GitOps & Continuous Infrastructure with terra*
- 1. Copyright © 2021 HashiCorp
GitOps & Continuous Infrastructure with Terra*
Haggai Philip Zagury, DevOps Group & Tech lead
September 2021
- 3. Focus for today's talk - why GitOps
GitOps
Every change is driven by a change in source control.
Alexis Richardson coined the term GitOps in 2017. GitOps is the new phase of DevOps that many organizations are adopting, in which all the infrastructure is stored in Git as code and used for continuous deployment.
#1 - The entire system described declaratively.
#2 - The canonical desired system state versioned in Git.
#3 - Approved changes that can be automatically applied to the system.
#4 - Software agents to ensure correctness and alert on divergence.
- 4. My Journey.tf
Using terraform in various use cases, adv, caveats
Working with terraform for the past 5 years (at least)
Love & Hate relationship with State management
- From tiny projects (single main.tf file)
- To 10's of *.tf files
  - Have you seen 001_s3.tf, 002_iam.tf ...
  - Things can break very fast ....
- Upgrading to terraform 0.13
- What comes first? Account / S3 / DynamoDB lock table?
- Terraform without terraform cloud?! (for small teams / startups)
- Seamless integration with Consul / Vault (more on that later)
- Cloud Native Technologies
The ones I worked with ;)
- 12. Focus for today's talk
GitOps
Every change is driven by a change in source control (git is the standard SCM, hence GitOps).
Continuous Infrastructure & Operations
Utilizing DevOps best practices and tools, enabling an entire SDLC based on Git operations.
- 15. 01 GitOps the early days ...
Terraform Cloud || Run from your laptop
- 25. CODE EDITOR
Pseudo pipeline
If we could freestyle it ...
if ./terraform files in git changeset
  then terraform workspace select $env
       tf apply -auto-approve
if ./backend files in git changeset
  then docker build + push all backend components
       terraform workspace select $env
       tf apply -auto-approve
if ./frontend files in git changeset
  then upload files to S3 static + CloudFront invalidation
       tf apply -auto-approve
end
- 27. Running Terraform with GitHub Actions
Ahoy! -> Insurance for recreational boats
The Continuous Infrastructure:
Terraform Workspace == Protected / Official Branch
● 1 infrastructure repository
● 3 environments - 3 branches (main, staging, dev)
● Trigger based on a certain directory in the changeset -> quirky but works!
- 28. CODE EDITOR
ci-mode | branch == workspace
steps:
  - name: gcr.io/${PROJECT_ID}/terraform:0.14.7
    entrypoint: bash
    args:
      - '-c'
      - |
        cd /workspace/infrastructure/terraform/cloud-core;
        terraform init;
        if [ "${BRANCH_NAME}" == "master" ]; then
          terraform workspace select production;
          cp /workspace/infrastructure/terraform/production.tfvars /workspace/apply.tfvars;
          gcloud container clusters get-credentials production-cluster --zone=us-east1-b
        elif [ "${BRANCH_NAME}" == "staging" ]; then
          cp /workspace/infrastructure/terraform/staging.tfvars /workspace/apply.tfvars;
          gcloud container clusters get-credentials staging-cluster --zone=us-east1-b
          terraform workspace select staging;
- 29. CODE EDITOR
ci-mode
steps:
  - name: gcr.io/${PROJECT_ID}/terraform:0.14.7
    entrypoint: bash
    args:
      ...
          exit
        fi
        terraform plan -var-file=/workspace/apply.tfvars -no-color -out=/workspace/tfplan-core;
        terraform apply -input=false /workspace/tfplan-core;
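The two rules these pipeline slides show, the directory-based trigger from the "freestyle" pseudo pipeline on slide 25 and the branch == workspace mapping from the Cloud Build step above, combined into one shell function. This is an added example, not code from the deck or from the project it describes. It assumes the deck's directory names (terraform/, backend/, frontend/), its workspace names (production, staging) and its tfvars path layout; the dev mapping, the plan_pipeline name and the BASE_SHA/HEAD_SHA variables are hypothetical. Unlike the slide's if/elif chain, a branch with no mapping fails the job before anything is planned or applied, and each stage is emitted once no matter how many files under its directory changed.

```shell
#!/bin/sh
# Added example (not from the deck). Branch name in $1, changed paths on stdin,
# one per line, as printed by:  git diff --name-only "$BASE_SHA" "$HEAD_SHA"
# Prints one "<workspace>:<stage>:<tfvars>" line per stage to run, in order.

workspace_for_branch() {
  # Slides 28/29 map master -> production and staging -> staging.
  case "$1" in
    master)  echo production ;;
    staging) echo staging ;;
    dev)     echo dev ;;        # hypothetical: the deck's third environment
    *)       return 1 ;;        # unknown branch: fail closed, print nothing
  esac
}

stages_for_changes() {
  # Slide 25: a stage runs when its directory appears in the change set.
  # Each stage is emitted at most once, in a fixed order.
  tf=0; be=0; fe=0
  while IFS= read -r path; do
    case "$path" in
      terraform/*) tf=1 ;;
      backend/*)   be=1 ;;
      frontend/*)  fe=1 ;;
      *) ;;                     # README, CI config, etc. trigger nothing
    esac
  done
  [ "$tf" -eq 1 ] && echo terraform
  [ "$be" -eq 1 ] && echo backend
  [ "$fe" -eq 1 ] && echo frontend
  return 0
}

plan_pipeline() {
  branch="$1"
  ws=$(workspace_for_branch "$branch") || {
    echo "refusing to run: branch '$branch' has no workspace mapping" >&2
    return 1
  }
  tfvars="/workspace/infrastructure/terraform/${ws}.tfvars"
  stages_for_changes | while IFS= read -r stage; do
    echo "${ws}:${stage}:${tfvars}"
  done
}

# Usage inside a CI job (SHA and branch variable names are placeholders for
# whatever the CI system provides):
#   git diff --name-only "$BASE_SHA" "$HEAD_SHA" | plan_pipeline "$BRANCH_NAME" || exit 1
```

The output lines are what a job would feed to the real `terraform workspace select` / `terraform apply` commands; the point of the separate mapping function is that the decision "which workspace, which tfvars" is made in one place and a typo in a branch name yields a refusal rather than an apply against the wrong environment.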
- 35. CODE EDITOR
Vault (secrets manager) ping
vault ping:
  stage: .pre
  script:
    - echo "Check status of $VAULT_ADDR"
    - |
      until vault status
      do
        echo "Vault returned error or sealed"
        sleep 5
      done
  rules:
    - if: '$VAULT_ADDR'
      when: always
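The same readiness check with an upper bound on retries, as an added example that is not from the deck. The slide's `until vault status; do sleep 5; done` never gives up, so a Vault that stays sealed holds the job until the CI timeout with nothing in the log saying why. The exit codes the function distinguishes are the ones the `vault status` CLI documents (0 unsealed, 1 error, 2 sealed); the `fake_vault_status` stand-in is constructed so the function can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the deck): bounded wait for Vault before the
# pipeline continues. Fails after $max attempts and reports the last exit code.

wait_for_vault() {
  # $1 probe command (e.g. "vault status"), $2 max attempts, $3 seconds between
  probe="$1"; max="${2:-12}"; pause="${3:-5}"; attempt=1
  while :; do
    $probe >/dev/null 2>&1 && {
      echo "Vault reachable and unsealed after $attempt attempt(s)"
      return 0
    }
    rc=$?
    case "$rc" in
      2) echo "attempt $attempt/$max: Vault is sealed" >&2 ;;
      *) echo "attempt $attempt/$max: Vault unreachable or errored (exit $rc)" >&2 ;;
    esac
    if [ "$attempt" -ge "$max" ]; then
      echo "giving up on ${VAULT_ADDR:-vault} after $max attempts (last exit $rc)" >&2
      return "$rc"
    fi
    attempt=$((attempt + 1))
    sleep "$pause"
  done
}

# Constructed stand-in for `vault status` used to exercise the function
# offline: reports "sealed" (exit 2) on the first two calls, then unsealed.
FAKE_CALLS=0
fake_vault_status() {
  FAKE_CALLS=$((FAKE_CALLS + 1))
  if [ "$FAKE_CALLS" -ge 3 ]; then return 0; else return 2; fi
}

# In the GitLab job the script line becomes:
#   wait_for_vault "vault status" 12 5 || exit 1
```

Returning the probe's exit code rather than a flat 1 lets the job log show whether the problem was a sealed Vault (an operator needs to unseal it) or an unreachable one (network, address or TLS), which are handled by different people.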
- 36. CODE EDITOR
terraform apply -auto-approve
apply:
  stage: apply
  extends: .secrets
  script:
    - *install-curl-jq
    - *gitlab-tf-backend
    - terraform apply -auto-approve
    - DYNAMIC_ENVIRONMENT_URL=$(terraform output -no-color env-dynamic-url)
    - echo "DYNAMIC_ENVIRONMENT_URL=$DYNAMIC_ENVIRONMENT_URL" >> deploy.env
  dependencies:
    - plan production
  artifacts:
    expire_in: 1 week
    name: $CI_COMMIT_REF_SLUG
    reports:
      dotenv: deploy.env
- 38. Increase Developer & Operations Productivity
Continuous deployment automation with an integrated feedback control loop speeds up mean time to deployment -> "ship often" isn't just a catchy phrase!
Enhanced Developer Experience
Push code, not containers.
Developers can use familiar tools like Git to manage updates and features for Kubernetes more rapidly, without having to know the internals of Kubernetes. Newly on-boarded developers can get up to speed quickly and be productive within days instead of months.
- 39. Improved Stability
When you use Git workflows to manage your cluster, you automatically gain a convenient audit log of all cluster changes outside of Kubernetes. An audit trail of who did what, and when, to your cluster can be used to meet SOC 2 compliance and ensure stability.
Higher Reliability
With Git's capability to revert/rollback and fork, you gain stable and reproducible rollbacks. Because your entire system is described in Git, you also have a single source of truth from which to recover after a meltdown, reducing your mean time to recovery (MTTR) from hours to minutes.
- 40. Consistency and Standardization
Because GitOps provides one model for making infrastructure, application and Kubernetes add-on changes, you have consistent end-to-end workflows across your entire organization. Not only are your continuous integration and continuous deployment pipelines all driven by pull requests, but your operations tasks are also fully reproducible through Git.
Stronger Security Guarantees
Git's strong correctness and security guarantees, backed by the strong cryptography used to track and manage changes, as well as the ability to sign changes to prove authorship and origin, are key to a secure definition of the desired state of the cluster.
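One concrete pipeline check behind the "sign changes to prove authorship and origin" point, as an added example that is not from the deck: before `terraform apply`, every commit in the range being deployed must carry a signature that verifies against a key the CI runner trusts. The function consumes the output of `git log --format='%G? %H'` (git's signature status placeholder followed by the hash); the status codes are git's own, the sample logs and hashes are constructed placeholders, and the BASE_SHA/HEAD_SHA names stand in for whatever the CI system provides.

```shell
#!/bin/sh
# Added example (not from the deck): gate `terraform apply` on commit
# signatures. Input is the output of
#   git log --format='%G? %H' "$BASE_SHA".."$HEAD_SHA"
# one line per commit: git's signature status code, then the commit hash.
# Codes (git-log's %G? placeholder): G good, B bad, U good but the key is
# untrusted, X good but expired, Y good but the key expired, R good but the
# key is revoked, E cannot be checked (e.g. missing key), N no signature.
# Only G is accepted, so a commit signed with a key the runner's keyring does
# not trust fails the same way an unsigned one does.

check_commit_signatures() {
  # stdin: "<code> <hash>" lines. Reports offenders on stderr; returns 1 if any.
  bad=0
  while IFS=' ' read -r code hash; do
    [ -n "$hash" ] || continue               # skip blank lines
    case "$code" in
      G) ;;
      N) echo "$hash: not signed" >&2; bad=1 ;;
      U) echo "$hash: signed, but the key is not trusted" >&2; bad=1 ;;
      B) echo "$hash: BAD signature" >&2; bad=1 ;;
      *) echo "$hash: signature status '$code' rejected" >&2; bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed sample logs (placeholder hashes, not real commits).
SAMPLE_LOG_OK='G 1111111111111111111111111111111111111111
G 2222222222222222222222222222222222222222'
SAMPLE_LOG_BAD='G 1111111111111111111111111111111111111111
N 3333333333333333333333333333333333333333
U 4444444444444444444444444444444444444444'

# In a CI job (SHA variable names are placeholders for what the CI system provides):
#   git log --format='%G? %H' "$BASE_SHA".."$HEAD_SHA" | check_commit_signatures || exit 1
```

The check is only as strong as the runner's keyring: it should contain exactly the approved signing keys, provisioned by the pipeline rather than picked up from the repository being checked, otherwise a commit can bring its own key along and verify as "G".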