Slide DevSecOps Microservices
0 likes1,086 views
The document discusses best practices for implementing DevSecOps for microservices architectures. It begins by defining microservices and explaining their advantages over monolithic architectures. It then covers challenges of microservices including communication between services, databases, testing, and deployment. The document recommends using a choreography pattern for asynchronous communication between loosely coupled services. It provides examples of event-driven architectures and deploying to Kubernetes. It also discusses technologies like Jenkins, Docker, Kubernetes, SonarQube, and Trivy that can help support continuous integration, deployment, and security in DevSecOps pipelines.
Slide DevSecOps Microservices
- 1. DevSecOps in the Real World: Best Practices for CI/CD and Microservices Hendri Karisma
- 2. Hello! my name is Hendri Karisma ● Technical Lead ● Working on platform system ● Before working for AI and DevEx
- 3. Micro-services an architectural style that structures an application as a collection of services ● Highly maintainable and testable ● Loosely coupled ● Independently deployable ● Organized around business capabilities ● Owned by a small team
- 4. Monolith vs Microservices? Monolith Architecture Microservices Architecture
- 5. Why microservices? Wish our system could : ● Small so more modular, tackles the complexity issue. Lightweight ● Reusability ● Reliable ● Each service independent : ○ loosely coupled ○ Scalability
- 6. Challenge microservices? ● Communication : Latency and complexity ● Database: each services have their own database, transaction ● Testing: Integration testing ● Changes: could impact multiple services ● Deployment: machines x services, configuration, secrets management, monitoring
- 9. Orchestration Entails actively controlling all elements and interactions like a conductor directs the musicians of an orchestra One service controller handles all communications between microservices, and directs each service to perform the intended function. Disadvantage : ● the controller needs to directly communicate with each service and wait for each service’s response ● impacted by downstream network and service availability (latency) ● More tight coupling then we could say it’s a distributed monolithic.
- 10. Choreography Asynchronous process: Each service works independently and consumes the data that relates to it to perform its task. ● Event Driven Architecture ● Decouples client from the service ● Message Buffering ● Flexible style Tech: RabbitMQ, Apache Kafka, ActiveMQ, etc
- 11. Event Driven #1
- 12. Event Driven #2 (communications)
- 13. Event Driven (Data Aggregation)
- 14. Event Driven (Data Logging)
- 15. Sample App Architecture 1 App / Service Database Message Queue RESTful / Request Push to message queue Other systems Data 9 Seach Engine Data Other systems Data
- 16. Configuration
- 17. Configuration #2
- 18. Configuration #3
- 19. Secrets
- 20. Deployment ● Classic : on top Bare metal server or VM ● Using Virtual machine for each instance (app node) ● Using Container and Container Orchrestation
- 21. Deployment #1
- 22. Deployment #2
- 23. Deployment #3
- 24. DevOps DevOps is the combination of cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes.
- 25. DevSecOps Now, in the collaborative framework of DevOps, security is a shared responsibility integrated from end to end. The term "DevSecOps" to emphasize the need to build a security foundation into DevOps initiatives. It also means automating some security gates to keep the DevOps workflow from slowing down.
- 26. Tech to Support DevSecOps ● Automation Server: Jenkins, Bamboo, Github Action, travis, circleci, ansible, etc ● Infrastructure as code / CLI: AWS SDK, GCP SDK, terraform, chef, etc ● Registry/Repository : docker hub, helm, GCR, etc ● Security scanner : Sonarqube, trivy, etc ● Container Orchestration: Kubernetes, Docker swarm ● Configuration & Secret : vault & consul ● Code Repository: bitbucket, github, gitlab, etc
- 27. Jenkins An open source extensible automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery.
- 28. Docker an open source containerization platform. It enables developers to package applications into containers—standardized executable components combining application source code with the operating system (OS) libraries and dependencies required to run that code in any environment.
- 29. Kubernetes Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management. Google originally designed Kubernetes, but the Cloud Native Computing Foundation now maintains the project. also known as K8s. K8s could automate the deployment, scaling, and management of containerized applications.
- 30. Kubernetes
- 31. Kubernetes
- 32. ● helps you manage Kubernetes applications — Helm Charts help you define, install, and upgrade even the most complex Kubernetes application. ● Helm Charts are simply Kubernetes YAML manifests combined into a single package that can be advertised to your Kubernetes clusters. Once packaged, installing a Helm Chart into your cluster is as easy as running a single helm install, which really simplifies the deployment of containerized applications. Helm and Helm Chart
- 33. Helm
- 34. Sonarqube SonarQube is a Code Quality Assurance tool that collects and analyzes source code, and provides reports for the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continually over time.
- 35. Sonarqube SonarQube is a Code Quality Assurance tool that collects and analyzes source code, and provides reports for the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continually over time.
- 36. Trivy ● Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues. ● Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.). ● In addition, Trivy scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack. ● https://aquasecurity.github.io/trivy/v0.21.3/
- 37. Artifact and Image Repository ● For App Artifact could use Jfrog Artifactory, Nexus, devpi for python, etc ● Docker Image (registry) : GCR, ECR, GCR
- 38. Continuous Integration Part Pipeline CI/CD Checkout and Preparation Build Project Testing and Scanning Code & Secure Code Build Snapshot/ Release version Send to Artifactory Post Stage Send data to data pool Continuous Deployment Part Scanning Security for Image Create Docker Image Checkout and Preparation Update Param Create Chart Update Helm
- 39. Create Repository for Images ● Base Image for Build ● Base Image for Development ● Default base image ● Jenkins pipeline ● Create standard for the project structure
- 40. APM (Application Performance Management ● the monitoring and management of performance and availability of software applications. APM strives to detect and diagnose complex application performance problems to maintain an expected level of service. ● Tools: DataDog, New Relic, Splunk, ELK Stack (Elasticsearch Logstash Kibana), Grafana, Promotheus
- 41. ELK Stack #1
- 42. ELK Stack #2
- 43. ELK Stack #3
- 46. App Tech Stack ● Programming Language: java, kotlin, python, golang, php ● Database: mysql, postgre, sql server, mongodb, redis, etc ● Search engine: elasticsearch, solr ● Messaging app: RabbitMQ, Kafka
- 47. CI Pipeline DevSecOps Tech Stack CD Pipeline Checkout Build Test & Analysis Push To Artifactory Push to Image Registry Pull Image Update Config Helm upgrade Build Image & Scan Git Repo Scan Code coverage and secure code Scan Docker Image Save app artifact Live on to K8s Save the image Optional, pick 1
- 48. THANK YOU