Adding GitOps To CI/CD Pipelines

Many teams have already invested significant time and effort in building and fine-tuning their CI/CD pipelines and understandably do not want to deprecate all that work. Most CI/CD pipelines do more than just build a container, push it to a registry and update a deployment manifest on a Kubernetes cluster. The pipelines will include code quality checks, vulnerability scanning, automated testing and more. GitOps can never replace all that, nor is it supposed to.

GitOps is an enhancement to the Continuous Deployment (CD) step of the pipeline. GitOps is more than CD: it provides greater automation, eliminates the unpredictability of configuration drift and enhances security.

GitOps Enhances Continuous Deployment


The GitOps principles as defined by OpenGitOps:

  • Declarative - A system managed by GitOps must have its desired state expressed declaratively.
  • Versioned and Immutable - Desired state is stored in a way that enforces immutability, versioning and retains a complete version history.
  • Pulled Automatically - Software agents automatically pull the desired state declarations from the source.
  • Continuously Reconciled - Software agents continuously observe actual system state and attempt to apply the desired state.

Continuous Deployment is a fire-and-forget strategy. GitOps provides continuous reconciliation of the desired state against the observed state, eliminating configuration drift. For example, a CI/CD pipeline might build a new image, push it to a registry, then issue a kubectl command to update a deployment manifest to use the new image. All good so far, but the desired state is not recorded anywhere, and if somebody issues another kubectl command to change the image again, the configuration has drifted with no guaranteed way to get back to a known good configuration.

GitOps enhances continuous deployment with closed-loop feedback and full versioning, enabling quick and easy rollback to a previously known good configuration. With GitOps, the change to the manifest has to come from Git, providing a versioned history of changes. The continuous reconciliation of desired state against observed state means that any unauthorised changes are automatically reverted to the desired state stored in Git.
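The reconcile-and-rollback behaviour described above, as an added example that is not Devtron or ArgoCD code. It assumes a cluster modelled as a dict of workload name to image and a Git repository modelled as an append-only list of commits; `GitRepo`, `find_drift`, `reconcile` and the `registry.example` image names are hypothetical.

```python
import copy

class GitRepo:
    """Constructed stand-in for Git: an append-only list of desired-state commits."""
    def __init__(self):
        self.commits = []

    def commit(self, desired):
        self.commits.append(copy.deepcopy(desired))
        return len(self.commits) - 1  # the index stands in for a commit SHA

    def head(self):
        return copy.deepcopy(self.commits[-1])

    def revert_to(self, index):
        # Rollback is a new commit restoring an earlier state; history is never rewritten.
        return self.commit(self.commits[index])

def find_drift(desired, observed):
    """Map each drifted workload to (observed_image, desired_image)."""
    names = desired.keys() | observed.keys()
    return {n: (observed.get(n), desired.get(n))
            for n in names if desired.get(n) != observed.get(n)}

def reconcile(repo, cluster):
    """One agent pass: pull desired state from Git and correct the cluster in place."""
    drift = find_drift(repo.head(), cluster)
    for name, (_, want) in drift.items():
        if want is None:
            del cluster[name]      # assumption: workloads not declared in Git are pruned
        else:
            cluster[name] = want   # overwrite the out-of-band change
    return drift                   # what an agent would log or alert on

def demo():
    repo, cluster = GitRepo(), {}
    v1 = repo.commit({"web": "registry.example/web:1.0"})
    reconcile(repo, cluster)
    repo.commit({"web": "registry.example/web:1.1"})
    reconcile(repo, cluster)
    cluster["web"] = "registry.example/web:debug"  # simulated manual kubectl change
    reverted = reconcile(repo, cluster)            # drift detected and undone
    repo.revert_to(v1)                             # rollback goes through Git
    reconcile(repo, cluster)
    return reverted, cluster, len(repo.commits)

if __name__ == "__main__":
    print(demo())
```

The drift returned by each pass records which workload was changed outside Git and to what, which is the signal worth forwarding to audit logging.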

Example Implementation

Devtron CI/CD pipelines are built with ArgoCD

Consider an existing CI/CD pipeline that is triggered by a push to a branch in Git. The pipeline performs a number of quality checks, builds a container and pushes it to a registry. This can be used as a trigger for a Devtron GitOps pipeline. Different Devtron GitOps pipelines can be triggered using a regular expression filter on the image tag, from a pull request, or from new tags being created on the repository.

GitOps Pipeline

The Dev pipeline just deploys immediately; engineers are not so worried about stability and just want to work on the latest. The staging pipeline is more controlled and creates a pull request to merge in the new version of the manifest with the new image tag. The generated pull request is then reviewed and approved before being merged in. This provides additional checks and control over when the new image gets deployed. Production is similar to staging but with additional review and approval requirements. The timing of the release into Production is controlled by the merge of the pull request. Should an update to any environment turn out not to be ideal, rolling back to a previous commit is quick and easy because each change is versioned and immutable.

All changes to any environment are performed by GitOps, significantly reducing the number of engineers who require direct kubectl access to Kubernetes clusters, which simplifies user management and enhances security.

Devtron improves GitOps pipelines by leveraging all the benefits of ArgoCD along with an enhanced user experience and security, and it completes the Continuous Deployment workflow with automated SLO-based rollbacks. Additional benefits of Devtron include configuration drift that is easily visualized in the dashboard, approval workflows that are seamlessly integrated into the deployment pipelines, and configuration protection for your critical environments.

GitOps Completes CI/CD Pipelines

GitOps does not replace your existing CI/CD pipelines; it enhances them, providing greater automation, eliminating the unpredictability of configuration drift, and enhancing security by preventing unauthorized changes. Retain the investment in existing CI/CD pipelines and use GitOps to provide Continuous Deployment in a more controlled and repeatable manner. It’s time to switch to CI/GitOps with Devtron.