►
From YouTube: Developer Enablement through a GitOps Driven IaC Control Plane... Jesse Sanford & Manabu McCloskey
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
Developer Enablement through a GitOps Driven IaC Control Plane at Autodesk - Jesse Sanford, Autodesk & Manabu McCloskey, AWS
At this point GitOps is a well understood concept amongst DevOps practitioners. Talks and posts promising magnifications of developer enablement through GitOps abound. However, they rarely focus on the intersection of dev enablement and security/compliance. In this talk Jesse Sanford and Manabu McCloskey will walk through a recent PoC done at Autodesk that flexes GitOps for the delivery of compliant infrastructure as code using Managed Delivery and Crossplane. The PoC focused on using Crossplane to split the responsibilities over the ownership of the IaC and separating the concerns to the appropriate stakeholders in the organization. Security team members can develop security controls alongside platform and product engineers who develop capabilities and functionality on top of them. Additionally, using Spinnaker Keel, all parties can work through a unified git driven workflow where PRs serve as our change requests and merges trigger the updates to secure infrastructure across the organization. Finally, novel approaches for wiring up Keel with Crossplane through the use of the K8s plugin, and sharing of secrets between Clouddriver and Flux through a custom sidecar will be discussed.
A
All
right,
I,
I'm
Jesse
and,
as
you
saw
earlier
in
the
keynote
I'm
senior
principal
software
architect
at
Autodesk
and
I'm,
currently
working
the
juncture
of
our
security
compliance
teams
and
our
developer
enablement
team.
When
I'm
not
in
front
of
my
computer,
I'm,
absolutely
dependent
upon
to
be
a
continuously
delivering
parent.
A
All
right
so,
first,
a
quick
agenda.
We're
gonna
look
at
acdp,
which
is
our
Autodesk
cloud
deployment
platform,
which
we
call
Cloud
OS
and
then
go
into
some
of
our
IAC
pain
points
specifically,
which
drove
some
of
the
work
that
you
were
about
to
show
you
guys
and
then
we're
going
to
look
at
the
architecture
of
the
solution
that
we
came
up
with
and
then
manabu
is
going
to
give
a
deep
dive
on
how
everything
works.
A
So
the
Autodesk
cloud
deployment
platform
or
what
we
call
Cloud
OS,
is
our
current
attempt
at
consolidating
our
continuous
delivery
Primitives
used
to
ship
Autodesk
software.
About
four
years
ago,
we
produced
an
internal
strategy
at
Autodesk
about
how
we
should
start
doing.
Modern
delivery
of
our
software
to
the
cloud
quicker
was
core
to
that
strategy,
as
were
the
basic
tenets
of
get
Ops.
Although
get
Ops
is
still
a
little
bit
of
an
experiment
for
us
still
not
truly
commit
to
production.
A
We've
been
using
Spinnaker
for
about
three
and
three
and
a
half
years
now
in
much
of
the
early
ux
for
this
platform
was
informed
by
our
previous
homegrown
CD
Cloud
orchestration
tool
and
to
ease
our
users
transition
onto
our
Spinnaker
based
solution.
An
abstraction
layer
was
built
to
match
that
prior
experience.
A
A
You
know
the
the
imperative
pipelines
that
we're
producing
are
a
combination
of
Spinnaker
native
stages
and
and
terraform,
and
also
ad
hoc
containers
mixed
in
the
terraform
stages,
use
arm-rays
terraformer
to
invoke
a
curated
set
of
terraform
modules,
but
because
of
the
diversity
that
our
product
teams
need
to
to
to
to
be
able
to
do
the
products
they're
building.
We
must
also
allow
for
a
bring
your
own
terraform
path
as
well,
and
the
unfortunate
side
effect
of
that
is.
A
It
allows
for
a
lot
of
diversity
in
the
module
of
design
as
well,
which
is
an
issue
for
our
security
and
compliance
teams.
How
can
we
know
that
the
infrastructure
and
the
modules
that
they're
producing
meet
our
regulatory
requirements?
How
can
we
alleviate
our
developers
from
having
to
think
about
how
to
implement
those
controls
into
all
of
their
modules
right?
There's
a
developer
enablement
play
there
too,
and
our
security
and
compliance
team
want
to
help.
A
They
want
to
be
partners
so
they've,
even
go
so
far
as
to
produce
a
reference
set
of
hard
modules,
for
teams
to
use
like
like
Cole,
also
showed
a
little
bit
earlier.
