GitOps ⚙️⎈ Recipes 🍱 With a Spice 🌶️ of Security 🔐

•

0 likes•30 views

Presented at CNCF Toronto Q2 meetup on June 22, 2023. You’ve seen the light of GitOps and are excited to streamline the release process of your development teams and platform engineers. Ready to proceed down this path, the realities of Day 2 operations are settling in. Does a perfect repository, folder/branching structure, and templating process exist? Who must approve which pull requests? How involved will the CI pipeline be? Oops!-Do you have a rollback process in place? All of these requirements must be met while still ensuring security and compliance is kept in check. This talk will run over several different GitOps recipes and discuss relevant security and compliance considerations. You will leave this talk with your eyes once again glittering with excitement to travel down the GitOps path armed with an swiss army knife of recipes and how they will fit into your organization, all while still maintaining a high security and compliance posture.

Software

GitOps ⚙
Recipes 🍱 With a
Spice 🌶 of
Security 🔐
Julian Mazzitelli - @thejmazz, CIO
BioBox(.io)

What is GitOps?
https://www.weave.works/blog/automate-kubernetes-with-gitops
https://www.weave.works/technologies/gitops/

How ArgoCD Performs the GitOps Reconciliation Loop

Monorepo or Polyrepo?
● Simplicity vs. Scale
● 🌶 Branch Protections and PR Approvals 🔜

Image Updater
● FluxCD has this built in
● argocd-image-updater is v0.12.2, works for
Kustomize and Helm
● Changes image tags in manifests when new
images are pushed
● Last resort: write your own git bot script! Easy to
replace values in yaml with dasel

Image Updates at BioBox
● Monorepo
● Pushes build images, write back from a bot into
Git, updating images in bx.application.yaml
● PRs with “env” label, kubectl apply current
bx.application.yaml for dev/QA environments
● Prod release updates/hotfixes are made manually
via PR on deployments repo
● Beyond images: other configuration values,
database migration targets

Branches or Directories?
(for environments - base vs dev vs staging vs prod)

Branches or Directories?
(for environments - base vs dev vs staging vs prod)
Directories.

Branches or Directories?
(for environments - base vs dev vs staging vs prod)
Directories. Nobody likes purple ketchup.

Branches or Directories?
(for environments - base vs dev vs staging vs prod)
Directories. Nobody likes purple ketchup, especially Git.

App of Apps vs. Giant Application
● Application: A single repo+path+revision watched by the
GitOps controller
● A single application may start off simple, but will grow
complex quickly!
○ Every resource must be checked each sync (though ArgoCD has an
option to only sync out-of-sync resources)
○ Overwhelming amount of resources in dashboard, combining
unrelated resources
○ Limits use of hooks (PreSync, PostSync)
● So, app-of-apps? “Deployments” repo consists purely of
Application.argoproj.io CRDs, who reference the
“templates” repo
● 🚧 Beware of multi-cluster complications
○ E.g. “templates” render out Applications
○ Central GitOps -> app-of-apps needs to have children destination
in-cluster (cannot mix ad-hoc K8s resources with children apps!)
○ GitOps-per-cluster -> Could mix applications with resources

Render Templates - Ahead of Time or Live?
● Should your repo contain un-rendered Helm/Kustomize/x templates, or should
you render everything into yaml?
Ahead Live
✅ No surprises, review resources as they will end
up
✅ 100% Declarative
❌ More copy-pasting, management of your
templates (Kustomize overlays can help, so much)
✅🌶 Ability to run thorough CI checks (kubelinter -
e.g. enforce no root, Security is 😁)
🔸 Can make monorepo tamable?
(name.resource.namespace.yaml)
✅ Better diffing (can sort keys deterministically)
✅ Ability to provide “last-mile” configurations (e.g.
requests, replicas)
❌ Only “semi” declarative
✅ Simpler, up and running faster
❌ Limited CI (unless you render out in CI?)
● Use both techniques! Depending on situation: semi-declarative on dev (+flexibility), full
declarative on prod. Platform, database fully declarative, stateless apps semi-declarative

