IaC and GitOps in motion

Vincent Gillet

August 26, 2022

Transcript

  1. Vincent GILLET
    • 15+ years of experience
    • Aerospace / Avionics / Automotive / Services / Government
    • Not a DevOps engineer
    • K8S and automation enthusiast (official Docker trainer if you need)
  2. Disclaimer: for all of this to work, the security team has to act as enablers toward developers and not gatekeepers!
  3. Criteria for our IaC and GitOps deployment
    • Secured
    • Maintainable
    • Auditable
    • Automated
    • Progressive deployment
    • Highly available
    • Easily understandable
    • Elastic
    • …
    DO NOT TRY TO GET EVERYTHING AT ONCE, YOU WILL FAIL!
  4. Pull pattern: the secret sauce
    • No external access required to either the AWS account or EKS
    • One least-privilege IAM role on Atlantis
    • Access is directly Git repository access, no 3rd-party RBAC sitting on top
    • Git audit for free
    • Lightweight, one PR = one deployment
    • Native Terraform and k8s DSL
    • Execution context is in the environment, not in the code
    Secured ✔ • Maintainable ✔ • Easily understandable ✔
  5. Mono repo: one branch but distinct folders
    • 3 weeks later
    • Imagine 1 year
    • Execution context?
    • Same access?
  6. GitOps trunk-based
    • Resilient to company reorganization
    • Fine-grained access management
    • Git remains the golden truth
    • Easily auditable
    • Smaller is better
  7. See you on my next talk: “Why your company failed at DevOps while trying to apply this!”