However,
those
hard
modules
are
not
over,
not
not
a
requirement
right
now.
They're,
not
it's
not
compulsory
to
use
them
and
adoption
is
still
a
little
bit
best
effort.
A
A
This
will
not
really
cause
this
drift
to
occur
in
these
Dynamic
Cloud
environments,
but
also
limits
how
quickly
we
can
respond
to
mandated
changes.
Company-Wide
enter
Crosslink
right,
a
kubernetes
operator
based
control
plane
for
apis,
be
the
cloud
provider
apis
like
AWS,
Azure
or
gcp,
or
your
own
internal
apis.
A
This
means
that
we
can
build
a
library
of
curated
Primitives
and
nurture
an
ecosystem
of
higher
level
abstractions
like
Autodesk
compliant
database
that
mask
away
a
lot
of
the
toilsum
Nuance
that
comes
from
working
with
High
Fidelity
tooling.
This
is
what
developer
enablement
starts
to
look
at
look
like.
A
A
A
All
the
way
down
during
this
bootstrapping
phase
of
the
new
client
account
Spinnaker
writes
those
cross-plane
crds,
representing
the
desired
state
of
those
new
client
clusters
directly
into
the
cross
plane.
That's
co-tenented
on
it
in
that
Central
cluster,
see
that
little
lollipop
there
in
the
middle
I
want
to
point
out
that
this
crossbite
instance
will
need
AWS
API
permissions
on
these
client
accounts
client
accounts
to
allow
it
to
build
those
new
case
clusters
right.
A
Spinnaker,
however,
in
the
middle,
there
will
retain
those
permissions
to
be
able
to
write
objects
out
to
those
case
clusters,
so
that
keto
can
continuously
write
manifests
to
them.
This
allows
for
managed
delivery
to
continuously
deliver
the
crossband
crd
artifacts
from
our
client
GitHub
repos
that
represent
our
client
apps
to
those
client
clusters
in
those
client
accounts.
A
The
client
cross-plane
instances
will
then
build
and
continuously
reconcile
the
infrastructure
required
by
our
client.
Apps.
Remember
that
that
centralized
Spinnaker
does
not
need
to
have
Cloud
driver
permissions
to
those
AWS
accounts
anymore.
It
just
needs
Cloud
driver
Kate's
credentials
to
be
able
to
write
to
those
Kate's
API
servers
in
those
those
accounts
around
the
edges.
B
B
I
know
you
get
all
that
manifests
to
the
cluster
close
bank
and
the
cross
brain
is
going
to
do
its
magic
and
then
create
the
you
know
the
infraction
that
is
needed
for
client
account
to
function
and
as
a
result
of
the
reconciliation
process.
It's
going
to
create
a
brand
new
case
cluster
with
cross
brain
installed,
and
then
finally,
you
have
an
application
repository,
that's
you
know,
has
a
code
and
you
know
artifacts
and
everything
that's
defined
and
you
have
to
be.
B
B
So
you
know
that
this
application
repository
might
contain
some.
You
know
information
about
infrastructures
as
well.
So
in
that
case
you
just
submit
that
to
crossbank
and
the
crossbank
is
going
to
create
S3
packets,
easy
to
instance,
whatever
right
you
name
it,
and
then
you
can
also
deploy
all
these
applications
into
the
KH
cluster
in
itself
as
well.
B
Okay.
So
this
is
a
little
complicated
right.
It's
got
a
lot
of
workflow
going,
so
I
am
just
going
to
simplify
that
into
just
four
steps,
so
the
first
step
just
create
a
cluster
right.
You
just
ask
that
cross
plane
in
the
hub
cluster
to
to
create
a
brand
new
cluster
and
then
cross
brain
is
going
to
reach
out
to
the
client
account
and
then
create
the
eks
cluster
with
crossband
installed
and
then
cross
brain
comes
back
to
Spinnaker
and
just
say:
hey
this
class
is
now
ready.
B
B
B
Okay,
so
we
now
know
how
to
correct
or
connect
to
the
infection
repository
and
then
deploy,
and
then
you
know
corresponding
is
going
to
provision
right,
so
that
workflow
would
look
something
like
this.
You'd
have
a
GitHub
or
you
have
a
git
repository
that
has
a
q
manifest
stored
in
this
case,
we're
just
using.
