CI/CD Pipeline for Kubernetes with the JFrog Platform

so yes sir thank you welcome actually to this webinar and thank you for joining us so today okay so we will see actually how you can use the default platform to implement stic D pipeline okay actually to deploy the application to the brightest so yeah a few words on me Jason solution engineer jfroy city now has been here for three years and my job is actually to hone these kind of events to webinars write blog post white papers running our products and to help our customers or prospective kids to integrate our products in their delivery process this is the agenda for today we will start basically to explain where you locate the digital platform okay which product services are available within this platform and I will drill down into almost each service of the platform okay so we’ll start with then without the factory the binary Manager then the third point here is the default x-ray the the security solution basically it will scan the batteries which are stored into artifactory and I will finish actually by doing okay a presentation on g4 pipelines which is the CIC server from jefra okay now let’s dive into the first first section okay the front platform overview so I will describe the platform by actually first okay briefly showing the it’s standard delivery process okay where it will start actually by having a VCS convertible system while you will store your your code into different source repositories in pack admit it lab yeah

during your process where you would mainly rely on build or package tools to perform the build okay so yeah I did some icons represent okay to write or client at the maven client Python tip command and client or JavaScript project small square in blue with to say is the new get plan for that net developers that’s one is ok : ok with the C++ community if you’re using you can use canal as the package would be to okay so then your processor case we will be building a railing on this tools edge tools some point where to perform continuous integration you will rely on this CI server okay to build regularly and a test also in your process especially if you’re doing and retooling to use abilities you use the cable so binary manager first to store your own application you know okay a component okay an NPM package when exact file could be so into storage in to publish it to binary manager will use it that you can use okay by my manager to use it as a proxy it reach there with dependencies from external representation then okay once you’ll be in the run some tests okay we will you need test them so we can whatever defecate with your food scanning quality good scanning you would like then okay to deploy what you have on to specific impairments runtime environment so you would rely on a only tool to perform the the continuous deployment and then we can run time environment so here in this way we now will be using a cube radius craft okay also in this in you may have which stay in your use case a distribution process where you like to I would say once it’s been deployed and tested in your in your own environment you would like to distribute your product to 202 your customers so these I will say standard delivery process and okay so now what is exactly the j4 platform so the j4 platform is actually composed of different services or products okay so the first one is actually artifactory which is the cool product yeah and it’s a binary manager you will tell you so ha okay during the analysis phase I have x-ray which will heat which will be here to scan the binary that you would store within artifact ring and then for the CI and CD phase you would use J for background we also have actually in the platform another product called J for distribution to really cover this distribution process so don’t get confused when I say let’s say this deployment or deployment and distribution process it’s two different I would say steps or phases okay so the the deployment is really when you would like to install or deploy an application to a run time and and fetch it for multi Factory and deploy the distribution process is more actually to ship a binary close to a consumer so you won’t deploy you install your banner you will actually feel the concept is ready to to create the networks the network Authority for instances you will have a source artifactory let’s say you would like to to distribute the battery to to Asia Japan so you have your susanti Factory in Europe and then the distribution process would be to send okay a binary from the source artifact for indie rock to another artifactory in in Japan

by this key but anyway so today it’s its focus on deployment to communities to humanities clusters so I won’t actually move the distribution the webinar but she will mainly cover ok these three components of three three C’s artifactory the banner manager x-ray the scanning solution to scan binaries and j-rok pipelines to cover CIN CB process

