Closed vs. Open-Source Software Delivery Platforms
The Rise of Open Adoption Software
Open adoption software is re-drawing the IT Stack. Companies like Github, Docker, Mulesoft, Cloudera, and others are stealing budgets from more traditional application/client-server companies while driving more innovation. The above graphic illustrates the trend over the past few decades.
The same is true in the software delivery world. Spinnaker, an open-source project from Netflix, is the cloud-native, next-generation deployment system that powers the core of Armory’s Platform to help software teams ship better software, faster.
A new entrant in software delivery, Harness, is taking a closed-source approach to software delivery, which negates all the benefits provided by open source and the vibrant community surrounding it. And worse, Harness has misrepresented the capabilities of Spinnaker, as detailed below.
Armory believes that open source will win when pitted against closed-source solutions. The Spinnaker community already has over 4,000 members and is innovating rapidly on Netflix’s platform. Netflix, Google, Microsoft, Oracle and others are investing in Spinnaker and writing drivers for deploying workloads to AWS, Kubernetes, Azure, Bare Metal Cloud, DC/OS, ECS, OpenStack, and others.
No single company will be able to match the velocity of the world’s best cloud providers and the vibrant community building for those targets, nor keep up with the underlying innovation on those clouds.
These are the reasons that Armory uses Spinnaker at the Core of our Platform to help teams ship better software, faster.
The benefits of an open-source software delivery platform
Open-Source delivery and external integrations
Both Spinnaker and Harness are targeted at companies with hundreds of applications (and their respective deployment pipelines). Companies at this size have unique requirements in the sense that they might need to comply with specific legislation or processes specific to their business or industry.
In theory, any deployment solution could be used on it own in its original/vanilla form. In practice, however, an extra step of customization is often needed. In the most usual scenario, one or several rounds of modifications are required to accommodate all the corner cases of the company.
With a closed-source delivery platform, any modifications required on the base version are a lengthy, painful process. The company is forced to:
- contact the vendor and explain the unique requirements
- wait for the vendor to decide if the changes will be implemented (or not)
- obtain a modified version of the software — which may be more expensive while also being less fully supported.
As an example, in the case of Harness, a very small subset of external integrations are currently supported. What happens to companies that wish to integrate another solution that is not on the Harness product roadmap?
With an open-source application, this situation never happens. A company can directly modify the code on demand. In the case of Spinnaker the entire platform is based on nine microservices; each one responsible for a single thing. A company can either add or modify any of those microservices, add a new one, or even replace one without waiting for approval from any vendor.
As an example, Spinnaker comes with a micro-service called Echo which acts as message/event listener. Any company can modify the code and add any integration to any external system — even if it is something developed in-house.
- With a closed-source delivery platform you are limited to integrations selected by the vendor
- With an open delivery platform, any integration with any other application is possible by default
Open-Source delivery and core modifications
A corollary to the previous point is the ability to extend the core distribution of the delivery solution itself. The most significant example of this in Spinnaker is cloud support. Spinnaker originally supported AWS. OpenStack support was added by Target and Veritas, DC/OS support was added by Cerner, Kubernetes support was added by Google, and ECS support was added by Lookout.
Thus any company that selects Spinnaker knows most cloud providers are directly supported. In the case of Harness, a company can only wait until their cloud provider is added.
Even if Harness has the capacity to cover the most well-known cloud providers on its own, it could never achieve the coverage that Spinnaker is free to achieve. Lesser known cloud providers will be especially happy when they know they can add support for their cloud on the basic Spinnaker distribution.
The perfect current example of how many cloud providers can be supported with an open-source application is the support list for Terraform.
- With Spinnaker, you are free to modify the base software according to your special needs
- With Harness, there is no room for custom modifications
Open-Source delivery and community collaboration
Open source is based on collaboration. Nobody is re-inventing the wheel, and everybody can benefit from the work of others. A bug in Spinnaker that is fixed by one company will probably be useful to all other companies that use the same setup.
This means that with every new Spinnaker release, you essentially get, for free, the knowledge and engineering wisdom of companies in the same space as you — including some of the best engineers on the planet from companies like Netflix and Google.
Spinnaker is being used and supported by major companies including Netflix, Google, Target, Box, Mulesoft, and more. See the full list here.
