gitops-workflow

GitOps Workflow

Complete guide to implementing GitOps workflows with ArgoCD and Flux for automated Kubernetes deployments.

Purpose

Implement declarative, Git-based continuous delivery for Kubernetes using ArgoCD or Flux CD, following OpenGitOps principles.

When to Use This Skill

  • Set up GitOps for Kubernetes clusters
  • Automate application deployments from Git
  • Implement progressive delivery strategies
  • Manage multi-cluster deployments
  • Configure automated sync policies
  • Set up secret management in GitOps

OpenGitOps Principles

  1. Declarative - Entire system described declaratively
  2. Versioned and Immutable - Desired state stored in Git
  3. Pulled Automatically - Software agents pull desired state
  4. Continuously Reconciled - Agents reconcile actual vs desired state

ArgoCD Setup

1. Installation

```bash
# Create namespace
kubectl create namespace argocd

# Install ArgoCD (upstream install manifest from the ArgoCD project)
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

# Get admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
```

**Reference:** See `references/argocd-setup.md` for detailed setup

2. Repository Structure

2. 仓库结构

```
gitops-repo/
├── apps/
│   ├── production/
│   │   ├── app1/
│   │   │   ├── kustomization.yaml
│   │   │   └── deployment.yaml
│   │   └── app2/
│   └── staging/
├── infrastructure/
│   ├── ingress-nginx/
│   ├── cert-manager/
│   └── monitoring/
└── argocd/
    ├── applications/
    └── projects/
```

3. Create Application

3. 创建应用

```yaml
# argocd/applications/my-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/org/gitops-repo
    targetRevision: main
    path: apps/production/my-app
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
```

4. App of Apps Pattern

4. 应用的应用模式

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: applications
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/org/gitops-repo
    targetRevision: main
    path: argocd/applications
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated: {}
```

Flux CD Setup

Flux CD搭建

1. Installation

1. 安装

```bash
# Install Flux CLI
curl -s https://fluxcd.io/install.sh | sudo bash

# Bootstrap Flux
flux bootstrap github \
  --owner=org \
  --repository=gitops-repo \
  --branch=main \
  --path=clusters/production \
  --personal
```

2. Create GitRepository

2. 创建GitRepository

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: my-app
  namespace: flux-system
spec:
  interval: 1m
  url: https://github.com/org/my-app
  ref:
    branch: main
```

3. Create Kustomization

3. 创建Kustomization

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: my-app
  namespace: flux-system
spec:
  interval: 5m
  path: ./deploy
  prune: true
  sourceRef:
    kind: GitRepository
    name: my-app
```

Sync Policies

同步策略

Auto-Sync Configuration

自动同步配置

ArgoCD:

```yaml
syncPolicy:
  automated:
    prune: true # Delete resources not in Git
    selfHeal: true # Reconcile manual changes
    allowEmpty: false
  retry:
    limit: 5
    backoff:
      duration: 5s
      factor: 2
      maxDuration: 3m
```

Flux:

```yaml
spec:
  interval: 1m
  prune: true
  wait: true
  timeout: 5m
```

**Reference:** See `references/sync-policies.md`
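The flags above decide what one reconciliation pass is allowed to do to the cluster, and `allowEmpty: false` is the guard that matters most when `prune` is on. The following is an added example (not ArgoCD's or Flux's own code) that models the pass as a function over desired and live state so the effect of each flag can be seen on sample input; the resource shapes, the action verbs, and the exponential form of the retry backoff (`duration * factor^n`, capped at `maxDuration`) are assumptions of this model, not the agents' exact implementation.

```python
"""Simplified model of the reconciliation loop behind the sync flags above
(prune, selfHeal, allowEmpty) and of the retry backoff schedule. Added
example; not ArgoCD's or Flux's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str
    name: str
    body: str  # stand-in for the rendered manifest; any string will do

    @property
    def key(self):
        return (self.kind, self.name)


def index(resources):
    """Map (kind, name) -> Resource so desired and live state can be compared."""
    return {r.key: r for r in resources}


def reconcile(desired, live, *, prune, self_heal, allow_empty=False):
    """Return the actions one reconciliation pass would take.

    desired: resources rendered from Git; live: resources found in the cluster.
    Each action is a (verb, (kind, name)) tuple; the verbs mirror what the
    flags control rather than any exact agent implementation (assumed model)."""
    want = index(desired)
    have = index(live)
    if not want and not allow_empty:
        # allowEmpty: false guards the cluster when Git renders to nothing
        # (e.g. a mistyped path): with prune on, an empty desired state would
        # otherwise delete every managed resource.
        return [("refuse-empty-sync", None)]
    actions = []
    for key, wanted in want.items():
        current = have.get(key)
        if current is None:
            actions.append(("create", key))
        elif current != wanted:
            # selfHeal: true reverts manual edits in the cluster back to Git;
            # without it the drift is only reported.
            actions.append(("update" if self_heal else "report-out-of-sync", key))
    for key in have:
        if key not in want:
            # prune: true deletes resources present in the cluster but absent from Git.
            actions.append(("delete" if prune else "report-orphan", key))
    return actions


def retry_schedule(limit, duration_s, factor, max_duration_s):
    """Delays between failed sync attempts under syncPolicy.retry: the base
    duration grows by `factor` after each failure and is capped at maxDuration.
    Assumed model of the backoff, expressed in seconds."""
    return [min(duration_s * factor ** n, max_duration_s) for n in range(limit)]


# Constructed sample state: Git says Deployment web is on v2 and there is a
# Service; the cluster still runs v1 and carries a hand-made debug ConfigMap.
DESIRED = [
    Resource("Deployment", "web", "image: web:v2"),
    Resource("Service", "web", "port: 80"),
]
LIVE = [
    Resource("Deployment", "web", "image: web:v1"),
    Resource("ConfigMap", "debug", "verbose: 'true'"),
]


if __name__ == "__main__":
    for verb, key in reconcile(DESIRED, LIVE, prune=True, self_heal=True):
        print(verb, key)
    print("empty Git, prune on:", reconcile([], LIVE, prune=True, self_heal=True))
    print("retry delays (s):", retry_schedule(5, 5, 2, 180))
```

With `prune: true` and `selfHeal: true` the sample produces an update of the drifted Deployment, a create of the missing Service, and a delete of the unmanaged ConfigMap; with both flags off the same differences are only reported. An empty desired state is refused unless `allowEmpty` is set, which is the case to test before enabling prune in production. The `limit: 5` / `5s` / `factor: 2` / `3m` settings from the page give delays of 5, 10, 20, 40 and 80 seconds, so a persistently failing sync stops retrying after a few minutes and should surface through the sync-failure notifications recommended later on this page.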

Progressive Delivery

渐进式交付

Canary Deployment with ArgoCD Rollouts

使用ArgoCD Rollouts实现金丝雀部署

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: my-app
spec:
  replicas: 5
  strategy:
    canary:
      steps:
        - setWeight: 20
        - pause: { duration: 1m }
        - setWeight: 50
        - pause: { duration: 2m }
        - setWeight: 100
```

Blue-Green Deployment

蓝绿部署

```yaml
strategy:
  blueGreen:
    activeService: my-app
    previewService: my-app-preview
    autoPromotionEnabled: false
```

Secret Management

密钥管理

External Secrets Operator

外部密钥操作器(External Secrets Operator)

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: db-credentials
  data:
    - secretKey: password
      remoteRef:
        key: prod/db/password
```

Sealed Secrets

加密密钥(Sealed Secrets)

```bash
# Encrypt secret
kubeseal --format yaml < secret.yaml > sealed-secret.yaml

# Commit sealed-secret.yaml to Git
```

Best Practices

最佳实践

  1. Use separate repos or branches for different environments
  2. Implement RBAC for Git repositories
  3. Enable notifications for sync failures
  4. Use health checks for custom resources
  5. Implement approval gates for production
  6. Keep secrets out of Git (use External Secrets)
  7. Use App of Apps pattern for organization
  8. Tag releases for easy rollback
  9. Monitor sync status with alerts
  10. Test changes in staging first
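Two of the practices above, keeping secrets out of Git (the Secret Management section: External Secrets or Sealed Secrets instead of plain `Secret` manifests) and implementing RBAC around what a repository may deploy, can be checked before a change is merged. The following is an added example, not the page's or any project's code: a small audit that walks a checked-out GitOps repo and flags plain Kubernetes Secrets carrying `data`/`stringData`, and ArgoCD Applications that target a production namespace under the built-in `default` AppProject (which permits any source repository and any destination). The `prod` namespace prefix, the sample manifests and the finding texts are constructed assumptions; reading real files needs PyYAML, while the sample run below works without it.

```python
"""Pre-merge audit of GitOps manifests for two practices listed above:
no plaintext Secrets in Git, and production Applications bound to a
restrictive AppProject rather than the built-in `default` project.
Added example; the sample manifests are constructed, not from any project."""
import pathlib

try:
    import yaml  # PyYAML, optional: only needed by audit_repo() to read files
except ImportError:
    yaml = None

PRODUCTION_NAMESPACE_PREFIXES = ("prod",)  # assumed naming convention


def audit_document(doc, source="<inline>"):
    """Return finding strings for one parsed manifest; an empty list means clean.
    SealedSecret / ExternalSecret / SecretStore documents store no plaintext
    payload, so they fall through without a finding."""
    findings = []
    if not isinstance(doc, dict):
        return findings
    kind = doc.get("kind", "")
    name = (doc.get("metadata") or {}).get("name", "<unnamed>")
    spec = doc.get("spec") or {}

    # Finding 1: a plain Secret with data/stringData is a committed credential.
    # base64 in `data` is encoding, not encryption, and Git history keeps it.
    if kind == "Secret" and (doc.get("data") or doc.get("stringData")):
        findings.append(f"{source}: Secret/{name} commits credential material to Git")

    # Finding 2: ArgoCD's built-in `default` AppProject allows any source repo
    # and any destination, so it gives no guard rail for production targets.
    if kind == "Application":
        project = spec.get("project", "default")
        dest_ns = (spec.get("destination") or {}).get("namespace", "")
        if project == "default" and dest_ns.startswith(PRODUCTION_NAMESPACE_PREFIXES):
            findings.append(
                f"{source}: Application/{name} deploys to {dest_ns} under the unrestricted default project"
            )
    return findings


def audit_documents(docs, source="<inline>"):
    """Audit an iterable of parsed manifests (e.g. one multi-document file)."""
    findings = []
    for doc in docs:
        findings.extend(audit_document(doc, source))
    return findings


def audit_repo(root):
    """Walk a checked-out GitOps repo and audit every YAML file (needs PyYAML)."""
    if yaml is None:
        raise RuntimeError("install PyYAML to audit files on disk")
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*.y*ml")):
        with path.open() as fh:
            findings.extend(audit_documents(yaml.safe_load_all(fh), str(path)))
    return findings


# Constructed samples: one leaked Secret, two safe indirections, and two
# Applications (one on the default project, one on a dedicated AppProject).
SAMPLE_DOCS = [
    {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db-credentials"},
     "type": "Opaque", "data": {"password": "cGxhY2Vob2xkZXI="}},  # base64("placeholder")
    {"apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
     "metadata": {"name": "db-credentials"},
     "spec": {"encryptedData": {"password": "AgB<sealed-ciphertext-placeholder>"}}},
    {"apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
     "metadata": {"name": "db-credentials"},
     "spec": {"secretStoreRef": {"name": "aws-secrets-manager", "kind": "SecretStore"},
              "target": {"name": "db-credentials"},
              "data": [{"secretKey": "password", "remoteRef": {"key": "prod/db/password"}}]}},
    {"apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
     "metadata": {"name": "my-app", "namespace": "argocd"},
     "spec": {"project": "default",
              "destination": {"server": "https://kubernetes.default.svc", "namespace": "production"}}},
    {"apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
     "metadata": {"name": "billing", "namespace": "argocd"},
     "spec": {"project": "production-apps",
              "destination": {"server": "https://kubernetes.default.svc", "namespace": "production"}}},
]


if __name__ == "__main__":
    for finding in audit_documents(SAMPLE_DOCS, "samples"):
        print(finding)
```

Run as a CI job on the pull request (`audit_repo(".")` with a non-empty result failing the build), this enforces practice 6 and part of practice 2 before the agent ever pulls the change; the SealedSecret and ExternalSecret samples pass because their committed content is ciphertext or a reference, not the credential itself.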

Troubleshooting

故障排查

Sync failures:

```bash
argocd app get my-app
argocd app sync my-app --prune
```

Out of sync status:

```bash
argocd app diff my-app
argocd app sync my-app --force
```

Related Skills

相关技能

  • k8s-manifest-generator
    - For creating manifests
  • helm-chart-scaffolding
    - For packaging applications