際際滷

際際滷Share a Scribd company logo

How to Structure Your K8s GitOps Repository at Scale by Erik Berdonces - DevOpsBCN - October 2024

D
devopsbcnmeetup

This talk will cover how to structure your GitOps repository for Kubernetes at scale. We'll discuss the challenges of managing complex environments with multiple clusters and how to keep your configurations DRY (Don't Repeat Yourself). We'll also dive into using FluxCD and Kustomize to automate deployments and manage configurations effectively

1 of 37
Download to read offline
How to Structure Your K8s GitOps Repository at Scale Taming the GitOps complexity (when possible)
A bit about me Erik Berdonces Bonelo TechLead and Senior DevOps Engineer @ Midokura @sturgelose in all social networks
Glossary Environment: A K8s cluster and all the cloud resources needed for the cluster and services running in them. It must be reproducible and declared as IaC. Pro鍖le: A set of Environments with the same aim and similar con鍖guration IaC (Infrastructure as Code): ability to provision and support your computing infrastructure using code instead of manual processes and settings. Tenant: a user consuming the K8s platform to deploy an app App: any service installed on top of Kubernetes. They can be either part of the Platform (to provide runtime/services to other apps) or part of the Product (provide value to the 鍖nal user)
GitOps GitOps is an operational framework that takes DevOps best practices used for application development such as version control, collaboration, compliance, and CI/CD, and applies them to infrastructure automation. TLDR; Deploy infrastructure via IaC using CI/CD and PRs using Git as con鍖g storage. Do not trust humans by doing changes manually and make everything declarative.
Prod Cluster Staging Cluster Git is used as the source of con鍖guration for all ENVs Staging Cluster Prod Cluster Chart v2 Values v2 Secrets v2 Terraform v2 Chart v1 Values v1 Secrets v1 Terraform v1 Git Repository Cloud Resources Cloud Resources /staging/app1 /production/app1
Staging Cluster Cloud Resources Staging Cluster Chart v1 Values v1 Secrets v1 Terraform v1 Easy to: Replicate Rollback Track changes (who and when) See whats in the env without connecting to the cluster or cloud. Reconcile to a known state just checking in a Git repository.
Which kinds of infra IaaC tooling do exist? For Cloud infrastructure: Terraform/TerraGrunt Pulumi Ansible CloudFormation (AWS) / Azure ARM For K8s resources: YAML 鍖les Kustomize Helm FluxCD/ArgoCD Hybrid: Crossplane terraform-controller (FluxCD)
Tooling for today
Intro to FluxCD Chart v1 Values v1 Secrets v1
Intro to Terraform
When we will use each? Terraform To setup the K8s cluster and any Cloud resource FluxCD + Helm + Kustomize To deploy resources inside a K8s Cluster Why this choice? For an environment to be reproducible, we need to declare the cluster itself as a code. FluxCD and Helm require a k8s cluster to run, and to avoid this chicken-and-egg problem we need Terraform. Terraform K8s and Nodes FluxCD App
Roles in our MultiTenant Environments Platform Team Sets up the K8s cluster Administrates nodes and bindings between cluster and Cloud Provides shared dependencies to developers Developer Team(s) Develops an app Deploys an app version in a given Env with some con鍖guration May deploy Cloud resources to be consumed by their app
In a Nutshell Staging Cluster Prod Cluster Chart v2 Values v2 Secrets v2 Chart v1 Values v1 Secrets v1 Promote! Chart v2 Values v2 Secrets v2
Challenges Secrets and Con鍖g differs between envs: we cant promote everything! Handling Apps that are only deployed to certain Environments Keeping my GitOps structure DRY
Challenge 1: How could I structure my Git Repo? Lets start simple: how do I structure a simple App? Chart Config (values.yaml) Encrypted Secrets + + SOPS (or similar tools) can be used to store encrypted secrets in a Git Repository securely Other K8s resources CRD instances
Case: One Env, One App app/ helm.yaml con鍖g.yaml secrets.yaml.encrypted
Challenge 2: Can I promote everything? No! Secrets will differ between environments Will you use the same secrets in staging and prod? No! Solution: get rid of secrets with Workload Identity for Azure, AWS, GCloud, using roles instead of secrets. Con鍖guration might change values between environments Resource allocations, annotations and optimizations will differ between Staging and Production environments. New con鍖g can be tied to speci鍖c versions of a chart, which makes it more challenging.
Promoting is more complex Staging Cluster Prod Cluster Chart v2 Values v2 Chart v1 Values v1 Staging Values Secrets Prod Values Secrets Chart v2 Values v2 This requires identifying and managing in different ways con鍖guration that can be promoted vs the one that cant be promoted!
Case: Multiple distinct envs, One App envs/ prod/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted staging/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted Copy the files to promote This is more complex than before: Some 鍖les are duplicated (not DRY) Promoting means moving 鍖les between folders Envs can drift away easily Developers need to classify in which con鍖g 鍖le sort changes but still somehow manageable Using different branches for different envs doesnt provide value as we cant merge a branch to another without overriding env-con鍖g or secrets.
Challenge 3: Even more Environments Staging Cluster Prod EU Cluster Chart v2 Values v2 Chart v1 Values v1 Staging Values Secrets Prod EU Values Secrets Prod US Cluster Prod US Values Secrets Similar Chart v2 Values v2
Case: Multiple similar envs, One App envs/ prod-eu/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted prod-us/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted staging/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted A change to all prod envs requires multiple changes Automating this gets more complex (how to track which env is in which stage?) Less DRY but still somehow manageable
Case: Multiple similar envs, One App stages/ prod/ helm.yaml app-con鍖g.yaml staging/ helm.yaml app-con鍖g.yaml envs/ prod-eu/ env-con鍖g.yaml secrets.yaml.encrypted (extends ../../stages/prod) prod-us/ env-con鍖g.yaml secrets.yaml.encrypted (extends ../../stages/prod) staging/ env-con鍖g.yaml secrets.yaml.encrypted (extends ../../stages/staging) Alternatively we can use Kustomization to make it DRYer: prod-eu and prod-us envs inherit from prod stage staging env inherts from staging stage Pros All envs of a stage are forced to be similar Promotions look much easier Creating a new ENV could be automatized Cons Promotions are more dangerous: one change in the stage affects all clusters env-con鍖g and app-con鍖g live in different folders, making it complex for developers to map them.
Challenge 4: How do I promote multiple apps? Staging Cluster Prod Cluster Chart v2 Values v2 Chart v1 Values v1 Staging Values Secrets Prod Values Secrets Chart v2 Values v2 Chart v1 Values v1 Staging Values Secrets Prod Values Secrets
Types of app relationships Bounded apps Apps are deployed together and as they depend to each other in some con鍖guration. envs/ prod/ app1-env-con鍖g.yaml app1-helm.yaml app1-app-con鍖g.yaml app1-secrets.yaml.encrypted app2-env-con鍖g.yaml app2-helm.yaml app2-app-con鍖g.yaml app2-secrets.yaml.encrypted staging/ app1-env-con鍖g.yaml app1-helm.yaml app1-app-con鍖g.yaml app1-secrets.yaml.encrypted app2-env-con鍖g.yaml app2-helm.yaml app2-app-con鍖g.yaml app2-secrets.yaml.encrypted envs/ app1/ prod/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted staging/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted app2/ prod/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted staging/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted Apps have distinct lifecycle (independent)
To aggregate multiple apps We can use a Kustomization 鍖le to aggregate the different sources for this env
Challenge 5: Declaring Cloud resources Solution 1: Create a Terraform state, independent from 鍖ux and copy its con鍖guration to a new state when promoting. Pro: All terraform lives in one repo and has a single work鍖ow Con: Need to deploy two pieces, one for 鍖ux and one for terraform Solution 2: Use CrossPlane, TerraformController and similars to declare resources with YAML and inside the HelmChart or Flux. Pro: All service contained in K8s resources Con: Creates a different Terraform work鍖ow Cloud Database Staging Cluster TF Controller Terraform Repository Cloud Database Staging Cluster Secret
Challenge 6: di鍖erences between apps and runtime Apps Managed by Developer teams Scoped to a namespace Depend on Runtime Runtime Services Managed by Operations/Platform team Impact at cluster level May install CRDs Usually base dependencies of Apps We could say: The cluster is part of the Runtime where the apps run in. And the apps must be able to choose how the Runtime is con鍖gured.
The runtime paradox If we allow any app to con鍖gure the runtime however they need: every environment will be distinct (high complexity to administrate) App developers will be happy (they are given what they request) But, if we limit runtimes to speci鍖c con鍖gurations: Environments will be similar (low complexity to administrate) App developers will be unhappy as we cannot cover their needs
Meet me half way Closed menu Home-Made A menu with extras to choose from
Introducing, Kustomize Components Kustomize seems to struggle with applications that mix multiple, optional features on demand, affecting different aspects of a base con鍖guration. Components can be included from higher-level overlays to create variants of an application, with a subset of its features enabled. Find a full explanation here: https://github.com/kubernetes-sigs/kustomize/blob/master/examples/components.md Why Components and not Kustomize resources? Because Kustomize overlays do not support composition. Components solve this problem and allow reusing code in different stages
Building a component
Using components with runtime apps _base is the default main dish that is provided to everyone. Every runtime app requires having one. nodeport is an optional addon to add to the ingress-nginx runtime app. A pro鍖le then just becomes a combination of runtime apps and addons, tied for a speci鍖c usage: prod, QA, staging, etc.
So, how can we mix all this? Our aim is: 1. Automate creating an ENV as much as possible (no human interaction) 2. Give developers as much freedom as possible 3. Setup everything to make it as easy to promote as possible
Terraform Repository Creates vNet + K8s Cluster Flux CD Installs and sets a stage Git Repository Fetches env con鍖g Sets Cluster secrets and con鍖g Ingress Nginx CertManager ExternalDNS App1 AWS S3 Bucket
Now, do we need all this? Maybe not! Adding all this automation also adds complexity. It is not necessary to use all these tricks, and they should only be used when complexity becomes too hard to manage. Always aim to keep it as simple as possible for developers.
Where can I see this in action? https://github.com/Sturgelose/flux-structure-example
Ideas for Future Iterations Use CrossPlane or TerraformController to deploy cloud App Dependencies How to setup the CI to automatically promote everything? AIM: reduce human interaction to the minimum.

