Strengthening CI/CD and Security in Federal High-Performance Computing (HPC) Environments with CloudBees

In today's landscape, the rapid and accurate deployment of resources is critical. Continuous integration, delivery, and deployment (CI/CD) methodologies enable organizations to effectively manage their enterprise-scale systems. CloudBees, an Enterprise-level CI/CD solution built on Jenkins, offers powerful capabilities specifically tailored for HPC environments, addressing these unique needs.

High-Performance Computing (HPC) systems have much to gain from CI/CD, too. They need deployments that deliver changes quickly and reliably. Reducing error-prone manual operations makes high-performance computing more accurate and cost-effective. However, the benefits don’t stop there. The University of Boulder has already demonstrated success with HPC systems, using it to manage many issues, including the complexity between various build and operating system options.

While HPC organizations understand CI/CD’s benefits, they need solutions that scale and integrate into their systems while working with their regulatory and security frameworks.

CloudBees provides Enterprise level CI/CD capabilities built on top of Jenkins, the premiere open-source CI/CD platform. Let's see how CloudBees meets HPC system requirements with a secure, flexible, and audit-ready solution.

CloudBees stands as a proven solution for HPC systems, facilitating seamless integration, standardization, and faster deployments. CloudBees has demonstrated its effectiveness in managing complex environments and meeting regulatory and security frameworks.

Pipelines sit at the heart of any CI/CD system. They remove the manual effort and reduce risks in the software build, release, and delivery processes. They do this with automated processes that make operations more reliable, repeatable, and secure.

When a developer commits code, a CI/CD pipeline transforms it into releasable software. Automating this process means more than simply making it happen more quickly. It’s a less labor-intensive and more reliable operation, too. When you automate these activities, you guarantee that all your code undergoes the same building, testing, packaging, and deployment procedures. So, automated pipelines drive your standardization efforts and reduce the errors suffered with manual steps.

But what happens when these pipelines are all built from scratch by different engineers? If engineers from different DevOps teams build each of their pipelines in an HPC system, you’ve created a CI/CD system, but with few standards. This duplicates efforts, complicates fixing bugs, and makes audits challenging.

Pipelines only facilitate standards when you build them from common modules that use approved tools and methods. CloudBees makes this possible with templates for building compliant pipelines, and role-based access controls (RBAC) for governing who can change or use them.

Building pipelines from shared building blocks go a long way toward making your release process stronger and more reliable. However, you need your pipelines to run in a consistent environment, too. So CloudBees has tools to standardize building the controllers that run your build, test, and deploy steps. It also offers tools to recreate runtime environments from stored code.

Controlling who can create, modify, and run pipelines and environments are only half of the compliance job. Complex organizations need to know who performs these actions, and when. With CloudBees every aspect of your pipelines is auditable and repeatable, with logs for all user activity, including both pipeline executions and configuration changes.

For some, continuous and automated sounds risky. How can you be sure that pipelines only run when they should and stop when there’s an issue? You need gates that build and deploy jobs that can only cross when they meet specific criteria or gain the proper authorization.

For example, you may need to add entry gates to a pipeline step to prevent changes from advancing to production without management approval. Or, you need to verify that the developer tagged the change with the right information before it advances to the build stage.

CloudBees supports manual gates. This means an approver must click a button before any pipeline advances to the gated step. The controller does this by sending emails to a list of personnel with the authority to approve or reject the job. If they approve it, the pipeline proceeds. If they reject the job, the pipeline halts, and the controller halts the process.

CloudBees has automated gates, too. They’re opened or closed based on runtime information. These gates can run procedures that query external systems, or they can evaluate criteria for the job. Like the manual gates, the pipeline only advances if the job meets the criteria.

Secure and authorized software deployments are vital. CloudBees offers comprehensive entry and exit gates within CI/CD pipelines, enabling the implementation of strict authorization protocols aligned with federal compliance requirements. These gates ensure that changes advance only when specific criteria are met, safeguarding the integrity and security of enterprise systems.

When controllers execute pipeline steps, they need credentials to check out code, commit changes, run builds, execute tests, deploy packages, and other activities required to get their jobs done. Managing these credentials in a secure environment with regulatory requirements can be difficult and time-consuming. As a result, some organizations fall back on deprecated practices, such as shared credentials or running jobs with elevated privileges.

