
GitOps with ArgoCD


Sascha Selzer

May 05, 2021

Transcript

  1. TECHLUNCH / 05.05.2021: GitOps with ArgoCD. Sascha Selzer @tommy1199
  2. Typical Project Setup (diagram: Cluster, Repository, Buildserver, Docker Registry, Ingress, Service, Deployment, Secret, ConfigMap)
  3. CI/CD Pipeline
     • Source Code
     • Deployment Templates
     • Credentials
     • Deployment Tools
     • Deployment context
     (diagram: Cluster)
  4. Independent Pipelines (diagram: Cluster)
  5. So what is the problem?
  6. Long Feedback Loop
     • One pipeline for CI and CD
     • If we have a bug in the deployment templates, the full pipeline has to run
     • This means the software has to be built just for an update of the deployment templates
  7. Shortcut Deployment (diagram: Cluster, Ingress, Service, Deployment, Secret, ConfigMap)
  8. "kubectl is the new ssh" (Kelsey Hightower)
  9. Auditing (diagram: Cluster; the sources of changes are unknown, marked "?")
  10. Reproducibility
     • Credentials
     • Deployment Tools
     • Deployment context
     (diagram: "?" and Cluster)
  11. Recovery (diagram: Cluster)
  12. Source of truth = Executed pipelines
  13. GitOps
  14. What is GitOps?
     • Operational model for Kubernetes clusters
     • First mentioned in 2017
     • Git as single source of truth
     • We manage in git not only how to deploy, but also what to deploy
  15. "The world is envisioned as a repo and not as a kubernetes installation" (Kelsey Hightower)
  16. GitOps in Action (diagram: Source Code Repository renders & deploys to Cluster)
  17. GitOps in Action (diagram: Source Code Repository renders & commits to Config Repository; Cluster)
  18. GitOps in Action (diagram: Source Code Repository renders & commits to Config Repository; Operator pulls from Config Repository; Cluster)
  19. GitOps in Action (diagram: Source Code Repository renders & commits to Config Repository; Operator pulls from Config Repository and deploys to Cluster)
  20. Multi Deployments (diagram: Cluster)
  21. Spot divergence
  22. Diff
     • Compares config repository to actual deployment
     • Could notify user
     • Could automatically heal
     (diagram: Operator pulls from Config Repository and deploys to Cluster)
  23. Inversion of Access
  24. Cluster access (diagram: Cluster, Operator, Config Repository)
  25. Cluster access
     • No cluster credentials needed outside of the cluster
     (diagram: Cluster, Operator, Config Repository)
  26. Git
  27. Git
     • Auditing through commit log
     • Typical development features possible (feature branches, reviews)
     • Rollback through a commit revert
  28. Recovery
  29. Recovery (diagram: Cluster)
  30. Recovery (diagram: Cluster restored from the latest cluster state)
  31. ArgoCD
  32. ArgoCD
     • GitOps Operator
     • Manages dependent resources as "Apps"
     • Can work with different config management tools (kustomize, helm, plain yaml)
     • Uses the Kubernetes API for storage
  33. Declarative Application
  34. Multi App Deployment
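The following manifests are an added example to illustrate slides 22 to 34 (diff and self-heal, in-cluster access, declarative Apps); they are not from the deck. The ArgoCD API fields are the real ones; the project name, repository URL and namespaces are placeholders. The AppProject pins the App to one config repository and one target namespace, and the Application's automated sync policy is what turns "spot divergence" into "automatically heal":

```yaml
# Added example, not from the deck. Project name, repo URL and
# namespaces are placeholders; the ArgoCD fields are real.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-shop            # placeholder project name
  namespace: argocd
spec:
  description: Apps owned by the shop team
  # Least privilege for the operator: only this config repository may
  # be used as a source ...
  sourceRepos:
    - https://git.example.com/shop/config.git   # placeholder config repository
  # ... and only this namespace on the operator's own cluster may be
  # a destination, so a mistaken or malicious Application in this
  # project cannot deploy elsewhere.
  destinations:
    - server: https://kubernetes.default.svc
      namespace: shop
  # No cluster-scoped resources (ClusterRoles, CRDs, ...) from this project.
  clusterResourceWhitelist: []
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: shop-frontend        # placeholder app name
  namespace: argocd
  finalizers:
    # Remove the deployed resources when the Application object is deleted.
    - resources-finalizer.argocd.argoproj.io
spec:
  project: team-shop
  source:
    repoURL: https://git.example.com/shop/config.git
    targetRevision: main
    path: apps/frontend      # kustomize, helm chart or plain yaml under this path
  destination:
    # The operator talks to the API server of the cluster it runs in:
    # no cluster credentials leave the cluster ("inversion of access").
    server: https://kubernetes.default.svc
    namespace: shop
  syncPolicy:
    automated:
      prune: true            # delete resources that were removed from git
      selfHeal: true         # revert changes made with kubectl ("kubectl is the new ssh")
    syncOptions:
      - CreateNamespace=true
```

For the multi-app deployment of slide 34 the same Application kind is reused: an Application whose `path` contains further Application manifests ("app of apps") lets ArgoCD reconcile a whole set from one declarative entry point. With `selfHeal` and `prune` disabled, ArgoCD still computes and shows the diff (OutOfSync) and, with ArgoCD Notifications, can notify instead of heal.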
  35. ArgoCD Family
     • ArgoCD
     • ArgoCD ApplicationSet
     • ArgoCD Notifications
     • ArgoCD Image Updater
  36. And what about runtime secrets?
  37. Secrets Management
     • ArgoCD is un-opinionated
     • External solution needed
     • Many to choose from
  38. Secrets Management
     • Bitnami Sealed Secrets
     • GoDaddy Kubernetes External Secrets
     • External Secrets Operator
     • Hashicorp Vault
     • Helm Secrets
     • Banzai Cloud Bank-Vaults
     • Kustomize secret generator plugins
     • aws-secret-operator
     • KSOPS
     • argocd-vault-plugin
  39. Secrets Management (same list as slide 38)
  40. Secrets Flow (diagram: CD renders & commits the encrypted secret to the Config Repository; Operator pulls it and deploys the SealedSecret to the Cluster; Secret Operator reads the SealedSecret and decrypts it into a Secret)
  41. Sealed Secret
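The Sealed Secrets flow of slides 40 and 41, as an added example that is not part of the deck: the plaintext Secret is generated locally and sealed with the controller's public key; only the SealedSecret with ciphertext is committed to the config repository; the in-cluster controller is the only party holding the private key and turns it into a regular Secret that the workload reads. Resource names, the namespace and the ciphertext are placeholders; the `kubectl` and `kubeseal` invocations in the comments are the tools' real flags.

```yaml
# Added example, not from the deck. Names, namespace and ciphertext
# are placeholders.
#
# 1. Create the plaintext Secret locally; this file must never be committed:
#      kubectl create secret generic db-credentials -n shop \
#        --from-literal=password='<value>' --dry-run=client -o yaml > secret.yaml
# 2. Seal it with the controller's public key (kubeseal fetches the key
#    from the controller running in the cluster):
#      kubeseal --controller-namespace kube-system --format yaml \
#        < secret.yaml > sealed-secret.yaml
# 3. Commit only sealed-secret.yaml (below) to the config repository.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
  namespace: shop
spec:
  encryptedData:
    # Ciphertext placeholder. Safe in git: only the controller's private
    # key, which never leaves the cluster, can decrypt it. With the default
    # "strict" scope it is also bound to this name and namespace, so a
    # copy moved to another namespace will not decrypt.
    password: AgB...PLACEHOLDER-CIPHERTEXT...
  template:
    # Metadata and type of the Secret the controller will create.
    metadata:
      name: db-credentials
      namespace: shop
    type: Opaque
---
# The workload consumes the decrypted Secret as usual and never sees
# the SealedSecret; ArgoCD only ever syncs the sealed object.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shop-backend         # placeholder workload name
  namespace: shop
spec:
  replicas: 1
  selector:
    matchLabels:
      app: shop-backend
  template:
    metadata:
      labels:
        app: shop-backend
    spec:
      containers:
        - name: backend
          image: registry.example.com/shop/backend:1.0.0   # placeholder image
          envFrom:
            - secretRef:
                name: db-credentials
```

The point for auditing is that the commit log now records every change to the secret without ever containing its value; the point for recovery is that re-applying the config repository to a cluster that still has the same sealing key pair restores the secrets too, so backing up that key pair becomes part of the recovery plan.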

  42. Verdict
     • Helped to improve auditing and access management
     • Additional benefits through the UI
     • A secrets management strategy is needed when doing GitOps
     • Developers do not need direct cluster access, but additional tooling is needed to provide further visibility
  43. www.innoq.com, innoQ Deutschland GmbH: Krischerstr. 100, 40789 Monheim, +49 2173 3366-0; Ohlauer Str. 43, 10999 Berlin; Ludwigstr. 180E, 63067 Offenbach; Kreuzstr. 16, 80331 München; Hermannstrasse 13, 20095 Hamburg; Erftstr. 15-17, 50672 Köln; Königstorgraben 11, 90402 Nürnberg. Thanks! Questions? Sascha Selzer, sascha.selzer@innoq.com, @tommy1199