I'd love a deeper dive in file organization across organization. Kubernetes config, common CRDs, templates, common pipeline steps, etc. Would love to see a vertical slice of full enterprise repo/folder/file structure from the ground up.

I love your chain of thought - I had to fight uphill battles in multiple jobs to *not* use long-lived branches, especially not production branches different from main.

Question Thursday: How many GitOps (ArgoCd) Instances recommended when you staging about multiple environments and different Kubernetes versions? Further details on the scenario: If you have for example 5 environments (Dev, function-test, QA, PreProd, Prod) and around 400 Apps Management by 10 Teams. A major/minor update of the Kubernetes version is not done via in-place update, but via a parallel Kubernetes instance next to the environment and the apps are moved. Is one ArgoCD instance enough? Should you separate Prod and Non-Prod? Should you separate Kubernetes updates in a new ArgoCD? Should you separate GitOps/ArgoCD instances per team or per namespace? Is there antother recommendation if you want to use Argo Workflow or Argo Rollouts. Is it than a good idea to split the Argo Instance between environments Thanks

I actually have a meeting scheduled with colleagues next week to explain exactly this to them - many thanks for creating something that allows me to avoid a 'meeting that should have been a youtube video' 😀

In some projects, we typically use combination of both, we use a seperate overlay for each of the environments to define manifests, but we also use different branches just to have a promotion mechanism between the envs, so these branches should be eventually in sync. We came to this setup after trying both ways, and the branching strategy is only to have a proper promotion mechanism and no other reason.

Thanks for another great video🎉 in my opinion developers should have what they need and care about in their repo. They shouldn't care about the insights of Argo or Flux, but they should know how to run their app. I totally agree that having a separate repo for the desired state is a good idea, I go for separate folders because they are easy to use with environment promotion. It's a pity I can't share the fantastic post Codefresh did about it, KZbin doesn't allow me. This new question and answer format is great 👍

Are you kidding or can you read my search history. I just started today a look up for the topic of the video. Therefore I am very interested and excited to watch your video

I have recently been struggling to work this out for myself, so thanks for the great info! The argocd best practices say "Using a separate Git repository to hold your Kubernetes manifests, keeping the config separate from your application source code, is highly recommended". It seems simpler to keep the application manifests together with the source code and just keep the environment configs in a seperate git repo. Any idea why they so strongly suggest the separation and have you hit any big problems by not doing it? As a gitops noob (but experienced dev), it's really difficult to filter all the online info to build a good dev-to-prod gitops pipeline.

Great video again! Here we use a repository per application, with everything (monorepo...), like backend services code, frontend code, helm charts, etc. We then have a separate repository with helmfile (very great tool) and a directory per environment. As the same team is responsible for test, staging and production environments, no need for separate repos!

We use 3 different approaches. Dir for cluster specific services. Dir for internal apps. Files for common services. And finally, a gitsha to point to last known good config of the common services for controlling when production env gets updated

It would be amazing to se your preferred way to do gotops. With examples. Thanks!

Thanks for the insights! While I loathe helm, it has something that newer "intermediary languages" lack, which is this idea of the chart as a pre-hydrated artifact. You can define your chart in the app repo and push it to oci alongside the docker image, and the gitops repo can "instantiate" it and supply the values at the last mile. Tools like cdk8s go straight from code to fully hydrated yaml, and you're left with having a CI to do a "build step" in your gitops repo to make a build per env, or rely on kustomization overlays which are a bit verbose. I'd be curious to hear your thoughts on ways to represent this 3 step process (intermediary language -> env agnostic artifact -> env specific instantiation) with tools like cdk8s or kcl!

I would love a (visual) example of each way in action to have a better understanding

I once worked for a company which used branches for different environments. Contained Terraform & Manifests. They ended up with multiple "prod" branches somehow.

One other supplementing rule is that ANYTHING that is deployed ANYWHERE should first touch mainbranch. If it's good enough for ev testing - it's good enough for main branch

Love you and your Channel

you can use b ranches for different environment manifests that are mergable - having an environment specific named manifest can exist in all branches but can be targeted in cicd when a commit to the required branch is detected. this would be pretty much the same as the environment specific directories you mention. in this way you can have all manifests mergeable to the main branch and that wont interfere with each other.

