Managing Git Sources in GitOps Runtimes

Add Standard/Restricted Git Sources to GitOps Runtimes

NOTE
This feature is currently in Beta.

A Git Source is a unique entity created for use with GitOps Runtimes in Codefresh.

The Git Source connects to a Git repository within your organization, serving as an easy way to manage the deployment and configuration of Argo CD applications on clusters.
The Git repository referenced by the Git Source stores application manifests and other resources. All resources in the Git repo are always synced to the cluster. Codefresh manages the Git Source itself as an Argo CD application.


Types of Git Sources

Codefresh allows you to create two types of Git Sources: Standard and Restricted Git Sources.

Both types of Git Sources sync Argo CD application manifests. The main difference lies in the namespace to which Argo CD applications are synced. With a Restricted Git Source, you can sync Argo CD applications to the namespace of your choice, instead of to the default namespace which is the Runtime’s namespace.

More on Restricted Git Sources

Restricted Git Sources:

  • Are optimized for multi-tenant organizations where multiple development teams create and deploy applications for different customers on the same cluster
  • Control which teams can create what applications and where they can deploy them

Codefresh removes the complexity from the manual configuration required to sync and manage applications and their resources in different namespaces:

  • Administrators set up Restricted Git Sources in Codefresh with the Git repo, cluster, and namespace definitions
  • Codefresh manages the Argo CD applications synced to the Git Source, ensuring secure compliance without complex administrative overhead


Standard and Restricted Git Sources further explains the differences between the two types of Git Sources.
See how the Restricted Git Source enforces secure deployment boundaries in Use case: Restricted Git Source in multi-tenant environment.

You can create, and manage both types Git Sources directly in the Codefresh UI. See Git Source settings and Create a Git Source.

To understand how the Git Source interacts with GitOps Runtimes and Argo CD applications, explore Git Sources, GitOps Runtimes, Argo CD applications.

Standard and Restricted Git Sources

Codefresh allows you to create two types of Git Sources:

  • Standard Git Source
  • Restricted Git Source

Standard Git Source

The Standard Git Source is created as an Argo CD application within the GitOps Runtime’s namespace. Manifests of Argo CD applications synced to a Standard Git Source are also deployed to the Runtime’s namespace. Standard Git Sources are typically assigned to the default Application Project.

Features of Standard Git Sources
  • Application Project
    The default or user-defined Application Project allows deployments from any Git repository, to any destination cluster and namespace(s).

  • Git repository
    The Git repository linked to the Standard Git Source can store different types of resources, from Argo CD applications to config maps, Argo Workflow templates, and more.

Restricted Git Source

The Restricted Git Source is also created as an Argo CD application within the GitOps Runtime namespace, with two major differences:

  • Manifests of Argo CD applications synced to a Restricted Git Source are deployed to a user-defined namespace, not to the Runtime’s namespace.
  • Codefresh automatically creates the Application Projects according to the settings defined for the Restricted Git Source.

The most notable feature of the Restricted Git Source is its ability to control access to the Git repositories with Argo CD applications, and to enforce deployments only to specific clusters and namespaces.

Features of Restricted Git Sources
  • Application Projects
    All Argo CD applications synced to the same Restricted Git Source must belong to the same Application Project. Codefresh simplifies this by automatically creating the Application Project for the Restricted Git Source. As a user, you do not have the option to manually select the Application Project to which your applications should belong to when working with Restricted Git Sources.

    Whenever you create a Restricted Git Source, Codefresh generates two Application Projects for the Git Source with the same name as the Restricted Git Source:

    • Application Project for the Restricted Git Source application, with the suffix restricted added to the name
    • Application Project controlling the Argo CD applications synced to the Restricted Git Source.
  • Git repository
    The Git repository referenced by the Restricted Git Source can house only manifests of Argo CD applications, Application sets, and Application Projects.

  • Deployment destinations
    The destination clusters and namespaces defined by the Restricted Git Source defines the deployment destinations allowed for applications.

Git Sources, GitOps Runtimes, Argo CD applications

Let’s look at how the Git Source interacts with other entities such as GitOps Runtimes and Argo CD applications.

GitOps Runtime, Git Sources, Argo CD applications

GitOps Runtime, Git Sources, Argo CD applications

Git Sources & GitOps Runtimes

Git Sources are always linked to GitOps Runtimes within Codefresh’s GitOps ecosystem. Every GitOps Runtime can be associated with one or more Git Sources.

