So, I think it is... Good morning, everyone. So, I am Kwon. So, this is my presentation: Flux and an intro to GitOps. So, I am actually... Dapak and software engineer. I... They changed in Django and Angular. And I share with the Transports Malaysia community. So, that is me in Shanghai, 2 months ago.

Okay, so before I start the talk... a few safety items. First, I do not have a job at BVOPs. Which is Flux. The leader that has Flux. And I am not a presentation. I am only sharing a few kinds of doctor. And... Views are known here with me. And I am still very well known. So... This is known... the best. The best for me. So, if there is a discrepancy... I do not appreciate it.

So... Yes, let us first talk about the community as a whole. So... A common way of thinking about things in the community... as far as I know is... I do not care as long as... So... Yes, so... I do not care about this history. As long as... I have 20 GB. I do not care how you appreciate it... as long as I have... a port that has... so much CPU, so much memory. I do not care where it happens. As long as 10% happens here and... like this.

And... the traditional way of doing things... is usually... kubectl apply and forget. So... you make the thing that happens and make the thing... you make the thing that happens? You start kubectl apply... then you start to work. Then you may start the thing that happens in the place that happens... all of it with version control... which I think... as time goes on... changes the thing that happens. You start to ask yourself and your colleagues... so... this thing happens in my version control. You can start. Where they start. They start and start. They start the thing that happens and start. Where? And... Has this not already been trained?
Why are you still starting the thing that happens in this version control? Then... how do you start the thing that happens in this version control? Most importantly... is... I see that this thing has... let us say 1,000M. But... actually in this version control it has 2,000M. Why did that happen? No one. Then... you start the kubectl thing... in the version control that happens... but... like... if you are interested in the kubectl thing and that thing... that thing may be... only the last thing that happened. Before that... nah.

So... the problem is... you know... we place... too much trust in people. We say... you must start the thing that happens in this version control... after you make some changes. But... you know... I will just start the thing that happens first... and then... I will start the thing that happens later... and then... I start X, Y, Z... right? Right?

So... this thing was needed because of Weaveworks. So Weaveworks in 2015... they started this thing because of Weave Cloud... to help explain changes. Then in 2006... they... cut off the changes. Actually, it explains. But they explained within 40 minutes... because of... this thing that happened. Then... in 2017... they explained the changes.

So... what are the things that are pushed here? So... the things that are pushed are... the first is the thing that happens... which means... I do not explain... what things are pushed... to explain this thing. I only say... okay, I do not care what you do... as long as afterwards... after 10 minutes... I want it to be like this. I do not care whether you start the things that are pushed... as long as afterwards... after 10 minutes... this is what I want. Next, of course, versioned and immutable. Everything happens in Git... and that rule is Git. And...
yes, let me go back... and the reason... the reason for Git... you can see... who did what... this is an important thing... especially when you are... in a big company... and... of course... for GitOps... changes should... you must have... an idea that says... okay, this is... after 10 minutes... and if not... after 10 minutes... this will happen. And of course, happens happens. So... there are many software agents... that happen happen... and say... okay, there are some habits. So, for example... you drive a change. So, you drive and say... okay, we are now in happening mode... but you should not do that in production, right? So, in GitOps activity... you say... okay, happening mode must happen... and after 10 minutes... it happens with happening... and says... this is not... the activity should not succeed. So... it happens with happening... and happens with happening. So, all of this within 10 minutes. But... 10 minutes is... like... a habit... the usual habit. But, of course you can change it... to 30 seconds if you want.

Yes, so... I will drive CD. So... as you can see, CD is after... happens and happens... happens with a solution that... that... I would say... very much happens with happening... and it happens... with the kit for GDOP... or GOTK. The hider-maker that happens... more on that... later. And it is a CNCF Graduated project... and it... it happens with Wiva... it is not G2. Okay.

So... what is the freedom... between the hider and the hider that happens? So the hider... the hider that happens... that is the hider that happens? So... what is the hider that happens? So, if you are familiar... with the GDOP event... or some of you... use a CNA-CF Graduator... or some kind of CNA-CF Graduator... so, what happens? is... okay, when I receive this thing...
before I receive this thing, I will need to do roughly... from... let us say roughly... hopefully you use roughly... use... about roughly... and then... you use roughly, use the config that happens... you tidy it into your class. So... that problem... is actually... if we say... If someone replaces the CIP replacement, they can see your credentials. But... Yes, it is a well-known vector. But for replacing the replacement replacement replacement, it is seen inside the trust domain. So what do we mean? Actually, after 10 minutes, it replaces from the GitHub repository. So you can see the GitHub repository has no control inside the trust apart from the well-known trust. So everything is trusted within the trust domain inside the trust. So trust trust and nothing else.

So... The GitHub town that replaces replacement replacement, it is something the same. So, we have replacement trust, it stops the image governance, which is something like war, wars, stopping the wars to replace the replacement. Then, there is another well-known thing for replacing replacement replacement, it stops the replacement to replace the war. So as I said earlier, the replacement governance that has control, it will replace the replacement.

