Streamlining DevSecOps with Canary and Parallel Deployments on GCP

In today's fast-paced software development landscape, DevSecOps principles have become increasingly crucial for organizations to deliver secure, high-quality applications rapidly. Google Cloud Platform (GCP) offers a robust set of services and tools that enable seamless implementation of DevSecOps practices, including advanced deployment strategies like Canary and Parallel Deployments.

Services and Tools Used:

Cloud Source Repositories: a cloud-based source code management service from GCP. It provides private, access-controlled Git repositories to store and version the source code of our projects. Disadvantage: no pull request / merge request (PR/MR) workflow, so code review has to happen elsewhere;

Cloud Build: GCP's continuous integration (CI) service. It lets us build, test, analyze and deploy applications on GCP using build and deployment workflows (a cloudbuild.yaml file) that we configure to our needs.

Cloud Build Trigger: an event trigger that automatically starts a build in Cloud Build in response to a specific event, such as a push to a branch or tag in a source repository, or (through a Pub/Sub trigger) a new container image pushed to a registry.

Artifact Registry: GCP's package storage service. It lets developers store, manage and distribute packages such as Maven/JAR artifacts, Python packages and container images in private repositories protected by IAM.

IAM: Identity and Access Management, used to grant roles and permissions; in this setup it matters most for scoping the service accounts that Cloud Build and Cloud Deploy run as to the least privilege they need.

Container Scanning API: analyzes container images stored in a private Artifact Registry repository to identify known security vulnerabilities. Images are scanned when they are pushed and re-evaluated as new vulnerability data is published, so known vulnerabilities in the packages, libraries and dependencies inside the image are detected without a rebuild.

Container Analysis API: the GCP service that stores and serves the metadata (notes and occurrences) produced for images in Artifact Registry or Container Registry: scan results, and also the attestations that Binary Authorization checks.

Binary Authorization: a GCP service that enforces deploy-time policy on GKE, admitting only container images that carry the attestations the policy requires (for example an attestation signed after a clean scan) or that match an explicit allowlist;

Google Kubernetes Engine (GKE): Google Cloud's managed Kubernetes service. It lets you deploy, manage, scale and orchestrate containers on GCP.

Backup for GKE: a backup service for Kubernetes clusters running on GKE, allowing users to protect their applications from data loss and simplify migration between clusters.

Cloud Deploy: a managed continuous delivery (CD) service that promotes a release through a delivery pipeline of targets (for example dev, staging, prod), with support for canary strategies, manual approvals and deploying one release to several targets in parallel.

Cloud Functions: serverless platform for running code on demand. Example: a Node.js function that sends notification emails;

Cloud Storage: Object storage service to store and manage files.

Operations Suite: GCP's logging and monitoring toolset (Cloud Logging and Cloud Monitoring) for managing logs and alerts. Alongside it, Pub/Sub receives the events published by Cloud Deploy (notifications, approval requests, canary phase progress), and a Cloud Function subscribed to those topics sends notification emails to the relevant teams;
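The notification path described above, written out as an added example (in Python rather than the Node.js the post uses; this is not the author's code): a Pub/Sub-triggered Cloud Function that turns Cloud Deploy events into routed e-mails. Cloud Deploy publishes to the clouddeploy-approvals and clouddeploy-operations topics and carries the event in Pub/Sub message attributes; the attribute names used here (Action, ResourceType, ReleaseId, RolloutId, TargetId, PhaseId) and the context.resource shape are assumptions to check against a real invocation, and the recipient addresses and the in-memory outbox standing in for a mail client are constructed.

```python
"""Added example: route Cloud Deploy Pub/Sub events to e-mail notifications.

Assumptions (not from the original post): attribute names follow the Cloud
Deploy notification topics as understood here; ROUTES addresses are made up;
send_email() appends to an in-memory OUTBOX instead of calling a mail API.
"""
import base64
import json
from typing import Optional

# Who gets what. Approvals go to release managers, progress to the dev team,
# failures to on-call. Constructed addresses for the example.
ROUTES = {
    "approvers": ["release-managers@example.com"],
    "devs": ["dev-team@example.com"],
    "oncall": ["oncall@example.com"],
}

OUTBOX = []  # stands in for the SMTP/SendGrid client in a real function


def classify(topic: str, attrs: dict) -> Optional[str]:
    """Map a message's topic and attributes to a recipient group.

    Returns None for events nobody asked to be mailed about, so the
    function stays quiet on the noisy Start events."""
    action = attrs.get("Action", "")
    if topic.endswith("clouddeploy-approvals"):
        # "Required": a target with require_approval is waiting for a human.
        # "Approved"/"Rejected": tell the developers what happened.
        return "approvers" if action == "Required" else "devs"
    if topic.endswith("clouddeploy-operations"):
        if action == "Failure":
            return "oncall"
        if action == "Succeed" and attrs.get("ResourceType") in ("Phase", "Rollout"):
            return "devs"  # canary phase (canary-25, canary-50, stable) or rollout done
    return None


def build_notification(topic: str, attrs: dict) -> Optional[dict]:
    """Build {"to", "subject", "body"} for a Cloud Deploy event, or None."""
    group = classify(topic, attrs)
    if group is None:
        return None
    release = attrs.get("ReleaseId", "?")
    rollout = attrs.get("RolloutId", "?")
    target = attrs.get("TargetId", "?")
    phase = attrs.get("PhaseId")  # assumed attribute; present on phase events
    if group == "approvers":
        subject = f"Approval required: release {release} -> {target}"
    elif group == "oncall":
        subject = f"Rollout FAILED: {rollout} on {target}"
    elif phase:
        subject = f"Canary phase {phase} succeeded: {rollout} on {target}"
    else:
        subject = f"Rollout update: {attrs.get('Action', '?')} {rollout} on {target}"
    body = "\n".join(f"{k}: {v}" for k, v in sorted(attrs.items()))
    return {"to": ROUTES[group], "subject": subject, "body": body}


def send_email(note: dict) -> None:
    OUTBOX.append(note)


def handler(event: dict, context) -> Optional[dict]:
    """Cloud Functions (1st gen) Pub/Sub entry point.

    event = {"data": <base64>, "attributes": {...}}. The topic name is read
    from context.resource (assumed to be a dict with a "name" key)."""
    resource = getattr(context, "resource", "")
    topic = resource["name"] if isinstance(resource, dict) else str(resource)
    attrs = dict(event.get("attributes") or {})
    if event.get("data"):
        # If a JSON body is present, merge it without overriding attributes.
        payload = json.loads(base64.b64decode(event["data"]).decode())
        for key, value in payload.items():
            attrs.setdefault(key, value)
    note = build_notification(topic, attrs)
    if note:
        send_email(note)
    return note


if __name__ == "__main__":
    # Constructed sample: a prod target waiting for approval.
    sample_attrs = {"Action": "Required", "ReleaseId": "rel-42",
                    "RolloutId": "rel-42-to-prod-0001", "TargetId": "prod"}
    print(build_notification("projects/p/topics/clouddeploy-approvals", sample_attrs))
```

Subscribe one function to both topics (or deploy it twice, once per topic); everything that returns None is acknowledged and dropped, which is what keeps approvers from being paged about every phase start.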

Static IP Address: a reserved, persistent external IP address assigned to a GCP resource that must be reachable from the Internet at a fixed address, typically a VM instance, a load balancer or a VPN gateway. Example: we reserve one for the load balancer in each of our environments;

Google Cloud Load Balancing: a managed load distribution service for network traffic. Example: lets external applications reach our service through a fixed external static IP address;

Pub/Sub: GCP's asynchronous messaging service. Applications communicate by publishing messages to topics and subscribing to them, so producers and consumers are decoupled.

Cloud KMS (Key Management Service): GCP's key management service for creating, storing, managing and using cryptographic keys. Example: the asymmetric signing key of our Binary Authorization attestor lives in KMS; the CI pipeline signs an attestation for each image that passed scanning, and Binary Authorization verifies that signature against the attestor's public key before the image is admitted to the cluster;
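The scan-then-attest chain described by the Container Scanning, Container Analysis, Binary Authorization and KMS entries above, as an added example that is not the post's own code: a Cloud Build step that reads the vulnerability occurrences Container Analysis holds for an image, applies a policy, and, if the image passes, prepares the Binary Authorization signature payload that is then signed with the KMS key. The occurrence fields used (kind, noteName, vulnerability.effectiveSeverity, vulnerability.fixAvailable) are the Container Analysis v1 ones; the sample occurrences, image name, digest and the severity thresholds are constructed, and the note names are placeholders rather than real CVE identifiers.

```python
"""Added example: vulnerability gate + Binary Authorization attestation payload.

Not from the original post. Assumes Container Analysis v1 occurrence JSON
(as returned by occurrences.list with filter kind="VULNERABILITY") and the
payload format that `gcloud container binauthz create-signature-payload`
produces. Sample data below is constructed; note names are placeholders.
"""
import hashlib
import json

SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: what a scan might return for one image. Placeholder IDs.
SAMPLE_OCCURRENCES = [
    {"kind": "DISCOVERY", "noteName": "projects/goog-analysis/notes/PACKAGE_VULNERABILITY",
     "discovery": {"analysisStatus": "FINISHED_SUCCESS"}},
    {"kind": "VULNERABILITY", "noteName": "projects/goog-vulnz/notes/EXAMPLE-HIGH-NOFIX",
     "vulnerability": {"severity": "HIGH", "effectiveSeverity": "HIGH", "fixAvailable": False}},
    {"kind": "VULNERABILITY", "noteName": "projects/goog-vulnz/notes/EXAMPLE-HIGH-FIXED",
     "vulnerability": {"severity": "HIGH", "effectiveSeverity": "HIGH", "fixAvailable": True}},
    {"kind": "VULNERABILITY", "noteName": "projects/goog-vulnz/notes/EXAMPLE-MEDIUM-FIXED",
     "vulnerability": {"severity": "MEDIUM", "effectiveSeverity": "MEDIUM", "fixAvailable": True}},
]


def blocking_findings(occurrences, max_unfixed="HIGH", max_fixed="MEDIUM"):
    """Return the vulnerability occurrences that violate the policy.

    Two thresholds, because "there is a patch and you did not apply it" is a
    different failure from "no fix exists yet":
      max_fixed   - highest severity tolerated when a fix is available
      max_unfixed - highest severity tolerated when no fix is available
    With the defaults: CRITICAL always blocks; HIGH blocks only if fixable.
    """
    blocked = []
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue  # DISCOVERY, BUILD, ATTESTATION etc. are not findings
        vuln = occ["vulnerability"]
        # effectiveSeverity is the distro's rating for the package; fall back
        # to the generic severity when the distro has not rated it.
        sev = vuln.get("effectiveSeverity") or vuln.get("severity", "MINIMAL")
        limit = max_fixed if vuln.get("fixAvailable") else max_unfixed
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[limit]:
            blocked.append(occ)
    return blocked


def attestation_payload(image_ref: str, digest: str) -> bytes:
    """Binary Authorization signature payload for one image digest.

    The attestor checks that critical.image.docker-manifest-digest matches
    the digest being deployed, so attest the digest, never a mutable tag."""
    payload = {
        "critical": {
            "identity": {"docker-reference": image_ref},
            "image": {"docker-manifest-digest": digest},
            "type": "Google cloud binauthz container signature",
        }
    }
    return json.dumps(payload, indent=2).encode()


def gate(image_ref: str, digest: str, occurrences) -> dict:
    """Decide whether the image may be attested; return payload if allowed."""
    blocked = blocking_findings(occurrences)
    if blocked:
        reasons = [
            f"{o['noteName'].rsplit('/', 1)[-1]}: {o['vulnerability'].get('effectiveSeverity')}"
            f" fixAvailable={o['vulnerability'].get('fixAvailable')}"
            for o in blocked
        ]
        return {"allowed": False, "reasons": reasons}
    payload = attestation_payload(image_ref, digest)
    # The SHA-256 is what an EC_SIGN_P256_SHA256 KMS key signs; the bytes
    # themselves are what gets attached to the attestation.
    return {"allowed": True, "payload": payload,
            "sha256": hashlib.sha256(payload).hexdigest()}


if __name__ == "__main__":
    image = "us-docker.pkg.dev/my-project/apps/app"          # constructed
    digest = "sha256:" + "0" * 64                             # constructed
    result = gate(image, digest, SAMPLE_OCCURRENCES)
    if not result["allowed"]:
        print("blocked:", *result["reasons"], sep="\n  ")
        raise SystemExit(1)  # fails the Cloud Build step, so no attestation is created
    with open("payload.json", "wb") as fh:
        fh.write(result["payload"])
    # Next steps in the build, done with the KMS-held attestor key:
    #   gcloud kms asymmetric-sign --location=L --keyring=R --key=K --version=1 \
    #       --digest-algorithm=sha256 --input-file=payload.json --signature-file=payload.sig
    #   gcloud container binauthz attestations create --artifact-url="$IMAGE@$DIGEST" \
    #       --attestor=A --signature-file=payload.sig --public-key-id=ID
```

`gcloud container binauthz attestations sign-and-create --keyversion=...` collapses the two trailing commands into one; the gate is what matters, because an attestation created unconditionally would make Binary Authorization a rubber stamp.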

Compute Engine: Google Compute Engine (GCE) is Google Cloud's infrastructure service for running virtual machines (VMs). Example: rather than use the hosted SonarCloud, we run a self-hosted SonarQube on a GCE VM;

SonarQube: an open-source platform for code quality management and static code analysis. It lets development teams check source code quality, detect security issues, identify potential bugs and measure code coverage;

Ansible: an open-source configuration management, deployment automation and orchestration tool. It lets you centrally manage the configuration and deployment of a large number of machines, whether physical, virtual or in the cloud;

Docker Compose: an open-source tool for managing multi-container Docker applications. It lets you define, configure and start several containers together, using a YAML file that describes all the required services and their configuration.

Check the PoC video here (in French).

Canary deployments send a small share of traffic to the new version first and promote it only after the checks (and, where configured, a manual approval) pass; parallel deployments roll one release to several targets at the same time. Combined with GCP's auto-scaling, load balancing and traffic splitting, these strategies give a smooth, low-risk transition to newer application versions, with a quick rollback path if a canary phase fails.

By applying DevSecOps principles on top of these GCP services, organizations can ship faster while keeping security and compliance checks in the pipeline and improving application resilience.