WEBVTT 1 00:00:00.160 --> 00:00:03.240 Welcome to the deep dive. We're your shortcut to getting 2 00:00:03.359 --> 00:00:07.799 genuinely well informed fast without drowning you in details. 3 00:00:07.879 --> 00:00:11.839 Yeah, we focus on those core insights, those aha moments exactly. 4 00:00:12.279 --> 00:00:15.439 And today we are taking a really fascinating deep dive 5 00:00:15.480 --> 00:00:18.800 into the world of Argo CD and git ops. We're 6 00:00:18.879 --> 00:00:21.800 using Argo CD up and running a hands on guide 7 00:00:21.800 --> 00:00:24.239 to get ups and Kubernetes by Andrew Block and Christian 8 00:00:24.239 --> 00:00:28.199 Hernandez as our guide. It's a pretty comprehensive. 9 00:00:27.679 --> 00:00:31.039 Definitely, and our mission today really is to unpack what 10 00:00:31.199 --> 00:00:34.600 gid ops actually is, how Argo CD brings it to life, 11 00:00:35.320 --> 00:00:39.200 and why it's becoming such a standard for cloud native apps. 12 00:00:39.439 --> 00:00:41.960 Right. So, whether you're prepping for that big meeting or 13 00:00:42.039 --> 00:00:45.399 just trying to stay current, or maybe you're just you know, curious. 14 00:00:45.039 --> 00:00:47.399 We'll give you the essential nuggets you walk away understanding 15 00:00:47.399 --> 00:00:48.200 this whole paradigm. 16 00:00:48.240 --> 00:00:51.679 Okay, let's start unpacking getups. We hear this term everywhere, 17 00:00:52.079 --> 00:00:53.840 so at its very core, what is it? 18 00:00:54.240 --> 00:00:57.200 Well, the book defines it pretty simply. It's basically a 19 00:00:57.240 --> 00:01:01.200 method for managing your infrastructure, your applications. Yeah, by describing 20 00:01:01.240 --> 00:01:04.599 the state you want them to be in declaratively in 21 00:01:04.760 --> 00:01:08.079 get and using git as that single source of truth. 22 00:01:08.799 --> 00:01:11.159 That sounds simple, but I guess the revolutionary part is 23 00:01:11.200 --> 00:01:13.920 the shift right from telling systems how to do things 24 00:01:13.959 --> 00:01:17.359 exactly imperative commands to just defining what you want in 25 00:01:17.400 --> 00:01:20.920 a way that's like auditible and trappable because it's. 26 00:01:20.719 --> 00:01:24.879 In geit precisely. Yeah, that's the real aha moment there. 27 00:01:25.200 --> 00:01:27.359 And you know the origin story is pretty interesting too. 28 00:01:27.519 --> 00:01:29.200 Oh yeah, tell me about that. 29 00:01:29.359 --> 00:01:32.040 It goes back to twenty seventeen with leave Works. They 30 00:01:32.079 --> 00:01:36.400 apparently had this incident where someone fat finger to config. 31 00:01:36.280 --> 00:01:38.400 Change oops we've all been there, took. 32 00:01:38.280 --> 00:01:41.120 Down their whole platform. Yeah, but the way they recovered 33 00:01:41.439 --> 00:01:44.079 by rolling back using git it sort of revealed this 34 00:01:44.159 --> 00:01:45.400 new better way of working. 35 00:01:45.519 --> 00:01:48.560 Ah. So necessity is the mother of invention. 36 00:01:48.560 --> 00:01:51.920 Kind of Yeah. And their CEO, Alexis Richardson, he's the 37 00:01:51.920 --> 00:01:54.719 one who coined the term git ops. It came out 38 00:01:54.719 --> 00:01:55.719 of a real mess basically. 39 00:01:55.760 --> 00:01:57.640 Okay, that makes sense, and it's important to note right 40 00:01:57.719 --> 00:01:59.879 this isn't some completely separate thing from. 41 00:02:00.840 --> 00:02:03.000 No, not at all. The book is really clear on this. 42 00:02:03.079 --> 00:02:05.719 It says get ops is DevOps. Get ops is the 43 00:02:05.840 --> 00:02:07.319 natural progression of DevOps. 44 00:02:07.359 --> 00:02:09.759 So it's like formalizing the good stuff people were already 45 00:02:09.800 --> 00:02:13.639 trying to do version control automation exactly. 46 00:02:13.719 --> 00:02:16.599 It takes those DevOps best practices and puts them into 47 00:02:16.680 --> 00:02:21.159 a really solid, audible automated workflow, like putting guardrails on things. 48 00:02:21.240 --> 00:02:25.400 Gotcha. So if it's a progression, what specifically defines it? 49 00:02:25.520 --> 00:02:26.400 Are their rules? 50 00:02:26.639 --> 00:02:29.439 Yeah? There are the open getops principles, which came out 51 00:02:29.439 --> 00:02:32.759 in twenty twenty one, lay out four key tenets. First, 52 00:02:32.960 --> 00:02:34.400 it has to be declarative. 