GitOps Architecture

📂 architecture ⏱ 2 min 216 words

GitOps Principles

GitOps treats Git as the single source of truth for infrastructure and application configuration: the desired state is declared in the repository, and an agent continuously reconciles the cluster to it, which is what makes the delivery pipeline continuous.

┌─────────────────────────────────────────────┐
│               GitOps workflow               │
├─────────────┬─────────────┬─────────────────┤
│  Developer  │  Git repo   │  Cluster        │
├─────────────┼─────────────┼─────────────────┤
│  Commits    │  Config     │  Auto-sync      │
│  PR review  │  History    │  Self-heal      │
└─────────────┴─────────────┴─────────────────┘
                    │
                    ▼
            ┌───────────────┐
            │ GitOps engine │
            │ (ArgoCD etc.) │
            └───────────────┘

ArgoCD Configuration

# ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/org/k8s-manifests.git
    targetRevision: HEAD
    path: apps/myapp/overlays/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true

ArgoCD Automatic Sync

# ArgoCD project configuration: restricts which repos, destinations and resource kinds Applications in this project may use
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: production
  namespace: argocd
spec:
  description: Production applications
  sourceRepos:
  - 'https://github.com/org/k8s-manifests.git'
  destinations:
  - namespace: production
    server: https://kubernetes.default.svc
  clusterResourceWhitelist:
  - group: ''
    kind: Namespace
  namespaceResourceWhitelist:
  - group: 'apps'
    kind: Deployment
  - group: ''
    kind: Service

FluxCD Configuration

# FluxCD Kustomization
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: myapp
  namespace: flux-system
spec:
  interval: 5m
  path: ./apps/myapp
  prune: true
  sourceRef:
    kind: GitRepository
    name: app-repo
  healthChecks:
  - apiVersion: apps/v1
    kind: Deployment
    name: myapp
    namespace: production
  timeout: 3m

Multi-Environment Deployment

# Directory layout
apps/
  myapp/
    base/
      deployment.yaml
      service.yaml
    overlays/
      dev/
        kustomization.yaml
      staging/
        kustomization.yaml
      prod/
        kustomization.yaml

# overlays/prod/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patchesStrategicMerge:
- replicas-patch.yaml
- resource-patch.yaml
namespace: production

Secrets Management

# Encrypted secret for the Git repo (Sealed Secrets format; SOPS is the alternative
# listed under best practices). Only ciphertext is committed; the in-cluster
# controller decrypts it into a regular Secret.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: app-secrets
  namespace: production
spec:
  encryptedData:
    DB_PASSWORD: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq...
    API_KEY: AgC0nRzB08HgKt1X1Ys0X4K2f8s3N5m7...
  template:
    metadata:
      name: app-secrets
    type: Opaque
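As an added example (not part of the original page), a CI-side policy check covering the ArgoCD and secrets sections above: it flags Applications bound to the built-in `default` project (the Application manifest above does this, so the whitelists on the `production` AppProject never apply to it), verifies an Application's repo and destination against the AppProject it references, and rejects plain Secrets committed in base64. The manifests are embedded as already-parsed Python dicts mirroring the page's YAML; the function and sample names are hypothetical.

```python
from copy import deepcopy

def check_manifests(docs):
    """Return a list of policy findings; an empty list means the set is clean."""
    findings = []
    projects = {d["metadata"]["name"]: d["spec"] for d in docs if d.get("kind") == "AppProject"}
    for d in docs:
        kind, name = d.get("kind"), d.get("metadata", {}).get("name", "?")
        if kind == "Secret" and (d.get("data") or d.get("stringData")):
            # base64 is encoding, not encryption: the values live on in Git history
            findings.append(f"Secret/{name}: plaintext values committed; use SealedSecret or SOPS")
        if kind != "Application":
            continue
        spec, proj = d["spec"], d["spec"].get("project", "default")
        if proj == "default":
            # the built-in project allows any repo, cluster, namespace and kind, so the
            # whitelists defined on other AppProjects never constrain this Application
            findings.append(f"Application/{name}: uses the unrestricted 'default' project")
        elif proj not in projects:
            findings.append(f"Application/{name}: references unknown project {proj!r}")
        else:
            pspec, dest = projects[proj], spec["destination"]
            if spec["source"]["repoURL"] not in pspec.get("sourceRepos", []):
                findings.append(f"Application/{name}: repo not in {proj}.sourceRepos")
            # a destination entry matches when server and namespace both match (or are '*')
            if not any(x.get("server") in ("*", dest["server"]) and
                       x.get("namespace") in ("*", dest["namespace"])
                       for x in pspec.get("destinations", [])):
                findings.append(f"Application/{name}: destination not allowed by project {proj}")
    return findings

# Constructed sample documents mirroring the page's manifests (hypothetical names)
REPO = "https://github.com/org/k8s-manifests.git"
APPLICATION = {"kind": "Application", "metadata": {"name": "myapp"}, "spec": {
    "project": "default", "source": {"repoURL": REPO, "path": "apps/myapp/overlays/prod"},
    "destination": {"server": "https://kubernetes.default.svc", "namespace": "production"},
    "syncPolicy": {"automated": {"prune": True, "selfHeal": True}}}}
PROJECT = {"kind": "AppProject", "metadata": {"name": "production"}, "spec": {
    "sourceRepos": [REPO],
    "destinations": [{"namespace": "production", "server": "https://kubernetes.default.svc"}]}}
PLAIN_SECRET = {"kind": "Secret", "metadata": {"name": "app-secrets"},
                "data": {"DB_PASSWORD": "cGFzc3dvcmQ="}}  # constructed: base64("password")

def fixed_application():
    """The page's Application bound to the restricted 'production' AppProject instead."""
    app = deepcopy(APPLICATION)
    app["spec"]["project"] = "production"
    return app
```

Running `check_manifests([APPLICATION, PROJECT, PLAIN_SECRET])` reports the `default` project and the plaintext Secret, while `check_manifests([fixed_application(), PROJECT])` returns an empty list.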

GitOps Best Practices

Practice                 Description
Single repository        All configuration managed in one place
Branch strategy          The main branch deploys automatically
PR review                All changes go through pull requests
Secret encryption        SOPS or Sealed Secrets
Monitoring and alerting  Notify promptly when a sync fails
Rollback mechanism       Fast rollback via git revert