With CloudBees, administrators manage credentials from a central location. This simplifies compliance with security regulations, encourages best practices, and enhances the system’s overall security posture. Admins can create individual entitlements for each controller or role without worrying about creating unnecessary complexity. With centralized control, it’s easier to ensure that controllers only have access to the resources they need.

CloudBees Platform role-based access controls (RBAC) simplifies building sophisticated authorization models. It supports security roles and permissions for jobs and projects, as well as folders that make it easy to control access to jobs. All these mechanisms are accessible from a centralized server and tie into your existing authentication systems with plugins for enterprise name services like LDAP.

Centralized credential management and RBAC go a long way toward securing enterprise CI/CD, but supply chain attacks are one of the most prevalent security concerns today. The Jenkins ecosystem relies heavily on plugins, so users need protection from these attacks so they can take advantage of its active user community.

With the CloudBees Assurance Program, you can safely add and update plugins to your pipelines. The program is a rigorous vetting process that tests and verifies plugins are ready for the enterprise. Only code that is stable, compatible with other plugins, and safe from attackers, are available for installation on your site.

HPC administrators need visibility into their pipelines and releases. This is especially important in a high-speed environment with extensive automation. Verifying builds and deployments after they’ve run doesn’t scale, so only real-time is satisfactory. They need a centralized view, with a single place to view release status, monitor workloads, and generate custom reports with a single click. 

CloudBees administrators can build a customized view with multiple dashboards, where they can access reporting functions for scheduling, auditing, and tracking pipelines. These reports don't stop at DevOps Research and Assessments (DORA) metrics: they are audit-ready and are useful for monitoring release performance and value stream management.

These analytics tools also track historical workload growth, with visibility across demand cycles. HPC administrators can find patterns, anticipate capacity issues, and see unexpected spikes in demand. So, they can take preemptive action to avoid bottlenecks and prevent unplanned downtime.

HPC systems rely on a variety of domain-specific tools. CloudBees seamlessly integrates with widely used tools in enterprise environments, such as EasyBuild, Spack, Singularity, and Puppet. These integrations ensure the compatibility and interoperability of HPC workflows, empowering federal agencies to leverage their existing tools while benefiting from CloudBees' CI/CD capabilities.

HPC users require the latest updates to the applications they use for research and development. This software is often complex, so the systems use domain-specific tooling that addresses these needs, as well as mainstream packages for managing large-scale systems. When HPC system administrators look to adopt CI/CD, they need a platform that works with their existing tools.

In their paper documenting the Summit supercomputer's infrastructure, the University of Colorado Boulder (UCB) covered how they integrated tools commonly used for HPC systems with Jenkins-based CI/CD. These tools included EasyBuild, Spack, Singularity, and Puppet.

EasyBuild is a software build and installation framework for managing scientific software on HPC systems. Like any build system, it can be driven from a Jenkins build job. EasyBuild also has Jenkins-specific features like XML output files to specify unit tests. Administrators can easily create EasyBuild templates to be shared across jobs and departments.

Spack is a packaging tool for HPC systems. Like EasyBuild, it can be driven by a Jenkins build job to build packages, push them to a repository, and then install them on target nodes or in containers.

Singularity is a container system with enhanced features for HPC applications. UCB developers built their code with Singularity to take advantage of its enhanced security model and used a local Singularity Registry for deploying the containers. They used Jenkins jobs to run all these operations.

Even in an HPC environment that runs containerized applications, administrators need infrastructure automation tools like Puppet to automate managing their servers and cluster. Jenkins has offered integrations with Puppet for deployments for many years.

CloudBees serves as a valuable solution tailored for HPC environments. It offers centralized management, powerful automation, and continuous monitoring capabilities necessary for efficient software delivery. By leveraging CloudBees, enterprises enhance their risk posture, improve software quality, and accelerate their ability to deliver secure and compliant solutions.

For federal agencies operating in HPC environments, CloudBees provides a robust CI/CD solution that addresses the unique challenges and compliance requirements they face. By implementing CloudBees, federal organizations can strengthen their CI/CD processes, ensure regulatory compliance, and bolster security, ultimately enhancing their ability to deliver high-performance solutions efficiently and reliably.