All those companies have the opportunity and the expertise to contribute fixes and improvements on the open-source Spinnaker distribution, increasing the overall quality of the software in an exponential manner.
With Harness, on the other hand, you are dependent on the Harness team itself, vs. the combined knowledge of all companies deploying and improving on Spinnaker.
- With Spinnaker, you gain the combined expertise of all companies that use it
- With Harness, you are relying on the expertise of a single company
Open-Source delivery and upgrades
Upgrading any software is a time-consuming process. Even here, however, open source comes with two major advantages:
- If for some reason you want to stay on a previous version, you can “backport” features from the new version
- You can pin software components to the old version if you are not ready to upgrade to the latest and greatest
But this flexibility is only possible with open-source software. In the case of closed-source, you are forced to run the “blessed” version provided by the vendor regardless of your needs.
This flexibility is especially necessary in the early years of a software product where new features are added at a much higher rate.
Spinnaker is a mature product that has been used internally in Netflix in production for the last 3-4 years — and Netflix drives 37% of all internet traffic in the evenings, making Spinnaker a very mature and bulletproof software delivery platform.
- With Spinnaker, you can choose to use whichever version works best for your company. You can decide to closely follow new releases, upgrade whenever you see fit or even (in an extreme case) create your own distribution
- With Harness, you are limited to using the version(s) approved by the vendor and upgrade at their own pace instead of your own.
Open-Source delivery and vendor lock-in
The deployment platform used within a company is the most critical piece of software, second only to the runtime environment used for the application deployment.The long-term viability, safety, and flexibility of the deployment solution a company is using is of utmost importance.
Spinnaker is not controlled by any particular company. If Google, Netflix, or Target go out of business tomorrow, Spinnaker will continue to exist. Companies that have the expertise and knowledge can still maintain Spinnaker and upgrade it with new features and fixes (which is very easy given the availability of the source code).
Given the number of companies that are using Spinnaker, it is highly unlikely that all of them will disappear at the same time. For this reason alone, Spinnaker has a bright future ahead of it, because as long as any company is using it, it still can be improved and extended.
Harness is a single company that fully controls the deployment solution they offer. This makes the viability of the product dependent on the company itself.
If Harness goes out of business for any reason, the product simply ceases to exist. If another vendor merges/buys Harness, your company will need to adapt to any pricing scheme or roadmap the new vendor will dictate.
Choosing an open-source deployment solution is the only rational choice to avoid vendor lock-in while participating in the community-driven innovation.
- With Spinnaker you are never locked in to a single vendor. Spinnaker is not controlled by a single entity. This is why many companies now have policies that require procurement departments to consider open-source before closed-source solutions.
- With Harness, you base your deployment solution on the existence of the vendor
Open-Source delivery and Security
Deployments are one of the most sensitive and critical parts of your organization. Even if you don’t want to modify the code itself, having access to it means that you can audit and verify it to make sure that it does what it is supposed to be doing.
A closed-source product, on the other hand, is unverifiable. It might suffer from security vulnerabilities. It might “phone home.” It might leak your sensitive data. There is no way to know for sure.
Since Spinnaker deploys infrastructure, not applications, it also manages your cloud infrastructure. This makes it doubly important to run Spinnaker in a trusted cloud environment — yours.
Choosing a closed-source solution for your delivery pipeline means that you blindly trust the vendor with your intellectual property and application source code. Also, you accept the risk that when a security issue is indeed found, the solution vendor is solely responsible for providing a fix on time.
With an open-source solution, you don’t need to trust any external entity at all. The source code is there for you to audit and verify and your intellectual property can safely stay within your premises.
If a security issue is found, you can either fix the problem yourself or benefit from the collective response of all companies that are using it.
- With Spinnaker you can preemptively audit the source code. Security issues can be fixed on the spot
- With Harness, you trust blindly the vendor for your security. Security issues can be fixed only as fast as the vendor can respond.
Open-Source delivery and Recruiting
An open-source solution is open for everybody to collaborate. This means that finding engineers to work on it is always easier as you can look at the community already participating in building that product.
An open-source delivery solution means that you can draw potential employees from the pool of contributors to the project. In an open-source project, any engineer can be a contributor, as there is no barrier for anybody to enter.
