Obsidian on aviadhaham.mehttps://aviadhaham.me/tags/obsidian/Recent content in Obsidian on aviadhaham.meHugo -- gohugo.ioen© 2024 Aviad Haham. All rights reserved.Fri, 29 May 2026 00:00:00 +0000Headless Obsidian Sync for an AI Vaulthttps://aviadhaham.me/posts/headless-obsidian-sync-ai-vault/Fri, 29 May 2026 00:00:00 +0000https://aviadhaham.me/posts/headless-obsidian-sync-ai-vault/<p>I wanted my agent to write into the same Obsidian vault I use on my laptop, without giving the container direct access to my desktop. The setup ended up being pretty simple:</p> <ul> <li>a host-owned vault directory on the VPS</li> <li>a headless Obsidian Sync container</li> <li>the Hermes container mounting that same vault path</li> <li>a couple of basic permission guards</li> </ul> <p>That keeps Hermes inside the same note-taking flow I already use, while still keeping the host boundary clean.</p> <h2 id="the-storage-model">The storage model</h2> <p>Hermes mounts the host tree directly into the container:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">${HERMES_HOME_DIR}:/opt/data</span><span class="w"> </span></span></span></code></pre></div><p>The vault lives under that tree, so anything Hermes writes to <code>/opt/data/vaults</code> lands in the shared vault directory.</p> <h2 id="the-sync-bridge">The sync bridge</h2> <p>The actual sync layer is a headless Obsidian Sync container:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">obsidian-sync</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io/belphemur/obsidian-headless-sync-docker:0.0.8@sha256:...</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">unless-stopped</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cap_drop</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ALL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cap_add</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CHOWN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">SETUID</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">SETGID</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">DAC_OVERRIDE</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">security_opt</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="kc">no</span>-<span class="l">new-privileges:true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OBSIDIAN_AUTH_TOKEN</span><span class="p">:</span><span class="w"> </span><span class="l">${OBSIDIAN_AUTH_TOKEN}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">VAULT_NAME</span><span class="p">:</span><span class="w"> </span><span class="l">${VAULT_NAME}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">VAULT_PASSWORD</span><span class="p">:</span><span class="w"> </span><span class="l">${VAULT_PASSWORD:-}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">PUID</span><span class="p">:</span><span class="w"> </span><span class="l">${PUID:-1000}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">PGID</span><span class="p">:</span><span class="w"> </span><span class="l">${PGID:-1000}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">VAULT_PATH</span><span class="p">:</span><span class="w"> </span><span class="l">${VAULT_PATH:-/vault}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">DEVICE_NAME</span><span class="p">:</span><span class="w"> </span><span class="l">${DEVICE_NAME:-obsidian-docker}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">CONFLICT_STRATEGY</span><span class="p">:</span><span class="w"> </span><span class="l">${CONFLICT_STRATEGY:-merge}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/home/hermes/vaults:/vault</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">${CONFIG_HOST_PATH:-./config}:/home/obsidian/.config</span><span class="w"> </span></span></span></code></pre></div><p>This is the bridge to my Obsidian Sync peers. It mounts the same vault path Hermes uses, so edits move both ways:</p> <ul> <li>laptop changes sync to the VPS</li> <li>Hermes-written notes sync back to the laptop</li> </ul> <h2 id="a-small-but-important-detail">A small but important detail</h2> <p>Before the containers start, the host directories are created with the right ownership. That avoids the usual first-run Docker problem where a root-owned directory breaks later writes.</p> <h2 id="the-security-boundary">The security boundary</h2> <p>The important part is that the agent is <em>not</em> running as my admin user on the host.</p> <ul> <li><code>hermes</code> is an unprivileged host user</li> <li>vault and config dirs are owned by <code>hermes</code></li> <li>the sync container has <code>no-new-privileges</code></li> <li>capabilities are trimmed aggressively</li> <li>the mount is local to the host, not exposed over a public port</li> </ul> <p>So the note flow stays convenient without making the vault a loose shared filesystem.