
IT-Tage 2021 - GitOps: Introduction to Continuous Operations with Kubernetes

schnatterer
December 09, 2021


For many, GitOps is the evolution of classic CI/CD processes. It sounds simple and offers advantages such as a consistently declarative description of Infrastructure as Code. Security also improves: neither humans nor the CI server need access to the production environment. In detail, however, many questions have to be answered: Which tools exist? How can stages be implemented, errors noticed, Helm charts deployed, resources deleted or secrets stored securely? How many repositories make sense, and how should they be structured?

The talk addresses these and other questions. The focus is on operating applications on Kubernetes clusters. It includes practical tips from my experience of almost two years of GitOps in production in various environments. After the talk you should have a feel for where GitOps stands and whether now is a good time to pursue the topic.

More details:

What is GitOps? Understand definitions and distinctions.
Where can it be used? Get to know use cases.
How can it be used? Get an overview of tools and design decisions.
What challenges arise? Learn about possible solutions.

https://www.ittage.informatik-aktuell.de/programm/2021/gitops-einfuehrung-in-continuous-operations-am-beispiel-von-kubernetes.html


Transcript

  1. #ittage
    Johannes Schnatterer, Cloudogu GmbH
    // GITOPS: HANDS-ON CONTINUOUS OPERATIONS WITH KUBERNETES
    Version: 202112081726-8938e47
    @jschnatterer

  2. Agenda
    • What is GitOps?
    • How can it be used?
    • What challenges arise?
    • Demo

  3. What is GitOps?

  4. Origin: blog post by Weaveworks, August 2017
    Use developer tooling to drive operations
    weave.works/blog/gitops-operations-by-pull-request

  5. "Classic" Continuous Delivery ("CIOps") vs GitOps
    [Diagram, "Classic" CD (CIOps): Developer pushes to Git Repo; CI Server pulls (Continuous Integration + Continuous Delivery) and deploys to K8s Cluster: imperative, once.]
    [Diagram, GitOps: Developer pushes to Git Repo; CI Server pulls (Continuous Integration); GitOps operator inside the K8s Cluster pulls from the Git Repo and deploys (Continuous Delivery): declarative, continuously.]

  6. GitOps Principles
    The desired state of a GitOps managed system must be:
    1 Declarative
    2 Versioned and Immutable
    3 Pulled Automatically
    4 Continuously Reconciled
    github.com/open-gitops/documents/blob/main/PRINCIPLES.md

  7. GitOps vs DevOps
    • DevOps is about collaboration of formerly separate groups (mindset)
    • GitOps focuses on ops (operating model)
    • GitOps can be used with or without DevOps

  8. Advantages of GitOps
    [Diagram: Developer pushes to Git Repo; CI Server pulls; GitOps operator inside the K8s Cluster pulls from the Git Repo and deploys.]
    • No access to cluster from outside (might also solve firewall/zone issues)
    • No credentials on CI server (neither cluster access nor for apps)
    • Forces declarative description
    • IaC is auditable
    • Scalability - one repo, many applications
    • Self-healing / Hands-off ops

  9. How can GitOps be used?

  10. What can GitOps be used for?
    • Cloud: Cloud Infra (IAM, DNS, VMs, Clusters, ...)
    • Cluster: K8s Resources / applications (Services, CRDs, Deployments, ...)

  11. GitOps tool categories
    • GitOps operators/controllers
    • Supplementary GitOps tools
    • Tools for operating cloud infra

  12. GitOps operators/controllers
    [Logos of GitOps operators/controllers; names not recoverable from the transcript]

  13. Supplementary GitOps tools
    Secrets
    • [tool logo] + K8s integration
    • Operators for Key Management Systems
    bitnami-labs/sealed-secrets
    Soluto/kamus
    mozilla/sops

  14. Others
    • Backup / restore
    • Horizontal Pod Autoscaler
    • Deployment Strategies - Progressive Delivery
    • ...
    argo-cd.readthedocs.io/en/release-2.0/user-guide/best_practices

  15. GitOps operators + Infra Operator = Operate cloud infra with GitOps

  16. Operate Kubernetes with Kubernetes
    [Diagram: Cloud Infra Repo is pulled by a Management Cluster, which creates and manages several Target Clusters.]

  17. Management Cluster
    [Diagram: Inside the Management Cluster, the GitOps operator pulls the Cloud Infra Repo and applies resources to the API-Server; the Infra operator watches the API-Server and creates/manages Target Clusters via Infra providers, which create clusters/VMs/metal.]

  18. Tools for operating cloud infra
    [Tool logos] + Cloud or Operator
    rancher/terraform-controller

  19. See also
    • General tool comparison,
    • tips on criteria for tool selection,
    • comparison of ArgoCD and Flux
    cloudogu.com/blog/gitops-tools (iX 4/2021)

  20. What challenges arise with GitOps?

  21. More Infra ...
    • GitOps Operator: One or more custom controllers
    • Helm, Kustomize Controllers
    • Operators for Supplementary tools (secrets, etc.)
    • Monitoring/Alerting systems
    • ...

  22. ... higher cost
    • Maintenance/patching (vendor lock-in)
    • Resource consumption
    • Learning curve
    • Error handling
      • failing late and silently
      • monitoring/alerting required
      • reason might be difficult to pinpoint
      • operators cause alerts (OOM errors, on Git/API server down, etc.)

  23. Day two questions
    • POC is simple
    • Operations in prod has its challenges
    • How to realize local dev env?
    • How to delete resources?
    • How to realize staging?
    • How to structure repos and how many of them?
    • Role of CI server?
    • ...

  24. Local development
    • Option 1: Deploy GitOps operator and Git server on local cluster: complicated
    • Option 2: Just carry on without GitOps: easy when IaC is stored in the app repo

  25. How to delete resources?
    • Garbage collection (Flux) / resource pruning (ArgoCD) is disabled by default
    • Enable it from the beginning to avoid manual interaction
    • Unfortunately, still often unreliable / too defensive (?)

  26. Implementing stages
    Idea 1: Staging branches
    • Develop branch: Staging
    • Main branch: Production
    thoughtworks.com/radar/techniques/gitops
    Logic for branching is complicated and error prone (merges)

  27. Idea 2: Staging folders
    • On the same branch: one folder per stage
    • Process:
      • commit to staging folder only (protect prod),
      • create short-lived branches and pull requests for prod
    • Duplication is tedious, but can be automated
    ├── production
    │   └── application
    │       └── deployment.yaml
    └── staging
        └── application
            └── deployment.yaml
    • Logic for branching simpler
    • Supports arbitrary number of stages
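The folder-per-stage layout from this slide, with pruning switched on from the start as the "How to delete resources?" slide recommends, expressed as two Argo CD Application manifests (an added example, not from the deck or the gitops-playground; the repository URL, Application names and namespaces are assumptions):

```yaml
# Added example (not from the deck): Argo CD Applications implementing
# "Idea 2: Staging folders". Both stages track the same branch and differ
# only in source.path and destination.namespace.
# Assumed: repoURL (placeholder), names and namespaces; adjust to your repo.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: application-staging
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://scm.example.invalid/gitops-repo.git  # placeholder
    targetRevision: main          # one branch for every stage
    path: staging/application     # folder per stage, not branch per stage
  destination:
    server: https://kubernetes.default.svc
    namespace: staging
  syncPolicy:
    automated:
      prune: true      # off by default; without it, manifests deleted from
                       # Git stay in the cluster and need manual cleanup
      selfHeal: true   # revert manual kubectl changes (hands-off ops)
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: application-production
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://scm.example.invalid/gitops-repo.git  # placeholder
    targetRevision: main
    path: production/application  # changed only via short-lived branch + PR;
                                  # enforce with branch protection on the Git server
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
# Flux equivalent (assumption, not on the slide): one Kustomization per
# folder with spec.prune: true.
```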

  28. Basic role of CI server
    [Diagram: Developer pushes to Git Repo; CI Server pulls from the Git Repo and pushes to the OCI Registry; GitOps operator inside the K8s Cluster pulls the Git Repo (and optionally pushes back to it), pulls from and watches the OCI Registry, and deploys.]
    Optional: GitOps operator updates image version in Git
    github.com/argoproj-labs/argocd-image-updater
    fluxcd.io/docs/guides/image-update

  29. Number of repositories: application vs GitOps repo
    [Diagram, single repo: Developer pushes to Git Repo; CI Server pulls the Git Repo and pushes to the OCI Registry; GitOps operator inside the K8s Cluster pulls the Git Repo and the OCI Registry and deploys.]
    [Diagram, separate repos: Developer pushes app code to the App Repo and infra code to the GitOps Repo; CI Server pulls the App Repo and pushes to the OCI Registry; GitOps operator inside the K8s Cluster pulls the GitOps Repo and the OCI Registry and deploys.]
    GitOps tools: Put infra in separate repo! See
    argo-cd.readthedocs.io/en/release-2.0/user-guide/best_practices

  30. Disadvantages
    • Separated maintenance & versioning of app and infra code
    • Review spans across multiple repos
    • Local dev more difficult
    • Static code analysis for IaC code not possible

    How to avoid those?

  31. Extended role of CI server
    [Diagram, before: Developer pushes app code to the App Repo and infra code to the GitOps Repo; CI Server pulls the App Repo and pushes to the OCI Registry; GitOps operator inside the K8s Cluster pulls the GitOps Repo and the OCI Registry and deploys.]
    [Diagram, after: Developer pushes app + infra code to the App Repo only; CI Server pulls the App Repo, pushes infra code to the GitOps Repo and images to the OCI Registry; GitOps operator inside the K8s Cluster pulls the GitOps Repo and the OCI Registry and deploys.]

  32. Advantages
    • Single repo for development: higher efficiency
    • Automated staging (e.g. PR creation, namespaces)
    • Shift left: static code analysis + policy check on CI server, e.g. yamllint, kubeval, helm lint, conftest
    • Simplify review by adding info to PRs

  33. Disadvantage
    Complexity in CI pipelines
    Recommendation: Use a plugin or library, e.g. cloudogu/gitops-build-lib

  34. Demo
    [Diagram: Your Host runs, via the Docker Daemon, a K3d Container holding SCM-Manager (App Repos, GitOps Repos), Jenkins, a Registry and ArgoCD; Jenkins pulls from SCM-Manager and pushes to the Registry and the GitOps Repos; ArgoCD pulls and deploys.]
    cloudogu/gitops-playground


  36. GitOps experience distilled
    Has advantages, once established
    Mileage for getting there may vary

  37. Adopt GitOps?
    • Greenfield: Definitely
    • Brownfield: Depends

  38. Johannes Schnatterer, Cloudogu GmbH
    • GitOps Resources (intro, articles, talks, videos, projects)
    • Discussions
    cloudogu.com/gitops
    Trainings / Consulting / Jobs

  39. Image sources
    • What is GitOps? https://pixabay.com/illustrations/question-mark-important-sign-1872665/
    • How can GitOps be used? Tools: https://pixabay.com/photos/tools-knives-wrenches-drills-1845426/
    • What challenges arise with GitOps? https://unsplash.com/photos/bJhT_8nbUA0