Unlocking Secure Software Promotion: Kargo’s Game-Changing Custom Steps! 🚀
Hey tech enthusiasts! Ever wondered what happens before your perfectly synced Kubernetes cluster gets an update? We all love Argo CD for its brilliant GitOps deployment capabilities, keeping our clusters continuously reconciled from Git. But here’s the million-dollar question: what controls what’s allowed into Git in the first place?
Jesse Suen, co-founder and CTO of Akuity and co-creator of the Argo and Kargo projects, recently shone a spotlight on this crucial gap. He showed how Kargo is evolving promotion beyond simple image tag updates into a robust enforcement boundary. Get ready to rethink how your software moves!
Beyond Simple Sync: The Promotion Predicament 💡
Argo CD excels as your deployment layer. It watches Git, reconciles your cluster, reports app health, and helps you troubleshoot. It makes sure what’s in Git gets deployed. But real promotions are far more complex than just updating a tag. Before you promote, you need answers to critical questions:
- Did a trusted pipeline build this image?
- Does the image have any CVEs (Common Vulnerabilities and Exposures)?
- Do the Kubernetes specs follow your organization’s policies?
- Is the target environment even ready? Did someone run that database migration?
This is where the traditional GitOps flow often hits a wall. You need a layer that ensures safety and compliance before changes ever reach your deployment system.
Enter Kargo: Your Intelligent Promotion Layer 🛡️
Think of Kargo as the promotion layer sitting above Argo CD. While Argo CD handles how software deploys, Kargo tackles how software moves.
Kargo’s mission is clear:
- It discovers new artifacts.
- It defines your pipeline that moves them from stage to stage.
- Crucially, it controls what’s allowed to reach Git in the first place.
Customers consistently ask for Kargo to participate in vital processes like supply chain security, image scanning, policy enforcement, and coordination with infrastructure. The challenge? Talk to 10 different teams and you’ll get 10 different requests for tools and integrations. No one-size-fits-all solution exists, so we need flexibility, but also standardization.
The Custom Step Revolution: Flexibility Meets Standardization ✨
Akuity’s answer to this challenge is custom promotion steps. The idea is elegantly simple: if you can containerize it, you can make it a promotion step.
A custom step is essentially a container image you want to run, the command to execute, and the parameters for that command. You register it at the system level, and then every team gains access to it, using it like any other normal step in their promotion pipelines.
Kargo in Action: A Glimpse into Secure Promotions 🎯
Jesse demonstrated a typical Kargo pipeline promoting Nginx images through dev, staging, and two production environments. The promotion process follows a standard GitOps flow: cloning a GitOps repo, updating Helm values YAML, committing, and pushing.
However, two custom steps truly highlight Kargo’s power:
- OPA Test: This step validates Kubernetes manifests against a set of policies. It uses OPA’s conftest utility with remote policy rules, ensuring your manifests adhere to organizational standards.
- Trivy Image: This step runs the Trivy CLI to scan images for critical CVEs. If it finds any, the promotion fails.
Let’s see the impact of these custom steps in action:
- Scenario 1: Vulnerable Image Blocked! Jesse attempted to promote an older Nginx image known to have critical vulnerabilities. The Trivy Image step failed immediately, flagging the exact CVEs.
- Scenario 2: Policy Violation Prevented! Next, he tried to promote a “good” Nginx version, but one of the target environments was misconfigured, violating an OPA policy (specifically, a deployment with a privileged container, against the Rego rules). The OPA Test step failed, clearly explaining the policy violation.
The critical takeaway from both failures? There was no Git commit and no push. Argo CD never saw these unsafe changes. Kargo acted as the gatekeeper, preventing non-compliant or vulnerable software from ever reaching your deployment pipeline.
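To make the two gates and the "no commit, no push" outcome concrete, here is an added illustration (not Kargo’s or Akuity’s code, and not the real step containers from the demo) of the decision logic each custom step would apply. The Trivy report is a constructed sample in the JSON shape that `trivy image --format json` emits, with placeholder CVE identifiers; the Deployment manifests are constructed; and the privileged-container rule is written directly in Python rather than Rego so it runs without OPA or conftest installed. The step names, the `run_promotion` driver and the simulated commit-and-push step are assumptions for the example.

```python
"""Promotion-gate logic in the style of the two custom steps described above.
Added illustration, not Kargo's or Akuity's code: the Trivy report is a
constructed sample in the JSON shape `trivy image --format json` emits, the
manifests are constructed, and the privileged-container rule is written in
Python rather than Rego so it runs without OPA/conftest installed."""
import json
from dataclasses import dataclass, field

# Constructed Trivy report: one CRITICAL and one MEDIUM finding.
# The CVE identifiers are placeholders, not real advisories.
VULNERABLE_REPORT = json.dumps({
    "ArtifactName": "nginx:old-example",
    "Results": [{
        "Target": "nginx:old-example (debian 12.x)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample",
             "InstalledVersion": "1.0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother",
             "InstalledVersion": "2.3", "Severity": "MEDIUM"},
        ],
    }],
})
# Constructed report for a clean image (Trivy omits the key when empty).
CLEAN_REPORT = json.dumps({"ArtifactName": "nginx:good-example",
                           "Results": [{"Target": "nginx:good-example"}]})

# Constructed Deployment manifests as dicts (what yaml.safe_load would return).
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "nginx", "image": "nginx:example",
         "securityContext": {"privileged": False}}]}}},
}
BAD_DEPLOYMENT = json.loads(json.dumps(GOOD_DEPLOYMENT))  # deep copy
BAD_DEPLOYMENT["spec"]["template"]["spec"]["containers"][0][
    "securityContext"]["privileged"] = True


@dataclass
class StepResult:
    name: str
    passed: bool
    findings: list[str] = field(default_factory=list)


def trivy_image_step(report_json: str, fail_on=("CRITICAL",)) -> StepResult:
    """Mirror of the Trivy Image step: fail when any finding has a
    severity listed in `fail_on`, and report exactly which CVEs tripped it."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in fail_on:
                findings.append(
                    f"{vuln['VulnerabilityID']} ({vuln['Severity']}) in "
                    f"{vuln['PkgName']} {vuln.get('InstalledVersion', '?')} "
                    f"at {result.get('Target', '?')}")
    return StepResult("trivy-image", passed=not findings, findings=findings)


def _pod_spec(manifest: dict) -> dict:
    # Bare Pods carry the spec directly; workload kinds wrap a pod template.
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def opa_test_step(manifests: list) -> StepResult:
    """Mirror of the OPA Test step for one rule: deny any container (or
    initContainer) whose securityContext.privileged is true. This is the
    check a Rego deny rule would express, written in Python for the example."""
    findings = []
    for m in manifests:
        spec = _pod_spec(m)
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if (c.get("securityContext") or {}).get("privileged") is True:
                findings.append(f"{m.get('kind')}/{m['metadata']['name']}: "
                                f"container '{c['name']}' is privileged")
    return StepResult("opa-test", passed=not findings, findings=findings)


def run_promotion(gates) -> tuple[bool, list[StepResult]]:
    """Run the gating steps in order and stop at the first failure, so the
    commit-and-push step (simulated here) never runs on a blocked promotion."""
    executed = []
    for gate in gates:
        result = gate()
        executed.append(result)
        if not result.passed:
            return False, executed
    executed.append(StepResult("git-commit-and-push", passed=True))
    return True, executed


if __name__ == "__main__":
    scenarios = {
        "scenario 1 (vulnerable image)": [
            lambda: trivy_image_step(VULNERABLE_REPORT),
            lambda: opa_test_step([GOOD_DEPLOYMENT])],
        "scenario 2 (privileged container)": [
            lambda: trivy_image_step(CLEAN_REPORT),
            lambda: opa_test_step([BAD_DEPLOYMENT])],
    }
    for label, gates in scenarios.items():
        ok, steps = run_promotion(gates)
        print(label, "->", "PROMOTED" if ok else "BLOCKED")
        for s in steps:
            print(f"  {s.name}: {'ok' if s.passed else 'FAILED'}")
            for finding in s.findings:
                print("    " + finding)
```

Both scenarios stop before the simulated commit-and-push step, which is the property the talk stresses: a failed gate means nothing reaches Git, so Argo CD has nothing new to reconcile. In a real step container, the report would come from running Trivy against the image and the manifests from the cloned GitOps repo; the gate functions stay the same.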
Promotion as an Enforcement Boundary: A Paradigm Shift 🌐
What Jesse showed us represents a fundamental shift in thinking about promotion. Promotion is no longer just a delivery mechanism; it’s an enforcement boundary.
Now, your security team, compliance team, and platform team can all participate in the promotion decision with their own specialized tools:
- Cosign for supply chain verification.
- Trivy for image scanning.
- conftest (OPA) for policy testing.
- You can even run database migrations with tools like Liquibase or Flyway, or integrate AI-powered automation steps.
Basically, if you can containerize it, it can be part of your promotion workflow.
The Future of Software Movement 🚀
Kubernetes solved the problem of how software runs. Argo CD solved how software deploys. And now, Kargo is stepping up to solve the crucial problem of how software moves. It empowers organizations to build secure, compliant, and automated promotion pipelines, ensuring only the highest quality software reaches production.
Learn More! 📚
Want to dive deeper into Kargo and secure promotion?
- Book Signing: Jesse and other authors will be signing the “Argo CD Up and Running” book on Thursday at the Akuity booth.
- Webinar: Akuity is hosting an upcoming Kargo webinar in two weeks that will cover this topic and more! Stop by their booth or check their website for details.