The 2021 DORA report gives a veiled nod to GitOps

December 07, 2021

The 2021 DORA report is out, and it continues its focus on the characteristics of top performing DevOps teams. It is becoming an essential read for anyone interested in how companies are practising DevOps. The findings line up closely with GitOps principles, even though the report never uses the word. Here are the highlights.


SRE and DevOps are complementary

SRE (Site Reliability Engineering) started to gain traction around the same time as DevOps, and originated at Google.

According to the report, SRE and DevOps are not competing practices. Both are about automating away toil and achieving operational excellence, and both aim at the same outcomes: high-quality software, stable and resilient systems, and short time to market. Both work to develop and maintain a culture of automation and continuous improvement.

“Teams with SRE practices spend more time writing code than teams that don’t practice SRE.” - 2021 DORA report

Integrate security throughout the software supply chain 

As the SolarWinds compromise demonstrated, the software supply chain is a security problem in its own right. Many businesses pay little attention to it, which makes them prime targets.

Security practices are often introduced only at the end of the software development life cycle, which leaves teams with an incomplete understanding of the risks spread across the supply chain.

The software supply chain covers development, build, test, installation, update, and retirement. Security practices and controls should be integrated across the whole of it: a control applied at one stage says nothing about the integrity of what the other stages produce. Only then can you be confident that all software has appropriate security.

Security should not rest on the shoulders of busy developers. Instead, the report encourages teams to ‘Invite InfoSec early and often.’ The report also encourages teams to make security testing routine. This means to ‘Integrate a security review into every phase.’

Making every stage of the process reviewable, auditable, versioned, and testable is a core tenet of GitOps. Because every change to the desired state of the system is proposed as a Git commit, the collaborative nature of Git encourages peer review of changes before they are merged. This is essential for teams that want to deliver high quality software that is reliable.

A great way to speed this up is to ‘Build pre-approved code,’ as the report puts it. This again is central to the GitOps way of operating, where code and configuration that have already been reviewed can be reused rather than re-approved each time. The platform model that we have talked about a lot takes this a step further: platform teams publish templates for resources and tools, so the reuse extends to the infrastructure level.

These practices, which GitOps enables and in some cases delivers out of the box, are part of what makes for secure software.

Trunk-based development

The report found that elite teams use a ‘trunk-based development’ approach. The core idea is that the trunk of the source tree is the main line of development: each check-in to the trunk is immediately ready for integration with the existing code base, and the trunk never gets frozen. Here at Weaveworks this is the model GitOps is built on: the desired state of the system lives on the main branch of a Git repository, and what is merged there is what gets deployed.

With GitOps, the trunk is the main branch of the central Git repository, and developers contribute to it from short-lived branches or forks. GitOps follows the same principle of merging work from those branches into a single repository that holds the declared state of the system.

The report recommends that teams ‘merge their work at least once a day.’ This high frequency of changes is typical of GitOps, where changes are merged asynchronously and multiple times a day.  

Deployment automation

Automating your deployments is necessary if you want to speed up the delivery of new changes to your environment. It lets you build a pipeline that moves changes through your build and test environments, into production, and into your customers' hands. The goal is deployments that are fast, consistent and frictionless.

When it comes to GitOps, automating deployments is a key focus area. Weave GitOps (based on Flux) runs inside the cluster, watches the Git repositories it has been pointed at, and when it sees a new commit it reconciles the cluster to the state declared there. This allows developers to continuously deliver features to production with minimal effort as part of their usual workflow: a merged pull request is the deployment.
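As an added example (not taken from this post or from the Flux project's own documentation), here is what that wiring looks like in Flux: a GitRepository source that Flux polls, and a Kustomization that applies the manifests found under a path in it. The verify block is the supply chain check a practitioner would want alongside the review process described above: Flux will only apply a commit at HEAD whose signature matches one of the PGP public keys stored in the referenced Secret, so an unsigned or unknown-key push to the trunk is not deployed. The repository URL, branch, path and the pgp-public-keys Secret name are assumptions for illustration.

```yaml
# Added example: Flux v2 source + sync manifests, not from the original post.
# Repository URL, branch, path and Secret name are illustrative assumptions.
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: app-config
  namespace: flux-system
spec:
  interval: 1m                                   # how often Flux polls the repository
  url: https://github.com/example-org/app-config # assumed repository
  ref:
    branch: main                                 # the trunk: what is merged here is deployed
  verify:
    mode: head                                   # refuse unsigned or unknown-key commits at HEAD
    secretRef:
      name: pgp-public-keys                      # assumed Secret holding trusted PGP public keys
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: app-config
  namespace: flux-system
spec:
  interval: 10m                                  # re-reconcile even without a new commit (drift correction)
  sourceRef:
    kind: GitRepository
    name: app-config
  path: ./clusters/production                    # assumed path inside the repository
  prune: true                                    # delete cluster objects that were removed from Git
  targetNamespace: default
```

The Secret referenced by `verify.secretRef` holds ASCII-armoured public keys as its data values and is created out of band, for example with `kubectl create secret generic pgp-public-keys --from-file=author.asc -n flux-system`; the private keys never leave the developers' machines. Note that `prune: true` means deleting a manifest from Git deletes the object from the cluster, which is the behaviour you want for an auditable desired state but worth knowing before enabling it.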

Building on this, Flagger, another GitOps tool, takes this further by enabling progressive delivery methods such as canary releases and blue-green deployments. It integrates with a service mesh such as Istio or Linkerd and shifts traffic from the current (primary) version to the canary in progressive steps, checking metrics at each step and rolling back automatically if they fall outside the configured thresholds. The entire process is defined in Git, and completely automated end-to-end.
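As an added example (again not from the post or from Flagger's own documentation), this is the Canary resource that describes such a rollout for a Deployment running in an Istio mesh. Flagger creates the primary and canary Deployments and the mesh routing itself; the resource below only declares the policy: shift 10% of traffic at a time, stop at 50% before promoting, and roll back if the success rate or latency checks fail five times. The names, namespace, port and thresholds are assumptions for illustration.

```yaml
# Added example: a Flagger Canary for an Istio-meshed Deployment, not from the original post.
# Names, namespace, port and thresholds are illustrative assumptions.
apiVersion: flagger.app/v1beta1
kind: Canary
metadata:
  name: app
  namespace: production
spec:
  provider: istio
  targetRef:                       # the Deployment Flagger manages
    apiVersion: apps/v1
    kind: Deployment
    name: app
  progressDeadlineSeconds: 60      # time the canary may take to become ready before rollback
  service:
    port: 9898                     # assumed container port exposed through the mesh
  analysis:
    interval: 1m                   # evaluate the metrics below every minute
    threshold: 5                   # failed checks tolerated before automatic rollback
    maxWeight: 50                  # stop shifting at 50% canary traffic, then promote
    stepWeight: 10                 # shift traffic in 10% increments
    metrics:
    - name: request-success-rate   # built-in Flagger metric (percentage of non-5xx responses)
      thresholdRange:
        min: 99                    # roll back if the success rate drops below 99%
      interval: 1m
    - name: request-duration       # built-in Flagger metric (P99 latency in milliseconds)
      thresholdRange:
        max: 500                   # roll back if P99 latency exceeds 500 ms
      interval: 1m
```

Because the Canary resource is committed to Git alongside the Deployment it governs, a change to the rollout policy goes through the same review as a change to the application, and the rollback that Flagger performs on a failed analysis needs no human on call to notice the regression first.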

Database change management

The report treats database change management as a capability in its own right: schema changes should be version controlled, reviewed and moved through the same pipeline as application code rather than applied by hand. For most development teams today that version control system is Git. It is what teams collaborate in, and every change is versioned there.

GitOps lets you review changes before a pull request is merged. With every change versioned, you have an automatic, ready-made audit trail to use for compliance.

Open source technologies 

The DORA report highlights the importance of leveraging today’s leading open source tools over proprietary tooling. 

“Closed source technologies limit your ability to transfer knowledge in and out of the organization. Open source technologies have a community around them.” - The 2021 DORA report

GitOps itself relies heavily on open source tooling such as Flux and Flagger. Beyond this, it works alongside the wider cloud native tooling ecosystem, including Istio, Prometheus, Helm, and more.

High quality documentation

Finally, one of the areas in which elite teams excel is documentation. They have high quality internal documentation, and are better able to implement technical practices as a result. This includes clear ownership, guidelines for updating documentation, and making it part of the development process.

Circling back to how SRE teams function, a recent post by Tyler Treat discusses the idea of the “productization of infrastructure and operations”: that this was the only way for Google's SRE teams to cope with the explosion of management duties once they moved from a monolithic to a microservice model.

GitOps fosters this kind of productization of infrastructure and operations, and it helps with creating and maintaining high quality documentation: the desired state of the system is declared in Git alongside the documentation that describes it, and every change to either is versioned and reviewed.

In conclusion, the 2021 DORA report is closely aligned with the core GitOps principles. It may not use the word ‘GitOps’, but ideas such as trunk-based development, database change management, deployment automation, and open source are integral to the GitOps approach. Read the report in its entirety to learn more.


Related posts

No More Manual Reviews — Policy as Code to the Rescue

Continuous AWS Cloud Security with Trusted Delivery

Progressive Delivery: Towards Continuous Resilience with Flagger & Weave GitOps

Whitepaper: GitOps Boosts Business Performance - The Facts