Slide 1

Slide 1 text

Kubernetes GitOps at Cloudflare
Terin Stock
Cloud-Native and Kubernetes Silicon Valley Meetup
January 16, 2020

Slide 2

Slide 2 text

Terin Stock
@terinjokes
Software Engineer

Slide 4

Slide 4 text

“How do we do releases?”
● Had three goals in mind when picking a workflow:
  ○ Continuous
  ○ Automatic
  ○ Reviewable

Slide 5

Slide 5 text

The Status Quo

Slide 6

Slide 6 text

Status Quo of Releases
● Build server manages releases of the master branch
● Release artifacts and manifests built at the same time
● Releases are automatically promoted

Slide 7

Slide 7 text

Status Quo of Releases
● Our workflow goals:
  ○ Automated ✔
  ○ Continuous ❌
  ○ Reviewable ❌

Slide 8

Slide 8 text

Non-Continuous Releases
● Modifications made with kubectl are not reverted until the next time the build server runs
  ○ In practice, the next time code is merged to master
  ○ Development cadence of software differs
● System state can easily diverge, often being fatal to future releases.

Slide 10

Slide 10 text

Non-Reviewable Releases
● Manifests are generated by the build server behind the scenes.
  ○ Difficult to review what will be released
  ○ Difficult to stagger promotions
● Build server enforced templating system
  ○ Had to hack around templating if tasks weren't simple

Slide 11

Slide 11 text

GitOps Workflow

Slide 12

Slide 12 text

GitOps Workflow
● Consider a git repository as the source of truth for Kubernetes manifests.
● Any changes that reach master are deployed to Kubernetes
  ○ In fact, they're continuously deployed to Kubernetes
● Can restore a previous release with git revert.

Slide 13

Slide 13 text

Reviewable Releases
● Git has a powerful tool for reviews: a pull request!
● The manifests are directly deployed; no need to parse and understand a template.

Slide 15

Slide 15 text

Automating Releases
● A task on the build server generates the release manifests.
  ○ Output is captured and opened as a pull request on the manifests repository.
  ○ Capturing output allows teams to select the best tools for their project.

Slide 16

Slide 16 text

Automating Releases
● For releases to multiple environments, multiple pull requests can be made.
  ○ Gives flexibility to stagger releases where required
  ○ Cancel releases by declining the pull request

Slide 17

Slide 17 text

Continuous Releases
● Tools running in Kubernetes monitor the git repository
  ○ Patches are applied to Kubernetes resources to bring them in sync.
● Currently using kube-applier and git-sync
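
The sync step on this slide, as an added example that is not part of the original talk and is not kube-applier's code: one reconcile pass compares the manifests from git with the live objects and computes the patch that reverts an out-of-band kubectl change. The object names, the sample manifests and the two-way comparison (simpler than the merge kubectl apply performs) are assumptions.

```python
import copy

def merge_patch(live, desired):
    """Patch that makes `live` match every field `desired` declares."""
    patch = {}
    for key, want in desired.items():
        have = live.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = merge_patch(have, want)
            if sub:
                patch[key] = sub
        elif have != want:  # scalars and lists are replaced whole
            patch[key] = copy.deepcopy(want)
    return patch

def apply_patch(obj, patch):
    """Apply a patch from merge_patch() and return the patched copy."""
    out = copy.deepcopy(obj)
    for key, val in patch.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = apply_patch(out[key], val)
        else:
            out[key] = copy.deepcopy(val)
    return out

def reconcile(desired_objs, live_objs):
    """One sync pass: {name: patch} for every drifted or missing object."""
    patches = {}
    for name, desired in desired_objs.items():
        patch = merge_patch(live_objs.get(name, {}), desired)
        if patch:
            patches[name] = patch
    return patches

# Constructed sample: the manifest as merged to master (hypothetical names).
POD = {"spec": {"containers": [{"name": "web", "image": "registry.example/web:1.4.2"}]}}
DESIRED = {"deploy/web": {"spec": {"replicas": 3, "template": POD}}}
# Constructed sample: live object after an out-of-band `kubectl scale`.
LIVE = {"deploy/web": {"spec": {"replicas": 1, "template": copy.deepcopy(POD)},
                       "status": {"readyReplicas": 1}}}

if __name__ == "__main__":
    for name, patch in reconcile(DESIRED, LIVE).items():
        print(name, "drifted; patch:", patch)
        assert not merge_patch(apply_patch(LIVE[name], patch), DESIRED[name])
```

This comparison only covers fields the manifest declares, so a map field added out of band that git never mentions is left in place; kubectl apply also consults the last-applied configuration to remove such fields.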

Slide 18

Slide 18 text

Continuous Releases
● Starting migration to Pusher's Faros controller
  ○ CRDs track changes and removals
  ○ Maintains synchronized status fields

Slide 19

Slide 19 text

GitOps Workflow
● Our workflow goals:
  ○ Automated ✔
  ○ Continuous ✔
  ○ Reviewable ✔

Slide 20

Slide 20 text

GitOps all the things!

Slide 21

Slide 21 text

Thanks
● Feel free to ask me questions afterwards.
  ○ @terinjokes

Slide 22

Slide 22 text

Back Matter

Slide 23

Slide 23 text

Colophon
The main body text, including headers, was set in Cambo by Argentinian foundry Huerta Tipográfica, based on the style of traditional Khmer type. Monospace text was set in Anonymous Pro by Minnesota font designer Mark Simonson. It was inspired by the mid-90s freeware Macintosh font Anonymous 9.