So, GitOps Toolkit or GOTK is actually a seniority there, but not to go into the second, it has replacement replacement. It has a well-known replacement for replacement replacement. So, it has GitHub repository, OCR repository, Gits repository, and it uses replacement. So, as far as far, it reminds. And then another thing is replacement replacement. So, I am not sure how important replacement replacement is.
But, it is like replacement replacement within replacement, it puts out a CD pipeline, and it causes with that replacement replacement. And there is replacement replacement. One other thing is that it moves a lot around, replacement and replacement. So everything is controlled controlled controlled and Helm is basically the first class citizen there. So it allows you to decorate, manage Helm chart releases. So anything you want towards Helm, you just write it in a YAML file and they will apply it for you.

And also notification controller, which is something a little extra, is that if there is any changes towards your cluster, it just notifies you. So it can be Microsoft Teams, it can be Discord. So it says, okay, I deleted this resource within this particular commit and the reason why. And so on.

And also another thing is the image automation controller. So this is quite interesting, is that it monitors a repository. So like for GitHub repositories, it looks and sees, okay, the latest release is like version 2. So it looks at version, looks at GitHub and says it's version 2, looks at your configuration, your configuration says version 1. So it will automatically open a new branch and then submit a pull request. Sorry. So those seniors and anything, they can just see okay, this is good much.

So this looks a little wonky. So how a commit cycle works is that first we need to know that Git is always the source of truth in this case. So let me see. Okay, there you go. So first thing of course, for Git repository, you push it always. Then the Flux controller will pull from the Git repository, then it builds an artifact. So after that, it will generate the status and says that okay, what should I do about it? And it will look at the Kubernetes API server and then API server will notify new revision, fetch artifact, blah, blah, blah.
And also one thing that you can see over here on step nine actually is the ability, not ability, like the feature to decrypt secrets. So when we are working on a GitOps repository, we tend to commit secrets in. So a lot of people will probably say, oh no, why do we commit secrets in? We don't actually. So for my situation is that I use this thing called a sealed secret or Mozilla SOPS. So we use sealed secrets. So sealed secrets basically has a master key. So that master key will encrypt all of the secrets that we can ultimately commit into our source control. So in the end, you can have a track record over your secrets, but you don't expose it. But in the end, it's nearly to secure your keys.

So after everything happens here, it will validate, it will apply. Then after that, if anything needs to be deleted, it deletes, waits for readiness, and then if it's ready, then it sends another alert and everything. So yeah, so for reconciliation, for commit cycle, everything runs within this particular turn.

And yeah, like what I said just now, there's little bit of extras called image update automation. So what happens is that it automatically creates a branch. As you can see, this is my personal project here. It creates a branch. So as you can see over here, it merge, merge, merge. And then suddenly a new revision happens. Version 135 happens. And then it will go for a prod and a staging. And then whether I decide merge anything, then I decide. So the reason why image update automation is viewed as an extra is because during your setup, you actually have to send it an extra flag. So that's why I put it as an extra.

So next, in our production. So in our production, let's first talk about our scenario. So our product is called TalkUp. It's a CRM that serves customers mainly in Southeast Asia. So for usual deployments, a Semaphore CI pipeline, which is a click-based pipeline, is invoked and then we apply Helm charts.
So the way we apply Helm charts is that we take a look at the deployment repository configuration and then we apply it and that's it. There's no tracking. There's no nothing. We only know that this particular revision has been applied. But when? No tracking. So most of our utility applications, luckily, are already deployed using Helm charts. And we have just two Kubernetes clusters, production and staging, and 24-7 availability is required. So we have this requirement. It means that we are basically changing views on a moving vehicle, as you can see there.

So how do we migrate? To migrate to Flux, of course, we need to create a new cluster, which is a test. We test everything there first. I think I broke it 3-5x. And then after that in staging, I installed the Flux controller and GitOps took it first. So anything I can just directly modify my GitOps repo and then it will reflect back on that cluster. So that's why I said just now that we are lucky that we are already doing Helm charts, is because when it detects that it is Helm and then when we declared in the GitOps repository, it automatically takes over. So there's no downtime, there's no nothing. The only thing that happens is it will apply a label saying that okay, this is now managed by Flux and that's it. So there's no downtime, there's no nothing. But remember to lock your versions lah.

Okay. And then after that the Sealed Secrets controller is added first so that we can start committing secrets. And then ya, like I said, anything managed by Helm taken over, remember to lock versions. And this is very important: the declarations, remember to edit according to namespaces, because as far as my experience goes it takes over the entire namespace. So and ya, worth noting it does not delete existing resources that are not declared. So what happens during our testing is that okay, we have some things that are declared within Flux and for some things we open a namespace just to test it out.
And we were wondering why the new resources didn't get deleted after 10 minutes. So after investigation, it turns out Flux probably takes over according to namespaces.

