Continuous integration and delivery
1. Continuous integration and delivery
A continuous integration and continuous delivery pipeline provides a stable, repeatable process for building and deploying your applications. Continuous integration occurs when developers commit their changes into a feature branch in a code repository, and a build service like Cloud Build is automatically triggered. Rules that you have established guide the generation of your application containers and executables. The application's artifacts are then stored in a repository like Artifact Registry. Continuous delivery is triggered when changes are pushed to the main branch in the repository. The build system builds the code and creates application images. The deployment system, like Cloud Deploy, then deploys application images to Cloud Run or GKE in the staging environment to automatically run integration and performance tests. If all tests pass, the build is tagged as a release candidate build. You can manually approve a release candidate build. This approval can trigger deployment to production environments as a canary or blue-green release. You can monitor the performance of your application in the production environment by using Cloud Monitoring. If the new deployment functions optimally, you can switch over all of your traffic to this new release. But if you discover problems, you can also quickly roll back to the last stable release. The continuous deployment workflow varies slightly in that there is no manual approval process. The deployment system automatically deploys release candidates to the production environment. When you first get started, this diagram shows a simple CI/CD pipeline that you might build. This type of pipeline provides an efficient and consistent build and deploy process. However, it's very important to consider security throughout the continuous integration and delivery process. Google Cloud provides several services that will help secure your builds and deployments. Google Cloud's Software Delivery Shield is a fully managed, end-to-end software supply chain security solution that protects every step of your CI/CD process. The Assured Open Source Software service lets you incorporate open Java and Python source packages that have been verified and tested by Google. These packages are built using Google's secure pipelines, and the packages are regularly scanned, analyzed, and tested for vulnerabilities. Google actively finds and fixes vulnerabilities in these packages. Cloud Build can import your source code and verified open source packages and execute your build on Google Cloud infrastructure. Cloud Build maintains verifiable metadata about the build, helping you to verify that a built artifact was created from trusted sources by a trusted build system. Artifact Registry lets you store, secure, and manage your build artifacts, and Artifact Analysis proactively detects vulnerabilities for artifacts in Artifact Registry. Artifact Analysis provides integrated on-demand and automated scanning for base container images and Maven and Go packages in containers. When you push a Java project to Artifact Registry, Artifact Analysis scans for vulnerabilities within the open source dependencies used by your Maven artifacts. After the initial scan, Artifact Analysis continuously monitors the metadata for scanned images in Artifact Registry for new vulnerabilities. Cloud Deploy automates delivery of your applications to a series of target environments in a defined sequence. It supports continuous delivery directly to Cloud Run and GKE, with one-click approvals and rollbacks. It also displays security insights for deployed applications. Binary Authorization helps establish, maintain, and verify a chain of trust along your software supply chain. Binary Authorization collects attestations, which are digital documents that certify that an image was built by successfully executing a specific, required process. Binary Authorization ensures that an image is deployed only when the attestations meet your organization's policy, and it alerts you when policy violations are found. GKE and Cloud Run also contribute to your pipeline security. GKE can assess your container security and give active guidance around cluster settings, workload configuration, and vulnerabilities. It can evaluate your GKE clusters and workloads and provide you with actionable recommendations to improve security. Cloud Run also contains a security panel that displays security insights about your builds and vulnerabilities in running services. Software Delivery Shield helps you fully secure your CI/CD pipeline.2. Let's practice!
Create Your Free Account
or
By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.