Hello, Vancouver. My name is Christina Andonoff. I'm a senior specialist solutions architect at AWS, where I help organizations adopt GitOps for services as well as infrastructure and related open-source software. And here with me today is Carlos Santana.

I'm Carlos Santana. I'm an EKS specialist with AWS, and I work with customers on helping them build platforms, internal developer platforms, as well as working with EKS.

And today we're going to talk about the values of GitOps. We're going to talk about the four most common misconceptions we hear from organizations. I'm going to show you a live demo and send you off with some tips.

So by now, because we're at CDCon GitOpsCon, I know you have seen this slide so many times, and I promise I'm not gonna go over the GitOps principles. However, we have to talk about the values of GitOps, because tomorrow and next week you're gonna go back home, and you're gonna say, "GitOps is great." You're gonna be all pumped up: "Let's implement it." And the business will say, "Well, okay, but why do we have to change our tooling? Everything is working as is." And you're like, "Look, it's great, it does pull, it does continuously reconcile," and they're like, "That's not justification enough." So I think we talked about the principles of GitOps, and to us as engineers this speaks a lot, but to a business person this doesn't mean much. So what is the value?

What is the value of being able to express the system declaratively? Well, we all know the story about Weaveworks: somebody pushed the wrong button and they brought production down, and they were able to bring it back within 40 minutes. So what does this do? It reduces business risk. Even if you don't have a disaster recovery, you can bring up services in a matter of 40 minutes in that case. The second one: if we can version the whole system and we can track those versions and who did what when, well, that way it has this auditability.
So our compliance team should be happy.

Next, it's a pull-based system. So here we go into pull versus push. What is the benefit of using pull over push? When you use push, you have to expose an API, an endpoint to push into. Hopefully that API endpoint is also protected by some credentials, and those credentials are stored somewhere outside of your system. So if you don't have to push, you have to pull, we don't have to expose that endpoint, you don't have to store credentials. It boosts security. So the security team should be happy using GitOps.

So what is the value of continuously reconciling the state? Well, let me tell you, in a previous life I've been an SRE. I held a pager, and at 2 a.m. I promise you I'm not my highest self. If I can do a manual change and go to sleep one minute early, I'll do it. So continuous reconciliation enforces the whole process and keeps it all together.

So there are organizations that do know what the benefits of this are, and I talk to them on a daily basis. And keep in mind those are organizations that are doing PCI compliance, HIPAA compliance, SOC 2 compliance. And then you learn, I'm like, "So you're doing GitOps?" "Well, we're doing parts of it, but not the whole thing." And it's like, "You do know your audit process, your compliance process, would go better?" "Yes, but this is not gonna work for our process." Like, really? Why? Well, what they tell us, we kind of summarized in four most common misconceptions, and Carlos is gonna go over them.

Thank you, Christina. So let's start. We picked four, and this is based on customer interactions and users at enterprises that want to modernize the platform. Right, so we picked four of the most common things that these end users tell us when we talk to them about modernizing their platform, or modernizing their SRE, or basically how they deploy software. And it's very useful to hear the same story over and over, or similar stories.
So these four stories come up in the conversation, and they come from a misconception, or their perception of what GitOps is, because they have not done it. They always say they want to do GitOps. It's in the plan, so it's in the backlog. It's usually in the backlog, but they want to do it. So we try to clarify some of the misconceptions that they have when they're working with GitOps.

So the first one is that they think that GitOps means once the code, like the Python code, the Go code, gets merged into Git, it goes straight to production. That's the perception. Like, we've been using Git, and before Git they were not using it, right? So they went to Git for building software, and they think that it will go to production. And we try to say, well, actually the code doesn't go to production. What goes into production is the configuration of the application, meaning how much memory, what are the requirements, what are the dependencies, and also what is the version of the application that you want to deploy. So it's the configuration that we're talking about. That's the artifact; the configuration is the one going to production. So it's the definition. So that's the first one.

