Continuous Delivery Foundation / CD Summit 2022 - Detroit

These are all the meetings we have in "CD Summit 2022 - Det…" (part of the organization "Continuous Delivery…"). Click into individual meeting pages to watch the recording and search or read the transcript.

4 Nov 2022

For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/

An OSS project's attempt to secure its supply chain - Ankit Mohapatra, Berkshire Grey

Jenkins X is a cloud native CI/CD platform built on top of Kubernetes with out-of-the-box support for GitOps, secrets management, preview environments, ChatOps and much more.
In order to provide all these functionalities, Jenkins X uses many open source projects as part of its supply chain in the form of Go modules, npm packages, Helm charts, Docker images and Terraform modules, to name a few.
In light of the recent high-profile supply chain exploits and attacks (SolarWinds, Codecov, etc.), securing the open source supply chain becomes critical for us and our end users.
But how do we even keep track of all the packages that make up our supply chain and then secure it?
We started by generating SBOMs (Software Bill Of Materials) for our artifacts and using vulnerability scanners to identify potential vulnerabilities.
Currently, we are in the process of integrating with Tekton Chains.
This talk is an attempt to summarize our supply chain security journey and what we plan to achieve in the future.
We will explore the fascinating world of SBOMs, SLSA (Supply chain Levels for Software Artifacts) levels and in-toto attestations.
More importantly, there will be some practical examples of the abstract concepts around supply chain security and how Jenkins X attempts to make a secure supply chain accessible to everyone.
  • 1 participant
  • 26 minutes

4 Nov 2022

Bringing Continuous Delivery to Open Source - Sudhindra Rao, JFrog

Open-source software plays an essential role in the supply chain of modern software development. Proprietary software is typically composed of 75% or more open-source dependencies. In open source software we rely on ad-hoc methods of software process and quality control.

A few of those ad-hoc methods have received much attention in the last few years: the need for MFA on source repositories, the need to sign every binary, and the need to verify such signatures and build trust in open source packages.

In this talk we want to cover different tools that help in making these methods easy to implement and help you decide which ones fit your way of working. We will talk about the recent attacks on open source software, the SLSA framework, Sigstore, Notary, and Pyrsia. We will also highlight how the Continuous Delivery of open source often does not receive the same attention and rigor as proprietary software. We discuss how to apply this rigor and enjoy the same benefits with open source.
  • 1 participant
  • 30 minutes

4 Nov 2022

Bringing Shipwright to Beta - and Beyond! - Adam Kaplan, Red Hat

Shipwright will soon unveil a beta API that brings stronger guarantees of support and stability. The project began as an experiment to simplify container image builds, and its graduation to beta marks a significant milestone in its maturity. As Shipwright evolved, the community strove to balance simplicity, flexibility, and security in its feature set. This lightning talk will highlight which features are graduating to beta, which features are not graduating, and how the Shipwright community came together to make these decisions. Come see how Shipwright will help teams deliver cloud-native applications on the cloud-native infrastructure!
  • 1 participant
  • 9 minutes

4 Nov 2022

CDEvents Roadmap - Andrea Frittoli, IBM

CDEvents is a common specification for Continuous Delivery events. 2022 has been an exciting year for the project: we implemented SDKs for golang, Python and Java and worked with various communities like Tekton, Spinnaker and Keptn. Whether you’re interested in adopting CDEvents, contributing to it or simply curious about the project, join this lightning talk to learn about CDEvents, what we are working on and what we are planning for the upcoming year.
  • 1 participant
  • 6 minutes

4 Nov 2022

Canary Deployments for Infrastructure Upgrades - Stephen Atwell, Armory

Canary and Blue-green deployments have become more commonplace when deploying end-user applications because they can decrease the risk of frequent deployments. This talk explores why these deployment methodologies matter for infrastructure tooling as well.

I will tell the story of why I started managing my Prometheus upgrades via canary and later blue/green deployments, how I use them to ensure that none of my application monitoring breaks anytime I upgrade Prometheus, and the challenges I conquered along the way.

Benefits:
Understand the benefits of applying canary deployments and automated canary analysis to an unusual problem space, and how doing so can increase the stability of your infrastructure platform.
  • 2 participants
  • 14 minutes

4 Nov 2022

Closing the Supply Chain Security Loop with Rust & Pyrsia - Stephen Chin, JFrog & Joel Marcey, Rust Foundation

Rust is the most loved and most wanted programming language today, and the community has nearly quadrupled in the last two years to 2.2 million. With over 85,000 packages built by thousands of contributors across the world, Rust is the definition of open and inclusive. We are going to talk about one project that is leveraging Rust to enhance supply chain security for open source projects just like the ones that make Rust Rust. Pyrsia will address one of the security challenges we all face: using secure packages in our development. Join us for an informative and interactive session on Rust, Pyrsia, and how their communities are working together to secure the software supply chain.
  • 4 participants
  • 29 minutes

4 Nov 2022

Decoupling DevSecOps from CI/CD Pipelines - Kayra Otaner & Jeff Woods, ADP

Having a monolithic CI/CD pipeline for CI, CD and security (SAST/DAST/SCA) is very common; however, maintaining a single CI/CD pipeline to take care of all security needs for app dev is becoming an anti-pattern. Security slows down CI and CD and creates friction between Sec and Dev needs. Creating a completely separate/shadow/parallel universal pipeline for DevSecOps needs seems to be working for enterprises like ADP.
  • 2 participants
  • 25 minutes

