With the rise of DevOps, low-cost cloud computing, and container technologies, the way Java developers approach development today has changed dramatically. This practical guide helps you take advantage of microservices, serverless, and cloud native technologies using the latest DevOps techniques to simplify your build process and create hyperproductive teams. Stephen Chin, Melissa McKay, Ixchel Ruiz, and Baruch Sadogursky from JFrog help you evaluate an array of options. The list includes source control with Git, build declaration with Maven and Gradle, CI/CD with CircleCI, package management with Artifactory, containerization with Docker and Kubernetes, and much more. Whether you're building applications with Jakarta EE, Spring Boot, Dropwizard, MicroProfile, Micronaut, or Quarkus, this comprehensive guide has you covered. • Explore software lifecycle best practices • Use DevSecOps methodologies to facilitate software development and delivery • Understand the business value of DevSecOps best practices • Manage and secure software dependencies • Develop and deploy applications using containers and cloud native technologies • Manage and administrate source control repositories and development processes • Use automation to set up and administer build pipelines • Identify common deployment patterns and antipatterns • Maintain and monitor software after deployment Cover 1 Copyright 4 Table of Contents 5 Foreword 11 Preface 15 Conventions Used in This Book 15 Using Code Examples 16 O’Reilly Online Learning 17 How to Contact Us 17 Acknowledgments 18 Chapter 1. DevOps for (or Possibly Against) Developers 19 DevOps Is a Concept Invented by the Ops Side 20 Exhibit 1: The Phoenix Project 20 Exhibit 2: The DevOps Handbook 20 Google It 22 What Does It Do? 22 State of the Industry 23 What Constitutes Work? 24 If We’re Not About Deployment and Operations, Then Just What Is Our Job? 24 Just What Constitutes “Done”? 25 Rivalry? 25 More Than Ever Before 26 Volume and Velocity 27 Done and Done 27 Float Like a Butterfly... 28 Integrity, Authentication, and Availability 29 Fierce Urgency 30 The Software Industry Has Fully Embraced DevOps 30 Making It Manifest 31 We All Got the Message 32 Chapter 2. The System of Truth 33 Three Generations of Source Code Management 34 Choosing Your Source Control 36 Making Your First Pull Request 40 Git Tools 44 Git Command-Line Basics 45 Git Command-Line Tutorial 49 Git Clients 50 Git IDE Integration 53 Git Collaboration Patterns 56 git-flow 56 GitHub Flow 59 GitLab Flow 60 OneFlow 61 Trunk-Based Development 62 Summary 62 Chapter 3. An Introduction to Containers 65 Understanding the Problem 66 The History of Containers 67 Why Containers? 70 Intro to Container Anatomy 73 Docker Architecture and the Container Runtime 76 Docker on Your Machine 80 Basic Tagging and Image Version Management 86 Image and Container Layers 87 Best Image Build Practices and Container Gotchas 89 Respect the Docker Context and .dockerignore File 89 Use Trusted Base Images 90 Specify Package Versions and Keep Up with Updates 91 Keep Your Images Small 91 Beware of External Resources 92 Protect Your Secrets 93 Know Your Outputs 93 Summary 93 Chapter 4. Dissecting the Monolith 95 Cloud Computing 97 Microservices 98 Antipatterns 98 DevOps and Microservices 100 Microservice Frameworks 101 Spring Boot 102 Micronaut 108 Quarkus 112 Helidon 115 Serverless 118 Setting Up 120 Summary 127 Chapter 5. Continuous Integration 129 Adopt Continuous Integration 130 Declaratively Script Your Build 132 Build with Apache Ant 135 Build with Apache Maven 138 Build with Gradle 141 Continuously Build 144 Automate Tests 145 Monitor and Maintain Tests 146 Summary 147 Chapter 6. Package Management 149 Why Build-It-and-Ship-It Is Not Enough 150 It’s All About Metadata 151 Key Attributes of Insightful Metadata 151 Metadata Considerations 152 Determining the Metadata 153 Capturing Metadata 153 Writing the Metadata 156 Dependency Management Basics for Maven and Gradle 160 Dependency Management with Apache Maven 160 Dependency Management with Gradle 173 Dependency Management Basics for Containers 178 Artifact Publication 180 Publishing to Maven Local 180 Publishing to Maven Central 181 Publishing to Sonatype Nexus Repository 184 Publishing to JFrog Artifactory 185 Summary 185 Chapter 7. Securing Your Binaries 187 Supply Chain Security Compromised 187 Security from the Vendor Perspective 