Juncheng Anthony Lin - Redhat - A Practical Approach to Traditional and Cloud Native Infrastructure Management using GitOps

1. V0000000
OpenInfra Days @ Vietnam 2022
27-Aug-2022
A Practical Approach to Traditional
and Cloud Native Infrastructure
Management using GitOps
Anthony Lin
anthony.lin@redhat.com
Hybrid Cloud Specialist,
Red Hat ASEAN
1

2. AGENDA
OpenInfra Days @ Vietnam 2022
▪ What is GitOps?
▪ IaC Automation and GitOps
▪ GitOps and Kubernetes Multi-Cluster Management
▪ Q&A

3. What is GitOps?
3
OpenInfra
Days
@
Vietnam
2022

4. GitOps
● Prescriptive style of Infrastructure as Code
○ For deploying and managing large, sophisticated, distributed and cloud-native
systems
○ Uses Git as the single source of truth for declarative infrastructure and
applications
■ Defined state of infrastructure is Git version controlled, complete with a
useful audit log of all activity
● Brings together developments and operations with development process and
tooling
○ Provides a consistent means of working across the organization
○ Helps to increase productivity and velocity of deployments and development

5. GitOps considers that Git repository is our only source of truth. Manual
operations are prohibited and changes are introduced through git to
perform deployments adopting “Continuous Deployment”.
Contributor’s
Pull Request
Content
Review
Release
for
Consumption
Generate
Artifacts
Test
Content

6. IaC Automation and
GitOps
6
OpenInfra
Days
@
Vietnam
2022

7. 7
#1 Fill the form Request For Change.
#2 Fill the form again after talking with senior colleague.
#3 Now you can fill the webform and link CIs from CMDB.
#4 Your Configuration Item (CI) is not in the CMDB.
#5 Use your own team's CMDB (A.K.A Excel).
#6 Sleep(1 week) and waitfor(Change Advisory Board).
#7 Explain why you really, really need to do your job.
#8 Someone's else execute and get syntax error.
#9 Goto #2
The Joy of Request For Changes

8. 8
Infrastructure As Code
"Infrastructure As Code is the capability to rebuild the entire infrastructure only with
system’s data and code from your version control systems "
Data Code

9. IaC Practices
Data Code
Automated tests
Security and compliance
Automating execution from a
shared environment
Source Control
Modularizing and
versioning
Documentation

10. Describing Machines using YAML

11. Benefits of CI/CD
● Velocity
○ Automation = Speed
○ Accelerate time to value
● Productivity
○ Automation of Repetitive Tasks
○ Experimentation = Innovation
● Sustainability
○ Quality
○ Reproducibility
○ Stability
○ Processes

12. Public Cloud Experience
Infrastructure
● CI/CD
● Fully Tested
● Fully Automated
● Infra as Code (IaC)
Applications
W W W
DB

13. “Classic” On-Premise Infrastructure
Infrastructure
● Manually Deployed
and/or Operated
● Error-Prone Changes
● Fragile
● Low Reproducibility
● Low Confidence
Applications
W W W
DB

14. On-Premise Infrastructure with CI/CD
Infrastructure
● CI/CD
● Fully Tested
● Fully Automated
● Infra as Code (IaC)
Applications
W W W
DB

15. What is Need to Enable CI/CD in an
Infrastructure Project?
● Infrastructure as Code
● Test Environments
● Time and Effort

16. Applying Software Best Practices to Hardware
Physical
Infrastructure as
Code
● Speed+
● Cost-
● Risk-
● Velocity
● Productivity
● Sustainability
Physical
CI/CD
Infrastructure as code is
the foundation required to
automate deployments
and scaling in the physical
world.

17. What CI/CD Looks like in Practice
Step1 Step 2 Step3 Step5
Step4
Pipeline
RUN
Q. How do we know the operation will be
successful?
A. Because we test it first (that is the CI part)

18. What CI/CD Looks like in Practice
Step 1 Step 2 Step 4
Step 3
A pipeline consisting of all the
automated steps needed to
achieve the required operation:
● New deployment
● Upgrade
● Scale-up/Scale-down
● Config change
● and others ...
For proper CI/CD, some of these
steps are tests that are usually
executed in a virtual environment
Prepare the
Virtual
Environment
Actual Operation:
- Deployment
- Upgrade
- Config Change
- and others ...
Test the
result of this
operation
Repeat the
operation in a
production
environment
CD
CI

19. deploy test
environment
start impact
monitoring
upgrade
process
impact
analysis
Iteration 1
deploy test
environment
start impact
monitoring
upgrade
process
impact
analysis
Iteration 2
deploy test
environment
start impact
monitoring
upgrade
process
impact
analysis
Iteration 13
deploy test
environment
start impact
monitoring
upgrade
process
impact
analysis
Production
deployment
Iteration 14
Process did not complete because
of error in upgrade process
orchestration
Impacted test application
because of BZ #xxxxxx. hotfix
provided by Red Hat.
No impact detected!
Site 1
Site 2
Site 3
Multiple production clusters
upgraded with:
● Very high confidence
● One-click operation
● Engineers already working
on something else
...
...
...
...
...
Cloud Upgrade Example

