Jump to Category
| 🚀 Pipeline Strategy & Architecture | 🎯 Advanced Deployment Patterns |
| 🛡️ Security in the Pipeline (DevSecOps) | 🛠️ Infrastructure & Tooling |
| 📊 Metrics & Observability |
Pipeline Strategy & Architecture
1. Compare Trunk-Based Development with GitFlow. How does each affect a CI/CD pipeline?
- GitFlow: Uses long-lived feature branches, a `develop` branch, and a `main`/`master` branch. It’s structured but can lead to large, complex merges and slower feedback loops. In CI/CD, this often results in separate pipelines for feature branches, develop (deploying to staging), and main (deploying to production).
- Trunk-Based Development (TBD): All developers commit directly to a single `main` branch (or short-lived feature branches that merge quickly). This approach requires strong automated testing and often uses feature flags to manage releases. It enables much faster integration and deployment cycles, aligning perfectly with true continuous delivery. The CI/CD pipeline is simpler, focused on validating and deploying the `main` branch rapidly.
TBD is generally preferred for teams practicing mature CI/CD as it maximizes feedback speed and reduces merge complexity.
Read about Trunk-Based Development.2. What are the CI/CD challenges in a monorepo vs. a polyrepo setup?
- Monorepo (single repository for all services):
- Challenge: The primary challenge is building and deploying only what has changed. A naive setup would build and test everything on every commit, which is slow and expensive.
- Solution: Implement path-based filtering in your CI pipeline to identify which projects or services are affected by a change and only trigger the relevant build/test/deploy workflows.
- Polyrepo (one repository per service):
- Challenge: Managing dependencies and orchestrating deployments across multiple repositories. A change in a shared library can trigger a complex cascade of builds in downstream services.
- Solution: Use versioning for shared libraries, create automated pipelines that trigger downstream builds upon a successful library release, and use tools to visualize cross-repo dependencies.
3. How would you design a reusable and scalable pipeline architecture?
The key is to create abstractions and avoid duplicating pipeline logic.
- Templates/Shared Libraries: Use features like GitLab CI/CD `include`, GitHub Actions `composite actions` or `reusable workflows`, or Jenkins `Shared Libraries`. This allows you to define a standard template for stages like `build`, `test`, and `deploy`.
- Parameterization: Design templates to accept parameters (e.g., application name, cloud environment, resource size). Individual application pipelines can then call these templates with their specific values.
- Containerization of Build Tools: Define your build environment in a Docker image. This ensures that all builds run in a consistent, reproducible environment, regardless of the CI runner’s configuration.
4. What is “Pipeline as Code”? What are its benefits?
Pipeline as Code is the practice of defining your CI/CD pipeline’s configuration in a version-controlled file (e.g., a `Jenkinsfile`, `.gitlab-ci.yml`, or `azure-pipelines.yml`) that lives alongside your application code.
Benefits:
- Version Control: The pipeline is versioned, auditable, and can be reviewed in pull requests just like any other code.
- Reproducibility: You can easily recreate a pipeline and track its history.
- Collaboration: All team members can see and contribute to the pipeline’s definition.
- Automation: It enables fully automated setup and management of build and deployment processes.
Advanced Deployment Patterns
5. Compare Blue-Green and Canary deployments.
- Blue-Green Deployment: You maintain two identical production environments, “Blue” (the current live version) and “Green” (the new version). You deploy and test the new version on the Green environment. To go live, you switch the router to direct all traffic from Blue to Green. This provides instant rollback by simply switching back. It’s simpler but can be expensive as it requires double the infrastructure.
- Canary Deployment: You gradually roll out the new version to a small subset of users. You start by directing a small percentage of traffic (e.g., 1%) to the new version (the “canary”). You then monitor for errors and performance issues. If all is well, you gradually increase the traffic to the new version until it handles 100%. This allows you to test in production with minimal impact but is more complex to implement and monitor.
6. How do feature flags complement CI/CD and enable progressive delivery?
Feature flags (or feature toggles) allow you to decouple code deployment from feature release. You can deploy new, incomplete code to production behind a disabled flag. This allows for continuous integration to the main branch without affecting users.
