1602ec992d
* spelling: across Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: anyway Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: assessment Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: attribute Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: crlf Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: cmux Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: committed Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: convenience Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: does-not Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: e.g. Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: fall back Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: fall back to Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: then ... falls back Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: formatted Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: github Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: gitlab Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: gitops Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: health checks Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: located Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: logging Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: oidc Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: openshift Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: os Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: powershell Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: preferred Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: redact Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: repo Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: similarly Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: staging Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: statefulset Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: stopped Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: superseded Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: synchronization Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: to Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: unified Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: verification Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: zookeeper Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
3.2 KiB
Best Practices
Separating Config Vs. Source Code Repositories
Using a separate Git repository to hold your kubernetes manifests, keeping the config separate from your application source code, is highly recommended for the following reasons:
-
It provides a clean separation of application code vs. application config. There will be times when you wish to modify just the manifests without triggering an entire CI build. For example, you likely do not want to trigger a build if you simply wish to bump the number of replicas in a Deployment spec.
-
Cleaner audit log. For auditing purposes, a repo which only holds configuration will have a much cleaner Git history of what changes were made, without the noise coming from check-ins due to normal development activity.
-
Your application may be comprised of services built from multiple Git repositories, but is deployed as a single unit. Oftentimes, microservices applications are comprised of services with different versioning schemes, and release cycles (e.g. ELK, Kafka + ZooKeeper). It may not make sense to store the manifests in one of the source code repositories of a single component.
-
Separation of access. The developers who are developing the application, may not necessarily be the same people who can/should push to production environments, either intentionally or unintentionally. By having separate repos, commit access can be given to the source code repo, and not the application config repo.
-
If you are automating your CI pipeline, pushing manifest changes to the same Git repository can trigger an infinite loop of build jobs and Git commit triggers. Having a separate repo to push config changes to, prevents this from happening.
Leaving Room For Imperativeness
It may be desired to leave room for some imperativeness/automation, and not have everything defined
in your Git manifests. For example, if you want the number of your deployment's replicas to be
managed by Horizontal Pod Autoscaler,
then you would not want to track replicas in Git.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
# do not include replicas in the manifests if you want replicas to be controlled by HPA
# replicas: 1
template:
spec:
containers:
- image: nginx:1.7.9
name: nginx
ports:
- containerPort: 80
...
Ensuring Manifests At Git Revisions Are Truly Immutable
When using templating tools like helm or kustomize, it is possible for manifests to change
their meaning from one day to the next. This is typically caused by changes made to an upstream helm
repository or kustomize base.
For example, consider the following kustomization.yaml
bases:
- github.com/argoproj/argo-cd//manifests/cluster-install
The above kustomization has a remote base to the HEAD revision of the argo-cd repo. Since this is not a stable target, the manifests for this kustomize application can suddenly change meaning, even without any changes to your own Git repository.
A better version would be to use a Git tag or commit SHA. For example:
bases:
- github.com/argoproj/argo-cd//manifests/cluster-install?ref=v0.11.1