CircleCI – DevopsCurry
https://devopscurry.com
Tue, 24 Sep 2024 08:04:19 +0000

Devops Spinnaker
https://devopscurry.com/spinnaker/
Wed, 17 Apr 2024 02:43:32 +0000

The post Devops Spinnaker appeared first on DevopsCurry.
Introduction To Spinnaker

Spinnaker is an open-source CI platform, a continuous platform developed by Netflix and created to increase the speed and reduce the trouble of updating applications. Spinnaker is supported by a large community of organizations that includes SAP, Netflix, Google, AWS, Azure, Oracle, etc. Spinnaker is similar to some of the cloud providers, namely Google App Engine, Kubernetes, Microsoft Azure, AWS EC2, OpenStack and Google Compute Engine. Netflix uses Spinnaker to regulate cloud VMs for the pipeline delivery process. One of the important objectives of Spinnaker is to create reliable deployments. It produces deployments that operate with Continuous Integration and that bring groups of servers up as well as down. Several organizations use Spinnaker in production, where testers and developers use it to automate their software delivery process. Spinnaker is made up of JVM-based services and an AngularJS UI.

Features of Spinnaker

  • Security

One of the important features of Spinnaker is security: it supports several authentication mechanisms, including X.509 certs, Google Groups, LDAP, Azure Groups, OAuth and many more, which permit effective isolation for the security of projects.

  • Multicloud deployment

Spinnaker is useful for deploying applications across multiple cloud providers, and it supports many cloud platforms such as Cloud Foundry, AWS, Oracle and Azure, as well as private clouds like OpenShift. Its multi-cloud support lets users run an application across several cloud infrastructures with no vendor lock-in. Spinnaker also integrates with IaC (Infrastructure as Code) tools such as AWS CloudFormation and Terraform.

  • Flexibility

It is very simple to customize and extend any capability according to the organization's needs. You can easily create connectors for external tools and services.

  • Automated Pipelines

Spinnaker automates the continuous integration and continuous delivery workflow and delivers multi-service applications into target environments without manual scripting.

  • CI integration

Spinnaker can be effortlessly combined with other tools like Git events, Travis CI, CRON jobs and Jenkins. It lets users easily and effectively run several tasks from the artifact collection.

 

Benefits of Spinnaker

  • Creating and improving deployment pipelines through the basic interface is simple.
  • It has role-based access control.
  • One of the important benefits of Spinnaker is its deployment techniques.
  • It is easy to get notifications via Slack, email, SMS and HipChat.
  • It has a CLI (Command Line Interface) for admins and users.

Spinnaker In CI/CD Tool Chain

Image Credit: https://www.opsmx.com/what-is-spinnaker/

The image above gives some idea of how Spinnaker fits in the CI/CD tool chain. Jenkins appears in it, so we will now look at what Jenkins is and how it relates to Spinnaker.

Jenkins

Jenkins ranks among the top CI/CD tools and was inaugurated in 2011. It is an open-source, web-based tool for on-premise CI automation that you can use for free. You can use it on Linux, macOS and Windows. It can distribute CI/CD automation in the cloud and is designed for cloud providers and Kubernetes clusters. To improve building and testing, it can use the power of a network of machines.

Difference Between Spinnaker and Jenkins

| S.No. | Spinnaker | Jenkins |
|---|---|---|
| 01 | It's an open-source multi-cloud continuous delivery platform. | It's an open-source automation server. |
| 02 | It is designed for Continuous Delivery. | It is designed for Continuous Integration. |
| 03 | On Stack Overflow you can ask anything about Spinnaker and you will get your answer from the team. | On Reddit threads you can ask anything related to Jenkins and, in a very short time, you will get the answer from the team. |
| 04 | It can be integrated with tools such as Focker, GitHub, Amazon EC2 and Docker; which is right for your project depends on the project's requirements. | It can be integrated with tools such as Azure DevOps, Slack, Browser Stack and Date of; which is right for your project depends on the project's requirements. |
| 05 | Bamboo, Apache Maven and TeamCity are alternatives to Spinnaker. | Travis CI and CircleCI are alternatives to Jenkins. |

 

Conclusion: Spinnaker is the best tool in the realm of Continuous Delivery. It produces deployments that operate with Continuous Integration and that bring groups of servers up as well as down. Many organizations use Spinnaker in production, where testers and developers use it to automate their software delivery process. Spinnaker is made up of JVM-based services and an AngularJS UI.