The second one is: GitOps cannot contain manual CD gates. And when we talk about CD gates, it's an opportunity to have control, because that's how they do things today. Usually they don't want to change something that they do today, right? They know they can improve, but they're averse or have friction to change. So that's what they want, and they have actually picked the tool. Some other tools give you kind of a plan or manual steps that they can check off, like, well, I'm going to verify the change that is going to happen, I have control, I can inspect it manually.
I can check and verify. And we can tell them, with GitOps you can actually have an opportunity to do the manual check, and it's called a merge request for whoever uses GitLab, or a pull request for GitHub, and it's the same concept. It's the aspect of having an opportunity of, like, this is the proposal. This is the proposal of the change. This is your opportunity to run CIs and do CD gates, and also manually decide that you don't want to push to production today because today is Tuesday. They want to wait until Friday at 5 p.m., right? Like, you always push at 5 p.m. So that's where people are getting into, like, "Oh, so there's actually a management aspect of shifting left, of managing what was happening in production." It's like a projection of the software being delivered, managing it now from Git. So they need to learn the Git tools, the Git workflows that developers use, and these are people that don't do development most of the time. These are platform folks or DevOps engineers whose role is to make sure that the software gets delivered, released, right? And usually, we have seen personally, people that don't work with Git start learning Git as they come into Kubernetes and start working with GitOps. It's the first time they have worked with pull requests and GitHub Actions and things like that. We'll see GitHub Actions in the demo.

The third one is: GitOps cannot integrate with an existing ticketing system. So they say, like, "Aha, I found a way," right?
They always try to find a way of saying, "We cannot use GitOps because X or Y." So this is one where they come in saying, "We cannot use GitOps because we use Jira, or we use ServiceNow, or we use our own ticketing system internally," and it has been working for years, and "we have already passed regulations and validations and compliance. So we have a ticketing system; this is how we release software. How can we just drop that and do GitOps?" And what we tell them is, you can actually incorporate the ticketing system into the GitOps workflow by having the CI, the GitOps workflow, interact with the ticketing system, and you will see that in the demo.

And the last one. There are many misconceptions, by the way. It can go forever, but these are the four. The last one is: they don't have control of promoting from dev to stage and prod. And I don't know if I want to ask, but many organizations have two prods. They have prod and pre-prod, and I always smile, because it's kind of like a UAT where they do integration tests, but ultimately the software runs in one cluster. They don't have two, but they call it pre-prod because it makes them feel good. But at the end of the day, with GitOps you can do a rollout in an orchestrated way, and this is kind of like the demo that we're going to do of doing that.

Like this, and this is a pattern that you can implement with any backend system. So here you see the change going to dev, stage and production. In the interest of time, in a live demo, we're going to remove the stage, but you have imagination, so imagine it's still there for some reason. So here I wanted to point out, in this diagram it doesn't say the code is stored in GitHub. It doesn't say for CI we're gonna use GitHub Actions. It doesn't say for CD
we're gonna use Argo CD. This is because this is a pattern. You can plug and play any of the Git repositories: it will work with GitHub, GitLab, CodeCommit. It's gonna work with pretty much any CI system. You can do Argo Workflows, Tekton, whatever you wish. And then for CD, you might as well use Flux. And then for the ticketing system, we're gonna use Jira, but it can be ServiceNow, any ticketing system with an API can do this. We're just hitting the API. Without further ado, let's move on to the demo.

So how does a code change start? If you're a regulated organization, it usually starts with a ticket, and right now we have a ticket, "Change welcome message," and I'm gonna assign it to myself. So usually, this is my personal Jira account, but if you're an organization, there's this GitHub toolkit here that you can enable that can connect your GitHub account with Jira, which means if you prefix a branch with the ticket name, so I can say, you know, this is demo 11 welcome message change branch, it's automatically gonna show up here, and it's gonna show me all the commits and everything else I need to know. So okay, and then I'm gonna start working on it. I'm gonna move it to In Progress. Great.

So right now I am imagining I'm a developer. So this is my application here, and this is where I'm gonna do the code change, and we're gonna go over the repo after that. So this is my code, and I'm gonna change the welcome message, branch with demo, and here you do have someone who would review the pull request. It should not be the same person opening it; for the purposes of the demo, that's me. And I'll say this is for demo 11. So I'm gonna merge the change.