53 00:02:34.479 --> 00:02:38.039 Declarative, meaning you describe the what, not the how, like 54 00:02:38.080 --> 00:02:39.439 a Kubernetes manifest. 55 00:02:39.560 --> 00:02:43.879 Precisely your entire system, state, apps, infra networks, whatever is 56 00:02:43.919 --> 00:02:47.000 described declaratively, you say what the end state should look like. Okay. 57 00:02:47.039 --> 00:02:48.919 Principle one declarative what's suck. 58 00:02:49.080 --> 00:02:53.000 Second, versioned and immutable. The desired state lives entirely in. 59 00:02:53.000 --> 00:02:55.759 Geit ah the source of truth part exactly. 60 00:02:55.800 --> 00:02:59.000 And because it's GIT, you get a complete, unchangeable history 61 00:02:59.000 --> 00:03:02.479 of every single change, auditing rollbacks, it's all built in. 62 00:03:02.599 --> 00:03:03.759 That's huge. Okay. 63 00:03:03.800 --> 00:03:06.800 Third, Third, and this is a really key difference from 64 00:03:06.800 --> 00:03:10.560 a lot of traditional CICD. Changes are pulled. 65 00:03:10.639 --> 00:03:13.400 Automatically, hold, not push right. 66 00:03:13.599 --> 00:03:16.520 Instead of a CI server pushing updates, you have get 67 00:03:16.639 --> 00:03:21.080 ups agents or controllers inside your environment, actively pulling the 68 00:03:21.120 --> 00:03:24.400 definitions from Git. They run this reconciliation loop. 69 00:03:24.199 --> 00:03:27.439 A reconciliation loop like a little robot constantly checking. 70 00:03:27.520 --> 00:03:31.479 Yeah, constantly checking does the live system match the blueprint 71 00:03:31.520 --> 00:03:34.479 in Git. It makes it more secure, more robust than 72 00:03:34.560 --> 00:03:36.000 just reacting to webbooks. 73 00:03:36.280 --> 00:03:38.719 Interesting, okay, And the fourth principle follows from that. 74 00:03:38.840 --> 00:03:42.280 It does it's continuously reconciled. Those agents are always observing 75 00:03:42.280 --> 00:03:45.000 the live state and working to make it match the 76 00:03:45.080 --> 00:03:48.319 desired state from GIT. It's like Kubernetes controllers, but for 77 00:03:48.439 --> 00:03:52.479 your whole application stack, always self healing, always striving for 78 00:03:52.520 --> 00:03:53.240 that get state. 79 00:03:53.439 --> 00:03:55.719 Okay. That makes get ups much clearer. So where does 80 00:03:55.840 --> 00:03:57.919 argo CD fit in this landscape? 81 00:03:58.240 --> 00:04:00.599 Rgo CD is a really prominent tool in this space. 82 00:04:00.719 --> 00:04:03.000 It's part of the wider Argo project and those built 83 00:04:03.039 --> 00:04:06.120 specifically for getups. Developer experience was a big focus too. 84 00:04:06.039 --> 00:04:08.599 And its main job is its core purpose. 85 00:04:08.280 --> 00:04:12.080 Is delivering changes to Kubernetes clusters, potentially at massive scale, 86 00:04:12.439 --> 00:04:15.080 following those getups principles we just talked about, and. 87 00:04:15.080 --> 00:04:18.360 The big value proposition seems to be around configuration drift. 88 00:04:18.439 --> 00:04:21.839 Absolutely, that's where it really shines. It actively detects and 89 00:04:21.879 --> 00:04:25.439 prevents configuration drift. You know, when your live cluster gets 90 00:04:25.480 --> 00:04:27.480 out of sync with Git because someone made a manual 91 00:04:27.560 --> 00:04:28.480 change or something. 92 00:04:28.279 --> 00:04:32.279 Broke, rgo CD sees the mismatch and flags it or 93 00:04:32.759 --> 00:04:33.839 fixes it both. 94 00:04:33.959 --> 00:04:37.439 Potentially. It constantly compares the YAMEL and Git to the 95 00:04:37.480 --> 00:04:40.319 live state. If they diverge, it lets you know, and 96 00:04:40.360 --> 00:04:42.639 you can configure it to automatically sink things back to 97 00:04:42.680 --> 00:04:43.480 the desired state. 98 00:04:43.720 --> 00:04:47.639 Okay, and you mentioned it brought structure to Kubernetes management. 99 00:04:47.800 --> 00:04:50.560 Yeah, Before tools like rgo CD, managing all the differ 100 00:04:50.600 --> 00:04:53.839 Kubernetes pieces to deployment services can fig maps could be 101 00:04:53.879 --> 00:04:54.279 a bit. 102 00:04:54.160 --> 00:04:56.519 Loose, right, just a bunch of Yamo files. 