How to use GitOps for a smooth and secure delivery


by Fabio Lonegro

GitOps, a best practice of DevOps, helps development and operations teams work together. In this first article of a two-part series, Fabio Lonegro, Technical Director at Deltatre, tells us about the concept behind GitOps


DevOps helps developers and operations teams work together to develop and deploy applications more quickly. To understand GitOps, let’s first look at DevOps.

What is DevOps?

DevOps is a process for managing applications in real environments. It helps organizations deliver applications and new features quickly, deploy more frequently, and solve issues.

DevOps relies on continuous iterations and collaboration between development and operations teams. Automation is also used as much as possible in the DevOps approach.

What is GitOps?

GitOps, a best practice of DevOps, ties a specific operating process (Ops) to a tool (Git). Git is the version control system in which we keep every version of our system's definition. It is the Single Source of Truth (SSOT) for creating or updating the system architecture, and Git pull requests are where changes to the infrastructure are reviewed, verified and applied automatically.

GitOps describes the desired state of the system rather than the steps used to reach it, and it relies on code that continuously compares the desired state with the observed state. If the two diverge, the system reacts: for example, it may send an alert or carry out a reconciliation.

The CI/CD pipeline

The principal tool used in DevOps is the Continuous Integration/Continuous Delivery (CI/CD) pipeline, which automates the development, testing and deployment stages of creating an application.

While CI and CD automation look similar, they are distinct stages. In CI, code is integrated into the code base. CD happens after integration and covers several processes: testing, staging and deploying the code.

Challenges of the CI/CD workflow

There are some challenges in the CI/CD workflow to consider. These include:

  • Release responsibility: When working in a limited or restricted environment (e.g. a bank or a government body), who is allowed to release, and how that is evidenced, requires special attention.
  • Release promotion automation across environments: Bugs and errors can creep in when moving a release from one environment to the next. Therefore, environments need to be kept consistent.
  • Environment proliferation and scalability: Delivering to a single Kubernetes (K8s) cluster is usually straightforward. However, as the number of environments grows, things become more complicated, especially when you have different stages such as dev, staging and production. Scalability raises further challenges: for example, what if you want to deliver to IoT devices?
  • Single Source of Truth: A Single Source of Truth (SSOT) ensures that all teams work from the same correct, up-to-date information, so it is essential to define what the SSOT is. Is it the running system, the manager, or the documentation? Each of these can be problematic, so we find it most reliable to define the SSOT in code.

How GitOps can address CD challenges

GitOps introduces a consistent model to approve changes, keeping all team members in the loop. Additionally, all versions are stored in Git, making it easier to monitor, track and compare modifications.

With GitOps, we can introduce a reconciliation actor that runs inside the environment it has to monitor. The reconciliation actor inverts the traditional push-based CD approach and adopts a pull mechanism: instead of the pipeline pushing to the target environment, this component pulls the desired state from the Git repository and compares it with what is actually running. If the observed state drifts from what is tracked in Git, the actor can detect and correct it.

GitOps is highly scalable. Rather than parallelizing the CD pipelines (push parallelization), we scale the environments themselves (consumer scaling), each running its own reconciliation actor.

GitOps is also more secure. Because each environment pulls its own state, the CD system holds no credentials for the target environments, so a compromised pipeline does not hand an attacker access to every cluster.

Everything from applications to infrastructure can be deployed from the Git repository, and deployments are automated, saving time. Additionally, because every environment looks for its own specific state, each one pulls the correct configuration: release promotion comes for free, and it is no longer necessary to move artifacts between environments by hand.
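The paragraphs above describe a reconciliation actor that pulls desired state from Git, diffs it against the observed environment, and either corrects the drift or raises an alert. The following is an added example written for this article, not Deltatre's code or any real GitOps tool: the manifest and the "cluster" are constructed in-memory stand-ins, and the untracked-object handling (alert by default, prune only when asked) is a design choice of this example rather than something the article specifies.

```python
"""Minimal pull-based reconciliation actor (added example, not Deltatre's code).

Desired state is read from a checked-out manifest (here a constructed JSON
string standing in for the GitOps repository). Observed state is what the
environment reports (here a constructed dict standing in for a cluster API).
The actor diffs the two and either reconciles or alerts. All names are hypothetical.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed manifest, standing in for the content of the GitOps repository.
DESIRED_MANIFEST = json.dumps({
    "deployments": {
        "api":    {"image": "registry.example/api:1.4.2", "replicas": 3},
        "worker": {"image": "registry.example/worker:2.0.0", "replicas": 2},
    }
})

# Constructed observed state, standing in for what the cluster reports.
OBSERVED_STATE = {
    "deployments": {
        "api":    {"image": "registry.example/api:1.4.1", "replicas": 3},   # stale image
        "worker": {"image": "registry.example/worker:2.0.0", "replicas": 5}, # scaled by hand
        "debug":  {"image": "registry.example/shell:latest", "replicas": 1}, # not in Git at all
    }
}


@dataclass
class Drift:
    kind: str            # "missing" | "changed" | "untracked"
    name: str
    key: str = ""
    desired: object = None
    observed: object = None


def load_desired(manifest_text: str):
    """Parse the manifest and return (state, content digest).

    The digest lets the actor tell on the next poll whether the repository
    changed, without diffing the whole document again."""
    digest = hashlib.sha256(manifest_text.encode()).hexdigest()
    return json.loads(manifest_text), digest


def diff_state(desired: dict, observed: dict) -> list:
    """Compare desired vs observed deployments field by field."""
    drifts = []
    want = desired["deployments"]
    have = observed["deployments"]
    for name, spec in want.items():
        if name not in have:
            drifts.append(Drift("missing", name, desired=spec))
            continue
        for key, value in spec.items():
            if have[name].get(key) != value:
                drifts.append(Drift("changed", name, key, value, have[name].get(key)))
    for name in have:
        if name not in want:
            drifts.append(Drift("untracked", name, observed=have[name]))
    return drifts


def reconcile(desired: dict, observed: dict, prune: bool = False):
    """Return (new observed state, audit log) with the state brought in line with Git.

    Objects that exist in the environment but not in Git are only reported
    unless prune=True: deleting them is the one action that can destroy data,
    so it is kept opt-in. The input dict is never mutated."""
    new_state = {"deployments": {k: dict(v) for k, v in observed["deployments"].items()}}
    log = []
    for d in diff_state(desired, observed):
        if d.kind == "missing":
            new_state["deployments"][d.name] = dict(d.desired)
            log.append(f"create {d.name}")
        elif d.kind == "changed":
            new_state["deployments"][d.name][d.key] = d.desired
            log.append(f"set {d.name}.{d.key}: {d.observed!r} -> {d.desired!r}")
        elif d.kind == "untracked":
            if prune:
                del new_state["deployments"][d.name]
                log.append(f"prune {d.name}")
            else:
                log.append(f"ALERT untracked object {d.name} (not in Git)")
    return new_state, log


if __name__ == "__main__":
    desired, digest = load_desired(DESIRED_MANIFEST)
    print(f"manifest digest {digest[:12]}")
    state, log = reconcile(desired, OBSERVED_STATE)
    for line in log:
        print(line)
```

Run as-is, the actor corrects the stale `api` image and the hand-scaled `worker`, and alerts on the `debug` deployment instead of deleting it. Note what the actor holds: a read-only view of the repository and credentials for its own environment only, which is exactly why the CD system itself needs none.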

GitOps Challenges

As with any approach, there will be challenges that you need to address with a solid strategy. These include:

Secrets management: A secret is something that is kept or meant to be kept unknown or unseen by others. This definition can apply to credentials to access external resources such as:

  • database credentials
  • API keys
  • certificates
  • SSH keys

With everything versioned in Git, it is essential to consider, from the beginning, whether to also version secrets in Git. Whether or not you version secrets in Git will depend on the acceptable risks related to the project and organization. There are various approaches to secure secrets in Git, including encryption. We’ll take a closer look at these in part two.
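Whatever the decision on versioning secrets, the repository needs a guard that stops plaintext credentials from being committed by accident. The following is an added example, not Deltatre's code and not part of this article's part two: a pre-commit style check that walks a parsed manifest and flags values under secret-looking keys unless they are wrapped in an encrypted envelope. The `ENC[...]` envelope format, the key-name heuristics and the sample manifest are all assumptions of this example.

```python
"""Pre-commit check for plaintext secrets in a GitOps manifest (added example, not Deltatre's code).

Assumed convention: encrypted values are stored as "ENC[<base64 ciphertext>]",
standing in for whatever encryption tooling the project adopts. Any PEM private
key block is flagged regardless of the key name it sits under.
"""
import json
import re

# Key names that usually hold credentials (heuristic, case-insensitive).
SECRET_KEY_PATTERN = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)
# Assumed envelope format for encrypted values.
ENVELOPE_PATTERN = re.compile(r"^ENC\[[A-Za-z0-9+/=]+\]$")
# PEM private key material is a secret no matter what the surrounding key is called.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def _is_plaintext_secret(key, value) -> bool:
    if not isinstance(value, str) or not value:
        return False
    if PEM_PRIVATE_KEY.search(value):
        return True
    return bool(SECRET_KEY_PATTERN.search(str(key))) and not ENVELOPE_PATTERN.match(value)


def find_plaintext_secrets(doc, path: str = "") -> list:
    """Walk a parsed manifest and return dotted paths of unencrypted secret values."""
    findings = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            sub = f"{path}.{key}" if path else str(key)
            if isinstance(value, (dict, list)):
                findings.extend(find_plaintext_secrets(value, sub))
            elif _is_plaintext_secret(key, value):
                findings.append(sub)
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            findings.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return findings


def check_manifest(text: str):
    """Return (ok, findings) for a JSON manifest; ok is False when anything must not be committed."""
    findings = find_plaintext_secrets(json.loads(text))
    return len(findings) == 0, findings


# Constructed manifest: one properly enveloped secret, three values that must not be committed.
SAMPLE_MANIFEST = json.dumps({
    "db":     {"host": "db.internal", "password": "ENC[c29tZWNpcGhlcnRleHQ=]"},
    "api":    {"apiKey": "sk_live_constructed_example_value"},
    "ssh":    {"keys": [{"name": "deploy", "private_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"}]},
    "bundle": {"data": "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n"},
    "app":    {"LOG_LEVEL": "info"},
})


if __name__ == "__main__":
    ok, findings = check_manifest(SAMPLE_MANIFEST)
    if ok:
        print("no plaintext secrets found")
    else:
        print("refusing to commit; plaintext secrets at:")
        for p in findings:
            print("  " + p)
```

Wired into a pre-commit hook or a CI job on the GitOps repository, a non-zero result blocks the commit before the secret ever reaches Git history, where removing it would require rewriting history and rotating the credential anyway.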

Multiple CI workflows impacting the same GitOps repo: When many different workflows write into the same Git repository, their commits can conflict and leave the declared state of the system inconsistent.

Git repository proliferation: With every new app or environment, the number of Git repositories grows. Over time there may be too many to manage, so it is necessary to plan from the start how GitOps will scale.

GitOps for microservices

At Deltatre, we use the GitOps approach for many of our projects. Stay tuned to find out how we use GitOps to develop and deliver microservices securely and progressively in part two.
