DevOps Tools for Java Developers
Best Practices from Source Code to Production Containers
Stephen Chin, Melissa McKay, Ixchel Ruiz, and Baruch Sadogursky
Beijing Boston Farnham Sebastopol Tokyo

DevOps Tools for Java Developers
by Stephen Chin, Melissa McKay, Ixchel Ruiz, and Baruch Sadogursky

Copyright © 2022 Stephen Chin, Melissa McKay, Ixchel Ruiz, and Baruch Sadogursky. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or [email protected].

Acquisitions Editor: Suzanne McQuade
Development Editor: Corbin Collins
Production Editor: Elizabeth Faerm
Copyeditor: Sharon Wilkey
Proofreader: Piper Editorial Consulting, LLC
Indexer: Sue Klefstad
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Kate Dullea

April 2022: First Edition

Revision History for the First Edition
2022-04-15: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781492084020 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. DevOps Tools for Java Developers, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the authors and do not represent the publisher’s views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-492-08402-0
[LSI]

Table of Contents

Foreword  ix
Preface  xiii

1. DevOps for (or Possibly Against) Developers  1
    DevOps Is a Concept Invented by the Ops Side  2
    Exhibit 1: The Phoenix Project  2
    Exhibit 2: The DevOps Handbook  2
    Google It  4
    What Does It Do?  4
    State of the Industry  5
    What Constitutes Work?  6
    If We’re Not About Deployment and Operations, Then Just What Is Our Job?  6
    Just What Constitutes “Done”?  7
    Rivalry?  7
    More Than Ever Before  8
    Volume and Velocity  9
    Done and Done  9
    Float Like a Butterfly…  10
    Integrity, Authentication, and Availability  11
    Fierce Urgency  12
    The Software Industry Has Fully Embraced DevOps  12
    Making It Manifest  13
    We All Got the Message  14

2. The System of Truth  15
    Three Generations of Source Code Management  16
    Choosing Your Source Control  18
    Making Your First Pull Request  22
    Git Tools  26
    Git Command-Line Basics  27
    Git Command-Line Tutorial  31
    Git Clients  32
    Git IDE Integration  35
    Git Collaboration Patterns  38
    git-flow  38
    GitHub Flow  41
    GitLab Flow  42
    OneFlow  43
    Trunk-Based Development  44
    Summary  44

3. An Introduction to Containers  47
    Understanding the Problem  48
    The History of Containers  49
    Why Containers?  52
    Intro to Container Anatomy  55
    Docker Architecture and the Container Runtime  58
    Docker on Your Machine  62
    Basic Tagging and Image Version Management  68
    Image and Container Layers  69
    Best Image Build Practices and Container Gotchas  71
    Respect the Docker Context and .dockerignore File  71
    Use Trusted Base Images  72
    Specify Package Versions and Keep Up with Updates  73
    Keep Your Images Small  73
    Beware of External Resources  74
    Protect Your Secrets  75
    Know Your Outputs  75
    Summary  75

4. Dissecting the Monolith  77
    Cloud Computing  79
    Microservices  80
    Antipatterns  80
    DevOps and Microservices  82
    Microservice Frameworks  83
    Spring Boot  84
    Micronaut  90
    Quarkus  94
    Helidon  97
    Serverless  100
    Setting Up  102
    Summary  109

5. Continuous Integration  111
    Adopt Continuous Integration  112
    Declaratively Script Your Build  114
    Build with Apache Ant  117
    Build with Apache Maven  120
    Build with Gradle  123
    Continuously Build  126
    Automate Tests  127
    Monitor and Maintain Tests  128
    Summary  129

