GitOps w/ or w/o Kubernetes

Gerd Aschemann <gerd@aschemann.net>

Questions

Please answer some questions via MentiMeter

https://www.menti.com
Enter 4312 9664

About me

Gerd Aschemann <gerd@aschemann.net>
- Twitter: @GerdAschemann
- Mastodon: @ascheman@mastodon.social
- https://aschemann.net
Freelancer: Java/Groovy, Architecture, DevOps/SRE, DDD, …
Co-Organizer:
- JSail UnConference
- JUG Darmstadt
- JavaLand (retired)
- CyberLand

Live demo (TL;DR) - slides are mostly backup

Visit https://github.com/ascheman/gitops-demo-deployment if you want to actively follow the demo.

Results

Check results of MentiMeter

CI vs. CD

Figure 1. Continuous Integration → Continuous Delivery

The Problem

How can we control

(initial/continuous) deployment of a certain artefact (version) to a target environment?
that the deployed version remains active in the target environment?

Towards a solution

Figure 2. Add Infrastructure as Code (IaC)

Getting Closer

Figure 3. Let IaC refer to artefact

Deployment items (~ Artefacts)

Software delivery items are called artefact
Software deployments consist of
- Artefacts, e.g., Docker Image, Java jar/war, RPM package, AMI, …
- Configuration settings, e.g., DB connection string + credentials, Service URL, …

Artefact coordinates

Artefacts are described by their coordinates, e.g.

Repository/Registry (URL)
Namespace / Name, e.g., Maven/Gradle Group/Artefact,
Version(s): change over time
→ Similar to Configuration(s)

Updated Problem

How can we control

the (initial) deployment of a certain artefact (version) configuration to a target environment?
that the deployed version configuration remains active in the target environment?

Configuration and State

A particular configuration can also be treated as state
Use configuration and state synonymously
Distinguish desired state and actual state

How to describe state

State (configurations) can be defined

Declarative (supports stateful management), e.g.,
- Kubernetes (Manifest, Helm, Helmfile, …)
- Terraform
- Puppet, …
Imperatively (make state management harder), e.g.,
- Kustomize (k8s)
- Ansible
- Cloud SDKs (?)

(Technical) Solution(s)

Maintain State Changes

Kubernetes (k8s): Lucky you!
Ansible:
- Apply Playbook(s)
- Use Ansible Tower (AWX)
Terraform: Run (terraform plan +) terraform apply

Maintain Durability

→ Out-of-scope for this presentation

k8s: Use (Re-) Conciliation Operator (Push → Pull)
Ansible:
- Re-Apply Playbook(s)
- Use Ansible Tower (aka. Ansible Automation Platform)
Terraform: Re-Run terraform plan + apply (???)

Control Change

On higher level the problem remains

How can we control state (changes)?
How do we ensure a certain configuration is applied to an environment?
How do we know which state is applied?
Who is in control of the change?
- What will be changed?
- Review Change?
- Who approves the Change?

GitOps to the Rescue

Maintain each configuration (state) in a Git repository/branch
Automatically apply changes by an agent (here: pipeline)
Use Git workflows to control change (i.e., use pull-requests)

→ GitOps

GitOps State by Repository

Configure stage(s)/environments in separate repositories.

Figure 4. State by Repository

GitOps State by Branch

Configure stage(s)/environments in separate branches.

Figure 5. State by Branch

GitOps Origins

GitOps,
- originally coined by Weaveworks
- nowadays used in a wider sense (versioned Continuous Delivery of Cloud Native applications), cf. https://gitops.tech
Principles
- Describe (entire) system declarative
- Maintain desired system state in Git
- Automatically apply (approved) state changes
- Ensure correctness / durability by software agents (k8s: operators)

Demonstration(s)

Sample (overview)

Apply new Version (overview)

Apply new Version (step-by-step)