okay so let’s actually start with artifactory which is the the battery manager is the universe tool actually binary manager because you will be able to standardize would your binaries into artifactory yeah you can see on this slide we are covering different package types okay so you know you scale you have ham will be using helm and charts dr. images you can see you can write a price because to show you job applications yeah it’s they may burn operator repositories NPM okay we know your NPM packages you get any kind of packages that you are using new will be able to store them into architecture if you have exact file or maybe a sky France toast you can use you can store them into generic people so when I will use the term binaries or packages would be which is a Java file or five and exact dynamic or static libraries to you even the document okay you can store your date you are I would say your data your data testing to general [ __ ] for instance your reporting as well you can store anything in faulty factory so you will also use artifactory as a single access point so here as I said you can use it to centralize all your binary from the organization to him let’s take this example why you have a gauge when you perform in the deal so you have to use cases for your binary Manager first to store I would say you are a new applications old you’ll build banner it as you can see your CI server will publish ok Wednesday after the bill it will touch the result of the build the binaries to a local repository okay so notice after you have the the concept of repositories to store binary binary will be a lot effect will be storing to specific people so when you’re publishing you with when you would like to improve to put the binary to artifactory you will actually upload to a local repository and if you Street down if you need to retrieve your binary to download it you can also down download your component from a locally you then have a second use case actually to use your factory as your binary manager is to use it as a proxy okay to fetch explore with the dependencies okay so when I said it depends it mean that you can actually rely on artifactory to pull its dependency that you would get from J Center if you’re doing Java Java project and p.m. registry and pmj s if you’re doing if you have a script in proper type ID at all if you do Python D proper so instead of directly reaching out to these external repo you will actually see the multi factor multi factory will first check in the banner this ability exists if it has had it if it’s not it will fetch it forward for you and it will store it proxy in cash so then if you have another developer or another bit which is requesting the same binary or the same currency it will go to artifactory and it will get in so it will be much more faster to retrieve retrieve it and to actually to speed up the build process when touching depends okay so in this context you will have actually to induce them in this slide you two repositories a local repository to be able to push to download from and the remote repository repository where you will actually only download okay component caster so two repositories two URLs one to download one not super convenient you will tell me so that’s why you have the concept of virtual repository which is a way to aggregate multiple repositories under a single URL so here again you are a build you build will actually only needs one URL to be able to download and to total it would be much more easier to do especially especially for the for the culture if you want to have a real life example so this is for docker okay so here I will have I will use for instance a one virtual repository which will aggregate 1dr remote repository which is pointing to that you had okay and on this right I have one but two repositories one I would say dedicated for deployment to by SH the environment is a system integration test and each deployment to my production interruption discussed the concept of repository doesn’t I will say imply doesn’t restrict the access the repositories is a way to organize your batteries then in artifactory that you have the concept of permissions where you can really assign per user service account groups when they can see what actually they can do it they can they have the read permission the upload permission okay so this will be managed by the permission model meaning that see okay if you’re using – Brent is you have two different stories to count one service exam to deploy to your voltage us type the timber this cluster a second one to deploy to your production I would stays internment they can actually use the same URL here the same with the virtual retreat the abductor virtual read 33 but based on the the permission that they will have they will be able to see with the AMC so if you for the service account for is si T te si T if you give give it the read permission on the abductor is that you local if it connects if he if he connects to the rotary pool abductor he will only see okay well with the sh t local repository even though the repo is aggregating civil repository as it’s got only the read access on the assignee locally will Pony City only see the content of this Triple A so ready make sure that you understand that there is separation between repositories and then you apply permissions to restrict access to so that’s why can’t if African be used as a single access point all your binary we also see okay Northey factory the concept of metadata which is a very powerful it’s a concept that you can use to basically a metadata is a key value pair that will apply to any binary artifact within artifact rain it will allows you to perform okay searches with easily so you don’t need the exact path instead to locate the battery you just need to specify the properties you need it’s it’s a real way to I would say to automate you process you can rely on properties to look for these artifact 90 that we also have the concept of page um or see Patrick image which is some kind of seafood with 40 vector that’s also okay to enrich the data on your berries you no need to have another document to explain specific features or characteristic on your battery you can direct directly to inject that as properties okay don’t worry so maybe today we save it I will show you that into the demo that you have the content of properties okay managed by artifactory and also custom properties that you can apply by yourself okay to implement your own process exactly how we get we are using this metadata drinkability so for this will be now it’s based on which abilities so you can use artifactory as your curated registry just to locate your hem charts to deploy them to your committees crafter story short you’re referencing of their images you’ll be able to store them as well in artifactory your dilemma geez is actually might be using okay with the home on packages applications and also with packages KGB on RPM and a fine packages so you will be able just to have everything in one place

