
Agenda

● Why GitOps? What problem is it solving?
● RedHat & GitOps
● GitLab & GitOps
● Use Cases
Why GitOps?

About me

Daniel Marquard
Sr. Defense Solutions Architect
@danielmarquard
gitlab.com/danielmarquard
linkedin.com/in/danielmarquard

What is GitOps?

GitOps is an operational framework that takes DevOps best practices used for application development, such as version control, collaboration, compliance, and CI/CD, and applies them to infrastructure automation.

IaC...why bother?

Repeatability
● Automation
● Deploy to 1 environment or 1,000
● Consistency

IaC is self-documenting
● Manually-configured resources are black boxes
● No need for infrastructure documentation beyond diagrams
● Through git and change control policies, infrastructure changes are tracked over time

IaC enables idempotence
● Provides control, regulation, and predictability
● Consistent behavior across all deployments
● Underlying defects impact all or none
● Bug fixes apply to all

Idempotence (/ˌaɪdəmˈpoʊtəns/): the property of certain operations in mathematics and computer science whereby they can be applied multiple times without changing the result beyond the initial application.

GitOps = IaC + MRs + CI/CD

GitOps vs IaC

GitOps:
● Code is stored in a git repository
● Change is enacted via Merge Request
● Code is scanned for security and best practices
● Infrastructure updates are automated

IaC:
● Code may or may not be version controlled
● Code changes may or may not go through a review/approval process
● Changes can be applied many ways (FTP or SSH to the server, manual command-line runs, etc.); they may or may not be automated

Components of GitOps: IaC, MRs, CI/CD

GitOps: Environments stored as code in Git (IaC)
● Infrastructure as Code (IaC) or X-as-Code (XaC: infra, config, policy, etc.)
● Declarative code describes the desired state
● Stored in Git version control
● Git tooling as the UI

GitOps: MRs as the agent of change (MRs)
● Merge Requests (MRs) or Pull Requests (PRs) are the “gate”
● Main branch == production branch (Default, Trunk, “main”, etc.)
● Code review, collaboration, and approvals

GitOps: Automated Reconciliation (CI/CD)
● Continuous Integration and Continuous Delivery (CI/CD) as a “reconciliation loop”
● CI/CD runs as a reconciler loop; it can be agent-based (pull) or agentless (push)
● When the infrastructure state is out of sync with the definition, CI/CD updates the infra to match the definition in Git
● Changes are implemented automatically (no manual updates)
GitOps challenges to adoption
● Operations engineers need to adopt a developer-centric view of their work
● Need a sophisticated level of deployment automation
● Not all operations belong in git
○ Observability tools
○ Feature flags
○ Incident management

GitLab and GitOps
GitLab is the most popular solution for the Enterprise

COMPANY
- Incorporated in 2014
- 1300+ employees across 65 countries
- GitLab Federal entity est. in 2018

BROAD ADOPTION
- 100,000+ organizations
- Millions of users
- 70% share of self-managed DevOps repository market

STRONG COMMUNITY
- Open source model
- 2,500+ code contributors
- 10,000+ total contributors

GitLab recognized as a Leader
Forrester: CI / Forrester: Cloud Native CI
The only non-cloud provider to be a leader.
“GitLab’s vision is to serve enterprise-scale, integrated software development teams” - The Forrester Wave™: Continuous Integration Tools, Q3 2017 report
(Wave chart; labeled vendors: GitLab, Jenkins)

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Today’s Mission Challenge - Complex Toolchains Reinforce Silos

Manage · Plan · Create · Verify · Package · Secure · Release · Configure · Monitor · Defend

Say hello to GitLab - an entirely new thing

GITLAB IS REPLACING POINT TOOLS…
● Project management
● SCM
● CI/CD
● Issue tracking
● Container registries
● Logging
● Dependency scanning
● License management

…AND ENABLING ENTIRELY NEW CAPABILITIES
● Concurrent development
● Moving security forward (SecDevOps)
● Seamless collaboration
● Full accountability
● Cycle time measurement
● Transparency
● Real-time feedback
● ...

A single, intuitive user experience, data model and integrations


Built from the ground up as a single application
200% faster DevSecOps lifecycle
Personas: Developers, Product Management, Quality Assurance, Security, Operations, Infrastructure
✔ Single Conversation ✔ Single Data ✔ Single Permission Model ✔ Single Interface ✔ Governance & Security ✔ Team Collaboration ✔ Lifecycle Analytics
Stages: Manage · Plan · Create · Verify · Package · Secure · Release · Configure · Monitor · Defend (Store / Collaborate / Automate)

How GitLab does GitOps
Diagram: Testing/Lab (Lint/Syntax → Validate → Dry Run) → Production Configuration
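The lint / validate / dry run / production configuration flow on this slide, expressed as a .gitlab-ci.yml for a Terraform-managed environment. This is an added example written for this page; it is not from the deck and not one of GitLab's own templates. It assumes the Terraform code lives in a terraform/ directory with its state backend already configured there, that the runner can pull the hashicorp/terraform image, and that the project has access to the GitLab SAST and Secret Detection templates; the job names, the image tag and the environment name are also assumptions.

```yaml
# Added example: GitLab CI pipeline for a Terraform-managed environment.
# Assumes the Terraform code is under terraform/ and its state backend is configured there.
stages:
  - lint
  - validate
  - plan
  - apply

# Security scanning runs in the same MR pipeline, so findings gate the merge alongside lint and plan.
include:
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml

variables:
  TF_ROOT: terraform
  TF_IN_AUTOMATION: "true"            # Terraform drops interactive hints from its output

default:
  image:
    name: hashicorp/terraform:1.5.7   # assumed tag; pin whatever version the team has approved
    entrypoint: [""]                  # the image's entrypoint is `terraform`, which would swallow `script`

# Two kinds of pipeline only: merge-request pipelines (review + dry run) and
# pipelines for the default branch after the merge (reconcile). Nothing else runs.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

.terraform-base:
  before_script:
    - cd "$TF_ROOT"
    - terraform init -input=false

# Lint/Syntax: formatting is enforced, not just reported.
lint:
  stage: lint
  script:
    - terraform fmt -check -diff -recursive "$TF_ROOT"

# Validate: catches type and reference errors without touching any provider.
validate:
  stage: validate
  extends: .terraform-base
  script:
    - terraform validate

# Dry Run: the saved plan is what reviewers read in the MR; nothing is changed here.
plan:
  stage: plan
  extends: .terraform-base
  script:
    - terraform plan -input=false -out=plan.tfplan
    - terraform show -no-color plan.tfplan > plan.txt
  artifacts:
    paths:
      - terraform/plan.tfplan
      - terraform/plan.txt
    expire_in: 1 week

# Production Configuration: exists only in default-branch pipelines, i.e. after the MR
# was approved and merged, and applies the plan produced by this same pipeline.
# resource_group serialises applies so two merges cannot reconcile concurrently.
apply:
  stage: apply
  extends: .terraform-base
  script:
    - terraform apply -input=false plan.tfplan
  resource_group: production
  environment:
    name: production
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

On a merge request the pipeline stops after `plan`, and the saved plan output is what reviewers read before approving; the `apply` job exists only in pipelines for the default branch, so the merge itself is the change event, and the `resource_group` keeps two merges from applying at the same time. Adding `when: manual` to the `apply` rule turns it into a deploy gate if a second human step after the MR is wanted.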

GitLab Secure Capabilities - Continuous Application Security
● Container Scanning
● Dependency Scanning
● License Management
● Secrets Detection
● Static Application Security Testing (SAST)
● Dynamic Application Security Testing (DAST)
● API Fuzzing
● Coverage Fuzzing

Security Testing Built into Merge Requests


GitLab is the first single application for the entire DevOps lifecycle

Code Repository
Source code management is where development team sharing and collaboration begins. GitLab is a Git-based fully integrated platform for software development.

● Collaborate
○ Review, comment, and improve each other’s code
○ Share code, enable re-use and ‘innersourcing’.
○ File locking prevents conflicts
○ Included WebIDE enables development on any platform
● Accelerate
○ Git-based repository, enabling developers to work from their local copy of the code
○ Branch code, make changes and then quickly merge code
● Compliant & Secure
○ Review, track and approve code changes with powerful merge
requests
○ Automatically scan for code quality and security with every commit.
○ Simplify auditing and compliance with granular access controls and
reporting

CI/CD
GitLab Continuous Integration (CI) & Continuous Delivery / Deployment (CD).
● Advantages of GitLab CI/CD
○ Integrated: CI/CD is part of GitLab, enabling a single conversation from
planning to deployment.
○ Open source: CI/CD is a part of both the open source GitLab Community
Edition and the proprietary GitLab Enterprise Edition.
○ Easy to learn: Well documented with examples and our Quick Start
guide.
○ Seamless: Single great UI/UX for your team.
○ Scalable: Test run distributed on separate machines of which you can
add as many as you want.
○ Faster results: Each build can be split into multiple jobs that run in
parallel or multiple machines.
○ Optimized for delivery: Multiple stages, manual deploy gates,
environments, and variables.

CI/CD
GitLab Continuous Integration (CI) & Continuous Delivery (CD).
● One Application for the entire DevSecOps lifecycle
○ Build your app using GitLab Runners
■ GitLab Runner is an application which processes builds. It can be deployed separately and works with GitLab CI/CD through an API.
● Works on any platform that can build Go binaries, including Linux, macOS, Windows, FreeBSD and Docker.
● Tests programming languages such as .Net, Java, Python, C, PHP, and others.
● Feature rich with autoscaling, great Docker support, and the ability to run multiple jobs concurrently.
○ Run unit and integration tests to check that code is valid
○ Live preview of development branches with Review Apps before merging into stable.
○ Deploy to multiple environments like staging and production, and support advanced features such as canary deployments.
○ Monitor performance and status of your application
○ Built for Cloud Native with Kubernetes integration
○ See the status of each build within the Merge Request
Issue Management
Plan and manage projects. GitLab enables lean and agile project
management from basic issue tracking to Scrum and Kanban style project
management that scales from small teams to large complex organizations.

● Track & manage issues
○ Collaborate and define specific business needs with Issues / User
Stories.
○ Track ownership, effort, size, complexity and priority of resolution.
○ Eliminate silos and enable cross-functional engagement.
● Agile project management
○ Manage sprints with Milestones and Burndown Charts.
○ Track your backlog with issue lists and Labels for filtering and
prioritization.
● Visualize work with Issue Boards
○ Visualize the status of work across the lifecycle.
○ Manage, assign and track the flow of work.
○ Enable Kanban and Scrum styles of agile delivery
● DevOps pipeline traceability
○ Link issues with actual code changes in merge requests
○ Visualize and track the status of builds, testing, security scans, and delivery
Issue Management
Agile Portfolio Management. GitLab helps you manage and govern
portfolios of agile projects.

● Plan future work with Epics
○ Organize new initiatives and efforts into Epics
○ Plan sub-epics and issues into sprints and milestones
● Roadmaps visualize value delivery
○ Prioritize and visualize sequence of delivery with Roadmaps.
○ Communicate plans, timing, and strategic flow
○ Maintain visibility from strategic plans to execution
● GitLab uses GitLab to build and deliver GitLab
○ See how we do it with our public GitLab.org project.

Use Cases

Cloud Operating Model - Automated at Scale
GitLab Architecture Sample

1. Terraform sets up K8s clusters in three clouds and registers them to a GitLab Group
2. New managed-apps install via CI kicks off
3. AutoDevOps deploys apps via CI/CD
4. App “migration” by updating App Environment

(Diagram callout: build files here - .tf files)

GitLab Demo Systems

Cloud Platform
GitLab repository for playbooks / configurations and CI pipeline. Issues and Merge Requests to manage changes / iterations.
Terraform is used to create infrastructure.
Ansible is used to install and configure software.

Project demosys-mgmt
● Compute Engine
○ TF + Ansible: Laravel App Server (Portal)
○ TF + Ansible: MySQL Database Server
○ TF + Ansible: Jenkins Instance
○ Module for instances
○ Top-level TF directory for future apps and services
● Cloud DNS
○ TF: Managed Zones
● Network / Virtual Private Cloud
○ VPC Template for All Management Regions
○ TF: VPC
○ TF: Subnets and NAT Gateway
○ TF: Firewall Rules

Project demosys-saas
● Compute Engine
○ TF + Ansible: GitLab Omnibus
○ TF + Ansible: GitLab Runners
○ Module for instances
○ Module for clusters
○ Top-level TF directory for future apps and services
● Kubernetes Engine
○ TF: GitLab Instance-Level Cluster
○ Module for clusters
● Cloud DNS
○ TF: Managed Zones

Embedded Systems
OPENSHIFT FOR EMBEDDED CI/CD
Embedded DevSecOps Big Picture

Diagram: Developer → GitLab Server → Artifact Repository → Release Manager (“Field-worthy?”).
OpenShift CI/CD pipeline (GitLab): Image build & deploy → Promote to digital twin → Promote to HW-in-the-loop → Promote to hardware, with physical separation (current) between the non-production and production sides.

● NON-PROD: OpenShift image registry, OpenShift cluster
○ DEV: traditional SW dev/test
○ DIGITAL TWIN: subsystem HW emulation
○ HW-IN-THE-LOOP: test harnesses, Curtiss-Wright boards, common interfaces (1553, 1760, serial, etc.), Real-Time
● PROD: OpenShift or standalone image registry, OpenShift cluster or container host, Real-Time

Nested CI/CD pipelines: digital-twin iterative development processes prior to HW promotion; airframe-specific iterative development processes.
OPENSHIFT FOR EMBEDDED CI/CD
Embedded DevSecOps POC Scope

● Scope is shifted towards the hardware, beginning with an existing application.
● A well-established and proven DEV pipeline stage ensures the quality and security of the application container prior to deployment, per DoD DSOP guidance.

Diagram: Developer → GitLab Server → Artifact Repository → Release Manager (“Field-worthy?”).
OpenShift CI/CD pipeline (GitLab): Image build & deploy → Promote to HW-in-the-loop → Promote to hardware, with physical separation (current) between the non-production and production sides.

● NON-PROD: OpenShift image registry, OpenShift cluster
○ DEV: cloud / on-prem
○ HW-IN-THE-LOOP: test harnesses, Curtiss-Wright boards, common interfaces (1553, 1760, serial, etc.), Real-Time
● PROD: OpenShift or standalone image registry, OpenShift cluster or container host, Real-Time
OPENSHIFT FOR EMBEDDED CI/CD
Embedded DevSecOps - POC Components

Diagram: Representative application → Application container. Developer → GitLab Server → Artifact/Container Repository (GitLab) → [physical separation] → Promote to hardware.

● CI/CD pipeline for application build and hardening (GitLab + OpenShift), running on an OpenShift cluster
● HW-in-the-loop test (Real-Time)
● Promotion mechanisms (on-ground or in-flight):
○ Manual (via CD)
○ Traditional file transfer
○ Ansible Automation
○ Host-based container management utilities (Podman, Skopeo, etc.)
OPENSHIFT FOR EMBEDDED CI/CD
Embedded DevSecOps POC Workflow

Diagram: Existing application workflow → Application build / hardening pipeline with GitLab and OpenShift (Developer → GitLab Server → Artifact/Container Repository (GitLab)) → HW-in-the-loop tests → [physical separation] → Promote to hardware → Aircraft promotion.

1. Choose an existing application. Minimally adapt the existing development / packaging workflow to use GitLab and OpenShift to output a container image as the final product.
2. Developers use GitLab and OpenShift running in AWS to create a new version of the application by modifying code, and executing a build / hardening / testing pipeline. This results in a container image of that application deposited in the GitLab container repository.
3. Once the application container is built and passes virtual/emulation testing, the HW-in-the-loop environment is triggered to pull the application container image from the GitLab container repository and run it (via Ansible, Podman, Skopeo, etc.). Test suites are run against the application container from a GitLab pipeline to confirm functionality on the target hardware.
4. If the HW tests pass and the designated approver deems the application ready for production, an “aircraft promotion” workflow is initiated.
5. The aircraft promotion workflow of the application container can be as manual or as automated as is feasible (the container image can be written to a CD, secure laptop or via a guard/CDS directly to flightline / near-flightline maintenance systems). Via the above mechanisms, the fully tested and approved application container image is pulled from the GitLab container repository and transferred to the aircraft’s subsystem.
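The build → HW-in-the-loop test → approval → promotion sequence in steps 2-5 above, as an added .gitlab-ci.yml example written for this page (it is not part of the POC or the deck). It assumes a Containerfile at the repository root, runners that can run buildah, podman and skopeo (the quay.io/buildah/stable and quay.io/skopeo/stable images and the hw-in-the-loop runner tag are assumptions), a self-test entry point at /opt/app/selftest inside the container, and an app-approved repository under the project's container registry that receives promoted images.

```yaml
# Added example: build, scan, test on hardware, then promote an application container.
# Image names, runner tag, test command and promotion target are assumptions.
stages:
  - build
  - scan
  - hil-test
  - promote

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  # One immutable candidate tag per commit, so every HIL result maps to a source revision.
  CANDIDATE_IMAGE: $CI_REGISTRY_IMAGE/app:$CI_COMMIT_SHA
  # Promoted images live in a separate repository that only the promote job writes to.
  APPROVED_IMAGE: $CI_REGISTRY_IMAGE/app-approved:$CI_COMMIT_SHA

build:
  stage: build
  image: quay.io/buildah/stable            # assumed image; builds OCI images without a Docker daemon
  variables:
    STORAGE_DRIVER: vfs                    # storage driver that works inside an unprivileged CI container
    BUILDAH_ISOLATION: chroot
  script:
    - buildah login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - buildah bud -t "$CANDIDATE_IMAGE" .   # Containerfile at the repo root (assumed)
    - buildah push "$CANDIDATE_IMAGE"

# Override of the template's job: scan the candidate image before any hardware sees it.
container_scanning:
  stage: scan
  variables:
    CS_IMAGE: $CANDIDATE_IMAGE

# Runs on a runner physically attached to the test harness (runner tag assumed).
hil_test:
  stage: hil-test
  tags:
    - hw-in-the-loop
  script:
    - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - podman pull "$CANDIDATE_IMAGE"
    - mkdir -p hil-results
    # The self-test entry point and its --out flag are assumptions; a non-zero exit fails the job.
    - podman run --rm -v "$PWD/hil-results:/results:Z" "$CANDIDATE_IMAGE" /opt/app/selftest --out /results
  artifacts:
    when: always
    paths:
      - hil-results/

# The "aircraft promotion" step: only on the default branch, only when the designated
# approver starts it, and only for the exact digest that passed the HIL tests.
promote:
  stage: promote
  image: quay.io/skopeo/stable             # assumed image
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
  environment:
    name: aircraft
  script:
    - skopeo login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - DIGEST=$(skopeo inspect --format '{{.Digest}}' "docker://$CANDIDATE_IMAGE")
    - echo "Promoting $CANDIDATE_IMAGE ($DIGEST)"
    - skopeo copy "docker://$CI_REGISTRY_IMAGE/app@$DIGEST" "docker://$APPROVED_IMAGE"
    # Self-contained archive plus checksum for media transfer (CD, secure laptop, guard/CDS).
    - skopeo copy "docker://$APPROVED_IMAGE" "oci-archive:app-approved.tar:app:approved"
    - sha256sum app-approved.tar > app-approved.tar.sha256
  artifacts:
    paths:
      - app-approved.tar
      - app-approved.tar.sha256
```

The promote job copies by digest rather than by tag so that what reaches the approved repository is byte-for-byte the image the HIL runner tested, even if the candidate tag were later rewritten; the oci-archive plus its SHA-256 gives the person carrying the media (or the guard/CDS on the other side) something to verify before the image is loaded onto the subsystem with podman or skopeo.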
GitLab & Ansible
Manage Routers & Switches

GitLab & Ansible - Configuration Management
Diagram: GitLab + Ansible managing configuration across Site A, Site B, Site C.1, Site C.2, Site D, Site E and Site F.

Q&A