Recommended

CD in kubernetes using helm and ksonnet. Stas Kolenkin
CD in kubernetes using helm and ksonnet. Stas KolenkinCD in kubernetes using helm and ksonnet. Stas Kolenkin
CD in kubernetes using helm and ksonnet. Stas Kolenkin
DataArt
GDG Cloud Southlake #8 Steve Cravens: Infrastructure as-Code (IaC) in 2022: ...
GDG Cloud Southlake #8 Steve Cravens: Infrastructure as-Code (IaC) in 2022: ...GDG Cloud Southlake #8 Steve Cravens: Infrastructure as-Code (IaC) in 2022: ...
GDG Cloud Southlake #8 Steve Cravens: Infrastructure as-Code (IaC) in 2022: ...
James Anderson
prodops.io k8s presentation
prodops.io k8s presentationprodops.io k8s presentation
prodops.io k8s presentation
Prodops.io
Introduction to containers, k8s, Microservices & Cloud Native
Introduction to containers, k8s, Microservices & Cloud NativeIntroduction to containers, k8s, Microservices & Cloud Native
Introduction to containers, k8s, Microservices & Cloud Native
Terry Wang
Kubernetes Intro
Kubernetes IntroKubernetes Intro
Kubernetes Intro
Antonio Ojea Garcia
What is the Difference Between Kubernetes and Docker?
What is the Difference Between Kubernetes and Docker?What is the Difference Between Kubernetes and Docker?
What is the Difference Between Kubernetes and Docker?
Ravendra Singh
Developer Experience Cloud Native - Become Efficient and Achieve Parity
Developer Experience Cloud Native - Become Efficient and Achieve ParityDeveloper Experience Cloud Native - Become Efficient and Achieve Parity
Developer Experience Cloud Native - Become Efficient and Achieve Parity
Michael Hofmann
CI/CD Across Multiple Environments
CI/CD Across Multiple EnvironmentsCI/CD Across Multiple Environments
CI/CD Across Multiple Environments
Karl Isenberg
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
QAware GmbH
際際滷 DevSecOps Microservices
際際滷 DevSecOps Microservices 際際滷 DevSecOps Microservices
際際滷 DevSecOps Microservices
Hendri Karisma
OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...
OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...
OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...
NETWAYS
OpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar Neelamegam
OpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar NeelamegamOpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar Neelamegam
OpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar Neelamegam
OpenNebula Project
Meteor South Bay Meetup - Kubernetes & Google Container Engine
Meteor South Bay Meetup - Kubernetes & Google Container EngineMeteor South Bay Meetup - Kubernetes & Google Container Engine
Meteor South Bay Meetup - Kubernetes & Google Container Engine
Kit Merker
Ultimate Guide to Microservice Architecture on Kubernetes
Ultimate Guide to Microservice Architecture on KubernetesUltimate Guide to Microservice Architecture on Kubernetes
Ultimate Guide to Microservice Architecture on Kubernetes
kloia
Making Service Deployments to AWS a breeze with Nova
Making Service Deployments to AWS a breeze with NovaMaking Service Deployments to AWS a breeze with Nova
Making Service Deployments to AWS a breeze with Nova
Gregor Heine
Using Docker For Development
Using Docker For DevelopmentUsing Docker For Development
Using Docker For Development
Laura Frank Tacho
DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...
DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...
DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...
Haggai Philip Zagury
Mete Atamel "Resilient microservices with kubernetes"
Mete Atamel "Resilient microservices with kubernetes"Mete Atamel "Resilient microservices with kubernetes"
Mete Atamel "Resilient microservices with kubernetes"
IT Event
Docker Application to Scientific Computing
Docker Application to Scientific ComputingDocker Application to Scientific Computing
Docker Application to Scientific Computing
Peter Bryzgalov
Intro to Cloud Native _ v1.0en (2021/01)
Intro to Cloud Native _ v1.0en (2021/01)Intro to Cloud Native _ v1.0en (2021/01)
Intro to Cloud Native _ v1.0en (2021/01)
Young Suk Ahn Park
OpenStack with-docker-team-17
OpenStack with-docker-team-17OpenStack with-docker-team-17
OpenStack with-docker-team-17
Jaspreet Singh
GCP Meetup #3 - Approaches to Cloud Native Architectures
GCP Meetup #3 - Approaches to Cloud Native ArchitecturesGCP Meetup #3 - Approaches to Cloud Native Architectures
GCP Meetup #3 - Approaches to Cloud Native Architectures
nine
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
Kubernetes Application Deployment with Helm - A beginner Guide!
Kubernetes Application Deployment with Helm - A beginner Guide!Kubernetes Application Deployment with Helm - A beginner Guide!
Kubernetes Application Deployment with Helm - A beginner Guide!
Krishna-Kumar
Configuration Management and Transforming Legacy Applications in the Enterpri...
Configuration Management and Transforming Legacy Applications in the Enterpri...Configuration Management and Transforming Legacy Applications in the Enterpri...
Configuration Management and Transforming Legacy Applications in the Enterpri...
Docker, Inc.
Cloud Deployment Toolkit
Cloud Deployment ToolkitCloud Deployment Toolkit
Cloud Deployment Toolkit
Bret Piatt
Cloudfoundry Introduction
Cloudfoundry IntroductionCloudfoundry Introduction
Cloudfoundry Introduction
Yitao Jiang
Helm - Package Manager for Kubernetes
Helm - Package Manager for KubernetesHelm - Package Manager for Kubernetes
Helm - Package Manager for Kubernetes
Knoldus Inc.
Unlocking Engineering Excellence_ A Back-to-Basics Approach.pdf
Unlocking Engineering Excellence_ A Back-to-Basics Approach.pdfUnlocking Engineering Excellence_ A Back-to-Basics Approach.pdf
Unlocking Engineering Excellence_ A Back-to-Basics Approach.pdf
devopsbcnmeetup
Multi-cloud governance at scale talk.pdf
Multi-cloud governance at scale talk.pdfMulti-cloud governance at scale talk.pdf
Multi-cloud governance at scale talk.pdf
devopsbcnmeetup

More Related Content

Similar to How to Structure Your K8s GitOps Repository at Scale by Erik Berdonces - DevOpsBCN - October 2024 (20)

Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
QAware GmbH
際際滷 DevSecOps Microservices
際際滷 DevSecOps Microservices 際際滷 DevSecOps Microservices
際際滷 DevSecOps Microservices
Hendri Karisma
OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...
OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...
OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...
NETWAYS
OpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar Neelamegam
OpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar NeelamegamOpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar Neelamegam
OpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar Neelamegam
OpenNebula Project
Meteor South Bay Meetup - Kubernetes & Google Container Engine
Meteor South Bay Meetup - Kubernetes & Google Container EngineMeteor South Bay Meetup - Kubernetes & Google Container Engine
Meteor South Bay Meetup - Kubernetes & Google Container Engine
Kit Merker
Ultimate Guide to Microservice Architecture on Kubernetes
Ultimate Guide to Microservice Architecture on KubernetesUltimate Guide to Microservice Architecture on Kubernetes
Ultimate Guide to Microservice Architecture on Kubernetes
kloia
Making Service Deployments to AWS a breeze with Nova
Making Service Deployments to AWS a breeze with NovaMaking Service Deployments to AWS a breeze with Nova
Making Service Deployments to AWS a breeze with Nova
Gregor Heine
Using Docker For Development
Using Docker For DevelopmentUsing Docker For Development
Using Docker For Development
Laura Frank Tacho
DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...
DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...
DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...
Haggai Philip Zagury
Mete Atamel "Resilient microservices with kubernetes"
Mete Atamel "Resilient microservices with kubernetes"Mete Atamel "Resilient microservices with kubernetes"
Mete Atamel "Resilient microservices with kubernetes"
IT Event
Docker Application to Scientific Computing
Docker Application to Scientific ComputingDocker Application to Scientific Computing
Docker Application to Scientific Computing
Peter Bryzgalov
Intro to Cloud Native _ v1.0en (2021/01)
Intro to Cloud Native _ v1.0en (2021/01)Intro to Cloud Native _ v1.0en (2021/01)
Intro to Cloud Native _ v1.0en (2021/01)
Young Suk Ahn Park
OpenStack with-docker-team-17
OpenStack with-docker-team-17OpenStack with-docker-team-17
OpenStack with-docker-team-17
Jaspreet Singh
GCP Meetup #3 - Approaches to Cloud Native Architectures
GCP Meetup #3 - Approaches to Cloud Native ArchitecturesGCP Meetup #3 - Approaches to Cloud Native Architectures
GCP Meetup #3 - Approaches to Cloud Native Architectures
nine
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
Kubernetes Application Deployment with Helm - A beginner Guide!
Kubernetes Application Deployment with Helm - A beginner Guide!Kubernetes Application Deployment with Helm - A beginner Guide!
Kubernetes Application Deployment with Helm - A beginner Guide!
Krishna-Kumar
Configuration Management and Transforming Legacy Applications in the Enterpri...
Configuration Management and Transforming Legacy Applications in the Enterpri...Configuration Management and Transforming Legacy Applications in the Enterpri...
Configuration Management and Transforming Legacy Applications in the Enterpri...
Docker, Inc.
Cloud Deployment Toolkit
Cloud Deployment ToolkitCloud Deployment Toolkit
Cloud Deployment Toolkit
Bret Piatt
Cloudfoundry Introduction
Cloudfoundry IntroductionCloudfoundry Introduction
Cloudfoundry Introduction
Yitao Jiang
Helm - Package Manager for Kubernetes
Helm - Package Manager for KubernetesHelm - Package Manager for Kubernetes
Helm - Package Manager for Kubernetes
Knoldus Inc.
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
QAware GmbH
際際滷 DevSecOps Microservices
際際滷 DevSecOps Microservices 際際滷 DevSecOps Microservices
際際滷 DevSecOps Microservices
Hendri Karisma
OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...
OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...
OpenNebula Conf 2014 | Cloud Automation for OpenNebula by Kishorekumar Neelam...
NETWAYS
OpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar Neelamegam
OpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar NeelamegamOpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar Neelamegam
OpenNebulaConf 2014 - Cloud Automation for OpenNebula - Kishorekumar Neelamegam
OpenNebula Project
Meteor South Bay Meetup - Kubernetes & Google Container Engine
Meteor South Bay Meetup - Kubernetes & Google Container EngineMeteor South Bay Meetup - Kubernetes & Google Container Engine
Meteor South Bay Meetup - Kubernetes & Google Container Engine
Kit Merker
Ultimate Guide to Microservice Architecture on Kubernetes
Ultimate Guide to Microservice Architecture on KubernetesUltimate Guide to Microservice Architecture on Kubernetes
Ultimate Guide to Microservice Architecture on Kubernetes
kloia
Making Service Deployments to AWS a breeze with Nova
Making Service Deployments to AWS a breeze with NovaMaking Service Deployments to AWS a breeze with Nova
Making Service Deployments to AWS a breeze with Nova
Gregor Heine
Using Docker For Development
Using Docker For DevelopmentUsing Docker For Development
Using Docker For Development
Laura Frank Tacho
DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...
DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...
DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...
Haggai Philip Zagury
Mete Atamel "Resilient microservices with kubernetes"
Mete Atamel "Resilient microservices with kubernetes"Mete Atamel "Resilient microservices with kubernetes"
Mete Atamel "Resilient microservices with kubernetes"
IT Event
Docker Application to Scientific Computing
Docker Application to Scientific ComputingDocker Application to Scientific Computing
Docker Application to Scientific Computing
Peter Bryzgalov
Intro to Cloud Native _ v1.0en (2021/01)
Intro to Cloud Native _ v1.0en (2021/01)Intro to Cloud Native _ v1.0en (2021/01)
Intro to Cloud Native _ v1.0en (2021/01)
Young Suk Ahn Park
OpenStack with-docker-team-17
OpenStack with-docker-team-17OpenStack with-docker-team-17
OpenStack with-docker-team-17
Jaspreet Singh
GCP Meetup #3 - Approaches to Cloud Native Architectures
GCP Meetup #3 - Approaches to Cloud Native ArchitecturesGCP Meetup #3 - Approaches to Cloud Native Architectures
GCP Meetup #3 - Approaches to Cloud Native Architectures
nine
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
Kubernetes Application Deployment with Helm - A beginner Guide!
Kubernetes Application Deployment with Helm - A beginner Guide!Kubernetes Application Deployment with Helm - A beginner Guide!
Kubernetes Application Deployment with Helm - A beginner Guide!
Krishna-Kumar
Configuration Management and Transforming Legacy Applications in the Enterpri...
Configuration Management and Transforming Legacy Applications in the Enterpri...Configuration Management and Transforming Legacy Applications in the Enterpri...
Configuration Management and Transforming Legacy Applications in the Enterpri...
Docker, Inc.
Cloud Deployment Toolkit
Cloud Deployment ToolkitCloud Deployment Toolkit
Cloud Deployment Toolkit
Bret Piatt
Cloudfoundry Introduction
Cloudfoundry IntroductionCloudfoundry Introduction
Cloudfoundry Introduction
Yitao Jiang
Helm - Package Manager for Kubernetes
Helm - Package Manager for KubernetesHelm - Package Manager for Kubernetes
Helm - Package Manager for Kubernetes
Knoldus Inc.