okay so now it’s time for a demo so we’ll share my screen

alright so my artifact train which will come in in a minute okay hopefully you can see my screen so this is all the factory ok d home Conti factory which I should say the J front platform now you can see the ok all the services on the Left panel okay you have multi factory J for distribution that we won’t actually talk today about J for backgrounds and extract okay and you actually need a specific a subscription to not each project so okay I talked about different repositories and so we actually do whether it explained okay next slide so in order to factory okay have the concept of repositories okay so we have different repositories here wonderful doctor okay you can see this is a virtual repo because it includes local repository are actually two local repositories and the psyche in the remote you have the same okay for work for docker for hand or yeah that’s actually you have the same concept fool with any kind of package type if you have again I get to look cool – look who’s that one remove it’s up to you to decide how many blue cool moves you’d like to include obviously into virtual repositories and you have also the same concept for container 8 and 8 p.m. so if I let’s say I move into my local repository I will see all my home Charlotte and story I’m using 3 will switch a tree to layer in charge so here you can see ok when I click on these the engine shop actually I can also expand and see what’s within buy em shop which is double okay

different DM old file you can even actually look into the airport file see if you can see this content file so here ok you can see for each file how the general tab with the ok decide the path name of downloads and etc if I also attack for here for the Henry Poole

display and we say the content of the chart that yellow fine ok you can see for any artifact who can existed who can access it ok users groups ok the different factions

simple groups and in which I would say pollution this ripple is involved with dilution targets which are actually relying on targeting these people yes so you so how old school okay and I mentioned the properties so you can really apply properties as you want here these are actually properties extracted by auntie factory from the extracted by auntie factory from the shop okay you have submitted it as well now if I want to follow it’s a ham chart I couldn’t use again you can rely on this purpose is to also add your whole if you want but if you want you can also have it so that’s why it’s also good for donations you can really create update metadata you have the same concept of just stealing the two varieties world so you have the same concept for the remedies can we take this one this is an image tag so on the latest AG you can see all the veneers actually the new year’s know

same cage on tab effective permissions if I go to the properties here actually it’s ready for tea and that’s the issues on the network so bear with me okay this is the property that I want to keep from yeah that’s the effect just wait

okay so whatever I will just click here if I want to see the properties she’ll have to click on these prints for a bit so she’ll come on I’m clicking on the manifested chase done for darker image and if I click on the properties yes now you can see it okay you can see the properties extracted from the from doctor image I will play the latest adjacent and you have the same that now so we will show you a last example so here this is the hand shot the doctor image and if I take it still okay a general people we are considering anything anything I want okay we’ll take okay a binary I treat this is a application and you can see here I have again specific properties related to the build itself so the idea in artifact is really to understand which very are used and why would you have them into artifact right so I know that for this binary which an exaction and exactly okay it was generated by this specific job name will be named this specific run at this specific time and you have as well not if a tree the build tab we I can see that okay this binary was actually produced by a specific job in such news it’s not too deep and still a little bit if I click on this bill I’m actually okay lead to the build will be info section so in order fact we had the concept of building for where it’s a bit of material it’s a bomb where you can see okay what has been with stage a ideal for your build and consume it so here for instance is will go up binary which rewrite from these three it’s good modules s who you can also so the building foo is actually okay generated on the CI side we are the artifact free games for Gen teens or Azure developed team Sydney you can also use the Jeff Fox CLI if at this point I’m using actually I used a four pack trends which is behind this thing using the Jeff Fox chair this winter billions cylinder in the bidding fully have the notion of what has been built and the notion of depends you can also capture the environment for our valuable during your bill okay Linux windows session will come to city x-ray and we come to these issues you can also capture okay we said II think it commits mistake you know so I can extract the JIRA your juror tickets from the commit message used to have okay Northy factory it’s also possible to perform a kill promotion here you will be able to move promotion is to move banner right from the source triple to don’t get people so this is what you can get from multi factory I will switch back to my slide

okay so basically what I’ve shown you is that you can decorate everything all the batteries into your tea factory it’s gonna be the single source of truth for your batteries okay using remote to be able to rely entirely on multi Factory and with the permission model you can really restrict the access to we were like to and okay into artifactory you would like actually to get some insight on these batteries because you would actually fetch it fetch them from the internet or from external repositories so that’s why I have J Frank x-ray so we x-ray okay to scan what within or thief actory in order to detect vulnerabilities onto your packages and you also detect the license is used by this bucket okay so let’s frame will perform it’s the erector Steve and continue scanning readers basically meaning that it will be selectively skeletal image it will open each darker layer and look for any sub component that it will be able to find or PM packages I’ll find packages didn’t packages Java component in p.m. so you can see actually the whole list on the on the right okay which component can be detected by extra in a recursive way and continue scanning you mean that actually you don’t need to actually trigger a scan each time that you’re publishing or downloading I would say the dependency from the remote so the the scan is triggered omnibus if you have a new vulnerability which is the ID to the extra memory database a scan will run to make sure that what has been actually scan before is still the same second events is when you’ve actually approving a new component or the factory well when you are downloading a new dependencies the new dependencies from external repositories Gary okay so it’s recursive and go to the skin we will see that we can also luxury yeah will so integrate an extra scan during your CI sed pipeline and you can okay relies on policies to warn you from post actions when x-ray tech vulnerability or a non-compliant eyes

