Skip to content

Gitflow for DevOps

Gitflow for DevOps is an agreed workflow for software development and operations teams to manage their software, code and configuration in different environments and stages in a unified way. It is based on the Gitflow branching model and is adapted to the needs of DevOps teams delivering a self-service platform to developers. The model is opinionated but is designed to be a baseline for future extensions.

The Overall Context

The enterprise Acme to own the domain acme.com and have in house operations and development teams.

We define the enterprise Acme to use the following software:

  • OpenShift for Cloud
  • Argo CD for GitOps Deployments
  • GitLab for Software Life Cycle Management
  • Ansible for infrastructure as code
  • Backstage for Inventory Management
  • Active Directory or Entra for IAM

We define the enterprise Acme to build the following software: * Phippy and Goldie are apps that Acme produces. * Phippy is the frontened facing app your clients love. * Goldie is a postgres database operator being a core service of your self-service platform. * Phippy is a one single instance app that runs on one of your production cluster. * Goldie is a one cluster service that runs on one or all the clusters. * Phippy is produced by Team A a team of PHP developers. * Goldie is produced by Team B a team of devops. * Phippy and Goldie are shipped via Argo CD and are wrapped in Helm. * Phippy and Goldie are developed with the same git workflow as well as other parts of infrastructue (ansible, terraform). * Git workflow always produces semver versions that are tested through stages. * semver release versions are controlled and managed through conventionalcommits.

Why to use GitFlow for DevOps?

  • Strong versioning and release management
  • Clear separation of development, staging, and production environments
  • Better collaboration and code review processes
  • Easier bug tracking, hotfix and change management
  • Improved CI/CD integration, goverance and automation
  • Compatible for Multi-agent Collaboration in a Model similar to GasTown
  • A change to an environment / application is a commit of code and configuration bundled in a new version and potentially grouped with other changes.
  • Promotion of a change is decoupled from the point in time of a commit. It is a decision that can be made at any time after the commit and can be automated or manual.

Read more about the anti-pattern of mapping branches to environments for GitOps deployments.

The advantages of GitFlow over trunk-based development for operations teams

  • Allows a fast moving development branch for features and fixes without affecting the stability of the main branch.
  • A clear seperation of development and production
  • Favors scheduled and planned release cycles for governance and compliance, which is crucial for infrastructure and operations teams.
  • Enables better collaboration and code review, promotion processes

Many devops favor trunk-based development for increased agility and faster delivery.

Gitflow Diagram

The following diagramm represents a unified and versioned workflow over all infrastructure projects using IaC ( ansible, terraform ), GitOps Deployments ( Argo CD, Flux ). Gitflow might be not strictly enforced within Acme, but gitflow can be also used in the development of Phippy.

--- config: logLevel: 'debug' theme: 'base' --- gitGraph TB: commit id: "Initial commit" tag: "1.1.0" branch dev checkout dev commit id: "Development setup" branch feat/long-thing checkout feat/long-thing commit id: "feat: Add feature 1" commit id: "Update feature 1" commit id: "Update feature 2" checkout dev branch fix/small-thing checkout fix/small-thing commit id: "fix: Add fix small" checkout dev merge fix/small-thing branch feat/big-thing checkout feat/big-thing commit id: "feat: Something Big" commit id: "Update Something Big" checkout main merge dev tag: "1.2.0" checkout dev merge feat/big-thing checkout main branch hotfix/critical-bug checkout hotfix/critical-bug commit id: "fix: Fix critical bug" checkout main merge hotfix/critical-bug tag: "1.2.1" checkout dev merge main checkout dev checkout feat/big-thing checkout feat/long-thing commit id: "Update feature 3" checkout dev merge feat/long-thing checkout main merge dev tag: "1.3.0"

Types of Software

Diffentiating between different types of software is important to understand the different lifecycles and workflows. The following table gives an overview of the different types of software in the context of a self-service platform for software development and operations.