More from devopsbcnmeetup (6)

Unlocking Engineering Excellence_ A Back-to-Basics Approach.pdf
Unlocking Engineering Excellence_ A Back-to-Basics Approach.pdfUnlocking Engineering Excellence_ A Back-to-Basics Approach.pdf
Unlocking Engineering Excellence_ A Back-to-Basics Approach.pdf
devopsbcnmeetup
Multi-cloud governance at scale talk.pdf
Multi-cloud governance at scale talk.pdfMulti-cloud governance at scale talk.pdf
Multi-cloud governance at scale talk.pdf
devopsbcnmeetup
Hiring from Both Sides of the Table by Fabio Scagliola - DevOpsBCN - October ...
Hiring from Both Sides of the Table by Fabio Scagliola - DevOpsBCN - October ...Hiring from Both Sides of the Table by Fabio Scagliola - DevOpsBCN - October ...
Hiring from Both Sides of the Table by Fabio Scagliola - DevOpsBCN - October ...
devopsbcnmeetup
Infrastructure Prowing Pains by David Poblador i Garcia - DevOpsBCN - March 2024
Infrastructure Prowing Pains by David Poblador i Garcia - DevOpsBCN - March 2024Infrastructure Prowing Pains by David Poblador i Garcia - DevOpsBCN - March 2024
Infrastructure Prowing Pains by David Poblador i Garcia - DevOpsBCN - March 2024
devopsbcnmeetup
Policy as Code by David Acacio - DevOps BCN - October 2023Policy as Code by David Acacio - DevOps BCN - October 2023
Policy as Code by David Acacio - DevOps BCN - October 2023
devopsbcnmeetup
A Modern DevOps Manifesto by David Casta単eda - DevOps BCN - October 2023
A Modern DevOps Manifesto by David Casta単eda - DevOps BCN - October 2023A Modern DevOps Manifesto by David Casta単eda - DevOps BCN - October 2023
A Modern DevOps Manifesto by David Casta単eda - DevOps BCN - October 2023
devopsbcnmeetup
Unlocking Engineering Excellence_ A Back-to-Basics Approach.pdf
Unlocking Engineering Excellence_ A Back-to-Basics Approach.pdfUnlocking Engineering Excellence_ A Back-to-Basics Approach.pdf
Unlocking Engineering Excellence_ A Back-to-Basics Approach.pdf
devopsbcnmeetup
Multi-cloud governance at scale talk.pdf
Multi-cloud governance at scale talk.pdfMulti-cloud governance at scale talk.pdf
Multi-cloud governance at scale talk.pdf
devopsbcnmeetup
Hiring from Both Sides of the Table by Fabio Scagliola - DevOpsBCN - October ...
Hiring from Both Sides of the Table by Fabio Scagliola - DevOpsBCN - October ...Hiring from Both Sides of the Table by Fabio Scagliola - DevOpsBCN - October ...
Hiring from Both Sides of the Table by Fabio Scagliola - DevOpsBCN - October ...
devopsbcnmeetup
Infrastructure Prowing Pains by David Poblador i Garcia - DevOpsBCN - March 2024
Infrastructure Prowing Pains by David Poblador i Garcia - DevOpsBCN - March 2024Infrastructure Prowing Pains by David Poblador i Garcia - DevOpsBCN - March 2024
Infrastructure Prowing Pains by David Poblador i Garcia - DevOpsBCN - March 2024
devopsbcnmeetup
Policy as Code by David Acacio - DevOps BCN - October 2023Policy as Code by David Acacio - DevOps BCN - October 2023
Policy as Code by David Acacio - DevOps BCN - October 2023
devopsbcnmeetup
A Modern DevOps Manifesto by David Casta単eda - DevOps BCN - October 2023
A Modern DevOps Manifesto by David Casta単eda - DevOps BCN - October 2023A Modern DevOps Manifesto by David Casta単eda - DevOps BCN - October 2023
A Modern DevOps Manifesto by David Casta単eda - DevOps BCN - October 2023
devopsbcnmeetup

Recently uploaded (20)