🌶 Compliance
● Polyrepo
○ Assign specific teams to specific repositories
○ Can probably get away with branch protections requiring one review
○ ✅ Simpler change management controls
○ 🔐 Map repository teams directly to Kubernetes RBAC
○ ❌ Polyrepo management and complexity
● Monorepo
○ Developers and Operations belong to the same repo - how to avoid stepping on each other’s
toes?
○ Write a CI script that checks for reviews from specific individuals based on contents of change
■ No ingress, platform, storage class changes? Allow developer to approve, otherwise
operations must approve.
🔏 “Provide the list of users who can view/edit/delete the
in-scope production applications”

Thank you!
Julian Mazzitelli
@thejmazz
BioBox.io

Many people ask, "Which one is better for me: App Engine, Cloud Functions, or Cloud Run?" To help you learn more about them, understand their differences, appropriate use cases, etc., why not deploy the same app to all 3? With this "test drive," you only need to make minor config changes between platforms. You'll also learn one of Google Cloud's AI/ML "building block" APIs as a bonus as the sample app is a simple "mini" Google Translate "MVP". This is a 45- 60-minute talk that reviews the Google Cloud serverless compute platforms then walks through the same app and its deployments. The code is maintained at https://github.com/googlecodelabs/cloud-nebulous-serverless-python

Rejekts 24 EU No GitOps Pain, No Platform Gain

Łukasz Piątkowski

The journey to GitOps

Nicola Baldi

Rapid Prototyping with TurboGears2Alessandro Molina

GitOps: Git come unica fonte di verità per applicazioni e infrastruttura

sparkfabrik

GitOps è un nuovo metodo di CD che utilizza Git come unica fonte di verità per le applicazioni e per l'infrastruttura (declarative infrastructure / infrastructure as code), fornendo sia il controllo delle revisioni che il controllo delle modifiche. In questo talk vedremo i concetti alla base di CI/CD, ovvero Continuous Integration e Continuous Deployment (o anche Continuous Delivery), pratiche nello sviluppo software che permettono ai team di creare dei progetti collaborativi in modo rapido, efficiente e idealmente con meno errori. Infine vedremo come implementare un flusso di lavoro GitOps usando Github actions e ArgoCD.

Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD

Sunnyvale

Drupal 8 provides a robust configuration management system which represents a paradigm shift from previous versions of Drupal. It's now easier than ever to represent your configuration in code and manage it with source control. However, that may not be enough. This session will propose a new strategy for thinking about Drupal 8 configuration, treating it as just another dependency, managed the same way code dependencies are managed with Composer. We'll cover: Drupal 8 configuration management overview New ways of managing your git repository Composer and Drupal Console Drupal 8 multisite considerations

Serverless? How (not) to develop, deploy and operate serverless applications.

gjdevos

Advanced Configuration Management with Config Split et al.

Nuvole

So you know how to use configuration management in Drupal 8. It works great for its intended use case but you have more advanced needs and Drupal core and drush don’t really help you? You read or write blog posts pointing out shortcomings of Drupals configuration management? Configuration Split and its friends will jump in and help with almost all your Configuration Management struggles. Some configuration needs to exist only in some environments, like development modules? Your client edits some configuration on the production site? You have two sites that are almost the same but not exactly? You checked out configuration split but didn’t get what it does? At this session all your questions will be answered and you will love the configuration management in Drupal 8 even more. Next to Configuration Split and its road map we will also see some other solutions for other potential stumbling blocks, such as deploying configuration which depends on content or installing a site from existing configuration. Modules covered: Configuration Split (and Config Filter) Configuration installer Configuration Read-only mode More modules briefly

Docman - The swiss army knife for Drupal multisite docroot management and dep...

Aleksey Tkachenko

Hadoop: Big Data Stacks validation w/ iTest How to tame the elephant?

Dmitri Shiryaev

Head first android apps dev tools

Shaka Huang

There is something about serverless

gjdevos

GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...

Oleg Shalygin

Kubernetes provides an automated platform to deployment, scaling and operations of applications across a cluster of hosts. Complementing Kubernetes with a series of build scripts in conjunction with Travis-CI, GitHub, Artifactory, and Google Cloud Platform, we can take code from a merged pull request to a deployed environment with no manual intervention on a highly scaleable and robust infrastructure.

