「Cloud Native」Track - gotc.oschina.net
Transcript of 「Cloud Native」Track - gotc.oschina.net
「Cloud Native」Track
Ma Jinghe, July 10, 2021
Building cloud-native GitSecOps with Tekton + ArgoCD
Ma Jinghe (Xiao Ma Ge)
LFAPAC open source evangelist / Huawei Cloud MVP
ZTE / LTE 4G development
IBM / DevOps
Member, organizer and lecturer of the China DevOps community
Member of the Cloud Native Community management committee / founder of the Continuous Delivery SIG
01 The pain of cloud-native application delivery
02 Pain drives change
03 The sorrow of GitOps: sensitive information & the image mystery
04 The GitSecOps system
05 Reflections on GitSecOps
01 The pain of cloud-native application delivery
The soul-searching questions we used to face
- What is actually on the environment (resources, environment variables, etc.)?
- Version information (release time, version history)
- Security (the list of people with Kubernetes cluster privileges, and what operations they are allowed)
- ...
02 Pain drives change
Pain drives change
[Diagram: x.yaml manifests: describe, store, modify, sync]
- A declarative system as the foundation (typically Kubernetes)
- Git (GitHub/GitLab) as the single source of truth
The joys of GitOps
- Better user experience (for developers and prod admins)
- Simple deployment
- Fast rollback
- Improved security
- Compliance auditing becomes easy
People first
What you see is what you get
[Diagram: pull request listener, then sync]
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
https://argoproj.github.io/argo-cd/
03 The sorrow of GitOps: sensitive information & the image mystery
The sorrow of sensitive information
- Sealed Secrets
- Helm Secrets
- Kamus
- SOPS (gpg)
- Vault
SOPS: Secrets OPerationS
https://github.com/mozilla/sops
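The slides list SOPS as one way to keep secrets in Git without committing them in plaintext. The check below, added here as an example and not code from the talk or from the majinghe demo repositories, is the kind of pre-merge guard a GitOps repo would run: it rejects any Kubernetes Secret manifest whose `data`/`stringData` values are not in the `ENC[AES256_GCM,...]` form SOPS writes, or that lacks the top-level `sops:` metadata block. It uses a deliberately simple line-based YAML scan (an assumption, so it runs offline with only the standard library), and the sample manifests and ciphertext strings are constructed for illustration.

```python
"""Refuse Kubernetes Secret manifests that are not SOPS-encrypted.

Added example (not from the talk or its demo repos). Uses a line-based scan
of the manifest instead of a YAML library so it runs with the standard
library only; the sample manifests below are constructed, and the
ciphertext inside the ENC[...] values is made up.
"""
import re

# Shape of a scalar after `sops -e`: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")
TOP_KEY = re.compile(r"^([A-Za-z_][\w.-]*):\s*(.*)$")     # unindented mapping key
CHILD_KEY = re.compile(r"^\s+([\w.\-/]+):\s*(.*)$")       # indented mapping key


def scan_secret_manifest(text: str) -> list[str]:
    """Return findings for a single-document manifest; [] means it may be committed.

    Only documents with `kind: Secret` are inspected. Every entry under
    `data:` or `stringData:` must be a SOPS ENC[...] value, and the document
    must carry the top-level `sops:` metadata block (MAC, key sources, version).
    """
    findings: list[str] = []
    kind = None
    has_sops_metadata = False
    section = None  # "data" or "stringData" while inside that mapping

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        top = TOP_KEY.match(line)
        if top:
            key, value = top.groups()
            section = key if key in ("data", "stringData") else None
            if key == "kind":
                kind = value.strip().strip('"')
            elif key == "sops":
                has_sops_metadata = True
            continue
        if section:
            child = CHILD_KEY.match(line)
            if child:
                key, value = child.groups()
                value = value.strip().strip('"')
                if not ENC_VALUE.match(value):
                    # base64 in `data:` is encoding, not encryption
                    findings.append(f"{section}.{key}: plaintext value")

    if kind != "Secret":
        return []  # ConfigMaps, Deployments etc. are out of scope here
    if not has_sops_metadata:
        findings.append("missing top-level sops metadata block")
    return findings


# Constructed sample: a Secret committed as plain base64 (what GitOps must avoid).
PLAINTEXT_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  username: YWRtaW4=
  password: cGFzc3dvcmQxMjM=
"""

# Constructed sample in the shape `sops -e` produces (ciphertext is made up).
SOPS_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  username: ENC[AES256_GCM,data:AbCd12==,iv:Zm9v,tag:YmFy,type:str]
  password: ENC[AES256_GCM,data:EfGh34==,iv:YmF6,tag:cXV4,type:str]
sops:
  mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
  version: 3.7.1
"""

# Constructed sample: not a Secret, so the check does not apply.
CONFIGMAP = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: info
"""

if __name__ == "__main__":
    for name, doc in [("plaintext", PLAINTEXT_SECRET), ("sops", SOPS_SECRET), ("configmap", CONFIGMAP)]:
        result = scan_secret_manifest(doc)
        print(f"{name}: {'OK' if not result else result}")
```

Run as a pre-commit hook or a Tekton task over every changed manifest; the ArgoCD side then only ever sees encrypted values in Git, and decryption happens at sync time through the SOPS plugin the linked argocd-sops repo demonstrates.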
The image mystery
Some say money makes people happy, but never say where the money comes from;
ArgoCD: give me an image and I will deploy it for you automatically, but I do not care where the image comes from
Tekton: turning source code into an image
04 The GitSecOps system
05 Reflections on GitSecOps
Reflections
- Talk is cheap, just show the code
- Security is everyone's responsibility and needs everyone's participation
- There is no once-and-for-all security, only action that never stops
- The cloud-native future is already here, and open source is the huge driving force behind it
https://github.com/majinghe/argocd-sops.git
https://github.com/majinghe/tekton-demo.git
https://github.com/majinghe/GitOps-demo.git
https://github.com/majinghe/Demo.git
Demo
THANKS