GitOps integration

Turbonomic integrates with Git-based software through Argo CD, a GitOps continuous delivery tool that manages ArgoCD Application resources using Custom Resources (CRs). With this integration, Turbonomic can identify the container platform cluster resources managed by Argo CD, and then execute resize actions against the Git-based version control software serving as Argo CD's 'source of truth'. Argo CD completes the action by synchronizing changes onto the running environment.

Turbonomic currently supports the following definitions:

Workload definition - path to version control software Version control software (Git source) Application packaging
ArgoCD Application CR in the cluster GitHub or GitLab None (straight YAMLs only). Operators and Helm are not supported.
ArgoCD ApplicationSet CR in the cluster

Configurations

It is assumed that Argo CD is installed and active in the cluster managed by Turbonomic. Although Turbonomic discvoers comprehensive information from the Argo CD applications that manage the resources, some details (such as Git credentials) must be configured in Kubeturbo running in the same cluster. The following sections describe these configurations.

Creating a developer access token in Git

  1. In Settings, select Developer Settings.

  2. Select Personal Access Tokens.

  3. Generate a new token and grant the following permissions:
    • delete:packages

    • gist

    • notifications

    • repo

    • write:discussion

    • write:packages

  4. Copy the token. You will need it in the next task.

Creating a secret to store the developer access token

Create a new secret in the namespace where Kubeturbo is deployed.

kind: Secret
apiVersion: v1
metadata:
  name: github
  namespace: turbo
data:
  token: {your_token_in_Base64}
type: Opaque
Note:

You will need to add a rule to your existing Kubeturbo service account role to grant permissions to get the secrets resource.

rules:
  # Existing rules
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get

Configuring Kubeturbo deployed through YAML

The following snippet shows the settings to configure in the Kubeturbo deployment. These settings will be used for all Argo CD apps deployed in the cluster.

--git-email string                           The email to be used to push changes to git.
--git-secret-name string                     The name of the secret which holds the git credentials.
--git-secret-namespace string                The namespace of the secret which holds the git credentials.
--git-username string                        The user name to be used to push changes to git.
--git-commit-mode                            The commit mode that should be used for git action executions. One of request|direct. Defaults to direct.

Specify these settings in the args section of the YAML file, as shown in the following example.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubeturbo-test
....
....      
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubeturbo-test
  template:
    metadata:
      annotations:
        kubeturbo.io/monitored: "false"
      labels:
        app: kubeturbo-test
    spec:
      containers:
      - args:
        - --turboconfig=/etc/kubeturbo/turbo.config
        - --v=2
        - --kubelet-https=true
        - --kubelet-port=10237
        - --git-email=youremail@gmail.com
        - --git-secret-name=your-github-secret-name
        - --git-secret-namespace=turbo
        - --git-username=yourusername
        - --git-commit-mode=direct
        image: turbonomic/kubeturbo:latest
        imagePullPolicy: Always
        name: kubeturbo-test
        resources: {}
...
...

Configuring Kubeturbo deployed through an operator

In the operator's CR spec, find the args section and configure the following settings. These settings will be used for all Argo CD apps deployed in the cluster.

apiVersion: charts.helm.k8s.io/v1
kind: Kubeturbo
metadata:
  name: kubeturbo-sample
spec:
  HANodeConfig:
    nodeRoles: '"master"'
  args:
    kubelethttps: true
    kubeletport: 10250
...
...
  # [ArgoCD integration] The email to be used to push changes to git.
   gitEmail: "youremail@gmail.com"
  # [ArgoCD integration] The username to be used to push changes to git.
   gitUsername: "yourusername"
  # [ArgoCD integration] The name of the secret which holds the git credentials.
   gitSecretName: "your-github-secret-name"
  # [ArgoCD integration] The namespace of the secret which holds the git credentials.
   gitSecretNamespace: "turbo"
  # [ArgoCD integration] The commit mode that should be used for git action executions. One of {request|direct}. Defaults to direct.
   gitCommitMode: "direct"

(Optional) Fine grained app specific configurations

It is possible for Argo CD apps to sync with different sources of truth (such as different GitHub repositories) within the same cluster. It is also possible that the credentials for these sources of truth are different. The app specific fine grained configuration uses a config Custom Resource to support different configuration information for different apps.

If you use plane YAML, first install the CRD that you can download here.

To deploy the CRD, run the following command:

kubectl apply -f https://raw.githubusercontent.com/turbonomic/turbo-gitops/main/config/crd/bases/gitops.turbonomic.io_gitops.yaml

When the type definition is available, use a configuration similar to the following example.

apiVersion: gitops.turbonomic.io/v1alpha1
kind: GitOps
metadata:
  name: gitops-sample
spec:
  config:
    - commitMode: direct
      credentials:
        email: test@turbonomic.comm
        secretName: gitops-secret
        secretNamespace: gitops
        username: turbo
      selector: '^turbo.*$'
      whitelist:
        - app-name-1
        - app-name-2

This resource is name spaced. You can specify one or several non-conflicting configurations for each namespace. If an app is selected as per the whitelist or the selector, the credentials and commitMode listed in the GitOps resource spec will be used instead of the global specs configured in Kubeturbo.

(Optional) Cluster local resource update

You may want Turbonomic to update the resources locally and directly in the cluster, rather then pushing the changes to the source of truth.

  • Security

    You may want to minimize access to the credentials and the source of truth.

  • Faster optimization

    If the update must be pushed to the source of truth, the turnaround time for the update is longer because of the number of systems involved and the possibility of failures and retries. Turbonomic must also push a commit or a pull request (approvals might be required) to the source of truth. Even if Argo CD runs in auto-sync mode, it must pull and sync the resource into the cluster.

    For faster optimization, you may want to update a resource locally in the cluster.

    Note:

    Argo CD has a default interval of 3 minutes to discover changes in the source of truth. Changes in Turbonomic can take 10 minutes or longer to apply.

  • Multi-cluster scenarios

    It is possible for multiple clusters to use a unified app definition and sync from a base definition. Optimizations from one cluster might not apply to another cluster. If the updates are applied to the source of truth, then the change applies to all the clusters.

  • Newer or unsupported tooling in the pipeline

    It is possible that Turbonomic does not have the capability to understand the pipeline or directly interact with the GitOps system.

To update the resources locally, configure the Argo CD app to skip the syncing of some fields from the child resources.

  • spec.ignoreDifferences prevents out-of-sync prompts when the cluster local value changes. For details, see the Argo CD documentation.

  • If the sync happened because of other field changes (as described in the Argo CD documentation), RespectIgnoreDifferences ignores the copying of original values into the cluster local resources.

Use both options in the Argo CD applications.