GitOps integration

The DataPower® GitOps integration helps to automate configuration management through version control. This integration supports industry-standard GitOps practices and authoring experiences.

On the DataPower Gateway, service development and configuration management are manual operations. An administrator or developer must log in to an interface to create objects or change existing objects. Before GitOps integration, DataPower provided no tools to automate configuration management across multiple systems by using version control. With GitOps integration, you can populate the DataPower configuration from a version control system such as Git and declaratively deploy the DataPower configuration and files to multiple systems.

Restriction: Although the volume for the RAID array appears as a subdirectory on the local: directory, it is not a subdirectory. Therefore, GitOps integration does not operate against files that you store in the RAID array.

GitOps converts persisted configuration in a domain to JSON and operates on the document by using JSONata transforms and queries. DataPower runs all Git operations and templating with the global gitops-read, gitops-remove-template, gitops-write, and gitops-write-template commands.

Attention: The following limitations apply.
  • You cannot use GitOps in the default domain.
  • You cannot use GitOps to add, configure, or update crypto material such as keys and certificates. Continue to use the existing DataPower capabilities. Never store crypto material in Git version control.
  • You cannot use Git rebase, merge, or similar operations that can require conflict resolution.
  • If a read or write operation overwrites or conflicts with changes on the target, the operation fails.

Git repository

The DataPower GitOps implementation is scoped to a domain. The implementation supports multiple domains and shared templates in the same Git repository. The layout in the Git repository is as follows.
/datapower
├── domain1
│   ├── config
│   └── local
├── domain2
│   ├── config
│   └── local
└── templates

The datapower directory must exist at the root of the Git repository. Within the datapower directory, an optional templates directory holds template configurations. Every other directory under datapower is treated as a DataPower domain.
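As an added example (not IBM's or DataPower's own code), the following Python script checks a repository against the layout rules above and against the restriction that crypto material must never be committed, so it can run as a Git pre-commit hook before a push reaches the gateway. The layout rules come from this page; the sample repository it constructs, the file-suffix list, and the PEM pattern are assumptions made for illustration.

```python
"""Pre-commit sanity check for a DataPower GitOps repository.

Added example, not IBM code. It enforces two rules stated on this page:
  1. layout: a top-level datapower/ directory, an optional templates/
     directory, and every other directory treated as a domain with
     config/ and local/ subdirectories;
  2. no crypto material: private keys and certificates must never be
     committed, because GitOps does not manage them.
A sample repository is constructed in a temporary directory so the check
runs offline; the detection rules below are assumptions, not DataPower's.
"""
from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path

# PEM armour for private keys (RSA, EC, ENCRYPTED, ...) and certificates.
PEM_RE = re.compile(rb"-----BEGIN (?:[A-Z ]*PRIVATE KEY|CERTIFICATE)-----")
# Suffixes commonly used for key/cert containers (assumed list, extend as needed).
CRYPTO_SUFFIXES = {".pem", ".key", ".p12", ".pfx", ".crt", ".cer", ".der", ".jks"}
REQUIRED_DOMAIN_DIRS = ("config", "local")


def check_layout(repo_root: Path) -> list[str]:
    """Return a list of layout problems; an empty list means the layout is valid."""
    problems: list[str] = []
    dp = repo_root / "datapower"
    if not dp.is_dir():
        return ["missing top-level datapower/ directory"]
    for entry in sorted(dp.iterdir()):
        if entry.name == "templates":          # optional, holds shared templates
            continue
        if not entry.is_dir():
            problems.append(f"unexpected file under datapower/: {entry.name}")
            continue
        # Any other directory is a domain; GitOps cannot be used in 'default'.
        if entry.name == "default":
            problems.append("domain default: GitOps cannot be used in the default domain")
        for sub in REQUIRED_DOMAIN_DIRS:
            if not (entry / sub).is_dir():
                problems.append(f"domain {entry.name}: missing {sub}/ directory")
    return problems


def find_crypto_material(repo_root: Path) -> list[str]:
    """Return 'path: reason' for every file that looks like key or certificate material."""
    hits: list[str] = []
    for path in sorted(repo_root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        rel = path.relative_to(repo_root).as_posix()
        if path.suffix.lower() in CRYPTO_SUFFIXES:
            hits.append(f"{rel}: crypto file suffix")
            continue
        # Suffix looks harmless; still inspect the content for PEM armour.
        with path.open("rb") as fh:
            if PEM_RE.search(fh.read(65536)):
                hits.append(f"{rel}: PEM key or certificate block")
    return hits


def build_sample_repo(root: Path) -> None:
    """Constructed sample: one valid domain, one incomplete domain, two leaks."""
    files = {
        "datapower/domain1/config/service.json": '{"name": "api-gateway"}\n',
        "datapower/domain1/local/app.js": "// handler script\n",
        # A certificate pasted into a text file: caught by content, not suffix.
        "datapower/domain1/local/notes.txt":
            "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
        # domain2 has config/ but no local/; the (fake) key file is caught by suffix.
        "datapower/domain2/config/leaked.pem":
            "-----BEGIN PRIVATE KEY-----\nTk9UIEEgUkVBTCBLRVk=\n-----END PRIVATE KEY-----\n",
        "datapower/templates/env.json": '{"environment": "production"}\n',
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def run_sample() -> dict[str, list[str]]:
    """Build the sample repository in a temp dir and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return {"layout": check_layout(root), "crypto": find_crypto_material(root)}


if __name__ == "__main__":
    # Usage: python gitops_check.py [repo_root]; without an argument the sample runs.
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
        result = {"layout": check_layout(root), "crypto": find_crypto_material(root)}
    else:
        result = run_sample()
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
    # Non-zero exit blocks the commit when the script is wired in as a pre-commit hook.
    sys.exit(1 if any(result.values()) else 0)
```

The content scan matters more than the suffix list: a key pasted into a stylesheet, a GatewayScript file, or a notes file under local/ would otherwise travel into the repository unnoticed, and gitops-write on another system would happily carry it along.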

DataPower file system

For any domain with GitOps configured, the following directories are created and used for GitOps processing.
temporary:///
  gitops/
    config/
      in/           # On gitops-read, location to put configuration. Watched by configuration sequence.
      out/          # On gitops-write, location to put templated configuration to be committed to Git.
      staging/      # Location to put the source from Git to resolve any templated fields.
    templates/
      in/           # Location to put templates from Git. Watched by configuration sequence.
      out/          # On gitops-write-template, location to put templates to be committed to Git.

GitOps read (gitops-read)

The GitOps read action pulls new configuration from Git based on the configured GitOps object. The source domain configuration in JSON and any configured templates are pulled from the Git repository at the commit identifier that is set on the GitOps object. The identifier can be a branch, a commit hash, or a tag. Because a branch is a moving reference, pin the identifier to a commit hash or an immutable tag when a read must be reproducible across systems. The templated values in the inbound JSON are then resolved, and the resulting executable configuration is placed in the location that a configuration sequence watches, which commits and persists it to the domain configuration.

GitOps remove template (gitops-remove-template)

The GitOps remove template action creates a commit that removes a single template and pushes it to the Git repository. After removal, the template can no longer be configured as a remote template by any other DataPower domain. Commits that DataPower creates use the Git user and email that are configured on the GitOps object.

To write a template to the Git repository, use the GitOps write template action (gitops-write-template).

This action is available only when GitOps is configured in read/write mode.

GitOps write (gitops-write)

The GitOps write action takes the persisted configuration from the domain, templates it with the template policies on the GitOps instance, and writes the result to the Git repository. Commits that DataPower creates use the Git user and email that are configured on the GitOps object.

This action is available only when GitOps is configured in read/write mode.

GitOps write template (gitops-write-template)

The GitOps write template action creates a commit that writes a single template and pushes it to the Git repository. After the write, the template can be configured as a remote template by any other DataPower domain. As with gitops-write, commits that DataPower creates use the Git user and email that are configured on the GitOps object.

To remove a template from the Git repository, use the GitOps remove template action (gitops-remove-template).

This action is available only when GitOps is configured in read/write mode.

Available white papers

The following white papers are available and contain additional information about the DataPower GitOps integration.