</p> <h2 id="the-core-idea">The core idea</h2> <p>In practice, the architecture is:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">laptop Obsidian </span></span><span class="line"><span class="cl"> ↕ Obsidian Sync </span></span><span class="line"><span class="cl">headless sync container on VPS </span></span><span class="line"><span class="cl"> ↕ vault directory </span></span><span class="line"><span class="cl">Hermes container </span></span></code></pre></div><p>The point is simple: the agent and the human editor write into the same vault, but through a controlled host-side bridge.</p> <p>A great pattern for anyone who want an agent to work inside your notes when the agent runs remotely and you don&rsquo;t share a filesystem</p>Implementing Scalable GitOps With Argo CD and ApplicationSets: A Case Studyhttps://aviadhaham.me/posts/implementing-gitops-with-argo-cd-and-applicationsets/Sun, 28 Apr 2024 00:00:00 +0000https://aviadhaham.me/posts/implementing-gitops-with-argo-cd-and-applicationsets/<blockquote> <p><em>This infrastructure was developed at <a href="https://nexxen.com">Nexxen</a>, where I&rsquo;m currently employed.</em></p> </blockquote> <p>Transitioning from the inefficient &ldquo;<a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/cluster-bootstrapping/#app-of-apps-pattern">App of Apps</a>&rdquo; model, we adopted GitOps with Argo CD and <code>ApplicationSet</code>s for improved efficiency and reliability. The old system, with its hunderds of declarative Argo <code>Application</code>s and frequent manual changes them, was operationally taxing, error-prone and not scalable.</p> <p>The shift to a declarative GitOps approach using <code>ApplicationSet</code>s has significantly minimized manual interventions, enhancing the scalability and accuracy of our deployment processes.</p> <p>In this blog post, I&rsquo;ll explore our approach to establishing a scalable and maintainable GitOps infrastructure using the Argo CD <code>ApplicationSets</code> CRD.</p> <p><strong>I will delve into how we</strong>:</p> <ol> <li>Bootstrap and manage Argo CD configurations.</li> <li>Structure our <code>ApplicationSet</code>s and GitOps deployments repository for scalability (utilizing the <code>git</code> generator).</li> <li>Leverage <code>ApplicationSet</code>s to automate deployment processes.</li> <li>Manage and scale our deployments across multiple clusters and environments.</li> </ol> <blockquote> <p><em>I provided real examples, from two teams, Octo and Datamine2, to give you a better understanding of how we structure our deployments.</em></p> </blockquote> <h2 id="introduction-to-our-gitops-setup">Introduction to Our GitOps Setup</h2> <p>We divided our configurations into two repositories.</p> <ul> <li> <p><strong>The <code>argocd-management</code> repository</strong>, accessible only to system administrators, contains sensitive Argo CD configurations.</p> </li> <li> <p>Developers mainly use <strong>the <code>gitops-deployments</code> repository</strong> for deployment manifests.</p> </li> </ul> <blockquote> <p>This strategy safeguards our management configurations and aligns with the principle of least privilege.</p> </blockquote> <p>Our GitOps framework is built around two main repositories:</p> <h3 id="argocd-management-repository"><code>argocd-management</code> repository:</h3> <p>Manages Argo CD&rsquo;s foundational configurations, including <code>AppProject</code>s and <code>ApplicationSet</code>s.</p> <ul> <li> <p>Example directory structure</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">├── app-of-appprojects.yml </span></span><span class="line"><span class="cl">├── app-of-appsets.yml </span></span><span class="line"><span class="cl">├── appprojects </span></span><span class="line"><span class="cl">| ├── [more team based directories] </span></span><span class="line"><span class="cl">│ ├── octo </span></span><span class="line"><span class="cl">│ │ ├── appproject-infra-non-prod.yml </span></span><span class="line"><span class="cl">│ │ ├── appproject-infra-prod.yml </span></span><span class="line"><span class="cl">│ │ ├── appproject-orphans-non-prod.yml </span></span><span class="line"><span class="cl">│ │ ├── appproject-orphans-prod.yml </span></span><span class="line"><span class="cl">│ │ └── kustomization.yaml </span></span><span class="line"><span class="cl">│ ├── sunflower </span></span><span class="line"><span class="cl">│ │ ├── appproject-datamine2-non-prod.yml </span></span><span class="line"><span class="cl">│ │ ├── appproject-datamine2-prod.yml </span></span><span class="line"><span class="cl">│ │ └── kustomization.yaml </span></span><span class="line"><span class="cl">│   └── kustomization.yaml </span></span><span class="line"><span class="cl">├── appsets </span></span><span class="line"><span class="cl">| ├── [more team based directories] </span></span><span class="line"><span class="cl">│ ├── octo </span></span><span class="line"><span class="cl">│ │ ├── appset-infra-non-prod.yml </span></span><span class="line"><span class="cl">│ │ ├── appset-infra-prod.yml </span></span><span class="line"><span class="cl">│ │ ├── appset-orphans-non-prod.yml </span></span><span class="line"><span class="cl">│ │ ├── appset-orphans-prod.yml </span></span><span class="line"><span class="cl">│ │ └── kustomization.yaml </span></span><span class="line"><span class="cl">│ ├── sunflower </span></span><span class="line"><span class="cl">│ │ ├── appset-datamine2-non-prod.yml </span></span><span class="line"><span class="cl">│ │ ├── appset-datamine2-prod.yml </span></span><span class="line"><span class="cl">│ │ └── kustomization.yaml </span></span><span class="line"><span class="cl">│   └── kustomization.yaml </span></span><span class="line"><span class="cl">└── bootstrap.yml </span></span></code></pre></div></li> </ul> <h3 id="gitops-deployments-repository"><code>gitops-deployments</code> repository:</h3> <p>Acts as the single source of truth for all declarative deployments within our organization.</p> <blockquote> <p>This is a monorepo gitops repository that contains all the Kubernetes manifests that are used/deployed across all the company.</p> </blockquote> <ul> <li> <p>Example directory structure</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">deployments </span></span><span class="line"><span class="cl">│ </span></span><span class="line"><span class="cl">├── [more team based directories] </span></span><span class="line"><span class="cl">├── octo </span></span><span class="line"><span class="cl">│ ├── infra </span></span><span class="line"><span class="cl">│ │   ├── devlake </span></span><span class="line"><span class="cl">│ │   │   └── envs </span></span><span class="line"><span class="cl">│ │   │   └── prod </span></span><span class="line"><span class="cl">│ │   │   ├── appset_config.json </span></span><span class="line"><span class="cl">│ │   │   ├── kustomization.yaml </span></span><span class="line"><span class="cl">│ │   │   ├── ui_deployment_patch.yml </span></span><span class="line"><span class="cl">│ │   │   └── values.yml </span></span><span class="line"><span class="cl">│ │   └── vault-auth </span></span><span class="line"><span class="cl">│ │   └── envs </span></span><span class="line"><span class="cl">│ │   └── prod </span></span><span class="line"><span class="cl">│ │   ├── appset_config.json </span></span><span class="line"><span class="cl">│ │   ├── kustomization.yaml </span></span><span class="line"><span class="cl">│ │   └── resources.yml </span></span><span class="line"><span class="cl">│ └── orphans </span></span><span class="line"><span class="cl">│ ├── aws-search </span></span><span class="line"><span class="cl">│ │   ├── base </span></span><span class="line"><span class="cl">│ │   │   ├── deployment.yml </span></span><span class="line"><span class="cl">│ │   │   ├── kustomization.yaml </span></span><span class="line"><span class="cl">│ │   │   └── service.yml </span></span><span class="line"><span class="cl">│ │   ├── envs </span></span><span class="line"><span class="cl">│ │   │   └── prod </span></span><span class="line"><span class="cl">│ │   │   ├── appset_config.json </span></span><span class="line"><span class="cl">│ │   │   └── kustomization.yaml </span></span><span class="line"><span class="cl">│ │   └── variants </span></span><span class="line"><span class="cl">│ │   └── prod </span></span><span class="line"><span class="cl">│ │   ├── deployment.yml </span></span><span class="line"><span class="cl">│ │   └── kustomization.yaml </span></span><span class="line"><span class="cl">│ └── another-app </span></span><span class="line"><span class="cl">│    ├── base </span></span><span class="line"><span class="cl">│    │   ├── deployment.yml </span></span><span class="line"><span class="cl">│    │   └── kustomization.yaml </span></span><span class="line"><span class="cl">│    └── envs </span></span><span class="line"><span class="cl">│    └── prod </span></span><span class="line"><span class="cl">│    ├── appset_config.json </span></span><span class="line"><span class="cl">│    ├── consul_configmap.yml </span></span><span class="line"><span class="cl">│    ├── consul_deployment.yml </span></span><span class="line"><span class="cl">│    └── kustomization.yaml </span></span><span class="line"><span class="cl">│ </span></span><span class="line"><span class="cl">└── datamine2 </span></span><span class="line"><span class="cl"> ├── datamine-amoeba-appprd </span></span><span class="line"><span class="cl"> │   ├── base </span></span><span class="line"><span class="cl"> │   │   ├── deployment.yml </span></span><span class="line"><span class="cl"> │   │   ├── kustomization.yaml </span></span><span class="line"><span class="cl"> │   ├── envs </span></span><span class="line"><span class="cl"> │   │   ├── non-prod-sandbox </span></span><span class="line"><span class="cl"> │   │   │   ├── appset_config.json </span></span><span class="line"><span class="cl"> │   │   │   ├── kustomization.yaml </span></span><span class="line"><span class="cl"> │   │   ├── non-prod-staging </span></span><span class="line"><span class="cl"> │   │   │   ├── kustomization.yaml </span></span><span class="line"><span class="cl"> │   │   └── prod </span></span><span class="line"><span class="cl"> │   │   ├── appset_config.json </span></span><span class="line"><span class="cl"> │   │   ├── kustomization.yaml </span></span><span class="line"><span class="cl"> │   └── variants </span></span><span class="line"><span class="cl"> │   ├── prod </span></span><span class="line"><span class="cl"> │   │   ├── env.yml </span></span><span class="line"><span class="cl"> │   │   ├── kustomization.yaml </span></span><span class="line"><span class="cl"> │   ├── sandbox </span></span><span class="line"><span class="cl"> │   │   ├── env.yml </span></span><span class="line"><span class="cl"> │   │   ├── kustomization.yaml </span></span><span class="line"><span class="cl"> │   └── staging </span></span><span class="line"><span class="cl"> │   ├── env.yml </span></span><span class="line"><span class="cl"> │   ├── kustomization.yaml </span></span><span class="line"><span class="cl"> └── datamine-amoeba-catalog </span></span><span class="line"><span class="cl">    ├── base </span></span><span class="line"><span class="cl">    │   ├── deployment.yml </span></span><span class="line"><span class="cl">    │   ├── kustomization.yaml </span></span><span class="line"><span class="cl">    ├── envs </span></span><span class="line"><span class="cl">    │   ├── non-prod-sandbox </span></span><span class="line"><span class="cl">    │   │   ├── appset_config.json </span></span><span class="line"><span class="cl">    │   │   └── kustomization.yaml </span></span><span class="line"><span class="cl">    │   ├── non-prod-staging </span></span><span class="line"><span class="cl">    │   │   └── kustomization.yaml </span></span><span class="line"><span class="cl">    │   └── prod </span></span><span class="line"><span class="cl">    │   ├── appset_config.json </span></span><span class="line"><span class="cl">    │   └── kustomization.yaml </span></span><span class="line"><span class="cl">    └── variants </span></span><span class="line"><span class="cl">    ├── prod </span></span><span class="line"><span class="cl">    │   ├── env.yml </span></span><span class="line"><span class="cl">    │   ├── kustomization.yaml </span></span><span class="line"><span class="cl">    ├── sandbox </span></span><span class="line"><span class="cl">    │   ├── env.yml </span></span><span class="line"><span class="cl">    │   ├── kustomization.yaml </span></span><span class="line"><span class="cl">    └── staging </span></span><span class="line"><span class="cl">    ├── env.yml </span></span><span class="line"><span class="cl">    ├── kustomization.yaml </span></span></code></pre></div></li> </ul> <h2 id="our-approach-to-bootstrapping-and-managing-argo-cd-configurations">Our Approach to Bootstrapping and Managing Argo CD Configurations</h2> <p>Although <code>ApplicationSet</code>s offer significant reductions in time and manual errors by automating deployment processes, integrating them with Kustomize has elevated their effectiveness.</p> <p>By managing <code>ApplicationSet</code>s and <code>AppProject</code>s through Argo CD applications themselves (<code>app-of-appsets</code> and <code>app-of-appprojects</code>) we have automated even the application of these configurations to the cluster. This meta-management layer ensures that all changes are self-maintaining and self-applying, which enhances automation and reduces the need for manual oversight even further.