Source code: Just put it in git, right? Scale? Github! 1000's of repos? No problem! Bitbucket Server! Now: Add PCI & SOX.. Audit. SSO. SSH key management. DR. Geo diversity. This starts where the vendor stop- workflows to keep work moving, security & audit to ensure code integrity. Talk presented at DevopsDays Boston 2016.

1. Enterprise Git - the hard bits
Matthew Barr, Architect

2. ©2016 AKAMAI | FASTER FORWARD
TM
Overview
●Introduction
●Git hosting options
●o18n
●Safety & Best Practices

3. ©2016 AKAMAI | FASTER FORWARD
TM
Admissions

4. Lawyer
Not

5. Compliance
Not

6. Internal Audit
Not

7. PCI Assessor (QSA)
Not

8. the Mama.
Not
© Disney/Henson
Sorry, you don’t get to see the cute picture from the Dinosaurs TV show.

10. ©2016 AKAMAI | FASTER FORWARD
TM
Me:
SysAdmin / DevOps Engineer for 20 years
● Lehman Bros, MarkitServ
● Community Connect, Snap Interactive
● Nokia
Focus @ Akamai: Developer Productivity
● Provide tools for our engineers
● SCM, Build, CI & Test systems
● Current project: Horizontally scalable build farm w/ Docker agents

11. So you want to be
a hero
store your code in Git

12. ©2016 AKAMAI | FASTER FORWARD
TM
GitHub or Bitbucket
●Hosted
●Great features
●Low overhead
●Great for small teams
●Even medium size

13. ©2016 AKAMAI | FASTER FORWARD
TM
Self hosted options
●GitLab
●Gitolite
●cgit

14. ©2016 AKAMAI | FASTER FORWARD
TM
Enterprise
●Github Enterprise
●Bitbucket Server (Atlassian) (née Stash)
●Gitlab Enterprise
●Perforce GitSwarm

15. ©2016 AKAMAI | FASTER FORWARD
TM
Git @ Akamai
● Currently: 6000+ repositories, 115+ Projects/Organizations
○ Not primary code repository (yet)
• Relaunched 1 year ago
• Stash Data Center Edition
• 2 sites
● 2 App Servers
● 2 DB nodes
● Netapp filer & load balancer

16. ©2016 AKAMAI | FASTER FORWARD
TM
o16n (Operationalization)*
* Gordon Marx

17. ©2016 AKAMAI | FASTER FORWARD
TM
HA, DR, GeoDiversity & Backups
● Varies by product
● Github Enterprise
○ Clustering
○ Active / Passive Node
○ Point in time snapshots
● Bitbucket Server
○ Self Service Backups, DB replication, Snapshots
○ Improvement in Bitbucket Server (Stash)
■ Smart Mirrors
■ Zero Downtime Backups

18. ©2016 AKAMAI | FASTER FORWARD
TM
Authentication for the enterprise
● Mandate: No passwords
● 3 types of access
○ WebUI
○ Git (SSH, HTTPS)
○ API
● SAML for WebUI
● SSH key sync script from LDAP
● X.509 Client auth for API

19. ©2016 AKAMAI | FASTER FORWARD
TM
Safety & Best Practices

20. ©2016 AKAMAI | FASTER FORWARD
TM
PCI, SOX, etc.
Boils down to:
●Prevent unauthorized changes
●Review change!

21. ©2016 AKAMAI | FASTER FORWARD
TM
Code Review - Pull Requests
●Sign offs - +1, approvers
●Prevent merges without PR’s
●Merge commits
○ Audit points, in git log

22. ©2016 AKAMAI | FASTER FORWARD
TM
Code Integrity
● Branching workflow
○ Combination Gitflow + Feature Branch (Github)
■ No Develop branch, but flexibility for QA
■ Can be CD
● Protected branches
○ Limited users can merge
● No force push / rewriting history
● Unapprove PR’s when modified
○ Really? Provided by optional plugin?

23. ©2016 AKAMAI | FASTER FORWARD
TM
Q: Who wrote that code?
● Pusher != committer
● Committer
$ git config --global user.name "John Doe"
$ git config --global user.email johndoe@example.com
● GPG?
● Log all commits/pusher?

24. ©2016 AKAMAI | FASTER FORWARD
TM
Access Control
● 1000’s of repos = 1000’s of ACLs
● Organizations / Projects
● LDAP groups?
● Access Controls
○ Who manages, approves access?
○ Audits access, quarterly?
● Separation of Concerns
○ Ops can’t modify code
○ Prove it!

25. ©2016 AKAMAI | FASTER FORWARD
TM
Automation
• API’s!
• Configure
• External Front Ends
● User Mgmt
● Webhooks
● Audit settings

26. ©2016 AKAMAI | FASTER FORWARD
TM
References
• Github Enterprise Documentation
• Bitbucket Server Documentation

27. ©2016 AKAMAI | FASTER FORWARD
TM
Matthew Barr
• https://www.akamai.com
• mbarr@akamai.com
• @matthewbarr - Twitter & Github:
• mbarr@mbarr.net