6. Package Management  131
    Why Build-It-and-Ship-It Is Not Enough  132
    It’s All About Metadata  133
    Key Attributes of Insightful Metadata  133
    Metadata Considerations  134
    Determining the Metadata  135
    Capturing Metadata  135
    Writing the Metadata  138
    Dependency Management Basics for Maven and Gradle  142
    Dependency Management with Apache Maven  142
    Dependency Management with Gradle  155
    Dependency Management Basics for Containers  160
    Artifact Publication  162
    Publishing to Maven Local  162
    Publishing to Maven Central  163
    Publishing to Sonatype Nexus Repository  166
    Publishing to JFrog Artifactory  167
    Summary  167

7. Securing Your Binaries  169
    Supply Chain Security Compromised  169
    Security from the Vendor Perspective  171
    Security from the Customer Perspective  171
    The Full Impact Graph  171
    Securing Your DevOps Infrastructure  172
    The Rise of DevSecOps  172
    The Role of SREs in Security  173
    Static and Dynamic Security Analysis  174
    Static Application Security Testing  174
    Dynamic Application Security Testing  175
    Comparing SAST and DAST  177
    Interactive Application Security Testing  178
    Runtime Application Self-Protection  179
    SAST, DAST, IAST, and RASP Summary  180
    The Common Vulnerability Scoring System  181
    CVSS Basic Metrics  181
    CVSS Temporal Metrics  182
    CVSS Environmental Metrics  183
    CVSS in Practice  183
    Scoping Security Analysis  184
    Time to Market  184
    Make or Buy  184
    One-Time and Recurring Efforts  186
    How Much Is Enough?  186
    Compliance Versus Vulnerabilities  186
    Vulnerabilities Can Be Combined into Different Attack Vectors  187
    Vulnerabilities: Timeline from Inception Through Production Fix  188
    Test Coverage Is Your Safety Belt  190
    Quality Gate Methodology  191
    Quality Gate Strategies  192
    Fit with Project Management Procedures  193
    Implementing Security with the Quality Gate Method  193
    Risk Management in Quality Gates  194
    Practical Applications of Quality Management  195
    Shift Security Left  195
    Not All Clean Code Is Secure Code  197
    Effects on Scheduling  198
    The Right Contact Person  198
    Dealing with Technical Debt  198
    Advanced Training on Secure Coding  199
    Milestones for Quality  199
    The Attacker’s Point of View  199
    Methods of Evaluation  200
    Be Aware of Responsibility  201
    Summary  201

8. Deploying for Developers  203
    Building and Pushing Container Images  204
    Managing Container Images by Using Jib  205
    Building Container Images with Eclipse JKube  207
    Deploying to Kubernetes  210
    Local Setup for Deployment  212
    Generate Kubernetes Manifests by Using Dekorate  213
    Generate and Deploy Kubernetes Manifests with Eclipse JKube  216
    Choose and Implement a Deployment Strategy  219
    Managing Workloads in Kubernetes  225
    Setting Up Health Checks  226
    Adjusting Resource Quotas  231
    Working with Persistent Data Collections  233
    Best Practices for Monitoring, Logging, and Tracing  234
    Monitoring  237
    Logging  240
    Tracing  241
    High Availability and Geographic Distribution  245
    Hybrid and MultiCloud Architectures  247
    Summary  249

9. Mobile Workflows  251
    Fast-Paced DevOps Workflows for Mobile  253
    Android Device Fragmentation  255
    Android OS Fragmentation  256
    Building for Disparate Screens  258
    Hardware and 3D Support  261
    Continuous Testing on Parallel Devices  265
    Building a Device Farm  266
    Mobile Pipelines in the Cloud  270
    Planning a Device-Testing Strategy  275
    Summary  276

10. Continuous Deployment Patterns and Antipatterns  279
    Why Everyone Needs Continuous Updates  279
    User Expectations on Continuous Updates  280
    Security Vulnerabilities Are the New Oil Spills  281
    Getting Users to Update  287
    Case Study: Java Six-Month Release Cadence  288
    Case Study: iOS App Store  291
    Continuous Uptime  294
    Case Study: Cloudflare  294
    The Hidden Cost of Manual Updates  300
    Case Study: Knight Capital  300
    Continuous Update Best Practices  302

Index  305