</p> <blockquote> <p>We utlize the power of the <code>Application</code> CRD to manage the <code>AppProjects</code>, and the <code>Application</code> factories, the <code>ApplicationSets</code>!</p> </blockquote> <p><strong>Below, I&rsquo;ll explain our approach more in detail:</strong></p> <ul> <li> <p>We start our setup with a bootstrap operation defined in the <code>bootstrap.yml</code> file, which contains all necessary configurations for initializing Argo CD.</p> <blockquote> <p><em>At the time of writing this post, it only contains an <code>AppProject</code> manifest (named <code>management</code>), that we use for the two root YAMLs I will mention below.</em></p> </blockquote> </li> <li> <p>In order to reconstruct our setup, <strong>the only manual steps we need to perform</strong> are the following:</p> <ol> <li><strong>Apply the bootstrap configuration:</strong> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f bootstrap.yml </span></span></code></pre></div></li> <li><strong>Set up management for AppProjects and ApplicationSets:</strong> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f app-of-appprojects.yml </span></span><span class="line"><span class="cl">kubectl apply -f app-of-appsets.yml </span></span></code></pre></div></li> </ol> </li> <li> <p>To make changes (add, delete, or edit), simply update the <code>appprojects</code> and <code>appsets</code> directories using the <code>kustomize</code> structure. Each change will be automatically detected by either the <code>app-of-appprojects</code> or <code>app-of-appsets</code> respectively.</p> </li> </ul> <h3 id="diagram-how-its-working-together">Diagram: How It&rsquo;s Working Together</h3> <p><img src="https://aviadhaham.me/posts-images/appsets-factories-automation-diagram.png" alt="Diagram illustrating the whole operation"></p> <h2 id="understanding-our-applicationset-approach">Understanding Our ApplicationSet Approach</h2> <ul> <li> <p><strong>Generators</strong>: Using <code>generators</code>, the <code>ApplicationSet</code> constructs a dynamic list of Argo CD applications to be managed. These generators use patterns and parameters defined in configuration files (like <code>appset_config*.json</code> that you&rsquo;ll see below) to determine which applications should exist (or be deleted).</p> </li> <li> <p><strong>Scalability</strong>: This approach enables the <code>ApplicationSet</code> to scale efficiently, as it can automatically adjust the number of managed applications based on the repository’s current state. New applications are created, and outdated ones are removed without manual intervention.</p> </li> <li> <p><strong>Considerations</strong>:</p> <ul> <li> <p>Any directory that won&rsquo;t have the <code>appset_config*.json</code> file or that won&rsquo;t match its appropriate <code>ApplicationSet</code>, will be ignored by the <code>ApplicationSet</code>.</p> </li> <li> <p>It&rsquo;s also important to make sure that no other <code>ApplicationSet</code> is targeting the same directory, as it may lead to conflicts and unexpected behavior.</p> </li> </ul> </li> </ul> <h2 id="our-applicationsets-strategies">Our ApplicationSets Strategies</h2> <p>We have two main strategies for our <code>ApplicationSet</code>s:</p> <h3 id="gitlab-subgroup-based-applicationsets">GitLab Subgroup-based <code>ApplicationSet</code>s</h3> <p><code>ApplicationSet</code>s are primarily organized per GitLab subgroup, automatically generating Argo CD <code>Application</code>s for each service or application within the subgroup.</p> <ul> <li> <p><strong>&ldquo;Orphans&rdquo; <code>ApplicationSet</code>s</strong> (<strong>for applications/repos that do not belong to any subgroup</strong>) As we have many applications that do not belong to any subgroup, we handle them as “orphans” (both in terms of <code>ApplicationSet</code>s and in the <code>gitops-deployments</code> repo).</p> <blockquote> <p><strong>Rationale</strong>: We encountered issues when creating an <code>ApplicationSet</code> that watches the root hierarchy of the group, as it did not behave as expected. Instead, we decided to separate the &ldquo;orphans&rdquo; into a different directory and handle the path logic in the CI using simple bash code. For more details on how we resolved this issue, refer to the <a href="#qa">Q&amp;A</a> section.</p> </blockquote> </li> </ul> <h3 id="prod-and-non-prod-environments">Prod and Non-Prod Environments</h3> <ul> <li> <p>The production environments are handled by <code>ApplicationSet</code>s that target directories with a <code>prod</code> prefix in their paths, and non-production environments with a <code>non-prod</code> prefix.