Finally, Spinnaker's open-source nature, huge community and CD (Continuous Development) make it convincing for organizations that want to raise their DevOps practices.

Securing your CI/CD pipelines with DevSecOps in 2023
https://devopscurry.com/securing-your-ci-cd-pipelines-with-devsecops-in-2023/
Tue, 09 Mar 2021 17:03:38 +0000

The post Securing your CI/CD pipelines with DevSecOps in 2023 appeared first on DevopsCurry.
Injecting Security in your CI/CD pipelines

DevOps is well known for the path-breaking changes it has brought in the software industry. The most prominent one is to bring the Dev and Ops team together, to work in sync at all times throughout the application development lifecycle. And the second is to automate pretty much the entire CI/CD pipeline. These two have been the most remarkable transformation brought to us by the DevOps process.

DevOps has been constantly finding ways to make the CI/CD pipeline more efficient and better. Today we are going to discuss DevSecOps, a process that aims to put a security blanket around the entire lifecycle.

In older processes, the security check for the application used to happen at the later stages, usually just before deployment. This practice resulted in last-minute code fixes and testing issues, which in turn delayed the product release.

So, to accelerate the whole process, DevOps uses the ‘Shift Left’ approach. The method focuses on bringing security practices in right from the early stages of the DevOps lifecycle. Incorporating testing and security at the beginning ensures a speedy process.

Securing the application is not something to be done at a single point; it needs to be done at every step throughout the process. Securing the application is a continuous process, which is why it is called Continuous Assurance.

Now the question arises: what do we need to check for security?

Automated CI/CD processes are a critical component of DevOps infrastructure. CI/CD orchestration tools like Jenkins, CircleCI, Bamboo, TeamCity, Travis, Buddy, etc. are increasingly deployed in DevOps processes to improve processes, facilitate faster deployment of software and product delivery, and provide continuous cost reduction.

But we also need to keep in mind that these CI/CD tools are the biggest consumers of secret and confidential data and have access to a lot of sensitive resources, such as other apps and services, and information like codebases, credentials and databases.

Ensuring that our CI/CD pipelines are protected and secured and cannot be compromised is a must. Hence we need to think about ways to protect the pipeline itself.

Security Checks for CI/CD Pipelines

There are several security checks that need to be performed:

Source Code Vulnerabilities – This check relates to the security of the software itself. If the source code is not protected, it may be subjected to malicious attacks.

OSS Library Vulnerabilities – Beyond the source code, there is a high chance that the open-source libraries used in the application have vulnerabilities.

OSS Version – Open-source libraries come in handy, but there is a chance that after a few years a given version will be deprecated. Once it is deprecated, there might not be any maintenance or any replacement for the library.

Identifying Compromising Credentials – There is always a possibility of human error when dealing with secrets and credentials within your CI/CD pipeline. However, we now have many tools that can scan for secrets and credentials that have been accidentally committed to a source code repository.

There are several other vulnerabilities that the application might be exposed to due to libraries, code infrastructure, or other exposures. So how do we check for security? Here are some ways:

Static Application Security Testing (SAST) – The testing is primarily done before code compilation. It analyses the code for security vulnerabilities and is also known as white-box testing. This test happens very early in the SDLC, which helps to fix code issues.

Active and Passive penetration test (Dynamic Analysis) – The test is described as dynamic analysis because it checks the system's response to variables/parameters that are not constant. In simple terms, it checks the application's behaviour with real-time values.

Infrastructure Analysis – This involves scanning the actual environment, such as configuration and server status, to understand and analyse the actual drift and what the fix for the drift could be.

These are some of the checks performed by the Build/DevOps team to ensure a secure CI/CD channel.

Security Tools for CI/CD Pipelines

There are many Devops tools available in the market to perform these tests. Let’s have a look at a few tools:

Checkmarx – Facilitates SAST testing to analyze code vulnerabilities in the early stages. It can be easily integrated with any CI/CD tool or environment.