Lecture 16 - 17 - NonTraditional Machining Presentation.ppt
Lecture 16 - 17 - NonTraditional Machining Presentation.pptLecture 16 - 17 - NonTraditional Machining Presentation.ppt
Lecture 16 - 17 - NonTraditional Machining Presentation.ppt
INSTITUTE OF ENGINEERING /BKC
GRAPHS AND DISCONTINUITIES POWERPOINT.pptx
GRAPHS AND DISCONTINUITIES POWERPOINT.pptxGRAPHS AND DISCONTINUITIES POWERPOINT.pptx
GRAPHS AND DISCONTINUITIES POWERPOINT.pptx
ChrisPuyoc1
Hackathon-Problem-Statements-Technology-Track-with-Link.pptx
Hackathon-Problem-Statements-Technology-Track-with-Link.pptxHackathon-Problem-Statements-Technology-Track-with-Link.pptx
Hackathon-Problem-Statements-Technology-Track-with-Link.pptx
datahiverecruitment
Requirements Engineering for Secure Software
Requirements Engineering for Secure SoftwareRequirements Engineering for Secure Software
Requirements Engineering for Secure Software
Dr Sarika Jadhav
UHV UNIT-3 HARMONY IN THE FAMILY AND SOCIETY.pptx
UHV UNIT-3 HARMONY IN THE FAMILY AND SOCIETY.pptxUHV UNIT-3 HARMONY IN THE FAMILY AND SOCIETY.pptx
UHV UNIT-3 HARMONY IN THE FAMILY AND SOCIETY.pptx
ariomthermal2031
271094912XOULFHKBXRCVHBJKFG KMXCG HJKLMRTVBHNJMXRCVBHUINJ
271094912XOULFHKBXRCVHBJKFG KMXCG HJKLMRTVBHNJMXRCVBHUINJ271094912XOULFHKBXRCVHBJKFG KMXCG HJKLMRTVBHNJMXRCVBHUINJ
271094912XOULFHKBXRCVHBJKFG KMXCG HJKLMRTVBHNJMXRCVBHUINJ
QualityManager48
Airport Components Part1 ppt.pptx-Site layout,RUNWAY,TAXIWAY,TAXILANE
Airport Components Part1 ppt.pptx-Site layout,RUNWAY,TAXIWAY,TAXILANEAirport Components Part1 ppt.pptx-Site layout,RUNWAY,TAXIWAY,TAXILANE
Airport Components Part1 ppt.pptx-Site layout,RUNWAY,TAXIWAY,TAXILANE
Priyanka Dange
DBMS Nested & Sub Queries Set operations
DBMS Nested & Sub Queries Set operationsDBMS Nested & Sub Queries Set operations
DBMS Nested & Sub Queries Set operations
Sreedhar Chowdam
Unit-03 Cams and Followers in Mechanisms of Machines.pptx
Unit-03 Cams and Followers in Mechanisms of Machines.pptxUnit-03 Cams and Followers in Mechanisms of Machines.pptx
Unit-03 Cams and Followers in Mechanisms of Machines.pptx
Kirankumar Jagtap
Data+Management+Masterclasssdfsdfsdfsd.pdf
Data+Management+Masterclasssdfsdfsdfsd.pdfData+Management+Masterclasssdfsdfsdfsd.pdf
Data+Management+Masterclasssdfsdfsdfsd.pdf
Nguy畛n H畉i
LA2-64 -bit assemby language program to count number of positive and negative...
LA2-64 -bit assemby language program to count number of positive and negative...LA2-64 -bit assemby language program to count number of positive and negative...
LA2-64 -bit assemby language program to count number of positive and negative...
VidyaAshokNemade
Water Industry Process Automation & Control Monthly - April 2025
Water Industry Process Automation & Control Monthly - April 2025Water Industry Process Automation & Control Monthly - April 2025
Water Industry Process Automation & Control Monthly - April 2025
Water Industry Process Automation & Control
Telehealth technology A new horizon in health care
Telehealth technology A new horizon in health careTelehealth technology A new horizon in health care
Telehealth technology A new horizon in health care
Dr INBAMALAR T M
PLANT CELL REACTORS presenation PTC amity
PLANT CELL REACTORS presenation PTC amityPLANT CELL REACTORS presenation PTC amity
PLANT CELL REACTORS presenation PTC amity
UrjaMoon
02.BigDataAnalytics curso de Legsi (1).pdf
02.BigDataAnalytics curso de Legsi (1).pdf02.BigDataAnalytics curso de Legsi (1).pdf
02.BigDataAnalytics curso de Legsi (1).pdf
ruioliveira1921
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
ssuserb91a20
Call for Papers - 6th International Conference on Big Data and Machine Learni...
Call for Papers - 6th International Conference on Big Data and Machine Learni...Call for Papers - 6th International Conference on Big Data and Machine Learni...
Call for Papers - 6th International Conference on Big Data and Machine Learni...
IJDKP
UHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptx
UHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptxUHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptx
UHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptx
ariomthermal2031
Disruption channel in business model innovation topic
Disruption channel in business model innovation topicDisruption channel in business model innovation topic
Disruption channel in business model innovation topic
anandraj930873
CCNA_Product_OverviewCCNA_Productsa.pptx
CCNA_Product_OverviewCCNA_Productsa.pptxCCNA_Product_OverviewCCNA_Productsa.pptx
CCNA_Product_OverviewCCNA_Productsa.pptx
UdayakumarAllimuthu
