This document summarizes a presentation on making continuous delivery happen. It discusses how current "CI/CD" implementations often don't achieve true continuous delivery and instead just focus on tools and processes. True continuous delivery requires optimizing the value stream map to reduce wait times and repetition. It also requires automating gatekeeping checks to ensure code is always deployable and to align the sources of truth across business, development and operations teams. The presentation provides guidance on delivering reliable code through practices like branch-by-feature and automating tests and documentation.
Orlando’s Arnold Palmer Hospital Layout Strategy-1.pptx
Making cd happen thought works talks tech 27 march 2019
1. Making Continuous Delivery
happen
Sriram “Ram” Narayanan
ThoughtWorker
Twitter: @sriramnrn
www.sriramnarayanan.com
Presented at ThoughtWorks Talks Tech - 27th March 2019
2. Workshop
Making Continuous Delivery happen
Upcoming workshop: April 2019
Contact sriramnrn@gmail.com to indicate your interest
Book publication date: 30th April 2019
www.sriramnarayanan.com
4. @sriramnrn
www.sriramnarayanan.com
The current state of “CI/CD”
General Direction: We have to be Agile and we need “CI/CD”
The current state of “CI/CD”:
- Install a CI system
- Create a few jobs to build components, deploy apps, run tests
- Install all manner of integrations and plugins
- Trigger a “Prod Deployment” Job in the CI
- Mandate the same structure all across the org for every project
- Declare you have “CI/CD” in place
5. @sriramnrn
www.sriramnarayanan.com
- DevOps means writing Unit tests
- DevSecOps means having a CI/CD server with security scanners like Fortify
- “CI/CD” requires Microservices on Kubernetes
Other statements that we’ve encountered
6. @sriramnrn
www.sriramnarayanan.com
- There are still defects in production
- Lots of time between code commit to go-live
- Triaging defects continues to take time
- Integration between workstreams continues to be risky
- Fixing a defect doesn’t guarantee that nothing else got broken
- Changes pushed to prod often leads to failures
- What works in one environment doesn’t work in others
And yet….
7. @sriramnrn
www.sriramnarayanan.com
Current “CI/CD” implementations - Reality check
What business thinks they’ve funded What business actually gets
“Continuous Integration and Continuous
Delivery/Deployment”
Expensive Tools and Scrum
Implementations
“Zero Defects” Reports
Fast turn-around times New ways of achieving the same old delays
- There are still defects in production
- Lots of time between code-commit to go-live
- Triaging defects continues to take time
- Integration between workstreams continues to be risky
- Fixing a defect doesn’t guarantee that nothing else got broken
- Changes pushed to prod often leads to failures
- What works in one environment doesn’t work in others
10. @sriramnrn
www.sriramnarayanan.com
- Continuous Deployments (actually, a business decision)
- Only Continuous Integration on some arbitrary branch
- Only Automated Deployment to Prod
- Only Compilation and Packaging (Zero thought given to deployments)
What Continuous Delivery is not
11. @sriramnrn
www.sriramnarayanan.com
What
Ability to get software changes into production, or into the hands of users, safely and quickly in a sustainable way.
Decision to deliver is by a stakeholder group (often product management or business stakeholders)
Code is always in a deployable state (meets business acceptance criteria for deployment)
Why
○ Flexibility - working with smaller quicker releases allows for re-prioritization and change of direction
○ Higher Quality - automated process and keeping code in a deployable state encourages higher quality.
○ Smaller tasks/goals allow for better cost estimation and reduced deployment risk.
○ Shorter feedback cycle and faster response times
Continuous Delivery
14. @sriramnrn
www.sriramnarayanan.com
The Value Stream Map - what’s happening here
Process Process Process Process
Wait
time
Process
time
Repeats
Waiting on:
- Processes that are scheduled, not automated
- Infrastructure and dependencies that are shared
- Gatekeeping checks
Reasons for repetition:
- Misaligned dependencies
- Expectation mis-matches (e.g. failed
QA checks; security violations;
doesn’t work in an environment)
20. @sriramnrn
www.sriramnarayanan.com
Branching approaches that we’ve seen
What we’ve seen Why they want it Risks
Branch per story What went into a story? Merge issues between stories
Branch per environment What went into an environment? Large integration sets between
environments
Branch per release (with
features and fixes being ported
across branches)
What went into a release? Porting back and forth,
release-specific variants of the
same features!
23. @sriramnrn
www.sriramnarayanan.com
Sources of Truth
Entity Source of truth
Business Requirements verified in the UAT environment
and delivered “defect free” in the PROD
environment
Business Analysts Stories verified at Desk check and the UAT
environment
Devs Stories verified locally
QA Stories verified in the QA environment
Security, Ops Secure SDLC, Pen Testing, Static Analysis
Conform to Prod settings
24. @sriramnrn
www.sriramnarayanan.com
Sources of Truth - ensuring parity across them
Entity Source of truth Verification
Business Requirements verified in the
UAT environment and delivered
“defect free” in the PROD
environment
Requirements to workflows
Business Analysts Stories verified at Desk check
and the UAT environment
From workflows to stories (and
acceptance criteria for stories)
Devs Stories verified locally Automated tests that pass
QA Stories verified in the QA
environment
Verify that Acceptance criteria
have automated tests
Security, Ops Secure SDLC, Pen Testing,
Static Analysis
Verify that Acceptance criteria
have automated tests
25.
26. @sriramnrn
www.sriramnarayanan.com
Good health
- Sleep, exercise, nutrition, stress-management
- Do you say “jogging/good-health”?
Continuous Delivery
- More than just a CI tool and automated scans
- More than just Continuous Integration
The risk of saying “CI/CD”