DevSecOps Implementation Practice Based on Binary Packages, Liu Yongqiang

Razor

Published 2019/10/19 in the Technology category

Text content
1. DevSecOps
5. DevOps
6. DevOps Story
7. Software tools: TFS / ALM Octane; SonarQube & Fortify; JFrog Xray & BlackDuck & WebInspect & AppScan; Docker / Kubernetes / Openshift; Device42; Jenkins; Ansible / Chef / Puppet; IntelliJ, Eclipse, VS; Gitlab / SVN; SonarQube / Fortify; Jenkins; Artifactory; Gerrit; Junit / TestNG; Jira / Confluence; Visio; Axure; TFS / RTC / Polarion; Jira; Zephyr / TestLink; UFT; AppScan; JFrog Xray; Newman; Jmeter / LoadRunner; Selenium / Appium; TestLink; Kubernetes / Openshift; Zabbix; Spring Cloud; ELK; Spinnaker; Prometheus; Grafana; Istio; Grafana / Hygieia / Artifactory metadata; DialogFlow / Slack / HipChat
8. [Diagram labels: DEV, OPS, SUCCESS]
10. [Diagram labels: Develop, bugfix, test, Tag or Release, VCS Master; commits C-1, C-2, C-3; tags T-1.0, T-2.0; Test Env App-1.0; Prod Env App-1.0]
11. [Diagram labels: Develop, bugfix, test, hotfix, Tag or Release, VCS Master; commits C-1, C-2, C-3, C-4, C-5; tags T-1.0, T-2.0; Test Env App-1.0; Prod Env App-1.0]
12. [Diagram labels: VCS, CI/CD]
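13. PAAS; CI Build, CD Pipeline to SIT; integration testing; test environment black box; CI Build, CD Pipeline to UAT; release approval; release checklist; production environment; production environment black box; Component 1-1.0 (plugin1); Component 1; CI Build, CD Pipeline to Prod; Component 2-2.0; Component 1.0.0; Etc…; Etc…; Component 3-1.0; Component 1.0.0; Component 4-3.0; Deploy plugin1; Project; isolation; manual communication; product; Deploy plugin2; Component 1.1.0; Component 2; Component 1.0.0; isolation; Component 3; Deploy plugin3; Component 2.0.0; Component 2.0.0. Goals: 1. Standardize and reduce pipelines. 2. Make CI/CD transparent to developers.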
15. Dev and DevOps Timeline: SOURCE CONTROL & CI/CD; BUILD/PKG; BINARIES; DEPLOY METHOD; 1990, 2000, 2010, Now; Waterfall, Agile/Scrum, Kanban, DevOps (tools) & NDP
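16. CD: Continuous Deployment; CD: Continuous Delivery. CI/CD: standard deliverables, transparent to developers. Build Stage; Run Stage; base data. 1. From code to the Artifact repository: 1.1 Version control; 1.2 Continuous integration service; 1.3 Artifact repository. 2. From the Artifact repository to a runnable service: 2.1 Environment creation; 2.2 Server automation; 2.3 Code deployment; 2.4 Service monitoring. 3. From the development environment to the production environment: 3.1 Development environment; 3.2 Test environment; 3.3 Pre-production environment; 3.4 Production environment.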
17. Separation of application and configuration: CI __dep1.jar __dep2.jar app.war app.war Dep: dep1.jar Dep: dep1.jar Conf: Conf-tpl.xml Conf: Conf-tpl.xml projectA/test projectA/prod Conf-test.xml Conf-prod.xml CMDB / Config Center db.ip=172.0.0.128 db.ip=202.14.32.231 db.ip=172.0.0.128 Etc… __app.war __dep1.jar __conf-tpl.xml + conf.xml db.ip=202.14.32.231 Etc… __app.war __dep1.jar __conf-prod.xml
18. CI/CD Based on Sources vs. CI/CD Based on Binaries. Labels: ops-less; Per Branch; Per Pipeline and Env; commit or tag; CMDB
19. JFrog K8s CICD
20. JFrog CICD, K8s
21. JFrog CICD. Team A: moduleA.jar, Libs-Snapshot-Repo, Libs-Candidate-Repo, Release-Repo, Latest.Release. App.jar: App-Candidate-Repo, App-Release-Repo. Team z: moduleA.jar, Libs-Snapshot-Repo, Libs-Candidate-Repo, Release-Repo, Latest.Release.
22. JFrog CICD; cycle: weeks, days, hours; app-bundle-1.0, Micro-A-1.0, Micro-B-bundle-2.0, Metadata: app-1.0.qa.test.result = OK; App-pipeline; Micro-A-pipeline; UAT -> Pre-Prod -> Prod; SIT -> UAT -> Pre-Prod -> Prod; Micro-A-bundle-1.0, Front-1.0.tar, Backend-2.0.jar, Metadata: micro-a-1.0.qa.test.result = OK; Backend-A-pipeline; DevOps package management conventions; Release History; Local -> Dev; backend-1.0.jar, Metadata: qa.test.result = OK, qa.code.result = OK, project.revision = ASDASSAC, binary.config.path=backend/dev/1.0, deploy.pre-prod.result=OK
23. Dockerfile (the slide marks "Latest version" four times alongside it):
    FROM ubuntu
    RUN apt-get install -y python-software-properties python
    RUN apt-get install -y nodejs
    RUN mkdir /var/www
    ADD app.js /var/www/app.js
    CMD ["/usr/bin/node", "/var/www/app.js"]
29. DevOps: Artifact MetaData
30. SIT -> UAT -> Pre-Prod -> Prod. Micro-A-bundle-1.0 (Front-1.0.tar, Backend-2.0.jar), Metadata: micro-a-1.0.qa.test.result = OK. backend-1.1.jar, Metadata: qa.test.result = OK, qa.code.result = OK, qa.if-test=true, project.revision = ASDASSAC, binary.config.path=backend/dev/1.0, deploy.pre-prod.result=OK. backend-1.0.jar, Metadata: qa.test.result = error, qa.code.result = OK, project.revision = ASDASSAC, binary.config.path=backend/dev/1.0, deploy.pre-prod.result=OK. frontend-1.1.jar, Metadata: qa.test.result = OK, qa.if-test=true, qa.code.result = OK, project.revision = ASDASSAC, binary.config.path=backend/dev/1.0, deploy.pre-prod.result=OK.
33. https://github.com/Azure/draft.git
34. JFrog Kubernetes
35. JFrog Kubernetes: CI/CD, Kubernetes, Helm Charts
36. DevSecOps
37. DevSecOps [chart values: <0.1%, 0.1%, 18.5%, 3.8%, 51.9%, 25.7%; labels: Linux, Landscape, Node_modules, Node.js, Kubernetes]
38. DevSecOps
39. DevSecOps
40. DevSecOps
41. DevSecOps
42. DevSecOps
43. DevSecOps
44. DevSecOps
46. [Diagram labels: Github v 1.0, github.com, x.jar]
47. DevSecOps
48. DevSecOps Scale Up