A complete continuous integration and continuous delivery (CI/CD) pipeline can trigger builds based on code commits, push the image to Container Registry, and then trigger Distributed Cloud Container Platform for Kubernetes (ACK One) GitOps to deploy the updated application to multiple clusters. This topic describes the terms used in ACK One GitOps and the procedure of a CI/CD pipeline.
Terms
GitOps overview
The key of GitOps for application deployment is using the Git repository as the single source to manage the deployment templates of applications and continuously deploy new applications to the specified Kubernetes clusters until the application deployment in the Kubernetes clusters is consistent with the state of your Git repository.
Benefits of GitOps
Ease of learning: Git is easy to learn and integrate.
High reliability: Git repositories support version control, fast rollbacks, and auditing.
High security: No permissions on Kubernetes clusters are required for developers to use GitOps. This ensures cluster security. To use GitOps, only permissions on Git repositories are required.
Continuous deployment: Applications in Kubernetes clusters are automatically updated based on the source Git repositories. This implements continuous deployment for applications in Kubernetes clusters.
ACK One GitOps overview
ACK One Fleet implements GitOps-based continuous delivery with hosted open source Argo CD. ACK One Fleet also supports multi-cluster deployment to improve the availability of applications delivered through GitOps and allow you to deploy system components to multiple clusters.
Argo CD is an open source Cloud Native Computing Foundation (CNCF) project and a continuous delivery tool that adopts the declarative configuration method of GitOps. Argo CD is integrated with Git repositories and Helm repositories and provides a full-featured UI. Argo CD is implemented as a Kubernetes controller that continuously monitors applications and synchronizes applications with their source Git repositories. For more information about Argo CD, see What is Argo CD?
Benefits of ACK One GitOps
ACK One GitOps hosts Argo CD, providing native CLI and UI experiences.
ACK One GitOps provides a separate Argo CD console that is integrated with Alibaba Cloud single sign-on (SSO) and supports permission control among users.
ACK One GitOps supports application distribution across clusters. Argo CD is automatically enabled for the clusters that are associated with the Fleet instances of ACK One. The associated clusters use GitOps for application distribution.
ACK One GitOps supports Argo CD ApplicationSet to improve the user experience of application distribution across clusters.
ACK One GitOps is O&M-free and provides out-of-the-box features.
ACK One GitOps allows you to use the GitOps capabilities provided by the Argo project that graduated at the CNCF without additional configuration, including the open source Argo CD console and CLI that you can directly access by using your Alibaba Cloud account, multi-user permission management, and multi-cluster application deployment. These capabilities can help you quickly build pipelines for multi-cluster application deployment.
Procedure
This best practice describes how to use ACK One GitOps and Container Registry to create CI/CD pipelines in Dev, Staging, and Production clusters. These pipelines can automatically synchronize image changes to applications and deploy the updated image in the preceding clusters by using the recommended deployment method after you commit code changes to your Git repository.
Dev cluster: automatically synchronizes image changes and deploys the latest image.
Staging and Production clusters: deploy the latest image based on Rollouts after you manually synchronize image changes.
Prepare a business code repository and a deployment repository.
Enable and log on to ACK One GitOps. The O&M team first needs to configure a CI pipeline and filter rules, and associate the pipeline with a Container Registry Enterprise Edition instance.
The developer team commits code changes to the business code repository to trigger the Container Registry Enterprise Edition instance to build an image. After the image is built, the Container Registry Enterprise Edition instance pushes the image to the image repository.
When ACK One GitOps detects image changes in the image repository, it proposes the latest image version tag back to the deployment repository.
When ACK One GitOps detects image version tag changes in the deployment repository, it triggers the application to deploy the latest image to the Dev cluster.
If the Staging cluster is configured with auto application synchronization, ACK One GitOps automatically updates the image version.
The image updater can detect image updates that match the specified filter rules in the image repository.
Argo CD can monitor YAML changes in the deployment repository.
After the continuous delivery is complete, the developer team can check whether the application in the Dev cluster meets their requirements.
If the application meets the requirements, the O&M team triggers ACK One GitOps to deploy the application to the Staging and Production clusters. The O&M team also uses Argo Rollout or Kruise Rollout to perform canary releases. For more information, see Use ACK One GitOps and Argo Rollouts to perform canary releases and Use Kruise Rollout to implement canary releases based on ACK One GitOps.
ImportantAdditional steps are required for performing rolling updates in the Staging and Production clusters across regions. You cannot directly deploy the updated image in the Staging and Production clusters by committing code changes.
Step 1: View the directory tree of the deployment repository
You can reference the directory tree of the deployment repository in this best practice. For more information, see Introduction to sample applications deployed based on ACK One GitOps.
Step 2: Enable and log on to ACK One GitOps
You can use the ACK One console or CLI to enable and log on to ACK One GitOps.
Use the console
Log on to the ACK One console. In the left-side navigation pane, choose .
