HEPiX Spring 2024 Workshop

Towards a DevSecOps approach in the CICD pipelines for the INFN Information System apps

16 Apr 2024, 11:35

25m

Amphithéatre Buffon (Laboratoire Astroparticule et Cosmologie (APC) de l'Université Paris-Cité)

Basic and End-User IT Services Basic and end-user IT services

Speaker

Giuseppe Misurelli (INFN)

Description

The INFN Information System project was established in 2001 with the aim of computerizing and standardizing the administrative processes of the Institute and gradually moving towards dematerialization and digitization of documents. During these two decades the aim of the project has been accomplished by a series of web applications (what we call sysinfo apps) serving INFN researchers, technologists as well as administratives and human resource teams for activities like business trips, buying computing facilities, managing the recruitment process, accounting.

Those sysinfo apps are developed by a Development team and operated by a Platform team that manages also the underlying infrastructure as well as all the processes to enable the Development team in their activities. In the last four years both teams have been involved in the re-architecting of those apps towards the so-called microservices architecture. One of the main effort has been put in place to rethink the Continuous Integration and Continuous Delivery/Deployment (CICD) pipelines towards a DevSecOps approach based on three guiding principles:

1. Platform and Development teams must agree on a contract (formalized both at project repository and CICD infrastructure levels) on how to develop, build, test, deliver and deploy software.
2. Platform team is the owner to the governance and security of the CICD pipelines.
3. Introduce shift left testing stages as early as possible in the software development life cycle.

In this presentation we will go through the implementation of the aforementioned guiding principles, describing how we leveraged the GitLab-CI pipeline profiles/templates concept to provide end-to-end CICD workflows applying to well defined project’s structures and languages. Moreover, focusing on the Continuous Deployment side, we will describe the GitOps approach, driven by the ArgoCD tool, to deploy microservices in our Kubernetes clusters.

Finally we will highlight how moving towards this DevSecOps approach allows us to keep a baseline of governance and security with the agile development while dealing with the challenge of migrating, at first, and evolving the INFN sysinfo apps in microservices architecture and container orchestration contexts.

Presentation materials

devsecops-infn-sysinfo-apps-hepix-spring-2024.pdf