4 Nov 2022

Hacking the OSS Supply Chain - Stephen Chin, JFrog

Developers depend upon an ecosystem of open-source technologies that fuel innovation and decrease time to market. A typical business application is composed of 80% open source code, so what happens when the open source software supply chain gets hacked and thousands of enterprises are left exposed to potentially devastating security exploits? The SolarWinds hack and Log4Shell exploits are just the tip of the iceberg of a much larger security concern that spans the industry, affecting all programming languages, platforms, and cloud services. In this keynote we will expose security holes and exploits in the open source ecosystem as well as talk about Pyrsia, an OSS project that aims to secure the open source software supply chain at a fundamental level.
  • 1 participant
  • 10 minutes

4 Nov 2022

How We Gained Observability Into Our CI/CD Pipeline - Dotan Horovits, Logz.io

We all know that observability is a must-have for operating systems in production. But we often neglect our own backyard: our software release process. That was our mistake, which led us to waste time and energy handling failures in the CI/CD pipeline, and made our Developer-on-Duty (DoD) shifts tedious.

In this talk I’d like to share how we built effective observability into our Jenkins pipeline using intelligent data collection, dashboarding and alerting, to boost our response to failures and improve our quality of life along the way.

This talk will give practical guidance on how to improve observability into your CI/CD pipeline. Whether you use Jenkins like we do, or other CI/CD tools, you’ll learn how to augment them and reach higher productivity.
  • 1 participant
  • 26 minutes

4 Nov 2022

Keeping builds green at scale - Alec Stewart, Aviator

Most large-scale companies struggle with continuous delivery due to unstable build infrastructure.

Often, teams that work on a monorepo struggle with keeping their main branch stable, especially as the number of engineers merging changes (and consequently, the number of code-submissions per day) grows. This happens because incompatibilities emerge when multiple changes are combined, causing builds to break frequently.

Poly-repo setups present their own challenges: synchronizing merges when changes span multiple repositories, rolling back related changes across repos, and testing across multiple build/test pipelines can become coordination time-sinks for developers.

This talk will feature a distillation of various merge strategies that help teams scale, keep builds stable and stay production ready.
  • 1 participant
  • 22 minutes

4 Nov 2022

MLOps with Spinnaker: through the eyes of a beginner - Shivay Lamba, Meilisearch

Today machine learning can be seen in literally every aspect of life. Machine learning helps us make good decisions by learning from the existing data models and applying good predictions of the next output to give us suggestions and feedback over existing solutions.

Machine learning does differ from standard software development in terms of how the notebooks are processed. Thus the question arises: how do we deploy production-ready machine learning?
What different strategies currently exist through which machine learning can also achieve CI/CD? How can we use Spinnaker to enable that?

To get answers to all these questions, please attend this lightning talk!
  • 1 participant
  • 7 minutes

4 Nov 2022

Operating Tekton Efficiently and Securely for multi-team use cases - Wendy Dembowski, Google

Do you operate a Tekton Pipelines installation? Do you need to support multiple different teams using Tekton for CI/CD? In this talk I’ll discuss strategies for operating Tekton with workload isolation and user latency in mind. We’ll go into detail on strategies to avoid startup latency for Tekton PipelineRuns and TaskRuns while minimizing the number of nodes in your cluster to increase resource efficiency. We’ll also explore using the Kubernetes autoscaler, caching strategies when the Docker sidecar prevents a Tekton Task from taking advantage of the Kubernetes node cache, and other cluster operation optimizations to support a multi-team Tekton installation.
  • 1 participant
  • 14 minutes

4 Nov 2022

Tekton State of the Union - Dibyo Mukherjee & Al Huizenga, Google Cloud

With the current spotlight on software supply chain security, you may have heard of Tekton - a cloud native open source framework for creating secure continuous delivery systems. In this session, we will share what is new and upcoming in Tekton as we make progress towards providing SLSA guarantees and releasing V1 of Tekton Pipelines.
  • 2 participants
  • 15 minutes

4 Nov 2022

Welcome - Fatih Degirmenci, Continuous Delivery Foundation & Lori Lorusso, JFrog
  • 2 participants
  • 5 minutes

4 Nov 2022

Why Kubernetes Applications Require a New Approach to Testing using Testkube - Bruno Lopes, Kubeshop

Microservices, CI/CD, DevOps, GitOps, cluster networking, etc… — more and more teams are building software fundamentally differently than they did even a few years ago. However, testing approaches and tooling have not caught up yet. At least not until now. What if you could apply the same type of GitOps and DevOps methodologies to your testing activities? Tests could be deployed and stored in a Kubernetes cluster, they could be decoupled from your CI/CD, orchestrated in the cluster in the same way you do with your applications and not in your CI/CD, publish results aggregated in a common format and be triggered with a simple API request. Looks promising, right?
Let’s have a look at Testkube, an open-source framework that is moving to be the cloud-native testing framework for all your tests in Kubernetes. Whether you are using Postman, Cypress, K6, SoapUI, or any other testing tool, Testkube can unlock all the capabilities of those tools that allow you to deliver code with confidence.
  • 1 participant
  • 24 minutes

4 Nov 2022

Workflows - Quick, Easy CI with Tekton - Dibyo Mukherjee, Google

Do you want Tekton's flexibility and power without having to manage lots of YAML? Tekton Workflows is an experimental project that makes it simple to set up your most common CI workflows from a single place. In this talk, we'll describe why we decided to build the Workflow abstraction, how it builds on top of existing Tekton resources, and how it can simplify your Tekton usage for many common CI scenarios. We'll discuss how Workflows automates Git-based triggering, manages concurrent pipeline runs and provides status notifications while still allowing users to use the full power of Tekton Pipelines!
  • 1 participant
  • 10 minutes