March Release - Weave GitOps 2022.03
The March release adds trusted application delivery and policy-as-code capabilities to Weave GitOps, building on our acquisition of Magalix at the start of the year. This release makes it easier to get started with Weave GitOps if you’re an existing Flux user, adds GitOps for Terraform, and introduces a new VS Code extension.
Today we are announcing the March 2022 release of Weave GitOps. The focus of this release is adding trusted application delivery and policy-as-code capabilities to Weave GitOps, building on our acquisition of Magalix at the start of the year. This release makes it easier to get started with Weave GitOps if you’re an existing Flux user, adds GitOps for Terraform, and introduces a new VS Code extension.
Weave GitOps Trusted Delivery gives teams a system for automating Continuous Deployment. Trusted Delivery adds policy-as-code to the deployment pipeline, reducing the manual checks that teams otherwise need to do themselves.
With pure GitOps, Kubernetes is updated as soon as changes are merged into the monitored branch. Even though the merge happens as the result of a pull request, review and approval process, there’s still reluctance to trust automation to deploy straight into production. The reluctance stems from uncertainty over the review process and over the ability to recover quickly if there’s a problem. A change may be many hundreds of lines of YAML, and humans are not very good at linting hundreds of lines of YAML. If you’re not using GitOps, recovering to the last known good configuration is difficult. This lack of trust means that the final step is still manual.
Weave GitOps now includes Policy-as-Code checks to ensure that misconfigurations are automatically detected, reported, and the deployment halted. The policy engine is built on Open Policy Agent (OPA) and includes a curated library of over a hundred policies covering security, resilience and coding standards. The policies are, of course, stored in Git, which makes your policy library audited, controlled and easy to manage.
Policy checks can be automatically triggered at various points in the CI/CD pipeline: commit, build, deploy and runtime. A GitHub Action checks policies on commit or pull request creation. The same Docker image can be used for pre-build checks, e.g. as a CircleCI Docker job. Weave GitOps Trusted Delivery includes a Kubernetes admission controller as the final backstop: manifests with policy violations are rejected. Finally, the Weave GitOps agent continually checks the Kubernetes runtime configuration against the policies and reports back any violations. Violation events may be forwarded via messaging integrations such as Slack, MS Teams or a generic webhook.
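To make concrete what a policy-as-code check looks like at any of those stages, here is a constructed example in Rego (OPA's policy language). It is an illustration added to this post, not a policy from the Weave GitOps library; the package name, rule names and sample manifest are all made up. It flags containers in a Deployment that have no CPU or memory limits or do not opt into running as non-root, and admits the object only when no rule fires:

```rego
package trusted_delivery.example

import rego.v1

# Collect the containers of the Deployment-like object under review.
# The object arrives as `input`, whether the check runs as a pull
# request job, a pre-build step or an admission request.
containers contains c if {
	some c in input.spec.template.spec.containers
}

# Each rule contributes one message per offending container, so the
# caller receives the full list of violations rather than just the first.
violation contains msg if {
	some c in containers
	not c.resources.limits.memory
	msg := sprintf("container %q has no memory limit", [c.name])
}

violation contains msg if {
	some c in containers
	not c.resources.limits.cpu
	msg := sprintf("container %q has no cpu limit", [c.name])
}

violation contains msg if {
	some c in containers
	not c.securityContext.runAsNonRoot == true
	msg := sprintf("container %q does not set runAsNonRoot: true", [c.name])
}

# An admission controller would admit the object only when no rule fired.
default allow := false

allow if count(violation) == 0

# Constructed sample manifest (not a real workload): the cpu limit is
# present but the memory limit is missing, so exactly one violation
# is expected and the object must not be allowed.
test_missing_memory_limit_is_rejected if {
	deploy := {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
		{"name": "web", "image": "example/web:1.0",
		 "resources": {"limits": {"cpu": "500m"}},
		 "securityContext": {"runAsNonRoot": true}}
	]}}}}
	violation == {"container \"web\" has no memory limit"} with input as deploy
	not allow with input as deploy
}
```

Save it as `policy.rego`; `opa test policy.rego` runs the embedded test, and `opa eval -d policy.rego -i manifest.json data.trusted_delivery.example.violation` lists the violations for a real manifest converted to JSON.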
Weave GitOps Trusted Delivery applies to all Kubernetes entities, from simple Deployments to service meshes, enabling operators to provide self-service while preserving developer autonomy. DevOps teams can manage Policy-as-Code to guarantee that automatic deployments are secure, robust and standards compliant.
Just Add GitOps
Already a Flux user? Great choice; we’re happy you're using a CNCF project we donated and continue to support. The good news is that it's now easier than ever to move to Weave GitOps without throwing away any of the great work you’ve already done. Weave GitOps builds on the solid foundation of Flux; think of it as Flux plus plus. You get all the class-leading security and functionality of Flux that you have come to rely on, plus Trusted Delivery with Policy-as-Code, plus observability of the state of the Flux services and your application deployments.
Already made a start on your GitOps journey with Argo? Concerned about the potential security risks, incomplete Helm support, or the lack of Trusted Delivery? Now you can start to migrate to Weave GitOps with Flux Subsystem for Argo (FSA), and continue to use the Argo dashboard with Weave GitOps entities displayed side by side.
Automation is one step towards higher DevOps maturity and high-performing teams, but you also need to know that all the machinery is running reliably; this is where Observability comes to the rescue. Every Weave GitOps Kubernetes Pod exposes a Prometheus metrics endpoint and generates Kubernetes events. Each data point is collected and displayed on the built-in Weave GitOps dashboards, providing a unified overview of the health of all your application deployments and the internal status of the GitOps engine. Alternatively, because Weave GitOps Observability is built on open standards, these metrics and events can be plumbed into your existing Observability tools such as New Relic, Datadog or Grafana.
New VS Code Extension for Weave GitOps
The GitOps Tools for Visual Studio Code extension brings GitOps into your IDE. Who wants to change tools when you can do GitOps deployments from right inside VS Code? You can now keep an eye on the health of the GitOps engine and your application deployments, knowing in real time that the change you just merged passed all the checks and was deployed cleanly.
It’s simple to add GitOps to any Kubernetes cluster, with special support for Azure Arc-enabled clusters. Then, with a few clicks, you can create deployments and use GitOps to push them to your clusters. This is a technology preview release that we'd love feedback on; releases are available from the project.
Terraform Extension for Flux
This release brings a technology preview of this extension. Together with the Weave GitOps Cluster API (CAPI) capabilities, it enables users to configure a full-stack environment (host environment, Kubernetes and all connected services) on any cloud. The Terraform Controller brings the entire Terraform universe into the GitOps flow.
Extend GitOps to all aspects of an environment by integrating Terraform resources. For example, during a GitOps application deployment we can use the Terraform Controller to create a managed database in AWS. This capability can use any Terraform provider to configure resources in AWS, Azure, GCP and others. It can use Terraform modules to configure different parts of the software stack, including databases, networking, security and IaaS.
The Terraform Controller can also detect drift in the runtime environment from the desired state (the plan) for any Terraform resource. This makes Terraform a truly GitOps system, compliant with the CNCF OpenGitOps principles. Any Terraform resource can be continuously reconciled and any change alerted on; remediation of the drift can be automated or manual depending on the resource's character. For example, this approach could be used to ensure that a set of IAM roles and permissions is not changed across a cloud deployment.
Get Started Today
With our spring release, Weave GitOps offers a complete solution for all your GitOps requirements, from continuous deployment of applications to the management of a fleet of Kubernetes clusters across multiple platforms. Trusted Delivery using Policy-as-Code gives you the confidence to accelerate your software delivery pipelines by fully embracing Continuous Deployment across your enterprise.