An Overview of GitLab's DevOps platform
At the Open Source Summit this summer I spoke with Brendan O'Leary of GitLab. Some of the topics we touch on in the interview below are GitLab's end-to-end toolchain, their cloud agnosticism, their focus on security and how, while they operate in multicloud environments, their typical customer tends to prefer hosting GitLab themselves rather than in the public cloud.
Transcript:
Brendan O’Leary - GitLab
[00:00:00] Barton: All right, coming to you live from the Open Source Summit here at the JW Marriott in lovely Austin, Texas. I'm here with Brendan O'Leary. How are you, sir?
[00:00:08] Brendan O'Leary: I'm great. Thanks for having me.
[00:00:10] Barton: So you are with GitLab, let's start with what is GitLab?
[00:00:15] Brendan O'Leary: Sure. GitLab is a complete DevOps platform and so what that means is it allows you to go all the way from collecting ideas about what's gonna get worked on through developing the code and working together, through deploying it and then observing it in production. GitLab has tools for all of that as one DevOps platform that we deliver.
[00:00:38] Barton: That's probably news to some people who've heard about you, but don't know a ton and thinking of you more on the, the front end only. How have you been building out as a tool chain?
[00:00:49] Brendan O'Leary: That’s a really good point. Even having git in our name. We began life as a source control tool which can easily make [00:01:00] you think just about source control which of course is the managing of all the files that are involved in creating a software product. You can think of it as a bunch of folders of files together and we're all editing in it and that would be chaos. Well, a source code management tool helps you manage that chaos anyway. So that's how we started life, but then our customers, often large enterprises, wanted to host their own, and then wanted to do a lot more with it.
So we ended up adding CI/CD, originally as a separate product, but then we integrated it into one platform and we saw a lot of emergent benefits we weren't necessarily expecting. Then as we started to continue to build out, we looked at before you code, i.e. enterprise agile planning kind of tooling, and then after you deploy, i.e. observability. We recently acquired a company called Opstrace to bring even more observability into the platform. We really believe that having one platform is the most efficient way to deliver better software faster and building software more quickly is becoming the way [00:02:00] you compete in every industry.
[00:02:02] Barton: So are you finding that your customers are doing an equal mix of using the platform as is, as well as pulling out some of the components and putting in quote, unquote best of breed?
[00:02:13] Brendan O'Leary: Sure. We definitely have a lot of integration with other tools. Not every customer starts at the same place. They don't need to rip and replace tools that they already have and like to use. They could maybe start by using source code management and the other pieces of GitLab, and then slowly adopt the platform over time. What we do see is that customers that start to adopt additional stages actually then have an accelerated adoption rate and so we do think that there's another proof point to this thesis on a DevOps platform having a lot of value. But that's not how everyone starts. Sometimes they just start with source code and then learn from there.
[00:02:56] Barton: So one axis would be building [00:03:00] out your solution with regards to capabilities. Another one could be size of the project that you can handle so if I start out small and then I end up having a much bigger effort, do you replace certain parts? Do you have modules you put on top of others to help you grow? How does that work?
[00:03:18] Brendan O'Leary: Sure. It's really designed to be used by a single developer or by a large enterprise customer. The difference is not across that axis, even our free tier, where we're based on an open source GitLab, even that tier has the entire DevOps life cycle in it. The tools that we built on top of that, that are part of our open core model, are the ones that enterprises need to really understand across the enterprise. How is development going? Get the kind of enterprise standards enforced across the organization. So I wouldn't say it's necessarily that you use different tools but I do think [00:04:00] you end up using things differently, depending on the scale of, like you said, the scale of the project or the scale of the company that's using it. Those things really factor into how you use those tools.
[00:04:11] Barton: So how would it work if I'm using a private cloud and I want to use your tool chain and I'm also working in AWS meaning I'm working in a multi-cloud environment. How would you take the GitLab chain and utilize it in, in those scenarios?
[00:04:28] Brendan O'Leary: That's a great question, and actually it's one of the big benefits that GitLab has in the market is that we're cloud agnostic. We don't have a cloud that we're associated with or own. We're not trying to drive compute in another cloud or our cloud. So that ability to be cloud agnostic has really enabled a lot of our customers who are deploying to multiple places. Some public clouds and maybe also private cloud.
As we see, heavily regulated industries learning and [00:05:00] understanding how public cloud and private cloud have to integrate. Those are a lot of our customers who are going through those same questions in their organizations right now and the nice thing is they can use the same process and the same tooling, no matter what cloud they're deploying to. And they might have their developers not have to worry about that, right? Like let's build the code that we want to build and then deploy it the way that the organization needs to.
[00:05:24] Barton: Cool. And so now let's talk about new buzzwords. So we've got DevOps, you've got DevSecOps. You've got AIOps. You've got GitOps. So since you're GitLab, what is GitOps and how do you play in there?
[00:05:36] Brendan O'Leary: So I think that's the buzz thing to do. You can create a buzzword just by putting ops on the end of it. So the idea of GitOps, I really see it as an evolution of DevOps. I've been in the DevOps space for a long time and I built software before we had the term DevOps, and I remember this inability to easily collaborate with the operators of the software versus the developers. [00:06:00] So I think GitOps is maybe almost a natural progression of that to say, Hey, not only are we gonna be working together, we're gonna use the git mentality for a lot of things.