On the Multi-cluster GitOps page, click
to the right of the Fleet instance name in the upper-left corner and then select a Fleet instance from the drop-down list. By default, GitOps is enabled for newly created Fleet instances. If GitOps is disabled for your Fleet instance, click Enable GitOps. In the dialog box that appears, click OK.
If GitOps is enabled for your Fleet instance, the GitOps page displays GitOps Console and Access Control.
On the GitOps page, click GitOps Console.
If you want to access GitOps over the Internet, enable public access to GitOps first. For more information, see Enable public access to GitOps.
Use the CLI
For more information about how to use the CLI to enable and log on to ACK One GitOps, see the Step 1: Enable public access to the GitOps console section of the "Work with GitOps" topic and Log on to the GitOps system.
Step 3: Build an image CI pipeline
You can use the following methods to build an image CI pipeline. You can also use a third-party CI system to build the pipeline.
Method 1: Build a CI pipeline based on Container Registry
Create an image repository based on Container Registry Enterprise Edition, bind the image repository to the business code repository, and configure build rules. For more information, see Use a Container Registry Enterprise Edition instance to build an image. You can turn on Pull from Anonymous Users on the overview page of the Container Registry Enterprise Edition instance or use aliyun-acr-credential-helper to pull images without using Secrets. For more information, see Use the aliyun-acr-credential-helper component to pull images without using a secret.
If your business code repository is a Git repository and image pulling times out, enable the Build With Servers Deployed Outside Chinese Mainland feature.
Method 2: Build a CI pipeline based on an ACK One workflow cluster
For more information about how to build a CI pipeline based on an ACK One workflow cluster, see Use an ACK One workflow cluster to build an image CI pipeline.
Step 4: Use ACK One GitOps to deploy an application
After ACK One GitOps is enabled, you can use the ACK One GitOps (Argo CD) console or Argo CD CLI to deploy and manage applications. You can use ApplicationSets to deploy multi-cluster applications based on GitOps. For more information, see Use ACK One GitOps to deploy applications.
Step 5: Use the ACK One GitOps image updater to build a CI/CD pipeline
ACK One GitOps fixes the continuous delivery issue. However, the developer team requires an end-to-end automated solution that covers code commits, image building, and automated deployment to improve development efficiency.
To fix this issue, ACK One GitOps integrates the Argo CD image updater and supports Container Registry image repositories. When the CI pipeline is triggered by code commits to build and push images to a Container Registry Enterprise Edition image repository, the image updater can monitor image changes and automatically update the corresponding image version tag in the deployment repository.
After the image version tag is updated, the Argo CD Application detects the change and initiates a Sync operation to deploy the latest image. Based on the image updater, ACK One GitOps can work with CI pipelines to automate continuous integration and continuous delivery.
For more information, see Use ACK One GitOps and Container Registry to build CI/CD pipelines.
Argo CD can monitor changes in the deployment repository. Therefore, if you want to directly update the YAML image in the deployment repository to trigger continuous delivery, you do not need to use the image updater to monitor changes in the image repository.
Step 6: Perform canary releases
Additional steps are required for performing rolling updates in the Staging and Production clusters across regions. You cannot directly deploy the updated image in the Staging and Production clusters by committing code changes. For more information, see Use ACK One GitOps and Argo Rollouts to perform canary releases and Use Kruise Rollout to implement canary releases based on ACK One GitOps.
Step 7: Roll back an application
You may want to roll back an application when a release fails. You can use one of the following methods to roll back an application.
Quick rollback
On the Applications page of the Argo CD console, click HISTORY AND ROLLBACK, select a version, and then click ROLLBACK. For more information, see the Step 4: Roll back to an application version section of the "Use ACK One GitOps to deploy applications" topic.
Use the Argo CD CLI to roll back the application. For more information, see the Use the Argo CD CLI section of the "Application management" topic.
End-to-end rollback
Run the following command to roll back to a historical commit and trigger the CI/CD pipeline:
# Roll back to a historical commit.
git revert HEAD
# git revert HEAD~3.. HEAD~3 indicates the fourth last commit from the current one.
# git revert <commit-id-1> <commit-id-2> ... <commit-id-n> indicates the number of commits from which changes can be reverted. The commits are not consecutive.
# After the revert operation is complete, push the local branch to the remote repository to trigger the CI/CD pipeline.
git push origin HEAD:${branch}The image updater synchronizes the reverted changes to the deployment repository and updates the changes to the application.
Step 8: Manage user permissions in ACK One GitOps
Argo CD provides a powerful user permission management feature. This feature allows you to manage the permissions of a user on a resource by using the following permission policy template. The supported resources include applications, clusters, and repositories. You can also specify the project to which the resources belong. You can limit users from performing actions such as create, update, delete, and get.
p, <user/group>, <resource>, <action>, <project>/<object>For more information, see Configure multi-tenant permissions for ACK One GitOps.