</p> <blockquote> <p><strong>Rationale</strong>: By using prefixes for <code>prod*</code> and <code>non-prod*</code>, we can effectively manage different types of deployments in separate <code>ApplicationSet</code>s. This approach also ensures that the user only needs to add these prefixes when they want the deployments to be picked up and watched by the corresponding <code>ApplicationSet</code> for deployment.</p> </blockquote> </li> </ul> <h3 id="examples-applicationset-manifests">Examples <code>ApplicationSet</code> Manifests</h3> <p>Real example <code>ApplicationSet</code>s config that we use for our own DevOps team (&ldquo;Octo&rdquo;):</p> <ul> <li> <p><strong>Infra</strong>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">argoproj.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ApplicationSet</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">octo-infra-prod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">argocd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">generators</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">git</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoURL</span><span class="p">:</span><span class="w"> </span><span class="l">git@git.company.com:octo/gitops-deployments.git</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">revision</span><span class="p">:</span><span class="w"> </span><span class="l">main</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">files</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">deployments/octo/infra/**/envs/prod*/appset_config*.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;octo-{{path[3]}}-{{cluster.name}}-{{env}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">finalizers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">resources-finalizer.argocd.argoproj.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">argocd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">project</span><span class="p">:</span><span class="w"> </span><span class="l">octo-infra-prod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoURL</span><span class="p">:</span><span class="w"> </span><span class="l">git@git.company.com:octo/gitops-deployments.git</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetRevision</span><span class="p">:</span><span class="w"> </span><span class="l">main</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{path}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destination</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{cluster.address}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syncPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">automated</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selfHeal</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prune</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syncOptions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CreateNamespace=true</span><span class="w"> </span></span></span></code></pre></div></li> <li> <p><strong>Orphans</strong>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">argoproj.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ApplicationSet</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">octo-orphans-prod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">argocd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">generators</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">git</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoURL</span><span class="p">:</span><span class="w"> </span><span class="l">git@git.company.com:octo/gitops-deployments.git</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">revision</span><span class="p">:</span><span class="w"> </span><span class="l">main</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">files</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">deployments/octo/orphans/**/envs/prod*/appset_config*.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;octo-{{path[3]}}-{{cluster.name}}-{{env}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">finalizers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">resources-finalizer.argocd.argoproj.