GitOps methodology

Overview

GitOps is a way to manage infrastructure and applications using version-controlled, declarative configurations. Tools like ArgoCD, Crossplane, and the nullplatform Terraform provider help automate and simplify cloud infrastructure management.

With GitOps, all changes are tracked, auditable, and easy to roll back if something goes wrong.

Available technologies for GitOps

Here are the main tools used in GitOps:

  • ArgoCD: Synchronizes Kubernetes clusters with Git repositories and supports automated rollbacks.
  • Crossplane: Manages Kubernetes resources and cloud services across providers using declarative configurations.
  • Nullplatform Terraform provider: Combines Terraform’s infrastructure management with GitOps workflows for version-controlled infrastructure.

These tools work together to manage infrastructure and applications effectively.

Setup

Before you begin, ensure you have:

  • A Kubernetes cluster ready.
  • Crossplane installed in the cluster.
  • (Optional) ArgoCD installed in the cluster.
  • An API key. See API keys to generate one if needed.

Example nullplatform configuration

Here’s how to set up your code repository provider and asset repository provider.

Save this configuration in a .yaml file.
  1. Convert the API key to JSON and base64:

    echo '{"apiKey": "MjM5MDgyMDcx.dasdasdklasdasdkjlqrqewrv"}' | base64

    # nullplatform-apikey.yaml
    apiVersion: v1
    data:
      credentials: ewogICAgImFwaUtleSI6ICJNak01TURneU1EY3guZGFzZGFzZGtsYXNkYXNka2pscXJxZXdydiIKfQo=
    kind: Secret
    metadata:
      name: opentofu-nullplatform-apikey
      namespace: default
    type: Opaque

  2. Install the OpenTofu provider for Crossplane:

    apiVersion: pkg.crossplane.io/v1
    kind: Provider
    metadata:
      name: provider-opentofu
    spec:
      package: xpkg.upbound.io/upbound/provider-opentofu:v0.2.1

  3. Configure the provider with the API key and nullplatform provider:

    apiVersion: opentofu.upbound.io/v1beta1
    kind: ProviderConfig
    metadata:
      name: nullplatform-provider
    spec:
      configuration: |
        terraform {
          required_providers {
            nullplatform = {
              source = "nullplatform/nullplatform"
            }
          }
          backend "kubernetes" {
            secret_suffix = "providerconfig-nullplatform"
            namespace = "default"
            in_cluster_config = true
          }
        }

        variable "apiKey" {
          type = string
        }

        provider "nullplatform" {
          api_key = var.apiKey
        }
      credentials:
        - filename: terraform.tfvars.json
          source: Secret
          secretRef:
            namespace: default
            name: opentofu-nullplatform-apikey
            key: credentials

  4. Create a workspace with the provider configurations:

    apiVersion: opentofu.upbound.io/v1beta1
    kind: Workspace
    metadata:
      name: example-nullplatform-provider
      annotations:
        # Sets the external name for the OpenTofu workspace. If omitted,
        # the workspace name defaults to the value of `metadata.name` (e.g., 'example-nullplatform-provider').
        crossplane.io/external-name: docker-registry-nullplatform
    spec:
      providerConfigRef:
        name: nullplatform-provider
      forProvider:
        # By default, workspaces use a remote source (e.g., workspace-remote.yaml).
        # For simple cases, an inline source can be used to embed main.tf as HCL.
        vars:
          - key: login_server
            value: "https://docker.io"
          - key: username
            value: "myusername"
          - key: password
            value: "mypassword"
          - key: nrn
            value: "organization=1:account=2:namespace=3"
        source: Inline
        module: |
          variable "login_server" {
            type = string
            description = "The login server for the Docker registry."
          }

          variable "path" {
            type = string
            description = "The path to the Docker registry."
            default = null
          }

          variable "username" {
            type = string
            description = "The username for the Docker registry."
          }

          variable "password" {
            type = string
            description = "The password for the Docker registry."
          }

          variable "nrn" {
            type = string
            description = "The NRN for the Docker registry."
          }

          resource "nullplatform_provider_config" "docker_server" {
            nrn = var.nrn
            type = "docker-server"
            dimensions = {}
            attributes = jsonencode({
              "setup" : {
                "server" : var.login_server,
                "path" : var.path,
                "username" : var.username,
                "password" : var.password,
                "use_namespace" : false
              }
            })
          }

      writeConnectionSecretToRef:
        namespace: default
        name: opentofu-workspace-docker-registry-nullplatform
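
The Secret from step 1 and the Workspace `vars` from step 4 both keep credentials in the manifest itself, and the base64 in a Secret is encoding, not encryption. The following Python check is an added example, not part of the nullplatform documentation; it flags such values before the manifests are committed to a GitOps repository. The `SENSITIVE` name list, the line-based matching and the sample manifests are assumptions made for the example.

```python
import base64
import json
import re

SENSITIVE = re.compile(r"pass(word)?|secret|token|api_?key", re.I)  # heuristic names
# Constructed sample: the Secret and an abridged Workspace from the steps above.
_KEY_B64 = base64.b64encode(b'{"apiKey": "constructed-key"}').decode()
SAMPLE = f"""\
kind: Secret
metadata:
  name: opentofu-nullplatform-apikey
data:
  credentials: {_KEY_B64}
---
kind: Workspace
metadata:
  name: example-nullplatform-provider
spec:
  forProvider:
    vars:
      - key: username
        value: "myusername"
      - key: password
        value: "mypassword"
"""

def describe(b64):  # shows base64 is reversible without echoing the secret itself
    try:
        obj = json.loads(base64.b64decode(b64, validate=True))
        return "base64 of JSON, keys: " + ", ".join(sorted(obj.keys()))
    except (ValueError, AttributeError):
        return "inline value"

def scan(text):
    """Return (kind, name, field, detail) for each credential kept in a manifest."""
    findings = []
    for doc in re.split(r"^---\s*$", text, flags=re.M):
        head = dict(re.findall(r"^(kind|  name):\s*(\S+)", doc, re.M))
        kind, name = head.get("kind", ""), head.get("  name", "")
        if kind == "Secret":
            data = re.search(r"^data:\n((?:[ \t]+\S.*\n?)+)", doc, re.M)
            for key, val in re.findall(r"^\s+([\w.-]+):\s*(\S+)", data[1] if data else "", re.M):
                findings.append((kind, name, f"data.{key}", describe(val)))
        elif kind == "Workspace":
            pairs = re.findall(r'-\s*key:\s*(\S+)\s*\n\s*value:\s*"?([^"\n]*)"?', doc)
            findings += [(kind, name, f"vars.{k}", "literal value")
                         for k, v in pairs if v and SENSITIVE.search(k)]
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```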

Applying the configuration

  1. Install the manifests:

    kubectl apply -f .
  2. Check the workspace status to confirm it's created and synchronized:

    kubectl get workspace
    # Expected output:
    NAME                            SYNCED   READY   AGE
    example-nullplatform-provider   True     True    57s

Verification

After applying the configuration:

  1. Go to nullplatform at https://<your-org-name>.app.nullplatform.io.
  2. Check that your code repository provider is configured in Platform Settings > Code Repository.