Abbr Name Purpose
cs Cluster Service A single internal service available in clusters configured by devops
ps Platform Service An instance of a service provided by the platform via operators for applications configured by software developers
app Applications All other software running on the platform and its services

Lifecycle of infrastructure and software components

Definitions

An environment is a set of resources (servers, databases, configurations) where something is deployed.

A stage is a logical, ordered step in a deployment pipeline of a software or infrastructure component.

A release is a software or infrastructure component tagged with a specific version in its lifecycle and tested for the stage prd.

Stages

There at least three stages with a different meaning.

Name Purpose Hints
dev Used by all the devops and developers when they develop -
int Used by only CI/CD pipelines -
prd Where released software is deployed -

Team B: Platform Service Lifecycle

  • Team B develops Goldie in the dev environment and stage.
  • A stage consists of one or more clusters isolated from other environments with clusters.
  • An Environment is a set of resources (servers, networks, resource groups, configurations)
  • Goldie has the stages dev, int and prd.
  • Goldie is being tested in the environment int via Continuous Integration Pipelines.
  • Goldie is being released to the environment and stage prd.
  • Team A uses Phippy in the environment prd.
flowchart LR tA[Team A] -- uses --> dev01 tB[Team B] -- uses --> prd subgraph dev [Development Environment] subgraph dev01 [Cluster dev-01] gabc[ Goldie 0.0.0+abc ] end end gabc -- Test OK --> gdev subgraph int [Integration Environment] subgraph int01 [Cluster int-01] gdev[ Goldie 0.0.0+dev ] end end RELEASE([Release]) gdev -- Test OK --> RELEASE RELEASE -- Approval --> g1 RELEASE -- Automatic --> g2 subgraph prd [Production Environment] subgraph prd01 [Cluster prd-01] g1[ Goldie 1.1.0 ] end subgraph tst01 [Cluster tst-01] g2[ Goldie 1.1.0 ] end end

Team A: Software Lifecycle

  • Team A develops Phippy in the dev environment and stage.
  • A stage consists of usually one namespace isolated from namespaces of other stages.
  • An Environment is a set of mainly cluster internal resources (services, databases, configurations)
  • Phippy has the stages dev, int and prd.
  • Phippy is being tested in the environment int via Continuous Integration Pipelines.
  • Phippy is being released to the environment and stage prd.
  • Team A uses Phippy in the environment prd.
flowchart LR tB[Team B] -- uses --> pdev subgraph prd01 [Cluster prd-01] subgraph pprd [Production Environment] p4[ Phippy 1.1.0 ] end end subgraph tst01 [Cluster tst-01] subgraph pdev [Development Environment] p1[ Phippy 0.0.0+abc ] end subgraph pint [Integration Environment] p2[ Phippy 0.0.0+dev ] end subgraph ptst [Test Environment] p3[ Phippy 1.2.0 ] end end p1 -- Test OK --> p2 RELEASE([Release]) p2 -- Test OK --> RELEASE RELEASE -- Automatic --> p3 RELEASE -- Approval --> p4

Naming conventions

  • Namespaces can't start with numbers

For cluster services

Context Pattern Example
Namespace ${appid} smtp
ArgoCD ${apptype}-${appid}-${cluster} cs-smtp-prd01

For platform services

Context Pattern Example
Namespace OLM default or ps-${appid} ps-cloudnative-pg
ArgoCD ${apptype}-${appid}-${cluster} ps-cloudnative-pg-prd01

See ps-cloudnative-pg chart for an example of a platform service with its own namespace and ArgoCD application.

For applications

Context Pattern Example
Namespace ${apptype}-${appid}-${env}-${instance} app-phippy-prd-01 or app-phippy-prd
ArgoCD ${apptype}-${appid}-${env}-${instance} app-phippy-prd-01 or app-phippy-prd

In case your app has just one instance drop ${instance}. In this example Phippy exists just once in all the stages.