20. GitOps + IaC in Action
Check-Out
Content
1
Trigger CI
Check-In
Changes
Approve
Changes
3
6
7 Trigger CD
Peer
Reviewer(s)
Engineers
Test
4
8 Deploy
2
Notify
5
Notify
9
Dev Workspace
0

21. Golden Image GitOps Pipeline with Ansible Automation Platform
Code
Version
Control
Build
Code Editor
Source Code
Management
Artifact /
Image
Creation
Leads to much faster reaction time to new CVEs and security
vulnerabilities as new images can be built quickly with pipeline!
Package New Base OS Server Image
● Pipeline allows easy
rebuild of Base OS
Image
● Rebuilt image is
properly hardened
and updated with
the latest security
patches
● Provides hardened
Base OS Image for
Developers to carry
out application
testing
● Pipeline can be
easily extended to
include application
installation and
other custom
requirements

22. Golden Image GitOps Pipeline with Ansible Automation Platform

23. Golden Image GitOps Pipeline

24. GitOps and Kubernetes
Multi-Cluster
Management
24
OpenInfra
Days
@
Vietnam
2022

25. 25
Cloud-native Approaches
● Declarative infrastructure definitions
● Separation of Software / Data / Configuration
● Automate everything
● Rebuild vs Repair
● Scalability. Scale Out not Up.
● Oriented to:
○ Containers / Kubernetes
○ Microservices architectures
○ 12 factor apps
○ DevSecOps / Agility
○ Portability -> Multi/Hybrid cloud

26. ▸ Disparate clusters built by
individual teams within the
organization.
▸ Significant effort spent to meet
security, governance and
compliance requirements of the
organization.
▸ Ensuring the platform is
operationally ready within days
and not weeks-to-months to
onboard developer teams.
Challenges
▸ Provide containers-as-a-service
capability within the organization
through self-service
consumption
▸ Automate standard container
platform build within the
organization
▸ Enforce policies and
configuration on the container
platform in a consistent manner
▸ Using git as the source of truth
Solution
26
Adopting Kubernetes Enterprise Wide

27. Run
▸ Observability: Central monitoring and logging
▸ DevOps tooling. Automated builds. CI/CD, IDE, Container registry
▸ Unified storage abstraction
Manage
▸ Multi cluster management
▸ GitOps. Application lifecycle management.
▸ Project team and application onboarding
Governance, Compliance and Security
▸ Policy-based governance, risk, and compliance
▸ Shift Left. Container security.
▸ Zero trust security
▸ Trusted supply chain
▸ Approved tech stack. Language runtime, databases, RHEL UBI images.
Automate Everything
▸ IaC
▸ Configuration Management
▸ Workflow orchestration
▸ Network and security automation
Supporting Application Modernization
Application
modernization
Run
Automate
Manage
27
Governance,
compliance and
security
Consistency is key across the organization
Physical
Virtua
l
Private
cloud
Public
cloud
Edge

28. Sync
Monitor
Detect
drift
Take
action
Argo CD
● Cluster and application configuration versioned in Git
● Automatically syncs configuration from Git to clusters
● Drift detection, visualization and correction
● Granular control over sync order for complex rollouts
● Rollback and rollforward to any Git commit
● Manifest templating support (Helm, Kustomize, etc)
● Visual insight into sync status and history
28

29. OpenShift
(on-premises)
Pull Request
merged
OpenShift
(public cloud)
Kubernetes
webhook
poll
sync
hooks
Argo CD
29

30. 30
Open Source Community & Ecosystem
Open Policy Agent
Hive
metal3

31. 31
Multi-Cluster Management
Multicluster lifecycle
management
Policy driven governance,
risk, and compliance
Advanced application
lifecycle management
Multicluster observability
for health and optimization
Multicluster networking for
interconnecting

32. OpenShift Clusters
Architecture
OpenShift Management Cluster
Platform Team
Developers’ namespaces
Developers’ network policies
Governance & Policies
Observability
Container Security Container Registry
Automation SIEM Red Hat SSO
Platform Team
Ansible Playbooks
Platform Team
Governance policies
Configuration policies
Compliance policies
32
Central
Management
Managed
Clusters

33. OpenShift as a Service Demo - An Opinionated Approach

34. V0000000
34
Any
questions?

35. linkedin.com/company/red-hat
youtube.com/user/RedHatVideo
s
facebook.com/redhatinc
twitter.com/RedHat
Red Hat is the world’s leading provider of
enterprise open source software solutions.
Award-winning support, training, and consulting
services make
Red Hat a trusted adviser to the Fortune 500.
Thank you
35