Aprende patrones de GitOps de nivel de producción para gestionar múltiples clústeres de Kubernetes con ArgoCD, Helm y Kustomize.
Keywords: argocd multi cluster, gitops kubernetes, helm kustomize patterns, argocd best practices 2024, kubernetes gitops automation, argocd enterprise patterns, multi cluster management
La gestión manual de Kubernetes conduce a:
- Configuraciones inconsistentes entre clústeres
- Errores de despliegue por comandos kubectl manuales
- Vulnerabilidades de seguridad por acceso directo a clústeres
- Horas perdidas solucionando problemas de sincronización
Vamos a resolver estos problemas con la automatización GitOps.
graph TD
A[Git Repository] -->|Push| B[ArgoCD]
B -->|Sync| C[Production Cluster]
B -->|Sync| D[Staging Cluster]
B -->|Sync| E[Development Cluster]
F[Helm Charts] -->|Template| B
G[Kustomize Overlays] -->|Patch| B
B -->|Status| H[Prometheus]
H -->|Alert| I[Alertmanager]
I -->|Notify| J[Slack/Email]
# root-application.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: root-app
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/your-org/gitops-repo.git
targetRevision: HEAD
path: apps
destination:
server: https://kubernetes.default.svc
namespace: argocd
syncPolicy:
automated:
prune: true
selfHeal: true
---
# apps/application-set.yaml
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: cluster-apps
namespace: argocd
spec:
generators:
- clusters:
selector:
matchLabels:
environment: production
template:
metadata:
name: '{{name}}-{{path.basename}}'
spec:
project: default
source:
repoURL: https://github.com/your-org/gitops-repo.git
targetRevision: HEAD
path: '{{path}}'
helm:
valueFiles:
- values-{{values.environment}}.yaml
destination:
server: '{{server}}'
namespace: '{{path.basename}}'
syncPolicy:
automated:
prune: true
selfHeal: true# charts/base-app/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.name }}
labels:
{{- include "base-app.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
{{- include "base-app.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "base-app.selectorLabels" . | nindent 8 }}
spec:
containers:
- name: {{ .Values.name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: {{ .Values.service.port }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
env:
{{- range .Values.env }}
- name: {{ .name }}
valueFrom:
secretKeyRef:
name: {{ $.Values.name }}-secrets
key: {{ .key }}
{{- end }}# overlays/production/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
namePrefix: prod-
commonLabels:
environment: production
managed-by: argocd
patches:
- path: resource-patch.yaml
target:
kind: Deployment
name: .*
configMapGenerator:
- name: app-config
behavior: merge
files:
- config.properties
secretGenerator:
- name: app-secrets
files:
- secrets.env
type: Opaque
images:
- name: app-image
newName: registry.company.com/app
newTag: v1.2.3# health_check.py
import requests
import json
from kubernetes import client, config
from datetime import datetime
import logging
def check_application_health(app_name, namespace):
"""Check ArgoCD application health"""
try:
config.load_incluster_config()
custom_api = client.CustomObjectsApi()
# Get application status
app = custom_api.get_namespaced_custom_object(
group="argoproj.io",
version="v1alpha1",
namespace=namespace,
plural="applications",
name=app_name
)
# Check sync status
sync_status = app['status']['sync']['status']
health_status = app['status']['health']['status']
# Get detailed resource health
resources = app['status'].get('resources', [])
unhealthy_resources = [
r for r in resources
if r.get('health', {}).get('status') != 'Healthy'
]
return {
'name': app_name,
'sync_status': sync_status,
'health_status': health_status,
'unhealthy_resources': unhealthy_resources,
'timestamp': datetime.utcnow().isoformat()
}
except Exception as e:
logging.error(f"Health check error: {str(e)}")
raiseProblem: An e-commerce platform needed to manage 20+ Kubernetes clusters across multiple regions with consistent configurations.
Solution: Implemented:
- GitOps deployment pipeline
- Multi-cluster management
- Automated rollbacks
- Custom health checks
Results:
- Deployment time reduced by 80%
- Zero manual kubectl commands
- 100% configuration consistency
- Rollback time under 30 seconds
- Configure RBAC
- Set up sealed secrets
- Implement health checks
- Configure automated rollbacks
- Set up monitoring
- Implement backup strategy
- Configure disaster recovery
- Set up audit logging
name: GitOps Pipeline
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Helm
uses: azure/setup-helm@v3
- name: Set up Kustomize
uses: imranismail/setup-kustomize@v2
- name: Validate Helm Charts
run: |
helm lint charts/*
helm template charts/* > template.yaml
kubectl validate -f template.yaml
- name: Validate Kustomize
run: |
kustomize build overlays/production > kustomize.yaml
kubectl validate -f kustomize.yaml
sync:
needs: validate
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- name: Install ArgoCD CLI
run: |
curl -sSL -o argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
chmod +x argocd
- name: Sync Applications
run: |
argocd app sync root-app --prune
argocd app wait root-app
env:
ARGOCD_SERVER: ${{ secrets.ARGOCD_SERVER }}
ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}├── apps/
│ ├── application-set.yaml
│ └── root-application.yaml
├── charts/
│ └── base-app/
│ ├── Chart.yaml
│ ├── values.yaml
│ └── templates/
│ ├── deployment.yaml
│ ├── service.yaml
│ └── ingress.yaml
├── overlays/
│ ├── production/
│ │ ├── kustomization.yaml
│ │ └── resource-patch.yaml
│ └── staging/
│ ├── kustomization.yaml
│ └── resource-patch.yaml
└── base/
├── kustomization.yaml
└── resources.yaml
- Use RBAC for access control
- Implement sealed secrets
- Enable audit logging
- Use image scanning
- Implement network policies
- Configure pod security policies
- Use OPA Gatekeeper