See phippy chart for an example of an application with its own namespace and ArgoCD application.

Service and Application Distribution

flowchart LR subgraph prd [Production Environment] subgraph prd01 [Cluster prd-01] g1[ app-goldie-prd-01 1.2.0 ] p1[ app-phippy-prd 1.1.0 ] pg1[ ps-cloudnative-pg-prd-01 1.0.0 ] end subgraph tst01 [Cluster tst-01] g2[ app-goldie-tst-01 1.2.0 ] p2[ app-phippy-tst 1.2.0 ] pg2[ ps-cloudnative-pg-tst-01 1.0.0 ] end subgraph ctl01 [Cluster ctl-01] argo[ app-argo-prd 1.0.0 ] sso[ app-sso-prd 1.0.0 ] gitlab[ app-gitlab-prd 1.0.0 ] aap[ app-aap-prd 1.0.0 ] g3[ app-goldie-ctl-01 1.2.0 ] pg3[ ps-cloudnative-pg-ctl-01 1.0.0 ] end end

Cluster Distribution over Infrastructure Stages

flowchart LR subgraph prd [Production Environment] prd01[Cluster prd-01] tst01[Cluster tst-01] ctl01[Cluster ctl-01] end subgraph int [Integration Environment] int01[Cluster int-01] end subgraph dev [Development Environment] dev01[Cluster dev-01] dev02[Cluster dev-02] end

Provider specific environments and isolation

If you produce a self-service platform, your stages need isolation. Depending of the provider you have the following options for isolation:

Azure

  • Tennats
  • Subscriptions

VMWare

  • Host Groups / Clusters in seperate Networks, storage pools, LUNs

Hetzner

  • Projects

Bare Metal

  • Different Hosts / Clusters in seperate Networks, LUNs, ...

Data Model for Inventory Management

In this section the model is implemented as an example with the inventory management system Backstage. It`s main purpose is the presentation and aggregation of data and systems as a hub.

Backstage.

Use cases for the inventory

  • Developers want to find out which services and applications are available in the platform and how to use them.
  • Support engineers can contact the right team responsible for a service or application.
  • ArgoCD can read all those definitions to render the app-of-apps
  • ArgoCD generate those definitions from the app-of-apps as a catalog.
  • OpenShift can read those definitions to manage access control.

Abstract Entity Data Model

About goldie

  • The platform service goldie is a Resource of type database
  • goldie is part of the the system OpenShift of the domain acme.com
  • Team B is a Group and groups have Users
  • Team B is the owner of OpenShift and goldie.
  • A Component like app-phippy-prd can relate to goldie.
  • goldie can have references to the documentation, team, sources, deep links to argocd ...

About phippy

  • The phippy instance app-phippy-prd is a Component of type website with lifecyle production
  • It depends on a Component phippy which is of type Project and belongs to the System Business Applications of the Domain acme.com
  • Team A is a Group and groups have Users. That Team A is the owner of a Project
  • A Cluster is a Resource and a Compnent like app-phippy-prd can relate to it.
  • app-phippy-prd can have references to the documentation, team, sources, deep links to argocd, openshift ui ...

Catalog and consumers

  • A catalog contributes compontents, resources or relations to the inventory model.
  • A consumer consumes compontents, resources or relations from all the catalogs for its own configuration.
Entity (type:name) Catalog Consumer
resource:cluster/uuid-12345 OpenShift Cluster Catalog ArgoCD, Project
compontent:goldie Platform Service Catalog ArgoCD
compontent:phippy ArgoProject Catalog -
compontent:app-phippy-prd Argo Application Catalog -
compontent:app-phippy-tst Argo Application Catalog -
group:team-a User Catalog ArgoCD / OpenShift
group:team-b User Catalog ArgoCD / OpenShift
user:acme/team-b/bjoern.dieding User Catalog ArgoCD / OpenShift
user:acme/team-a/john.doe User Catalog ArgoCD / OpenShift

Further Reading: