2018 12 11 Kubecon Gitops Tutorial

1. Hands-on Gitops. Weaveworks – https://weave.works – @weaveworks. Kubecon Seattle – December 2018. Brice Fernandes – brice@weave.works – @fractallambda
2. Hi, I’m Brice. I work for Weaveworks as a customer success engineer. You can find Weaveworks at https://www.weave.works or @weaveworks. The team at Weaveworks is behind the GitOps model. You can find me online at @fractallambda and email me at brice@weave.works.
3. Everything available at tinyurl.com/gitops-tutorial
4. What is Gitops?
5. GitOps is...
    - An operation model
    - Derived from CS and operation knowledge
    - Technology agnostic (name notwithstanding)
    - A set of principles (Why instead of How)
    - A way to speed up your team
6. The principles:
    1. The entire system is described declaratively.
    2. The canonical desired system state is versioned (with Git).
    3. Approved changes to the desired state are automatically applied to the system.
    4. Software agents ensure correctness and alert on divergence.
8. Principle 1: The entire system is described declaratively.
    - Beyond code, data ⇒ Implementation independent
    - Easy to abstract in simple ways
    - Easy to validate for correctness
    - Easy to generate & manipulate from code
11. How is that different from Infrastructure as code? It’s about consistency in the failure case.
12. When imperative systems fail, the system ends up in an unknown, inconsistent state.
13. Declarative changes let you think of changes as transactions.
14. This is a very good thing.
16. Principle 2: The canonical desired system state is versioned (with Git).
    - Canonical Source of Truth (DRY)
    - With declarative definition, trivialises rollbacks
    - Excellent security guarantees for auditing
    - Sophisticated approval processes (& existing workflows)
    - Great Software ↔ Human collaboration point
17. Principle 3: Changes to the desired state are automatically applied to the system.
18. Principle 3: Approved changes to the desired state are automatically applied to the system.
    - Significant velocity gains
    - Privileged operators don’t cross security boundaries
    - Separates What and How.
20. Principle 4: Software agents ensure correctness and alert on divergence.
    - Continuously checking that desired state is met
    - System can self heal
    - Recovers from errors without intervention (PEBKAC)
    - It’s the control loop for your operations
21. The principles:
    1. The entire system is described declaratively.
    2. The canonical desired system state is versioned (with Git).
    3. Approved changes to the desired state are automatically applied to the system.
    4. Software agents ensure correctness and alert on divergence.
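Principle 4 as an added sketch (not code from the talk or from any Weaveworks tool): one pass of a control loop that compares the desired state read from Git with the observed state, alerts on each divergence, and converges the system. The resource names and specs are constructed, and `fingerprint`, `diff_state` and `reconcile` are hypothetical helpers.

```python
# Added example: one pass of a GitOps-style reconciliation loop.
# All resource names and specs below are constructed sample data.
import copy
import hashlib
import json

def fingerprint(spec):
    """Hash a declarative spec so comparison ignores key order."""
    canonical = json.dumps(spec, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_state(desired, observed):
    """Return {resource: reason} for everything that diverges from Git."""
    drift = {}
    for name, spec in desired.items():
        if name not in observed:
            drift[name] = "missing"
        elif fingerprint(spec) != fingerprint(observed[name]):
            drift[name] = "modified"
    for name in observed.keys() - desired.keys():
        drift[name] = "unmanaged"  # exists in the system, not in Git
    return drift

def reconcile(desired, observed, alert):
    """Alert on each divergence, then converge observed onto desired."""
    drift = diff_state(desired, observed)
    for name, reason in sorted(drift.items()):
        alert(f"divergence: {name} is {reason}")
        if reason == "unmanaged":
            del observed[name]  # assumption: this sketch prunes extras
        else:
            observed[name] = copy.deepcopy(desired[name])
    return drift

# Desired state as it would be read from the Git checkout (constructed).
DESIRED = {
    "deployment/web": {"image": "web:1.4.2", "replicas": 3},
    "service/web": {"port": 80},
}

def demo():
    """Simulate out-of-band changes and let the loop repair them."""
    observed = {
        "deployment/web": {"replicas": 5, "image": "web:1.4.2"},  # hand-scaled
        "deployment/debug": {"image": "shell:latest"},            # not in Git
    }
    alerts = []
    first = reconcile(DESIRED, observed, alerts.append)
    second = reconcile(DESIRED, observed, alerts.append)  # now a no-op
    return first, second, observed, alerts
```

The second pass returns an empty drift map, which is the property that makes the loop safe to run continuously.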
22. Typical CICD pipeline: Shares credentials across several logical security boundaries. [Diagram: Dev, Code Repo, CI, Container Registry and Cluster API, split by the Continuous Integration and Continuous Delivery/Deployment boundaries, with the credentials each component holds and its read-only (RO) or read-write (RW) access.]
23. GitOps pipeline: Credentials are never shared across a logical security boundary. [Diagram, built up over slides 23 to 26: Dev, Code Repo, CI, Container Registry, Deploy, Operator, Config Repo and Cluster API, with the credentials each component holds and its read-only (RO) or read-write (RW) access.]
27. Gitops is Functional Reactive Programming... for your infrastructure. Like React, but for servers and applications.
28. What should be GitOps’ed?
31. What should be GitOps’ed:
    - Kubernetes Manifests
    - Application configuration
    - Provisioning scripts
    - Dashboards
    - Alerts
    - Playbook
    - Application checklists
    - Recording Rules
    - Sealed Secrets
36. Gitops Hands-on
37. Everything available at tinyurl.com/gitops-tutorial
39. Weave Cloud
45. Questions? 45 day trial. Weaveworks: https://weave.works, @weaveworks, @fractallambda, brice@weave.works, go.weave.works/extended, tinyurl.com/gitops-tutorial