---
title: "OCM: Rethinking Software Delivery with a Secure and Standardized Approach"
weight: 4
tags:
  - security
  - delivery
  - compliance
---

## Challenges

### Baseline

- Fan-in: SBOM
- Fan-out: Deployment automation
- In the middle: Our dev team and their product
- Question: How do we transport this stuff?

TODO: Steal illustration

### Tooling

- Fan-in: Standard tools (SBOM, Containers, Maven, ...)
- Fan-out: Diverse: Human in the loop with different tools
- Goal: Standardize everything and shift-left deployment/security/compliance concerns

## The open component model

> Open standard created by SAP

- Suggests standards
- Contains example implementations but does not enforce them
- Constructor: Defines what our product needs to run on a cluster (e.g. HelmChart, Container, ...)

## Example

```mermaid
graph LR
  SyncAgent-->|with SBOM|PreProduct
  UIFramework-->|with SBOM|PreProduct
  PreProduct-->|Helm, Container|Product
  Product-->|Bundle|AirgappedEnv
  subgraph AirgappedEnv
    Flux
    Kro
  end
```

## TL;DR

- We can use the constructor to create an archive that contains our product with all dependencies, offline-ready
- We can upload the offline bundle into our air-gapped OCI registry or directly to our platform
- The resources and construction bundles are defined as Kubernetes CRDs, and the CLI can be used for upload and download (probably among other features)
- The deployer defines how our resources shall be deployed (e.g. via Flux)
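A component constructor for the product in the diagram above, written here as an added example (it is not from the original notes or from the OCM project); the component names, image reference and file paths are made up:

```yaml
# component-constructor.yaml (constructed example; names and paths are placeholders)
components:
  # Upstream building block: SyncAgent, shipped together with its SBOM
  - name: example.org/sync-agent
    version: 1.2.0
    provider:
      name: example.org
    resources:
      - name: image
        type: ociImage
        version: 1.2.0
        access:
          type: ociArtifact
          imageReference: ghcr.io/example/sync-agent:1.2.0
      - name: sbom
        type: blob
        version: 1.2.0
        input:
          type: file
          path: ./sbom/sync-agent.spdx.json
          mediaType: application/spdx+json
  # Our product: the Helm chart plus a reference to SyncAgent, so the
  # whole dependency graph ends up in one transferable archive
  - name: example.org/product
    version: 3.0.0
    provider:
      name: example.org
    resources:
      - name: chart
        type: helmChart
        version: 3.0.0
        input:
          type: helm
          path: ./charts/product
    componentReferences:
      - name: sync-agent
        componentName: example.org/sync-agent
        version: 1.2.0
```

With the OCM CLI, `ocm add componentversions --create --file ./ctf component-constructor.yaml` turns this into a local transport archive, and `ocm transfer ctf --copy-resources ./ctf <target-registry>` pushes it, container image included, into the air-gapped registry.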