IMMUNIO – The tool provides a cloud-based solution to protect web applications from malicious attacks. The tool is unique because it does not continuously scan the application; instead it focuses on possible vulnerabilities.

Aqua Security – The tool provides security for containers throughout the CI/CD pipeline. The main feature is that it works with all platforms and clouds very well. Aqua Security helps save the day, providing container security throughout the DevSecOps pipeline.

OWASP Zed Attack Proxy (ZAP) – One of the most popular tools to protect web applications from potential threats. It produces a weekly ZAP Docker image which has all the common vulnerabilities listed.

Twistlock – A multifaceted tool which offers security to containers, hosts, and serverless components.

CyberArk: CyberArk provides a way to keep secrets out of your Jenkins master, off disk, and also out of source control. CyberArk provides a Jenkins plugin which can be used to provide credentials to your Jenkins jobs at runtime. The plugin securely provides credentials that are stored in Conjur to Jenkins jobs.

WhiteSource: Another type of security risk for your CI/CD pipelines is open-source vulnerabilities. WhiteSource is a tool that integrates into the DevOps pipeline and runs continuously in the background, tracking the security, licensing, and quality of open-source components and matching them against WhiteSource’s comprehensive database of open-source repositories to provide real-time alerts.

Chef InSpec: InSpec from Chef is also recommended for scanning your applications and infrastructure. Chef InSpec is an open-source (OSS) automated testing tool for integration, compliance, security, and other policy requirements.

Fortify WebInspect (MicroFocus): Fortify WebInspect is another dynamic application security testing (DAST) tool that finds and prioritizes exploitable vulnerabilities in your web applications.

The list goes on as there are many more Devops tools available as per the need of the application.

Conclusion

So we now realise that baking security within your Devops CI/CD process is the need of the hour. With more and more organisations adopting and integrating CI/CD tools for their build, release and deployment process, keeping your CI/CD pipelines secure is more important than ever before.

In today’s world, just like quality, security is also a shared responsibility. 

In the post above we have tried to discuss the importance of DevSecOps in your CI/CD pipeline and covered ways and tools that can help you implement standard security measures for pipeline security.

Jenkins is getting Old, so what are the alternatives in 2021 ?
https://devopscurry.com/jenkins-is-getting-old-so-what-are-the-alternatives-in-2021/
Thu, 22 Oct 2020 08:43:33 +0000

The post Jenkins is getting Old, so what are the alternatives in 2021 ? appeared first on DevopsCurry.
Why You Should Look For a Jenkins Alternative? Best Alternatives for Jenkins in 2020-21

Jenkins has been a de facto standard tool for CI/CD in the DevOps pipeline for many years now. However, over the last couple of years, it looks like Jenkins is losing its luster and sheen, especially with the world showing rapid adoption of technologies like Docker and Kubernetes.

So is Jenkins going to be a dead and lost tool soon?

Well, it's too early to comment or assume such theories, but as DevOps people we definitely need to keep an eye on the continuous change and continuous evolution of new and better tools in the ecosystem.

Jenkins as a CI tool and common issues

Jenkins is one of the essential CI/CD tools for DevOps professionals. It is one of the most trusted and well-known open-source tools. Jenkins is used for building and testing software projects continuously, which makes it easy for developers to integrate changes in a project. Jenkins is a continuous integration software tool.

However, over the last few years, Jenkins has been losing its shine and reputation. Jenkins enjoys a lot of love and support from the community, and there are many plugins supporting the Jenkins ecosystem.

Of late, a lot of Jenkins plugins have become redundant and are no longer maintained. Also, not all plugins are compatible with the new Declarative style of pipelines. Jenkins is an old tool and was not designed for the new container-age technologies. Jenkins also does not fit well with a microservices kind of architecture.

In general Jenkins as a tool still holds value for following use-cases:

  1. You are using an on-premise solution.
  2. Most of your codebase is hosted in-house.
  3. You have a big team to take care of and manage Jenkins pipelines dedicatedly.
  4. You are tight on budget, and looking for free open-source CI solutions.
  5. You still follow the legacy monolithic approach and are away from microservices, containers, etc.

Why we should look for Jenkins alternatives?

Jenkins is the most popular and widely used CI/CD tool, and an important reason for that is that Jenkins is free.