The state of what our infrastructure should be stored in git as well and handled in source control and made a merge request. If we want to change it we evaluate the change and we have approval on the change. And then we implement the change, the same thing we do with software, we want to do with the entire operation of the company.
And so that I think is where GitOps comes in and then when you associate GitOps and Kubernetes together you get into some pretty buzzy words. I think that really, it was born out of Kubernetes, this idea that we have this elastic compute, and we want to be able to describe that infrastructure as code. But I think it's a concept that can apply in many areas, to say, Hey, we want to really make every process change we make be just like how we make code and that's [00:07:00] gonna enable all the security points we need, but it's also gonna enable us to be able to collaborate.
[00:07:05] Barton: So, speaking of security, I'm learning here about the concept of software supply chain. Is that something that you have a special focus on?
[00:07:16] Brendan O'Leary: Yes, it is, we have a number of security tools built into the platform, right? You mentioned DevSecOps earlier, right? That has to be part of it as well. And so we have a number of security tools. One is focused on open source and the supply chain that comes in. Right. And what are the known vulnerabilities there?
[00:07:37] Barton: Could you explain for people that don't know, when you say the supply chain, what does that mean in this case?
[00:07:41] Brendan O'Leary: Sure. So when we say supply chain in the general, we're talking about raw materials that come in from suppliers that you then add value to and ship out and really in software, the way that software's built today, it's really no different. Most software that you see or run or see run [00:08:00] in the world has a lot of what was called open source tools underneath it. These things that folks work on collaboratively together in the open and it's available for anyone to use. And so it's very rare to find a piece of software today that doesn't have one, or more likely, many open source projects that it brings in as part of its code. So that is kind of like where all materials that comes in.
So the concern there is if someone's able to infiltrate that supply chain or find a vulnerability in that supply chain, well now you have that, right? Because you've taken those materials in, it's now part of your problem. So that's why there’s been this big focus on understanding what comprises the software solution, maybe not the easiest question to answer all the time. Right. We've gotta answer that correctly so that we can then understand what vulnerabilities may exist given that set of items.
Barton: So as you look forward, where do you see GitLab going? [00:09:00] What are some of the areas you're heading into? Also, if someone was trying to decide, should I use GitLab or that other company that starts with Git, where are the places, situations or customer profiles where you say you are strongest? Where would you say you’re the obvious choice?
Brendan O'Leary: Sure. So, first, what are we looking at? This focus on the software supply chain is where the whole world is kind of focused right now. The EU Commission is looking into it. President Biden, in the United States, issued an executive order specifically about securing the software supply chain. So it's on everyone's mind, including politicians, so I think that'll be with us for some time until we were able to standardize and work as an industry to find the right way to solve some of those problems.
I also think that observability is something that is even still in its infancy. It's something we've been talking about as an organization or as an industry for a long time but I think we're gonna see more. This will give [00:10:00] context to what we can observe about how the software is acting in the real world and bringing that context back into a platform where we can understand the impact that developers are having by their changes. So I think those are the two things I'm really looking at, going forward or at least in the short term.
And then as far as GitLab or GitHub, the way we grew into a DevOps platform is we had customers in the enterprise that needed that. So there was a pretty big difference for a while, we went wide on DevOps while they went really deep on source code management and being the home of open. Now since then they've added some other tooling that is in the security space and these other ways.
So I think that proves to us even more the theory that a DevOps platform is how you're going to deliver software going forward. And of course we could feature by feature compare them, but I think GitHub and github.com is the home of open source, I think that’s undisputed. I think a more typical customer for us might want [00:11:00] not to host in the cloud or they might wanna use our GitLab.com but they might wanna host it themselves. And so we have a lot of large enterprises or folks with a lot of regulation placed on them for one reason or other that need to run it themselves in a private cloud or even disconnected from the public internet. That's where we see a lot of growth and a lot of customers that are starting to realize, Hey, once we have this, now we can do so much more and we can again do that all in a disconnected world.
Barton: Cool. And then just to end with, if we zoom out and I'm looking to get into the DevOps space or I wanna lead an effort to do that within my company, What are some of the things you think people should keep in mind? What are the key things they should focus on and key things they should avoid?
Brendan O'Leary: Sure. DevOps has been around for, I don't know, 15 years now, maybe a little less, and I think we're still all learning together what it means. And so I think it's key to plan on to be learning all [00:12:00] of the time. Step one and then step two, I think, is to remember that, while it may be a job title somewhere, it is definitely more than a job title. It's about a process and it's about bringing people together. And those two things are typically much harder than software. But a lot of times as engineers we like to focus on the software first and, what's the tool I'm gonna use and da, da, da.
Barton: Technical gravity is how I heard it described.
Brendan O'Leary: Technical gravity, I like that. So I would say again, if someone's getting into it, I think you're going to see yourself have a lot more impact on either your own personal growth or on the growth of your organization if you are able to remember, people then process then software, in that order.
Barton: Cool. Brendan O’Leary thank you so much.