
DevOps D-Day: Innovation and Perspectives in DevSecOps


December 20, 2023

DEVOPS D-DAY 2023, a flagship event in the DevOps field, marked a turning point with the participation of 1,200 IT professionals, 20 partners, 35 sessions, and 40 speakers. This eighth edition, held at the Orange Vélodrome, served as a platform for discussion and discovery of the latest advances in DevOps, cloud computing, and open source technologies.


 

Tristan Nitot: A Critical Reconsideration of Moore's Law

Tristan Nitot, renowned for his major contributions to projects such as Mozilla and Cozy Cloud, offered a unique perspective, combining technology and sustainability in his keynote speech. His active commitment to combating climate change and his varied professional background served as the foundation for his presentation.

IT performance review

Nitot questioned Moore's Law, a historic paradigm centered on the doubling of processor capacity every two years. He emphasized the urgency of revising this standard in light of current environmental challenges.

In an innovative move, Nitot introduced the concept of eroom, advocating for improvements in software efficiency rather than simply increasing hardware power. This approach aims to double software efficiency every year, marking a radical departure from the traditional Moore's Law.

Pragmatic approaches and concrete measures

He emphasized the importance of reducing the carbon footprint in the IT sector. He compared the carbon footprint of servers, cars, and airplanes, illustrating the substantial impact of the IT industry on the environment.

When discussing data centers, he emphasized improving their PUE (Power Usage Effectiveness). He cited examples where PUE has been reduced from 2.4 to 1.2, resulting in a significant decrease in energy consumption and, consequently, environmental impact.

Tristan Nitot recommended tangible actions such as repairing existing IT equipment, rigorously assessing carbon footprints, and adopting eco-responsible behaviors. He encouraged participation in workshops on climate and digital issues and highlighted the importance of raising awareness through podcasts and specialized training courses.

This conference served as a catalyst for a profound reassessment of technological practices in the IT sector. By focusing on pragmatic actions and changes in development and operational methodologies, Nitot charts a course toward a future where DevSecOps transcends technical performance to fully embrace environmental responsibility. This innovative vision offers DevSecOps professionals an opportunity to align technological goals with sustainable practices, paving the way for a greener and more viable future for the IT industry.

 

Development of a SecNumCloud-ready PaaS solution by Cloud Temple

In a fascinating presentation, Alexandru Lata from Cloud Temple explored the complex process of developing a SecNumCloud-ready PaaS solution. This session revealed the challenges and crucial steps involved in creating a PaaS offering that aligns with contemporary security and performance standards.

Taking up the SecNumCloud challenge

The workshop began with an analysis of market demand for SecNumCloud-certified PaaS offerings. Lata highlighted a significant gap in the current offering of SecNumCloud-qualified PaaS, emphasizing the crucial importance of this project in meeting security and digital sovereignty requirements.

Close collaboration with DINUM (Direction Interministérielle du NUMérique) and DGE was essential to align the offering with national security standards, similar to ISO 27001. It took three years to complete this project, demonstrating the commitment and complexity of this undertaking.

The Cloud Temple team chose OpenShift as its cloud-native platform, guided by the imperative to provide high-performance, secure digital services. The hardware and software architecture was meticulously designed to meet the criteria of the SecNumCloud reference framework.

The implementation of this offering involved several phases, including the selection of appropriate technologies for the deployment and management of customer clusters, and the integration of threat modeling techniques such as STRIDE. A target availability of 99.99% underscored the importance of the solution's reliability.

An internal monitoring system, using tools such as VictoriaMetrics and Elastic for log management, has been developed for effective, real-time system monitoring.

 

Audit and qualification process

Preparation for the SecNumCloud qualification audit required an in-depth risk analysis and the establishment of rigorous controls. The internal audit and PASSI played a decisive role in identifying and rectifying potential weaknesses.

Cloud Temple's DevSecOps approach, focused on the concept of "shift left security," emphasized the importance of integrating security from the very beginning of the development process. The use of Security Champions, pair programming, and automation strengthened both the security and efficiency of the solution.

The project's results were extremely positive, with customer feedback highlighting significant improvements in terms of performance and security. Cloud Temple's SecNumCloud-ready PaaS platform has established itself as a viable and competitive solution, successfully meeting rigorous security and digital sovereignty requirements.

Alexandru Lata's workshop provided a clear overview of the challenges and difficulties involved in developing a SecNumCloud-ready PaaS offering. This successful project embodies the importance of innovation, cross-sector collaboration, and commitment to security and performance in the evolving field of DevOps. For DevSecOps experts, this case study represents an exemplary model for designing solutions that comply with the most stringent security standards while meeting contemporary business and technical needs.

 

MIOM's Open-Source DevSecOps Platform

DEVOPS D-DAY 2023 featured a remarkable presentation on the Ministry of the Interior's (MIOM) open-source DevSecOps platform, led by Thibault Colin, Lead Developer at the Ministry, and Akram Blouza from WeScale, who together bring a wealth of experience in various technical environments. This initiative represents a turning point in the French government's digital transformation, illustrating the importance of open-source and cross-sector collaboration.

The vision and expertise behind the platform

Thibault Colin, with six years of experience in the public sector, sees open source as key to effective cooperation between the public sector and digital industry players. His commitment to the public interest is reflected in his approach to development. Akram Blouza, meanwhile, brings more than fifteen years of experience in managing industrial-scale IT programs, contributing to the sharing of technical knowledge and the advancement of the community.

Transformation and innovation at the heart of the platform

The "Cloud Pi Native" platform, developed in collaboration with the Ministry of the Interior, offers cutting-edge digital services on an automated and sovereign cloud. Based on RedHat OpenShift and Kubernetes, it aims to improve the quality of services in the public sector. The open-source nature of the platform is strategic, ensuring security, transparency, and interconnection with state environments, while reducing organizational friction.

The platform ecosystem consists of tools such as Gitlab, Harbor, ArgoCD, Nexus OSS, and Trivy, which support a proactive (shift left) security approach in the DevSecOps toolchain. This approach reinforces the commitment to environmental responsibility and collaborative innovation.

Prospects for growth and expansion

MIOM plans to expand the platform's service catalog, introduce white label capabilities on the user interface, and ensure full compatibility with Kubernetes. Integrating MLOps capabilities and resilience are also key goals for the future.

The presentation of this open-source DevSecOps platform highlighted the positive impact of open-source and collaboration in modernizing digital services in the public sector. This initiative marks an important step in the French government's digital transformation, affirming a strong commitment to security, transparency, and innovation.

 

Advanced Software Supply Chain Security: Perspectives from JFrog

Hamza Zaoui from JFrog led an essential conference focused on securing dependencies in the software supply chain. With fifteen years of experience in software industrialization, Zaoui shared key strategies for strengthening and optimizing the software supply chain in the face of current challenges.

Security challenges in the software supply chain

Zaoui emphasized that application dependencies have become significant attack vectors, making it more complex to secure software supply chains. He stressed the critical importance of understanding and managing these risks to maintain the security and efficiency of the software development process.

Five key strategies for effective management

  • Establishing governance and standards: It was recommended that robust governance and clear rules be put in place to manage the application portfolio. This process includes classifying applications and assessing the impact of policies on individual projects.
  • Prioritizing security by design: The "Shift Left" approach to security, advocated by Zaoui, involves integrating security from the earliest stages of development. This includes creating versioned stacks, providing templates, and installing firewalls to filter malicious requests and packets.
  • Secure developer integration: Effective integration of developers into security processes is vital. Zaoui discussed contextual analysis in the IDE and aligning security policies with developer practices, also emphasizing the importance of clearly communicating remediation standards.
  • Publication-oriented strategy: Issuing a Software Bill of Materials (SBOM) throughout the development pipeline is essential. This strategy facilitates dependency tracking and reduces heavy reliance on public repositories, thereby enhancing security and transparency.
  • Continuous monitoring and risk assessment: Continuous monitoring is essential to respond quickly to emerging vulnerabilities (CVEs) and to assess the impact of governance policies. This proactive approach to risk management is based on a detailed analysis of impact and security.
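
An added example (not from the talk or from JFrog) of how the SBOM and continuous-monitoring strategies above can be checked in a pipeline: it reads a CycloneDX-style SBOM, flags components that were not pulled through an approved internal repository, and matches component versions against an advisory feed. The SBOM, host names, package names and advisory identifier are all constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumption: all dependencies are expected to come through this internal proxy.
ALLOWED_HOSTS = {"artifacts.internal.example"}

# Constructed CycloneDX-style SBOM, trimmed to the fields this check reads.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "acme-http", "version": "2.4.1",
   "purl": "pkg:pypi/acme-http@2.4.1",
   "externalReferences": [{"type": "distribution",
     "url": "https://artifacts.internal.example/pypi/acme-http/2.4.1"}]},
  {"type": "library", "name": "acme-yaml", "version": "1.0.3",
   "purl": "pkg:npm/acme-yaml@1.0.3",
   "externalReferences": [{"type": "distribution",
     "url": "https://registry.public.example/acme-yaml/-/acme-yaml-1.0.3.tgz"}]},
  {"type": "library", "name": "acme-log", "version": "0.9.0",
   "purl": "pkg:pypi/acme-log@0.9.0"}
]}
"""

# Constructed advisory feed; the identifier is a placeholder, not a real CVE.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-0001", "package": "pkg:npm/acme-yaml",
     "affected": {"1.0.3", "1.0.4"}},
]


def load_components(sbom_text):
    """Parse the SBOM and return its component list, rejecting other formats."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON document")
    return bom.get("components", [])


def distribution_hosts(component):
    """Hosts named in the component's 'distribution' external references."""
    hosts = set()
    for ref in component.get("externalReferences", []):
        if ref.get("type") == "distribution":
            host = urlparse(ref.get("url", "")).hostname
            if host:
                hosts.add(host)
    return hosts


def package_key(purl):
    """Drop subpath, qualifiers and version from a package URL."""
    return purl.split("#")[0].split("?")[0].rsplit("@", 1)[0]


def audit(sbom_text, advisories=ADVISORIES, allowed_hosts=ALLOWED_HOSTS):
    """Return (component, finding, detail) tuples for origin and advisory hits."""
    findings = []
    for comp in load_components(sbom_text):
        label = f"{comp.get('name')}@{comp.get('version')}"
        hosts = distribution_hosts(comp)
        if not hosts:
            # No recorded source: the origin cannot be verified from the SBOM.
            findings.append((label, "unknown-origin", "no distribution reference"))
        elif hosts - allowed_hosts:
            outside = ",".join(sorted(hosts - allowed_hosts))
            findings.append((label, "public-source", outside))
        key = package_key(comp.get("purl", ""))
        for adv in advisories:
            if adv["package"] == key and comp.get("version") in adv["affected"]:
                findings.append((label, "vulnerable", adv["id"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SBOM_JSON):
        print(*finding, sep="\t")
```

Re-running the same audit against stored SBOMs whenever the advisory feed changes is what turns the SBOM into a monitoring input rather than a build-time artifact.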

The presentation by Hamza Zaoui of JFrog at DEVOPS D-DAY 2023 provided fundamental insights into securing the software supply chain. Adopting these five strategies not only strengthens security, but also improves agility and efficiency in software development. This comprehensive approach highlights the importance of proactive prevention and risk management tailored to the realities of modern DevSecOps.

 

CI/CD Transformation at Bedrock: Moving to GitHub Actions for Greater Flexibility

Timothée Aufort and Jean-Yves Camier presented their journey from an obsolete CI/CD infrastructure to GitHub Actions for a team of 280 developers. Their presentation detailed the challenges encountered and the strategies implemented to revitalize Bedrock's CI/CD pipeline.

Context and initial challenges

Faced with a Jenkins DevFactory that had become too restrictive, the Bedrock team opted to migrate to GitHub Actions. This change was intended to rejuvenate the existing infrastructure and resolve a significant portion of the technical debt accumulated by the company.

The ambition was to position the team as a more dynamic and efficient service provider, capable of supporting rapid growth and adapting to the changing requirements of development teams.

Migration process

The migration was characterized by rigorous planning and careful implementation, with a constant focus on minimizing disruption for developers. Close collaboration facilitated the transition to the new GitHub Actions environment.

Technical Innovations Adopted: 

  • Docker Buildx Bake: Used to optimize multi-step builds, improving efficiency and shortening build times.
  • Helmfile and Go Templates: Used to deploy a series of Helm charts, leveraging Go templates for increased flexibility.
  • Secret Management: Implementation of SOPS (Secrets OPerationS) for file encryption, in conjunction with AWS KMS and HashiCorp Vault, increasing the security of sensitive data.
  • Renovate and Checkmarx KICS: Integrated for dependency management and SAST analysis.
  • Release Management with release-please: Adopted to structure and automate the release management process.
  • Gitleaks: Used for preventive detection of secrets in code.

Bedrock Streaming's transition to GitHub Actions marked a turning point in their DevOps evolution. By adopting cutting-edge technologies and methods, the team not only overcame technical challenges but also laid the foundation for a solid future. This shift to a more flexible and secure CI/CD infrastructure ideally positions Bedrock to meet the growing needs and specific challenges of the streaming industry. Their experience provides a valuable case study for other entities considering modernizing their CI/CD processes, highlighting the critical importance of planning, collaboration, and technological innovation.

 

The Evolution of the CI/CD Experience: Turning Challenges into Opportunities

Frédéric Leger, DevOps/SRE specialist, shared his in-depth expertise in a talk entitled "Level up your CI experience: Navigating beyond frustration when implementing CI/CD pipelines." This session focused on the difficulties commonly encountered when implementing CI/CD pipelines and presented innovative solutions to optimize the developer experience.

Current challenges facing CI/CD

Frédéric explained how current CI/CD procedures can often cause frustration among developers, citing unnecessary back-and-forth communication, insufficient constructive feedback, and the inherent complexity of YAML files. He highlighted that these issues not only result in wasted time and financial resources, but also negatively impact the overall developer experience.

The lack of standardization in CI/CD tools was also highlighted, leading to increased dependence on proprietary technologies and solutions that are not very flexible.

CI eXperience (CIX)

The concept of CIX (CI Experience) was presented, aiming to apply developer experience principles, such as Environments as a Service via an IDP (Internal Developer Platform), to CI. He recommended the use of hooks and pre-commit for faster and more efficient integrations, aiming to lighten the workload of developers in CI.

The use of containers in CI is also highly recommended, allowing for increased flexibility and portability of applications, libraries, and middleware. CI templates, available on GitLab and the GitHub Actions marketplace, offer pre-built solutions to streamline the CI/CD process.

To overcome portability issues, Frédéric suggested using solutions such as Drone CI and Kubernetes with CRDs (Custom Resource Definitions), which allow CI to be simulated locally and ensure broad compatibility.

Innovative tools such as Dagger, Werf, and Earthly were cited as promising solutions for increasing CI/CD flexibility and efficiency. Dagger, for example, offers portable, multilingual CI with the creation of reusable modules. Werf complies with CNCF standards and focuses on Kubernetes workflows, while Earthly provides a framework for reproducible builds.

Frédéric Leger's presentation highlighted innovative techniques and tools that can transform CI/CD challenges into an enriching experience for developers. By adopting these methods, organizations can not only accelerate and simplify their CI/CD processes, but also significantly improve the satisfaction and efficiency of their development teams. This comprehensive approach is crucial for successfully navigating the ever-changing field of DevOps.

 

CI/CD renewal thanks to InnerSource

Sébastien Longo from Klanik and Aurelien Coget from R2DEVOPS shared their innovative journey in adopting InnerSource to address the challenges of CI/CD pipelines. Their talk, entitled "CI/CD is no longer my problem! InnerSource is our friend," highlighted the transformation brought about in CI/CD process management thanks to this method. Sébastien Longo described the growing complexity of CI/CD pipeline management. Faced with the need to constantly create and update templates, as well as manage heterogeneous configurations, Longo found himself spending a lot of time and resources on this task.

The InnerSource strategy

Sébastien recounted his journey toward integrating InnerSource, an approach that promotes developer autonomy in creating and maintaining their own CI/CD pipelines. The use of standardized CI/CD libraries was key to simplifying and streamlining the development of these pipelines.

Aurelien Coget also emphasized the importance of restructuring CI/CD templates in a monorepo system, thereby enabling the unification of build and deployment methods. This standardization has greatly facilitated pipeline management and automation, resulting in greater efficiency and responsiveness in DevOps projects.

The R2Devops platform, with its advanced tools and features, has been designed to integrate seamlessly into an InnerSource environment, promoting closer collaboration and greater agility within development teams. 

One of the persistent challenges was tracking template adoption and ensuring automatic updates in application pipelines. To remedy this, a CI pipeline monitoring dashboard was implemented, stimulating communication and collaboration between teams. Using this solution helped ensure governance. The adoption of InnerSource improved technical debt management and streamlined the application pipeline creation process. It also promoted greater sharing of knowledge and resources within the company.

This experience proved the effectiveness of InnerSource in resolving CI/CD issues. By giving developers more responsibility and standardizing procedures, Klanik was able to overcome obstacles, thereby improving its operational efficiency and team synergy. This approach offers valuable lessons for other organizations facing similar challenges in their CI/CD processes.

 

GitOps in Operations: Redefining Application Deployment

Alexandre Gomez, SRE apprentice at Comwatt and DevOps engineering student at Polytechnicien Montpellier, took the floor to present an educational session on the application of GitOps in operations. Entitled "Deploying your application with the GitOps philosophy," this conference highlighted the methods and advantages of GitOps in the context of application deployment.

The GitOps philosophy

In his presentation, Gomez introduced GitOps as a revolutionary strategy for orchestrating and managing application deployments. Using the example of Nicolas, a developer who designed a multiservice application, Gomez demonstrated the effectiveness of GitOps in simplifying deployment, using Git as a central repository for infrastructure configuration and management.

Gomez highlighted the key benefits of GitOps: increased transparency, improved deployment efficiency, and systematic management of configuration changes.

Deployment Process with GitOps

Creating Infrastructure as Code: Gomez emphasized the vital importance of Infrastructure as Code (IaC), using Terraform to create and manage reusable modules. The use of Kubernetes for role and namespace management was also discussed, highlighting its role in facilitating resource management and infrastructure segmentation.

Secret management: Secret management, a crucial element in deploying secure applications, was discussed. Gomez explained the effective use of tools such as HashiCorp Vault for secret management tailored to the GitOps context.

Push and Pull Approaches: An important distinction was made between push approaches, using CI/CD pipelines via GitLab, and pull approaches, involving tools such as ArgoCD and Flux. Gomez highlighted the advantage of the pull approach, where servers retrieve the latest configurations from Git, ensuring finer control and increased security.

Gomez's presentation illustrated how GitOps can revolutionize application deployment, making the process more controllable, secure, and efficient. The emphasis on Git as the central source of truth, coupled with the use of modern IaC tools and secret management solutions, positions GitOps as a must-have practice for DevOps teams looking to optimize their operations. This approach not only simplifies the management of complex environments but also ensures traceability and consistency across all actions, closely aligning operations with development best practices.

 

Conclusion: DEVOPS D-DAY 2023, a reflection of the evolution of DevOps

DEVOPS D-DAY 2023 proved to be a mosaic of innovative ideas, concepts, and practices that are shaping the future of DevOps. The event brilliantly wove together various themes, demonstrating the ongoing adaptability and growth of the DevOps ecosystem.

The transition from Tristan Nitot's questioning of Moore's Law to Alexandre Gomez's advanced practice of GitOps highlighted the rapid pace of technological and methodological evolution in the field of DevOps. This progression, marked by an emphasis on software optimization and automation, as demonstrated by Bedrock Streaming's experience with CI/CD, points to a general trend toward continuous improvement and efficiency in the information technology sector.

JFrog's sessions, focused on security challenges in the software supply chain, resonated with advances in CI/CD and GitOps, where proactive security integration has become a recurring theme. This synergy between security and agility was reinforced by the InnerSource approach, which, in line with the collaborative and open initiative of MIOM's "Cloud Pi Native" platform, emphasized the importance of knowledge sharing and cooperation for the development of effective and secure solutions.

Each presentation at DEVOPS D-DAY 2023 represented a facet of the constant transition and transformation in the world of DevOps and IT security. These discussions not only reflected current trends, but also paved the way for future advances.

 

Outlook for the future

Despite the brilliance of the innovations and ideas presented at DEVOPS D-DAY 2023, there was sometimes a lack of technical depth and expertise that had characterized previous editions. Nevertheless, the overall level was satisfactory, with sessions covering a wide range of relevant topics. The presentations were accessible and offered a comprehensive introduction to the various aspects of DevOps, which proved beneficial for participants unfamiliar with the field.

In conclusion, the 2023 edition provided a solid and accessible foundation for exploring the vast universe of DevOps. Expectations are high for next year's edition, with content more focused on expertise and technical innovation.

 

Lionel GAIROARD

DevSecOps Practice Leader

 