Introduction to GitOps
Coined by Weaveworks, GitOps is a delivery model for deploying Kubernetes applications and for monitoring and managing container clusters, using Git as the source of truth. The GitOps model initially started with four fundamental principles:
- The apps and container infrastructure should be configured declaratively in Git.
- All the declaration updates should be versioned.
- All the approved versions should be immediately applied to the target clusters.
- Software should monitor and notify any divergence between defined declarations in Git and the target cluster. Automatic reconciliation between the source and destination must happen after that.
Over time, the definition of the GitOps methodology has evolved to provide a self-service developer experience by automating CI/CD so that changes are released into production quickly, reliably, and at scale.
Some standard open-source tools which are used for implementing GitOps are:
In this article, we will discuss and compare the two tools considered for practicing GitOps, Argo and Flux, and highlight which is more suitable for enterprise delivery.
Intro to Argo CD and Flux CD
Argo CD is a declarative continuous delivery tool for Kubernetes applications. It uses the GitOps style to create and manage Kubernetes clusters. When any changes are made to the application configuration in Git, Argo CD will compare it with the configurations of the running application and notify users to bring the desired and live state into sync. Argo is a graduated CD project of the Cloud Native Computing Foundation (CNCF).
Flux is also an open-source solution for GitOps. It was created by Weaveworks and is currently a CNCF graduated project. Flux is Kubernetes-native and keeps clusters in sync with the configuration defined in the source.
Flux has a command line interface (CLI) first approach, so it does not offer a UI for app onboarding and deployments.
Comparison between Argo and Flux
DevOps, SecOps, and platform teams usually evaluate GitOps solutions for their CI/CD process against specific criteria. We have selected criteria for comparing Argo and Flux that will help the IT team determine the best GitOps tool and adopt it quickly.
We have compared Argo and Flux on six criteria: GitOps deployment, security and policies, visibility and observability, user experience, community support and popularity, and extensibility.
Tabular comparison: Argo CD vs Flux CD
Argo and Flux provide the basic functionality for GitOps-style deployment, such as connecting with source code management tools like Git and Bitbucket and deploying applications to target clusters. Both tools offer regular reconciliation of the declared state and target cluster to avoid configuration drifts.
Note: Argo and Flux differ in getting started with GitOps (installing and implementing GitOps), but the functionality is the same.
When it comes to supporting various deployment mechanisms, Argo and Flux both support plain vanilla manifest deployments, Helm charts, Kustomize apps, and Jsonnet files. They both support deploying application and container configurations to the target environments. You can deploy into multiple clusters in a multi-cloud setup using Argo or Flux.
Regarding image updates in the registry, Flux and Argo are equipped with an image updater that can be used to update the manifest files in Git. So you can use either of these tools to scan container registries such as Docker, identify the latest image based on conditions like the semantic version, and then update the Kubernetes manifest files with the latest image. After that, the new changes in the YAML can be synchronized with the target cluster. This feature makes Argo and Flux compatible with any CI/CD pipeline and makes deployments more autonomous.
Compared to Flux, Argo offers an intuitive UI for carrying out all source repository configuration and deployments.
Progressive delivery is another critical capability that platform engineers look for, so that they can roll out applications gradually and reduce the negative impact or degradation of user experience. The idea is to send a small portion of the production traffic to a newly deployed application and gradually redirect more traffic based on the performance and behavior of the new deployment.
Argo and Flux provide rollout strategies such as canary and blue/green. To deploy using rollout strategies, Argo provides Argo Rollouts, while Flux provides Flagger. Both tools offer runtime traffic splitting and switching through integrations with open-source service mesh software (such as Istio, Linkerd, AWS App Mesh, etc.) and ingress controllers (such as Envoy API gateway, NGINX, Traefik, etc.).
Both tools provide metrics analysis (throughput, CPU utilization, etc.) for validating a canary's performance. They provide CRDs to analyze metrics collected from monitoring or APM tools. Both Argo and Flux support a range of metrics sources, such as Prometheus, Datadog, Stackdriver, Graphite, and New Relic, to get started with the deployment.
Although metrics analysis is suitable for measuring performance, understanding the behavior of the canary is equally important. Flux does not offer advanced deployment verification of new releases. But with Argo Rollouts, you can conduct a holistic risk assessment of new releases using logs and metrics before increasing the traffic to the canary release.
In case of any anomalies in the new deployment or degradation of the health of the containers, Argo and Flux can help you roll back to older versions instantly. Both Argo and Flux provide alerting and notification capabilities for real-time feedback on deployments.
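A canary with a metrics gate of the kind described above, written for Argo Rollouts as an added example that is not from the original article. The application name, image, Prometheus address and the `http_requests_total` metric with its `service` and `code` labels are assumptions.

```yaml
# Added example: names, image, Prometheus address and metric labels are assumptions.
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
  name: http-success-rate
spec:
  args:
    - name: service-name
  metrics:
    - name: success-rate
      interval: 1m
      count: 5                      # take five measurements, one per minute
      failureLimit: 1               # a second failed measurement fails the analysis
      successCondition: result[0] >= 0.99
      provider:
        prometheus:
          address: http://prometheus.monitoring.svc:9090
          query: |
            sum(rate(http_requests_total{service="{{args.service-name}}",code!~"5.."}[2m]))
            /
            sum(rate(http_requests_total{service="{{args.service-name}}"}[2m]))
---
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: checkout
spec:
  replicas: 10
  selector:
    matchLabels: {app: checkout}
  template:
    metadata:
      labels: {app: checkout}
    spec:
      containers:
        - name: checkout
          image: registry.example.com/shop/checkout:1.4.2
  strategy:
    canary:
      steps:
        - setWeight: 10             # without a traffic router this is approximated by replica count
        - analysis:                 # blocking step: a failed analysis aborts the rollout
            templates:
              - templateName: http-success-rate
            args:
              - name: service-name
                value: checkout
        - setWeight: 50
        - pause: {duration: 10m}    # after the last step the canary is fully promoted
```

When the analysis fails, the rollout is aborted and traffic returns to the stable version, which is the rollback behavior described above.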
Security and Policy integration
Security is the top criterion for large organizations across North America, which want to avoid introducing any vulnerability into their production systems. SecOps will place more emphasis on ensuring that a platform is secured with proper authentication and authorization mechanisms for production usage. Along with application security, they want to implement more robust policy and governance in their software delivery process so that no vulnerability is introduced into production accidentally.
Argo CD and Flux CD offer authentication, authorization, and secrets management to make the platform more secure for developer self-service.
Flux depends primarily on Kubernetes RBAC and does not add an RBAC layer of its own on top of Kubernetes. Argo supports more fine-grained application permissions and a read-only mode for production systems, without giving users Kubernetes access to the resources.
Here are a few security capabilities Argo provides:
1. Argo provides SSO integration for stronger authentication. It provides OIDC connectors for Okta, Google SSO, OAuth, LinkedIn SSO, etc.
2. Apart from granular privilege access to clusters and other resources, Argo provides basic RBAC with two modes, read-only and unrestricted access, for smaller and startup teams. One can also extend the built-in RBAC policies for:
   a. Resources: clusters, projects, applications, repositories, certificates, keys, logs, accounts, etc.
   b. Actions: get, create, update, delete, sync, override, etc.
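A least-privilege extension of the built-in roles, using the resources and actions listed above in Argo CD's `argocd-rbac-cm` ConfigMap. This is an added example, not configuration from the original article; the `payments` project, the role name and the SSO group names are assumptions.

```yaml
# Added example: project, role and group names are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Authenticated users with no other grant fall back to the built-in read-only role.
  policy.default: role:readonly
  # Match the "groups" claim from the SSO provider against the g lines below.
  scopes: '[groups]'
  policy.csv: |
    # p, <role>, <resource>, <action>, <project>/<object>, <effect>
    # Release engineers may view and sync applications in the payments project only.
    p, role:payments-deployer, applications, get, payments/*, allow
    p, role:payments-deployer, applications, sync, payments/*, allow
    p, role:payments-deployer, logs, get, payments/*, allow
    # No create, update, delete or override: changes must arrive through Git.

    # g, <SSO group>, <role>
    g, payments-release, role:payments-deployer
    # Keep the unrestricted built-in role for a small platform group.
    g, platform-admins, role:admin
```

Anything not explicitly allowed for `role:payments-deployer` is refused, apart from what `policy.default` grants to every authenticated user.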
Moving to policy and governance, Flux has no provision for inserting security and compliance checks as part of the software delivery policy. Argo CD provides minimal capability to ensure that all apps have undergone checks before being deployed into target clusters.
However, with both Argo and Flux, the admission control mechanisms of Kubernetes can be used to provide policy controls for deployments. And if you are using Argo Workflows, you can introduce policy checks into the CI/CD workflow.
OpsMx provides ISD for Argo so that DevOps and SecOps teams can create policy gates in GitOps-style delivery. ISD for Argo connects with Open Policy Agent (OPA) to validate these policies at runtime and decide whether to roll forward with reconciliation or notify stakeholders about the potential deployment risk. A few examples of procedures that can be defined in ISD for Argo are:
- Deployment freeze time or blackout window period
- Failing deployments that have not passed tests or are not approved by stakeholders
- Pre-deployment checks for new changes, such as containers must contain UB8 images, load balancer ports should run in a certain number of ports, etc.
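The Kubernetes admission control route mentioned above works the same way under Argo or Flux, because both apply manifests through the API server. The following added example (not from the original article, and not ISD or OPA configuration) enforces a pre-deployment image check with a ValidatingAdmissionPolicy, which is available as `admissionregistration.k8s.io/v1` from Kubernetes 1.30; the registry prefix, policy names and namespace label are assumptions.

```yaml
# Added example: registry prefix, names and the namespace label are assumptions.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: approved-registry-only
spec:
  failurePolicy: Fail               # reject the request if the policy cannot be evaluated
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments", "statefulsets", "daemonsets"]
  validations:
    - expression: >-
        object.spec.template.spec.containers.all(c,
          c.image.startsWith('registry.example.com/approved/'))
      message: "containers must use images from registry.example.com/approved/"
    - expression: >-
        !has(object.spec.template.spec.initContainers) ||
        object.spec.template.spec.initContainers.all(c,
          c.image.startsWith('registry.example.com/approved/'))
      message: "initContainers must use images from registry.example.com/approved/"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: approved-registry-only-production
spec:
  policyName: approved-registry-only
  validationActions: ["Deny"]       # block the apply instead of only warning or auditing
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: production
```

A manifest that violates the policy is rejected when the GitOps tool applies it, so the failed sync and the policy message appear in the tool's own status and notifications.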
Visibility and observability
End-to-end visibility and observability of deployments are essential for providing a holistic experience to developers and necessary for DevOps and platform teams. UI is critical for IT organizations that prefer low-code or no-code deployment approaches.
Flux does not provide a UI out of the box. There is a Git project for a Flux web UI, but it is not popular, and there is hardly any contribution. One can download enterprise UI extensions from Weaveworks and check out the Flux ecosystem.
Compared to CLI-first Flux, Argo provides a fantastic UI for repo configurations, app onboarding, secret management deployment, and practically everything one needs for GitOps-style delivery.
When it comes to observability, getting a clear picture of application status, deployment history, and audit records is very important for Ops team leads and project managers. With Argo CD, one gets all deployment-related information in a single pane without needing to log into each Kubernetes cluster to find it.
The below image represents the UI of OpsMx ISD for Argo, which fetches the data from various Argo instances in an enterprise and provides application, cluster, and deployment information.
Community support and popularity
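Many companies consider an open-source tool's community support and overall popularity before considering production usage. Argo CD is the most popular GitOps tool, with many engineers contributing to the project. This implies that Argo will see more innovation and more granular feature development. Argo has almost 195,481 contributions as of 20th Jan 2023. Other market signals (refer to the Google trends graph) indicate that Argo CD is becoming more popular over time. To date (24th Jan 2023), 350+ large enterprises have installed and adopted Argo CD for GitOps-style deployment.
Apart from the size of contributions, if you also consider the diversity of contributors, Argo leads the pack. Contributions are made by large enterprises such as Intuit, Red Hat, Walmart, and Google.
Argo CD and Flux CD are modular and extensible, so you can use their APIs to build extensions suitable for your enterprise needs. But since the Argo project is already very popular, many products and components have emerged to help developers and DevOps. Some unique products under the Argo project are:
- Argo Workflows, to create CI/CD pipelines for Kubernetes deployment.
- Argo Events, an event-based dependency manager for Kubernetes. Using Argo Events, DevOps engineers can define multiple dependencies from various event sources like webhooks, S3, schedules, streams, etc., and trigger Kubernetes objects after successful events. Secondly, Argo CD also supports the CNCF standard format CDEvents out of the box. (CDEvents is a CNCF project developed as a vendor-neutral specification of event data to increase interoperability across services, platforms and systems.)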
- Argo Workflow to create CI/CD pipelines for Kubernetes deployment.
- Argo Events, an event-based dependency manager for Kubernetes. Using Argo Events, DevOps engineers can define multiple dependencies from various event sources like webhook, s3, schedules, streams, etc., and trigger Kubernetes objects after successful events. Secondly, ArgoCD also supports CNCF standard format CDEvents out of the box. (CDEvents is a CNCF project developed for vendor neutral specification of event data to increase interoperability across services, platforms and systems)
- Argo Notification, to continuously monitor Argo apps and trigger notifications to users and managers about any changes to the application state.
OpsMx provides ISD for Argo and an add-on module to extend open-source Argo for enterprise usage from Day 1. You can find all the integrations provided by OpsMx on top of Argo.
Final Summary of Argo CD vs Flux CD
We have evaluated two popular open-source GitOps tools, Argo and Flux, on six dimensions: GitOps delivery, rollout strategies, security and policy enforcement, community support, and extensibility. Both tools provide broadly similar features for implementing the GitOps process, and you can get started quickly with either Argo or Flux for Kubernetes app deployment.
However, Argo CD will have greater enterprise acceptability because of its intuitive UI, diverse contributors, and more substantial community support.
If you want to save all the hassle and get started with enterprise-wide GitOps deployment, then use OpsMx Intelligent Software Delivery (ISD) for Argo, which comes with all the bells and whistles for the security and scale requirements of your software delivery. A free trial of ISD for Argo is available.
OpsMx also provides an Argo Center of Excellence (COE) for enterprises needing expert services or consultation on Argo CD and Argo Rollouts implementation to expedite their GitOps journey. If you want to get started with GitOps deployment for hundreds of microservices into multiple clusters across the cloud but not at the cost of installing, implementing, and maintaining Argo, then please contact us.