gitops-workflows
GitOps Workflows
Expert guidance for implementing production-grade GitOps workflows using ArgoCD and Flux CD, covering declarative deployment patterns, progressive delivery strategies, multi-environment management, and secure secret handling for Kubernetes infrastructure.
When to Use This Skill
- Implementing GitOps principles for Kubernetes deployments
- Automating continuous delivery from Git repositories
- Managing multi-cluster or multi-environment deployments
- Implementing progressive delivery (canary, blue-green) strategies
- Configuring automated sync policies and reconciliation
- Managing secrets securely in GitOps workflows
- Setting up environment promotion workflows
- Designing repository structures for GitOps (monorepo vs multi-repo)
- Implementing rollback strategies and disaster recovery
- Establishing compliance and audit trails through Git
Core Concepts
The Four Principles
- Declarative: Entire system state expressed in code
- Versioned: Canonical state stored in Git with full history
- Pulled Automatically: Agents pull desired state (no push to prod)
- Continuously Reconciled: Automatic drift detection and correction
Key Benefits
- Complete deployment history and audit trail
- Fast rollback via Git operations
- Enhanced security (no cluster credentials in CI)
- Self-healing infrastructure
- Multi-cluster consistency
- Familiar Git workflows for infrastructure changes
Quick Reference
| Task | Load reference |
|---|---|
| GitOps principles and benefits | |
| Repository structure patterns (monorepo, multi-repo, branches) | |
| ArgoCD setup, Applications, ApplicationSets | |
| Flux bootstrap, sources, Kustomizations, HelmReleases | |
| Environment promotion strategies | |
| Secret management (Sealed Secrets, ESO, SOPS) | |
| Progressive delivery (canary, blue-green) | |
| Rollback strategies and disaster recovery | |
| Best practices and patterns | |
Workflow Steps
1. Choose Repository Structure
Decision factors:
- Team size and organization structure
- Application coupling and dependencies
- Access control requirements
- Deployment frequency and independence
Options:
- Monorepo: Single repo, unified platform teams, shared infrastructure
- Multi-repo: Separate repos per app/team, independent release cycles
- Environment branches: Git flow style, simple mental model
2. Select GitOps Tool
ArgoCD:
- UI-focused with visual application management
- App of Apps pattern for hierarchical deployments
- ApplicationSets for multi-cluster deployments
- Strong RBAC and project isolation
Flux:
- CLI-first, GitOps Toolkit architecture
- Native Kustomize and Helm support
- Automated image updates
- Lighter weight, cloud-native
3. Configure Secret Management
Never commit unencrypted secrets to Git
Options:
- Sealed Secrets: Client-side encryption, simple workflow
- External Secrets Operator: Sync from external secret stores (AWS, Vault, GCP)
- SOPS: File-based encryption with age or cloud KMS
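Added example (not from the original page or from the External Secrets project) of the third option in practice: the plain Secret that must never be committed, beside the ExternalSecret and ClusterSecretStore that are committed in its place. Names, the AWS region and the Secrets Manager key are placeholders.

```yaml
# Added example (not from the original page); names, region and store key are placeholders.
# NOT for Git: a plain Secret. base64 is encoding, not encryption, and the value
# stays in the repository history even after the file is deleted.
apiVersion: v1
kind: Secret
metadata: {name: payments-db, namespace: payments-prod}
type: Opaque
data:
  password: cGxhY2Vob2xkZXI=      # base64("placeholder"), readable by anyone with repo access
---
# For Git instead: a reference to the value in an external store. The operator
# running in the cluster fetches the value; the repository never holds it.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata: {name: aws-secrets-manager}
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:                        # IRSA: no long-lived AWS keys stored in the cluster
          serviceAccountRef: {name: external-secrets, namespace: external-secrets}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: {name: payments-db, namespace: payments-prod}
spec:
  refreshInterval: 1h               # re-read the store so rotations propagate
  secretStoreRef: {kind: ClusterSecretStore, name: aws-secrets-manager}
  target:
    name: payments-db               # the Kubernetes Secret that ESO creates
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: prod/payments/db       # placeholder key in Secrets Manager
        property: password
```

Git history holds only the reference, so rotating the value in Secrets Manager needs no commit; the next refresh picks it up.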
4. Implement Sync Policies
Non-production environments:
- Automated sync with `prune` and `selfHeal`
- Frequent reconciliation (1-5 minutes)
- Fail fast with immediate feedback
Production environments:
- Manual approval or gated automation
- Health checks and wait conditions
- Progressive delivery for high-risk changes
- Sync windows for maintenance periods
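The two policies side by side, as an added example that is not code from the original page or from the ArgoCD project: a staging Application with automated `prune` and `selfHeal`, and a production Application with no automated sync whose AppProject restricts syncs to a maintenance window. Names, repository URL and paths are placeholders.

```yaml
# Added example (not from the original page); names, repo URL and paths are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata: {name: payments-staging, namespace: argocd}
spec:
  project: payments
  source:
    repoURL: https://git.example.com/platform/gitops.git
    targetRevision: main                      # staging tracks the branch head
    path: apps/payments/overlays/staging
  destination:
    server: https://kubernetes.default.svc
    namespace: payments-staging
  syncPolicy:
    automated:
      prune: true        # delete cluster resources that were removed from Git
      selfHeal: true     # revert manual edits in the cluster (drift correction)
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata: {name: payments, namespace: argocd}
spec:
  sourceRepos:
    - https://git.example.com/platform/gitops.git
  destinations:
    - server: https://kubernetes.default.svc
      namespace: "payments-*"
  syncWindows:           # once an allow window exists, payments-prod can sync only inside it
    - kind: allow
      schedule: "0 9 * * 1-4"                 # cron: 09:00 Monday to Thursday
      duration: 8h
      applications:
        - payments-prod
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata: {name: payments-prod, namespace: argocd}
spec:
  project: payments
  source:
    repoURL: https://git.example.com/platform/gitops.git
    targetRevision: v1.4.2                    # pinned tag; promotion and rollback change this line
    path: apps/payments/overlays/production
  destination:
    server: https://kubernetes.default.svc
    namespace: payments-prod
  # no syncPolicy.automated: an operator triggers the sync after review
```

Drift in production is still detected and reported as OutOfSync; it is simply not corrected without a human decision, which is the gate the list above calls for.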
5. Set Up Environment Promotion
Promotion strategies:
- Git-based: Tag or branch promotion with Git operations
- Kustomize overlays: Update image tags in environment-specific overlays
- Automated updates: Flux ImageUpdateAutomation for semver policies
6. Configure Progressive Delivery
For high-risk changes:
- ArgoCD Rollouts: Canary deployments with automated analysis
- Flagger: Progressive delivery with metric-based promotion
- Traffic shifting with Istio or other service mesh
- Automated rollback on failed analysis
7. Establish Rollback Procedures
Git rollback:
- `git revert` for specific commits
- Tag-based rollback by updating `targetRevision`
- Fast and declarative
Tool-specific:
- ArgoCD: `argocd app rollback` with revision history
- Flux: Suspend automation, manual rollback, resume
Common Mistakes
- Committing unencrypted secrets - Always use secret management solution
- No automated sync in non-prod - Slows development feedback
- Automated sync in production without gates - High risk of breaking changes
- Ignoring drift detection - Manual changes should be reconciled or alerted
- No health checks - Sync succeeds but app is unhealthy
- Missing dependency ordering - Apps deploy before infrastructure ready
- No rollback testing - Discover issues during actual incidents
- Inconsistent environments - Staging differs too much from production
- No promotion testing - Manual errors during environment promotion
- Weak RBAC - Too many permissions for GitOps service accounts
Resources
- OpenGitOps: https://opengitops.dev/
- ArgoCD Documentation: https://argo-cd.readthedocs.io/
- Flux Documentation: https://fluxcd.io/docs/
- ArgoCD Rollouts: https://argoproj.github.io/argo-rollouts/
- Flagger: https://docs.flagger.app/
- External Secrets Operator: https://external-secrets.io/
- Sealed Secrets: https://github.com/bitnami-labs/sealed-secrets
- SOPS: https://github.com/mozilla/sops