103 00:04:56.680 --> 00:05:00.560 Rgo CD introduced the concept of an ARGOCD application. Think 104 00:05:00.560 --> 00:05:03.480 of it as an atomic unit of work. It bundles 105 00:05:03.519 --> 00:05:07.279 everything related to your app, the deployment, the service, ingress, 106 00:05:07.319 --> 00:05:08.720 everything into one manageable thing. 107 00:05:08.879 --> 00:05:12.839 So deployments become more coherent, audible, automated exactly. 108 00:05:12.959 --> 00:05:15.120 You're dealing with the whole application picture at once. 109 00:05:15.199 --> 00:05:18.040 And it's flexible too, right, not just for strict geit ops. 110 00:05:18.079 --> 00:05:20.199 That's true. The book points out it can function as 111 00:05:20.240 --> 00:05:22.720 a general purpose deployment tool even if you're not doing 112 00:05:22.800 --> 00:05:26.439 full git ops yet, and it integrates nicely with tools 113 00:05:26.480 --> 00:05:29.879 people already use like Helm and customize. We'll get into 114 00:05:29.879 --> 00:05:30.680 those more cool. 115 00:05:30.720 --> 00:05:33.360 So it's adaptable. Let's maybe peel back the layers a bit. 116 00:05:33.680 --> 00:05:35.480 What's the architecture look like under the hood. 117 00:05:35.639 --> 00:05:39.800 Sure, so RGOCD itself follows on Microservice's architecture. Is made 118 00:05:39.879 --> 00:05:43.040 up of several smaller independent components working together. 119 00:05:43.199 --> 00:05:45.480 Okay, typical cloud native design, right. 120 00:05:45.560 --> 00:05:48.920 And it leans heavily on Kubernetes primitives. It uses Kubernetes 121 00:05:49.040 --> 00:05:52.279 concepts effectively. What's really fundamental is how it implements the 122 00:05:52.319 --> 00:05:54.079 Kubernetes controller pattern. 123 00:05:54.040 --> 00:05:57.519 Ah, the reconciliation loop idea again exactly. 124 00:05:58.160 --> 00:06:01.720 Just like built in Kubernetes controllers watch resources, rg CD 125 00:06:01.839 --> 00:06:05.759 watches two things, the desired state and get and the 126 00:06:05.800 --> 00:06:07.199 actual spate in your clusters. 127 00:06:07.800 --> 00:06:10.279 If there's a difference, it steps in and enforces the 128 00:06:10.319 --> 00:06:12.079 get state prevents that. 129 00:06:12.040 --> 00:06:14.360 Drift precisely, it's constantly reconciling. 130 00:06:14.519 --> 00:06:16.720 So what are the main components doing this work? 131 00:06:16.839 --> 00:06:20.040 Okay, First, you have the repository server. Its job is 132 00:06:20.079 --> 00:06:22.959 to maintain a local cache of your Git repos or 133 00:06:23.000 --> 00:06:26.319 Helm chart sources casing for speed yep, and then it 134 00:06:26.439 --> 00:06:30.240 generates the final Kubernetes manifests from whatever source you're using, 135 00:06:30.319 --> 00:06:31.959 Helm customized plane YAML. 136 00:06:32.519 --> 00:06:36.079 It preps the manifests, got it manifest prep station what else? 137 00:06:36.120 --> 00:06:38.079 Then there's the API server. This is the main hub. 138 00:06:38.319 --> 00:06:42.759 It uses gRPC and rest pretty standard stuff for communication, 139 00:06:42.959 --> 00:06:47.439 and this manages everything really application status, triggering, sinks, handling, RBAC, 140 00:06:47.600 --> 00:06:49.519 role based access control, you know who can do what, 141 00:06:50.120 --> 00:06:51.480 and it also serves the web UI. 142 00:06:52.079 --> 00:06:54.759 The user interface runs off This API server. 143 00:06:54.879 --> 00:06:57.399 Makes sense, but for cashing it uses rehttis. 144 00:06:57.079 --> 00:06:59.759 Reddus okay, fast in memory database. 145 00:06:59.439 --> 00:07:02.000 Right is it for local caching to speed things up, 146 00:07:02.040 --> 00:07:05.560 reduce calls to get and store some temporary state. Important 147 00:07:05.639 --> 00:07:09.399 note though this redd as cache isn't persistent. If rgo 148 00:07:09.480 --> 00:07:11.800 CV restarts, it rebuilds the cash. 149 00:07:11.600 --> 00:07:14.399 From get good to know not a permanent data store. 