Roc Alayo Arnabat & Sergi Rosell Ferrer - GitOps in Modern Security-Compliant Environments

Discover how a company achieved high security standards by implementing GitOps in a monorepo environment, using Terraform for IaC and GitHub pipelines, with automated testing, validation, and deployment of changes.

Key takeaways
  • The presentation discusses GitOps in a modern security-compliant environment, specifically at a company that required high security standards.
  • The company opted for a monorepo approach using Terraform for infrastructure as code (IaC) and follows a similar pattern for application code with GitHub pipelines.
  • The company created a centralized NAT gateway to manage internal traffic and uses IAM roles instead of static credentials.
  • The security practices include tagging, naming conventions, access control, and versioning of infrastructure files.
  • The company uses a pipeline-centric approach with automated testing, validation and deployment of changes to the infrastructure.
  • Every change is tracked and logged; Argo CD deploys the changes the pipeline detects.
  • The platform is divided into three concepts: capsule (high-level abstraction), module (middle-level abstraction), and runtime (low-level abstraction).
  • The company versions Helm chart values, but does not yet version infrastructure the same way.
  • The security team is aligned and involved in the configuration process.
  • Automated testing ensures changes can be deployed without breaking dependencies.
  • The company uses Terraform's new `terraform test` functionality to test Terraform configurations.
  • The presentation also discusses versioning issues, especially with Helm charts.
  • The pipelines are run in GitHub, and the CI/CD flow is unified for the infrastructure across the company.
  • The company is working with the security team to automate the process and add more checks and balances.
  • Users can act as testers on the company platform and give feedback on the user experience.
  • The company uses Istio for gRPC load balancing in the Kubernetes cluster.
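The following Terraform is an added example, not code from the talk or the company's repository. It shows two of the practices above side by side: a GitHub pipeline identity that is an IAM role trusted via GitHub's OIDC issuer rather than a static access key, and a `terraform test` file that asserts the naming convention, the mandatory tag set and the trust-policy restriction before anything is deployed. The talk summary does not say which federation mechanism the company uses; OIDC is assumed here because it is the standard way a GitHub-hosted pipeline obtains short-lived cloud credentials. The repository name `example-org/platform-monorepo`, the `pipeline-deployer-<environment>` naming rule, the tag keys and the environment list are all assumptions. The two files are shown in one block with their paths in comments; `mock_provider` needs Terraform 1.7 or later.

```hcl
# main.tf -- added example: pipeline identity as an IAM role instead of an access key

variable "environment" {
  type = string
  validation {
    # Naming convention: environments are lower-case, from a fixed set (assumed list).
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be one of dev, staging, prod (lower-case)."
  }
}

variable "github_repo" {
  type        = string
  description = "owner/name of the monorepo allowed to deploy (assumed value)"
  default     = "example-org/platform-monorepo"
}

locals {
  role_name = "pipeline-deployer-${var.environment}"   # <purpose>-<environment>
  common_tags = {                                       # mandatory tag set (assumed keys)
    Environment = var.environment
    ManagedBy   = "terraform"
    Repository  = var.github_repo
  }
}

# GitHub's OIDC issuer. A job exchanges its short-lived ID token for AWS
# credentials, so no access key is stored in repository secrets.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] # verify against GitHub's docs
}

resource "aws_iam_role" "pipeline" {
  name = local.role_name
  tags = local.common_tags
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRoleWithWebIdentity"
      Principal = { Federated = aws_iam_openid_connect_provider.github.arn }
      Condition = {
        StringEquals = {
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          # Only the monorepo's main branch may assume the role; a wildcard
          # subject such as "repo:example-org/*" would hand the role to every repo.
          "token.actions.githubusercontent.com:sub" = "repo:${var.github_repo}:ref:refs/heads/main"
        }
      }
    }]
  })
}

# tests/conventions.tftest.hcl -- run with `terraform test` (Terraform >= 1.7)

mock_provider "aws" {}   # applies against a fake AWS; nothing real is created

variables {
  environment = "prod"
}

run "conventions_hold" {
  assert {
    condition     = can(regex("^[a-z0-9]+(-[a-z0-9]+)*-${var.environment}$", aws_iam_role.pipeline.name))
    error_message = "role name must be lower-case, hyphen separated and end with the environment"
  }
  assert {
    condition     = alltrue([for k in ["Environment", "ManagedBy", "Repository"] : contains(keys(aws_iam_role.pipeline.tags), k)])
    error_message = "mandatory tags missing on the pipeline role"
  }
  assert {
    condition     = strcontains(aws_iam_role.pipeline.assume_role_policy, "repo:${var.github_repo}:ref:refs/heads/main")
    error_message = "trust policy must pin the subject to the monorepo's main branch"
  }
  assert {
    condition     = !strcontains(aws_iam_role.pipeline.assume_role_policy, ":*")
    error_message = "trust policy must not use a wildcard subject"
  }
}

# The validation block is itself exercised: a mis-cased environment name is rejected.
run "rejects_bad_environment_name" {
  command = plan
  variables {
    environment = "Prod"
  }
  expect_failures = [var.environment]
}
```

Running `terraform test` in the pipeline before `plan` and `apply` turns the conventions into a gate: a pull request that renames the role outside the pattern, drops a tag, or loosens the `sub` condition fails in CI rather than after deployment. The subject claim is pinned to `ref:refs/heads/main` so only merged changes can deploy; a pipeline that must run from pull requests would pin `environment:<name>` claims per GitHub environment instead, and should still avoid `StringLike` wildcards on the repository part.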