Section 2.1 - Pipeline Planning
Where are you, or your team’s developers, storing their code? Ideally, there’s some source code management tool (SCM) that’s being used to centralize, share, and manage source code. The SDP takes advantage of these features of SCMs in your CI/CD pipelines.
Currently, the preferred SCM is GitHub, which is where the SDP keeps and maintains its source code.
A basic DevSecOps, CI/CD Pipeline will do three things: build, deploy, and test. It should take the raw source code and change it to a format that will run optimally on your platform. It should also take the output of the build and deploy it to your platform. Lastly it should be automatically testing various aspects of the application and all throughout the pipeline - anything from unit tests to penetration tests.
There are myriad ways to do any of these three tasks, but because it’s assumed you’ll be deploying on OpenShift we can make some assumptions about your pipeline.
Since OpenShift is a container application platform, and it’s assumed that your application is being deployed to OpenShift, it can also be assumed that your application running as (Docker) containers. The SDP’s Docker Library makes it easy to build images from your source code repository and store them in OpenShift’s built-in container registry.
OpenShift has some guidelines around creating container images that it’s important to be aware of. The section on supporting arbitrary user IDs is especially important.
The SDP currently has libraries for tools that run code quality tests, accessibility compliance (508) tests, penetration tests, and more. Which ones you should use depends on the needs of your application. Automated tests like these are useful for detecting issues earlier in a feature’s lifecycle, where it’s easier (and cheaper) to correct.
The OpenShift Library makes it easy to deploy to different OpenShift projects using Helm, a Kubernetes/OpenShift package manager and templating tool. How to deploy an application is defined in a Helm chart or charts, which is maintained in your SCM alongside your source code and pipeline configuration. This is covered in greater detail in Section 3.