They enable **progressive delivery** by allowing you to turn the feature on for specific user segments (e.g., internal testers, beta users, or a percentage of all users) directly in production. This provides fine-grained control over a release, allows for testing in a real-world environment, and provides an instant “kill switch” to disable a faulty feature without needing to redeploy.
Read Martin Fowler’s article on Feature Toggles.7. How would you design an automated rollback strategy?
An automated rollback strategy relies on real-time monitoring. The process would be:
- After a deployment, the CI/CD pipeline enters a “monitoring” phase.
- It queries a monitoring tool (like Prometheus or Datadog) for key application metrics (e.g., error rate, request latency) for a defined period.
- If these metrics cross a predefined alarm threshold (e.g., error rate spikes above 5%), the pipeline automatically triggers a rollback.
- The rollback action would be to redeploy the previous stable version of the application artifact. For example, in Kubernetes, this could be as simple as running `kubectl rollout undo deployment`.
8. What is a “GitOps” workflow?
GitOps is a paradigm for managing infrastructure and applications where a Git repository is the single source of truth. The desired state of the entire system is declared in a Git repo. An automated agent (like Argo CD or Flux) continuously compares the live state of the cluster with the state defined in Git. If there is a discrepancy, the agent automatically updates the live state to match the repository. All changes, including infrastructure updates and application deployments, are made via pull requests to the Git repo, providing a fully auditable and version-controlled operational model.
Security in the Pipeline (DevSecOps)
9. What is DevSecOps? Explain how you would integrate SAST, DAST, and SCA tools into a pipeline.
DevSecOps is the practice of integrating security testing and practices into every phase of the software development and deployment lifecycle, rather than treating it as a final step.
Integration into a pipeline would look like this:
- SAST (Static Application Security Testing): Integrated early in the CI process, often as a step after code is checked out. It scans the raw source code for potential vulnerabilities (e.g., SQL injection flaws, hardcoded secrets). Tools include SonarQube, Checkmarx.
- SCA (Software Composition Analysis): Runs after dependencies are installed. It scans all open-source libraries and their transitive dependencies for known CVEs (Common Vulnerabilities and Exposures). Tools include Snyk, OWASP Dependency-Check.
- DAST (Dynamic Application Security Testing): Runs later in the pipeline, against a running application in a staging or test environment. It probes the application from the outside, simulating attacks to find runtime vulnerabilities like XSS. Tools include OWASP ZAP, Veracode.
10. How should secrets be managed and used in a CI/CD pipeline?
Secrets (like API keys, database passwords, and cloud credentials) should never be stored in plaintext in the repository or CI/CD configuration.
The best practice is:
- Store all secrets in a dedicated secrets management tool like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.
- The CI/CD pipeline’s runner or agent authenticates to the secrets manager using a secure, short-lived identity (e.g., an IAM role or workload identity).
- The pipeline job fetches the required secrets at runtime, injects them into the environment for the duration of the job, and they are never logged or stored permanently on the runner.
11. What is container image signing and why is it important?
Image signing is the process of cryptographically signing a container image to verify its authenticity and integrity. When you build an image, you can sign it with a private key. Before deploying the container, your runtime environment (like a Kubernetes admission controller) can verify this signature against a public key.
This is important because it ensures that the image being deployed is the exact one that was built by your trusted CI pipeline and has not been tampered with. It protects against running unauthorized or malicious images in your production environment. Tools like Cosign (part of Sigstore) are commonly used for this.
12. How do you secure the CI/CD pipeline itself?
Securing the pipeline is as important as securing the application. Key measures include:
- Principle of Least Privilege: The CI/CD service and its runners should have the minimum permissions necessary to perform their jobs.
- Branch Protection Rules: Enforce code reviews and passing status checks before code can be merged into the main branch.
- Secrets Management: Use a dedicated secrets manager instead of environment variables.
- Runner Security: Use ephemeral, isolated runners for each job to prevent cross-contamination. Keep runner software and dependencies patched.
- Audit Logs: Regularly review audit logs for your CI/CD system to detect suspicious activity.