Next Level DevOps Implementation with GitOps

Ramadoni Ashudi

Merge hells - Feature Toggles to the rescue

Leena N

Feature branching has been popular for long, but everyone knows about the “merge hell”, a common issue because of long lived branches or infrequent integration. How do you continuously merge, test and release software with great confidence without spending too much time on merging and fixing conflict issues. That is where Mainline development, one of the key practices of Continuous Delivery, comes into picture and Feature Toggle works in conjunction with the same. Feature Toggle [also referred as Feature Flip, Feature Switch, Feature flag] is a simple technique which allows you to turn on or off a feature through configuration. Feature toggles gives you the flexibility to toggle features in specific environments i.e. turn on a feature in testing or staging servers and turn it off the same in production. This also helps to rollback features, as rolling back is as simple as turning off the feature and deploying.

Serverless Computing with Google Cloud

wesley chun

Advanced Dagger talk from 360andev

Mike Nakhimovich

GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021

William Caban

Easy path to machine learning (Spring 2020)

wesley chun

Drupal performance and scalability

Twinbit

Mete Atamel "Resilient microservices with kubernetes"

IT Event

Frontend microservices: architectures and solutions

Mikhail Kuznetcov

gitopsthekubernetesway-201026090439.pdf

saraichiba2

Gitops: the kubernetes way

sparkfabrik

GitOps è un nuovo metodo di CD che utilizza Git come unica fonte di verità per le applicazioni e per l'infrastruttura (declarative infrastructure/infrastructure as code), fornendo sia il controllo delle revisioni che il controllo delle modifiche. In questo talk vedremo come implementare workflow di CI/CD Gitops basati su Kubernetes, dalla teoria alla pratica passando in rassegna i principali strumenti oggi a disposizione come ArgoCD, Flux (aka Gitops engine) e JenkinsX

Trunk based development

go_oh

Are you sick of Merge Hell? Do your feature branches go rogue? Do you spend more time fiddling with your Version Control System than doing actual development work? Then Trunk Based Development might be for you. Facebook does it. Google does it. Instead of messing with multiple branches, just use your master branch. Always. In addition to giving you an overview about how Trunk Based Development works, where it shines and where the pitfalls are, this talk will also cover the necessary techniques to succeed with it, such as Branch By abstraction, Feature Toggles and backwards compatible Database Migrations.

Quarkus Hidden and Forbidden Extensions

Max Andersen

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Globus

The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.

Similar to GitOps ⚙️⎈ Recipes 🍱 With a Spice 🌶️ of Security 🔐

Configuration as Dependency: Managing Drupal 8 Configuration with git and Com...

Erich Beyrent

Serverless? How (not) to develop, deploy and operate serverless applications.

gjdevos

Advanced Configuration Management with Config Split et al.

Nuvole

Docman - The swiss army knife for Drupal multisite docroot management and dep...

Aleksey Tkachenko

Hadoop: Big Data Stacks validation w/ iTest How to tame the elephant?

Dmitri Shiryaev

Head first android apps dev tools

Shaka Huang

There is something about serverless

gjdevos

GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...

Oleg Shalygin

Next Level DevOps Implementation with GitOps

Ramadoni Ashudi

Merge hells - Feature Toggles to the rescue

Leena N

Serverless Computing with Google Cloud

wesley chun

Advanced Dagger talk from 360andev

Mike Nakhimovich

GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021

William Caban

Easy path to machine learning (Spring 2020)

wesley chun

Drupal performance and scalability

Twinbit

Mete Atamel "Resilient microservices with kubernetes"

IT Event

Frontend microservices: architectures and solutions

Mikhail Kuznetcov

gitopsthekubernetesway-201026090439.pdf

saraichiba2

Gitops: the kubernetes way

sparkfabrik

GitOps è un nuovo metodo di CD che utilizza Git come unica fonte di verità per le applicazioni e per l'infrastruttura (declarative infrastructure/infrastructure as code), fornendo sia il controllo delle revisioni che il controllo delle modifiche. In questo talk vedremo come implementare workflow di CI/CD Gitops basati su Kubernetes, dalla teoria alla pratica passando in rassegna i principali strumenti oggi a disposizione come ArgoCD, Flux (aka Gitops engine) e JenkinsX

Trunk based development

go_oh

Similar to GitOps ⚙️⎈ Recipes 🍱 With a Spice 🌶️ of Security 🔐 (20)

Configuration as Dependency: Managing Drupal 8 Configuration with git and Com...

Serverless? How (not) to develop, deploy and operate serverless applications.

Advanced Configuration Management with Config Split et al.

Docman - The swiss army knife for Drupal multisite docroot management and dep...

Hadoop: Big Data Stacks validation w/ iTest How to tame the elephant?

Head first android apps dev tools

There is something about serverless

GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...

Next Level DevOps Implementation with GitOps

Merge hells - Feature Toggles to the rescue

Serverless Computing with Google Cloud

Advanced Dagger talk from 360andev

GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021

Easy path to machine learning (Spring 2020)

Drupal performance and scalability

Mete Atamel "Resilient microservices with kubernetes"

Frontend microservices: architectures and solutions

gitopsthekubernetesway-201026090439.pdf

Gitops: the kubernetes way

Trunk based development

Recently uploaded

Quarkus Hidden and Forbidden Extensions

Max Andersen

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Globus

Navigating the Metaverse: A Journey into Virtual Evolution"

Donna Lenk

Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...

Globus

The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.

BoxLang: Review our Visionary Licenses of 2024

Ortus Solutions, Corp

Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...

Anthony Dahanne

Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ? Venez le découvrir lors de cette session ignite

May Marketo Masterclass, London MUG May 22 2024.pdf

Adele Miller

Globus Compute wth IRI Workflows - GlobusWorld 2024

Globus

As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.

SOCRadar Research Team: Latest Activities of IntelBroker

SOCRadar

The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month. The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies. However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News. Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!

Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...

Mind IT Systems

TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR

Tier1 app

Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.

Using IESVE for Room Loads Analysis - Australia & New Zealand

IES VE

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite

Google

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite 👉👉 Click Here To Get More Info 👇👇 https://sumonreview.com/ai-pilot-review/ AI Pilot Review: Key Features ✅Deploy AI expert bots in Any Niche With Just A Click ✅With one keyword, generate complete funnels, websites, landing pages, and more. ✅More than 85 AI features are included in the AI pilot. ✅No setup or configuration; use your voice (like Siri) to do whatever you want. ✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It… ✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again. ✅ZERO Limits On Features Or Usages ✅Use Our AI-powered Traffic To Get Hundreds Of Customers ✅No Complicated Setup: Get Up And Running In 2 Minutes ✅99.99% Up-Time Guaranteed ✅30 Days Money-Back Guarantee ✅ZERO Upfront Cost See My Other Reviews Article: (1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review (2) SocioWave Review: https://sumonreview.com/sociowave-review (3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review (4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review

In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...

Juraj Vysvader

Enhancing Research Orchestration Capabilities at ORNL.pdf

Globus

Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.

Lecture 1 Introduction to games development

abdulrafaychaudhry

How Recreation Management Software Can Streamline Your Operations.pptx

wottaspaceseo

Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.

top nidhi software solution freedownload

vrstrong314

This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf

AMB-Review

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos https://www.amb-review.com/tubetrivia-ai Exclusive Features: AI-Powered Questions, Wide Range of Categories, Adaptive Difficulty, User-Friendly Interface, Multiplayer Mode, Regular Updates. #TubeTriviaAI #QuizVideoMagic #ViralQuizVideos #AIQuizGenerator #EngageExciteExplode #MarketingRevolution #BoostYourTraffic #SocialMediaSuccess #AIContentCreation #UnlimitedTraffic

Globus Compute Introduction - GlobusWorld 2024

Globus

Recently uploaded (20)

Quarkus Hidden and Forbidden Extensions

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Navigating the Metaverse: A Journey into Virtual Evolution"

Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...

BoxLang: Review our Visionary Licenses of 2024

Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...

May Marketo Masterclass, London MUG May 22 2024.pdf

Globus Compute wth IRI Workflows - GlobusWorld 2024

SOCRadar Research Team: Latest Activities of IntelBroker

Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...

TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR

Using IESVE for Room Loads Analysis - Australia & New Zealand

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite

In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...

