I went to cdCon in Austin, June of 2022. This was my first conference in many years (thanks, pandemic!) and it felt like a conference that was everyone’s first in a long while. Things were a little stilted and the social side of the conference wasn’t as fluid as other conferences I’ve gone to. It’s a new community for me though. The weirdness didn’t come through in the content though. There were a bunch of cool ideas that came up.
First, supply chain! There were a bunch of folks talking about the importance of the supply chain. This was more than just checking for CVEs, but also signing commits and artifacts and hardening our package repositories from malicious actors. This is still a very evolving space, but it was clear to me that we should be thinking about our full supply chain and the vulnerabilities that are present. To this end, I’ve already connected with Sneha, director of AppSec, to discuss this further.
The VP of platform for CircleCI, Michael Stahnke, had a really good turn of phrase that I liked. He called pipelines “automated confidence” which really resonated with me. Today, folks are deploying manually and looking at graphs to “make sure things look right”. In practice, this means they’re gaining confidence in their deployable artifact. By encoding that judgement into precise alarms and rollback strategies, we can automate that part of our job (which, let’s be honest, isn’t the best part of the day).
He also talked about how the unit of work within our environments isn’t a “commit” like we think it is. Sure, commits flow through the system and effect some change (intentional or unintentional). Instead, he puts forward that simply “change” is the unit of work within our environments because there are effects which aren’t tied to commits at all. Some examples he gave were “a load balancer spins up a new node” or “your payment provider decided you can’t take money from Russia”. I’m not sure if that is much different than how I’ve been thinking about things, but it’s at least a novel enough framing that I’m going to try it on for a while to see how I like it.
There were a few talks, mostly from folks in the financial sector, which talked about governance and compliance. It introduced me to this interesting tech called Open Policy Agent (OPA). It’s a declarative format to describe access to things, which can range from “Who is allowed to push this container image?” to “Who can call this API?”. I’d like to investigate how it could be used within the context of some of the things we’re already doing. Things like the SOX compliance badges and “do you have snapshots in your dependency chain?” feel like candidates for this sort of work. I super like how clear and discoverable the criteria are (as opposed to buried in some Java app somewhere).
There were a handful of keynotes which were the usual mix of great and iffy. Cory Doctorow spoke about the importance of interoperability, and I’m a total fan of his. It was a great presentation. Other folks talked about the importance of Developer Experience, and it got me thinking: Should we have folks within CT who are focused on improving DX? I’m thinking a technical writer would be a huge boon, especially around some of our internal platforms where you can’t necessarily find answers in the external world.
Probably the coolest thing I saw while at cdCon was how folks are using OpenTelemetry. OpenTelemetry, for those unfamiliar, is an abstraction layer around logs, metrics and traces. Traces were the standout here. There were two demos from the folks at Elastic where they had instrumented their build, test and deploy process to emit traces. You could see Jenkins kicking off, waiting for a worker to pick up the build, watch Maven download all of its dependencies, execute tests (with a span for each one that turns red on failure), and more. It was a fascinating use of the tool and it’s something that I think could be really interesting for us. Having that single source of “this is what that execution looked like” opens up the possibilities for both a unified view of things and a surfacing of problem areas without a bunch of extra work.
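To make the pipeline-as-trace idea concrete, here is an added example (mine, not code from the Elastic demos or from the OpenTelemetry project). It hand-builds the nested spans a traced build would emit (pipeline, wait for worker, Maven dependency download, one span per test with a failing test marked as an error, deploy), serialises them in the OTLP/JSON shape a collector’s HTTP receiver accepts, and then asks the two questions a trace answers with no extra work: what failed, and where the time went. All span names, timings and attribute keys are constructed for illustration; in a real pipeline you would use the `opentelemetry-sdk` package (or the collector) rather than building the payload by hand.

```python
"""Hand-built OTLP/JSON trace for one CI pipeline run (added example)."""
import json
import secrets
from dataclasses import dataclass, field

STATUS_UNSET, STATUS_OK, STATUS_ERROR = 0, 1, 2  # OTLP Status.StatusCode values


@dataclass
class Span:
    name: str
    start_ns: int
    end_ns: int
    parent: "Span | None" = None
    attributes: dict = field(default_factory=dict)
    status: int = STATUS_UNSET
    status_message: str = ""
    span_id: str = field(default_factory=lambda: secrets.token_hex(8))

    def fail(self, message: str) -> "Span":
        # An ERROR status is what the trace UI renders as a red span.
        self.status, self.status_message = STATUS_ERROR, message
        return self

    @property
    def duration_ms(self) -> float:
        return (self.end_ns - self.start_ns) / 1e6


def _attr(key, value):
    # OTLP encodes attribute values as a tagged union; ints travel as strings.
    if isinstance(value, bool):
        return {"key": key, "value": {"boolValue": value}}
    if isinstance(value, int):
        return {"key": key, "value": {"intValue": str(value)}}
    return {"key": key, "value": {"stringValue": str(value)}}


def build_pipeline_trace(t0_ns: int) -> list[Span]:
    """Constructed timeline of one build (not real Jenkins data); offsets in ms
    from t0_ns, and every child lies inside its parent's interval."""
    s = lambda ms: t0_ns + ms * 1_000_000
    pipeline = Span("pipeline", s(0), s(9_000), attributes={"ci.build_number": 4711})
    wait = Span("wait-for-worker", s(0), s(1_500), pipeline)
    job = Span("job", s(1_500), s(9_000), pipeline, {"ci.worker": "linux-large"})
    download = Span("maven-download-dependencies", s(1_500), s(4_000), job,
                    {"maven.artifacts": 312})
    tests = Span("tests", s(4_000), s(8_000), job)
    unit = Span("test:UserServiceTest", s(4_000), s(6_000), tests, {"test.passed": True})
    checkout = Span("test:CheckoutTest", s(6_000), s(8_000), tests,
                    {"test.passed": False}).fail("AssertionError: total mismatch")
    deploy = Span("deploy", s(8_000), s(9_000), job, {"deploy.skipped": True})
    return [pipeline, wait, job, download, tests, unit, checkout, deploy]


def to_otlp_json(spans, service_name="jenkins", trace_id=None) -> dict:
    """Encode spans as an OTLP ExportTraceServiceRequest in its JSON encoding
    (ids as lowercase hex, nanosecond timestamps as decimal strings)."""
    trace_id = trace_id or secrets.token_hex(16)
    encoded = []
    for sp in spans:
        rec = {
            "traceId": trace_id,
            "spanId": sp.span_id,
            "name": sp.name,
            "kind": 1,  # SPAN_KIND_INTERNAL
            "startTimeUnixNano": str(sp.start_ns),
            "endTimeUnixNano": str(sp.end_ns),
            "attributes": [_attr(k, v) for k, v in sp.attributes.items()],
            "status": {"code": sp.status, "message": sp.status_message},
        }
        if sp.parent is not None:  # the root span carries no parentSpanId
            rec["parentSpanId"] = sp.parent.span_id
        encoded.append(rec)
    return {"resourceSpans": [{
        "resource": {"attributes": [_attr("service.name", service_name)]},
        "scopeSpans": [{"scope": {"name": "ci.pipeline"}, "spans": encoded}],
    }]}


def failed_spans(spans):
    """Names of spans that ended in ERROR: the red boxes in the trace view."""
    return [sp.name for sp in spans if sp.status == STATUS_ERROR]


def slowest_leaves(spans, n=2):
    """Leaf spans (no children) ranked by duration: the first place to look
    when asking where the build actually spent its time."""
    parents = {sp.parent.span_id for sp in spans if sp.parent}
    leaves = [sp for sp in spans if sp.span_id not in parents]
    return [sp.name for sp in sorted(leaves, key=lambda x: -x.duration_ms)[:n]]


if __name__ == "__main__":
    run = build_pipeline_trace(1_700_000_000_000_000_000)
    print(json.dumps(to_otlp_json(run), indent=1)[:400], "...")
    print("failed:", failed_spans(run))
    print("slowest leaves:", slowest_leaves(run))
```

The payload returned by `to_otlp_json` is the document you would POST to a collector’s OTLP/HTTP traces endpoint; the two query helpers stand in for what the trace UI gives you for free once every stage and test is a span.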
I also had a panel discussion while I was here on the importance of interoperability within CI/CD tooling. It went pretty well, I thought. :)
Anyway, I think the conference was totally worth it. It’s got me excited about a few new tools (OPA, supply chain, and OTel for DX) and may inform some future roadmap stuff within eBay.