it’s a little now switch to x-ray

actually so now I will jump to my artifactory major platform at discussion say this time to share okay so I will now show you exactly extra scan so you can have extra scans at different levels at two levels a tree at the package level binary level and at the building for them so we’ll show you one actually for a at the package level for dr. image yes I will go to the interview sorry

so we take this one okay so you can see if key on the package view like it looks for this different doctor image I can see it’s been scan by x-ray that it nine tags and I’m versions and already succeeded if I get right into a glue to into this doctor image I can see that it’s been scanned by x-ray all my tags would work and I can have okay this graph trends okay for each day I can see how many weeks evaluations what were erased or detected through tag and if I drill down to an imager will be able to see this one the list of capability so here I’m at the package level the duplication by the drainage I’ve got the violations tab okay we will come to it just after the different tabs actually violations security and license so they will explain what is different between the boom ability and violation just after that I explain you okay show you the different tabs so yeah got okay 204 vomit is detected in my daughter image from different component okay so here mainly some deviant packages oh yeah joined by their careers I can see that for specific okay a package its x-ray display look at the fixed version to them to which you need to get rid of this for mobility it’s a high one so if I click on this one you will be able to have some information regarding this boom ability okay the CV the identifier of the variability facility it’s a high mobility a small salary okay and actually the impact of well this / K she’s infected okay so this didn’t package your current is in this specific layer which is used in this baby see this you can really also have the notion of license so XY detect the licensees in two different packages okay your job file didn’t package and so on page okay when it cannot actually detect a license you can still okay to play it manually released a pre-configured license I still apply you can also actually inject your customize

and yo see on this time it’s pretty interesting to see actually what does the this requesting system okay here it’s a doctor image I’ve got different layers and for each layer x-ray managed to detect specific packages you can package cheese and then it can tell me is you can tell me okay which one are infected package cheese and chocolate okay so you have he okay so I explained the patient consent so here a violation is actually triggered by either the detection of ability or the detection of a non compliant license okay so I will explain how you can implement this basically violation is triggered by a combination of a policy where we define when to raise the violation and what to do and the watch these two concepts are here just before drilling down into this one I told you a treat that you can have okay x-ray scan at two levels here the package label if she okay you also have a scan at the we said to be level if I take so he actually produced a Python billing for using today foxy I and I publish it to artifact train okay I’ve got actually you one package Python package and I used all these special packages drink my beer so what I’m showing you a four foot Python you can do it for dotnet we don’t get client okay with maven right over even dr. begin for you can do and it’s the same concept to get a buildable you can really see actually which one abilities and license this will I used drink appeal for specific bill so here to national because I it’s exactly this thing like information at the buildable that package level and desk and it’s set on the bill it will scan all the binaries which are listed into your billing for dependencies and also general teacher if I go to descendant okay maybe info okay guaranteed package and and x-ray scandal can you also have the concept of violation now I will explain what is the valuation so in the concept of violation you need to actually to to exchange it’s a combination between the policy and a watch okay so first what is a watch a watch allows you actually to give a scope to your scan so you can have I would say scans through project or team that’s why we create a watch okay on this basic project let’s say whether we do is actually to say I will say I want to scan for my specific project nice my project is actually relay is using these repositories and info okay and so this is the scope of the scan and then I will attach the policy to mention when to write the evaluation and based on this definition which action I can trigger okay so here that’s why with the policy section and you have a bunch of choices what you have to create them I guess we have to of policies security and license policies basically security policy mean that when extra detect a vulnerability on this specific package it will raise the relish license policies to write the relation when extract detect and then comprehend complaint exits and it can be up to you to define what is okay and then compliant license we are by using with say wasting electricity so here it’s only a waste and then stop we like so you have okay to construct a rule within a lies within a policy to define different actions if I will change another policy let’s see this security policy so here okay based on the criteria on the severity level of the divinity I will actually perform different actions if it’s it states if it’s only hi violation hi violation yes race by – by the hind album ability I want to write the violation and to fail a bit so yes because you can also integrate okay next for scan at Build time as well basically you can specify the criteria based on the CVC school version – and you define the due to the automatic actions approval if you’d like to tribute when x-ray right the violation no t5 okay your team members the email address will be specified into the watch also the deploy or if in your watch you think we need okay a repo you can block the download okay we don’t want actually to let other consumers you have decent effective a package from these because for distribution and you can also fail you build okay so the idea is to say when I’m pushing a new package 40 factory then I want actually during my CI a to scan it and if there is a violation detected I want to stop my right okay you see what you can get with them with extra basically to detect vulnerabilities and complete license okay generate violation and then act but on the result so then now that that actually talked about okay introducing an x-ray scan at CI doing this is the process so then I will actually talk about Gerald paper so now I’m back to my slider okay so it’s the pipeline different pipelines is this yes sir as I said before so it’s days is to buy products good okay so to describe your pipeline you would use a jumble file and indium will file you will actually chain with steps which are actions and resources so resource and that resource can be billing for okay it can be also be triple it can be have different types of resources that you can use to actually trade your pipe okay Jeff a pipeline also have the concept of native integration if you like let’s say to to trigger a bill based on commits on your SEM okay it is possible you can integrate you or the other registry with Jenny Kings actually we have a way to perform to link them okay there are table books 0 if you’d like to fire create your a ticket for this demo as well we show you how to integrate with abilities but it’s also possible with pipelines to deploy to component to the end and in fact I also have the concept of security at different levels McCabe you can really define who can access this specific pipeline these specific integrations and I will show you that you can also perform x-ray scans within your pipeline and also stores some secrets okay in volt in the club like the one from AWS