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">argocd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">project</span><span class="p">:</span><span class="w"> </span><span class="l">octo-orphans-prod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoURL</span><span class="p">:</span><span class="w"> </span><span class="l">git@git.company.com:octo/gitops-deployments.git</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetRevision</span><span class="p">:</span><span class="w"> </span><span class="l">main</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{path}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destination</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{cluster.address}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{namespace}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syncPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">automated</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selfHeal</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prune</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syncOptions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CreateNamespace=true</span><span class="w"> </span></span></span></code></pre></div></li> </ul> <p>These <code>ApplicationSet</code>s targets the <code>orphans</code>/<code>infra</code> directory within the <code>octo</code> subgroup in the <code>gitops-deployments</code> repo, focusing on the <code>prod</code> environment.</p> <blockquote> <p>For more details about the <code>appset_config*.json</code> files, refer to the <a href="#qa">Q&amp;A</a> section.</p> </blockquote> <h2 id="scale-strategies-with-applicationsets">Scale Strategies with ApplicationSets</h2> <p>Our architecture leverages ApplicationSets to facilitate scalability in the following ways:</p> <ul> <li> <p><strong>Deploying New Services</strong>: Adding a new directory in the <code>gitops-deployments</code>, to a <code>path</code> crawled by a specific <code>ApplicationSet</code> will make the <code>ApplicationSet</code> add another crawl (thanks to the globbing <code>**</code> in the <code>path</code>), and so, if the rest of the path is matching the regex/<code>path</code> in the rest of the path, it will add your new service, including all its environments.</p> </li> <li> <p><strong>Deploying the Same Service to Multiple Clusters</strong>: Adding a new JSON configuration file (matching the regex <code>appset_config*.json</code>) in the relevant envs directory automatically triggers the creation of a new Argo <code>Application</code> tailored to the specific parameters defined within the file.</p> <blockquote> <p>This makes scaling out to additional clusters or deployment environments seamless.</p> </blockquote> </li> <li> <p><strong>Multi-environment Management (Prod/Non-Prod)</strong>: By defining separate paths for different environments (like <code>prod</code>, <code>non-prod-staging</code>, <code>non-prod-sandbox</code>), <code>ApplicationSet</code>s can manage deployments across multiple environments efficiently, creating distinct sets of applications for each environment.</p> </li> </ul> <h3 id="example-of-environments-envs-structure">Example of Environments (<code>envs</code>) Structure</h3> <p>The <code>envs</code> directory structure plays a crucial role in how <code>ApplicationSet</code>s manage deployments:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">envs/ </span></span><span class="line"><span class="cl">├── non-prod-sandbox/ </span></span><span class="line"><span class="cl">│ ├── appset_config-a.json </span></span><span class="line"><span class="cl">│ ├── appset_config-b.json </span></span><span class="line"><span class="cl">│ ├── kustomization.yml </span></span><span class="line"><span class="cl">├── non-prod-staging/ </span></span><span class="line"><span class="cl">│ ├── appset_config-c.json </span></span><span class="line"><span class="cl">│ ├── kustomization.yml </span></span><span class="line"><span class="cl">├── prod/ </span></span><span class="line"><span class="cl"> ├── appset_config-d.json </span></span><span class="line"><span class="cl"> ├── kustomization.yml </span></span></code></pre></div><h2 id="qa">Q&amp;A</h2> <ul> <li> <p><strong>Q</strong>: How did you overcome the difference between the GitLab repositories heirarcy and the <code>gitops-deployments</code> repo heirarcy?</p> </li> <li> <p><strong>A</strong>: we implemented in the CI, a logic that checks if the repository is in the “root” / group level, and then adds to its path in <code>gitops-deployments</code>, the <code>orphans/</code> directory, so it will hit the right path in the gitops repo.</p> <ul> <li><strong><em>Snippet from our Gitlab CI&rsquo;s <code>before_script</code> logic:</em></strong> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> <span class="nv">$CI_PROJECT_PATH</span> <span class="o">=</span>~ ^<span class="o">[</span>^/<span class="o">]</span>+/<span class="o">[</span>^/<span class="o">]</span>+$ <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nv">FULL_PROJECT_PATH</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$CI_PROJECT_NAMESPACE</span><span class="s2">/orphans/</span><span class="nv">$CI_PROJECT_NAME</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nv">FULL_PROJECT_PATH</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$CI_PROJECT_PATH</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></div></li> </ul> </li> </ul> <hr> <ul> <li> <p><strong>Q</strong>: What are the <code>appset_config*.json</code> files?