Getting developers working in harmony is no easy task. Tools like GitHub make it much easier to manage code, but as infrastructure and deployment become more complex, issues arise with the systems projects are built on.
GitOps helps solve these problems. It’s a collection of practices that uses Git for more than just code. You can use it to help synchronize your project on every level, making sure vital information is recorded and changes are tracked.
In this article, you’ll learn more about GitOps and see some use cases where it can make a big difference. Then, you’ll learn about how to use GitOps with Cerbos, a service that helps you manage cloud-native applications.
GitOps can help you formalize and improve your continuous integration practices. It acts as a source of truth that your team can use and modify. It effectively offers you the advantages Git brings to your codebase but applies them to your tooling.
With GitOps, you use configuration files along with file formats like YAML to build a declarative description of your infrastructure. It means you’re setting out exactly how to build your project’s environment before you even start coding.
That makes it easy for people to get up to speed with the project quickly, and gets them back on track if things go wrong. Since changes are logged, you can see who’s done what, which creates transparency and accountability and lets you solve problems more easily.
It also means fewer headaches, fewer unexplained crashes, and fewer things that work—somehow—even though no one’s sure how. Now you can all see that your intern is using v2.3 of a dependency that everyone else has at v2.4.
Using Git to store declarative data means you can spot variations or changes in your configuration files and make informed decisions on whether to keep them or not. You can also identify precisely where things have gone wrong, roll back changes that cause an issue, and track who introduced what.
Let’s run through some example scenarios where those things could benefit you. There are plenty more, and as you read through these, think about how the issues discussed could apply to your projects.
Continuous deployment lets you immediately deploy the builds triggered by continuous integration, which automates builds using the code in your Git repository. It makes your teams more efficient, allowing you to make smaller, faster builds that can be initiated by anyone on the team.
With GitOps, you can implement continuous deployment from any environment without having to switch tools. It’s self-documenting, as changes are all recorded in the repo.
The transparency inherent in the practice prevents siloing and creates a comprehensive log of your project as it evolves. This makes it much easier than it otherwise would be to hunt for and identify problems, along with what caused them.
Tests are triggered with each deployment, and again, you have more opportunity to locate issues.
Developers are familiar with Git. They know it, and they know how to use and interact with it. Having your configuration data there means it’s easy to view at any time. You don’t have to worry about changes being lost, the canonical version of a file being disputed, or keeping track of who did what.
Your project files can become out of date, but if so, everyone can tell, as they can compare their version to what’s on the repo. That makes it much easier to make sure everyone is using a properly configured environment that reflects the most recent updates.
GitOps originated as a way to improve cluster management and is still closely associated with Kubernetes. While it has since grown beyond that, it’s still an excellent way to mitigate some of the problems of the complexity of Kubernetes.
Whether you’re provisioning clusters, altering configurations, or managing a deployment, GitOps lets you track the details as they change, compare different versions of them, and spot when they diverge across different setups.
GitOps is ideal for differentiating your services. Instead of just being a single source of truth, GitOps allows you to have multiple flavors of it. If your users have different plans to choose from, you can use GitOps to manage different configurations to support your various offerings.
Changing a configuration file that affects the services delivered by the same codebase is easy to do when you have control of those files.
With GitOps, you use Git to store declarative files, as well as configuration data for practices like CI/CD. This can mean build data, pathways to data that needs to be included, and anything else, such as application code or documentation.
Cerbos uses GitOps natively and handles user authorization and access control. It makes getting started with GitOps easy, and this tutorial will walk you through a few simple steps to help you learn the basics. For further information, take a look at Cerbos’ documentation.
There are several ways to acquire Cerbos. You can install it from one of the binaries available for Linux and Mac. There’s also a Helm option if you prefer that.
Alternatively, you could install it with Homebrew:
brew tap cerbos/tap
brew install cerbos
Or you can install via Docker:
docker run --rm --name cerbos -p 3592:3592 ghcr.io/cerbos/cerbos:0.17.0
The API can be called via JSON requests, as the following example from the documentation illustrates. This is a call to /api/check
:
{
"requestId": "test01",
"action": "approve",
"resource": {
"policyVersion": "dev",
"kind": "leave_request",
"attr": {
"owner": "alicia"
}
},
"principal": {
"id": "alicia",
"policyVersion": "dev",
"roles": ["user"],
"attr": {
"geography": "GB"
}
},
"includeMeta": true,
"auxData": {
"jwt": {
"token": "xxx.yyy.zzz",
"keySetId": "ks-1"
}
}
}
You can call the admin API with a call such as GET /admin/auditlog/list/KIND_ACCESS
or GET /admin/auditlog/list/KIND_DECISION
.
For example, to view the last three decision log entries, you could call curl -k -u cerbos:cerbosAdmin \ 'https://localhost:3592/admin/auditlog/list/KIND_DECISION?tail=3'
from the command line.
You can also use GitHub Actions with Cerbos.
The following action, taken from the Cerbos GitHub repo, downloads and installs the latest version:
steps:
- name: Setup Cerbos
uses: cerbos/cerbos-setup-action@v1
with:
version: latest
name: 'Cerbos Setup Action'
description: 'Setups Cerbos by downloading and adding to the path'
author: 'Cerbos'
Inputs:
Version:
description: 'Cerbos tooling version to download'
required: true
default: 'latest'
Runs:
using: 'node12'
main: 'dist/index.js'
Once Cerbos is downloaded and ready, you can compile it and validate and test your policies using the compile action. The following code shows how to do that:
- uses: actions/checkout@v2
- name: Setup Cerbos
uses: cerbos/cerbos-setup-action@v1
- name: Compile with Cerbos
uses: cerbos/cerbos-compile-action@v1
with:
policyDir: policies
testDir: tests # Omit to skip tests
Which calls the following YAML:
name: 'Cerbos Compile Action'
description: 'Compile and test Cerbos policies'
author: 'Cerbos'
Inputs:
policyDir:
description: 'Policy directory'
required: true
default: '/policies'
testDir:
description: 'Test directory'
Runs:
using: 'node12'
main: 'dist/index.js'
There are several test applications in the Cerbos documentation. Running these and modifying them will give you an idea of how you can go further and develop your own projects with Cerbos.
The Photo application is a great place to start. It shows you how to install from Docker, create your own configuration files, and set up multiple user roles with different permissions.
If you have an authentication setup in place, check out the tutorials for JWT, Auth0, and Magic.
With GitOps, you can improve your build and deployment pipelines and make sure your CI/CD infrastructure is as accessible and transparent as your code. It opens it up to the whole team, allowing everyone to contribute.
As you’ve learned today, it isn’t hard to get started. There are services available that you can install from Docker in minutes and easily tailor to your specific situation.
Cerbos makes it easy to implement permissions and authorization. It fully supports GitOps, with both a built-in testing framework and integration for continuous integration and deployment. Try it today, and learn how you can simplify your workflows.
Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team