Lecture 16 - 17 - NonTraditional Machining Presentation.ppt
Lecture 16 - 17 - NonTraditional Machining Presentation.pptLecture 16 - 17 - NonTraditional Machining Presentation.ppt
Lecture 16 - 17 - NonTraditional Machining Presentation.ppt
INSTITUTE OF ENGINEERING /BKC
GRAPHS AND DISCONTINUITIES POWERPOINT.pptx
GRAPHS AND DISCONTINUITIES POWERPOINT.pptxGRAPHS AND DISCONTINUITIES POWERPOINT.pptx
GRAPHS AND DISCONTINUITIES POWERPOINT.pptx
ChrisPuyoc1
Hackathon-Problem-Statements-Technology-Track-with-Link.pptx
Hackathon-Problem-Statements-Technology-Track-with-Link.pptxHackathon-Problem-Statements-Technology-Track-with-Link.pptx
Hackathon-Problem-Statements-Technology-Track-with-Link.pptx
datahiverecruitment
Requirements Engineering for Secure Software
Requirements Engineering for Secure SoftwareRequirements Engineering for Secure Software
Requirements Engineering for Secure Software
Dr Sarika Jadhav
UHV UNIT-3 HARMONY IN THE FAMILY AND SOCIETY.pptx
UHV UNIT-3 HARMONY IN THE FAMILY AND SOCIETY.pptxUHV UNIT-3 HARMONY IN THE FAMILY AND SOCIETY.pptx
UHV UNIT-3 HARMONY IN THE FAMILY AND SOCIETY.pptx
ariomthermal2031
271094912XOULFHKBXRCVHBJKFG KMXCG HJKLMRTVBHNJMXRCVBHUINJ
271094912XOULFHKBXRCVHBJKFG KMXCG HJKLMRTVBHNJMXRCVBHUINJ271094912XOULFHKBXRCVHBJKFG KMXCG HJKLMRTVBHNJMXRCVBHUINJ
271094912XOULFHKBXRCVHBJKFG KMXCG HJKLMRTVBHNJMXRCVBHUINJ
QualityManager48
Airport Components Part1 ppt.pptx-Site layout,RUNWAY,TAXIWAY,TAXILANE
Airport Components Part1 ppt.pptx-Site layout,RUNWAY,TAXIWAY,TAXILANEAirport Components Part1 ppt.pptx-Site layout,RUNWAY,TAXIWAY,TAXILANE
Airport Components Part1 ppt.pptx-Site layout,RUNWAY,TAXIWAY,TAXILANE
Priyanka Dange
DBMS Nested & Sub Queries Set operations
DBMS Nested & Sub Queries Set operationsDBMS Nested & Sub Queries Set operations
DBMS Nested & Sub Queries Set operations
Sreedhar Chowdam
Unit-03 Cams and Followers in Mechanisms of Machines.pptx
Unit-03 Cams and Followers in Mechanisms of Machines.pptxUnit-03 Cams and Followers in Mechanisms of Machines.pptx
Unit-03 Cams and Followers in Mechanisms of Machines.pptx
Kirankumar Jagtap
Data+Management+Masterclasssdfsdfsdfsd.pdf
Data+Management+Masterclasssdfsdfsdfsd.pdfData+Management+Masterclasssdfsdfsdfsd.pdf
Data+Management+Masterclasssdfsdfsdfsd.pdf
Nguy畛n H畉i
LA2-64 -bit assemby language program to count number of positive and negative...
LA2-64 -bit assemby language program to count number of positive and negative...LA2-64 -bit assemby language program to count number of positive and negative...
LA2-64 -bit assemby language program to count number of positive and negative...
VidyaAshokNemade
Water Industry Process Automation & Control Monthly - April 2025
Water Industry Process Automation & Control Monthly - April 2025Water Industry Process Automation & Control Monthly - April 2025
Water Industry Process Automation & Control Monthly - April 2025
Water Industry Process Automation & Control
Telehealth technology A new horizon in health care
Telehealth technology A new horizon in health careTelehealth technology A new horizon in health care
Telehealth technology A new horizon in health care
Dr INBAMALAR T M
PLANT CELL REACTORS presenation PTC amity
PLANT CELL REACTORS presenation PTC amityPLANT CELL REACTORS presenation PTC amity
PLANT CELL REACTORS presenation PTC amity
UrjaMoon
02.BigDataAnalytics curso de Legsi (1).pdf
02.BigDataAnalytics curso de Legsi (1).pdf02.BigDataAnalytics curso de Legsi (1).pdf
02.BigDataAnalytics curso de Legsi (1).pdf
ruioliveira1921
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
ssuserb91a20
Call for Papers - 6th International Conference on Big Data and Machine Learni...
Call for Papers - 6th International Conference on Big Data and Machine Learni...Call for Papers - 6th International Conference on Big Data and Machine Learni...
Call for Papers - 6th International Conference on Big Data and Machine Learni...
IJDKP
UHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptx
UHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptxUHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptx
UHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptx
ariomthermal2031
Disruption channel in business model innovation topic
Disruption channel in business model innovation topicDisruption channel in business model innovation topic
Disruption channel in business model innovation topic
anandraj930873
CCNA_Product_OverviewCCNA_Productsa.pptx
CCNA_Product_OverviewCCNA_Productsa.pptxCCNA_Product_OverviewCCNA_Productsa.pptx
CCNA_Product_OverviewCCNA_Productsa.pptx
UdayakumarAllimuthu

