Creating a Fully Automated DevSecOps CI/CD Pipeline

Customer Profile

Loves Cloud’s customer is one of the largest business conglomerates in India, with business verticals including telecom, retail and petrochemicals, among others. They started their digital transformation journey by embracing open source tools, cloud computing, agile and DevOps. Alongside this, they also adopted a “shift left” policy for integrating security into their processes.

Goal

During our discussion with the customer's AVP-DevOps, we zeroed in on the following goals:

  1. Integration of Jira with the various tools used across their entire product development life cycle
  2. Remove the manual build and deploy process
  3. Embed security into their DevOps pipeline
  4. Implement an efficient, continuous, automated and secure development and deployment process

Solution

By applying DevSecOps best practices, Loves Cloud implemented an end-to-end secure continuous integration and continuous deployment pipeline for the customer. We took the following steps to achieve these goals:

  1. Implemented DevSecOps in the product development lifecycle
  2. Implemented a Continuous Integration and Continuous Deployment (CI/CD) pipeline with Jenkins
  3. Integrated Jira with GitHub
  4. Integrated Jira with Jenkins
  5. Integrated Jira with SonarQube
  6. Configured Jenkins for Maven
  7. Integrated Jenkins with SonarQube
  8. Integrated Jenkins with Nexus Repository Manager
  9. Integrated Jenkins with Docker
  10. Integrated Jenkins with Clair
  11. Integrated Jenkins with Azure
  12. Implemented build notifications over email and Slack
  13. Integrated Jenkins with Email and Slack
  14. Used Jenkins Pipeline and implemented Groovy code, giving us the flexibility to treat Jenkins as Code/Pipeline as Code (JaaC/PaaC) as well.
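As an added illustration (not the customer's pipeline or Loves Cloud's own code), the steps above expressed as a declarative Jenkinsfile, where the quality gate, the image scan and the test results each block the deploy stage. The registry and Clair hostnames, credential IDs, SonarQube server name, AKS resource names, notification addresses and the clair-scanner invocation are placeholders or assumptions, and the SonarQube Scanner, Slack Notification, Email Extension and Azure Credentials plugins are assumed to be installed.

```groovy
pipeline {
    agent any                                  // declarative pipelines check out SCM automatically
    environment {
        REGISTRY   = 'nexus.example.internal:8083'        // placeholder: Nexus hosted Docker registry
        IMAGE      = "${REGISTRY}/app:${env.BUILD_NUMBER}"
        CLAIR_ADDR = 'http://clair.example.internal:6060' // placeholder: Clair API endpoint
    }
    stages {
        stage('Build & Unit Test') {
            steps { sh 'mvn -B clean verify' }            // JUnit tests run in Maven's test phase
            post { always { junit 'target/surefire-reports/*.xml' } }  // failed tests mark the build unstable
        }
        stage('Static Analysis') {
            steps {
                withSonarQubeEnv('sonarqube') { sh 'mvn -B sonar:sonar' } // server name as configured in Jenkins
                timeout(time: 10, unit: 'MINUTES') { waitForQualityGate abortPipeline: true } // gate fails the build
            }
        }
        stage('Docker Build & Push') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'nexus-docker', usernameVariable: 'U', passwordVariable: 'P')]) {
                    sh 'docker build -t "$IMAGE" .'
                    sh 'echo "$P" | docker login "$REGISTRY" -u "$U" --password-stdin && docker push "$IMAGE"'
                }
            }
        }
        stage('Image Scan (Clair)') {
            // Assumption: clair-scanner CLI on the agent; it exits non-zero when findings reach the threshold
            steps { sh 'clair-scanner --clair="$CLAIR_ADDR" --ip="$(hostname -i)" --threshold=High "$IMAGE"' }
        }
        stage('Deploy to AKS') {
            when { branch 'main' }                        // only mainline builds reach the cluster
            steps {
                withCredentials([azureServicePrincipal('azure-sp')]) { // Azure Credentials plugin binding
                    sh 'az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" -t "$AZURE_TENANT_ID"'
                    sh 'az aks get-credentials --resource-group rg-app --name aks-app --overwrite-existing'
                    sh 'kubectl set image deployment/app app="$IMAGE" && kubectl rollout status deployment/app --timeout=120s'
                }
            }
        }
    }
    post {
        success { slackSend color: 'good', message: "SUCCESS ${env.JOB_NAME} #${env.BUILD_NUMBER} ${env.BUILD_URL}" }
        failure {
            slackSend color: 'danger', message: "FAILED ${env.JOB_NAME} #${env.BUILD_NUMBER} ${env.BUILD_URL}"
            emailext subject: "Build failed: ${env.JOB_NAME} #${env.BUILD_NUMBER}", body: "${env.BUILD_URL}", to: 'dev-team@example.com'
        }
    }
}
```

Because each stage fails the build on its own signal (test failure, quality gate, scan threshold), a commit that breaks any of them never reaches the AKS deploy stage, which is the behaviour the results section describes.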

Tech Stack

This solution used the following tools, platforms and services:

  1. Azure - public cloud platform. The following services are prominently used:
    • Virtual Machine: for hosting Jenkins, SonarQube and Sonatype Nexus Repository Manager
    • Azure Kubernetes Service (AKS): for creating the Kubernetes cluster
  2. GitHub - for source code management
  3. Maven - for building the Java application
  4. JUnit - for unit test cases
  5. Jira - for implementing the end-to-end project workflow
  6. Jenkins - open source continuous integration tool, used for creating the CI/CD pipeline
  7. SonarQube - for static code analysis
  8. Docker - for containerizing the application
  9. Sonatype Nexus Repository Manager - for storing Docker images
  10. Clair - for vulnerability scanning of Docker images
  11. Scripting language - Groovy

Solution Architecture


Results

The following are some of the direct and major results of implementing DevSecOps:

  1. Exponential reduction in deployment time
  2. The entire commit-to-deployment cycle completes in a couple of minutes
  3. Multiple stable deployments achieved on any given day
  4. Predictable deployments: if tests fail, nothing gets deployed
  5. GitHub branches can be created from Jira
  6. Commits in GitHub can be viewed in Jira
  7. Pull requests in GitHub can be created from Jira
  8. Jenkins build status can be viewed in Jira
  9. SonarQube analysis reports can be viewed in Jira
  10. Clair Docker image scanning reports, with the vulnerabilities found, can be viewed
  11. Testing is included in the CI workflow to ensure the stability of each build.
  12. Slack integration notifies everybody of successful and broken builds.
  13. Improved developer productivity due to continuous integration and timely failure notifications.
  14. The development team receives notifications when a build passes, or when it fails and cannot be deployed.