How JFrog Makes Anthos DevOps Bloom

It must be spring, because Google has sprouted flowers, and JFrog is helping with the bouquet. At this year’s GCP Next, Google announced the rollout of Anthos (the Greek word for “flowers”), a powerful service to build and manage a modern hybrid cloud.

With Anthos (formerly Cloud Services Platform), your choices in a computing platform for cloud DevOps have gotten much richer. You don’t have to decide between Google Cloud Platform (GCP) with Google Kubernetes Engine (GKE), or GKE On-Prem. You can combine the two into a hybrid cloud managed by Anthos to gain the best characteristics of both.

Best of all, JFrog Artifactory and Xray can empower both GCP and GKE On-Prem for a complete, enterprise-class DevSecOps software delivery pipeline. A hybrid cloud DevOps system with Artifactory, Xray and Kubernetes at its heart can help development and operations teams deliver mission-critical software fast, safely, and at top quality.

With both JFrog Cloud Pro X and JFrog Artifactory Enterprise for GKE now available through Google Cloud Marketplace, you can swiftly build a fully cloud-native hybrid CI/CD pipeline on a consistent platform of Google technology under the unified management of Anthos.

Hybrid Cloud for Best of Google

Google Cloud Platform, the public cloud available to anyone through an internet connection, offers immediate infrastructure without the capital investment, to pay based on usage, and to scale on demand. GKE is the Kubernetes engine that can run on GCP enables containerized applications to run in nodes within a K8s cluster.

GKE On-Prem runs privately on your own servers with regulated access, so may be more appropriate for sensitive or regulated business-critical data that are protected behind a firewall.

Combining the two into a hybrid system means you can keep all your sensitive data and applications operating within your data center, and use the elastic scalability of the public cloud for everything else.

Anthos JFrog Diagram

A JFrog Enterprise solution relies on the Artifactory universal artifact manager at its heart to seamlessly bridge the two environments for safe, continuous delivery of production-ready applications to Kubernetes through GKE at enterprise scale.

Cloud DevOps in Anthos

Let’s describe a complete, enterprise-class DevSecOps software delivery pipeline for a cloud-native architecture using Anthos hybrid cloud that’s enabled by the JFrog Enterprise platform.

In our example, we’ll consider a financial services enterprise that needs to provide desktop and mobile access to individual accounts for reports and transactions. To comply with strict regulations, account data must be maintained in an encrypted database behind a secure firewall.

Summary

In this hybrid architecture, developers from multiple lines of business build their applications on Google Cloud Platform and validate them with test data. A hosted installation of Artifactory on GCP (either self-managed or SaaS) manages trusted repositories of builds as they stage through the software delivery pipeline. Here, they’re deemed functionally correct and an Xray scan verifies there are no known security vulnerabilities, and that all licenses comply with organization policies.

Once assured an application is compliant and secure, it’s promoted to Artifactory running in GKE On-Prem, where it can be safely deployed to production K8s clusters. Operating in the firm’s own data center, the application will have permissioned access to sensitive data secured behind a firewall, as government regulations require.

Google Hybrid Cloud DevOps Diagram

Walk-Through

The above diagram illustrates the flow through the CI/CD pipeline:

    1. A developer maintains application code in a version control system (e.g., GitHub)
    2. When the developer submits a code change (i.e., a “commit”) it triggers a new build task
  • On GCP with GKE:
    1. A CI server (e.g., Jenkins) performs the build procedures
    2. JFrog Artifactory:
      1. Pulls dependencies from a proxy repository stored in Google Cloud Storage
      2. Pushes intermediate artifacts and final build images to repositories stored in Google Cloud Storage
      3. Stores metadata (the “build information”) for each artifact into a Google Cloud SQL database for traceability of build images.
      4. Can be hosted on GCP either as a self-managed (BYOL) installation, or as SaaS.
    3. Artifactory is deployed in a high availability configuration of three or more load-balanced nodes to assure speedy response under high load and to be able to perform upgrades and maintenance with zero downtime.
    4. The CI server uses and maintains the Artifactory metadata to automate deployment of built images to test clusters through GKE.
    5. Once the build is successfully validated, the CI server promotes (copies or moves) the build to the next staging repository in Artifactory
    6. JFrog Xray:
      1. Scans the build image for security vulnerabilities and compliance of components with your organization’s license policies.
      2. Utilizes VulnDB, the most comprehensive and up-to-date vulnerability intelligence available, created and maintained by Risk Based Security.
      3. Sends alerts for violations detected. These alerts can trigger a webhook for action, or the violating image can be blocked from deployment.
    7. Artifactory pushes fully validated builds and Helm charts to a replicated Artifactory running as a self-managed (BYOL) installation on GKE on-prem.
  • On GKE On-Prem:
    1. A push-replication of Artifactory accepts release-quality build images from GCP.
    2. Spinnaker (or other continuous delivery tool)  drives the update of services/jobs, pulling the trusted build image and Helm chart from the repositories in Artifactory.
    3. GKE orchestrates the deployment of the build image to nodes in a K8s cluster.
    4. Xray scans build images when its database of known vulnerabilities updates. If an image already deployed is discovered to have a newly discovered vulnerability,

Alternative Configurations

Depending on your requirements, you may prefer to invert the architecture shown above, performing your development in the private GKE on-prem environment and promoting build images for release into the public GCP. You would do this if you need to produce your containerized cloud applications behind a firewall before deploying them at scale to the world. It would be the appropriate choice when you don’t need to protect sensitive data, but instead need to scale your applications globally on demand.

It’s also possible to maintain two co-equal CI/CD pipelines, one in GCP and another in GKE on-prem. This would require a CI server in both environments, configuring your VCS to trigger a build in the environment that application needs. The Artifactory installations in each platform can push and pull builds to each other as required.

Blossoming DevOps

As you can see, the JFrog Enterprise platform with Artifactory is the key component for enabling a fully automated DevSecOps pipeline for GKE in an Anthos hybrid cloud, providing several technical benefits:

  • Supports multiple programming languages and technologies
  • Supports multiple package management systems.
  • Enables DevOps automation of a CI/CD pipeline
  • Enables use of microservices, containerization, and Kubernetes
  • Maintains fast response during times of heavy load
  • Enables maintenance and upgrades with zero downtime

As a Google marketplace partner, JFrog makes it easy to install on both GCP and GKE on-prem, and to blend the benefits of both for safe, speedy releases and deployment at scale.