SysOps/DevOps Warszawa MeetUp #48 - 27.02.2020
Senior SRE @
kubectl create/apply/edit/delete ...
kubectl create/apply/edit/delete -f some.yaml
So when we delete a file from Git... not everyone remembers to delete the object from the cluster.
Are there better options?
But first let's determine our needs.
Changelog and rollbacks are easy
git log
git revert
Access to the repository may be restricted to a small group of people.
Cluster state is restored to latest revision automatically.
The practical guide to GitOps from Weaveworks
This is not easy:
The pipeline has to be scheduled regularly.
Example: one of Deployments is misconfigured
Let's deploy first application
tree demo_1/
demo_1/
├── deployment.yaml
├── pod.yaml
└── service.yaml
0 directories, 3 files
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: demo1
spec:
  source:
    path: demo_1/
    repoURL: 'https://gitlab.com/mjasion/argocd-example.git'
    targetRevision: master
    directory:
      recurse: true
  destination:
    namespace: default
    server: 'https://kubernetes.default.svc'
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
Compare the latest code in Git with the live state. Figure out what is different.
The process of making an application move to its target state. E.g. by applying changes to a Kubernetes cluster.
Application is out of sync
Auto-heal is disabled
Something is out of sync
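A toy reconciler, added here as an illustration and not Argo CD's own code, that models the diff and sync definitions above together with the prune and selfHeal options from the demo1 Application's syncPolicy; the object keys and specs are constructed sample data.

```python
# Toy model of the GitOps loop defined above: desired state comes from Git, live state
# from the cluster, and the Application's syncPolicy (automated / prune / selfHeal)
# decides what the tool may change. Added illustration, not Argo CD's implementation.

def diff(desired, live):
    """Compare Git (desired) with the cluster (live); objects are keyed 'Kind/name'."""
    return {
        "missing": [k for k in desired if k not in live],
        "drifted": [k for k in desired if k in live and live[k] != desired[k]],
        "orphaned": [k for k in live if k not in desired],
    }

def sync(desired, live, git_changed, prune=False, self_heal=False):
    """Return (new_live, actions). Automated sync runs on a Git change; selfHeal also
    runs it when only the cluster changed; prune decides whether orphans are deleted."""
    report = diff(desired, live)
    out_of_sync = report["missing"] + report["drifted"] + report["orphaned"]
    if not out_of_sync:
        return dict(live), [("synced", None)]
    if not git_changed and not self_heal:           # "Auto-heal is disabled"
        return dict(live), [("out-of-sync", k) for k in out_of_sync]
    new_live, actions = dict(live), []
    for key in report["missing"] + report["drifted"]:
        new_live[key] = desired[key]
        actions.append(("apply", key))
    for key in report["orphaned"]:
        if prune:
            del new_live[key]
            actions.append(("delete", key))
        else:
            actions.append(("orphaned", key))
    return new_live, actions

# Constructed scenario: demo_1 where pod.yaml was dropped from Git but the Pod still
# runs, and the Deployment was edited by hand with kubectl.
DESIRED = {"Deployment/demo": {"replicas": 2}, "Service/demo": {"port": 80}}
LIVE = {"Deployment/demo": {"replicas": 5}, "Service/demo": {"port": 80},
        "Pod/demo": {"image": "nginx"}}

def after_git_commit(prune):
    """The commit that removed pod.yaml has just been pushed."""
    return sync(DESIRED, LIVE, git_changed=True, prune=prune, self_heal=True)

def after_manual_edit(self_heal):
    """No new commit; only the cluster changed."""
    return sync(DESIRED, LIVE, git_changed=False, prune=True, self_heal=self_heal)
```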
| | CI Tool | GitOps Tool |
|---|---|---|
| Cluster | Outside | Inside |
| Code Repository | Read/Write | Read |
| Container Repository | Read/Write | Read |
RBAC is designed to define allow rules
But this ClusterAdmin can sometimes save your ass :-)
In EKS there is an aws-auth ConfigMap
And add proper permissions
data:
  mapUsers: |
    - "groups":
      - "system:masters"        # <---- THIS
      "userarn": "arn:aws:iam::xxx:user/marcin"
      "username": "marcin"
    - "groups":
      - "system:authenticated"  # <---- THIS
      "userarn": "arn:aws:iam::xxx:user/other"
      "username": "other"
You may not notice the issue...
data:
  mapUsers: |
    - "groups":
      - "system:masters"
      "userarn": "arn:aws:iam::xxx:user/marcin"
      "username": "marcin"
    - "groups":
      - "system:authenticated"
      "userarn": "arn:aws:iam::xxx:user/marcin"
      "username": "marcin"
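An added check (not from the talk, Argo CD or the aws-iam-authenticator project) that parses a mapUsers block in the layout shown above and flags the two things the slides point at: any principal placed in system:masters and the same ARN mapped twice. The sample block reuses the slides' placeholder ARNs, and the parser assumes the quoted key/list layout from the slides rather than full YAML.

```python
import re

# Constructed sample in the layout of the aws-auth mapUsers block above (placeholder ARNs).
MAP_USERS = '''\
- "groups":
  - "system:masters"
  "userarn": "arn:aws:iam::xxx:user/marcin"
  "username": "marcin"
- "groups":
  - "system:authenticated"
  "userarn": "arn:aws:iam::xxx:user/marcin"
  "username": "marcin"
'''

KEYS = ("groups", "userarn", "rolearn", "username")
KEY_RE = re.compile(r'^"?(%s)"?:\s*(.*)$' % "|".join(KEYS))

def _unquote(value):
    return value.strip().strip('"').strip("'")

def parse_map_users(text):
    """Line-based parser for mapUsers/mapRoles entries of the form '- groups:' + '- name' items."""
    entries, current = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        is_item = line.startswith("- ")
        body = line[2:].strip() if is_item else line
        match = KEY_RE.match(body)
        if match:
            if is_item:                        # "- key:" opens a new mapping entry
                current = {"groups": []}
                entries.append(current)
            if current is not None and match.group(1) != "groups":
                current[match.group(1)] = _unquote(match.group(2))
        elif is_item and current is not None:  # bare "- value" is a group name
            current["groups"].append(_unquote(body))
    return entries

def audit_map_users(entries):
    """Flag principals in system:masters and ARNs mapped more than once."""
    findings, seen = [], set()
    for entry in entries:
        arn = entry.get("userarn") or entry.get("rolearn") or "<missing arn>"
        if "system:masters" in entry["groups"]:
            findings.append(("cluster-admin", arn))
        if arn in seen:
            findings.append(("duplicate-mapping", arn))
        seen.add(arn)
    return findings
```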
It is not possible to configure dependencies between Applications
$ kubectl create namespace argocd
$ kubectl apply -n argocd \
    -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yml
$ kubectl patch svc argocd-server -n argocd \
    -p '{"spec": {"type": "LoadBalancer"}}'
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  namespace: argocd
  name: argo-root
spec:
  source:
    path: applications/
    repoURL: 'https://gitlab.com/mjasion/argocd-example.git'
    targetRevision: master
    directory:
      recurse: true
  destination:
    namespace: argocd
    server: 'https://kubernetes.default.svc'
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
To shorten the recovery procedure.
To have everything in the repository.
argo-root Application which manages other Application definitions
Istio in 90 seconds
kind: Application
metadata:
  name: istio-crd
spec:
  destination:
    namespace: istio-system
    server: 'https://kubernetes.default.svc'
  source:
    path: istio_helm/istio-init
    ...
kind: Application
metadata:
  name: istio
spec:
  source:
    path: istio_helm/istio
    repoURL: 'https://gitlab.com/mjasion/argocd-example.git'
    targetRevision: master
    helm:
      valueFiles:
        - values-istio-demo.yaml
  destination:
    namespace: istio-system
    ...
It is better to use branches: prod & staging etc.
Webhook integration (GitHub, BitBucket, GitLab)
SSO integration
Auditing
Reverting changes (without git revert too)
Works with git push --force💩
GitOps precursor - a tool developed by Weaveworks
Automatically updates container tags
Requires write access to git repository
Poor support for branching model
Supports plain objects and Helm
Object pruning was in alpha stage
No UI😢