Git Sources are housed in the account’s Shared Configuration Repository, typically within .resources/<runtime-name>/. The Shared Config repo is a dedicated Git repository that stores configuration settings and manifests shared between Runtimes within the same account.

Git Source tab in GitOps Runtime

Git Source tab in GitOps Runtime

Git Sources & Argo CD applications

When creating an Argo CD application in Codefresh, selecting the Git Source to which it should sync is a critical step before committing the application manifest.

Selecting Git Source for Argo CD application

Selecting Git Source for Argo CD application

Syncing an Argo CD application to a Git Source, ensures that:

  • The application’s manifest in the Git repository linked to the Git Source is always synced with the cluster.
  • The application hierarchy is accurately displayed in the GitOps Apps dashboard, as one of a set with the Git Source as the parent application.

Applications synced to Git Source in GitOps Apps dashboard

Applications synced to Git Source in GitOps Apps dashboard

If the Argo CD application is not synced to a Git Source:

  • The hierarchy is not correctly displayed in the GitOps Apps dashboard, even if the Argo CD application is part of an application set.
  • You cannot modify the application’s settings nor delete the application in Codefresh. The UI displays a notification that “there was an issue with the application’s Git Source.”

Notfication for application not synced to Git Source

Notfication for application not synced to Git Source

Use case: Restricted Git Source in multi-tenant environment

The use case illustrates how the Restricted Git Source can handle secure application deployment in multi-tenant environments.

Scenario

Multiple teams are engaged in creating applications for Marvel characters. Each team must be constrained to create the applications in the Git repos defined for them, and deploy the applications within the namespaces assigned to them.

There are three teams:

  • Hulk
  • Thor
  • Thanos

Objective

Use Codefresh’s Restricted Git Sources to define and enforce restrictions.

Set up the Restricted Git Source for Hulk

Let’s see how to achieve this for a single team, the Hulk team.

  1. Create Git repo for the Hulk team
    Create the Git repo where the developers in the Hulk team can store their application manifests. Make sure to grant write permissions only to members of the Hulk team.
    Let’s name the Git repo marvel-hulk-team-apps.

  2. Create destination namespace for deployment
    Create the namespace on the cluster to which Hulk applications can be deployed. Let’s name it, cf-hulk-apps-zone.
    Note that the Namespace must start with the prefix cf-.

  3. Create a Restricted Git Source
    Create the Restricted Git Source for the Hulk team that will define the namespace to which to deploy application manifests, and the namespace to which to deploy the applications themselves. For detailed descriptions of the settings, see Git Source settings in this article.
    1. In the Codefresh UI, go to your GitOps Runtime for which to create Git Sources.
    2. Click the Git Sources tab and click Create Git Source.
    3. Define the following:
      • Name: hulk-apps
      • Type: Restricted
      • Source: marvel-hulk-team-apps (this is the Git repo linked to the Restricted Git Source where the Hulk team will store their application manifests)
      • Branch: main
      • Path: .
    4. Leave the other settings empty, and click Next.
    5. Specify the deployment settings:
      • Source Namespace: Define the namespace to which to deploy the application manifests. Because we want to enforce permissions, we will define cf-hulk-app-manifests as the namespace. The cf- prefox is mandatory for the namespace. If the namespace does not exist, Codefresh will automatically create it.
      • Allowed Clusters & Namespaces: Select the relevant cluster and namespace to which to deploy the applications. Let’s select hulk-apps-zone as the namespace to which to deploy applications.
    6. Click Create. You have now created the Restricted Git Source. Codefresh creates the Application Projects with the required configurations to enforce the restrictions.
  4. Create an Argo CD application
    When you create an Argo CD application in Codefresh, you are prompted to select the:
    • GitOps Runtime for the application
    • Git Source in which to store the application manifest, from among the Git Sources created for the Runtime to which you have write permissions
      The Restricted Git Source you select dictates which target clusters and namespaces are available for deployment.
      Codefresh enforces the limitations through both the UI and the GitOps Runtime to ensure that applications cannot be deployed outside their set boundaries.

Repeat this process to set up Restricted Git Sources for other teams.

How does the Restricted Git Source function?

The diagram below is a visual representation of the above use case, illustrating how a Restricted Git Source functions to deploy Argo CD applications synchronized to it.