Infrastructure & Tooling
13. How does Infrastructure as Code (IaC) fit into a CI/CD pipeline?
IaC (using tools like Terraform or Bicep) is integral to a mature CI/CD pipeline. The infrastructure code is stored in a Git repository, just like application code.
A typical workflow is:
- A developer submits a pull request with IaC changes.
- The CI pipeline runs a `terraform plan` (or equivalent) and posts the output to the PR for review. This shows exactly what infrastructure changes will be made.
- Once approved and merged, a CD pipeline automatically runs `terraform apply` to provision or update the infrastructure.
This ensures that all infrastructure changes are peer-reviewed, auditable, and applied consistently.
Read about CI/CD with Terraform.14. What are some strategies for speeding up a slow CI pipeline?
- Caching: Cache dependencies (like npm packages or Maven artifacts) and Docker layers between runs so they don’t have to be downloaded or rebuilt every time.
- Parallelization: Run independent jobs (like unit tests, linting, and integration tests) in parallel stages. Many test runners also support parallelizing tests across multiple machines.
- Optimizing Build Steps: Use multi-stage Docker builds to leverage the build cache effectively. Ensure you are not running unnecessary steps.
- Larger Runners: Use CI runners with more CPU and memory, especially for compile-heavy or computationally intensive tasks.
15. What is the difference between self-hosted and cloud-managed CI/CD runners?
- Cloud-managed Runners (e.g., GitHub-hosted runners): Maintained by the CI/CD provider. They are simple to use and provide a clean, ephemeral environment for every job. The downside is that they can be more expensive and offer less customization.
- Self-hosted Runners: You manage the virtual machines or containers that run the CI jobs. This provides full control over the hardware, operating system, and installed software. It can be more cost-effective and is necessary when your jobs need access to resources in a private network. However, it adds operational overhead for maintenance and security.
16. What is the “shift-left” principle in the context of CI/CD?
“Shift-left” is the practice of moving testing, quality, and security checks as early as possible (to the “left”) in the development lifecycle. Instead of waiting for a late-stage QA or security review, these checks are integrated directly into the developer’s workflow and the automated CI pipeline. This includes running static code analysis, vulnerability scans, and unit tests on every commit. The goal is to catch issues earlier when they are easier and cheaper to fix.
Metrics & Observability
17. What are the four DORA metrics and why are they important?
The DORA (DevOps Research and Assessment) metrics are four key metrics used to measure the performance of a software development and delivery process. They are:
- Deployment Frequency: How often an organization successfully releases to production.
- Lead Time for Changes: The amount of time it takes to get a commit from development into production.
- Mean Time to Recovery (MTTR): How long it takes to restore service after a production failure.
- Change Failure Rate: The percentage of deployments that cause a failure in production.
They are important because they provide a data-driven way to measure DevOps maturity and identify areas for improvement in your CI/CD pipeline and development culture.
Explore the DORA research program.18. What is a value stream map in the context of software delivery?
A value stream map is a lean management tool used to visualize the entire flow of work required to deliver a feature, from idea to production. In CI/CD, this involves mapping out every step: planning, coding, code review, CI build, testing, security scans, deployment, and release. For each step, you measure the active time and the wait time. The goal is to identify bottlenecks and waste (especially wait times) in the delivery process and find opportunities for automation and improvement.
19. How would you add observability to your CI/CD pipeline itself?
You can add observability by treating your pipeline as a production system. This involves:
- Logging: Ensuring all pipeline steps produce structured logs that can be shipped to a central logging system for analysis.
- Metrics: Tracking key pipeline metrics, such as build duration, success/failure rates, and queue times. These can be exported to a monitoring system like Prometheus or Datadog.
- Tracing: For complex, multi-stage pipelines, you can use distributed tracing to visualize the entire workflow and identify which specific steps are causing delays.
20. What is the purpose of a release candidate (RC)?
A release candidate is a build or version of your software that is potentially ready to be a final release. After passing all automated tests in the CI pipeline, a build is promoted to an RC. This RC is then deployed to a staging or pre-production environment for final validation, such as manual exploratory testing, user acceptance testing (UAT), or performance testing. If the RC passes all these checks without any critical issues being found, it can be promoted and deployed to production as the final, stable release.