So while this is going on in the back, what this change did is it just kicked off a GitHub workflow, and that workflow is gonna go and it's gonna use this Dockerfile and GoReleaser to go and build a Docker image. It's gonna version it. It's gonna bump the version. So right now it's .16.
So it's gonna bump it, version it, release it. It's gonna be .17. It's gonna push it to my ECR Docker repository, and then I have two Helm values files. So I have a Helm chart, and that's in a different repo on purpose, which is managed by the platform team. This is the development team owning this. And I have one values file per environment. Earlier today, I heard it's a good idea to do this in folders, so having the dev folder and production folder and then putting your values there, because later on you might need to add, I don't know, some infrastructure YAML. So my GitHub Actions pipeline, CI, will go build this image, push it to ECR, and come here, and it's gonna update this tag once it's done. And once it's updated, Argo CD will pick that up. So it picks the Helm chart plus that values file and it deploys my application, which actually did get updated, and let me make this bigger, because it says "Hello Vancouver." I do have another, um, my production is still not updated. It says "Hello world." All right, let's go back here.

So when this pipeline runs, and it updated a few seconds ago, on a successful deploy I have set a PostSync hook, and that hook is supposed to go back to GitHub Actions, to my CI, and trigger another workflow. However, there is currently a bug, and you have to actually click the sync button for that hook to run. Sorry. I did speak to some Argo folks and they picked up that bug, so it would be fixed shortly. So right now you saw that post hook run, and what it did, it came here, and I should have a pull request, and it opened a pull request for me. So this is my manual gate. This is where I come and I review the change and I say, okay, I'm updating to the next version. And I can say yes, sure, my production, I tested this, it's good to go to production. And I'll say this is for demo 11, and I'm gonna merge. We go to production on Tuesdays. Okay, so yes, we go to production on Tuesdays at 5:30 p.m.
Because we like to keep people awake. So coming back here, my production app should update shortly, but let's go back and check on that Jira ticket. Look, see, it's done. And let's go back and let's trace what happened. Okay, so Christina pushed, created this new version, built and pushed to the registry, then deployed it to dev, and then deployed it to prod, and then the ticket is done because it's successfully deployed to production. And let's see, this is prod. So it's successfully deployed. Yes, "Hello Vancouver." And that is our demo. Don't clap for the demo. Wi-Fi, whoever set up the Wi-Fi, thank you so much. And I'll hand it off to Carlos to do the tips.

Yes, to do the tips. Okay, so a few tips. For Git, it's to use authentication for your teams, and you can use things like code owners. But authentication meaning that if you're using a Git repository, how Argo CD will connect to that Git repository. In enterprises, usually what they do is they don't use usernames and passwords; they use SSH keys. Also, in some organizations they like to run their own, for example, GitHub Enterprise, so they have to set up their own TLS and CAs and have that authentication. And in Argo there's also the other way around: GitHub contacting Argo for the webhook. There's a webhook, so instead of Argo going every 30 minutes to check if there's a change, you can configure, for example, your Git system, GitHub or whatever it is, GitLab, to talk to Argo. It's a best practice to configure it with a secret and having TLS. Please do not set up, we see this a lot, Argo with a self-signed certificate and clicking that "ignore TLS." That's very bad, because somebody can trigger something to pull from some other branch or another repo.

Branch protection, that's a feature. I don't think GitHub has it, but GitHub has branch protection, where you can configure many rules after a few years.
They started with a basic protection, but they have now, I've been using it in open source, like Kubernetes upstream, we used it a lot, Tekton, we use it a lot, Argo. There are many CI gates that come as a protection of that Git branch. And also, you don't want anyone to remove or delete the main branch.

And the last one is code owners. Actually GitHub didn't have this; it was a feature that was implemented in the community, and then they added code owners, where everyone has access to the Git repo to work on it, but usually it's through pull requests, and for reviewing or merging you can configure, for folders for example, who owns which folder based on code owners. And those are some small tips there.

But the big one is, when you're working with organizations that are apprehensive, or they have restrictions, the resistance to adopt GitOps, there's a path. There are patterns. Like Christina showed one of the patterns: you can orchestrate the CI gates, you can integrate your ticketing system, you can add automation to certain levels of deployments, like dev and stage, and then have manual controls. It's okay to have manual controls. The idea is to make the system, the process, better than it was last week or yesterday, right?
We don't have to do full automation they want, but if they want that control, they can have that control until they spills. Maybe they go to production for the next year having that manual process, where at the end they do that manual pull request, but automate enough that they can feel comfortable adopting GitOps. I don't want you to summarize.

