Good afternoon, and this is Bill by the way. I'm Sean. I don't want to I don't want to be mistaken for my manager And we got a joke there. All right, let's go. So the first thing we're actually going to do today Just just as a quick intro for us as a team with the developer and cloud advocacy team at VMware We run a website called Cloud Journey IO. It's a little bit different There's absolutely no mention of vSphere or VMs anywhere on this thing. So it's a little bit different for VMware And so that's why we tend to push it pretty hard But we're a small team and really we're excited to be here today To talk about the journey of continuous verification. So before we jump into the slides I'm absolutely going to show you a live demo Of our pipeline. So let me jump over here. So this is what we are looking at today in GitLab This is actually our application as a microservices based application And I know we'll talk a little bit more about it There are multiple services associated with it I'm going to make a modification to the cart service just to kick off the pipeline And then I'll come back a little bit later on and do a little bit further demo at it So let me jump over to VS Code And I will just make sure I'm in the right directory perfect So I'm going to make a modification to the Dockerfile because they don't let me touch production code It's true So let me jump down here real quick So I'm going to delete this and insert London commit Perfect It's all the fun stuff we have to do and now I did not document that properly you'll get over it Push All right, so I am now pushing this come on internet work with me There we go. If I jump back over to GitLab You should see let's double check Just now so we're now kicking off the pipeline and I'm about right there just so everybody sees it's going and then I'm going to turn it over to Bill And I will come back a little bit later on and show you the stages as they run Absolutely, I can do that that better Perfect.
Thank you for being an interactive audience Thank you So thanks Sean. So as the pipeline is kind of moving along here I'm going to talk a little about what we're showing right what is a concept and it goes back to the title of this talk Which is continuous verification. We'll come back to the pipeline in a few minutes, right? And we'll take a look at some of the bits But let me give you a little bit of background on it and what that means You know If we kind of think about where we've evolved from and where we are evolving to right Lots of different types of applications. The architectures have changed significantly, right? So you're no longer on the stack based environment. You're looking at LAMP stacks or other types of component architectures today you've got a myriad of different Languages databases different environments that you're running on too right from Amazon to on-prem to Kubernetes and serverless, right? And so the combinations are endless the ability to kind of manage that and Actually work through it is mind-boggling right in actually getting control of it But if we think about how to get control of it, right? The application is first and foremost the key or actually as we think about it the unit of measure now because those environments are varied And in order to kind of get that control, right? The CI/CD pipeline is as I as we think about it is the vehicle right for getting that control There's a lot of the processes and the components that you are going to implement are going to be in and out of that pipeline, right?
So, you know, we talk about two parts of it, right, which is a CI and then the CD components and at the end of the day You're gonna have a significant portion of the CI that'll go and cover things like SAST/DAST and we talked a little bit earlier You know about the security components But there's a lot of bits that you could do in the CD portion also And if we think about what those bits are right you have to think about how you're managing your processes today You're gonna have a set of guidelines or guardrails and components that you think about if I go and deploy an application I want to make sure that I have enough capacity in Amazon I want to ensure that I have a significant set of security Qualifications that are done before and after it goes into let's say the endpoint and a lot of these checks that we do on a regular basis are done sort of Post deployment in some cases pre right there may be sneakernet right you kind of going on checking the application and the Actual deployment architecture where it goes and double-checking those configurations Prior to it and in some cases we're gonna go post a lot of times We find issues right post because something has changed something has not been accounted for at the end of the day and You know this causes issues with respect to how we actually manage and where we spend our time Now ideally, you know if we think about this pipeline That we're managing and it's it has to be efficient and effective right from end to end a good analogy that I can draw for you is think about a car factory right and If you think about cars being manufactured today, they are done very effectively and efficiently right There's a lot of components that are reused a lot of components that are checked on a regular basis And if you if you think about that There's people that are they're checking the quality of that car is it going through and the failure rates are you know Yes, we do have recalls right, but if we only Given the number of cars
that are produced the quality is pretty high for that complex of a product right and We can only aspire to have software development producing our end applications at that level right and If you think about where the efficiency comes when we think about that Pipeline right it really comes through the reuse of components if you think about We'll take Ford as an example. You know the different or Toyota right? I mean a Camry, you know Couple of other cars are based off the same platform, so they're reusing those components, but also during their build processes they're reusing a lot of those bits too right from the checks to the actual parts itself and The checks are the important piece because that's what helps improve the quality right and there's a process of actually thinking about those checks And if we take the same concept on that thought process from a car manufacturing line and we apply it to Our CI/CD pipeline right You know we live and breathe in this Kind of flow that's highlighted here, and that's standard where we live nowadays but if we take that analogy back to the Automotive industry and that pipeline and we add similar sort of checks Right, we certainly extend that pipeline now We have an ability to do different sort of checks on a regular basis and those checks will check for anything from you know budget performance or security and That is what we call Continuous verification It's effectively the ability to query external systems to get information about what is happening Currently and then taking that information and reformulating another sort of guardrail or Policy and then continuously working through that right on a regular basis because things are changing right If you look at our output from your or your endpoints Amazon you got features coming in on what daily basis, right? So there's it is going to be a continuous process.
You can't just Set it and forget right it's a constant learning process But the fact that you can use these external actors is Important because that gives you the information to act upon Issues that could potentially crop up and so what does that mean for us, right? That means as DevOps people right get more time off you get more time to relax And your life should improve right Ideally so what we'll show today is How you can use? Specific external actors in the pipeline and in particular we'll show Ones that are highlighted here in circle and purple which are the ones that VMware offers But there's a myriad of options that you can choose from and If you look at some of the categorizations that we have here, right? It is sort of endless, but we picked a few that we thought were important obviously based on some of the products that we have Cost utilization being one of them And that we have a product called CloudHealth Compliance is huge right now. There's some open source tools. There's also Off-the-shelf ones like RedLock or our product Secure State and we'll show you a little bit of that You have image security right Clair as an example. That's open source and and and GitLab integrates with that We also have Bitnami on our side And then you have access and authorization. How would I do that? We're definitely going to use API calls into Amazon You'll use Things like Turbot, which is a an off-the-shelf product also and then performance detection You have Wavefront another product of ours and so on and so forth What you pick and choose is all up to you in this pipeline, right? These are just some categories There's no necessarily sense that you have to pick everything But that's really based on your processes and what you choose as an SLA To make sure that that gets checked before something goes into staging or production, right? And so that that that list of categories could be endless what you pick and how you utilize in what combination? It's all up to you.
There's no SLA right or wrong The fact is that you need to be adding this to help make it efficient, right? And that's what we we call continuous verification. So So I think what we'll do now is to switch back into the scenario that Sean kicked off and we'll kind of work through that

Can you hear me? Okay, perfect. There we go. Apparently me coming back on the stage was not in the plan So I do want to look at this real quick So in in the broader case of our application that we've built you see a bunch of microservices Then on the left-hand side obviously into the build stage for the sake of time I only chose to modify the cart service and have a kickoff its process It takes about nine to ten minutes depending on the scenario the back end just so you're aware is Azure AKS Obviously from a Kubernetes perspective and so let's jump into let's jump back in to GitLab here And I'll show you a little bit of what is going on from this particular process It actually succeeded and it only took seven minutes. It's faster over here apparently You can tell I ran it the other day and it failed miserably Well because of me but anyway, so in this case, here's my pipeline I show all of the stages that are complete so I'm actually going to walk through a little bit of this to help us understand Really the power of GitLab Along with the idea of continuous verification. So in this case, I'm obviously building the cart service Pretty simple stuff here. You can see all the output. Yes, we need to upgrade pip. I understand that And really this is meant to fail in a couple of ways But who's it? You know quick example of the build I'll jump back in to the overall pipeline. So we broke this down into stages and in some cases We are running simultaneously. So our scanning stage is I The next one we will be two things at once, but this is the container scanning stage focused on Clair and Yes, we do have some unapprovals and yes, I use the power of GitLab to override My failures.