Enhancing Research Orchestration Capabilities at ORNL.pdf

Lecture 1 Introduction to games development

How Recreation Management Software Can Streamline Your Operations.pptx

top nidhi software solution freedownload

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf

Globus Compute Introduction - GlobusWorld 2024

GitOps ⚙️⎈ Recipes 🍱 With a Spice 🌶️ of Security 🔐

1. GitOps ⚙ Recipes 🍱 With a Spice 🌶 of Security 🔐 Julian Mazzitelli - @thejmazz, CIO BioBox(.io)

2. What is GitOps? https://www.weave.works/blog/automate-kubernetes-with-gitops https://www.weave.works/technologies/gitops/

3. How ArgoCD Performs the GitOps Reconciliation Loop

4. Monorepo or Polyrepo? ● Simplicity vs. Scale ● 🌶 Branch Protections and PR Approvals 🔜

5. Image Updater ● FluxCD has this built in ● argocd-image-updater is v0.12.2, works for Kustomize and Helm ● Changes image tags in manifests when new images are pushed ● Last resort: write your own git bot script! Easy to replace values in yaml with dasel

6. Image Updates at BioBox ● Monorepo ● Pushes build images, write back from a bot into Git, updating images in bx.application.yaml ● PRs with “env” label, kubectl apply current bx.application.yaml for dev/QA environments ● Prod release updates/hotfixes are made manually via PR on deployments repo ● Beyond images: other configuration values, database migration targets

7. Branches or Directories? (for environments - base vs dev vs staging vs prod)

8. Branches or Directories? (for environments - base vs dev vs staging vs prod) Directories.

9. Branches or Directories? (for environments - base vs dev vs staging vs prod) Directories. Nobody likes purple ketchup.

10. Branches or Directories? (for environments - base vs dev vs staging vs prod) Directories. Nobody likes purple ketchup, especially Git.

11. App of Apps vs. Giant Application ● Application: A single repo+path+revision watched by the GitOps controller ● A single application may start off simple, but will grow complex quickly! ○ Every resource must be checked each sync (though ArgoCD has an option to only sync out-of-sync resources) ○ Overwhelming amount of resources in dashboard, combining unrelated resources ○ Limits use of hooks (PreSync, PostSync) ● So, app-of-apps? “Deployments” repo consists purely of Application.argoproj.io CRDs, who reference the “templates” repo ● 🚧 Beware of multi-cluster complications ○ E.g. “templates” render out Applications ○ Central GitOps -> app-of-apps needs to have children destination in-cluster (cannot mix ad-hoc K8s resources with children apps!) ○ GitOps-per-cluster -> Could mix applications with resources

12. Render Templates - Ahead of Time or Live? ● Should your repo contain un-rendered Helm/Kustomize/x templates, or should you render everything into yaml? Ahead Live ✅ No surprises, review resources as they will end up ✅ 100% Declarative ❌ More copy-pasting, management of your templates (Kustomize overlays can help, so much) ✅🌶 Ability to run thorough CI checks (kubelinter - e.g. enforce no root, Security is 😁) 🔸 Can make monorepo tamable? (name.resource.namespace.yaml) ✅ Better diffing (can sort keys deterministically) ✅ Ability to provide “last-mile” configurations (e.g. requests, replicas) ❌ Only “semi” declarative ✅ Simpler, up and running faster ❌ Limited CI (unless you render out in CI?) ● Use both techniques! Depending on situation: semi-declarative on dev (+flexibility), full declarative on prod. Platform, database fully declarative, stateless apps semi-declarative

13. 🌶 Compliance ● Polyrepo ○ Assign specific teams to specific repositories ○ Can probably get away with branch protections requiring one review ○ ✅ Simpler change management controls ○ 🔐 Map repository teams directly to Kubernetes RBAC ○ ❌ Polyrepo management and complexity ● Monorepo ○ Developers and Operations belong to the same repo - how to avoid stepping on each other’s toes? ○ Write a CI script that checks for reviews from specific individuals based on contents of change ■ No ingress, platform, storage class changes? Allow developer to approve, otherwise operations must approve. 🔏 “Provide the list of users who can view/edit/delete the in-scope production applications”

14. 🚧 Multi-Git Source Applications!? 🔧

15. Thank you! Julian Mazzitelli @thejmazz BioBox.io

GitOps ⚙️⎈ Recipes 🍱 With a Spice 🌶️ of Security 🔐

Recommended

Recommended

More Related Content

Similar to GitOps ⚙️⎈ Recipes 🍱 With a Spice 🌶️ of Security 🔐

Similar to GitOps ⚙️⎈ Recipes 🍱 With a Spice 🌶️ of Security 🔐 (20)

Recently uploaded

Recently uploaded (20)

GitOps ⚙️⎈ Recipes 🍱 With a Spice 🌶️ of Security 🔐