Cloud Native Computing Foundation / GitOpsCon NA 2022

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

How to Achieve (Actual) GitOps with Terraform and Flux - Priyanka Ravi, Weaveworks

GitOps might sound like a self-explanatory term, but it is not as easy as it sounds. Many think this just means to store your Infrastructure-as-Code in Git, then have a pipeline run the code, but it is actually much more complicated than that. True GitOps takes the deployment out of CI/CD, and the most popular solutions are using Kubernetes controllers to do all the heavy lifting. Ensure what you’ve defined in Terraform is what’s always running and available. Flux continuously looks for changes and reconciles with the desired state. Take advantage of all the benefits of GitOps: streamlined and secure deployments, quicker time to market, and more time to concentrate on app development! Pinky will provide an in-depth look at the new Flux Terraform Controller, which enables Terraform deployments to be done the GitOps Way. They’ll end with a demo of a common use case implementation.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from April 17-21, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

⚡Lightning Talk: Why Do We Do This? the Heart of GitOps - Leigh Capili, VMware

Much toil and work is wasted! in the pursuit of glory, the sacrifice of mission, and the hosting... of web applications. In a computable world of information, there are often many valid solutions to the same problem, and naturally, there are a lot of ways to effectively deliver software, but why is GitOps a good way to do that? Is GitOps really just a trendy name for Continuous Delivery, or is there something more here? GitOps has a heart. There is a full-bodied reason for why this community beats to the rhythms and habits begged for by it's tools. This talk will break that down and speak to the question, "Why do we do this?"

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Complete DR of Stateful Workloads, PVs and CSI Snapshots via Flux and Vault OSS - Kingdon Barrett, Weaveworks

Stateful workloads present a heavy challenge for platform operators to secure, backup, and provide for their recovery in the event of "black swan" or cluster-ending catastrophes. Developing a strategy for CSI volumes and managing snapshots should be a priority for cluster operators who otherwise may leave their important data vulnerable to ransomware attacks or other threats; what mitigations can be applied in the event of a full compromise? With GitOps, managing recovery of STATELESS workloads is made easy, almost effortless. It hasn't been shown how that level of convenience is replicated for STATEFUL workloads and DR on persistent volumes. Cluster operators may already know enough about CSI to understand that PVCs are backed by PVs and have a ReclaimPolicy that may be set to Retain. How does one manage this persistence with GitOps? How to manage snapshots? What exactly does snapshot restore executed via GitOps approach look like? Let’s endeavour now to offer clear prescriptive guidance about effective GitOps strategies for managing disaster recovery. What are some strategic approaches to apply to bring our risks back within tolerance? We will find out more in this talk.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Secure Multicluster Istio Configuration Using GitOps Patterns - Christian Hernandez, Red Hat & Nicholas Schuetz, Solo.io

Deploying, securing, and managing a service mesh multicluster environment can be a complex process. Furthermore, enforcing your organization’s security policies and procedures can be a challenge when you start scaling your environment when things like drift and cluster sprawl come into play. In this presentation we will go over how to manage a production Istio deployment in a secure way with policy enforcement using Argo CD and enable a Developer self service by integrating Argo Rollouts for progressive delivery.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Hundreds of Clusters Sitting in a Tree with Argo CD - Mike Tougeron, Adobe

What if each developer or team could independently provision and run their own Kubernetes clusters with full api access? Learn how to leverage Argo CD, vcluster and Kubernetes' cluster-api to build dynamic and full-access environments with every pull request. Then see how these independent environments can be stitched together to create a unified view for QE, integration testing or demos. All while managing each environment's costs and compliance from a single view on the host cluster.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Keynote: The Future of GitOps - Erik Jacobs, Senior Manager, Red Hat

The GitOps practice continues evolving and becoming more accepted and integrated into teams daily. Now that we have a more clear path to GitOps, how can we continue to evolve the practice to make it as easy as possible to integrate across the application development life cycle? In this session, we’ll explore possibilities to integrate across the application development lifecycle to further coordinate releases.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Lightning Talk: Don't Wait, Secure your DevOps Processes Using Open Standard Methods Today! - Dov Hershkovitch, GitLab

