Automatic DevOps - What would happen if DevOps becomes automatic?
Your team has automated its unit tests and deployments on a CI/CD tool, but strangely, the quality hasn’t improved. Worse still, your team’s velocity has decreased as it spends time undoing and redoing its scripts. The code coverage is disappointing and when you have two tests from start to finish you are happy. Let’s see What would happen if DevOps becomes automatic?
If only the team could focus on its code, then the application can manage automatically from start to finish. It is scanned for vulnerabilities that have been recognized from all angles. It can be deployed on a test environment with each change to be reviewed by a human, and even that is automatically supervised once deployed.
How does Automatic DevOps work?
The Auto DevOps is the use of a default CI pipeline, which will launch well-made jobs.
For starters, GitLab builds a container and pushes it into its built-in registry:
- They use herokuish, which reproduces Heroku’s behaviour, using his build packs unless a custom is put at the root of the project.Dockerfile
Buildpacks provide default orders at the launch of the container. It is also possible to replace it by creating a process in a file at the root of the project.RUNDockerfilewebProcfile
The test stage also relies on buildpacks. Orders launched vary depending on the language. You will find all the details in the documentation of Heroku-CI.
The code quality analysis is done through an image that reproduces the code climate’s behaviour. Its disadvantage is that it launches all the tools to control the earth, so its execution takes a lot of time.
Besides, it intends to calculate the level of maintainability of the code, not to interrupt the pipeline in the event of a syntax error. It will be up to the development team to educate themselves (looking at the outcome of the pipeline, for instance).
The implementation of these types of mechanisms can quickly become a full-time job, which is not possible in some teams/companies.
Static security analysis
This step involves launching a Docker SAST image, which will run the analysis tools on your code for each supported language. The principle of each of its tools is to read your code and detect certain syntaxes known as a security risk vector for your application.
The same principle is that a container created by GitLab is launched to check for known vulnerabilities in the application’s addictive packages. For most supported package managers, this is mainly Gemnasium, recently purchased and absorbed by GitLab.
The containers are made up of stack layers(layers), each is analyzed using Clair, and the vulnerabilities detected are reassembled.
The final steps are to put yourself in real conditions of use, to carry out the latest checks on the application, to deploy it, and to monitor its behavior in production.
This step is simply to deploy the application to a temporary environment so that stakeholders (product manager, security reference, etc.) can get an overview of the application eligible for deployment.
Dynamic security analysis
A scanning proxy – OWASP ZAProxy in this case – is launched to scan via HTTPs the application thus deployed, under the same conditions of use as a user/attacker.
In the same logic as the previous step, you can use sitespeed.io to measure the performance felt on the browser.
You can compare these measures with previous ones, and thus highlight the positive or negative impacts of changes to the code.
When the validation of changes is complete, you can deploy an application on the Kubernetes production environment.
It is possible to define a deployment on an additional recipe () environment.staging
Once your app is in production, you can supervise its activity automatically in Prometheus and you can follow:
- LATEncy and HTTP errors
- Use CPU and memory
Presented like this, it’s a dream. But the implementation is not completely automatic. It is necessary beforehand to have a complete infrastructure that consists of:
- The domain name and wildcard certificate (*.domain.tld)
You can also use cloud platforms, which are the most documented.
Depending on your applications and the languages used, you may need to add a little configuration for Herokuish and/or Code to find their little ones.
Although all the tools presented are available in open source, many of them offer a business variant that, if purchased, can quickly represent a budget.