Gitops application practice series – Overview


Hello, I’m Zhang Jintao.

This is the first in a series of articles on GitOps application practice.

What is GitOps

First, let's look at what GitOps is:

GitOps was first proposed by Weaveworks in 2017. It is a way of managing Kubernetes clusters and delivering applications. GitOps uses Git as the single source of truth for declarative infrastructure and applications. The core idea is to have a Git repository that contains a declarative description of the infrastructure currently required in the target environment, plus an automated process that makes the target environment match the state described in the repository. With GitOps, you can alert on any difference between the Git repository and what is running in the cluster; when a difference is found, Kubernetes reconcilers automatically update or roll back the cluster as appropriate. With Git at the center of the pipeline, developers can open pull requests with the tools they already know, which accelerates and simplifies application deployment and operations on Kubernetes.

GitOps caused quite a stir on Twitter and at KubeCon.


A word on Weaveworks, the company behind GitOps: it provides developers with what it describes as the most efficient way to connect, observe and control Docker containers. On its website we can find the principles and patterns of the GitOps workflow, how it runs Kubernetes at scale in production, and the differences and best practices between GitOps and infrastructure-as-code (IaC) configuration management tools.…

Kelsey Hightower, one of the founders of k8s, once tweeted that GitOps is versioned CI/CD on top of declarative infrastructure: stop scripting and start (automated) distribution.

How does GitOps work?

Configuring the environment as a Git repository

GitOps organizes deployment around the repository. We need at least two repositories: the application repository and the environment configuration repository. The application repository contains the application's source code and the manifests used to deploy it. The environment configuration repository contains all deployment manifests for the infrastructure currently required by the deployment environment: it describes which applications and infrastructure services (message broker, service mesh, monitoring tools, etc.) should run in the environment, and in which configuration and version.

Push-based and pull-based deployment

The difference between the two deployment types is how they ensure that the deployment environment matches the required infrastructure. The pull-based approach is recommended here: it is more secure, and there are many existing best practices to draw on.

Pull-based deployment

The traditional CI/CD pipeline is triggered by external events, such as new code being pushed to the application repository.

The pull-based deployment method introduces an operator. It takes over the role of the pipeline by constantly comparing the desired state in the environment configuration repository with the actual state in the deployment environment. When it finds a difference, the operator updates the state in the deployment environment to match the environment configuration repository. It can also watch the image registry for new image versions to deploy.


The pull-based model not only updates the environment when the environment configuration repository changes; the operator also restores the desired state when the actual environment diverges from the environment configuration repository.

This ensures that every change can be traced in the Git log, because nobody is allowed to make direct changes to the cluster.

Monitoring in this model therefore focuses on the operator and the components it depends on (for example, whether images can be pulled from the image registry normally).

To avoid the "god mode" permission problem of push-based scenarios, the operator should always run in the same environment or cluster as the application it deploys. (Kubernetes RBAC: Kubernetes has supported role-based access control (RBAC) since 1.6. Cluster administrators can control precisely which resources users or service accounts may access. In RBAC, permissions are attached to roles, and users obtain those permissions by being bound to the appropriate roles.)
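The compare-and-restore loop described above, as an added example that is not part of the original post and not the code of any real operator: a Python simulation in which the environment configuration repository and the cluster are both modelled as constructed dicts keyed "namespace/Kind/name". It assumes the operator holds an RBAC Role only in its own namespace, so drift in another namespace is reported rather than acted on; a real operator would read Git and the Kubernetes API instead, but the comparison logic is the same.

```python
"""Toy pull-based GitOps operator: added example, not code from the original
post or from any GitOps tool. Desired state stands in for the environment
configuration repository, actual state for the cluster; both are constructed
dicts keyed "namespace/Kind/name"."""
import copy

# Constructed sample: what the environment configuration repository declares.
DESIRED_STATE = {
    "shop/Deployment/web": {"image": "registry.example/web:1.4.0", "replicas": 3},
    "shop/Service/web": {"port": 80},
    "shop/Deployment/worker": {"image": "registry.example/worker:2.1.0", "replicas": 2},
    "ops/Deployment/monitor": {"image": "registry.example/monitor:0.9", "replicas": 2},
}

# Constructed sample: what is actually running. "web" was edited by hand in
# the cluster, "worker" is missing, "debug" was created directly with kubectl,
# and "monitor" drifted in a namespace this operator has no rights in.
ACTUAL_STATE = {
    "shop/Deployment/web": {"image": "registry.example/web:1.3.9", "replicas": 5},
    "shop/Service/web": {"port": 80},
    "shop/Deployment/debug": {"image": "registry.example/debug:latest", "replicas": 1},
    "ops/Deployment/monitor": {"image": "registry.example/monitor:0.9", "replicas": 1},
}


def detect_drift(desired, actual):
    """Return every difference as (key, action, desired_spec, actual_spec).

    action is "create" (declared in Git, absent from the cluster), "delete"
    (present in the cluster, not declared in Git) or "update" (spec differs).
    Drift caused by a Git commit and drift caused by a manual cluster change
    look identical here: the operator moves both towards what Git says.
    """
    drift = []
    for key in sorted(set(desired) | set(actual)):
        want, have = desired.get(key), actual.get(key)
        if want is None:
            drift.append((key, "delete", None, have))
        elif have is None:
            drift.append((key, "create", want, None))
        elif want != have:
            drift.append((key, "update", want, have))
    return drift


def reconcile(desired, actual, operator_namespace):
    """Run one reconciliation pass; return (new_actual, applied, skipped).

    The operator is assumed to hold an RBAC Role only in operator_namespace,
    so drift in other namespaces is reported as skipped and left to the
    operator that owns that namespace. The input dict is not modified.
    """
    cluster = copy.deepcopy(actual)
    applied, skipped = [], []
    for key, action, want, _have in detect_drift(desired, cluster):
        namespace = key.split("/", 1)[0]
        if namespace != operator_namespace:
            skipped.append((key, action))
            continue
        if action == "delete":
            del cluster[key]
        else:
            cluster[key] = copy.deepcopy(want)
        applied.append((key, action))
    return cluster, applied, skipped


if __name__ == "__main__":
    cluster, applied, skipped = reconcile(DESIRED_STATE, ACTUAL_STATE, "shop")
    for key, action in applied:
        print(f"applied {action:6} {key}")
    for key, action in skipped:
        print(f"skipped {action:6} {key} (outside operator namespace)")
    # A second pass must find nothing left to do in the operator's namespace.
    print("remaining drift:", [k for k, *_ in detect_drift(DESIRED_STATE, cluster)])
```

The "skipped" list is the monitoring signal the text mentions: drift the operator cannot fix is exactly what should raise an alert, while everything in `applied` is recorded in the Git history that produced the desired state.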

Push-based deployment

Push-based deployment strategies can be implemented with popular CI/CD tools such as Jenkins, CircleCI or Travis CI. The application source code lives in the application repository together with the Kubernetes YAML the application needs. Whenever the application code is updated, it triggers the build pipeline, which builds the container image and finally updates the environment configuration repository with the new deployment manifest.

You can also store YAML templates in the application repository; when a new version is built, the templates are used to generate the YAML in the environment configuration repository.


Changes to the environment configuration repository trigger the deployment pipeline, which applies all manifests in the repository to the infrastructure. This requires closer attention to how deployment permissions are separated and controlled. At the same time, this method cannot by itself notice drift between the environment and its desired state; additional monitoring and alerting is needed to ensure the environment stays consistent with what the environment repository describes.

Complex application environment

For most applications, using only one application repository and one environment configuration repository is unrealistic. GitOps can handle that too: set up multiple build pipelines that update the environment configuration repository, then, as in the two processes described above, automate the GitOps workflow that deploys the application.


Separate branches in the environment configuration repository are used to manage multiple environments. Either an operator or a build pipeline can then automate the GitOps workflow that deploys the application.


1. GitOps can also be considered for environments that do not use k8s (at present, most pull-based GitOps implementations run on Kubernetes).

2. Secrets: never store passwords in plain text in Git! The k8s ecosystem has tools that support encrypting them (for example Vault).

3. Dev, QA and prod environments cannot be handled directly with GitOps; a CI/CD pipeline can be introduced to manage the environments.

4. DevOps does not conflict with GitOps. DevOps is about cultural change in the organization so that developers and operators cooperate better; GitOps is a technique for continuous delivery. An organization that has already adopted DevOps may find it easier to adopt GitOps.
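One way to enforce point 2 before a manifest reaches the environment configuration repository, as an added example that is not from the original post and not any particular tool's code: a pre-commit or CI gate that scans Kubernetes manifests for plain-text secrets. It handles YAML line by line so it needs no third-party parser, which also makes it a heuristic rather than a full parser. The manifests are constructed samples; `SealedSecret` and `ExternalSecret` are assumed names for objects that carry only encrypted or referenced secret material, and the placeholder prefixes are an assumption about how the deploy step templates values in.

```python
"""Plain-text secret gate for the environment configuration repository: added
example, not code from the original post. Scans multi-document Kubernetes
YAML line by line (a heuristic, not a full YAML parser)."""
import re

# Kinds that carry only encrypted or referenced secret material (assumed names).
ENCRYPTED_KINDS = {"SealedSecret", "ExternalSecret"}

# Keys whose literal values look like credentials, wherever they appear.
CREDENTIAL_KEY = re.compile(
    r"^\s*-?\s*(password|passwd|token|api[_-]?key|secret[_-]?key)\s*:\s*(\S.*)$",
    re.IGNORECASE,
)
# Values that are placeholders filled in at deploy time rather than literals
# (assumed templating conventions).
PLACEHOLDER_PREFIXES = ("${", "{{", "<")

# Constructed sample file: one plain Secret, one sealed one, a ConfigMap that
# smuggles a key, and a Deployment that correctly references a Secret.
SAMPLE_MANIFESTS = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  password: aHVudGVyMg==
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
spec:
  encryptedData:
    password: AgBy3i4OJSWK-constructed-ciphertext
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  api_key: sk-constructed-not-a-real-key
  log_level: info
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  template:
    spec:
      containers:
        - name: web
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: password
"""


def split_documents(text):
    """Split a multi-document YAML file on '---' separator lines."""
    return [doc for doc in re.split(r"^---\s*$", text, flags=re.MULTILINE) if doc.strip()]


def document_kind(doc):
    match = re.search(r"^kind:\s*(\S+)", doc, re.MULTILINE)
    return match.group(1) if match else None


def find_plaintext_secrets(text):
    """Return (document_index, kind, reason) for every finding.

    A plain Secret with data/stringData is flagged even though data is
    base64: that is encoding, not encryption, and anyone with read access
    to the repository can recover the value.
    """
    findings = []
    for index, doc in enumerate(split_documents(text), start=1):
        kind = document_kind(doc)
        if kind == "Secret":
            if re.search(r"^(data|stringData):", doc, re.MULTILINE):
                findings.append((index, kind, "plain Secret with data/stringData"))
            continue
        if kind in ENCRYPTED_KINDS:
            continue  # ciphertext or a reference, nothing to recover from Git
        for line in doc.splitlines():
            match = CREDENTIAL_KEY.match(line)
            if match and not match.group(2).strip().startswith(PLACEHOLDER_PREFIXES):
                findings.append((index, kind, f"literal credential under key {match.group(1)!r}"))
    return findings


if __name__ == "__main__":
    import sys
    results = find_plaintext_secrets(SAMPLE_MANIFESTS)
    for index, kind, reason in results:
        print(f"document {index} ({kind}): {reason}")
    # A non-zero exit makes a CI job or pre-commit hook block the commit.
    sys.exit(1 if results else 0)
```

Run against the sample, the gate flags the plain Secret and the ConfigMap but accepts the SealedSecret and the Deployment, which only references a Secret by name; the reference pattern is what manifests in the environment configuration repository should use.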

Welcome to subscribe to my official account [MoeLove].