Security is shifting left. What used to be a straightforward task in the past, such as deploying an application, today involves secrets. Secrets are typically stored in a secret management solution framework, yet available to the engineer's disposal. In this lightning talk, I will explain how you could secure your DevOps process today, using an open standard (JTW) to access secrets, without compromising due to security or complaints, or waiting for a DevOps vendor to build a native integration framework for you

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Simplifying Edge Deployments Using EMCO and GitOps - Igor DC & Adarsh Vincent Chittilappilly, Intel

Multi-cluster, multi-app edge deployments may involve multiple applications on different cluster types located in different environments. This adds complexity to management, security, and consistency. These complexities can be addressed by using EMCO (Edge Multi-Cluster Orchestrator). With EMCO, GitOps can be leveraged to communicate with Kubernetes clusters over the git protocol, integrating with a variety of public clouds. EMCO acts as the intelligent agent that writes resources to the git location, helping in management, consistency, and security (since no direct communication happens to these clusters). - What goes in the repository: o Kubernetes resources as rendered from Helm Charts. o Cloud-specific configuration and resource files (Kustomization, FluxCD system files, RootSync configurations). - Security considerations: o Token-based authentication for Flux, Azure and Anthos. o Kubernetes Secrets concept for storing and passing sensitive information. o HTTPS APIs ensure data privacy. - The different git libraries in use (and future): o Git2go for interacting with git. o Azure and Anthos APIs o Gitea for local git server

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Welcome + Opening Remarks: The State of the GitOps Working Group - Christian Hernandez, Red Hat & Scott Rigby, Weaveworks

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Build and Deploy Cloud Native (OCI) Artifacts, the GitOps Way - Mathieu Benoit, Google

Cloud Native (OCI) Artifacts are not just containers, they could be any files: Helm charts, README.md files, etc. Could you imagine a GitOps world without Git? Let's see in action how you could build and deploy OCI artifacts, the GitOps way. The first part of the demo will demonstrate how to build your own Helm charts as OCI artifacts by having tools such as Trivy (security scanning), Gatekeeper (compliance checking), Helm and GitHub actions in order to validate and build your OCI artifacts during the Continuous Integration flow. Then, the second part will demonstrate how you could actually deploy OCI artifacts in your Kubernetes cluster in a GitOps way with Config Sync, Kustomize and Helm.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Carry Your Legacy Apps Into a GitOps World - Chandler Wilkerson, Red Hat

GitOps promises a future where all infrastructure is code, but what about all these legacy applications that have to be kept running while DevOps teams build that future? Enter two CNCF Incubator projects, KubeVirt and ArgoCD! ArgoCD brings tested code control workflows to bear in managing infrastructure, while KubeVirt introduces virtual machines to the Kubernetes ecosystem. This session will demonstrate using ArgoCD to bring up KubeVirt, and bring virtual machines along for the ride while running a version of Bookinfo with mixed VM and containerized microservices. After this session, you’ll be well positioned to bring even your legacy services into a GitOps workflow.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Closing Remarks - Christian Hernandez, Red Hat & Scott Rigby, Weaveworks

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Experimenting with CUE and Carvel to Enable GitOps for Your Applications - Dmitriy Kalinin & Shatarupa Nandi, VMware

You might have heard about Cue (https://cuelang.org) -- an open source language for defining, generating, and validating all kinds of data. Wait, Kubernetes configuration is data! You also probably heard about Carvel (https://carvel.dev) -- a set of composable tools that embrace GitOps principles and help with building, configuring, and deploying applications to Kubernetes. So... what happens when we try to use these two projects together for GitOps? In this session we'll explore (and run through some live demos): - Why would you want to use Cue to define your Kubernetes configuration - How does Carvel tools help with managing deployed Cue configuration - How we can safely adopt Cue configuration in our existing environments

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

GitOps Syllabus: Working Our Way Through the Lesson Plan - Raptor Dzuricsko & Elisha Greenwald, Teachers Pay Teachers

The Devtools platform team at Teachers Pay Teachers were looking to improve their current CICD platform. Having no prior knowledge of Gitops or ArgoCD, the small team decided to give it a go. They’re early on in their migration but the team has learnt a ton. In this talk, team members will share their experience with ArgoCD and some of the decisions and tradeoffs they chose. Some topics they’ll cover are: choosing a gitops implementation, auto vs manual sync, keeping the helm config in the app repo, commit strategies for staging and production, backwards compatibility and more.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

