Container Service for Kubernetes: Work with GitOps

Last Updated: Jan 30, 2024

Distributed Cloud Container Platform for Kubernetes (ACK One) allows you to use GitOps on a Fleet instance to manage applications deployed from Git repositories, including version management, multi-cluster distribution, and continuous deployment. GitOps supports applications orchestrated by using YAML manifests, Helm charts, and Kustomize. GitOps is compatible with open source ArgoCD and provides highly available control planes. This topic describes how to use GitOps on a Fleet instance to deploy a multi-cluster application.

Prerequisites

Billing

After you enable GitOps, ACK One automatically creates the following cloud resources.

  • A Server Load Balancer (SLB) instance, which is used to expose the endpoints of the ArgoCD API and ArgoCD UI.

  • A pay-as-you-go elastic container instance with 2 vCores and 4 GB of memory, which is used to run the ArgoCD service.

For more information, see Cloud resource billing for multi-cluster Fleets.

Supported regions

All regions that have the Fleet management feature of ACK One enabled. For more information, see Regions supported by multi-cluster Fleets and workflow clusters.

Step 1: Enable Internet access for the GitOps console on the Fleet instance

ACK One automatically enables GitOps when you create a Fleet instance. By default, you can access the GitOps console through a virtual private cloud (VPC). To do this, make sure that your office network is connected to the VPC.

To enable Internet access for the GitOps console in order to submit and view applications, perform the following steps.

Important

Security risks may arise after you enable Internet access for the GitOps console. Make sure that access control list (ACL) rules are configured before you perform this operation.

Use the console

  1. Log on to the ACK One console. In the left-side navigation pane, choose Fleet > GitOps.

  2. On the GitOps page, click the icon to the right of the Fleet instance name in the upper-left corner and then select a Fleet instance from the drop-down list.

  3. By default, GitOps is enabled for newly created Fleet instances. If GitOps is disabled for your Fleet instance, click Enable GitOps. In the dialog box that appears, click OK.

    If GitOps is enabled for your Fleet instance, the GitOps page displays GitOps Console and Access Control.

  4. On the GitOps page, click Access Control. In the dialog box that appears, enable access control, enter the IP addresses or CIDR blocks that you want to add to the whitelist, and then click OK.

  5. After Internet access is enabled, click GitOps Console to access the GitOps console over the Internet.

Use Alibaba Cloud CLI

  1. Make sure the latest version of Alibaba Cloud CLI is installed and run the following command to enable GitOps and Internet access.

    • Replace <your_clusterid> with the ID of your Fleet instance.

    • Replace the value of AccessControlList with the public IP address of the user agent. For more information about how to query the public IP address of the user agent, see Enable public access to Argo CD.

    aliyun adcp UpdateHubClusterFeature --ClusterId <your_clusterid> --PublicAccessEnabled true --AccessControlList "[\"10.100.XX.XX/24\"]" --ArgoCDEnabled true

  2. Optional: If you use the AccessKey pair of a RAM user, you must attach the AliyunAdcpFullAccess policy to the RAM user. For more information, see Grant permissions to a RAM user.
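
The following pre-flight check is an added example, not part of the original page or of Alibaba Cloud's tooling. It validates and normalizes the whitelist entries before they reach UpdateHubClusterFeature and builds the argument list from the flags shown in the command above; the minimum prefix lengths, the refusal of an empty list, and the sample cluster ID and addresses are assumptions of this example.

```python
import ipaddress
import json

# Assumption of this example: the broadest network still accepted per IP family.
MIN_PREFIX = {4: 24, 6: 64}


def build_acl(entries):
    """Validate IPs/CIDR blocks and return the JSON value for --AccessControlList."""
    normalized = []
    for raw in entries:
        try:
            # strict=False turns "203.0.113.7/24" into its network address
            # and a bare IP address into a /32 (or /128) block.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"not an IP address or CIDR block: {raw!r}") from exc
        if net.prefixlen < MIN_PREFIX[net.version]:
            # Also rejects 0.0.0.0/0 and ::/0, which would admit every source.
            raise ValueError(f"{net} is broader than /{MIN_PREFIX[net.version]}")
        if str(net) not in normalized:
            normalized.append(str(net))
    if not normalized:
        # Assumption: never enable Internet access without at least one entry.
        raise ValueError("refusing to build an empty access control list")
    return json.dumps(normalized)


def update_feature_argv(cluster_id, entries):
    """Build the CLI call as an argument list, so no shell escaping of the JSON is needed."""
    return [
        "aliyun", "adcp", "UpdateHubClusterFeature",
        "--ClusterId", cluster_id,
        "--PublicAccessEnabled", "true",
        "--AccessControlList", build_acl(entries),
        "--ArgoCDEnabled", "true",
    ]


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, made-up cluster ID).
    print(update_feature_argv("c-constructed-id", ["203.0.113.7/24", "198.51.100.10"]))
```

Pass the returned list to subprocess.run without shell=True so that the JSON value reaches the CLI unchanged.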

Step 2: Create an application and deploy the application

Use the console

  1. On the GitOps page, click GitOps Console to open the ArgoCD UI logon page and click LOG IN VIA ALIYUN. Then, log on to the ArgoCD UI with your Alibaba Cloud account.

  2. Connect to a Git repository.

    1. In the left-side navigation pane of the ArgoCD UI, click Settings and then choose Repositories > + Connect Repo.

    2. In the panel that appears, configure the following parameters and click CONNECT.

      Section                        Parameter                 Value
      Choose your connection method                            VIA HTTPS
      CONNECT REPO USING HTTPS       Type                      git
                                     Project                   default
                                     Repository URL            https://github.com/AliyunContainerService/gitops-dem
                                     Skip server verification  Select the check box.

      After the Git repository is connected, CONNECTION STATUS displays Successful.

  3. Create an application.

    1. In the left-side navigation pane of the ArgoCD UI, click Applications and then click + NEW APP.

    2. In the panel that appears, configure the following parameters and click CREATE.

      Section      Parameter                 Value
      GENERAL      Application Name          echo-server-demo
                   Project Name              default
                   SYNC POLICY               Select Automatic from the drop-down list.
                   SYNC OPTIONS              Select AUTO-CREATE NAMESPACE.
      SOURCE       Repository URL            Select a Git repository from the drop-down list. In this example, https://github.com/AliyunContainerService/gitops-demo.git is selected.
                   Revision                  HEAD
                   Path                      manifests/helm/echo-server
      DESTINATION  Cluster URL/Cluster Name  Select a cluster from the drop-down list.
                   Namespace                 echo-server-demo
      HELM         VALUES FILES              values.yaml

      Valid values of SYNC POLICY:

      • Manual: You need to manually synchronize changes from the Git repository to the cluster where the application is deployed.

      • Automatic: ArgoCD Server scans the Git repository every 3 minutes and synchronizes changes to the cluster where the application is deployed.

    3. After the application named echo-server-demo is created, you can view the status of the application on the Application page.

      If SYNC POLICY is set to Manual, you need to click SYNC to manually deploy the application in the specified cluster. After the status of the application changes to Healthy and Synced, the application is deployed.

    4. Click the name of the application to view the application details. The details page displays the topology and status of Kubernetes resources used by the application.

Use the ArgoCD CLI

  1. Log on to ArgoCD.

    1. Access ArgoCD v2.8.7. Download and install ArgoCD CLI v2.8.7.

    2. Run the following command on the Fleet instance to obtain the initial password of ArgoCD:

      kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
    3. Run the following command on the Fleet instance to log on to ArgoCD by using port-forward. The default username is admin.

      export ARGOCD_OPTS='--port-forward-namespace argocd --port-forward'
      
      argocd login
      Username: admin
      Password:

      Expected output:

      'admin:login' logged in successfully
      Context 'port-forward' updated
    4. Run the following command on the Fleet instance to change the password of the default user admin:

      argocd account update-password
      *** Enter password of currently logged in user (admin):
      *** Enter new password for user admin:
      *** Confirm new password for user admin:

      Expected output:

      Password updated
      Context 'port-forward' updated
  2. Connect to a Git repository.

    1. Run the following command to add a Git repository:

      argocd repo add https://github.com/AliyunContainerService/gitops-demo.git --name echo-server

      Expected output:

      Repository 'https://github.com/AliyunContainerService/gitops-demo.git' added
    2. Run the following command to query Git repositories:

      argocd repo list

      Expected output:

      TYPE  NAME  REPO                                                       INSECURE  OCI    LFS    CREDS  STATUS      MESSAGE  PROJECT
      git         https://github.com/AliyunContainerService/gitops-demo.git  false     false  false  false  Successful           default
    3. Run the following command to query clusters:

      argocd cluster list

      Expected output: The ArgoCD cluster list displays all clusters associated with the Fleet instance.

      SERVER                          NAME                                        VERSION  STATUS      MESSAGE                                                  PROJECT
      https://47.97.XX.XX:6443      c83f3cbc90a****-temp02   1.22+    Successful
      https://kubernetes.default.svc  in-cluster                                           Unknown     Cluster has no applications and is not being monitored.
  3. Create an application.

    1. Run the following command to create an application:

      argocd app create echo-server --repo https://github.com/AliyunContainerService/gitops-demo.git --path manifests/helm --dest-namespace echo-server-cli --dest-server https://47.97.XX.XX:6443

      Expected output:

      application 'echo-server' created
    2. Run the following command to deploy the application in the specified cluster:

      argocd app sync echo-server

      Expected output:

      TIMESTAMP                  GROUP        KIND   NAMESPACE                       NAME    STATUS    HEALTH        HOOK  MESSAGE
      2022-09-22T14:32:45+08:00            Service  echo-server-cli           echo-server  OutOfSync  Missing
      2022-09-22T14:32:45+08:00   apps  Deployment  echo-server-cli           echo-server  OutOfSync  Missing
      2022-09-22T14:32:45+08:00            Service  echo-server-cli           echo-server    Synced  Progressing
      2022-09-22T14:32:45+08:00            Service  echo-server-cli           echo-server    Synced   Progressing              service/echo-server created
      2022-09-22T14:32:45+08:00   apps  Deployment  echo-server-cli           echo-server  OutOfSync  Missing                  deployment.apps/echo-server created
      2022-09-22T14:32:45+08:00   apps  Deployment  echo-server-cli           echo-server    Synced  Progressing              deployment.apps/echo-server created
      
      Name:               echo-server
      Project:            default
      Server:             https://47.97.XX.XX:6443
      Namespace:          echo-server-cli
      URL:                https://127.0.0.1:52742/applications/echo-server
      Repo:               https://github.com/AliyunContainerService/gitops-demo.git
      Target:
      Path:               manifests/helm
      SyncWindow:         Sync Allowed
      Sync Policy:        <none>
      Sync Status:        Synced to  (e5c2618)
      Health Status:      Progressing
      
      Operation:          Sync
      Sync Revision:      e5c261880a4072cdbfa5173add2be426f7f3****
      Phase:              Succeeded
      Start:              2022-09-22 14:32:44 +0800 CST
      Finished:           2022-09-22 14:32:45 +0800 CST
      Duration:           1s
      Message:            successfully synced (all tasks run)
      
      GROUP  KIND        NAMESPACE        NAME         STATUS  HEALTH       HOOK  MESSAGE
             Service     echo-server-cli  echo-server  Synced  Progressing        service/echo-server created
      apps   Deployment  echo-server-cli  echo-server  Synced  Progressing        deployment.apps/echo-server created
    3. Run the following command to query applications:

      argocd app list

      Expected output:

      NAME             CLUSTER                     NAMESPACE        PROJECT  STATUS  HEALTH   SYNCPOLICY  CONDITIONS  REPO                                                     PATH              TARGET
      echo-server      https://47.97.XX.XX:6443  echo-server-cli  default  Synced  Healthy  <none>      <none>      https://github.com/AliyunContainerService/gitops-demo.git  manifests/helm
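
The following check is an added example, not from the original page. The console procedure selects Skip server verification, which Argo CD stores as insecure on the repository, whereas the repository added with the CLI is listed with INSECURE false; this script reads the output of argocd repo list -o json and reports repositories with weak transport settings or a failed connection. The sample JSON is constructed, and the example.com repositories are hypothetical.

```python
import json

# Constructed sample in the shape of `argocd repo list -o json`.
SAMPLE_JSON = """
[
  {"repo": "https://github.com/AliyunContainerService/gitops-demo.git",
   "type": "git", "project": "default",
   "connectionState": {"status": "Successful"}},
  {"repo": "https://git.example.com/team/app.git",
   "type": "git", "insecure": true,
   "connectionState": {"status": "Successful"}},
  {"repo": "http://git.example.com/legacy.git",
   "type": "git",
   "connectionState": {"status": "Failed"}}
]
"""


def audit_repos(repo_list_json):
    """Return (repo_url, finding) pairs for repositories that need attention."""
    findings = []
    # An empty repository list may be printed as null.
    for repo in json.loads(repo_list_json) or []:
        url = repo.get("repo", "")
        # "insecure" is omitted from the JSON when it is false.
        if repo.get("insecure"):
            findings.append((url, "TLS server verification is skipped"))
        if url.lower().startswith("http://"):
            findings.append((url, "repository is fetched over plaintext HTTP"))
        status = (repo.get("connectionState") or {}).get("status", "Unknown")
        if status != "Successful":
            findings.append((url, f"connection status is {status}"))
    return findings


if __name__ == "__main__":
    for url, finding in audit_repos(SAMPLE_JSON):
        print(f"{url}: {finding}")
```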

Step 3: Disable GitOps for the Fleet instance

When you no longer need to use GitOps, you can delete the application managed by GitOps and then disable GitOps.

Note

To delete a Fleet instance, you must first disable GitOps for the Fleet instance.

Use the console

  1. Log on to the ACK One console. In the left-side navigation pane, choose Fleet > GitOps.

  2. On the GitOps page, click the icon to the right of the Fleet instance name in the upper-left corner and select your Fleet instance from the drop-down list.

  3. In the upper-right corner of the GitOps page, click Disable. In the message that appears, click OK.

Use Alibaba Cloud CLI

Make sure that the latest version of Alibaba Cloud CLI is installed and run the following command to disable GitOps for the Fleet instance:

aliyun adcp UpdateHubClusterFeature --ClusterId <your_clusterid> --ArgoCDEnabled false