Internal Developer Platform
Internal Developer Platform is a technique we adopt in the garden.
Summary
This is not so much a platform itself, but rather the realization that a platform is needed for every team. This is a loose collection of items that are glued together to lessen developer cognitive burden.
Details
The IDP
The IDP isn’t a single thing. And there is no off-the-shelf solution to cover every case. Instead it is a mental framework for getting the right tooling glued together in a way that facilitates developers.
The Ops team specify the resources and templates used, when the developers trigger certain actions. The Ops team has to treat the IDP like any product team would and build it based on user research, maintain it, and continually improve it.
3 Panes of Glass
Everyone using the IDP needs 3 panes of glass:
- The IDE to code
gitto merge/push- the IDP to ship
5 Core Components
The IDP needs to have at least 1 solution in each of the 5 areas. While multiple tools are possible in each area a goal should be the minimal set of useful tools.
Application Configuration Management
Manage config in a dynamic, scalable, and reliable way
- Store app config in git repos
- Reference template by Version (stored elsewhere as an artifact)
- Reference Secrets by name (not stored in git)
- Scope should encompass all aspects of the app (external and internal)
- External: DNS, DBs, Platform
- Internal: Helm chart
Infrastructure Orchestration
Orchestrate based on context
- This is the pipeline tool. It has to support configuration of all the following:
- Pipeline - build and deployment pipelines
- Compute / Clusters - Setting up and making ready any compute resources
- 2nd touch App setup - Setting up any additional things on top of the compute
- Artifact Registry - Push and Pull artifacts
- DNS - DNS should be real
- Certs - Certs should be real and tied to DNS
- Other Resources - Anything else that might be critical
Environment Management
Enable devs to create full envs
- Envs should be setup the following ways:
- Automatic for review - It is often useful, if feasible, for an testing ENV to automatically be setup based on standard actions like a PR. This will allow the developer to have a dedicated system during development, and allow the reviewer to use that env during reviews.
- Self service - Next best thing where the Devs can setup their own envs as they need them.
- By type / Shared - Ops needs to manage a static set of envs that are maintained over time.
Deployment Management
CD
- Ideal development process
- Git push - Developer pushing code is the start CI which usually ends in Artifacts being created
- Automated deploy - Newly built artifacts trigger automatic deployment
- Trigger next steps - After the deployment is successful it should be possible to trigger the next step. That might be:
- Run acceptance tests
- Deploy to another environment
- Notify 3rd parties (i.e., close a maintenance window)
Role-based Access Control
RBAC
Manage users and permissions
- RBAC ties into Enterprise SSO. The following would be org level roles
- Member - any member of the team, usually they can access the stuff they setup
- Service Account - machine level access
- manager - manage other users
- Admin - DevOps role
- Additionally the app or env usually has roles like
- Viewer - read-only access
- Contributor - can update config (usually also a “Member”)
- Owner - full admin (usually the one that deployed the env)