Step by step preparation of PR

  environment="test"
  release="release/v2"
  git checkout -b prepare/${environment} origin/perform/${environment} # (1)
  git merge --ff -m"Switch to ${release}" ${release} # (2)
  git push -fu origin # (3)

1	Start with the current state (i.e., `perform/` branch)
2	Merge state change (i.e., `release/` branch)
3	Push it to Github and let the action prepare the change

Then check Github Actions and PRs

Roll back Version (overview)

Roll back Version (step-by-step)

Step by step rollback

  environment="test"
  rollback=... # (1)
  git checkout -b prepare/${environment} origin/perform/${environment} # (2)
  git revert -m 'Roll back to previous version' ${rollback} # (3)
  git push -fu origin # (4)

1	Find the state change to revert
2	Start with the current state (i.e., `perform/` branch)
3	Roll back the change
4	Push it to Github and let the action(s) do the rest

Check Github Actions and PRs

Development / New environment

Create new environment

  start=release/v2
  environment=oop-2023
  git checkout ${start} # <1>
  git push -f origin HEAD:init/${environment} # <2>

1	Checkout a suitable starting point
2	Push it to an `init/` branch on Github

Watch Github Actions initializing the new environment

Development / Auto-perform/-destroy (overview)

Development / Auto-perform (steps)

Apply current state to environment (full-automatic mode)

  environment=oop-2023
  current=$(git branch --show-current)
  git fetch --all --prune
  git checkout -b auto-perform/${environment} origin/perform/${environment}
  git merge --ff -m"Auto-Perform changes from ${current}" ${current}
  git push -fu origin

Watch Github Actions applying the change

Development / Auto-destroy (steps)

Destroy environment (full-automatic mode)

  environment=oop-2023
  git pull -f
  git checkout perform/${environment}
  git push -f origin HEAD:auto-destroy/${environment}

Watch Github Actions destroying the environment

Other Terraform Approaches

Atlantis
Terrateam

Other Approaches: Atlantis

CD-Application (C/S) for Terraform
Watch for PRs (Github, Gitlab, Bitbucket, Azure Devops(?), …)
Control by ChatOps (comment PRs)

Other Approaches: Terrateam

CD-Application (C/S) for Terraform
Watch for PR → Map to GH Action
Access Control
Auto-Merge
Drift Detection (Re-Conciliation)
Multi-Branching
Workflow Customization

Not covered (yet)

Reconcilement (neither here, nor Atlantis)
Access Management
- No direct grants to target envs necessary
- Control access by repository/branch permissions
Complex use cases, e.g.,
- release bundling
- inhomogeneous resources (for instance: k8s + TF)
Housekeeping
Extensions, e.g., chatbot

Summary

GitOps can solve typical control challenges
- Persist environment configurations to Git
- Enable change management by following well-known Git flows
- Include typical quality assurance, e.g., 4 eyes principle/review
Run easily on state based configurations (Terraform, k8s)
Stateless configurations are subject to proof of concept (Ansible Tower)

Thank You

Please provide Feedback via Mentimeter

https://www.menti.com
Type 6295 3967

GitOps w/ or w/o Kubernetes

Questions

About me

Live demo (TL;DR) - slides are mostly backup

Results

CI vs. CD

The Problem

Towards a solution

Getting Closer

Deployment items (~ Artefacts)

Artefact coordinates

Updated Problem

Configuration and State

How to describe state

(Technical) Solution(s)

Maintain State Changes

Maintain Durability

Control Change

GitOps to the Rescue

GitOps State by Repository

GitOps State by Branch

GitOps Origins

Demonstration(s)

Sample (overview)

Apply new Version (overview)

Apply new Version (step-by-step)

Roll back Version (overview)

Roll back Version (step-by-step)

Development / New environment

Development / Auto-perform/-destroy (overview)

Development / Auto-perform (steps)

Development / Auto-destroy (steps)

Other Terraform Approaches

Other Approaches: Atlantis

Other Approaches: Terrateam

Not covered (yet)

Summary

Thank You

Links