How to Configure your Repos for Multi-Tenancy and GitOps: Zscaler’s Use Case

By Tamao Nakahara
July 01, 2022

In this talk Flux end user Zscaler explains how they adopted Flux to achieve multi-tenancy requirements. Multi-tenancy was not only a security but also a customer requirement and GitOps was a crucial component in this journey.

Related posts

Add GitOps Without Throwing Out Your CI Tools

What is the Enterprise Market Perspective of GitOps?

GitOps Days 2022 Recap: Intro to Kubernetes, GitOps, & Observability Tutorial

If you need GitOps for multi-tenancy, don't miss this fantastic talk from Zscaler sharing how they do tenants of tenants using Flux: “Multi-tenancy Best Practices using the Cloud Native Ecosystem: Zcaler’s GitOps Journey”

Zscaler is a 4,000-person strong public cloud security company, with headquarters in San Jose, California. The company's cloud-native technology platform, the Zscaler Zero Trust Exchange, is designed to help enterprise customers secure their employees, applications, and data as infrastructure and applications move to the cloud and as employees connect to work remotely, away from the traditional corporate network. Neeta Rathi (Staff Software Engineer at Zscaler) and Josh Carlisle (Principal Architect | Manager - Cloud Protection at ZScaler) shared their journey at GitOps Days 2022. They had a unique greenfield opportunity to build modern infrastructure for their SaaS offering. They wanted to make sure that it was cloud native, Kubernetes-focused, and leveraged GitOps.

An essential part of their solution was multi-tenancy using the open source Flux project, which is in incubation and very close to graduation in the Cloud Native Computing Foundation. Although multi-tenancy would bring some complexity to their set-up, it was a requirement for security and client needs, and Flux was critical to accelerating their journey to success.

The Zscaler team has tenant-specific microservices. Moreover, their deployments can have multiple environments: for instance, shared on a single cluster or deployed to multiple geographies around the world. In addition, they have tenants of multiple environments and multiple customer tenants within those tenants.

In the beginning, the Zscaler team did some custom work to explore what they needed. As they progressed into writing their own controllers, it became clear that they wanted to leverage Flux instead. Their custom solution was not robust or viable, and the Flux controllers were more advanced. Moreover, it made sense to rely on a project that is written and maintained by experts, and for which there is an active and vibrant community on Slack and GitHub. Finally, knowing that Flux is now the technology of choice for platforms such as Microsoft’s Arc Kubernetes, AWS’s EKS Anywhere, D2iQ’s Enterprise Kubernetes Platform, and Weaveworks’ Weave GitOps (and others') builds confidence for Enterprise companies such as Zscaler.

Neeta and Josh explain how they have multiple microservices repos.

Two key repos are:

  • a subsystems config repo where they store configs for microservices, helm releases, etc.
  • Flux cluster repo where they keep repo cluster definitions, tenant definitions, etc.

They also rely on Flux’s image tags and notifications features.

Neeta and Josh cover several of the benefits of following these best practices.

  • With Flux’s multi-tenancy capabilities, they are able to configure their tenants of tenants easily.
  • Moreover, Flux makes the process traceable.
  • With Flux, their onboarding, upgrades, and offboarding are greatly simplified and secure. Onboarding now entails creating a new folder in the repo. Upgrades can be a simple change to a manifest. To offboard, they can simply remove a kustomization from a tenant yaml and delete the folder. For all of this, with GitOps they have a clear history of changes made and who made the change in case they get audited.

To get Zscaler’s full story, and both the technical and business benefits of GitOps with Flux, check out their talk of how they gained these benefits with a low risk of failure.

Here’s the video in its entirety if you’d like to watch from start to finish:

Next Steps

We’ll be publishing more blog posts along with videos from the event to our GitOps Days 2022 Playlist, so stay tuned for more as they become available. And don’t forget to subscribe to our YouTube channel!

Experience how easy it is to enable GitOps and run your apps in a cluster. Try Weave GitOps Core, it’s free and open source and it’s powered by Flux!

Get Started

Related posts

Add GitOps Without Throwing Out Your CI Tools

What is the Enterprise Market Perspective of GitOps?

GitOps Days 2022 Recap: Intro to Kubernetes, GitOps, & Observability Tutorial