This is meant to be a demo. I think everybody understands that Not a real production app, right? I have to clarify that every time I talk about it Because it might be running on something on VMware. But anyway, so in this case, here's all my CVEs that have failed But this is the power of GitLab obviously in integrations with Clair And you know personally for me when looking at GitLab and utilizing GitLab in this case I actually live the simplicity of the output really from a From a terminal perspective and obviously it's tied to my commit if I would have labeled it properly read it just says London Now let me jump into the next stage So this one's a little bit fun in this case. I am actually doing a couple of governance checks Now as Bill mentioned in this idea of continuous verification We used a couple of VMware solutions in this particular case, but you can use your own We've actually seen some very unique scenarios where a single customer may have a Wavefront and Prometheus or Wavefront Datadog right this the idea and really the power of GitLab behind it allows you to have Really your organization's context in mind. So in this case, I'm going to do a quick budget check now In our example, we are making an API call wrapped in a Python to CloudHealth But it's very simple. We're looking to see if I have budget for this particular use case And and for this particular project and in some cases you may not be doing this yet But when I've started talking with customers over the past few months They said, you know, we don't really do budget checks. We don't do cost analysis from a CI/CD perspective You know, the line of business owner actually does care But it is a manual step and like, you know, we can actually automate this And so it's just getting it's really getting you thinking about ways to improve the overall processes And I call automate all the things Automate all of the manual things and in this case, it's a simple one about doing a simple budget check.
Is it within budget? We wrapped like I said, we wrapped it in Python Made the necessary check the seconds the second check in this phase is a security check Now in this in this example, we are using VMware Secure State Obviously, I did the same thing as you see earlier. I'm running a VSS findings Python example, and I am really looking for is is there any violations found? So I do want to say there is a violation found in this particular example So let me jump back into Secure State real quick. I'm looking at all the violations. This is a graphical representation But let me let me Remove my provider real quick Just to show you we're looking at you know, we can look at both AWS and Azure from an example perspective And look at different things like port 22 that you know is RDS accessible. Do I have encryption? Right? There's so many different things we could check for but in this example I did narrow it down and we're looking if port 22 is open and so this is the graphical view But for me, you know, I don't really care about this view, right? We made sure that we wrapped up the security check from a GitLab perspective in Python Ran the quick validation got some output from the From this particular case and then decided we're okay with the failures and continue on in the GitLab perspective Now, I do want to show you what we did from a CloudHealth point of view as well So here is the graphical representation who shows my budgeting from an Azure perspective Obviously, I have a plethora of ways to look at this I'm showing you kind of the broader view I could launch directly into AKS or the Azure Kubernetes service and show You what my expenses are really this is meant to highlight really the power and really your options So we're looking at the overall Azure expense overall in a month But you could get very granular right you could do it at a project-based level.
You could do it an application But we want to put it back in your hands And really this is the you know from an API perspective We're giving you options and so however you want to run the the the cost check is really up to you And this is just meant to be a simple example, okay? So if I jump back lastly from a pipeline view, I see a couple more stages. I See my deployment stage obviously it's passed You know these really this is the the simple piece right? We're just continuing the process of building out And here's all of my You know here's my create namespace GitLab username login one of the unique things that we've done our team We have a couple of Kubernetes clusters running in AKS And for each of us when we kick off this pipeline We actually have it auto creating a namespace for us And so I have my own namespace Bill has his own the rest of the team And this allows us to do some fun things and get creative, right? We're just using the power of variables Within GitLab to to highlight really the simplification of our process really depending on our needs And so this is just one of the examples right there That's why you see GitLab user login and that would be me. I already had it populated So that's why it took only seven minutes to recreate the cart service But the overall process takes about 20 minutes and deploying the seven different services So lastly I'll show you one more We see the overall, you know, excuse me one more check. This is our performance check We're doing two things in this particular stage We're actually running Locust from a traffic generation perspective and then we are You know running a quick test to do some you know simple, you know User performance testing right obviously you can expand this you're probably doing a lot more than we are in this pretty simple view But then we call Wavefront now Wavefront right Prometheus Wavefront Datadog as an example We're running a very simple check here.
