Roc Alayo Arnabat & Sergi Rosell Ferrer - GitOps in Modern Security-Compliant Environments

Security Devops

Discover how a company achieved high security standards by implementing GitOps in a monorepo environment, using Terraform for IaC and GitHub pipelines, with automated testing, validation, and deployment of changes, and UTF-8 complaint.

Key takeaways
  • The presentation discuss GitOps in modern security-compliant environment, specifically in a company that required high security standards.
  • The company opted for a monorepo approach using Terraform for infrastructure as code (IaC) and follows a similar pattern for application code with GitHub pipelines.
  • The company created a centralized NAT gateway to manage internal traffic and uses IAM roles instead of static credentials.
  • The security practices include tagging, naming conventions, access control, and versioning of infrastructure files.
  • The company uses a pipeline-centric approach with automated testing, validation and deploying of changes to the infrastructure.
  • Every change is tracked and logged, with Argo CD deploying changes detected by the pipeline.
  • The platform is divided into three concepts: capsule (high-level abstraction), module (middle-level abstraction), and runtime (low-level abstract).
  • The company uses Helm charts values versioning, but not for infrastructure yet.
  • The security team is aligned and involved in the configuration process.
  • Automatic testing is used to ensure deployment of changes without breaking dependencies.
  • The company uses TerraForm test new functionality for testing TerraForm configurations.
  • The presentation also discusses issues with versioning, especially related to Helm charts.
  • The pipelines are run in GitHub, and the CI/CD flow is unified for the infrastructure across the company.
  • The company is working with security to automate the process and include more checks and balances.
  • Users can be testers in the company platform and participate in the UX experience.
  • The company is using Istio for GRPC balancing in the Kubernetes cluster.

More talks

All You Need is Guest

How secure is your build/server? a story of packages and trust

Zero to Hero: How we make great Golang engineers at Luno - Andrew Wormald

Zen and the Art of Organizational Open Source - Paula Paul

"Don't Get Owned by Your Dependencies" by Shravan Narayan (Strange Loop 2022)

Lessons From Billions of Breached Records • Troy Hunt • GOTO 2022

Applying AI to Reimagine Your Product and Your Company to Make a Quantum Leap Forward in Tough Times

Devoxx Greece 2024 - Capture The Flag (CTF) By HackTheBox by Panos Petsanas