okay so forum for this demo basically I will do what I’m gonna do actually is to kick off I would stay a my pipeline okay my good pipeline by doing ultimate so it will create okay my micro application when it’s going to be done will then fire will trigger the the occupy time to actually containerize my application my qualification and when it’s done it will okay deploy to like register so again back to my strain so okay so on the on the Left panel now I can switch to j4 pipeline you can see my screen just make sure that you can see okay so yeah okay you can see now so on the Left panel cam pipeline that have different concept the concept of note pool basically pipelines is you have okay with people to control pain thing where you have all the metrics for your your pipelines and you have the concept of build nodes so your bill will be running on to actually doctor host okay and you can sort your doctor hosting to put into it put if you need to have specific machine specific bills on specific machine the pipeline sources so you’re the yeah more fight that I’ll explain which is describing your pipeline story into a key triple

you also have a as I explained the concept of integration okay so here basically for my chemo and we rely on all the factory to prove my good modules and traditional application to artifactory so we rely only on an artifact reintegration same food for daughter will will build and push my daughter image to ulti factory that I will use as my decorated registry okay for enfoque to grantees I will use a

different integration okay to be able to deploy to my right is the crystal so we’ll basically use a we you have to put again into an integration your chip complete ok 40 factory you have to specify I would say the the URL and you do dat of your user story structure

instead will now showing the apply prime

sticking sometimes I will use the example it’s my go application so you can see you have different pipelines

that capital fact I’m here I’m switching to the plane you can see by the way okay the different Python that we use this one identifier for them despite trying to build my application but kept to the pipeline to containerize my application by Google application and then deploy trying to deploy it to disk we have done everything into one by trying but for the sake of courage so so this is the

you can see ok my pipeline for for the fine so it starts with a resource which is okay actually my integration to make it a triple you can see the different commit who committed it and then the GU Israeli when I’m doing the community to fire okay the pipeline that’s here I will actually okay render good bill when it’s done I will publish it to my artifactory which is not only my banner it will publish a building full with my Michael Lewis and my exactly I will run then as soon as this publish I will scan this building for anyone abilities and when it’s done okay I want to promote this cool application to another review then I will have a care final resource which is the the promoted bill info that I will use okay in another pipeline to favorite what I’m going to do actually is to fire it now and I will describe get the pipeline to people okay so first what I’m gonna do freak so I will date okay pretty simple I will I change and push it that’s it forty to make it a triple so this should fire then the the pipeline

