GitOps and Kubernetes: Continuous Deployment with Argo CD, Jenkins X, and Flux PDF

346 Pages·2021·12.637 MB·English

Preview GitOps and Kubernetes: Continuous Deployment with Argo CD, Jenkins X, and Flux

GitOps and Kubernetes
Continuous Deployment with Argo CD, Jenkins X, and Flux
Billy Yuen, Alexander Matyushentsev, Todd Ekenstam, and Jesse Suen
MANNING, Shelter Island

[Inside-cover diagram: chapter roadmap grouping Chapters 1-11 under Part 1: Background, Part 2: Patterns and processes, and Part 3: Tools]

For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact Special Sales Department, Manning Publications Co., 20 Baldwin Road, PO Box 761, Shelter Island, NY 11964. Email: [email protected]

©2021 by Manning Publications Co. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.

Recognizing the importance of preserving what has been written, it is Manning’s policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.

Development editor: Dustin Archibald
Technical development editor: Al Krinker
Review editor: Aleks Dragosavljević
Production editor: Deirdre S. Hiam
Proofreader: Katie Tennant
Technical proofreader: Sam Brown
Typesetter and cover designer: Marija Tudor

ISBN 9781617297977
Printed in the United States of America

contents

preface
acknowledgments
about this book
about the authors
about the cover illustration

PART 1 BACKGROUND

1 Why GitOps?
  1.1 Evolution to GitOps
      Traditional Ops ■ DevOps ■ GitOps
  1.2 Developer benefits of GitOps
      Infrastructure as code ■ Self-service ■ Code reviews ■ Git pull requests
  1.3 Operational benefits of GitOps
      Declarative ■ Observability ■ Auditability and compliance ■ Disaster recovery

2 Kubernetes and GitOps
  2.1 Kubernetes introduction
      What is Kubernetes? ■ Other container orchestrators ■ Kubernetes architecture ■ Deploying to Kubernetes
  2.2 Declarative vs. imperative object management
      How declarative configuration works
  2.3 Controller architecture
      Controller delegation ■ Controller pattern ■ NGINX operator
  2.4 Kubernetes + GitOps
  2.5 Getting started with CI/CD
      Basic GitOps operator ■ Continuous integration pipeline

PART 2 PATTERNS AND PROCESSES

3 Environment management
  3.1 Introduction to environment management
      Components of an environment ■ Namespace management ■ Network isolation ■ Preprod and prod clusters
  3.2 Git strategies
      Single branch (multiple directories) ■ Multiple branches ■ Multirepo vs. monorepo
  3.3 Configuration management
      Helm ■ Kustomize ■ Jsonnet ■ Configuration management summary
  3.4 Durable vs. ephemeral environments

4 Pipelines
  4.1 Stages in CI/CD pipelines
      GitOps continuous integration ■ GitOps continuous delivery
  4.2 Driving promotions
      Code vs. manifest vs. app config ■ Code and image promotion ■ Environment promotion ■ Putting it all together
  4.3 Other pipelines
      Rollback ■ Compliance pipeline

5 Deployment strategies
  5.1 Deployment basics
      Why ReplicaSet is not a good fit for GitOps ■ How Deployment works with ReplicaSets ■ Traffic routing ■ Configuring minikube for other strategies
  5.2 Blue-green
      Blue-green with Deployment ■ Blue-green with Argo Rollouts
  5.3 Canary
      Canary with Deployment ■ Canary with Argo Rollouts
  5.4 Progressive delivery
      Progressive delivery with Argo Rollouts

6 Access control and security
  6.1 Introduction to access control
      What is access control? ■ What to secure ■ Access control in GitOps
  6.2 Access limitations
      Git repository access ■ Kubernetes RBAC ■ Image registry access
  6.3 Patterns
      Full access ■ Deployment repo access ■ Code access only
  6.4 Security concerns
      Preventing image pull from untrusted registries ■ Cluster-level resources in a Git repository

7 Secrets
  7.1 Kubernetes Secrets
      Why use Secrets? ■ How to use Secrets
  7.2 GitOps and Secrets
      No encryption ■ Distributed Git repos ■ No granular (file-level) access control ■ Insecure storage ■ Full commit history
  7.3 Secrets management strategies
      Storing Secrets in Git ■ Baking Secrets into the container image ■ Out-of-band management ■ External Secrets management systems ■ Encrypting Secrets in Git ■ Comparison of strategies
  7.4 Tooling
      HashiCorp Vault ■ Vault Agent Sidecar Injector ■ Sealed Secrets ■ Kustomize Secret generator plugin

8 Observability
  8.1 What is observability?
      Event logging ■ Metrics ■ Tracing ■ Visualization ■ Importance of observability in GitOps
  8.2 Application health
      Resource status ■ Readiness and liveness ■ Application monitoring and alerting
  8.3 GitOps observability
      GitOps metrics ■ Application sync status ■ Configuration drift ■ GitOps change log

PART 3 TOOLS

9 Argo CD
  9.1 What is Argo CD?
      Main use cases ■ Core concepts ■ Sync and health statuses ■ Architecture
  9.2 Deploy your first application
      Deploying the first application ■ Inspect the application using the user interface
  9.3 Deep dive into Argo CD features
      GitOps-driven deployment ■ Resource hooks ■ Postdeployment verification
  9.4 Enterprise features
      Single sign-on ■ Access control ■ Declarative management

10 Jenkins X
  10.1 What is Jenkins X?
  10.2 Exploring Prow, Jenkins X pipeline operator, and Tekton
  10.3 Importing projects into Jenkins X
      Importing a project ■ Promoting a release to the production environment

11 Flux
  11.1 What is Flux?
      What Flux does ■ Docker registry scanning ■ Architecture
