Delivery Operations: The Path from Code to Production
Fabian Peter 7 Minuten Lesezeit

Delivery Operations: The Path from Code to Production

GitLab, Harbor, and ArgoCD: Modern Delivery Workflow
compliance-campaign-2026 delivery-operations ci-cd gitops deployment workflow
Ganze Serie lesen (40 Artikel)

Diese Serie erklärt systematisch, wie moderne Software compliant entwickelt und betrieben wird – von EU-Regulierungen bis zur technischen Umsetzung.

  1. Compliance Compass: EU Regulations for Software, SaaS, and Cloud Hosting
  2. GDPR: Privacy by Design as the Foundation of Modern Software
  3. NIS-2: Cyber Resilience Becomes Mandatory for 18 Sectors
  4. DORA: ICT Resilience for the Financial Sector Starting January 2025
  5. Cyber Resilience Act: Security by Design for Products with Digital Elements
  6. Data Act: Portability and Exit Capability Become Mandatory from September 2025
  7. Cloud Sovereignty Framework: Making Digital Sovereignty Measurable
  8. How EU Regulations Interconnect: An Integrated Compliance Approach
  9. 15 Factor App: The Evolution of Cloud-Native Best Practices
  10. 15 Factor App Deep Dive: Factors 1–6 (Basics & Lifecycle)
  11. 15 Factor App Deep Dive: Factors 7–12 (Networking, Scaling, Operations)
  12. 15 Factor App Deep Dive: Factors 13–15 (API First, Telemetry, Auth)
  13. The Modern Software Development Lifecycle: From Cloud-Native to Compliance
  14. Cloud Sovereignty + 15 Factor App: The Architectural Bridge Between Law and Technology
  15. Standardized Software Logistics: OCI, Helm, Kubernetes API
  16. Deterministically Checking Security Standards: Policy as Code, CVE Scanning, SBOM
  17. ayedo Software Delivery Platform: High-Level Overview
  18. ayedo Kubernetes Distribution: CNCF-compliant, EU-sovereign, compliance-ready
  19. Cilium: eBPF-based Networking for Zero Trust and Compliance
  20. Harbor: Container Registry with Integrated CVE Scanning and SBOM
  21. VictoriaMetrics & VictoriaLogs: Observability for NIS-2 and DORA
  22. Keycloak: Identity & Access Management for GDPR and NIS-2
  23. Kyverno: Policy as Code for Automated Compliance Checks
  24. Velero: Backup & Disaster Recovery for DORA and NIS-2
  25. Delivery Operations: The Path from Code to Production
  26. ohMyHelm: Helm Charts for 15-Factor Apps Without Kubernetes Complexity
  27. Let's Deploy with ayedo, Part 1: GitLab CI/CD, Harbor Registry, Vault Secrets
  28. Let's Deploy with ayedo, Part 2: ArgoCD GitOps, Monitoring, Observability
  29. GitLab CI/CD in Detail: Stages, Jobs, Pipelines for Modern Software
  30. Kaniko vs. Buildah: Rootless, Daemonless Container Builds in Kubernetes
  31. Harbor Deep Dive: Vulnerability Scanning, SBOM, Image Signing
  32. HashiCorp Vault + External Secrets Operator: Zero-Trust Secrets Management
  33. ArgoCD Deep Dive: GitOps Deployments for Multi-Environment Scenarios
  34. Guardrails in Action: Policy-Based Deployment Validation with Kyverno
  35. Observability in Detail: VictoriaMetrics, VictoriaLogs, Grafana
  36. Alerting & Incident Response: From Anomaly to Final Report
  37. Polycrate: Deployment Automation for Kubernetes and Cloud Migration
  38. Managed Backing Services: PostgreSQL, Redis, Kafka on ayedo SDP
  39. Multi-Tenant vs. Whitelabel: Deployment Strategies for SaaS Providers
  40. From Zero to Production: The Complete ayedo SDP Workflow in an Example

TL;DR

  • Delivery Operations describe the journey from code in your version control to running workloads in production – including build, test, packaging, security scans, deployment, and monitoring.
  • Unlike Platform Operations (cluster, network, basic services), Delivery Operations focus on reproducible, traceable, and automated processes that address both technical quality and regulatory requirements.
  • A well-designed end-to-end workflow – Code → CI → Package → Scan → Deploy → Monitor – is the most effective lever to pragmatically implement requirements from the Cyber Resilience Act, NIS‑2, DORA, and Data Act.
  • Key compliance components include SBOMs, CVE scanning, signed artifacts, a robust audit trail, and the exit capability of your platform – all embedded in a streamlined developer experience.
  • ayedo provides an integrated environment with its Software Delivery Platform, where Delivery Operations, Compliance, and modern Cloud-Native technology are combined – including pre-configured workflows, guardrails, and a consistent delivery workflow demo.