Very important topic. And very good video. I have two comments. I think argocd defends spliting the state git repository with all the manifests and the source code it self. They discuss that on their documentation. The other it has to do with oci objects. If we have the config manifests in the source repository, what do you think about pushing them as a package in a pipeline as an oci object and configure flux to use it in the k8s instance git repository?

Nice series!

My question: how do you deal with devbox (global) paths in the nushell? eval "$(devbox global shellenv)" does not work for nushell. I love your videos, thank you for the time and effort!

Some remote repositories integrate CODEOWNERS files into their user auth and pull request approvers. These implementations make keeping a seperate repository not worth the effort. As for branches, if Git Flow was a mistake, then why are we even talking about "GitOps Flow". Directories/files/flagged entrypoints are the right answer to this question.

💯 Separate folders for separate environments (/application sets). Dedicated branches per environment makes me wanna off myself.

Thank you so much for this! Exactly what I have been trying to figure out. I really want to keep the application manifest configuration in the same repo as my app code. I plan to use KCL to create the manifests and abstract away k8 resources while setting good defaults and common config. One thing I am confused on is the deployment process with the gitops repo for my application. Should I publish my app KCL (kinda like helm chart) as a semantic versioned package then render that package in my gitops repo using environment values stored there as input into KCL options? Basically like creating a chart in apps and the values.yaml is in gitops repo, and you render that chart to a folder in the gitops repo instead of directly deploying helm to argo. I am afraid of using argo apps that point directly at the head of the app repo. If I make changes to the KCL code that is not ready for production, I wouldn't want argo to think that it can deploy those changes to prod.

Dear Viktor, please show us how to use Kubebuilder, how to create own CRDs for Kubernetes.

How do you feel about Kargo using branch-per-"rendered manifests" as an option? Their intent I think is to keep all environment configuration in mainline but render the final into an env-specific branch for sync only, i.e. it's never merged back to mainline.

Can I avoid the massive amount of code duplication i.e directories containing basically the same thing?

I don't know if I trust the devs with app manifests in their own repo....

But here are some issues, if you are using Gitlab. That CI workflow will always trigger so lets say you make a new release artifact push then as a result of the new artifact you update your gitops manifest tag. That means the CI workflow will trigger again, though we dont want that because the source did not change?

What would be a viable strategy to enforce promotion through environments? I'm tired of seeing the same modification to both, staging and production environment, in the same PR :(

Why can't we use different branches for different environments while keeping configurations/manifests for different environments in separate folders? One does not necessarily exclude the other. Each environment will 'know' from which folder it should be provisioned, while CI triggers are configured to watch for changes in specific branches. This will make all branches mergeable with one another and make propagation of changes quite trivial and git-driven. I mean, it doesn't necessarily have to be configured like that, but it's definitely a viable option.

Hard disagree on the directories per environment or separate repository. Git is smarter than that, you can perfectly make changes to an environment-specific branch and still merge in new changes from lower environments without them affecting or overwriting the other environment. Directories per environment always ends the same, it's the approach I've seen the most at clients, and it always ends up in a horrible configuration drift between environments, which then it becomes the platform team's problem for some reason. Using git branches has many advantages, and there is not a single reason why you "need" to merge to a mainline branch in Git. It for example allows you to implement specific branch permissions, which for some environments can be a requirement, or you could only allow a bot and a platform/operations team to update versions from a lower env to specific branches in acceptation or production environments, for example a bot that checks if an integration test suite was successfully run. Say you have a development, test and production environment, you start off in your dev branch, with your base application manifests and specific configuration, from there you create a tst branch, where you make the necessary changes to the configuration, from there you branch off to prd to deploy to production and do the same. Any time you then merge changes from dev to tst or from tst to production, will preserve the branch-local changes. If there would be configuration conflicts or env-specific config changes when doing that from dev to tst for example, you branch from your tst environment branch, merge in the lower environment branch, make your changes, and merge that new temporary branch into your tst branch. This ensure your configuration is as close as possible between environments and you don't end up with "but it worked in the dev environment" - which has become the new "it works on my machine". Is it perfect? No, but when having to deal with dozens of development teams deploying hundreds of services, being able to enforce a way of working prevents it from becoming a massive burden on the ops/platform team because dev teams screwed up.