150 00:07:14.839 --> 00:07:18.560 And finally, finally, a really key part its own custom 151 00:07:18.639 --> 00:07:25.319 resources or crds. These extend Kubernetes itself. Rgo CD adds 152 00:07:25.360 --> 00:07:28.680 things like application at project and application set. 153 00:07:28.519 --> 00:07:31.720 So you manage rgo CD deployments using these Kubernetes native 154 00:07:31.720 --> 00:07:32.720 objects exactly. 155 00:07:32.759 --> 00:07:35.439 These crds become your main way of interacting with rgo 156 00:07:35.519 --> 00:07:39.360 CD and defining your gitups deployments within Kubernetes itself. 157 00:07:39.600 --> 00:07:41.680 Very cool. Okay, so how do you actually get this 158 00:07:41.720 --> 00:07:43.079 thing running and start using it? 159 00:07:43.360 --> 00:07:46.360 Installation is pretty standard Kupernettes stuff. You can use the 160 00:07:46.399 --> 00:07:49.639 raw yamal manifests they provide our helm or yeah, more 161 00:07:49.639 --> 00:07:52.720 commonly these days helm charts. The book guides you through 162 00:07:52.959 --> 00:07:56.600 setting it up into local kind cluster Kubernettes in Docker, 163 00:07:56.839 --> 00:07:58.600 which is great for just playing around. 164 00:07:58.319 --> 00:08:00.360 And learning and interacting with it. I hear the UI 165 00:08:00.439 --> 00:08:01.639 is quite good, it really is. 166 00:08:01.759 --> 00:08:04.720 The user interface gives you a great visual overview. You 167 00:08:04.759 --> 00:08:07.160 can see what apps are doing, theirs, SINC, datas, health, 168 00:08:07.199 --> 00:08:09.519 managed settings. It's very user friendly. 169 00:08:09.600 --> 00:08:11.040 How do you access it? Initially? 170 00:08:11.360 --> 00:08:13.839 You can start with cubictol PORTFOD, just a tunnel into 171 00:08:13.839 --> 00:08:16.759 it quickly, but for anything more permanent, you'd set up 172 00:08:16.759 --> 00:08:19.160 a proper Kubernetes ingress to give it a real host 173 00:08:19.240 --> 00:08:21.680 name like rgo CD dot, your domain, dot. 174 00:08:21.560 --> 00:08:23.920 Local or something right, make it accessible like a normal 175 00:08:23.920 --> 00:08:25.519 web app. What about the command line. 176 00:08:25.639 --> 00:08:28.639 Yep, there's the rg CDCLI tool. It actually offers more 177 00:08:28.639 --> 00:08:32.799 functionality than the UI, sometimes hitting the same back end API. 178 00:08:33.360 --> 00:08:36.080 It's where you do more advanced things like adding remote 179 00:08:36.080 --> 00:08:37.919 clusters declaratively. 180 00:08:37.879 --> 00:08:42.120 UI for visuals, CLI for power users, and automation. But 181 00:08:42.200 --> 00:08:45.799 here's the really neat getops part I read about. You 182 00:08:45.879 --> 00:08:48.679 manage rgo CD itself declaratively. 183 00:08:48.840 --> 00:08:52.360 Yes, this is super elegant. Rgo CD's own configuration like 184 00:08:52.399 --> 00:08:56.120 connection details for get, rebos, security settings, UI tweaks is 185 00:08:56.159 --> 00:08:58.679 stored in standard Kubernetes confct maps and secrets. 186 00:08:58.720 --> 00:09:01.399 So you can put rgo CD can fig in get 187 00:09:01.720 --> 00:09:04.759 and have ARGOCD apply its own can fig using. 188 00:09:04.519 --> 00:09:08.360 GetUp exactly, it manages itself. You define its configuration, declaratively 189 00:09:08.440 --> 00:09:11.399 commit it, and rgo CD picks it up and reconfigures itself. 190 00:09:11.559 --> 00:09:12.840 It's get oops all the way down. 191 00:09:13.080 --> 00:09:15.559 That is elegant. Okay, let's get to the heart of it, 192 00:09:16.320 --> 00:09:21.600 managing and synchronizing actual applications. This application CRD seems key. 193 00:09:22.039 --> 00:09:25.279 It is an rgo CD application is basically a pointer. 194 00:09:25.960 --> 00:09:29.360 It tells ARGOCD about a set of Kubernetes resources that 195 00:09:29.399 --> 00:09:31.679 belong together. It primarily defines two things. 196 00:09:31.679 --> 00:09:32.279 What are those? 197 00:09:32.399 --> 00:09:35.039 First? The dot sbec dot source. This is where the 198 00:09:35.080 --> 00:09:38.279 manifests live, usually a get repo URL, maybe a specific 199 00:09:38.320 --> 00:09:40.759 branch or tag and a path within that repo. 200 00:09:40.960 --> 00:09:42.639 Okay, where the blueprint is right. 201 00:09:42.879 --> 00:09:46.279 And interestingly, newer versions like V two point six onwards 202 00:09:46.519 --> 00:09:48.200 support multisource applications. 