Yeah, so the last one, on auto-merging PRs. If you have a compliance process, and that's a fair warning, if anything is auto-merging PRs, in this case GitHub Actions, even though they're going to a dev cluster or a staging cluster, make sure you put it in the message and you state clearly that this is not for production. If you decide to go full circle and are comfortable deploying to production without merging, and you need to update your process, then you work with the compliance team. There are ways to do it and remove that manual gate, like a human gate. You've got to update your process. And that is a little bit more complicated when we talk about production. You have to make sure you have documented the process of deploying to production, meaning what tests are run before that, what happens if the post tests fail and the deployment is unsuccessful. Does the change get rolled back? Who gets paged? Where does it send? And so on. Everything has to be documented if you're doing any type of compliance and using auto-merging for production.

So with that, I don't know if you noticed, but we talked about the CD gates and how to put CD gates, and we put the CD gates in the CI. So that's where you put them. And with that, you can check out the EKS workshop. It has a GitOps section. Try it out, and thank you so much. Thank you.

I have time for questions? We have six minutes. Yeah, we have time for questions. Okay, any questions? Go ahead.

Do you have any tips for how to deal with
commit signing in GitOps processes? Basically signing the reconciled commits. For example, I could simply use the same GPG signing key and sign every commit that's pushed back into the repo with that, but that might be an issue from a security perspective, right? Because they don't want me to use the same key for everything.

I think that would depend on how you structure your Git repositories, if you divide the changes to the demo files or the configurations in one repo versus the one for the code, like your Go code or your Java code. In that respect, we haven't had that experience with customers in terms of Git signing, but I know that Billy is here from Chainguard. They have a lot of open source tools, and he gave a talk. That's a good question for him on Git signing versus, they really have strong opinions on either using SSH keys or GPG keys, and if GitHub is rendering them or not. So that's basically my personal knowledge of working with Chainguard, but that would be a good one. Try to catch him today.

Great talk, first of all. One thing is that you gave me an idea with adding Jira tickets or some sort of CD gates. So how do you tie, for example, when you have a pull request and you also have a Jira ticket, because it can be like an item, to try to tie the different states, In Progress or To Do or Done, and also the pull request? If you are not using the automatic, how can you, for example, tie to these different states?

So how do you tie it? GitHub Actions has actions for Jira, and those are by Atlassian. I try to use mostly certified actions. And they have an action where you can, so there are two ways to tie it right now if you use those actions. One of the ways is to put the ticket in the commit message, and the other one is to prefix the branch with the ticket and then grab it from the branch name. So we can either get it from the commit or the branch name.

Right.
Thank you. Any other questions?

Wonderful presentation. When you approved the PR, I noticed your ticket moved from In Progress to Done. Yes. Is that a function of the action? Okay. Yes, so essentially the ticket wasn't done; we moved it to Done with the action. From the demo, you might want to do that as an Argo PostSync hook, because you really want to make sure it's deployed properly, and then maybe run the validation test, and then move it to Done. So for the demo purposes, yes, I did it with GitHub Actions. But if you want to do it properly, or better, you can put it as an Argo PostSync hook.

Yeah, and the demo that Christina did is in GitHub. Do you have it public? Yes, it is. Under your account? Under my account. Yeah, so it's a very simple example that you can build on top of. I mean, you're not going to release your enterprise banking software with this demo, right? But like Christina said, Argo CD has, and other talks have mentioned it, the hooks, and they're very powerful. The PostSync hook is very powerful, because I have used it with other enterprise customers where with the PostSync hook Argo would know that the app is up and it's running, and you can actually go and run something like JMeter, right, depending on if it's staging, and then do your testing, and trigger things from PostSync. So not that you're going to do all the work there, but you can trigger something like Tekton, or trigger something like Argo Workflows, that actually does the validation, and then in one of those steps it will talk to Jira, for example. But in this case we made it very simple, so for someone that has never seen this much automation it feels comfortable, like, "I can build on top of it by learning about the Argo CD hooks." There are different ones.

And I work for Atlassian partners, so maybe I can get some input here. Jira actually has an automation engine built in, and there you can say, when a pull request is
opened, then do the following actions, and the actions can be: add a comment, transition an issue, or log work, assign users. Okay, you can configure anything. And it works for GitLab, GitHub and Bitbucket.

Okay, great. Thank you. Thank you so much.