From Single Clusters to a Fleet: Mastering Multi-Cloud with GitOps Armada 🚀

Remember that moment three weeks ago when a single AWS region outage sent dashboards into the red and ticket queues into overdrive? The panic was palpable, right? Now, imagine a world where you could spin up three backup clusters without even breaking a sweat, before a problem even hits. That’s the future we’re building, and today, we’re diving deep into how Calura moved from managing isolated clusters to automating an entire fleet across clouds, regions, and environments, all powered by the magic of GitOps. ✨

The Pain of Manual Deployment 😫

Let’s be honest, the traditional approach to managing infrastructure is holding us back.

  • Slow Expansion: Need to launch in three new regions? With manual processes, you’re looking at weeks per region, if everything goes perfectly. Your Q4 project risks slipping into Q1, or worse, a cloud outage cripples your service and you have no standby clusters ready. Revenue bleeds while you scramble to shift traffic.
  • Multi-Cloud Nightmares: Embracing a multi-cloud strategy to avoid vendor lock-in sounds like a brilliant idea. But then you’re faced with AWS, GCP, and Azure – each with its own unique tooling and quirks. Suddenly, your ops team is stretched thin and on the verge of burnout.
  • The Common Thread: The root cause in all these scenarios? Manual processes. They’re inconsistent, painfully slow, and leave us vulnerable.

Enter the GitOps Armada: Your Automated Fleet 🚢

This is precisely why we built the GitOps Armada. We’ve engineered a GitOps pipeline that automatically deploys to every cluster in the fleet, distributes workloads based on cluster attributes, and keeps your entire fleet resilient across any cloud. The beauty of this approach? Everything is declarative, traceable, and automated.

What Makes the Armada Tick? 🛠️

To build this robust system, we identified four key components:

  1. Cluster Provisioning: The foundation of our fleet.
  2. Credential & Metadata Storage: Securely housing the keys to our kingdom.
  3. Data Retrieval: Accessing the necessary information efficiently.
  4. Intelligent Deployment: Determining what goes where.

Our Toolkit: Open Source and Cloud-Agnostic Powerhouses 💪

We chose our tools wisely, prioritizing open-source, cloud-agnostic solutions with strong community support:

  • Terraform / OpenTofu: For provisioning our infrastructure.
  • Secrets Manager (HashiCorp Vault / AWS Secrets Manager): For secure credential storage.
  • External Secrets Operator (ESO): To bridge secrets managers and Kubernetes.
  • Argo CD with Application Sets: For declarative GitOps deployment and automation.

The Fleet Analogy: How it All Comes Together 🌍

Let’s visualize this like a magnificent fleet. When a new ship (cluster) joins, here’s the journey:

  1. Shipyard (Terraform): Terraform (or OpenTofu) provisions a brand-new cluster on AWS, GCP, Azure, or even bare metal.
  2. Secure Harbor (Secrets Manager): Terraform then securely writes the cluster’s credentials and vital metadata into our chosen secrets manager. This metadata includes the cluster name, region, cloud provider, and environment – the DNA of our cluster.
  3. Scouting Mission (External Secrets Operator): ESO acts as our fleet scout. It reads the metadata from the secrets manager and syncs it into Kubernetes as labeled secrets. These labels are crucial signals for Argo CD.
  4. Fleet Command (Argo CD): Argo CD, our fleet command center, automatically discovers these newly labeled clusters.
  5. Deployment Orders (Application Sets): Application Sets are our intelligent dispatchers. They match cluster attributes to specific workload deployment rules.

Within minutes, your new cluster is not only live but also populated with all the right applications, perfectly tailored to its environment.
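As an added example (not a manifest from the talk or from Calura), here is what steps 2 and 3 can look like with External Secrets Operator in front of AWS Secrets Manager. It assumes Terraform stored one JSON entry per cluster under `fleet/clusters/<cluster-name>` with the fields shown in the comment, that a `ClusterSecretStore` named `aws-secrets-manager` already exists, and that Argo CD runs in the `argocd` namespace; the cluster name `eu-dev-01`, the secret path and the store name are all assumptions.

```yaml
# Added example: one ExternalSecret per fleet cluster. It turns the entry that
# Terraform wrote into the Argo CD cluster Secret that the cluster generator reads.
#
# Assumed shape of the JSON entry at fleet/clusters/eu-dev-01 (written by Terraform):
# {
#   "name":          "eu-dev-01",
#   "server":        "https://<api-endpoint>",
#   "environment":   "dev",
#   "cloudProvider": "aws",
#   "region":        "eu-central-1",
#   "config":        "{\"bearerToken\":\"...\",\"tlsClientConfig\":{\"caData\":\"...\"}}"
# }
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cluster-eu-dev-01
  namespace: argocd            # Argo CD only discovers cluster Secrets in its own namespace
spec:
  refreshInterval: 5m          # re-sync so rotated credentials reach Argo CD without a redeploy
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager  # assumed store name; its IAM role needs read-only access to fleet/clusters/*
  target:
    name: cluster-eu-dev-01
    creationPolicy: Owner      # ESO owns the Secret; deleting the ExternalSecret de-registers the cluster
    template:
      type: Opaque
      metadata:
        labels:
          # This label is what makes Argo CD treat the Secret as a cluster registration.
          argocd.argoproj.io/secret-type: cluster
          # The metadata becomes labels: these are the attributes ApplicationSets select on.
          environment: "{{ .environment }}"
          cloudProvider: "{{ .cloudProvider }}"
          region: "{{ .region }}"
      data:
        name: "{{ .name }}"
        server: "{{ .server }}"
        config: "{{ .config }}"   # credentials stay in the Secret body, never in a label
  dataFrom:
    - extract:
        key: fleet/clusters/eu-dev-01   # assumed naming convention for the Terraform-written entries
```

Two things worth checking in your own setup: keep the store's cloud credentials scoped to the `fleet/clusters/*` path only, since whoever can read that path holds admin tokens for every cluster; and remember that label values must be valid Kubernetes label values (alphanumerics, `-`, `_`, `.`, at most 63 characters), so normalise region and environment names in Terraform before they land in the secrets manager.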

Diving Deeper into the Components: 👨‍💻

  • Terraform (The Ship Builder): It’s responsible for constructing the actual Kubernetes infrastructure. Equally important, it crafts and securely stores the cluster’s identity package (credentials and metadata) in the secrets manager. This metadata is the bedrock for all subsequent automation.
  • External Secrets Operator (The Fleet Scout): ESO’s job is to continuously monitor the secrets manager. It translates the metadata into Kubernetes secrets, appending specific labels that tell Argo CD which clusters to manage and what information to inject.
  • Argo CD (The Fleet Admiral): Once clusters are discovered via those labels, Argo CD takes charge. It’s the engine that deploys applications.
  • Application Sets (The Deployment Strategist): This is where the magic happens for targeted deployments. Application Sets watch for clusters with specific attributes and automatically generate Argo CD applications that match those attributes. Argo CD then deploys these applications across the fleet and meticulously monitors their sync status. The icing on the cake? Argo CD constantly checks for configuration drift and automatically corrects it, ensuring your entire fleet remains in the exact declared state. No surprises, no errors.

Intelligent Workload Deployment: Deploy X Where Attribute Y Exists 🎯

With the fleet ready, how do we ensure the right applications land on the right ships? The pattern is elegantly simple:

An Application Set defines: Deploy [Application Name] where [Cluster Attribute] is [Value].

This attribute can represent a cloud provider, a region, or an environment.

Examples in Action:

  • Deploy to all Dev clusters in AWS:
    • Match: environment=dev AND cloudProvider=aws
    • Every cluster meeting both these conditions will receive the specified deployment.
  • Deploy to all clusters in GCP:
    • Match: cloudProvider=gcp
    • Every GCP cluster, regardless of region or environment, will get this deployment.
  • Deploy to all clusters in the EU:
    • Match: region is in [eu-central-1, eu-west-1, europe-west1, europe-west4]
    • This uses match expressions to target clusters in a specific list of EU regions across different cloud providers.

These cluster generators can be combined with other generators (like Git, Helm, or Kustomize generators) to create incredibly sophisticated and nuanced deployment patterns.
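The three selector patterns above, written out as two Argo CD ApplicationSets using the cluster generator. This is an added example, not the talk's own manifests: the `AppProject` names `fleet-addons` and `fleet-apps` and the chart version are assumptions, the Helm chart is the public AWS Load Balancer Controller chart from `https://aws.github.io/eks-charts`, and the guestbook source is the public `argocd-example-apps` repository. It assumes cluster Secrets carry the `environment`, `cloudProvider` and `region` labels described above.

```yaml
# Added example: two ApplicationSets driven by the cluster generator's label selector.
# Per matched cluster the template can use .name, .nameNormalized, .server and
# .metadata.labels (the labels the External Secrets Operator put on the cluster Secret).
---
# "Deploy the AWS Load Balancer Controller where environment=dev AND cloudProvider=aws"
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: aws-load-balancer-controller
  namespace: argocd
spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]  # fail the render instead of deploying with an empty value
  generators:
    - clusters:
        selector:
          matchLabels:                     # every key must match (logical AND)
            environment: dev
            cloudProvider: aws
  template:
    metadata:
      name: '{{ .nameNormalized }}-aws-lb-controller'
    spec:
      project: fleet-addons                # assumed AppProject; restrict its destinations to the fleet
      source:
        repoURL: https://aws.github.io/eks-charts
        chart: aws-load-balancer-controller
        targetRevision: 1.8.1              # placeholder version; pin to the one you have validated
        helm:
          valuesObject:
            clusterName: '{{ .name }}'                        # chart value, fed from the cluster Secret
            region: '{{ index .metadata.labels "region" }}'  # chart value, fed from the ESO-set label
      destination:
        server: '{{ .server }}'
        namespace: kube-system
      syncPolicy:
        automated:
          prune: true
          selfHeal: true                   # the drift correction described above
---
# "Deploy guestbook where region is in a list of EU regions", across providers
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: guestbook-eu
  namespace: argocd
spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
    - clusters:
        selector:
          matchExpressions:                # set membership instead of exact equality
            - key: region
              operator: In
              values: [eu-central-1, eu-west-1, europe-west1, europe-west4]
  template:
    metadata:
      name: '{{ .nameNormalized }}-guestbook'
    spec:
      project: fleet-apps                  # assumed AppProject
      source:
        repoURL: https://github.com/argoproj/argocd-example-apps.git
        targetRevision: HEAD
        path: guestbook
      destination:
        server: '{{ .server }}'
        namespace: guestbook
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
          - CreateNamespace=true
```

A `matchLabels` block and a `matchExpressions` block in the same selector are ANDed, so the EU ApplicationSet can be narrowed to `environment: prod` by adding a `matchLabels` entry; as written it matches dev and prod clusters alike. The "deploy to all clusters in GCP" case is the first pattern with a single `cloudProvider: gcp` key. Because a mislabelled cluster Secret is enough to pull a workload onto the wrong cluster, keep each `AppProject`'s `destinations` and `sourceRepos` tight so that a labelling mistake fails the sync rather than silently succeeding.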

The GitOps Armada in Action: A Live Demo 🎬

Let’s see this in action! We’ll provision a GKE cluster and an EKS cluster simultaneously.

  • Terraform applies, creating both clusters and their corresponding secrets in AWS Secrets Manager.
  • Within minutes, External Secrets Operator pulls these into Argo CD, applying the correct labels.
  • Application Sets then spring into action, generating the right applications. Our AWS dev cluster gets Karpenter and the AWS Load Balancer Controller. Meanwhile, all clusters in our fleet joyfully sync the guestbook application.

The Results: Speed, Consistency, and True Multi-Cloud 💨🌟🌍

So, what does this GitOps Armada empower you to achieve?

  • Unprecedented Speed: What used to take weeks now takes minutes. ⚡
  • Rock-Solid Consistency: Experience zero configuration drift across your entire fleet. 💯
  • True Multi-Cloud Capability: The same pipeline works seamlessly across AWS, GCP, Azure, and on-premise environments. 🌍
  • Full Control with Audit Trails: Every change is declared, versioned, and traceable in Git, giving you complete oversight. 📜

Remember those scenarios we started with? The cloud outage, the multi-cloud complexity, the slow expansion? They’re all solved. This is the transformative power of GitOps Armada.

Thank you! [Applause] [Music]