Loves Cloud’s customer is one of the largest business conglomerates in India, with business verticals including telecom, retail and petrochemicals, among others. They started their digital transformation journey by embracing open source tools, cloud computing, agile and DevOps. Alongside, they also focused on a “shift left” policy for integrating security into their processes.
During our discussion with the customer's AVP-DevOps, we zeroed in on the following goals:
- Integrate Jira with the various tools used across their entire product development life cycle
- Remove the manual build and deploy process
- Embed security into their DevOps pipeline
- Implement an efficient, continuous, automated and secure development and deployment process
By using DevSecOps best practices, Loves Cloud implemented an end-to-end secure continuous integration and continuous deployment pipeline for our customer. We took the following steps to achieve our goals:
- Implemented DevSecOps in Product Development Lifecycle
- Implemented Continuous Integration and Continuous Deployment (CI/CD) pipeline with Jenkins
- Integrated Jira with GitHub
- Integrated Jira with Jenkins
- Integrated Jira with SonarQube
- Configured Jenkins for Maven
- Integrated Jenkins with SonarQube
- Integrated Jenkins with Nexus Repository Manager
- Integrated Jenkins with Docker
- Integrated Jenkins with Clair
- Integrated Jenkins with Azure
- Implemented build notifications by email and Slack
- Integrated Jenkins with Email and Slack
- Used Jenkins Pipeline with Groovy code, giving us the flexibility of Jenkins as Code/Pipeline as Code (JaaC/PaaC) as well.
This solution used the following tools, platforms and services:
- Azure: public cloud platform. The following services are prominently used:
  - Virtual Machine: for hosting Jenkins, SonarQube and Sonatype Nexus Repository Manager
  - Azure Kubernetes Service (AKS): for creating the Kubernetes cluster
- GitHub: for source code management
- Maven: for building the Java application
- JUnit: for unit test cases
- Jira: for implementing the end-to-end project workflow
- Jenkins: open source continuous integration tool, used for creating the CI/CD pipeline
- SonarQube: for static code analysis
- Docker: for containerizing the application
- Sonatype Nexus Repository Manager: for storing Docker images
- Clair: for vulnerability scanning of Docker images
- Scripting language: Groovy
The following are some of the direct and major results of implementing DevSecOps:
- Exponential reduction in deployment time
- The entire commit-to-deployment cycle completes in a couple of minutes
- Achieved multiple stable deployments on any given day
- Predictable deployments; if tests are failing, nothing gets deployed
- GitHub Branch Creation from Jira
- Commits in GitHub can be viewed in Jira
- Pull Request in GitHub can be created from Jira
- Jenkins Build Status can be viewed in Jira
- SonarQube Analysis Report can be viewed in Jira
- Clair Docker image scanning reports with vulnerabilities can be viewed
- Testing included in CI workflow to ensure the stability of each build.
- Slack integration notifies everybody of successful and broken builds.
- Improved developer productivity due to continuous integration and timely failure notifications.
- The development team gets notifications when a build passes or fails and cannot be deployed.