Terraform GitOps Framework
About GitOps and Terraform in general
GitOps describes the idea that every change to your infrastructure should start with a change in a Git repository. The Git repository is your single source of truth. This lets you and your team jointly propose, review, agree on and make changes using the same pull-request based workflow that has proven invaluable for software development.
This of course requires that your infrastructure configuration is described in a format that can be stored in Git, and that applying changes can be automated.
Terraform is a widely used infrastructure as code tool. Using its declarative domain specific language (HCL), you define your infrastructure as code. When a change is needed, Terraform plans the steps required to move the infrastructure from its current state to the desired state described in the repository. With remote state and state locking, it can do this from automation while preventing two concurrent runs from modifying the same state at the same time.
In theory, this makes GitOps with Terraform straightforward: set up a trigger that runs Terraform from a CI/CD pipeline every time the Git repository changes. But what seems simple in theory often turns out to be more complex in practice.
GitOps automation pitfalls
To trust a GitOps workflow that triggers automation against mission critical infrastructure, there are three pitfalls to avoid:
- Ensure changes are reviewed and tested before they are applied to critical environments.
- Prevent configuration drift between environments from rendering that review and testing ineffective.
- Integrate the GitOps workflow and the automation with the correct triggers (which event produces a plan, which one applies it) and steps.
How the Kubestack framework can help
What does framework mean in this context? Kubestack is to GitOps infrastructure automation what Spring Boot is to cloud native Java applications.
The Kubestack framework is designed to help platform teams hit the ground running and avoid common pitfalls, the same way an application team benefits from starting with a framework like Spring Boot. Application frameworks help with common application requirements; Kubestack helps with common GitOps infrastructure automation requirements.
Where a web application framework helps with request routing or user authentication, Kubestack helps with GitOps infrastructure automation: it provides reusable Terraform modules for the clusters and the surrounding infrastructure, and Kustomize bases for the cluster services that must be in place before application workloads can be deployed.
Everything to get started
By starting with the Kubestack framework, platform teams don't just get reusable components. They get a proven, integrated implementation that avoids these common pitfalls.
Kubestack uses two infrastructure environments, called the ops-environment and the apps-environment. The purpose of the ops-environment is to validate changes before they are promoted to the critical apps-environment. Both environments are configured using inheritance to avoid configuration drift, which would otherwise risk rendering that validation ineffective. The environments and the inheritance model cover both the infrastructure configuration and the Kubernetes cluster services.
Kubestack's GitOps workflow is designed to provide reliable automation for teams to jointly maintain clusters and services. It allows teams to:
- peer review planned infrastructure changes,
- validate these changes against the ops-environment,
- and only then promote them to the critical apps-environment.
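The trigger wiring described above (a pull request only produces a reviewable plan, a merge into main applies the ops-environment, an explicit promotion applies the apps-environment) as an added example. This is not Kubestack's own pipeline code. It assumes, hypothetically, a shared root module with two Terraform workspaces named ops and apps so that both environments apply the same commit, a remote backend with state locking configured in backend.tf, promotion tags named apps-deploy-<anything>, and a CI system that passes the event kind and the branch or tag name as arguments:

```shell
#!/bin/sh
# Added example, not Kubestack's own pipeline: map a Git event to a Terraform
# action so that a pull request only ever produces a plan, a merge into main
# applies the ops-environment, and a promotion tag applies the apps-environment.
#
# Assumptions (all hypothetical, chosen for this example):
#   - the root module is shared and two Terraform workspaces, "ops" and "apps",
#     select the per-environment values, so both environments apply the same commit;
#   - backend.tf configures a remote backend that supports state locking;
#   - promotion tags are named apps-deploy-<anything>;
#   - the CI system passes the event kind and the branch or tag name as arguments.
set -eu

# decide_action EVENT REF
#   EVENT: pull_request | push | tag
#   REF:   branch name for pull_request and push, tag name for tag
# Prints "<plan|apply> <workspace>" or "skip".
decide_action() {
  event="$1"
  ref="$2"
  case "$event" in
    pull_request)
      # Reviewers see the plan; nothing is applied from an unmerged branch.
      echo "plan ops" ;;
    push)
      if [ "$ref" = "main" ]; then
        echo "apply ops"      # the merged, reviewed change is validated in ops first
      else
        echo "skip"
      fi ;;
    tag)
      case "$ref" in
        apps-deploy-*) echo "apply apps" ;;   # explicit promotion step
        *)             echo "skip" ;;
      esac ;;
    *)
      echo "skip" ;;
  esac
}

# promoted_from_main TAG_NAME
# Refuse to promote a commit that was never applied to ops: the tagged commit
# must be reachable from main. Exit status 0 means the tag is eligible.
promoted_from_main() {
  git merge-base --is-ancestor "$1" main
}

# run_terraform ACTION WORKSPACE
# Set TF=echo to dry-run. -lock-timeout makes a second pipeline wait for the
# remote state lock instead of failing or racing; -input=false makes a missing
# variable fail the run rather than hang waiting for a prompt.
run_terraform() {
  action="$1"
  ws="$2"
  tf="${TF:-terraform}"
  "$tf" workspace select "$ws"
  "$tf" plan -input=false -lock-timeout=5m -out="$ws.tfplan"
  if [ "$action" = "apply" ]; then
    # Apply exactly the plan just produced, never a fresh plan that could differ.
    "$tf" apply -input=false -lock-timeout=5m "$ws.tfplan"
  fi
}

main() {
  result=$(decide_action "$1" "$2")
  if [ "$result" = "skip" ]; then
    echo "nothing to do for $1 $2"
    return 0
  fi
  if [ "$1" = "tag" ] && ! promoted_from_main "$2"; then
    echo "refusing to promote $2: tagged commit is not on main" >&2
    return 1
  fi
  set -- $result      # split "<action> <workspace>" into $1 and $2
  run_terraform "$1" "$2"
}

# Dispatch only when invoked with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Running it as `TF=echo ./gitops.sh push main` prints the Terraform commands instead of executing them, which is a cheap way to review the wiring before giving the pipeline real credentials. The ancestor check is the part most often left out: without it, anyone who can push a tag can promote a commit that never went through review and the ops-environment, which defeats the whole point of having two environments.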
Designed to be extendable
Kubestack is built using Terraform modules and providers. This means Kubestack fully integrates with the entire Terraform ecosystem. Teams have the ability to build upon the framework, extend their infrastructure to meet their specific requirements and integrate it into the wider organization's architecture.
Try the Kubestack GitOps framework
Or let us join you on your GitOps journey.