Now let us look at some of the challenges when using Jenkins:

  1. Jenkins has an old and outdated interface and is not as user-friendly as other tools.
  2. As a regular Jenkins user, it is very common to be challenged and frustrated by missing functionality, a lot of maintenance issues, broken pipelines, Jenkins dependencies and, not to forget, scaling issues.
  3. Also, with the world moving towards AI/ML-based solutions, Jenkins still does not provide analytics for end-to-end metrics.
  4. Jenkins doesn’t allow a developer to readily see the commits made by another team member.
  5. When using Jenkins, a common problem is tracking and accountability of the changes made by the various members of the development team. All the traceability is only at the code level, provided by a source control tool like Git.

Hence we should be on a lookout for other possible Continuous Integration solutions because of these drawbacks of Jenkins.

So we are trying to share some Jenkins alternatives that are definitely worth exploring in 2021.

Here is a list of Jenkins like tools for the developers to give a try in 2021 :

1. Buddy

Buddy is an open-source CI/CD tool. It removes the chores of configuring and managing Jenkins with a smart UI/UX. Buddy makes it easy to build, test and deploy quality software faster (with an average time of 12 seconds).

Features

    • Full Docker & Kubernetes support
    • Supports all programming languages and frameworks.
    • Integrates with AWS, Google Cloud, Azure, DigitalOcean, etc.
    • 15-minute configuration via GUI
    • Offers 46X more frequent deployments compared to workflow with no automation.
    • Offers a customizable & reusable build and test environment.

2. CruiseControl

It’s both a continuous integration tool and an extensible framework for creating a custom continuous build process. CruiseControl is written in Java. It has many plug-ins for a variety of source controls, as well as for build technologies and notification schemes like email and instant messaging.

Features

    • Allows to build multiple projects on a single server.
    • Provides support for remote management.
    • Integration with many source control systems like VSS, CVS, SVN, Git, hg, Perforce, etc.
    • Integration with other external tools like NAnt, NDepend, NUnit, MSBuild, MbUnit, Visual Studio

3. GoCD

GoCD is a free and open-source CI/CD server. It helps organizations easily model and visualize complex workflows. This CI tool allows continuous delivery and offers an intuitive interface for building CD pipelines.

Features

    • Numerous plugins to enhance functionality.
    • Visualize end-to-end workflow in real-time with a value stream map.
    • Keep orderly configurations.
    • Supports parallel and sequential execution.
    • Allows pipeline configurations to be reused.
    • Increases reliability of pushing to production & empower QA teams by offering easy rollback.

4. UrbanCode

It’s a CI/CD application by IBM. UrbanCode offers release management tools to help organizations deliver better software faster. It combines robust visibility, traceability, and auditing features into a single package.

Features

    • Reduce deployment features.
    • Drag-and-Drop automation.
    • Enterprise level security and scalability
    • Increase the frequency of software delivery.
    • Hybrid cloud environment modeling.
    • Creates a reusable lifecycle template to help describe the path of a build.

5. CircleCI

It’s a cloud-native CI tool that oversees the setup, security & maintenance of instances. It is a flexible CI tool that runs in any environment. This tool reduces bugs and improves the quality of the app.

Features

    • Supports multiple languages like C++, JavaScript, .NET, PHP, Python & Ruby.
    • Allows selecting a Build environment.
    • Improve Android & iOS store ratings by shipping bug-free apps.
    • Provides an interactive dashboard with critical insights on the build.
    • Offers automatic upgrades & instance access to feature releases.
    • Optimal caching and parallelism for fast performance.

6. Buildkite

It’s a reliable and cross-platform CI tool. It makes it easy to run automated builds on your infrastructure. Buildkite is an open-source platform for running CI pipelines that are fast, secure & scalable.

Features

    • Treats infrastructure as code with scheduled builds, separate agents.
    • Offers source control integration chat support & doesn’t need source code access.
    • Runs on a wide range of Operating systems.
    • Offers stable infrastructure.
    • It can run code from any version control system.
    • It can integrate with tools like Slack, Campfire & HipChat.

There are many other alternatives to Jenkins which work effectively as well. You can experiment with different tools to improve your work and make it more reliable. Choose the best Jenkins alternative for your team and workflows.
