CI and deployment Flashcards
Continuous delivery
deploys built release to test and staging environments but does not release to production without manual intervention/approval
Continuous deployment
releases to production after automatic testing has been completed in dev/test and staging. Only a failed test will stop the release going to prod
Continuous integration
automatic build of an application after a commit, merge or pull request. Should include code quality tests
Static analysis
checks non-running code for bugs, vulnerabilities and known bad programming patterns/smells
Examples of static analysis tools
SonarQube
WhiteSource Bolt
PMD
WhiteSource Bolt
provides license and vulnerability details on third-party packages in your project
Dynamic analysis
run against live deployed code. Commonly used to run pentests against known vulnerabilities like SQL injection
Examples of Dynamic analysis tools
OWASP Zed Attack Proxy (ZAP)
What should unit tests be built for?
testing a single piece or a core function in isolation.
What test data should be used in unit tests?
mock data from a file
What data should be used in integration tests?
data hosted on the same DB system as the production environment
Example of a good unit test
- short and run quickly
- tests code critical to the application
- needs to be repeatable and return the same result every time when everything is in a working state
- should not test external libraries; this should be done in integration tests
- should not be done on combined functions and methods
When should you make a package?
when code can be reused across your projects and the code does not need to be changed often
What is a package?
ready-to-run compiled or uncompiled code, depending on the language. Stored in compressed zip files that have a different extension based on the language/framework
Semantic versioning
in x.x.x format: major breaking change, then feature change that is backwards compatible, then hotfix or patch
Artifacts Feeds
can contain company-created packages, or be used to monitor and maintain third-party packages in use if upstream sources have been enabled
Common production deployment types
blue-green
canary/ring
rolling
blue-green
release is deployed to the green environment, then traffic is shifted from blue to green using Azure Traffic Manager or Application Gateway. Provides a quick rollback option
canary/ring
new features are provided to beta users so they can provide feedback
rolling
release is deployed to 1 node/region at a time
Where should secrets be stored?
secrets should not be stored in source control. Key Vault, secure variables in pipelines and user profiles provide a place to store secrets with less risk
Code Coverage
Shows % of code that is being tested via unit tests
Code coverage formats supported by pipelines
Coverlet, OpenCover, dotCover, Visual Studio, Cobertura and JaCoCo (Java)
Extension or task for adding code coverage in pipeline web interface
ReportGenerator
Difference between a gate and a check
gates are in the classic editor; checks are used in YAML pipelines but are defined on the environment