Adopting GitOps for Kubernetes deployments
# About GitOps
After some years of grappling with various approaches to deploying apps on Kubernetes, we've finally embraced GitOps 🥳
GitOps leverages Git as the single source of truth to define every part of a cloud-native system. Once declared in Git, a GitOps agent automatically applies all code, configuration, and policies across dev, test, staging, and production environments. With GitOps, whenever there is any divergence between Git and what's running in a cluster, developers are alerted. Depending on the case, Kubernetes reconcilers automatically update or roll back the cluster. With Git at the center of the delivery pipelines, developers can use familiar tools to make pull requests to accelerate and simplify both application deployments and policies that govern software delivery end-to-end.
Here some procedures we are happy to leave behind ❗️❗️
- Maintaining a single Helm chart in every git repository to build & deploy the code.
- Using environment variables in pipelines to populate those as secrets inside the Helm chart.
- Using Terraform to deploy Kubernetes resources.
- Using kubectl and yaml files to create/replace Kubernetes resources.
- Whitelisting pipeline's IPs on Kubernetes API and keeping kubeconfig templates and other creds in pipelines to perform such deployments.
Here what we now do instead 🚀
- 💪 A "meta Helm chart", allows us to have a single chart to rule them all . Dev teams only need to maintain a single
values.yaml
file that is built and its freshly generated chart is pushed to the team's OCI repository. - 👀 Instead of "pushing" apps to the kubernetes cluster, we now use Flux (opens new window) to pull app configs and charts and keep the state of the clusters in sync with the git repository as a single point of truth
- 🔐 We use in-cluster secrets decryption with Flux & Mozilla Sops (opens new window) to keep secrets away from our pipelines and avoid any potential SaaS data breaches. Our next step is to implement Kubernetes External Secrets (opens new window) that enables us to securely store secrets outside of our code repositories, reducing the risk of accidental code pushes that could expose sensitive information. With these measures in place, we can ensure that our sensitive information remains secure and protected.
# About Flux
# What is Flux?
Flux is a continuous deployment solution designed for Kubernetes environments that helps teams to automate the process of deploying and updating their applications with ease. Recognized by the Cloud Native Computing Foundation (CNCF), Flux's popularity is due to its seamless integration with Kubernetes and its simple configuration.
Teams can use Flux to manage their Kubernetes deployments declaratively in repositories, specifying how they want their applications to behave, which streamlines the process. With Flux, you can achieve a smooth and efficient deployment process that saves time and resources.
# How does Flux work?
Flux uses continuous reconciliation to synchronize the Kubernetes resources stored in a git repository with the cluster, ensuring that the cluster always has the most up-to-date configuration. By avoiding the use of binary manifests in the CD pipeline, teams can simplify their deployment process and eliminate the risk of configuration drift. Flux's declarative management approach allows teams to specify how they want their applications to behave, and Flux takes care of the rest.
# Flux's integration with other tools
Flux is a highly versatile and flexible tool that can integrate smoothly with a variety of other tools and services in the DevOps ecosystem. Whether you're using CI/CD tools like Jenkins and GitLab CI, Kubernetes tools like Helm and Kustomize, or monitoring and logging tools like Prometheus and Grafana, Flux can be effortlessly integrated with them to provide a seamless experience.
# Conclusion
In conclusion, the principles of GitOps that Flux enables, such as:
- Git as the only source of truth
- All configurations existing as code
- All changes being verifiable and observable
provide us a powerful framework for managing software delivery in a modern DevOps ecosystem. By embracing GitOps, teams can benefit from greater transparency, automation, and collaboration in their software development and deployment processes. With Flux's capabilities for continuous deployment, declarative management, and seamless integration with other tools, it serves as a valuable choice for organizations looking to adopt a GitOps approach to software delivery.