One of the first questions I am asked when setting up OpenShift GitOps (based on ArgoCD) is:
“How do I use it for automatic onboarding of new projects and how can I limit access to the different clusters and different teams?”
While there are different approaches, I usually suggest the following:
Use one instance to manage the configuration of the cluster(s) (let’s call it management GitOps) and a separate instance to deploy the actual workload, the applications (let’s call it application GitOps).
This could be one instance for multiple applications, or one instance per team. The advantage is that basic cluster configuration and the setup of new namespaces are kept separate from the deployment of the workload, so developers never need write access to cluster-scoped objects. The downside is that you have to manage multiple instances.
To summarize this setup:
- A GitOps instance that is solely responsible for cluster configuration and therefore creates objects like Namespaces, NetworkPolicies or ResourceQuotas, which define the boundaries of a new application.
- A GitOps instance for the applications, where developers can deploy their workload and test new features.
In addition, we have two clusters that can both be managed by the GitOps instances:
- DEV: to let developers do their tests.
- PROD: for our production workload.
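As an added example that is not part of the original post, the following is the kind of onboarding bundle the management GitOps instance would apply for a new team, and the AppProject it would hand to the application instance to fence that team in. Everything named here is an assumption for illustration: the team is called `team-a`, the two clusters are registered in ArgoCD under the names `dev` and `prod`, the application instance runs in the namespace `app-gitops`, and the team's manifests live at a hypothetical Git URL. The Namespace, ResourceQuota and NetworkPolicy are delivered to the DEV and PROD clusters; the AppProject is delivered to wherever the application instance lives.

```yaml
# Onboarding bundle for one team, owned by the management GitOps instance.
# All names below are assumptions for this example, not values from the post.
---
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    # OpenShift GitOps: grants the Argo CD instance in namespace "app-gitops"
    # permission to manage this namespace (assumed instance namespace).
    argocd.argoproj.io/managed-by: app-gitops
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "50"
---
# Deny all traffic by default. Narrower allow rules are added later through
# the application instance, but this baseline stays with the management instance.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Boundary for the application GitOps instance: team-a may only deploy from its
# own repository into its own namespace on the dev and prod clusters, may not
# create cluster-scoped objects, and may not touch the quota or network policy.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-a
  namespace: app-gitops          # namespace of the application instance (assumed)
spec:
  sourceRepos:
    - https://git.example.com/team-a/*   # hypothetical repository location
  destinations:
    - name: dev                  # cluster names as registered in ArgoCD (assumed)
      namespace: team-a
    - name: prod
      namespace: team-a
  clusterResourceWhitelist: []   # no cluster-scoped resources at all
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota        # the boundary objects stay with the management instance
    - group: networking.k8s.io
      kind: NetworkPolicy
  roles:
    - name: developer
      description: team-a developers may view and sync their own applications
      policies:
        - p, proj:team-a:developer, applications, get, team-a/*, allow
        - p, proj:team-a:developer, applications, sync, team-a/*, allow
      groups:
        - team-a-developers      # hypothetical SSO/OpenShift group
```

The split of responsibilities is what makes the limit enforceable: developers can only create Applications inside the `team-a` AppProject, and that project refuses any destination other than `team-a` on `dev` and `prod`, any repository outside the team's path, and any attempt to redefine the quota or network policy that the management instance put in place. Adding a second team means committing another copy of this bundle with the names changed, which is the automatic onboarding the question asks for.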