The IT landscape is an ever-evolving environment that aims at grading up the existing workflows in a loop to improve efficiency and speed. Infrastructure-as-Code (IAC) was a huge shift in how infrastructure is provisioned and how changes are tracked. Tools like Terraform, Puppet, Ansible, and more made this possible with the notion of the desired state. Instead of imperatively configuring systems, you create a declarative file that describes what the environment should look like and the platform will do whatever it has to do to make it happen.
If you follow the developments around Kubernetes and Cloud Native areas, you probably came across the term GitOps at some point in time. In this article, we will go through what it is, how it helps organizations, and what tools you can use to leverage it.
Git reconciliation
First of all, let’s quickly define what is GitOps.
GitOps lets you store the declarative files that describe your environment and reconcile them in the Kubernetes cluster.
For instance, you have a bunch of YAML files to deploy resources in your Kubernetes cluster stored in a Git repository. There is a controller in the Kubernetes cluster that watches this Git repository. If something changes in the repo, the controller will detect it and apply the change in the cluster (this is called reconciliation). In short, instead of manually running a “kubectl” command, you only edit a file in a Git Repo.
In the example below we have a Git repository (left) in which we have YAML files that describe a deployment with 2 nginx replicas and a service. The Kubernetes cluster (right) runs a “GitOps” controller (bad term by the way) that watches the repo.
Now if I want to scale my deployment from 2 replicas to 3, all I need to do is to edit the file in the Git repo and create a Pull Request that will be reviewed by my peers to ensure I’m not screwing things up and then merge it. After the change is merged, the “GitOps” controller (again don’t quote me on that) will notice the change and reconcile the running state.
Core principles
While having a controller do the work for you is already pretty cool, the benefits of GitOps span further than that. It drastically improves traceability and auditing through versioning and reduces the risk of error by having reviewed changes (four eyes principle).
Versioning
Every change that is made to the git repository is tracked in a commit that is tied to a user and timestamped, making it easy to identify what was changed, by whom, and when. The flexible nature of Git also offers the possibility to easily go back to an earlier commit if a breaking change was pushed by mistake.
Here is an example in the below screenshot of a private repository where I describe my home automation stuff. The first few commits were made a while back for testing purposes but you can see that I updated a couple of apps with a simple Git commit.
Better teams’ collaboration
Instead of having YAML files scattered across everyone’s computers or in whatever code management system’s out there, having everything in Git establishes a single source of truth where you can be sure to find up-to-date manifests.
For instance, the commit below updates the image tag to use to update an app. After the commit is merged, the GitOps controller (ArgoCD in my case) will detect this change, pull the new image and recreate the pod with it.
Flexibility
While Infrastructure as Code offers a way to manage infrastructure components, the GitOps workflow is much better suited for a Cloud Native environment as you can manage anything and everything.
GitOps allows you to deploy any kind of cloud-native resources as long as you provide valid manifests or Helm charts. With the use of CRDs (Custom Resource Definitions) and controllers (which together make up operators), you can provision anything through Kubernetes extensions like Kubernetes clusters themselves on specific infrastructures like Tanzu Community Edition and CAPV or cluster-API Provider vSphere
Pull vs Push
While many environments are Push-based, meaning the Manager actively pushes changes to the target environment, GitOps is a Pull-based mechanism. As a result, the controllers running in the environments are responsible to identify changes between the running state and the files stored in Git. This significantly simplifies the management of the solution since you can pull from various locations and it also improves security as you can already store secrets directly in your cluster.
Note that there are options like Mozilla SOPS to encrypt your secrets, store them in the Git repository and have them decrypted in the cluster with the private key. Other options include Hashicorp’s Vault, Bitnami’s Sealed secrets…
GitOps solutions
While GitOps is still a fairly new area of the IT landscape (even in IT terms), there are few contenders that man this space as the leaders.
ArgoCD
ArgoCD is usually the solution of choice for those starting with GitOps as it offers a very nice graphical user interface and is easy to configure.
You can trigger most actions from the UI and there is a good CLI tool as well
FluxCD
Flux is a bit more barebones than ArgoCD in that there is no UI so you have to do everything in the command line (which shouldn’t be a problem if you work in the cloud native space really).
I particularly like FluxCD for its simplicity and flexibility. No need to mess around with Apps like in ArgoCD. Here you watch your sources and whatever’s in there will be reconciled in the system.
Weave GitOps
Weaveworks were the one who came up with the term GitOps and the whole framework around it. Ironically, the industry seems to gravitate towards Flux and ArgoCD as the GitOps leaders. I personally never tried Weave Gitops core or Enterprise so I can’t give feedback on it but felt wrong not to mention it and I have no doubts it does the job just fine.
Wrap up
Managing infrastructure isn’t always easy and proved to be a challenge for many organizations regardless of their sizes. Whether you handle clusters, apps, or network services, ensuring an audit trail and facilitating rollback operations is among the most important part of the job as things like ISO certifications or security compliance may rely on it entirely.
GitOps addresses some of these issues by leveraging the architecture on which Git is built and its strengths around versioning. Having a single source of truth and the ability to have every single change reviewed by team members would have sounded like a dream to me back when I was managing vSphere clusters that ran critical enterprise components.
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.
