The presentation discusses the use of open source tools and templates to create a supply chain for DevOps workflows, with a focus on security and compliance.
- The presentation demonstrates a live demo of a basic GitOps workflow using open source tools such as Flux CD, Tecton, and K-PAX.
- The use of templates allows for flexibility in tool selection and easy swapping of tools.
- Security and compliance are embedded into the supply chain through signing images, scanning for vulnerabilities, and generating S-bombs for auditing purposes.
- The centralized metadata store allows for easy querying of results and sharing with developers and auditors.
The presenter emphasizes the importance of capturing outputs and using them for security purposes. The supply chain generates an OCI compliant image and a configuration that are put into a container repo and a Git repo, respectively. These outputs can be scanned for vulnerabilities and stored in a centralized metadata store for easy querying and auditing.
Kubernetes has become a popular choice for container orchestration as enterprises embark on their cloud-native application journey. We have observed that while enterprises quickly adopt Kubernetes by building and deploying microservices-based applications, full software development lifecycle (SDLC) considerations such as continuous integration and deployment (CI/CD) are often an afterthought. What does it take to incorporate DevSecOps practices into your CI/CD pipelines to deliver enterprise-grade cloud-native applications that adhere to best practices, and ensure a frictionless handoff between developers, operations and security? How do you make sure that your development, test, and production environments are consistent to deliver high-quality, secure, and reliable code at the velocity demanded by your business? In this talk, we will present all aspects of defining, building, and managing a secure software supply chain within your organization to deploy cloud-native applications into Kubernetes using a set of open standard based Tanzu Application Platform and DevSecOps best practices. We will also cover how supply chain choreography helps you define a delivery system with infrastructure as code while keeping it tools and programming language agnostic.