I got okay the hashtag let’s see 3811 if I switch back to my pipeline you can see that it started processing to run the build and the goal will be also at the end to get to deploy to my make ready press here actually I would say

53-inch laughs it’s going to be running it so we can have have a get that blood running for three hours it’s my paper is running would be standard you’re saying actually describing to this Yemen fine so he I’m my by default I’m running my Michael built into their image okay specific tax we are mounting actually yeah self signed certificate never I’ve got a second step which is Michael bill I define that it needs okay it has an input resource my it may get digression I can set environment variables I’m also too to be able to push into pool to my artifactory I can okay specify shell bash commands before the process friend it on start on success don’t figure you can really specify which you can rake estimize your you know your pipeline and then I’m chaining okay my this steps okay steps baby will be okay so it’s running and I’ve got what came back to risk an ultra so here you can see that everything passed should now if I go to my darker pipeline it should be running okay so it’s a bit fast but it went over the same pipeline and trading building pushing my image to tortilla factory you can see by the way the log files here if I click on it I will see exactly what’s happening steps which I am on this step action switch it permitted my degree image to another ripple same event which here you can see what happened to my scan system licenses but I didn’t I didn’t want to fail my bit okay and okay the entry of this this pipeline is actually the promoted bit info from I grew by try and intercept text okay if anything my dog outside I want also fire this pipeline and maybe 20 pitch first if I go to make him read his creditor okay so it was fired today and which way it went actually deployed by hem shot with my daughter image you can then run some tests if you like in peril or not and the regression test we hit the kid – – and to check if it’s been running hopefully get blood see it working I can read his gesture 1662 seconds so you can read you know try to show you that you can really with the default platform you can ready I would say use or rely on the Java platform from to trigger with say a deployment okay break it we don’t get back here you can see the hash the last commit and don’t really believe me if I do use crack

okay you will see that he’s been pulling the image from ulta factory again he actually I used which is the get commit hash as my type so this is my latest get okay so this is the pipeline so that you can implement which pipelines ready minister but with the pipeline you can really cover your entire CIA processing gear from from from building using the CI using your pipeline store all your artifacts and protect them can receive the access to them using artifactory and it’s fine that pollution model you can also scan okay add this security layer thanks to x-ray for extra security solution and also continue okay your pipeline by deploying to your cube relative to you can machine using pipeline the end if you have a distribution process you can also do it with j4 history so hopefully this is actually my webinar so never maybe you can start to get some questions we have a few questions so I’ll let you see which ones you would like to answer yes question please can you comment more on the promotion process if you already have a stations such as damn things how is the artifact removing three four five times okay but extra scans and training for promotion Fujin things there is no tape the artists factory they can spin for assured about the same we have the artifact redeveloped extension of them as well and that’s the I or inactions CI for instance you’ll have the difference Eli which is also called rain generating billing for telling them and promoting their pushes on playing house the car industry towards in factory it’s pretty straightforward okay documentation should do this basically one of the requirement would be to have a reverse proxy that way in front of multi factory URL rewriting between your client and architecture as well you know when using artifact free version 7 it’s actually the j4 fat

distribution you have to switch to subscribe to specific plan through addition you will penny lock doctor registries and pull the tree will record it rain if you like x-ray you have to defecate food great reflects we have a hands-on to deploy artifact responsibilities exogenous aggression fool we also have a an operator then x-ray x-ray be extending stand for escaping from ten and three landfill in factory so yes so you can restrict the content the extra scan using watch is

actually scan you need to register to index the repository and with which can be scanned by extra

crew to artifactory and we say that preventative artifactory this will be done that by x-ray but by the permission of the functional so let’s stay

understand that x-ray can scan only binaries which are in order it’s not possible to scan the image which is

collecting that region and I currently we have no question that time to go to them correct so I see a few more questions but as the unmentioned we’re also running out of time so we’ll make sure to get back to you by email so thank you again for this great presentation I just want to apologize for the small network issues we have as you may know this can happen during live demos sometimes but we’ll make sure to email you the recording of this webinar tomorrow and thank you once again for joining us and we hope to hear from you soon goodbye thank you