SDD 0019 - GitOps

Author

Simon Rüegg

Owner

Reviewers (SIG)

Date

2019-11-20

Status

implemented

Summary

This defines how we use GitOps to bring configuration to a cluster. It includes the used tools and how to configure them.

Motivation

GitOps has many advantages and we decided early on that we want to leverage them to manage Kubernetes clusters. Currently two main tools exist to implement GitOps: Flux from WeaveWorks and Argo CD from the Argo project. This design document describes which tool we will use and how to do so.

Goals

Define how to use Argo CD and how to configure it.

Non-Goals

Access to the Argo CD UI from outside the cluster (for example, other than port-forward)

Design Proposal

Argo CD is installed in every SYN managed cluster and implements GitOps config management. Each Commodore component will be mapped to an Argo CD Application. One App of Apps (for example, umbrella App) will combine all components which need to be installed on a cluster.

Bootstrapping

Steward will bootstrap a basic installation of Argo CD. It will generate an SSH private key to be used to access the cluster’s catalog repo. Additionally a password will be generated to be used by the Argo CD admin account.

Configuration of Argo CD

Argo CD will configure itself via the regular Commodore configuration management. Only during bootstrapping will Steward generate a basic configuration to connect Argo CD to the cluster’s catalog repository.

We won’t use the authentication part (Dex) of Argo CD, as the admin user is sufficient for the time being.

App of Apps

The App of Apps pattern creates an umbrella App which only creates other Apps. This root App will be generated by Commodore and ultimately controls which components get installed on a cluster. This means a component could end up in a cluster’s catalog repo but isn’t installed because it’s not included in the root App. We could leverage this to disable certain components for example on local development environments.

Drawbacks

The higher complexity of Argo CD leads to a more complex setup overall. Some of the features of Argo CD aren’t (yet) required. Additionally the concept of applications adds some overhead to Commodore as these need to be generated as seamless as possible.

Alternatives

An alternative to Argo CD is flux as it implements the same basic idea of GitOps. An early proof of concept was implemented using flux. While it provides an easier UX, it also lacks some features which make Argo CD a better fit. To mention some of them:

Sync policy per application
UI to show current state
Comprehensive metrics
Supports multiple control repos
Full RBAC control

Also with this announcement of Argo CD and flux joining forces both tools will merge into one in the foreseeable future.

References

Introduction to GitOps with OpenShift - blog.openshift.com/introduction-to-gitops-with-openshift/
GitOps - www.weave.works/technologies/gitops/
Argo CD & Flux joining forces - www.weave.works/blog/argo-flux-join-forces