Continuous Delivery or Continuous Deployment?
The term CI/CD can be used to mean Continuous Integration and Continuous Delivery or go one step further and mean Continuous Integration and Continuous Deployment. Continuous Delivery extends Continuous Integration by utilising automation to deploy code changes to testing and production at the touch of a button. Continuous Deployment further harnesses automation to enable every change that goes through your production pipeline, and passes testing, to be released to your customers. It means developers can focus on the build, enabling rapid deployment and a fast customer feedback loop for a better customer experience (CX). For the purposes of this blog post, we will be using CI/CD to mean the wider Continuous Integration and Continuous Deployment pipeline, looking at how this DevOps way of working is currently evolving and demonstrating how it can benefit your business.
CI/CD - High Speed Low Risk
From a business perspective, CI/CD ultimately gives you a competitive advantage. It brings together the different aspects of what it takes to build and run software from a DevOps perspective. The benefit of doing CI/CD well is that it enables you to work in a fast-paced way, but also keeps the whole process low-risk, giving confidence that what’s produced and what your customer receives, will be free from errors and secure. The value of enabling a CI/CD pipeline makes the case for adoption a no-brainer.
Building a Better CI/CD Pipeline
One of the biggest mistakes that I’ve seen in the creation of CI/CD pipelines is the mindset that reaching the “finish line” and getting your code deployed somewhere fast is the main success factor. When your pipeline appears to be deploying your software and reaching the end goal it is tempting to think that you’ve reached the desired outcome. However, if you want to ensure that quality and security are embedded into your product and it meets and exceeds your customers’ expectations, how you get there is just as important as actually getting there. You need to look at the pipeline as a whole and carefully plan all the steps that need to happen before a deployment, including for example rigorous testing, QA and security scanning. This will help you to build the most robust pipeline possible. CI/CD is based on a set of principles that should be shared, understood and agreed to enable a way of working that if executed properly, will deliver the desired result.
The main principles are:
- Create reliable and repeatable processes
- Automate wherever possible
- Create version control with a shared code base
- Embed testing and quality assurance in every step
- Prioritise the hardest parts and avoid procrastination
- Every team member accepts responsibility and accountability
- Focus on the customer
- Define “done” as when the whole team’s work is complete and the customer has the software in their hands
- Go beyond Continuous Integration, Continuous Delivery and Continuous Deployment to achieve Continuous Improvement.
One of the challenges I see for a lot of our clients' teams is that, over time, they become over reliant on their tools and forget the principles. It’s important to remember that the tools are only in place to enable the principles in action. To gain a competitive advantage, teams need to adjust their mindset and focus on these principles. Introducing Continuous Improvement is an excellent way to challenge ways of thinking and advise new, better, behaviours and practices, enabling a highly automated, secure pipeline that rapidly delivers the kind of quality software that genuinely delights customers.
Keeping Your CI/CD Pipeline Secure
There are many great tools out there that can be integrated into the CI/CD pipeline to conduct security testing for you. However, one of the biggest security considerations when building a CI/CD pipeline is the attitude of the developers. Unfortunately, in some instances, developers overlook the importance of security in favour of increasing the ease of working on the pipeline and providing quick access to other developers. The pipeline is a high-risk threat vector to a company, so to prevent compromising data and to mitigate potential risks, it’s helpful to treat the pipeline like any other customer-facing service and then apply the same IT Security policies to it. Companies should also frequently update their Information Security Management System (ISMS) and, as part of that, include role-based permissions around the pipeline and infrastructure that it has access to. Ultimately, security has to be a top priority.
The CI/CD Skills Gap Challenge
The biggest challenge facing CI/CD today is the skills gap. With a growing number of tools and guides on the market, CI/CD is more accessible than ever. Pipelines are becoming easier to setup without requiring much knowledge or experience. The problem then is, when developers don't find a tool to do a particular job, that job often gets missed from the pipeline, which can reduce the quality of controls, or require manual workarounds.
It's really important that developers understand it's their pipeline. They are accountable for it and have to improve and develop it just as they would any other software. They need an attitude of relentless automation so they can solve problems themselves and automate steps that don't have any existing tools available. You need multi-skilled engineers.
To combat these challenges, when hiring, look for those with the aspiration to learn new aspects of the CI/CD pipeline. While you can hire individuals with specialisms, it needs to be made clear that their knowledge needs to be shared among the wider group. Not only does this help to avoid bottlenecks if certain issues start to stack up in a particular area it also helps to advance the team’s overall understanding of the whole CI/CD process, while improving the entire pipeline.
What’s one way CI/CD pipelines are evolving?
Previously developers owned and set up all the Continuous Integration and Continuous Deployment infrastructure themselves. The modern approach is not to build the CI/CD pipeline from scratch. The most successful teams are developing robust and sustainable CI/CD pipelines through cloud providers like GitLab, Bitbucket or Github. As the number of tools and third-party integrations available in the market-place increase, we need to be flexible and open to changing the processes we use to create, execute and improve the CI/CD pipeline. Whereas previously software engineers would collect results and store the data of each step in the build ourselves, we are now relying on third party services to handle this aspect, enabling us to focus better on the code, the end product and the customer.
While these third-party services increase the speed of delivery, I do have concerns that it can sometimes further shift the emphasis onto development and the rapid shipping of code at the expense of the Operations aspect of DevOps. To assuage this concern, when the Catapult CX team implements a CI/CD pipeline for a client, we create service dashboards with real time data, plus metrics denoting the service level. This helps to ensure that Operations are an integral part of the feedback loop and improves the efficacy of DevOps and ultimately the quality of the product delivered to our clients’ customers.
If you want to benchmark your current DevOps performance check out our DevOps Capability Assessment
Craig Cook, Principal Engineer, Catapult CX
DevOps Institute Ambassador