This means a company can recruit the top experts or contributors of a particular open-source solution on its workforce.
With closed-source solutions, the only experts that can be found are the people who work on the vendor, making them an extremely scarce resource.
Engineers love to work on open-source software. This is why Netflix open-sourced Spinnaker in the first place. By encouraging your engineers to participate in an open-source project that’s core to your company’s software delivery processes, you are providing your engineers a fulfilling and strategic outlet.
- With Spinnaker, any software engineer can become an expert on the improvement and maintenance of your deployment solution
- With Harness, only a small group of experts exist (the employees of the vendor)
Open Source is the way forward
There is no longer an argument on whether open source is the best possible choice. Open-source solutions have already won. Just take a look at the rest of the deployment infrastructure and runtime. The whole stack is open source:
- Linux kernel is open source
- Linux userspace is open source
- Docker is open source
- Kubernetes is open source
- Jenkins is open source
- Terraform, puppet, Ansible et.c are open-source solutions
Harness is going against the current, following the old ways.
Spinnaker vs. Harness (aka The new way vs. The old way)
In this PDF, Harness makes the case that Spinnaker is missing many features when compared to Harness. Not only is this false, as detailed below, but Armory believes the open-source community will, over the long-term, move much faster than any single company can. Investing in a closed-source solution is a guaranteed way to miss on the Open Adoption Software movement and experience massive vendor lock-in with a sub-standard, proprietary solution.
- Armory has provided a fully supported, enterprise-grade distribution of Spinnaker since early 2017. Spinnaker powers the Core of our Platform, enabling software teams to ship better software, faster. Get more details on Armory’s Platform here.
- Armory offers automated canary analysis solution using Kayenta open-sourced by Google and Netflix, which leverages metrics from Datadog, New Relic, Prometheus and Stackdriver to promote or kill canary deployments in an automated fashion.
You can learn more about Kayenta here: https://blog.armory.io/announcing-kayenta-the-best-in-class-canarying-engine-from-netflix-and-google/
Here are other inaccuracies from the Harness PDF:
- We find that most companies run tests in Jenkins, which is why Spinnaker is not trying to reinvent the wheel here. We believe in using the best tool for each need. Spinnaker will surface the results of tests to pass or fail the pipeline, providing for an optimal workflow.
- Spinnaker allows you to do to this. Spinnaker provides for user-configured integrations via a webhook stage in deployment pipelines. For example, Google has a new security software supply chain product called Grafeas (also open source) for Kubernetes. Using Spinnaker’s webhook functionality enables a much broader range of options to be integrated. Additionally, with Spinnaker, users can freely integrate with any APIs, and not be tied to just the ones provided by the CD platform itself.
- Spinnaker supports pipeline templates out of the box. Spinnaker’s declarative service, Keel, is a new way of defining the intended state and the system converges on that to ensure it stays in that state. Additionally, Spinnaker is platform agnostic.
- Armory offers Certified Pipelines, a way to automate & enforce load testing, integration testing, security scanning, and canaries.
- This exists in Spinnaker today. Armory Spinnaker can publish logs to a centralized logging server like Splunk, Sumo Logic or Syslog. Learn more here.
- There are already industry standard secret stores like Hashicorp Vault, Nike Cerberus
- These solutions have a large OSS community
- There’s no need to reinvent the wheel; better to integrate with the industry-leading tools you already know and love
- Spinnaker offers this out of the box via JSON or YAML
- Spinnaker has an opinionated, immutable approach to deploying applications (for very good reasons), but that does not preclude its use deploying traditional applications.
- Spinnaker supports many cloud providers with dedicated resources, such as:
- Kubernetes in datacenter
- OpenStack in datacenter
- DC/OS in datacenter
- Oracles’ Bare Metal Cloud (BMC)
An important point about trust, safety and security: Harness claims to be the better option “where the application is truly critical to the business.”
Relying on a hosted solution for software delivery means that hosted solution also has the ability to destroy your cloud accounts.
Armory installs Spinnaker within a company’s Virtual Private Clouds (VPCs), so you can leverage the benefits of a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. This avoids the security & compliance risks of SaaS offering.