</p> </li> <li> <p><strong>A</strong>: The <code>appset_config*.json</code> files provide additional parameters for the <code>ApplicationSet</code>; that way we can combine both the ones we get from the <code>git</code> generator and the ones we define in the JSON file.</p> <ul> <li> <p><strong>Example <code>appset_config.json</code> file</strong>:</p> <ul> <li> <p><em>taken from <code>deployments/sunflower/datamine2/datamine-amoeba-appprd/envs/prod</code>, from the <code>gitops-deployments</code> repo</em></p> </li> <li> <p><em>Of course, you can structure your <code>ApplicationSet</code> and your JSON file in any way that suits your organization&rsquo;s needs.</em></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;env&#34;</span><span class="p">:</span> <span class="s2">&#34;prod&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;cluster&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;dc1-november&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;address&#34;</span><span class="p">:</span> <span class="s2">&#34;https://10.1.1.1:6443&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;dc&#34;</span><span class="p">:</span> <span class="s2">&#34;dc1&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div></li> </ul> </li> </ul> </li> </ul> <hr> <ul> <li> <p><strong>Q</strong>: How do we integrate Helm in our deployment approach?</p> </li> <li> <p><strong>A</strong>: Our deployment approach integrates Helm, allowing us to manage Helm-based and native Kubernetes deployments seamlessly. Key integration points include:</p> <ul> <li> <p><strong>Enabling Helm in Kustomize:</strong> We modify the <code>argocd-cm</code> ConfigMap to include the <code>--enable-helm</code> flag in the Kustomize build command.</p> </li> <li> <p><strong>Example Kustomization Config:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">helmCharts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">devlake</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repo</span><span class="p">:</span><span class="w"> </span><span class="l">https://apache.github.io/incubator-devlake-helm-chart</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">releaseName</span><span class="p">:</span><span class="w"> </span><span class="l">devlake</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">devlake</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="m">1.0.0</span>-<span class="l">beta3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">valuesFile</span><span class="p">:</span><span class="w"> </span><span class="l">values.yml</span><span class="w"> </span></span></span></code></pre></div></li> </ul> </li> </ul> <hr> <ul> <li> <p><strong>Q</strong>: How do we integrate Helm in our deployment approach?</p> </li> <li> <p><strong>A</strong>: Helm deployments work in a similar way to normal applications, where the entrypoint is the environment’s <code>kustomization.yml</code> file. This file should include a <code>helmCharts</code> section. Key integration points include:</p> <blockquote> <p>This enables flexibility by allowing Helm-based deployments to be patched and to create native K8s resources along the Helm releases.</p> </blockquote> <ul> <li> <p><strong>Enabling Helm in Kustomize:</strong> We modify the <code>argocd-cm</code> ConfigMap to include the <code>--enable-helm</code> flag in the Kustomize build command.</p> </li> <li> <p><strong>Example Kustomization Config:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">helmCharts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">devlake</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repo</span><span class="p">:</span><span class="w"> </span><span class="l">https://apache.github.io/incubator-devlake-helm-chart</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">releaseName</span><span class="p">:</span><span class="w"> </span><span class="l">devlake</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">devlake</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="m">1.0.0</span>-<span class="l">beta3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">valuesFile</span><span class="p">:</span><span class="w"> </span><span class="l">values.yml</span><span class="w"> </span></span></span></code></pre></div></li> </ul> </li> </ul>