Delivery Operations as a Counterpart to Platform Operations

When we talk about modern Cloud-Native environments, terms like Kubernetes, Observability, or Infrastructure as Code often come up. These are classic topics of Platform Operations: building and operating the technical foundation – i.e., clusters, network, storage, logging, identity, and the underlying platform.

Delivery Operations complement this perspective: They describe everything that happens between commit and production. While Platform Teams ensure that your Kubernetes clusters are available, secure, and performant, Delivery Teams ensure that changes to your business application reliably, reproducibly, and auditable land in these clusters.

Typical tasks of Delivery Operations:

  • Designing standardized CI/CD workflows
  • Defining quality gateways (tests, security scans, reviews)
  • Handling container images, charts, and other release artifacts
  • Establishing GitOps mechanisms for deployments
  • Building guardrails that automatically enforce best practices and compliance requirements

In a regulated environment – such as the financial sector or critical infrastructures – Delivery Operations are the bridge between technical requirements and legal regulations. They translate regulations into concrete, everyday workflows.

From Commit to Monitoring: The End-to-End Workflow

A mature delivery workflow follows a clear, repeatable pattern. A proven reference model is:

Code → CI → Package → Scan → Deploy → Monitor

Each of these steps contributes to the overall responsibility – technically, organizationally, and regulatorily.

1. Code and Continuous Integration (CI)

It all starts with the code in a versioning system like GitLab or GitHub. Here, you:

  • Create feature branches
  • Create merge requests
  • Conduct code reviews
  • Trigger quality checks like linting and tests

From the perspective of Delivery Operations, two points are crucial:

  1. Automation: Every commit to relevant branches triggers a CI pipeline. This ensures that tests and analyses are not “forgotten.”
  2. Traceability: Merge requests, reviews, approvals, and pipeline results together form a chronological audit trail. For NIS‑2 and DORA, this traceability is a cornerstone of security and risk management.

Even in the CI phase, compliance requirements can be made controllable: through binding review rules, mandatory tests, and SAST/dependency scans.

2. Build & Package: From Code to Artifacts

The next step is to generate deployable units from the verified code:

  • Container images
  • Helm charts or other deployment templates
  • Possibly additional packages (e.g., CLI tools, libraries)

Important here:

  • Immutable Artifacts: Each build result is uniquely versioned and no longer changed. This facilitates rollbacks and is a prerequisite for a robust audit trail.
  • Central Registry: Container images and charts are stored in a trusted registry like Harbor. Accesses are controlled, and there are clear rules about which registries are considered “trusted.”

Delivery Operations ensure that these steps are standardized – in the form of reusable pipeline templates instead of individual scripts in each project.

3. Scan & Sign: Anchoring Security and Integrity

Before artifacts move towards production, they are checked and signed. Three elements work together:

  1. CVE Scanning: Container images and possibly libraries are automatically checked for known vulnerabilities. Modern registries can scan images upon push or regularly in the background and provide results.
  2. SBOM Generation: A Software Bill of Materials (SBOM) describes what components your artifact consists of. It is central to the Cyber Resilience Act, which came into force on January 7, 2024, and applies widely from January 7, 2027. SBOMs enable transparency and faster response to new vulnerabilities.
  3. Signed Artifacts: Signatures ensure that an image or chart originates unchanged from your build process. Clusters or deployment systems can verify signatures and only accept approved artifacts.

For Delivery Operations, this means: Scans and signatures are no longer optional “add-ons” but a fixed part of the standard workflow. The transition “Package → Scan → Deploy” only occurs if defined security gates are met.