Restricted Git Source functionality

Restricted Git Source functionality

Create a Git Source

Create Standard or Restricted Git Sources for any provisioned GitOps Runtime. You can then commit manifests of Argo CD applications to any of these Git Sources.

NOTE
You must be in the List View for GitOps Runtimes to create Git Sources.

Before you begin

How to

  1. In the Codefresh UI, on the toolbar, click the Settings icon.
  2. From Runtimes in the sidebar, select GitOps Runtimes.
  3. In the List View, select the Runtime for which to create a Git Source, and then click the Git Sources tab.
  4. Click Create Git Source, and in the Create Git Source panel, follow the instructions to define the settings for the Git Source.

Create Git Source

Create Git Source
  1. Click + Create Git Source.

Git Source settings

The table describes the settings you can define for Standard and Restricted Git Sources.
For how-to instructions, see Create a Git Source.

Git Source Settings

Git Source Settings
Setting Description
Name The name of the Git Source, which must be unique within the cluster. The syntax must conform to that of Kubernetes objects.
Type The type of Git Source to create.
  • Standard Git Source: The Git Source is created as an Argo CD Application in the Runtime's namespace, and belongs to the default or user-defined Application Project without deployment and repo restrictions.
  • Restricted Git Source: The Git Source is created as an Argo CD application also in the Runtime's namespace, and belongs to the Application Projects created and automatically assigned by Codefresh. Applications synced with a Restricted Git Source must belong to the same Application Project and can deploy only to allowed clusters and namespaces.
Source The Git repository where the application manifests, including that of the Git Source application, are stored.
  • Repository: Mandatory. The URL of the Git repo.
  • Branch: Optional. The specific branch within the repo in which to create the Git Source application manifest.
  • Path: Optional. The specific path within the repo, and branch if one is specified, in which to create the Git Source application manifest.
Include Files and Exclude Files The file or files to include or exclude from the Git repo when syncing to the destination cluster.
Use GLOB to define patterns using wildcards to match path names in the source Git repo.

For example, workflows/**/*.yaml, in the Include Files field would include all files in the workflows directory and all its child directories, with .yaml as the extension.

**/images/**/* in the Exclude Files field, would ignore all directories entitled images.
For GLOB guidelines and examples, see this article.
Namespace Applies to Restricted Git Sources only.
The namespace in the cluster to which to deploy the manifests of Argo CD applications synced with this Git Source, and must start with the prefix cf-.
If the namespace doesn’t exist on the cluster, Codefresh automatically creates it.

These namespaces are added to the configmap argocd-cmd-params-cm in data.application.namespaces as cf-*. You can define a different prefix for the namespaces by replacing cf with your preferred prefix, <prefix>-* and use that prefix in Restricted Git Sources. Argo CD monitors these additional namespaces for application reconciliation.
Application Project Scope Applies to Restricted Git Sources only.
The destination clusters and namespaces to which the applications synced to the Git Source and belonging to this Application Project can be deployed, and the trusted Git repos for the applications.
  • Allowed clusters and namespaces: Single or multiple pairs of predefined clusters and namespaces to which applications belonging to the Application Project can be deployed.
    For example, specifying a cluster-namespace pair codefresh-production/game-apps:marvel-apps will deploy the applications only to the defined cluster and namespace.
    You can add multiple namespaces to the cluster-namespace pair.

    You can also use pattern matching for clusters and namespaces with the * wildcard for broad matching. For example, marvel-apps* as the namespace would include the marvel-apps-asia, marvel-apps-eu, and marvel-apps-us namespaces.
  • Allowed Git Repos: One or more trusted Git repositories for Argo CD applications synced to this Restricted Git Source. An Argo CD application that references a repository not in the trusted list is not synced to the Source Namespace in the cluster.

View Git Sources and settings

Drill down on a GitOps Runtime in List View to see its Git Sources.

  1. In the Codefresh UI, go to the GitOps Runtimes page.
  2. From the List View (the default), click a Runtime name, and then select the Git Sources tab.

Git Sources in runtime

Git Sources in runtime
  1. To go to the Git Source repo, in the Repo column, mouse over the repo name and select Go to Git repo.
  2. To see the settings for the Git Source, select the context menu at the end of the row, and click Details.

Edit Git Source settings

Edit an existing Git Source by changing the source and destination definitions, and included/excluded files.

NOTE
You cannot change the name and type of the Git Source.

