At the inaugural online summit “Cloud Native Live”, hosted by our friends at Twistlock, Weaveworks Customer Success Engineer Brice Fernandes (@fractallambda) presented “Delivering Quality at Speed with GitOps”.

Brice discussed how, by introducing and implementing GitOps best practices in your Kubernetes deployment pipelines, DevOps teams can gain velocity without sacrificing quality.

GitOps Principles

Briefly, the four principles of GitOps are:

  • Describe the entire system declaratively
  • Version the desired system state in Git
  • Allow approved Pull Requests to be automatically applied to the system
  • Ensure correctness with the use of software agents

#1. The entire system is described declaratively.

Kubernetes is just one example of the many modern cloud native tools that are “declarative” and can be treated as code. Declarative means that the configuration is defined by a set of facts about the desired end state instead of by a sequence of instructions. With your application’s declarations versioned in Git, you have a single source of truth. Your apps can then be easily deployed to Kubernetes and rolled back from it. Even more importantly, when disaster strikes, your cluster’s infrastructure can also be dependably and quickly reproduced.

#2. The canonical desired system state is versioned in Git.

With the declaration of your system stored in a version control system and serving as your canonical source of truth, you have a single place from which everything is derived and driven. This trivializes rollbacks: a `git revert` takes you back to your previous application state. With Git’s excellent security guarantees, you can also use your SSH key to sign commits, which gives strong guarantees about the authorship and provenance of your code.

#3. Approved changes to the desired state are automatically applied to the system.

Once you have the declared state kept in Git, the next step is to allow any changes to that state to be automatically applied to your system. What's significant about this is that you don't need cluster credentials to make a change to your system. With GitOps, the state definition lives outside the cluster, in a segregated environment. This allows you to separate what you want done from how it is going to be done.

#4. Software agents ensure correctness and alert on divergence.

Once the state of your system is declared and kept under version control, software agents can inform you whenever reality doesn’t match your expectations. The use of agents also ensures that your entire system is self-healing. And by self-healing, we don’t just mean when nodes or pods fail—those are handled by Kubernetes—but in a broader sense, like in the case of human error. In this case, software agents act as the feedback and control loop for your operations.
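To make the feedback loop in principle #4 concrete, here is an added example (not code from the talk or from any Weaveworks agent) of one reconciliation iteration: a toy agent compares the desired state checked into Git with the state the cluster reports, raises an alert for every divergence, and converges the cluster back to what Git declares. Both manifests are constructed stand-ins, and the resource names and image references are hypothetical.

```python
"""Toy GitOps reconciliation loop: detect drift between the Git-declared
desired state and the observed cluster state, alert on it, then converge.
Added example; the two state maps below are constructed, not real manifests."""
import copy

# Constructed stand-in for the manifests committed to Git (desired state).
DESIRED = {
    "Deployment/web": {"replicas": 3, "image": "example.com/web:1.4.2"},
    "Service/web": {"port": 80},
}

# Constructed stand-in for what the cluster API reports (observed state):
# someone scaled `web` by hand, the Service is gone, and an undeclared
# Deployment has appeared. This is the "human error" the agent must catch.
OBSERVED = {
    "Deployment/web": {"replicas": 5, "image": "example.com/web:1.4.2"},
    "Deployment/debug": {"replicas": 1, "image": "example.com/debug:latest"},
}


def detect_drift(desired, observed):
    """Return a list of (resource, drift_kind, detail); an empty list means in sync."""
    drift = []
    for name, spec in desired.items():
        if name not in observed:
            drift.append((name, "missing", spec))
            continue
        # Fields whose live value differs from the declared one: {field: (live, declared)}
        changed = {k: (observed[name].get(k), v)
                   for k, v in spec.items() if observed[name].get(k) != v}
        if changed:
            drift.append((name, "modified", changed))
    for name in sorted(observed.keys() - desired.keys()):
        drift.append((name, "unexpected", observed[name]))
    return drift


def reconcile(desired, observed):
    """One control-loop iteration: alert on each divergence, then make the
    observed state match Git. Returns (new_observed_state, alerts)."""
    alerts = []
    new_state = copy.deepcopy(observed)
    for name, kind, detail in detect_drift(desired, observed):
        alerts.append(f"{kind}: {name} {detail}")
        if kind == "unexpected":
            del new_state[name]                              # prune what Git never declared
        else:
            new_state[name] = copy.deepcopy(desired[name])   # re-apply the declared spec
    return new_state, alerts


if __name__ == "__main__":
    state, alerts = reconcile(DESIRED, OBSERVED)
    print("\n".join(alerts) or "in sync")
    assert detect_drift(DESIRED, state) == []   # the loop has converged
```

A real agent would read the desired state from a Git checkout and the observed state from the cluster API on every iteration, so the cluster credentials live with the agent rather than with the people opening pull requests.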

View the talk in its entirety: