipeline: Pipeline, Task, Task
Run pipelines: PipelineRun, TaskRun, TaskRun -> pipeline-pod-a, pipeline-pod-b, pipeline-pod-c
Pipeline Controllers (Tekton, ext, ...)

Slide 24

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: wind-turbine-pipeline
spec:
  params:
    - name: GIT_REPO            # used by the git-clone task below
      type: string
    - name: MANIFESTS_GIT_REPO
      type: string
  tasks:
    - name: git-clone
      taskRef:
        name: git-clone         # the git-clone Task (e.g. installed from Tekton Hub)
      params:
        - name: url
          value: $(params.GIT_REPO)
      workspaces:
        - name: output
          workspace: source
  workspaces:
    - name: source

Slide 25

Tekton Hub: search, discover and install Tekton Tasks
hub.tekton.dev

Slide 26

Tekton Chains
Part of the Tekton ecosystem. A Kubernetes controller that watches TaskRun and PipelineRun resources. Depending on its configuration, it does the following:
● Signing TaskRun results with user-provided cryptographic keys, including TaskRuns themselves and OCI images
● Attestation formats like in-toto
● Signing with a variety of cryptographic key types and services (x509, KMS)
● Support for multiple storage backends for signatures

Slide 27

An in-toto attestation is authenticated metadata about one or more software artifacts, as per the SLSA Attestation Model.
● Sign OCI image
● Create signed SLSA Provenance attestation for TaskRuns and PipelineRuns
https://tekton.dev/docs/chains/
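As an added example (not from the talk or from Tekton Chains' own code), a policy check a deployment gate could run over a Chains-produced DSSE envelope: it computes the DSSE pre-authentication encoding that the signature covers, then confirms the decoded in-toto Statement is SLSA provenance naming the image digest about to be deployed and the expected builder. The sample envelope, image name, digest and builder id are constructed; verifying the signature over the PAE bytes with the signer's public key (e.g. via cosign) is assumed to happen separately.

```python
import base64
import json

# Constructed sample: an in-toto Statement of the kind Tekton Chains emits for a
# TaskRun, wrapped in a DSSE envelope. Image name, digest, builder id and the
# signature are made-up placeholders for illustration.
IMAGE_DIGEST = "ab" * 32
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "registry.example/wind-turbine",
                 "digest": {"sha256": IMAGE_DIGEST}}],
    "predicate": {"builder": {"id": "https://tekton.dev/chains/v2"}},
}
SAMPLE_ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER-SIGNATURE"}],
}


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes the signer signed.
    Feed these, with the signature, to the public-key verifier (cosign etc.)."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(),
                      payload_type.encode(), str(len(payload)).encode(), payload])


def check_provenance(envelope: dict, image_digest: str, expected_builder: str) -> list:
    """Return the list of policy violations; an empty list means the attestation
    is SLSA provenance that names this image digest and the expected builder."""
    problems = []
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        problems.append("payloadType is not an in-toto statement")
    payload = base64.b64decode(envelope.get("payload", ""))
    try:
        statement = json.loads(payload)
    except ValueError:
        return problems + ["payload is not valid JSON"]
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append("_type is not an in-toto Statement")
    if not str(statement.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        problems.append("predicate is not SLSA provenance")
    # The subject list binds the attestation to concrete artifacts; deploy only
    # if the digest we are about to run is one of them.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if image_digest not in digests:
        problems.append("attestation does not cover image digest " + image_digest)
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        problems.append("unexpected builder id: %r" % (builder,))
    return problems
```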

Slide 28

Tekton CLI (tkn)
• List and describe: Pipeline, Resource, Task, TaskRun, PipelineRun
• View logs: TaskRun, PipelineRun
• https://github.com/tektoncd/cli

Slide 29

GitOps

Slide 30

What is GitOps?
- Treat everything as code
- Git is the single source of truth
- Operations through Git workflows

Slide 31

CI/CD versus GitOps
CI/CD Engines (Jenkins, Spinnaker, Tekton, Concourse CI, ...): push the Desired State to the Cluster State
GitOps Engines (ACM, ArgoCD, FluxCD, Razee, Faros): observe state, compare Desired State with Cluster State, take action

Slide 32

Let's deploy our new feature in a modern, automated, GitOps way!

Slide 33

Live Coding

Slide 34

GitOps Application Delivery Model
Source Git Repository -> CI -> Image Registry

Slide 35

GitOps Application Delivery Model
Pull Request / Commit -> Source Git Repository -> CI -> Push -> Image Registry
CI -> Config Git Repository -> CD (Pull) -> Kubernetes

Slide 36

GitOps Application Delivery Model
Pull Request -> Source Git Repository -> CI -> Push -> Image Registry
Config Git Repository -> CD (Pull) -> Kubernetes
CD: Deploy, Monitor, Detect drift, Take action

Slide 37

ArgoCD: Sync, Monitor, Detect drift, Take action
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
- Cluster and application configuration versioned in Git
- Automatically syncs configuration from Git to clusters
- Drift detection, visualization and correction

Slide 38

V2: Scan the QR Code with your phone to play

Slide 39

Start exploring in the OpenShift Sandbox. Learn containers, Kubernetes, and OpenShift in your browser. Try Red Hat's products and technologies without setup or configuration.
developers.redhat.com/developer-sandbox

Slide 40

Free Developer e-Books & Tutorials! developers.redhat.com/eventtutorials

Slide 41

https://red.ht/gitops-cookbook

Slide 42

https://red.ht/modernize-enterprise-java

Slide 43

Thank you!
@[email protected], youtube.com/@thekevindubois, linkedin.com/in/kevindubois, github.com/kdubois, @kevindubois.com

Slide 44

Join Red Hat Developer. Build here. Go anywhere.
facebook.com/RedHatDeveloper, youtube.com/RedHatDevelopers, twitter.com/rhdevelopers, linkedin.com/showcase/red-hat-developer