B
So
typically,
when
cross
pane
deploys
its
own
infrastructure
or
it
deploy
anything
in
there,
you'd
use
portal
right
so
IR
say
so:
it's
pretty
much
a
identity
assigned
to
rule
and
they
use
that
identity
to
assume
a
role,
and
then,
from
that
role
you
assume
another
role.
That's
usually
how
a
crossbanding
do
its
own.
You
know
when
you're
deploying
things
that's
how
they
do
it
problem
is
that
you
know
all
of
us
didn't
allow
it.
So
how
can
we
solve
this
right?
B
That's
mostly.
Yes,
let's
see
yeah.
So
in
this
new
model,
you
have
an
eks
oidc.
So
whenever
you
create
an
eks
cluster,
you
have
a
option
to
create
an
oidc
provider
right,
and
what
is
happening
in
here
is
that
client
account
is
trusting
that
Principle
as
an
oidc
yeah,
the
oedc
within
cross
brains
and
namespace.
B
B
Okay,
so
with
this
we
will
actually
be
able
to.
You
know,
create
the
cluster
and
then
come
back
to
Spinnaker
and
then
say:
hey
it's
ready
right,
but
that's
a
problem.
How
can
we
deploy
it
to
the
brand
new
account?
You
know
coming
back,
that's
like
really
no
information.
That's
given
to
you
right
like
we
need
the
information
like
what
what
server
are
we
going
to
be
able
to
do
what
credentials
are
we
going
to
use
to
deploy
to
right
all
that
information
is
still
not
there?
So
how
do
we
do
this?
B
Thankfully,
the
people
from
close
Spain
thought
of
all
this
right,
so
Crossbay
has
this
concept
called
connection
details
and
collection
details
allows
you
to
describe
certain
details
about
these
managed
resources,
so
managed
resources
could
be
like
you
know:
S3
packet,
dynamodb
table
easy
instance.
You
know.
B
That
right,
so
what
these
connection
details
hold
is
just
information
about
these
managed
resources.
So
when
you're
talking
about
you
know
S3
bucket,
it
could
be
like
you
know,
name
of
the
packet
which
region
it's
in.
You
know
Secrets
our
encryption
settings.
You
know
anything
like
that,
but
in
case
of
an
eks
cluster
you
are
actually
storing
and
it
could
config
file.
So
you,
as
you
most
of
you
probably
know,
could
config
is
used
to
connect
to
the
these
customers
right,
and
so
these
could
configures
are
available
as
a
secret
within
crossbones
namespace.
B
B
I'll
read
that
your
mobile,
you
know,
as
you
know,
the
containers
share
their
file
system
right
within
about,
and
this
Cloud
driver
has
its
own
plugin.
It's
the
external
account
plugin
I
think
this
was
developed
by
Omri
people.
What
this
plugin
is
going
to
do
it's
just
going
to
read
that
file
the
yaml
file
and
then
read
and
add
these
accounts
into
Spinnaker's
memory.
B
And
then
you
know,
if
you
remove
a
account
from
the
ml
file,
it's
also
be
going
to
be
removed
from
the
Spinnaker's
account
as
well.
One
thing
to
note
is
that
these
secrets
that's
maintained
by
crossbank.
They
actually
refresh
so
this.
You
know
the
tokens
included
in
Google
compute
file.
They
expire.
B
You
know
about
60
minutes
or
so
I
think
so,
every
time
it
expires
and
then
gets
refreshed,
it's
actually
written
by
the
society
guard
as
well,
and
it's
written
to
the
yaml
file
so
that
you
know
you
Spinnaker
has
the
latest
and
valid
token
to
use
and
every
time
it
needs
to
deploy
something
okay.
So
what
that
means
is
that
it
actually
now
allows
you
to
use
the
Spinnaker's
pipelines
right.
So
you.
C
B
B
So
to
do
that,
we
had
to
leverage,
kill,
heels
kubernetes
plugin
under
the
hood.
It
actually
uses
Flex.
For
those
of
you
who
do
not
know
what
flux
is
flux
is
a
toolkit
just
allows
you
to
have
the
enable
get
of
a
workflow
within
a
kubernetes
cluster.
So
it's
just
going
to
reach
out
to
the
git
Ops
get
gear
repository
fetch
all
the
information,
that's
necessary
and
then
finally
apply
that
to
the
brand
new
kubernetes
account,
but
there's
another
problem
again
right,
flux
and
spinning
guard.