4. Deploy: GitOps and Guardrails

Deployment today is rarely a single “kubectl apply” command but a process that:

  • Describes the desired state of the application in Git (GitOps)
  • Uses automation (e.g., ArgoCD) to synchronize this state to target clusters
  • Is secured by policies and guardrails in the clusters themselves

From a Delivery Operations perspective, the following aspects are crucial:

  • Git as Single Source of Truth: Configurations for staging and production are versioned in separate repositories or folders. Changes to the runtime environment undergo the same review and approval process as code.
  • Guardrails in the Cluster: Admission controllers and policy engines (e.g., Kyverno) implement technical guardrails: no privileged containers, no “latest” tags, mandatory network policies, minimum replica counts in production. Such guardrails standardize security and reliability – and significantly reduce the risk of misconfigurations.
  • Release Strategies: Canary releases, blue/green, or progressive rollouts are part of the toolkit. Delivery Operations define the framework in which specialist teams can safely experiment.

For NIS‑2 and DORA, consistent change processes, authorization models around deployments, and the technical enforcement of security policies are particularly relevant.

5. Monitor: Feedback Loop and Audit Trail

After deployment, the really important part begins: observing, learning, optimizing.

This includes:

  • Metrics and Dashboards: Latency, error rates, SLO tracking, capacity metrics
  • Logs and Traces: For error analysis, but also for forensic investigation in case of incidents
  • Deployment History: Which version ran when, who approved it, and what checks did it pass?

For DORA, which becomes applicable on January 17, 2025, this part is critical: Operational resilience is not just a matter of backups and SLAs, but also of transparency, responsiveness, and clearly defined processes in case of disruptions.

Delivery Operations and Regulation: CRA, NIS‑2/DORA, Data Act

Regulatory requirements often seem abstract. Delivery Operations help translate them into concrete, automatable building blocks.

Cyber Resilience Act: SBOM, Vulnerability Management, Updates

The Cyber Resilience Act (in force since January 7, 2024, largely applicable from January 7, 2027) requires, among other things:

  • Transparency about used components (SBOM)
  • Structured vulnerability management
  • Secure update mechanisms throughout the product lifecycle

Delivery Operations address these points by:

  • Anchoring SBOM creation as a fixed step in the pipeline
  • Conducting and documenting CVE scans automatically
  • Defining processes for responding to new vulnerabilities (hotfix branches, accelerated release paths, communication routines)
  • Making update processes reproducible – from the new version to the actual rollout in production

This creates a robust framework that not only “ticks off” CRA requirements but integrates them into the teams’ daily routine.

NIS‑2 and DORA: Governance, Auditability, Resilience

The NIS‑2 directive (in force since January 16, 2023, implementation deadline for member states by October 17, 2024) and DORA (in force since January 16, 2023, applicable from January 17, 2025) aim for increased resilience of critical and digital services.

Relevant aspects in the context of Delivery Operations:

  • Clear Responsibilities: Who is allowed to deploy what? Which roles are involved in approvals?
  • Audit Trail over the Entire Lifecycle: From commit and review through tests and scans to deployment – everything is traceably documented.
  • Standardized Change Processes: Changes to productive systems follow defined paths; emergency procedures are clearly described and technically supported.
  • Regular Evaluation of Measures: The effectiveness of tests, scans, and guardrails is measured and adjusted if necessary.

Here, Delivery Operations become the interface between technical teams, risk management, and the compliance department. A well-documented end-to-end workflow makes it much easier to pass audits and transparently manage risks.

Data Act: Exit Capability and Portability

The Data Act came into force on January 11, 2024, and will be largely applicable from September 12, 2025. It strengthens, among other things:

  • The portability of data
  • The ability to switch between cloud providers
  • Rights around data access and usage

From the perspective of Delivery Operations, clear design principles emerge:

  • Portable Deployment Model: Infrastructure descriptions, configurations, and deployments should not be inextricably tied to a specific provider. GitOps and Kubernetes-native workloads facilitate a later switch.
  • Standardized Artifact Formats: Container images, Helm charts, and SBOMs are usable independent of the manufacturer.
  • Documented Dependencies: Through SBOMs and structured configurations, it is traceable which external services are used – a prerequisite for exit strategies.

Delivery Operations thus become the lever to ensure exit capability not only contractually but also technically.

Organizational Design of Delivery Operations

Technology alone is not enough. Those who take Delivery Operations seriously must clearly define roles, processes, and platform offerings.

Roles and Responsibilities

A proven model:

  • Platform Team: Responsible for clusters, basic services, central tools,
Vorheriger Post Alle Posts Nächster Post

Ähnliche Artikel