  1. In the Codefresh UI, on the toolbar, click the Settings icon.
  2. From Runtimes in the sidebar, select GitOps Runtimes.
  3. From the List View (the default), select the Runtime with the Git Source, and then select the Git Sources tab.
  4. In the row with the Git Source to edit, from the context menu select Details.
  5. In the panel that appears, click Edit.

Example YAMLs of Git Source resources

Example: Standard Git Source manifest

Here’s an example of the Standard Git Source application manifest, which is similar to any Argo CD application.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: in-cluster:argoproj.io/Application:runtime/loans-gs
  finalizers:
    - resources-finalizer.argocd.argoproj.io
  labels:
    app.kubernetes.io/instance: in-cluster
    codefresh.io/entity: git-source
    codefresh.io/internal: "false"
  name: loans-gs
  namespace: runtime
spec:
  destination:
    namespace: runtime
    server: https://kubernetes.default.svc
  project: default
  source:
    directory:
      exclude: ""
      include: "*"
      jsonnet: {}
      recurse: true
    path: atgardner-git-source
    repoURL: https://github.com/noam-codefresh/git-source.git
    targetRevision: main
  syncPolicy:
    automated:
      allowEmpty: true
      prune: true
      selfHeal: true

Example: Restricted Git Source app manifest

Here’s an example of the Restricted Git Source application manifest.

apiVersion: csdp.codefresh.io/v1
kind: RestrictedGitSource
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: in-cluster:csdp.codefresh.io/RestrictedGitSource:runtime/hulk-apps
  labels:
    app.kubernetes.io/instance: in-cluster
  name: hulk-apps     # taken from the name of the Git Source as the name of the Git Source application and Application Project 
  namespace: runtime
spec:
  destinations:                             # destination clusters and namespaces allowed by the Application Project 
  - namespace: cf-hulk-apps-zone
    server: https://kubernetes.default.svc
  source:                                    # source repos for the Git Source and other Argo CD Applications
    directory:
      exclude: ""
      include: '*'
      recurse: true
    path: applications
    repoURL: https://github.com/team-hulk/marvel-hulk-apps.git/
    targetRevision: HEAD
  sourceNamespace: cf-hulk-app-manifests     # namespace to which to sync application manifests
  sourceRepos:                                   #  Git repos allowed by the Application Project
  - '*'
  syncPolicy:                                    
    automated:
      allowEmpty: true
      prune: true
      selfHeal: true
    syncOptions:
    - allowEmpty=true
    - CreateNamespace=true

Example: Application Project for Restricted Git Source application

Codefresh creates two Application Projects for a Restricted Git Source, one for the Restricted Git Source application itself, and the other for the applications synced to the Restricted Git Source.

Here’s an example of the Application Project created for the Restricted Git Source application.

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: hulk-apps          # Name of the Restricted Git Source used also for Restricted App Project
  namespace: runtime
spec:
  clusterResourceWhitelist:    # allow all resource types by default
  - group: '*'
    kind: '*'
  destinations:                # Destination Namespace defined in Restricted GitSource
  - namespace: cf-hulk-apps-zone
    server: https://kubernetes.default.svc
  sourceNamespaces:
  - cf-hulk-app-manifests     # Source Namespace defined in Restricted Git Source for syncing apps
  sourceRepos:                    # Allowed Git repos defined in Restricted Git Source; by default allows all source repositories
  - '*'

Example: Application Project for Argo CD applications synced to Restricted Git Source

Codefresh creates two Application Projects for a Restricted Git Source, one for the Restricted Git Source application itself, and the other for the applications synced to the Restricted Git Source.

Here’s an example of the Application Project created for the Restricted Git Source application.

# Restricted AppProject
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: hulk-apps-restricted             # name is the same as that of RestrictedGitSource with `-restricted` suffix
  namespace: runtime
spec:
  clusterResourceWhitelist:               # allow only Namespace and Application/ApplicationSet resources
  - group: ''
    kind: Namespace
  - group: argoproj.io
    kind: Application
  - group: argoproj.io
    kind: ApplicationSet
  destinations:
  - namespace: cf-hulk-app-manifests     # maps to the Source Namespace defined in Restricted Git Source to sync app manifests
    server: https://kubernetes.default.svc
  sourceRepos:
  - '*'                                     # allowed Git repos defined in Restricted Git Source; by default allows all source repositories

Monitoring & managing GitOps Runtimes
Shared Configuration Repository