Devconf.US

Ann Marie Fred

I've been a software engineer for 20 years, and I was a manager for 3 years. I've worked in research, consulting, web portal development, IT systems management development, cloud computing, hybrid cloud, deployment automation, web platform development and operations, and most recently, developer tools for Kubernetes, DevOps, SRE and platform engineering.

My specialties are DevOps, cybersecurity, platform engineering, artificial intelligence, continuous delivery, cloud computing, distributed systems, agile development, continuous integration, web operations, and high availability / disaster recovery for IT services.

In my free time, I enjoy reading, scuba diving, travel, games, and having fun with my husband, two daughters, and the family dog.


Session

08-14, 13:00, 35min
Building a Better Software Supply Chain
Ann Marie Fred

At Red Hat, we had a standard build pipeline for software, but it had a problem. It consisted of more than 250 services across more than 1000 host systems, which made it difficult to understand, and it required dozens of people to maintain.
We started the project now known as Konflux in order to simplify release cycles; improve the security of our software supply chain; improve the data collected for attestation, provenance, and software bill-of-materials; reduce the number of duplicate services; simplify maintenance; reduce maintenance costs; collaborate on open source projects; and improve the onboarding experience for our development teams.
We chose Kubernetes as the foundation of our architecture, because of its proven model for deploying scalable, secure services. We chose Tekton, along with Tekton Chains and Tekton Results, for our build and test pipelines, because of their open and flexible design. We chose Argo CD because of its GitOps model, full-featured support for Kubernetes, and community adoption. We chose a suite of open source command-line tools for the security checks and other automation. And we’re using Backstage to teach developers how to onboard, by example.
Along the way, we learned a great deal about what we should and shouldn’t standardize in our pipelines. This talk will explain how we implemented the system, and more importantly, the course corrections we made to our plans as we built it out. You will come away from this session with a reference architecture as well as a list of key lessons learned in CI/CD and software supply chain security.

DevOps and Automation, Security and Compliance
Metcalf Small Ballroom (capacity 100)