189 Security from the Customer Perspective 189 The Full Impact Graph 189 Securing Your DevOps Infrastructure 190 The Rise of DevSecOps 190 The Role of SREs in Security 191 Static and Dynamic Security Analysis 192 Static Application Security Testing 192 Dynamic Application Security Testing 193 Comparing SAST and DAST 195 Interactive Application Security Testing 196 Runtime Application Self-Protection 197 SAST, DAST, IAST, and RASP Summary 198 The Common Vulnerability Scoring System 199 CVSS Basic Metrics 199 CVSS Temporal Metrics 200 CVSS Environmental Metrics 201 CVSS in Practice 201 Scoping Security Analysis 202 Time to Market 202 Make or Buy 202 One-Time and Recurring Efforts 204 How Much Is Enough? 204 Compliance Versus Vulnerabilities 204 Vulnerabilities Can Be Combined into Different Attack Vectors 205 Vulnerabilities: Timeline from Inception Through Production Fix 206 Test Coverage Is Your Safety Belt 208 Quality Gate Methodology 209 Quality Gate Strategies 210 Fit with Project Management Procedures 211 Implementing Security with the Quality Gate Method 211 Risk Management in Quality Gates 212 Practical Applications of Quality Management 213 Shift Security Left 213 Not All Clean Code Is Secure Code 215 Effects on Scheduling 216 The Right Contact Person 216 Dealing with Technical Debt 216 Advanced Training on Secure Coding 217 Milestones for Quality 217 The Attacker’s Point of View 217 Methods of Evaluation 218 Be Aware of Responsibility 219 Summary 219 Chapter 8. Deploying for Developers 221 Building and Pushing Container Images 222 Managing Container Images by Using Jib 223 Building Container Images with Eclipse JKube 225 Deploying to Kubernetes 228 Local Setup for Deployment 230 Generate Kubernetes Manifests by Using Dekorate 231 Generate and Deploy Kubernetes Manifests with Eclipse JKube 234 Choose and Implement a Deployment Strategy 237 Managing Workloads in Kubernetes 243 Setting Up Health Checks 244 Adjusting Resource Quotas 249 Working with Persistent Data Collections 251 Best Practices for Monitoring, Logging, and Tracing 252 Monitoring 255 Logging 258 Tracing 259 High Availability and Geographic Distribution 263 Hybrid and MultiCloud Architectures 265 Summary 267 Chapter 9. Mobile Workflows 269 Fast-Paced DevOps Workflows for Mobile 271 Android Device Fragmentation 273 Android OS Fragmentation 274 Building for Disparate Screens 276 Hardware and 3D Support 279 Continuous Testing on Parallel Devices 283 Building a Device Farm 284 Mobile Pipelines in the Cloud 288 Planning a Device-Testing Strategy 293 Summary 294 Chapter 10. Continuous Deployment Patterns and Antipatterns 297 Why Everyone Needs Continuous Updates 297 User Expectations on Continuous Updates 298 Security Vulnerabilities Are the New Oil Spills 299 Getting Users to Update 305 Case Study: Java Six-Month Release Cadence 306 Case Study: iOS App Store 309 Continuous Uptime 312 Case Study: Cloudflare 312 The Hidden Cost of Manual Updates 318 Case Study: Knight Capital 318 Continuous Update Best Practices 320 Index 323 About the Authors 341 Colophon 342 With The Rise Of Devops, Low-cost Cloud Computing, And Container Technologies, The Way Java Developers Approach Development Today Has Changed Dramatically. This Practical Guide Helps You Take Advantage Of Microservices, Serverless, And Cloud Native Technologies Using The Latest Devops Techniques To Simplify Your Build Process And Create Hyperproductive Teams. Stephen Chin, Baruch Sadogursky, Ixchel Ruiz, And Melissa Mckay Help You Evaluate An Array Of Options. The List Includes Source Control With Git, Build Declaration With Maven And Gradle, Ci/cd With Circleci, Package Management With Artifactory, Containerization With Docker And Kubernetes, And Much More. Whether You're Building Applications With Jakarta Ee, Spring Boot, Dropwizard, Microprofile, Micronaut, Or Quarkus, This Comprehensive Guide Has You Covered. Explore Software Lifecycle Best Practices Use Devsecops Methodologies To Facilitate Software Development And Delivery Understand The Business Value Of Devsecops Manage And Secure Software Dependencies Develop And Deploy Applications Using Containers And Cloud Native Technologies Manage And Administrate Source Control Repositories And Development Processes Use Automation To Set Up And Administer Build Pipelines Identify Common Deployment Patterns And Antipatterns Maintain And Monitor Software After Deployment