So as my boss says, do you have any metrics? What happens is we have around 100x speed improvements on cluster recovery time, which may be larger for clusters that are more complex, but our one is very simple. So since the introduction of GitOps, the cluster recovery time reduced from about 3 days to about 40 minutes, since we just bootstrap everything and then that's it, and then we can be pretty sure the cluster is in a state we want it to be, which is working.

And this is very important to me and also very close to my heart: we can now democratize cluster management. So when you are a junior developer going into the company, boss says don't touch my cluster, don't touch my configuration. I'm 2 years in the company now, boss, if I'm seeing this, I still don't have access to production. Ya, so we can democratize cluster management but involving juniors without being scared that our cluster so randomly explode, because anything that is happening will need to go through that Git toolchain. Any change they want to do needs to go through a pull request. So they can actually bootstrap their own cluster, link it on the images or link it on the declarations that, let's say, production or staging has, replicate it to their own laptop and run the changes there. And once they are really sure, they just run a pull request. And then for the juniors it is that, okay lah, if my senior pass it, they pass, this is not my problem anymore.

Okay, so throughout this, lessons learned: we actually should have started way, way, way earlier, because our staging actually broke twice. The first time I think my senior used three to five days, second time is three days. So yeah, the earlier you incorporate GitOps the better, the smaller the downtime. And yeah, this is also towards me: when convincing your boss, try getting to the so
what conclusion as soon as possible to let them have a very high level overview. So in my circumstance here the so what conclusion is that, okay, I can say my senior time from three days to forty minutes, this is the so what. But towards me, I took about one week to get to that conclusion, so blame's on me.

And also when you are doing it, dig into the configuration as much as possible to reduce the discrepancies between the declared and the actual one. So some users secret targets at envFrom, or some manually pass once, especially like when you're setting up Elasticsearch, you basically need to pass in the password in the Helm configuration. I don't know if it's fixed now, but yeah, it's like that and we set it up like that. So I broke staging once because of that, but I think that's a small issue la. And yeah, don't worry if it takes 20 deployment cycles to fully roll everything out, just make sure to be right on the first try. Don't break anything.

Yeah, another important thing is to install the Weave GitOps dashboard right from the start. So for Flux, it operates mainly using YAML files, so it's more catered towards operators. So this Weave GitOps dashboard thing basically is open source official dashboard, so you can see, okay, what is being stuck where. So just sorted out there and you'll be on your way.

So before I get to my conclusion, I realize I have a lot of time, so I'll extra slide. So why Flux CD and not X, which I think many people are using Argo, right? So if you are familiar, the logos is Argo, Codefresh. So Codefresh is basically Argo but enterprise version. The one that is Flux, Weaveworks is enterprise version of Flux. Jenkins X, I think most of you heard it before. Worth is also something similar. Okay, so why are we using Flux CD and not X, Argo? Ya, so the reason why is that first we are using Flagger from the start already. So Flagger is actually, I would say, a traffic shaping tool. So let's say we roll up a new deployment, it helps us do a canary deployment which
is like 10% towards the new, nothing happens, 20% and so on until 50%. So we figure that, okay, since both are from the Flux CD project, they should work well together. Good. And Flux is way more bare bones than Argo CD for me. So for me simple is better, and hence very, very much easier developer onboarding from the YAML side. So if you study normal declaration, normal CRDs, then it will be good for you, instead of clicking through the Argo environment without knowing what you are doing.

So in a nutshell, quite get up. So this is like takeaway-ish for a boss. So first, increase productivity. Auditability, reliability is better, and then you can trace what you want when it's reliable, because any changes or any weird changes you did will be rollback within 10 minutes for Flux. So very enhanced the experience. Democratization of development: anyone can try developing already. Very much from your security guard rails: so because you are going through Git, it means that you can restrict access towards the cluster towards your juniors that don't know what they are doing, because you just need them to access the Git repo instead of the cluster itself. And faster development, better ops, everything in YAML file. So there's actually an inside joke about DevOps: we are actually not DevOps engineer, we are YAML engineer. And then easy compliance and auditing, this is like obviously because you can see all the commits. And I think that is my presentation. Thank you very much. I think I will take questions. No question eh?

Yes, may I know why you use sealed secrets? I mean there are other alternatives.

Yeah, alternatives. Because it much, much more simpler, like I said, because for Mozilla SOPS you need some knowledge towards your cloud provider, is one. And for sealed secrets you just need knowledge of probably two things: one is the CRD for the sealed secrets and the second one is actually how to back up your master keys and where, when. So that's the reason we went for sealed secrets. So because our company is still
small, so we don't want to invest so much developer time on it. So this is probably like the simplest way of all. But let's say you have like monthly password rotation, then sealed secrets does have its own rotation, so they are true or so we can have monthly password rotations. I mean all of those you can just write a script to automate it, right? Yeah. So any more questions? If no, then I think I'll end the session. Thank you, everyone, for having me here.