How Weave GitOps Builds on Flux to bring GitOps to the Enterprise
From open source Flux to Weave GitOps and Weave GitOps Enterprise, this article explains the different options available for establishing a GitOps-controlled CI/CD pipeline in your organization.
Weave GitOps Enterprise is a commercially supported single pane of glass via which you can improve operations across all Kubernetes clusters, boosting security and compliance while removing pipeline bottlenecks. Best of all, it can accommodate all the tools you already use.
The Trouble with Kubernetes
Kubernetes is hard, even for the most knowledgeable staff. The complexity involved in deploying it for the first time and maintaining it from day 2 can therefore incur significant amounts of time and money. Dealing with a new and complex platform can also lead to security vulnerabilities, due to the scope for misconfiguration. We have a solution.
Simplifying Kubernetes Management with Flux
Today, Weave GitOps Enterprise is among the most effective solutions to the problem of Kubernetes management. Built on the open-source reconciliation agent, Flux, it makes essential Kubernetes operations much less labor-intensive, without limiting your choice of tools. But first, let’s talk about the software agent at its heart: Flux.
Initially conceived by Weaveworks, Flux was designed to sit at the heart of a CI/CD pipeline, controlling Kubernetes and automating software delivery. It has recently achieved Graduated status at the Cloud Native Computing Foundation, the organization’s highest level of project maturity. That means it now ranks alongside established cloud native projects such as Kubernetes, Envoy and Prometheus. With over 300 contributors from around the world, Flux is available through platforms including AWS, Microsoft and VMware Tanzu. It is the GitOps platform of choice for enterprise firms including SAP, Volvo Cars and Axel Springer.
How Weave GitOps Builds on Flux
Weave GitOps is an open-source extension to Flux that adds visual tooling. It offers an easier onboarding experience, allowing users to install and visualize not just Flux, but also Helm Charts and application deployments, via its web-based user interface. Weave GitOps gives teams with limited Kubernetes expertise the tools they need to deploy applications easily and securely - while also integrating with Visual Studio Code, so development teams can take advantage of GitOps from inside their IDE.
Getting Serious with Weave GitOps Enterprise
Weave GitOps Enterprise builds on both Flux and open-source Weave GitOps with additional tools and enterprise-grade commercial support. But as a full-stack GitOps platform, Weave GitOps Enterprise goes much further than just Kubernetes automation. For larger teams with mission-critical needs, it delivers unrivaled security and scalability.
Weave GitOps Enterprise offers a single pane of glass via which you can see all your clusters, so you can manage them more efficiently. It also includes templating based on CAPI, so you can choose the infrastructure you want to run your Kubernetes clusters on. This means platform operators can architect the installation of several necessary components, including monitoring (Prometheus, Datadog, New Relic, etc.), ingress and networking (Calico, etc.), and service mesh (Linkerd, Istio, etc.). You can then empower the end consumers of your platform to self-build their clusters without manual intervention from other teams, putting an end to the bottlenecks that can arise when waiting for infrastructure – vital when everything is needed at cloud-native speed.
The most important enterprise capabilities of Weave GitOps Enterprise can be summarized as:
- Continuous application delivery across all clusters.
- Embedded security and compliance with policy as code and the Weave Policy Library.
- Enforcement of cluster and application policies to ensure compliance at every step.
- Comprehensive support for Weave GitOps Enterprise, policy, and your whole Kubernetes environment.
- Progressive delivery to ensure the stability and success of production rollouts.
- Pipelines that manage application progression across all development stages.
- Cluster and application multi-tenancy controlled with RBAC.
- Fleet management of clusters across all cloud providers, on-premise and hybrid environments.
- Standard templating across all your clusters and applications.
Figure: GitOps Templates with Weave GitOps
A Modular and Flexible Solution
It’s true that many of the functions of Weave GitOps and Weave GitOps Enterprise can be performed by open-source tools. But that means having at least seven different point solutions, with no guaranteed support for CVEs, nor hotfixes for any code bugs that may arise. It means you need highly skilled engineers to maintain and manage those projects, especially as updates and new releases are made available quarterly, or even more frequently.
Weave GitOps Enterprise takes care of all this – and it doesn’t force you to use particular tools. Its modular approach allows you to build a Kubernetes and application management and distribution system that suits your organization, based on the software you already have in use – so there’s no need to rip and replace. You maintain the freedom of choice, the container runtimes right for your organization, the Kubernetes distributions right for your environments, and the cloud provider that works for you.
Figure: Pipelines management with Weave GitOps
Unrivaled Security, Thanks to Flux
The Flux microservice architecture (including Weave GitOps for the UI) allows you to select only the Flux microservices you need, lowering the attack surface. Flux is also more secure by design against several entire vulnerability classes, including:
- OCI container signature verification: Flux will verify the signed OCI artifact before deployment, ensuring the source of the container. With the right policies applied, Flux can deny deployment based on other criteria your organization requires.
- Code execution: Flux v2 was built to prioritize integration with libraries instead of binaries. When executing commands for tools like Git and Kustomize, it uses their Go library alternatives, which reduces the likelihood of bugs that could otherwise allow attackers to inject commands for Flux to blindly execute.
- XSS, JWT, and other web-related vulnerabilities: the standard Flux deployment does not include the UI, so by default it is not exposed to Web UI-specific vulnerabilities.
- Privilege escalation: all write actions against a Kubernetes cluster are performed by impersonating a tenant service account. This way, in a multi-tenancy environment, even if a bug exists within the Flux reconcilers, or if a tenant tries to change objects beyond the namespaces they control, Kubernetes RBAC enforces the permissions given to that account and blocks the attempt. Most other applications apply changes using a cluster-level service account, meaning that any bug can have catastrophic consequences.
- Sensitive information disclosure: Flux supports on-demand decryption of sensitive information, which means that information is kept secret and is only decrypted at the moment it is needed, then soon discarded. No secrets or credentials are saved on disk at any time.
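The three controls above (signature verification, tenant impersonation, on-demand decryption) map directly onto fields of the Flux `OCIRepository` and `Kustomization` resources. The manifests below are an added illustration, not the article's or the Flux project's own example; the `team-a` namespace, registry URL, secret names and the `team-a-reconciler` ServiceAccount (assumed to already exist) are all placeholders.

```yaml
# Source: an OCI artifact whose cosign signature must verify before any of it is applied.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: team-a-manifests
  namespace: team-a
spec:
  interval: 10m
  url: oci://ghcr.io/example-org/team-a-manifests   # assumed registry path
  ref:
    tag: v1.0.0
  verify:
    provider: cosign
    secretRef:
      name: cosign-public-key       # Secret holding the signer's cosign .pub key
---
# Reconciliation: applied as the tenant's service account, with SOPS-encrypted
# Secrets decrypted in memory at apply time rather than stored on disk.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: team-a-apps
  namespace: team-a
spec:
  interval: 10m
  prune: true
  path: ./apps
  serviceAccountName: team-a-reconciler   # identity the controller impersonates
  sourceRef:
    kind: OCIRepository
    name: team-a-manifests
  decryption:
    provider: sops
    secretRef:
      name: sops-age-key            # tenant's age private key
---
# The bound on that identity: a namespace-scoped RoleBinding, so a write outside
# team-a is rejected by the API server regardless of what the manifests contain.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-reconciler
  namespace: team-a
subjects:
- kind: ServiceAccount
  name: team-a-reconciler
  namespace: team-a
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
```

If the artifact's signature does not match a key in `cosign-public-key`, the `OCIRepository` is marked not ready and the `Kustomization` never applies it, which is the deny-by-default behaviour the list describes.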
The Ultimate GitOps Platform for Continuous Application Delivery
Weave GitOps Enterprise is the only Kubernetes management platform to combine this level of security with such power to speed up and streamline your delivery pipeline. As the quintessential GitOps solution, it uses Git as both a data store and single source of truth, providing bulletproof version control and full audit trails, making compliance a much less onerous and costly task – vital for anyone working in regulated industries and incredibly useful for everyone else.
To learn more about Weave GitOps Enterprise and what it can do for your organization, contact the team at Weaveworks today.