How to Structure Your K8s GitOps Repository at Scale by Erik Berdonces - DevOpsBCN - October 2024

  • 1. How to Structure Your K8s GitOps Repository at Scale Taming the GitOps complexity (when possible)
  • 2. A bit about me Erik Berdonces Bonelo TechLead and Senior DevOps Engineer @ Midokura @sturgelose in all social networks
  • 3. Glossary Environment: A K8s cluster and all the cloud resources needed for the cluster and services running in them. It must be reproducible and declared as IaC. Pro鍖le: A set of Environments with the same aim and similar con鍖guration IaC (Infrastructure as Code): ability to provision and support your computing infrastructure using code instead of manual processes and settings. Tenant: a user consuming the K8s platform to deploy an app App: any service installed on top of Kubernetes. They can be either part of the Platform (to provide runtime/services to other apps) or part of the Product (provide value to the 鍖nal user)
  • 4. GitOps GitOps is an operational framework that takes DevOps best practices used for application development such as version control, collaboration, compliance, and CI/CD, and applies them to infrastructure automation. TLDR; Deploy infrastructure via IaC using CI/CD and PRs using Git as con鍖g storage. Do not trust humans by doing changes manually and make everything declarative.
  • 5. Prod Cluster Staging Cluster Git is used as the source of con鍖guration for all ENVs Staging Cluster Prod Cluster Chart v2 Values v2 Secrets v2 Terraform v2 Chart v1 Values v1 Secrets v1 Terraform v1 Git Repository Cloud Resources Cloud Resources /staging/app1 /production/app1
  • 6. Staging Cluster Cloud Resources Staging Cluster Chart v1 Values v1 Secrets v1 Terraform v1 Easy to: Replicate Rollback Track changes (who and when) See whats in the env without connecting to the cluster or cloud. Reconcile to a known state just checking in a Git repository.
  • 7. Which kinds of infra IaaC tooling do exist? For Cloud infrastructure: Terraform/TerraGrunt Pulumi Ansible CloudFormation (AWS) / Azure ARM For K8s resources: YAML 鍖les Kustomize Helm FluxCD/ArgoCD Hybrid: Crossplane terraform-controller (FluxCD)
  • 9. Intro to FluxCD Chart v1 Values v1 Secrets v1
  • 11. When we will use each? Terraform To setup the K8s cluster and any Cloud resource FluxCD + Helm + Kustomize To deploy resources inside a K8s Cluster Why this choice? For an environment to be reproducible, we need to declare the cluster itself as a code. FluxCD and Helm require a k8s cluster to run, and to avoid this chicken-and-egg problem we need Terraform. Terraform K8s and Nodes FluxCD App
  • 12. Roles in our MultiTenant Environments Platform Team Sets up the K8s cluster Administrates nodes and bindings between cluster and Cloud Provides shared dependencies to developers Developer Team(s) Develops an app Deploys an app version in a given Env with some con鍖guration May deploy Cloud resources to be consumed by their app
  • 13. In a Nutshell Staging Cluster Prod Cluster Chart v2 Values v2 Secrets v2 Chart v1 Values v1 Secrets v1 Promote! Chart v2 Values v2 Secrets v2
  • 14. Challenges Secrets and Con鍖g differs between envs: we cant promote everything! Handling Apps that are only deployed to certain Environments Keeping my GitOps structure DRY
  • 15. Challenge 1: How could I structure my Git Repo? Lets start simple: how do I structure a simple App? Chart Config (values.yaml) Encrypted Secrets + + SOPS (or similar tools) can be used to store encrypted secrets in a Git Repository securely Other K8s resources CRD instances
  • 16. Case: One Env, One App app/ helm.yaml con鍖g.yaml secrets.yaml.encrypted
  • 17. Challenge 2: Can I promote everything? No! Secrets will differ between environments Will you use the same secrets in staging and prod? No! Solution: get rid of secrets with Workload Identity for Azure, AWS, GCloud, using roles instead of secrets. Con鍖guration might change values between environments Resource allocations, annotations and optimizations will differ between Staging and Production environments. New con鍖g can be tied to speci鍖c versions of a chart, which makes it more challenging.
  • 18. Promoting is more complex Staging Cluster Prod Cluster Chart v2 Values v2 Chart v1 Values v1 Staging Values Secrets Prod Values Secrets Chart v2 Values v2 This requires identifying and managing in different ways con鍖guration that can be promoted vs the one that cant be promoted!
  • 19. Case: Multiple distinct envs, One App envs/ prod/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted staging/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted Copy the files to promote This is more complex than before: Some 鍖les are duplicated (not DRY) Promoting means moving 鍖les between folders Envs can drift away easily Developers need to classify in which con鍖g 鍖le sort changes but still somehow manageable Using different branches for different envs doesnt provide value as we cant merge a branch to another without overriding env-con鍖g or secrets.
  • 20. Challenge 3: Even more Environments Staging Cluster Prod EU Cluster Chart v2 Values v2 Chart v1 Values v1 Staging Values Secrets Prod EU Values Secrets Prod US Cluster Prod US Values Secrets Similar Chart v2 Values v2
  • 21. Case: Multiple similar envs, One App envs/ prod-eu/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted prod-us/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted staging/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted A change to all prod envs requires multiple changes Automating this gets more complex (how to track which env is in which stage?) Less DRY but still somehow manageable
