DevOps Mutualization - How are banks orchestrating DevOps and the 'Glue' utilised to create existing self-service workflows?

[mcleo-d]

Description

This issue has been created to discuss the 'Glue' and 'Self-Service Workflow Automation' that banking teams have produced to ensure proper controls are created and laid down to deliver software whilst adhering to internal banking policy.

The discussion should also include the existence of internal registry integrations where projects and namespaces have a known lifecycle and association with systems, CIDB, etc.

Individual tools that are selected, automated, and orchestrated will constantly change, but the integrations between these tools and internal systems could be an interesting problem to collaborate on, or at the very least, share approaches and learnings, etc.

DevOps Mutualization Meeting Notes

Date and Time : Thursday 30th July @ 1pm ET / 6pm BST - https://github.com/finos/community/issues/52#issuecomment-669343645

• Orchestration tools have been created but gluing them together is the interesting part. Tools out of the box also don't give metrics, so they need to be glued together to obtain.

• It was added that self service is important so things can be setup in a secure and right way by the team. Self service in cloud is important, especially considering banking is wedded to approval mechanisms and raising multiple tickets for orders.

• It was suggested an orchestration engine should be open sourced so external parties can integrate their tools. This way we reach a financial services unified voice. Open sourcing and comparing notes is a valuable conversation.

• Also, self services gives the change frequency, regulatory compliance and security needed whilst being super important

• The group was asked, is there value having a whirlwind tour of people who represent their current pipeline orchestration over a call? The group agree there is value with many volunteers.

• The group was also asked to add vulnerability scanning tools to the discussion topic list as group representatives don't want to roll their own solutions.

• The group fed back that we might find many members are following the same principles of DevOps orchestration with some differences. If one bank leads, we can say whether we're the same or different.

• The group would like to answer the question of where we've been forced to build bespoke DevOps orchestration solutions and therefore duplicating effort.

[DovOps]

As mentioned during our call ( #52 ) - I think it would be more interesting in terms of tooling to discuss the 'glue' and self-service workflow automation that teams at FIs are producing to ensure the proper controls are laid down, and some sort of integration with an internal registry of projects or namespaces that have some known lifecycle and association with systems/CIDB, etc. The individual tools that are selected, automated, and orchestrated will constantly change, but the integrations between these tools and internal systems could be an interesting problem to collaborate on - at the very least, share approaches and learnings, etc. What do others think?

[mcleo-d]

@DovOps - I have updated the title and body of this story based on your feedback and the content of the DevOps Mutualization discussion on 30th July 2020 - https://github.com/finos/community/issues/52#issuecomment-669343645

Please feel free to feedback as I circulate the notes of our last meeting to the group.

James.

[natishalom]

"The individual tools that are selected, automated, and orchestrated will constantly change, but the integrations between these tools and internal systems could be an interesting problem to collaborate on - at the very least, share approaches and learnings, etc. What do others think?"

@DovOps we can start by mapping the various automation tools and the main categories. For example Infrastructure as code, configuration management, Container Management (Kubernetes) and than we can describe how a potential integration between those tools may look like.

[mcleo-d]

Hey @natishalom - I recommend we do this in a way that allows people to contribute into a central mark down table that can be consumed into a wiki at a later date. I've come up with the following rough example to kickstart discussion.

What am I missing / getting wrong? 🤔 😄

Resource Type Table

Describes the type of DevOps resource to be categorised.	Resource Type	Description
Infrastructure as Code	Description Here
Configuration Management	Description Here
Container Management (Kubernetes)	Description Here

Resource Table

Describes the resource being utilised in banking DevOps teams.	Resource	Description	Resource Type
Name Example	Description Example	Infrastructure as Code
Name Example	Description Example	Configuration Management
Name Example	Description Example	Container Management (Kubernetes)

Resource Integration Mapping Table

Describes resource integration, the direction of integration and how the resources are being integrated.	Resource Primary	Resource Secondary	Integration Direction_	Integration Description
Resource Name	Resource Name	Integration Direction Example	Integration Description Example

[natishalom]

This looks like a good start. The partners report on this subject could be useful to break down the list of players per category

https://www.gartner.com/document/3984924?ref=shareSummary&submissionGuid=e0d105df-dcff-4094-a6d6-dc488e0caa8f

[mcleo-d]

All - Thank you for attending the FINOS DevOps Mutualization How are banks orchestrating DevOps and the 'Glue' utilised to create existing self-service workflows? session.

Please find a list of the attendees below

DevOps Mutualization Meeting Attendees

Date and Time : Thursday 24th September @ 12:30pm ET / 5:30pm BST

Name	Firm
Amol Shukla	Morgan Stanley
Ashok Singh	JPMC
Cate Thompson	Capital One
Dov Katz	Morgan Stanley
Edward Dushak	JPMC
Gabriele Columbro	FINOS
Gopinath Gopalsamy	JPMC
Gus Paul	Morgan Stanley
John Mark Walker	Capital One
Jonathan Bodner	Capital One
Junji Katto	Itau
Leonid Tsvayberg	JPMC
Luis Testa	Itau
Marcelo Toro	Morgan Stanley
Paul Groves	Citi
Rahul Garde	Goldman Sachs
Rod	Itau
Stefanos Piperoglou	Citi
Topo Pal	Captial One
Tosha Ellison	FINOS

[mcleo-d]

Please find below meeting minutes from the DevOps Mutualization Formation Meeting that took place on Thursday 24th September @ 12:30pm ET / 5:30pm BST.

DevOps Mutualization Meeting Minutes

Date and Time : Thursday 24th September @ 12:30pm ET / 5:30pm BST

• How is infrastructure provisioned against the SDLC?
  • Infrastructure and code deployment happening through SDLC.
  • Terraform and other such technologies like Bit Bucket being engaged.
• How does a developer run a security scan before merge? 
  • This happens prior to pull request merge.
  • Developers can trigger from IDEs using SonarCube, Black Duck and others
  • Build time is a factor for being able to run security tests in realtime. Software should build fast to enable.  
  • Dependencies are a particular problem as you can pull in multiple dependencies from external sources.
  • How is this reflected in build tickets and evidence stores?
  • Getting a complete view of dependencies is ideal end state depending on the tech stack.
  • Dependency information is obtained according to the build tools.
  • Xray is used depending on the tech stack.
  • Docker images are also scanned.
  • Dependency information is also known within C++ tech stacks.
• Shifting left on engineering gates was a subject matter of interest that was raised by the group.
• The following items were highlighted as areas of interest for future deep dives
  • SDLC/CIM
  • Group Specific Controls / Gates
  • Self Service Portal
  • Metrics - Collection and Reporting
• Evidence store within the SDLC toolchain was selected as the deep dive by the group
• When is performance testing done?
  • Project owners define the test criteria   - The tooling defines that criteria   - The testing is done as part of the release pipeline and is collected as evidence
• Defining what should go into an evidence store manifest will be a good aspect for mutualization
• Self service portal and DevOps tools wrappers
  • Is there was a terraform script for all the tools, it would be great to standardise on that.

[mcleo-d]

Hey all - The following Self Service Glue Document has been created in the DevOps Mutualization Project on GitHub to break the conversation out of this issue and place it in project where people can add their own documents and edit existing ones through pull requests.

https://github.com/finos-labs/devops-mutualization/blob/master/docs/self-service-glue.md

Let me know if you have further questions.

James.

[mcleo-d]

This issue has now moved into the DevOps Mutualization Project and can be found here -> https://github.com/finos-labs/devops-mutualization/issues/2