You see we're checking the Kubernetes pod container CPU usage rate Right, we're looking for it to be at a specific a level and in our case We're not really doing anything because it's not a real production app, but it's spun up Locust did a couple of tests It's fine and obviously it spins back out and says hey, we're good. You're gonna go ahead and continue In and allow this particular check to run through Now isn't it you know for us and I'll do this later on I don't know why I didn't add it to the deck and we have all of our kind of test checks that we have running We can actually I'll push those out to a repo and make those available off. I'll put it out on Twitter Is it to make it available to everyone just kind of see what we're doing as a kind of a simplification of the process and Obviously, we deployed to production from there. So overall You know, it is build engine. This is really about you utilizing your solutions And tool sets right if it doesn't have an API right at write a wrapper or do something creative with it But at the end of the day our goal this really kind of as we've worked with customers Is we're seeing more and more customers try to take those manual processes or enterprise IT centric processes And push them into the pipeline right in this case We're using some of our tooling some open-source tooling But it really comes back down to you and to your context in your organization as an example So with that I'm going to turn it back over to Bill and we're going to move on to the next stage

Okay, thanks, Sean So hopefully they provide you a really good example a simple example of what continuous verification is and you know Specific checks that you can make and I don't think you always think about these sort of checks inside the CD environment But hopefully this gives you an idea to start adding some of these right Now apart from just implementing this There's something else you got to think about so let me run through the story with you guys
right Think of DevOps as a border collie Okay, let's start with that concept And think about what a border collie actually goes and manages right as the DevOps person it manages a couple of apps or sheep and Initially, it's kind of easy right and you're gonna be managing that pipeline and those applications are sheep in the space easy I got it not a problem Gets a little bit more Yeah, they grow. Yeah, I still have some control at this point right and this is okay, and I can still implement let's say CV Organization goes even further and oh god, we're just out of control now, right? and This is where you know implementing. Let's say CV takes on a whole different thought process It's not just about adding those checks, right? We'll talk about what that means in a minute So if we think about what we're trying to do is you know, if you think about the border collie and having to manage You know, you don't want them managing this this this sheep kind of going in all different directions, right? And having and taking control of that is pretty hard We've got significant herd now going out and actually going all over the place or running towards the lake but what you want to do is to be able to Have some control over them and how do you do that? Right? So if you look at the picture on the right, you know basically fencing them in creating some kind of control or gates and fences and gates as we call it to help control, right that those Those sheep and at the end what happens, right? You have a Border collie that is frustrated, right instead of this you're gonna get one that's very happy because hey now There's some control is not running around as much much happier. Okay, so If you think about this with respect to continuous verification, right? What you want to try to do is in the question for you guys is do you guys want to go chase the herd or? Do you actually want to go build what what I just mentioned is called fences and gates, right?
And the implementation of continuous verification is not just adding those API calls that we talked about and what Sean showed It's about actually thinking about a full line of guard rails Right and those guard rails are what you have to manage to effectively make your operations more efficient, right? And those guard rails are what I will in this analogy what we call fences and gates So if you think about what we showed in that pipeline, right? We had a set of checks. Okay, you can call a policy I don't like using that term policy because it has so many different connotations. We use guard rails, right? that's why we pick fences and gates and We had a continuous security or a security check that he showed you we had a cost check that we actually implemented right and There's so many different variants of that right and we did one on performance, but managing those Guard rails you're going to keep that again in files I think he showed you one with cost where it was actually pulling out of a JSON file, right? And you're going to continuously iterate that but getting a good handle on what your policy is is the biggest Step it is probably the biggest hurdle right in understanding that and then having to iterate on that on a regular basis So it's not just going in okay We'll just go add these checks But you have to have an entire process put together and then iterating through your fences and gates It's probably the hardest one because it requires buy-in from You to think about it but buy-in from the actual app teams the security teams and then continuously Verifying and checking that and just iterating that on a regular basis, right?
So those are the two pieces right continuous verification Includes the implementation of these guard rails So finally if we Just you know to conclude, you know, I think you know, hopefully what we've shown you today is that you know with a little bit of work a little bit of thought process and a Kind of introspection of what's happening in your processes and by adding these checks In an appropriate locations in particular read to this in the CDEAP component with GitLab as an example You can really achieve a really efficient and effective process on a regular basis and utilize information on a regular basis to continuously improve upon that process We particularly obviously showed you some of the some of the tools that we have here at VMware And hopefully, you know the combination of some of those like CloudHealth and Secure State and Wavefront in conjunction with GitLab In Bitnami will give you a really nice kind of solution You obviously can pick what you want from the outside. We hopefully this framework that we've showed you right is Making you guys think a little bit about hey, maybe I should go implement this right and kind of think about this And if that's the case, I think we've achieved at least the thought process today. So That's all we have and we'll open it up for some questions