You’ve now got a CI/CD pipeline. That’s awesome! But you may be wondering what to add next. In this blog post, we will explore some off-the-shelf tools you can quickly add to your pipelines to add value. I will list them by category based on their functions and give you a few commonly used examples in each one.
#1: Tools for Deploying
The very first things you need to have in your pipeline are the tools to deploy where your software is going to live. Because Kubernetes is hugely popular right now, let’s first explore tools that may be used there.
Helm would be the first tool you would explore when managing deployments. Helm provides a way to manage all of the different configuration files needed to deploy to Kubernetes. It also provides a way to deploy the manifests themselves.
Another tool like Helm that helps manage your Kubernetes manifests is Kustomize. Kustomize also helps manage the manifests, but instead of using a templating language, it leverages merging different configuration files. This allows you to provide a base configuration layout and to only tweak what you need for each environment you deploy to. Some may find this easier to use than Helm’s templating language, and both tools are worth exploring to see what fits your needs and workflow.
The next thing to look at in deployment is making sure you can deploy safely and reliably, and a tool to help you do that is Spinnaker. Spinnaker can help you manage your pipeline and enables you to roll out deployments with confidence. It helps ensure the pipelines deploy to where you need them to. And it can help you detect if things go wrong and roll back. If you haven’t adopted a lot of these techniques inside of your pipeline already, it’s worth exploring what Spinnaker can do and using the operations it provides as a guide to what your pipeline may need.
#2: Tools for Testing
Now that we have a pipeline that can deploy things, let’s start adding tools that can ensure the quality of the code we’re deploying. The next tools we need in a pipeline are testing tools. These tools will look at the artifacts that are going to deploy and make sure that they are operating correctly. They report back problems if they don’t adhere to what we expect, which allows us to quickly nail down the problems when they are introduced into the system.
The first tool you will need is a unit testing tool. The tool you pick will depend on which language you are using. For instance, with Java, you’ll want to explore JUnit. For PHP, try PHPUnit. Go has its own built-in testing tool. Whatever language you have, explore the unit testing tools for the language. They are your first chance at ensuring the code you have produces the software you expect.
The next tools you will want to have are a set of integration testing tools. Now, these tools can be the same as the ones that do your unit testing, but I would recommend separating them from your codebase. This is because these tests will be different from your unit tests. Unit tests test at a method level. Integration tests test at a feature level. They do different things. You want to be thinking at a higher level when you are doing integration tests. Python is a great language for this, along with the pytest framework. You can deploy your code to whatever testing environment you have and run pytest against it to verify that the features are indeed working.
#3: Tools for Security
Now that we are reasonably confident our code is working, it’s a great time to ensure that we are also secure. There has been an explosion recently of very good automated security tools that you can drop in places to check that your code is reasonably secure. These tools don’t guarantee you are secure, but they do help you catch common known issues and even verify that your dependencies are as up-to-date as possible.
The first tool to look at is Snyk. Snyk can be integrated in several ways to ensure that your code is secure. It can be used as a passive monitor where it will pull your code down and scan it periodically, letting you know if there are any problems. Or you can set it as an active monitor and scan your codebase for known issues on every commit.
Another tool for security is Twistlock. Twistlock scans your full Docker container and lets you know about any vulnerabilities that could be inside. It is designed to be inside your CI/CD pipeline as a step and ensures that anything that is going to production is safe and without any known vulnerabilities.
#4: Tools for Linting
The next tools to add are those that make sure your code quality is good and keep it that way. Linting tools help keep your code at a standard that you or someone else has defined. And then they keep that quality there in the codebase. It’s important to have a tool to enforce it because then your code will be as uniform as it can be. Everyone has a certain style, and linting tools help ensure that those styles are of decent quality.
The first tool you would want to look at depends on which language you are using. For example, Node.js has a tool called ESLint. Java has two tools called Checkstyle and FindBugs. Go has one built in.
Whatever your language is, find the tool that is built for that language to keep your code consistent. This helps improve the readability down the road. And it may even help you out with spotting a bug or two that comes from badly formatted code.
#5: Tools for Dockerization
The last tools help you put your code in Docker. Docker has exploded in use lately because it helps to create a universal package that can be deployed to almost any cloud platform out there now. So to help us get our code into a Docker container, there are now a few tools to help you do this without you having to fiddle with the Dockerfile or other bits.
For example, Java has a tool called Jib. It figures out how to put your Java application inside the container without you ever having to write any sort of Dockerfile. It also uses a more secure base image that doesn’t include many tools or libraries. This shrinks the attack surface by limiting the number of tools or libraries an attacker can exploit. So even if an attacker did get onto the container, they wouldn’t be able to do much. To achieve this, Jib uses the distroless base images that Google has provided. Distroless images support a handful of languages and are worth looking into for whatever language you use.
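For a language without a Jib-style builder, the same reduction in attack surface can be had by hand with a multi-stage Dockerfile that ends on a distroless image. This is an added example, not from the original post or from the Jib project; the Go module layout (`./cmd/app`), the binary name and the image tags are assumptions.

```dockerfile
# Added example: the paths, binary name and image tags are assumptions.
# Assumes a Go module with dependencies, so both go.mod and go.sum exist.

# --- Build stage: full toolchain, never shipped to production ---
# Shipping this image directly would put a compiler, a shell and a
# package manager next to the application.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Build a static binary so the runtime image needs no libc.
RUN CGO_ENABLED=0 go build -trimpath -o /out/app ./cmd/app

# --- Runtime stage: distroless, no shell and no package manager ---
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
# The :nonroot tag already runs unprivileged; stated explicitly here
# so the intent survives a later change of base image.
USER nonroot:nonroot
# Exec form is required: there is no /bin/sh to interpret shell form.
ENTRYPOINT ["/app"]
```

Because the runtime image has no shell, debugging has to happen through logs or a separate debug container rather than by opening a shell in the running container.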
Skaffold is another tool to look at. This tool helps speed up your workflow if you deploy to Kubernetes. It provides a set of tools that can push your local code into a Kubernetes instance, and it can be placed in a CI/CD pipeline to do the same thing. This way, you have a common set of tools and commands to deploy instead of having to figure out how to build, push a Docker image, and release into a Kubernetes instance.
Now that your toolbox has the right tools, let Cprime help you fully implement that pipeline. Their course will guide you through where to put all of these tools together to create a first-class delivery system that will help you deliver quality code on time. All of these tools and techniques will allow you to get your best software delivered to your customers in a quick and valuable way.