B
They
don't
get
to
talk
to
each
other.
You
know
they
don't
really
know
how
to
talk
to
each
other,
and
you
know
explain,
exchange
information
about
these
accounts
so
flux.
So
it
knows
our
University
that
doesn't
know
how
to
connect
to
the
client
cluster
right.
It
was
just
created,
it
doesn't
know
anything
about.
You
know
crossbones,
you
know
Secrets
model
or
Spinnaker's
account
model.
So
to
solve
this,
we
just
expanded
that
Sidecar
to
just
read
from
the
secrets
in
the
closet.
B
B
B
B
Okay
and
then
so
this
manifest
gets
submitted
to
kill
and
kill,
is
going
to
do
its
own
thing
and
then
finally
ask
flux
to
deploy
using
Code,
configure
one
right
and
in
fact
it's
just
going
to
reach
out
to
the
the
secrets
in
within
its
own
file,
get
the
code
config
file.
Just
you
know,
read
it
and
okay
now,
I
know
where
I'm
supposed
to
be
deploying
and
then
finally,
it's
going
to
be
able
to
deploy
into
the
client's
AWS
account.
B
So
with
all
that
in
place.
We
now
have
this
nice
and
you
know
easy
to
read
our
model
right,
so
you
have
an
infrastructure
repository
that
defines
all
the
you
know.
Infractions
are
just
needed
for
the
client
account
and
then
it's
just
going
to
ask
cross
brain
to
deploy
it
and
then
finally,
the
cross
brain
just
comes
back
and
then
say:
hey
the
cluster
is
ready.
A
Okay,
yeah,
so
there's
a
timing,
a
timing,
question:
okay,
right,
yeah,
so
I
I
can
I
can
explain
it
a
little
bit
so
it
really.
It
really
depends
upon,
like
the
workflow
around
this
tool,
right
like
at
Autodesk,
we
we
still
have
kind
of
like
an
onboarding
of
of
clients
to
our
system.
It's
not
completely
self-service
yet,
however,
if
it
was
self-service,
there
would
be
some
sort
of
out-of-band
notification.
That
would
say
like
look.
Your
tenant
has
been
been
produced.
You
can
now
start
writing.
A
I
I
can
also
Imagine
a
situation
where
someone
comes
to
us
with
a
manifest
a
declarative,
manifest
in
keel's
world
that
they
want
to
deploy.
However,
they're
still
going
to
need
to
kind
of
onboard
somehow
like
it's
not
it's
not
the
case
that
they
can
just
say:
hey
I
have
this
repo
just
deploy
for
me.
They
still
need
to
have
an
account
and
VPC
that's
been
provisioned,
and
all
of
that
right
now,
actually
is
is
kind
of
done
out
of
band
process
at
Autodesk.
Is
that
is
that
sound
familiar
like?
A
Well,
so
so
let
me
let
me
I,
don't
want
to
ambiguate
here
three
happens
automatically
by
virtue
of
the
secret
and
the
coop
config
getting
written
back
to
Spinnaker
and
the
dynamic
accounts.
Plugin
then
sees
it
and
creates
a
new
account.
A
net
new
case
account
inside
of
Spinnaker.
Only
then
can
Spinnaker
actually
Target
that
account.
However,
if
someone
was
to
create
a
a
client
account
delivery
manifest
and
try
to
Target
it
before
that
was
written
back,
Spinnaker
would
just
say:
I,
don't
know
which
account
you're
trying
to
use
I
can't
write
that.
C
A
C
A
Of
them
it'll
be
really
quick
about
this,
so
that
has
a
lot
to
do
with
about
with
with
Autodesk
security
posture
right.
They
don't
want
to
necessarily
give
all
these
accounts.
All
these
client
clusters
access
to
be
able
to
actuate
all
their
changes
all
the
time
by
themselves,
entirely
right,
and
so
we
we
are
able
to
centralize
that
pipeline
of
the
delivery
of
this.
This
application,
manifest
the
you
know.
Ultimately,
the
the
declarative,
yaml.
A
That's
been
boiled
down
through
our
CD
system
and
it's
like
a
centralized
choke
point
right
like
we
can
say
this
is
not
allowed.
Don't
do
that,
but
but
you're
right,
you
know
you
know,
flux
could
be
distributed
and
then
just
rely
upon
the
localized
credentials
on
those
case
clusters
to
be
able
to
talk
to
the
Amazon
apis.
For
you
right.