  • 22. Case: Multiple similar envs, One App stages/ prod/ helm.yaml app-con鍖g.yaml staging/ helm.yaml app-con鍖g.yaml envs/ prod-eu/ env-con鍖g.yaml secrets.yaml.encrypted (extends ../../stages/prod) prod-us/ env-con鍖g.yaml secrets.yaml.encrypted (extends ../../stages/prod) staging/ env-con鍖g.yaml secrets.yaml.encrypted (extends ../../stages/staging) Alternatively we can use Kustomization to make it DRYer: prod-eu and prod-us envs inherit from prod stage staging env inherts from staging stage Pros All envs of a stage are forced to be similar Promotions look much easier Creating a new ENV could be automatized Cons Promotions are more dangerous: one change in the stage affects all clusters env-con鍖g and app-con鍖g live in different folders, making it complex for developers to map them.
  • 23. Challenge 4: How do I promote multiple apps? Staging Cluster Prod Cluster Chart v2 Values v2 Chart v1 Values v1 Staging Values Secrets Prod Values Secrets Chart v2 Values v2 Chart v1 Values v1 Staging Values Secrets Prod Values Secrets
  • 24. Types of app relationships Bounded apps Apps are deployed together and as they depend to each other in some con鍖guration. envs/ prod/ app1-env-con鍖g.yaml app1-helm.yaml app1-app-con鍖g.yaml app1-secrets.yaml.encrypted app2-env-con鍖g.yaml app2-helm.yaml app2-app-con鍖g.yaml app2-secrets.yaml.encrypted staging/ app1-env-con鍖g.yaml app1-helm.yaml app1-app-con鍖g.yaml app1-secrets.yaml.encrypted app2-env-con鍖g.yaml app2-helm.yaml app2-app-con鍖g.yaml app2-secrets.yaml.encrypted envs/ app1/ prod/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted staging/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted app2/ prod/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted staging/ env-con鍖g.yaml helm.yaml app-con鍖g.yaml secrets.yaml.encrypted Apps have distinct lifecycle (independent)
  • 25. To aggregate multiple apps We can use a Kustomization 鍖le to aggregate the different sources for this env
  • 26. Challenge 5: Declaring Cloud resources Solution 1: Create a Terraform state, independent from 鍖ux and copy its con鍖guration to a new state when promoting. Pro: All terraform lives in one repo and has a single work鍖ow Con: Need to deploy two pieces, one for 鍖ux and one for terraform Solution 2: Use CrossPlane, TerraformController and similars to declare resources with YAML and inside the HelmChart or Flux. Pro: All service contained in K8s resources Con: Creates a different Terraform work鍖ow Cloud Database Staging Cluster TF Controller Terraform Repository Cloud Database Staging Cluster Secret
  • 27. Challenge 6: di鍖erences between apps and runtime Apps Managed by Developer teams Scoped to a namespace Depend on Runtime Runtime Services Managed by Operations/Platform team Impact at cluster level May install CRDs Usually base dependencies of Apps We could say: The cluster is part of the Runtime where the apps run in. And the apps must be able to choose how the Runtime is con鍖gured.
  • 28. The runtime paradox If we allow any app to con鍖gure the runtime however they need: every environment will be distinct (high complexity to administrate) App developers will be happy (they are given what they request) But, if we limit runtimes to speci鍖c con鍖gurations: Environments will be similar (low complexity to administrate) App developers will be unhappy as we cannot cover their needs
  • 29. Meet me half way Closed menu Home-Made A menu with extras to choose from
  • 30. Introducing, Kustomize Components Kustomize seems to struggle with applications that mix multiple, optional features on demand, affecting different aspects of a base con鍖guration. Components can be included from higher-level overlays to create variants of an application, with a subset of its features enabled. Find a full explanation here: https://github.com/kubernetes-sigs/kustomize/blob/master/examples/components.md Why Components and not Kustomize resources? Because Kustomize overlays do not support composition. Components solve this problem and allow reusing code in different stages
  • 32. Using components with runtime apps _base is the default main dish that is provided to everyone. Every runtime app requires having one. nodeport is an optional addon to add to the ingress-nginx runtime app. A pro鍖le then just becomes a combination of runtime apps and addons, tied for a speci鍖c usage: prod, QA, staging, etc.
  • 33. So, how can we mix all this? Our aim is: 1. Automate creating an ENV as much as possible (no human interaction) 2. Give developers as much freedom as possible 3. Setup everything to make it as easy to promote as possible
  • 34. Terraform Repository Creates vNet + K8s Cluster Flux CD Installs and sets a stage Git Repository Fetches env con鍖g Sets Cluster secrets and con鍖g Ingress Nginx CertManager ExternalDNS App1 AWS S3 Bucket
  • 35. Now, do we need all this? Maybe not! Adding all this automation also adds complexity. It is not necessary to use all these tricks, and they should only be used when complexity becomes too hard to manage. Always aim to keep it as simple as possible for developers.
  • 36. Where can I see this in action? https://github.com/Sturgelose/flux-structure-example
  • 37. Ideas for Future Iterations Use CrossPlane or TerraformController to deploy cloud App Dependencies How to setup the CI to automatically promote everything? AIM: reduce human interaction to the minimum.
AboutCopyright
息 2025 際際滷