The company works with several contractors and actively uses advanced digital technologies to promote products and serve customers, which require continuous development and change. However, the customer experienced a number of problems:
— there was no single unified development environment for agencies and no single code repository;
— SLAs varied from site to site and from agency to agency;
— there was no way to set and enforce uniform security requirements;
— supporting the solutions was complicated, which made support expensive.
For this reason, the company was looking for a contractor who could take over the solution and unify the company's IT infrastructure.
Key Challenges
- Deploy a single multi-tenant platform for hosting contractor applications based on Yandex Cloud.
- Unify the development/testing/production environment for various contractors.
- Simplify support for solutions through unification, rather than multiple different platforms.
- Increase solution security and pass an internal audit.
- Obtain a single SLA for infrastructure solutions for B2C sites and applications.
The ICL Services team implemented a multi-tenant DevOps platform for hosting contractor applications based on Yandex Cloud.
PaaS services are mainly used for the platform (Managed PostgreSQL/MySQL, Managed OpenSearch, Managed Kubernetes, Audit Trails, Managed Kafka, etc.).
Infrastructure deployment is automated (an IaC approach using Terraform, GitLab and Ansible). When a new agency is onboarded, a pipeline is launched that creates a separate isolated cloud with the necessary resources via Terraform; the development and testing environments, the container registry and the managed DBMS are shared by all of the agency's sites.
When onboarding a new site or application, additional resources are created:
— isolated environments for QA and production (Kubernetes cluster, managed DBMS, container registry, Lockbox, etc.);
— a dedicated group in GitLab, with the necessary project templates and CI/CD pipelines added.
The architecture of sites and applications is based on microservices, so the following tasks were also automatically performed for each new environment via the pipeline:
— installation of the Ingress controller, Helm, the S3 CSI driver, the FluentBit log collector, and Cosign for verifying container image signatures;
— integration with Lockbox, Container Registry, etc.
The DevSecOps pipeline included the implementation of the following blocks:
— SAST (Static Application Security Testing),
— SCA (Software Composition Analysis),
— DAST (Dynamic Application Security Testing),
— scanning container images for vulnerabilities.
In addition, the resulting security reports were automatically published to a single security dashboard, the Defect Dojo tool.
Publishing an application to the production environment was possible only after each scanning stage had completed successfully or the corresponding security reports had been reviewed.
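As an added example (not the project's own pipeline), the following GitLab CI skeleton shows the gated flow described above: SAST, SCA and image scanning block the pipeline, DAST is report-only, every report is uploaded to Defect Dojo, and the production deploy can only run after all scan jobs and the upload have completed. The choice of scanners (Semgrep, Trivy, OWASP ZAP), the Defect Dojo import-scan API usage, and the variables COSIGN_PRIVATE_KEY, QA_URL, DOJO_URL, DOJO_TOKEN and DOJO_ENGAGEMENT are assumptions.

```yaml
stages: [build, scan, dast, report, deploy]
variables:
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
build:
  stage: build
  script:
    - docker build -t "$IMAGE" . && docker push "$IMAGE"
    - cosign sign --key env://COSIGN_PRIVATE_KEY "$IMAGE"   # assumed key variable; cluster-side Cosign check needs a signature
sast:
  stage: scan
  script: [semgrep scan --config auto --error --json -o sast.json .]   # --error: findings fail the job
  artifacts: { paths: [sast.json], when: always }
sca:
  stage: scan
  script: [trivy fs --scanners vuln --exit-code 1 --severity CRITICAL --format json -o sca.json .]
  artifacts: { paths: [sca.json], when: always }
image-scan:
  stage: scan
  script:
    - cosign verify --key cosign.pub "$IMAGE"   # unsigned or tampered image fails here
    - trivy image --exit-code 1 --severity CRITICAL --format json -o image.json "$IMAGE"
  artifacts: { paths: [image.json], when: always }
dast:
  stage: dast
  script: [zap-baseline.py -t "$QA_URL" -x dast.xml]   # QA_URL: assumed variable with the QA site address
  allow_failure: true    # report-only: findings are reviewed on the dashboard rather than blocking
  artifacts: { paths: [dast.xml], when: always }
publish-reports:
  stage: report
  when: always           # upload even if a scan failed, so the dashboard shows why
  script:
    - |
      upload() { [ -f "$2" ] || return 0; curl -sf -H "Authorization: Token $DOJO_TOKEN" -F "scan_type=$1" \
        -F "engagement=$DOJO_ENGAGEMENT" -F "file=@$2" "$DOJO_URL/api/v2/import-scan/"; }
      upload "Semgrep JSON Report" sast.json
      upload "Trivy Scan" sca.json
      upload "Trivy Scan" image.json
      upload "ZAP Scan" dast.xml
deploy-prod:
  stage: deploy
  needs: [sast, sca, image-scan, dast, publish-reports]   # skipped automatically if a blocking scan failed
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual       # a person confirms the release after reading the reports
  script:
    - helm upgrade --install "$CI_PROJECT_NAME" ./chart --set image="$IMAGE"
```

Because `dast` has `allow_failure: true`, its findings reach the dashboard without blocking, while a CRITICAL finding in `sca` or `image-scan` stops the pipeline before `deploy-prod` becomes available.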
The project also included developing Terraform modules for Yandex Cloud PaaS services (Kafka, Redis, OpenSearch, etc.) and setting up Audit Trails.
Results
- The platform implements a standardized approach to developing, testing, implementing, securing and monitoring solutions, as well as automating these processes.
- The onboarding time for a new site has been reduced from several weeks to several hours.
- The costs of supporting the solution have been reduced due to unification and automation (up to 50%).