GitOps with Flux and OCI Registries - Soulé Ba & Scott Rigby, Weaveworks

Flux is a CNCF tool that enables users to adopt the GitOps methodology for continuous deployment. Flux reconciles your workload from different sources: Git, Helm repository, an S3 bucket, and now Flux maintainers have added support for OCI registries. Not only can Helm charts be stored as OCI artifacts, but also your Kubernetes desired state in plain YAML and other popular formats like Kustomize and Terraform. We will demonstrate how to use OCI registries as a source to deploy workloads using flux: - Deploy charts and Kubernetes manifests from an OCI registry - Sign and verify the workloads - Automatically update configuration repository and observer automatic upgrades We will also present the Flux OCI as source architecture so users can better understand what's going on under the hood when they use OCI registries for their GitOps source.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Lightning Talk: Green(Ing) CI/CD: A Sustainability Journey with GitOps - Niki Manoledaki, Weaveworks

Our infrastructure needs are increasingly energy and carbon intensive. CI/CD is one area where we can take steps to measure and reduce our footprint. In this talk, we present our investigation into instrumenting CI/CD systems and GitOps tools to achieve this. We share the outcomes and lessons learned from these experiments so far. Our journey begins with traditional CI/CD where the two are tightly coupled. Transitioning to GitOps often starts with decoupling the two. This is an opportunity to measure the energy consumption of each step and think about environmental impact from the very beginning. Energy use can be measured before and after this decoupling, and we can show you how. On the next stop in our sustainability journey, we evaluate how GitOps tools and patterns can be used to reduce energy consumption and wasted resources. Expressing a system declaratively offers full visibility of the tools running in your clusters. Another promise of GitOps is that it can be used to turn IT off when not needed. GitOps can also support tools and policies to measure and optimize energy and carbon usage. Our journey ends with some reflections on methodology, outcomes, and next steps.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Lightning Talk: How to Keep a Secret in GitOps, Without Keeping It in Git - Nikita Kutselev & Daniel Hoang, Akuity Inc

One of the biggest challenges to adopting GitOps is determining what strategy to use for secrets management.
In this session we will comprehensively compare 6 different tools that you can use to manage secrets in GitOps without violating the GitOps principles:
Sealed Secrets
Argo CD Vault Plugin
SOPS
Vault Agent
Secrets Store CSI Driver
External Secrets Operator
Afterwards we will share our experience evaluating these solutions, and why we chose External Secrets as the standard for our cloud infrastructure.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Lightning Talk: Leveraging GitOps - How Red Hat Delivers Managed Layered Services on Kubernetes - Yashvardhan Kukreja & Ashish Anand Narayanan, Red Hat

Red Hat's Managed Services ecosystem is heavily backed by GitOps. All the way from defining the core bundles and manifests of those services, to validating them, to propagating them through the upstream Openshift Cluster Manager's Cluster Service, to delivering and deploying them across the entire fleet of all of the customer's Openshift Dedicated clusters, it's all governed and lifecycled by airtight GitOps tooling. By leveraging technologies like Jenkins, TektonCD, Terraform, handwritten GitLab bots and many more, Red Hat has carved this seemingly complicated yet beautiful at its core ecosystem of delivering its Managed Services in an extremely resilient, majorly self-serviceable and reconciliable pattern to its customers. In this talk, Yashvardhan and Ashish would like to share the architectural insights and learnings about this GitOps-powered ecosystem, how was it implemented and how do all these pieces fit together to deliver Red Hat's Managed Layered Services to the customers seamlessly.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Lightning Talk: Managing the ‘Git’ Half of ‘GitOps’: How to Structure Infrastructure Code Repositories - Jim Sheldon, Harness

With popular GitOps tools such as Argo CD and Flux CD, managing your Kubernetes configurations in Git repositories has never been easier. Unfortunately, often the structure of this code in Git repositories is an afterthought, which can lead to significant refactoring in the future.