203 00:09:48.240 --> 00:09:49.279 Oh what does that mean? 204 00:09:49.559 --> 00:09:52.200 It means you can pull manifests from multiple sources like 205 00:09:52.240 --> 00:09:54.919 maybe your main app deployment from one get repo, but 206 00:09:55.000 --> 00:09:58.159 it's database configuration from another, and combine them into a 207 00:09:58.200 --> 00:10:02.399 single rgo CD application. Really powerful for complex setups. 208 00:10:02.480 --> 00:10:03.480 Okay, that's the source. 209 00:10:03.519 --> 00:10:05.960 What's the second part, the dot spec dot destination. This 210 00:10:06.159 --> 00:10:09.960 just tells our docd where to deploy those manifests, which 211 00:10:10.039 --> 00:10:13.279 Kubernetes cluster and which namespace within that cluster could be. 212 00:10:13.200 --> 00:10:15.720 The same cluster rgo CD is running on or different one. 213 00:10:16.000 --> 00:10:19.000 Yep, you can specify in cluster for the local cluster 214 00:10:19.519 --> 00:10:22.799 or provide the API server address for a remote cluster. 215 00:10:23.000 --> 00:10:26.200 And to manage the actual YAML complexity you mentioned, helm. 216 00:10:26.000 --> 00:10:29.159 And customize absolutely. You rarely want to be just copying 217 00:10:29.159 --> 00:10:33.120 and pasting raw YAML everywhere. RGOCD has first class support 218 00:10:33.159 --> 00:10:35.679 for Helm, which is kind of the standard package manager 219 00:10:35.679 --> 00:10:37.039 for Kubernetes. 220 00:10:36.480 --> 00:10:39.320 Now right for templating and managing dependencies, and. 221 00:10:39.440 --> 00:10:43.240 Also Customize, which is great for applying environment specific patches 222 00:10:43.320 --> 00:10:47.840 or variations to base manifests without actually changing the original files. 223 00:10:48.000 --> 00:10:50.960 You use bases and overlays, so RGOCD works with these 224 00:10:50.960 --> 00:10:55.000 tools to render the final manifests before applying them exactly. 225 00:10:55.039 --> 00:10:57.720 It uses the repository server component we talked about to 226 00:10:57.799 --> 00:11:00.960 run Helm or customize base on your applications tech. 227 00:11:01.080 --> 00:11:05.519 Okay, now the magic part synchronization. You said by default 228 00:11:05.720 --> 00:11:08.200 nothing happens when you create an application. 229 00:11:07.879 --> 00:11:11.279 Correct, and this is surprising but also really important. By default, 230 00:11:11.720 --> 00:11:15.480 creating an application resource just registers it with rgo CD. 231 00:11:15.720 --> 00:11:18.600 It doesn't actually apply anything to your cluster yet it 232 00:11:18.600 --> 00:11:20.159 gives you a chance to review. You can look in 233 00:11:20.159 --> 00:11:23.519 the UI see what argocd would deploy and make sure 234 00:11:23.519 --> 00:11:27.039 it looks right before you manually click sink or enable automation. 235 00:11:27.120 --> 00:11:28.039 It's a safety net. 236 00:11:28.200 --> 00:11:32.159 Ah okay, a deliberate pause, but you can automate it. Oh. 237 00:11:32.240 --> 00:11:35.120 Yes, you define a SINK policy in the application manifest. 238 00:11:35.480 --> 00:11:37.399 This lets you turn on automated. 239 00:11:36.960 --> 00:11:38.679 SINC And what options do you have there. 240 00:11:38.879 --> 00:11:43.240 Key ones are pune true, which tells RGOCD to automatically 241 00:11:43.279 --> 00:11:46.519 delete resources from the cluster if they're removed from get 242 00:11:46.600 --> 00:11:47.759 garbage collection. 243 00:11:47.600 --> 00:11:50.039 Essentially important for keeping things clean, and. 244 00:11:49.960 --> 00:11:53.960 Self heal true this tells RGCD to automatically fix any 245 00:11:54.039 --> 00:11:57.720 drifted to texts. If someone manually changes something in the cluster, 246 00:11:58.080 --> 00:11:59.559 self heal will revert it back. 247 00:11:59.440 --> 00:12:03.159 To the gets stay so truly, enforcing that get source of. 248 00:12:03.120 --> 00:12:06.000 Truth exactly the thing. Policy also lets you set up 249 00:12:06.000 --> 00:12:08.919 retry strategies. If a sinc fails with backoffs and. 250 00:12:08.960 --> 00:12:12.080 Limits, what about controlling things at a finer grain than 251 00:12:12.120 --> 00:12:13.600 the whole application you. 252 00:12:13.559 --> 00:12:17.440 Can You can use Kubernetes annotations directly on individual resource 253 00:12:17.519 --> 00:12:21.080 manifests in get what. For instance, you might annotate a 254 00:12:21.120 --> 00:12:26.799 persistent volume claim with rgocd dot rgoprojei dot iosinc options 255 00:12:26.840 --> 00:12:29.840 prune false to prevent argo CD from ever deleting it 256 00:12:30.200 --> 00:12:31.480 even if it's removed. 257 00:12:31.159 --> 00:12:33.639 From gitt ah protecting stateful things right. 258 00:12:34.120 --> 00:12:37.399 Or there's skip dry run and missing resource true, which 259 00:12:37.440 --> 00:12:40.240 can be useful if your application installs its own crds 260 00:12:40.559 --> 00:12:43.799 or operators. Sometimes the dry run fails initially because the 261 00:12:43.799 --> 00:12:46.440 CRD isn't there yet, So this lets you bypass that 262 00:12:46.559 --> 00:12:48.200 check for specific resources. 263 00:12:48.279 --> 00:12:51.679 Okay, annotations for fine tuning. What about running tasks during 264 00:12:51.759 --> 00:12:53.879 SINC like database migrations. 265 00:12:54.000 --> 00:12:57.480 That's where hooks come in. RGOCD lets you define Kubernetes 266 00:12:57.600 --> 00:13:00.559 jobs or pods as hooks that run its specif points 267 00:13:00.600 --> 00:13:01.639 in the sync life cycle. 268 00:13:01.759 --> 00:13:02.759 When would you use those? 269 00:13:02.960 --> 00:13:05.480 You have precinc hooks that run before anything else sincoks 270 00:13:05.519 --> 00:13:08.279 during the main sync, post sync, after a successful sink, 271 00:13:08.440 --> 00:13:10.759 sink fail if it bombs out, and even post. 272 00:13:10.519 --> 00:13:13.480 Delete, so post sync would be perfect for database migrations, 273 00:13:13.519 --> 00:13:17.159 apply the new app code, then run the migration job exactly. 274 00:13:17.320 --> 00:13:19.840 Or precinc could be used to say take a database 275 00:13:19.840 --> 00:13:23.080 backup before and upgrade. Very powerful automation. 276 00:13:22.840 --> 00:13:26.080 And for really complex apps with lots of dependencies, how 277 00:13:26.120 --> 00:13:27.080 do you manage the order? 278 00:13:27.399 --> 00:13:30.639 That's where sink waves are incredibly useful. Sometimes you need 279 00:13:30.720 --> 00:13:33.519 resource a like a database, to be fully up and 280 00:13:33.600 --> 00:13:36.440 running before resource b your application starts. 281 00:13:36.559 --> 00:13:38.559 Right dependencies, sink waves. 282 00:13:38.399 --> 00:13:41.759 Let you assign numerical waves to your resources using annotations. 283 00:13:42.320 --> 00:13:46.039 RGCD applies resources in wave order, waiting for resources in 284 00:13:46.080 --> 00:13:49.159 one wave to become healthy before starting the next wave zero, 285 00:13:49.320 --> 00:13:51.120 then wave one, wave two, and so on. 286 00:13:51.480 --> 00:13:55.320 Ah, so you can orchestrate complex rollouts precisely. 287 00:13:55.399 --> 00:13:58.399 Precisely. It prevents things from failing just because of dependency 288 00:13:58.440 --> 00:13:59.200 wasn't ready yet. 289 00:13:59.200 --> 00:14:02.200 One more sinc thing. Ignoring differences Sometimes the live state 290 00:14:02.240 --> 00:14:04.320 should be different, right, like with autoscaling. 291 00:14:04.399 --> 00:14:07.480 Good point. Yes, rgo CD lets you configure it to 292 00:14:07.559 --> 00:14:11.840 ignore specific differences. Maybe you have a horizontal pod autoscaler 293 00:14:12.159 --> 00:14:14.919 managing the replica's count of a deployment. You don't want 294 00:14:15.000 --> 00:14:17.000 rgo CD fighting with the HPA, so. 295 00:14:17.000 --> 00:14:20.200 You tell RGOCD, hey ignore changes to spec Dot replicas 296 00:14:20.200 --> 00:14:21.879 for this deployment exactly. 297 00:14:22.320 --> 00:14:24.720 You can configure these ignores at the application level or 298 00:14:24.799 --> 00:14:28.840 even globally for certain resource types or specific JSON paths 299 00:14:29.279 --> 00:14:32.480 across your whole RGOCD instance. Very flexible. 300 00:14:32.639 --> 00:14:36.559 Okay, makes sense. Now what about application health? How does 301 00:14:36.679 --> 00:14:39.480 rgo CD know if a deployment actually worked? 