GitOpsSets enterprise

caution

This feature is in alpha and certain aspects will change

We're very excited for people to use this feature. However, please note that some changes will be made to the API and behavior, particularly to enhance security by implementing impersonation for more fine-grained control over how the generated resources are applied.

Introduction

GitOpsSets enable Platform Operators to have a single definition for an application for multiple environments and a fleet of clusters. A single definition can be used to generate the environment and cluster-specific configuration.

As an example, we can take an application that needs to be deployed to various environments (Dev, Test, Prod) built by a fleet of clusters. Each of those environments + clusters requires a specialized configuration powering the same Application. With GitOpsSets and the generators you just declare the template, you want to use, the selector that will match the cluster of the inventory, and where to get the special configuration.

GitOpsSets will create out of the single resource all the objects and flux primitives that are required to successfully deploy this application. An operation that required the editing of 100’s files can be done now with a single command.

The initial generators that are coming with the preview release are:

• List Generator: Simplest generator. Provide a list of Key/Value pairs that you want to feed the template with.
• Git Generator: Enable to extract a set of files (environment-specific configurations) from a Flux GitRepository, and make the contents of these available to the templates, this would let you have config in app-dev.json, app-staging.json and app-production.json for example, and the contents of these would be available to the templates.
• Matrix Generator: Combine slices of generators into the desired compounded input.
• Pull request Generator: Automatically discover open pull requests within a repository to generate a new deployment.

Use cases

• Single application definition for different environment (EU-West, North America, Germany )
• Deployment of single definition across fleet of clusters matching any cluster with based on a label (Production)
• Separation of concerns between teams (Teams managing different artefacts flowing into single definition via generators)

Security

WARNING generating resources and applying them directly into your cluster can be dangerous to the health of your cluster.

This is especially true for the GitRepository generator, where it may not be obvious to the author of the files, or the author of the template the consequences of the template rendering.

The default ServiceAccount that is used by the gitopssets-controller is extremely limited, and can not create resources, you will need to explicitly grant permissions to create any of the resources you declare in the template, missing permissions will appear in the controller logs.

It is not recommended that you create a role with blanket permissions, under the right circumstances, someone could accidentally or maliciously overwrite the cluster control-plane, which could be very dangerous.