Argo CD and Flux Are CNCF Grads: But What Now?
Argo CD and Flux achieving CNCF graduation status definitely represents a solid nod to GitOps’ viability in the community. But now that both projects have reached this milestone within a few days of each other, what does this mean for the community, and how will it change the user experience?
Obviously, GitOps is deemed a central component for Kubernetes deployments. But will this change the course of GitOps in substantive ways as the projects join the ranks of 19 other projects, including Envoy and, of course, Kubernetes?
.@fluxcd was created as an internal @weaveworks project to help deploy services from Git. In 2019 we donated it to @CloudNativeFdn as a sandbox project, then promoted to incubation status in 2021. Now #Flux has graduated as the 1st #GitOps project 🎉 https://t.co/ICDu5XmGOX pic.twitter.com/ZAOYtcyzEx
— Weaveworks (@weaveworks) December 5, 2022
Argo CD’s and Flux’s proponents, main contributors and maintainers say the graduation represents a major milestone. This is because graduation is a big “safe to use at scale” signal, said Alexis Richardson, founder and CEO of Weaveworks, a leading GitOps provider for CI/CD for Kubernetes for Flux (Richardson is also credited with inventing the term GitOps).
The process involved 12 to 18 months of top-level enterprise and “hyperscale due diligence,” covering security, scalability, multitenancy, community and usability, Richardson told The New Stack. “The standard could not really be any higher and so the result is a massive vote of confidence,” he said.
Indeed, the graduation status should help to continue the momentum of the adoption of the projects, while leading to improvements to security and governance for Argo CD, Flux and GitOps in general (more about this below).
“Graduation is meant to symbolize a product ‘crossing the chasm,’ so the tools need to be mainstream in order to have done that,” said Dan Garfield, co-founder and chief open source officer at Codefresh, which is a main Argo CD maintainer, along with Intuit, Akuity, BlackRock and Red Hat. “This is really a measurement of adoption though it’s not a hard number.”
On a macro scale, the graduation means that the two largest GitOps providers have evolved to meet the changing requirements of Kubernetes environments as cloud native infrastructure and deployments gradually mature. After all, it’s hard to find organizations developing and deploying applications on any scale that do not use either Argo CD or Flux, Torsten Volk, an analyst for Enterprise Management Associates (EMA), told The New Stack. “The graduation now allows enterprise DevOps teams to pull out the stops when it comes to Argo- and Flux adoption, as they have now been deemed ‘safe to use’ at a large scale,” Volk said. “To underline this statement, the Argo and Flux teams have shown their ability to quickly and decisively deal with security challenges that were thrown in their way in 2022, which was important and at the same time impressive to observe.”
There has been a lot of discussion about what GitOps is and what it is not, some of which is contradictory. For the purposes of this article, as the “single source of truth” — Richardson originally coined this phrase — the Git repository contains the application configuration definitions as code, reflecting the state of what applications or Kubernetes cluster configurations should be. The desired state of applications in Git is pulled automatically and is continuously monitored and reconciled with the running applications.
Both Garfield and Richardson referred to opengitops.dev for what they say is the industry definition, as the organization’s definition helps to ensure “there is a canonical source for GitOps,” Garfield says.
GitOps operators like Argo CD and Flux monitor Git as the immutable source of truth for the desired state and apply that desired state to the actual state. The immutable structure of Git also automates changes to applications and code in clusters when vulnerabilities are discovered — as they invariably will be — during runtime. Likewise, if someone were to modify runtimes directly, such as would happen during a security breach, GitOps operators will automatically detect these changes and overwrite them with the desired state in Git.
GitOps tools such as Flux and Argo CD continuously monitor application definitions and configurations defined in a Git repository and compare the specified state of these configurations with their live state on the cluster. Argo CD reports any configurations that deviate from their specified state. These reports allow administrators to automatically or manually resync configurations to the defined state. Again, Git always serves as the single source of truth.
“In 2022, organizations have collectively learned that there is no alternative to a declarative, immutable, and fully automated approach toward managing the DevOps pipeline,” Volk said. “Each time we allow gaps in the pipeline we introduce incalculable operational risk into our organization, which is no longer acceptable as we are scaling up cloud native application platforms.”
Argo CD vs. Flux
Both Argo CD and Flux have their uses and variances, which have been previously covered. That said, Argo CD — like Flux — takes advantage of the history available in Git to make it possible to easily audit the change history or revert to previously working versions before a breaking change was applied. That means faster recovery from failure and more confidence in releasing new software, Garfield said.
Argo CD is critical for organizations to minimize the risk of experimentation as it makes it easy and therefore reliable to roll back any changes to deployment code, application code, or infrastructure code. “This becomes especially interesting when talking about the introduction or enhancement of machine learning models as part of an application,” Volk said. “Argo leverages Kubernetes container orchestration to run compute-intensive training jobs in parallel and without slowing down the rest of the pipeline. This helps organizations adopt machine learning capabilities without risking the health and performance of their DevOps pipelines.”
Flux generally reverts drift automatically. On each reconciliation interval it reverts any drift for the resources that it manages, and Flux can also be configured to send a notification every time its controller applies a configuration change, stating which resource has been changed, Richardson said. “There is no manual mode, that would be contrary to the GitOps definition where changes are always automatically applied from the source of truth in a continuous fashion,” Richardson said.
There is “flux reconcile,” which you can run to trigger an early sync, but it runs the same sync that is regularly scheduled, and the definition of GitOps has this reconciliation being done continuously, so any changes the user makes to prevent automatic continuous application will be contrary to GitOps principles, Kingdon Barrett, open source support engineer at Weaveworks, said.
“We definitely do have users in the field who are doing this, and we have a proposal for manually gated changes which would make this formally possible, but the addition of ‘or manually’ here implies to me that users can somehow run Flux in ‘check-only’ mode, receive a notification about the drift, see what has changed and make a decision to revert it, which is not a feature of Flux today. Flux is always enforcing unless it is suspended/disabled.”
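The drift behavior described above, expressed as configuration (an added example, not taken from the article or from either project's documentation). The repository URL, resource names, namespaces and interval values are constructed placeholders.

```yaml
# Added example; repository URL, names and namespaces are constructed placeholders.
# Argo CD: with no syncPolicy.automated block, drift is only reported (OutOfSync)
# and an administrator resyncs manually. selfHeal makes Argo CD revert live
# changes itself; prune removes resources that were deleted from Git.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: payments
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://git.example.com/platform/payments-config.git
    targetRevision: main
    path: overlays/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: payments
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
---
# Flux: the source is polled and the Kustomization is re-applied every interval,
# so drift on managed resources is reverted without a manual step.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: payments-config
  namespace: flux-system
spec:
  interval: 1m
  url: https://git.example.com/platform/payments-config.git
  ref:
    branch: main
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: payments
  namespace: flux-system
spec:
  interval: 10m        # how often the desired state is re-applied and drift corrected
  prune: true
  suspend: false       # setting this to true pauses enforcement for this resource
  sourceRef:
    kind: GitRepository
    name: payments-config
  path: ./overlays/prod
```

When reviewing a cluster, Argo CD Applications without `selfHeal` and Flux Kustomizations left with `suspend: true` are the places where a direct change to the live state will persist instead of being overwritten from Git.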
Organizations typically view Argo and Flux as two competing platforms with developers preferring the usability and simplicity of Argo and platform operators liking Flux as their “Swiss army knife” to stay on top of GitOps pipelines, Volk said. “Combining both platforms could be a viable approach toward providing operators with the ability to ensure complete compliance control through continuously synching entire app environments with their source code while developers could use Argo to easily define, deploy and track their application code on top of Kubernetes clusters controlled by Flux,” Volk said.
However, Flux and Argo have a different approach to GUIs, Richardson noted. Flux has an API-led approach that enables multiple GUIs. Platforms such as Weaveworks, AWS, Azure and D2IQ provide GUIs that are integrated with their own security and workflows, he said, adding Weave GitOps is “the main open source GUI.”