302 00:14:39.799 --> 00:14:43.480 It relies heavily on kubernators built in health checks. This 303 00:14:43.559 --> 00:14:46.720 means defining proper readiness and liveness probes in your deployments 304 00:14:46.720 --> 00:14:49.360 in state ful sets is absolutely critical. 305 00:14:49.000 --> 00:14:52.600 Because RGOCD uses those probe statuses to decide if a 306 00:14:52.639 --> 00:14:57.120 resource and therefore the whole application is healthy exactly if 307 00:14:57.120 --> 00:14:59.840 your probes aren't set up correctly, rgo CD might think 308 00:15:00.039 --> 00:15:02.480 app is healthy when it's not, or vice versa. 309 00:15:02.600 --> 00:15:05.360 Good probes are fundamental to reliable get ops. 310 00:15:05.559 --> 00:15:07.720 Does argo CD add its own health checks too? 311 00:15:07.960 --> 00:15:11.200 It does for many standard Kubernetes resource types. It has 312 00:15:11.240 --> 00:15:14.279 built in logic to understand the health of deployments, services, 313 00:15:14.279 --> 00:15:19.080 stateful sets, etc. However, there's a catch. Oh a surprising fact, Yeah, 314 00:15:19.159 --> 00:15:22.080 surprising faction. In the book, the built in health check 315 00:15:22.120 --> 00:15:26.000 for rgo CD's own application CRD was actually removed by 316 00:15:26.039 --> 00:15:28.320 default back in argo CD version one point eight. 317 00:15:28.399 --> 00:15:30.320 Wait, why would they do that and why does it matter? 318 00:15:30.480 --> 00:15:34.600 It matters if you're doing complex orchestrations where one rgo 319 00:15:34.639 --> 00:15:37.200 CD application needs to know if another argo CD application 320 00:15:37.279 --> 00:15:39.639 is healthy before it proceeds, like in the app of 321 00:15:39.679 --> 00:15:41.080 apps pattern we might discuss. 322 00:15:41.200 --> 00:15:43.360 Ah, So if you need applications to depend on each 323 00:15:43.360 --> 00:15:44.440 other's health, you need. 324 00:15:44.320 --> 00:15:47.480 To explicitly re enable that application health check in the 325 00:15:47.519 --> 00:15:51.919 main argo CD configment rgo CD cny it's off by default, 326 00:15:51.960 --> 00:15:54.720 which can trip people up when building those advanced workflows. 327 00:15:54.960 --> 00:15:58.200 Good tip. Okay, let's shift gears to more advanced topics 328 00:15:58.240 --> 00:16:02.480 operationalizing this stuff. Authentication and authorization seem crucial. 329 00:16:02.679 --> 00:16:06.080 Absolutely out of the box, RGCD gives you a single 330 00:16:06.120 --> 00:16:09.480 admin user. The initial password is in a Kubernet. 331 00:16:09.120 --> 00:16:10.919 Seekert change it immediately, yes, please? 332 00:16:11.360 --> 00:16:15.120 Then you can define additional local users. But more realistically, 333 00:16:15.159 --> 00:16:18.960 in an enterprise setup, you'll integrate with single sign on sso. 334 00:16:18.840 --> 00:16:22.120 Like using Octa or Google Workspace or something exactly. 335 00:16:22.320 --> 00:16:26.679 Rgo CD supports standard protocols like openetd Connect, ODC, or 336 00:16:26.720 --> 00:16:29.080 you can use an identity broker like decks, which can 337 00:16:29.120 --> 00:16:33.440 then connect to LDFP, SAML, get up whatever your company uses. 338 00:16:33.759 --> 00:16:36.000 The book uses key cloak as an example of you decks. 339 00:16:36.200 --> 00:16:39.559 Okay, so users log in with their normal company credentials. 340 00:16:39.960 --> 00:16:42.080 What about what they can do once logged in. 341 00:16:42.559 --> 00:16:45.960 That's where rg CDs built in RBAC comes in. Role 342 00:16:45.960 --> 00:16:48.679 based access control. It governs permissions. 343 00:16:48.879 --> 00:16:50.159 Does it have default roles? 344 00:16:50.279 --> 00:16:53.279 Yes? It starts with a powerful role Dot admin and 345 00:16:53.320 --> 00:16:56.360 a useful role dot readily, but you can define your 346 00:16:56.360 --> 00:17:00.519 own custom roles using simple CSD policies stored in configmap. 347 00:17:00.159 --> 00:17:02.960 So you can get really granular, like this team can 348 00:17:03.000 --> 00:17:04.960 only deploy to the devname space. 349 00:17:04.720 --> 00:17:09.599 Precisely, and that leads into projects or app project resources. 350 00:17:09.960 --> 00:17:13.759 These are fundamental for multi tenancy or just organizing things. 351 00:17:13.880 --> 00:17:15.039 Let do projects control. 352 00:17:15.359 --> 00:17:19.160 They act as logical groupings for applications. Crucially, they let 353 00:17:19.200 --> 00:17:21.359 administrators restrict things within that. 354 00:17:21.319 --> 00:17:23.480 Group, like what kind of restrictions you can. 355 00:17:23.359 --> 00:17:26.799 Restrict which get repositories applications in that project are like 356 00:17:26.839 --> 00:17:27.319 to pull. 357 00:17:27.160 --> 00:17:29.440 From AH security boundaries. 358 00:17:28.960 --> 00:17:32.440 Exactly which destination clusters or name spaces they can deploy to. 359 00:17:32.839 --> 00:17:36.599 You can even blacklist or whitelist specific kinds of Kubernetes resources, 360 00:17:36.880 --> 00:17:39.640 maybe disallow creating cluster rolls from a certain project. 361 00:17:40.000 --> 00:17:43.720 Wow. Okay, So projects are like security and policy sandboxes 362 00:17:43.759 --> 00:17:45.559 for groups of applications. 363 00:17:45.000 --> 00:17:49.160 Yep, and you assign permissions which users or sso groups 364 00:17:49.160 --> 00:17:52.000 can access the project and what roles they have at 365 00:17:52.000 --> 00:17:52.960 the project level too. 366 00:17:53.359 --> 00:17:57.319 There's also something called applications sinc impersonation that sounds important 367 00:17:57.319 --> 00:17:57.960 for security. 368 00:17:58.480 --> 00:18:00.920 It is, and it's relatively new from v two point 369 00:18:00.920 --> 00:18:04.759 one four onwards. It lets you specify a different Kumbinaties 370 00:18:04.799 --> 00:18:07.920 service account for RGOCD to use what it actually applies 371 00:18:07.960 --> 00:18:10.799 manifest to a cluster for a specific application. 372 00:18:11.000 --> 00:18:13.640 Why is that better than ARGOCD just using its own 373 00:18:13.720 --> 00:18:15.200 default service account. 374 00:18:14.960 --> 00:18:18.720 Principle of least privilege, the default argo CD service account 375 00:18:18.720 --> 00:18:21.920 often needs fairly broad permissions to manage crds and things. 376 00:18:22.319 --> 00:18:25.759 By using impersonation, you can create a dedicated service account 377 00:18:25.880 --> 00:18:28.839 for an application that only has permissions to manage deployments 378 00:18:28.839 --> 00:18:31.240 and services in the specific name space. For example. 379 00:18:31.559 --> 00:18:34.480 Ah so, even if the main RGO CD controller was 380 00:18:34.519 --> 00:18:37.759 somehow compromised, the blast radius for what it could do 381 00:18:37.920 --> 00:18:39.440 during a sink is much smaller. 382 00:18:39.559 --> 00:18:42.759 Exactly, it decouples the control planes permissions from the sink 383 00:18:42.839 --> 00:18:46.079 execution permissions. Big security win makes sense. 384 00:18:46.519 --> 00:18:49.920 Okay, what about managing multiple clusters? How does that work? 385 00:18:50.240 --> 00:18:53.160 RGOCD uses a hub and spoke model. Your main RGO 386 00:18:53.200 --> 00:18:57.119 CD installation is the hub. It then manages deployments out 387 00:18:57.119 --> 00:18:59.079 to potentially many spoke clusters. 388 00:18:59.799 --> 00:19:02.599 The control plane is centralized generally. 389 00:19:02.359 --> 00:19:07.599 Yes, the hub pushes or more accurately applies the configurations 390 00:19:07.640 --> 00:19:09.759 defined in get out to the managed clusters. 391 00:19:09.839 --> 00:19:11.680 How do you add those remote clusters? 392 00:19:11.759 --> 00:19:14.279 You can use the rgo CLI. There's a command like 393 00:19:14.519 --> 00:19:17.880 rgo sed cluster ad or more get up style. You 394 00:19:17.920 --> 00:19:22.200 can define the cluster connection details. API server endpoint credentials 395 00:19:22.720 --> 00:19:25.519 within a kubernating secret and apply that secret to the 396 00:19:25.640 --> 00:19:27.359 rgo CD control plane cluster. 397 00:19:27.680 --> 00:19:30.400 So the cluster definitions themselves live in geit. 398 00:19:30.480 --> 00:19:34.279 Yep RGOCD watches for secrets labeled correctly and automatically adds 399 00:19:34.319 --> 00:19:35.480 them as managed clusters. 400 00:19:35.799 --> 00:19:38.079 Okay, so you have multiple clusters defined. How do you 401 00:19:38.119 --> 00:19:41.319