This talk covers four approaches for structuring the code applied by GitOps tooling:
- Application and infrastructure code in one repository
- Separate infrastructure repository, multiple branches
- Separate infrastructure repository, directory-based
- Multiple infrastructure repositories, one per environment

With each approach, Jim will present the benefits and potential drawbacks.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Lightning Talk: The Successful Recipe to Secure Your Fleet of Clusters: GitOps + Policies + Service Mesh - Mathieu Benoit & Poonam Lamba, Google

With GitOps you could deploy any Kubernetes resources: Apps, configs, policies, infra, etc. Is it your case? How do you ensure security and compliance across your multiple clusters? Let's see in action how you could bring more security and governance across the fleet of your clusters thanks to both Service Mesh and Policies, in a GitOps way. The demos will illustrate a series of Gatekeeper policies violations and fixes in order to secure your Service Mesh setup, your clusters and your workloads. And because shifting left security guardrails is important, we’ll also illustrate how you could catch such policy violations in your Continuous Integration (CI) system, before actually applying these resources in your Kubernetes clusters.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Our Journey in Integrating GitOps Tools Into Delivery Pipelines - Brad McCoy, Basiq & Thomas Schuetz, Dynatrace

As we started our journey into GitOps we soon discovered that for delivery we also needed deployment validation as an addition to the existing GitOps toolsets to find out if our applications are really working as GitOps is mostly about deployment and not about the deployment validation process after that. We started to see that we needed to integrate more capabilities into our GitOps delivery processes, such as observability, and testing. One example was for canary deployments, we started to see that observability was very important to progress to the next step. When we deployed applications at 2 am we realized that if there was no real traffic coming through how could we validate that our canary analysis was correct, generally, this analysis will just ask the observability tool if there were any 500 errors in the canary. So we had to integrate load testing and integration testing into our process to ensure the app was ready. Therefore, we started to build integrations between ArgoCD/Flux in the Keptn Project and faced some challenges while doing this. This Talk will go over the challenges we faced and provide an outlook of what we think the future looks like.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Policy-Based GitOps: How Policies Can Help Secure and Automate GitOps Workflows - Jim Bugwadia, Nirmata & Avni Sharma, Intuit

GitOps is awesome for workflows such as managing sets of applications across fleets of clusters, and the provisioning of multi-tenant infrastructure for teams or end-users. However, there are often gaps in these workflows that require manual configuration or the creation of custom controllers. Additionally, these workflows remain hard to secure, and security best practices like “the least privilege principle” cannot be easily applied. In this session, Avni and Jim will show how Kubernetes-native policies can be used to secure and automate complex GitOps workflows. First, they will showcase use cases for using GitOps such as managing a consistent set of applications across multiple clusters and delivering multi-tenant “Namespaces-as-a-Service” and “Clusters-as-a-Service”, using ArgoCD. Then they will highlight the current gaps in automation and security. Next, they will demonstrate how Kyverno, a Kubernetes native policy engine, can be used with GitOps to address these critical gaps. Attendees will learn how to successfully use policies and GitOps together and also avoid common pitfalls when multiple controllers are in play.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Preview Environments with ArgoCD - Brandon Phillips, Codefresh

Deploying to static environments(QA/staging/prod) is a familiar process for existing ArgoCD users. However, several teams want to shift left and use preview environments. Preview environments are created dynamically when a pull request is opened and are destroyed when the pull request is merged/approved This talk will focus on implementing preview environments in a GitOps way using ArgoCD.

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Toward Full Adoption of GitOps and Best Practices at RingCentral - Ivan Anisimov, RingCentral & Tamao Nakahara, Weaveworks

This talk will cover RingCentral’s current journey and commitment to adopt GitOps and best practices in the AI department. Ivan will share their needs for managing infrastructure at scale, serving the internal developers, implementing progressive delivery such as canary deployments, and managing hybrid clouds. All of these choices benefit the team and RingCentral as a company: money savings, greater security, reliability, faster troubleshooting, and more. This session will cover how the team does this by using a range of tools such as Kubernetes, Flux, Kustomize, Terraform, Istio, Prometheus, and more, as well as some decisions they are making to ensure a Kubernetes-first architecture. The session will include considerations for how the tools are designed, how that helps to drive best practices, and pitfalls to avoid. By enabling both technical and business benefits, the GitOps journey at RingCentral is helping them to focus on innovation, increased velocity, and the company’s success.