Criteria for selecting CI/CD tools

Here's a collection of thoughts regarding how to chose a CI/CD tool that fits your needs.

Documentation

• is the overall concept documented and easy-to-understand
• does usage of tool provide enough blog posts / SO posts / tutorials / videos

Setup & Maintenance (Day 1 and Day 2 operations)

• Packages (.rpm, .deb...) available (and maintained)
• Docker images available (and maintained)
• Proper update workflow (zero downtime)
• Installer for (public) cloud environments (BOSH manifest, Terrarform, Ansible, Chef, ...)
• Can setup and configuration be fully automated (e.g. Concourse via BOSH)
• Regarding configuration: GUI-only config or files (that can be put in version control...)
• HA setup, zero downtime

On-premise vs. SaaS

• do you need an on-prem solution
• could it be SaaS solution
• do you "only" build stuff, or also deploy stuff

OSS vs. Commercial products

• how big is the community around the tool
• popularity of tool (last commits, stars on Github, issues opened vs. closed...)
• do you need (commercial) support

User Management

• LDAP integration
• multi-tenancy capabilities
• Granularity of roles / permissions
• can user / roles management be stored in files or only via GUI
• SSO with Github, Gitlab, ...

Credentials Management

• Internal credentials store
• Connection to external store (credhub, vault, ...)
• are credentials securely injected into your jobs
• can credentials be masqueraded in log outputs (to wrap up log exposure generated by ugly configured gradle plugins for example ...)
• support for openID

Job Runners

• Scalability of runners (auto-scale)
  • for various backends (aws auto-scaling-groups, kubernetes, dockermachine, .... find more)
  • allow dynamic registration of new runners
  • allow save deregistration of scaled out runners!
• Integration of Dockerimages for single build-steps (be not forced to bake all the tools into a single docker)
• running on arbitrary machines (even local laptop)
• uni-directional vs. bi-directional communication between master and agents
• do runners cover all OSes that you need (i.e. Windows, Mac)
• can runners easily be set up (with your build tools)
• are environments separated (each tech stack has its own runner)
• do jobs survive a restart of the master
• Caching concept - many build jobs need massive ammount of dependencies. Not downloading these dependencies every time is relevant for build-steps speed up.

Pipelines

• Support of Pipelines
• Pipline per commit
• Pipelines as code
• DSL (Groovy...) or YAML
• fan-in / fan-out
• can tasks be shared in libraries
• can pipelines be generated via CLI tool / automated
• are manual approval / input steps provided
• pipeline of pipelines (cool concept found in GoCD :)
• Quality of statemachine concepts - found some suprising situations where jobs was not expected to be executed.
• Respect order of commits & serialization points in pipelines (ensure just one concurrent deployment of a single stage x service)

Job Configuration

• grouping jobs in folders / groups
• templates for job configuration re-use
• Artifact storage and retrival for a job (S3, on CICD Server, on artifact server ...), support for artifact lifecycle

Environments

• Deployment overview per environment: If some of your jobs do a deployment, you may want to be able to redo the deployment. A overview of available and current deployments per environment is very useful.

API / CLI tools

• can tool be accessed / configured / extended via API / CLI
• what features are exposed as API
• what about multi-tenancy / permission management of API

Integration in SCM

• feedback on every commit (builds / doesn't build), visible in SCM
• check merge / pull requests
• automatically create jobs for branches
• scan ORGs / groups for projects, automatically create jobs (e.g. Jenkins Github integration)
• grant permissions to build jobs based on SCM permissions

Your Ecosystem

• does tool integrate well into your ecosystem
  • .NET --> TFS?
  • Cloud Foundry --> Concourse?
• does ecosystem provide ready-to-use setup (e.g. spring pipelines)

Traceability / Ticketing system

• Linking / tracing of artifacts from ticket to scm commit to release to deployment
• Integration in ticketing system like JIRA - show build state, group builds, close / open tickets

Dashboards, Notifications, Monitoring, Logs

• are useful, configurable dashboards provided
• is monitoring of disk usage, CPU, ... provided (e.g. integration in Prometheus...)
• what about rotating logs, deleting old artifacts, clean up of broken builds
• integration in chat servers like Slack, HipChat, Mattermost or RocketChat
• email notifications - possibility to manage groups of people that are notified
• reports on code quality, test results, performance tests
• given a broken build: how fast can you figure out, why it broke

Extensibility

• plugins / vs. plugin hell
• how to check new plugins before upgrade
• how well are extension points documented
• can product be extended without plugins (e.g. Concourse resources)

Support & Feedback by

• https://twitter.com/tknerr_de
• https://github.com/jerger

Rerferences

• http://dannyvarner.com/2017/08/11/how-to-choose-a-continuous-integration-tool.html
• https://stackify.com/top-continuous-integration-tools/
• https://blog.sqreen.io/how-to-choose-your-ci-tool/