Joy is a GitOps CLI tool with Kubernetes-style YAML file formats for simplifying the deployment of project releases to Kubernetes and their promotion across environments. It proves a perfect complement to other GitOps tools, such as ArgoCD and Crossplane.
- Defines Kubernetes-style YAML file formats:
Environment
: A Kubernetes cluster and/or namespace to deploy to.Project
: An application (eg: a microservice, front-end...) that can be deployed to different environments.Release
: The deployment configuration for a specific version of a project to a given environment.
- GitOps-oriented: Your joy "catalog" git repo defines the Source of Truth™ for your environments, projects and releases. Combined with the ApplicationSet generator plugin, changes to releases are detected by ArgoCD, transformed and deployed to the target environment.
- The
joy
CLI allows you to:- List and select environments, projects, releases.
- Promote releases from one environment to another, transfering specific portions of release configuration intelligently.
- The joy-generator ArgoCD
ApplicationSet
generator plugin allows to automatically generate ArgoCDApplication
resources from your joy catalog, to deploy your releases to Kubernetes. - YAML resources are extensible via custom values to address your specific metadata needs.
Joy dramatically reduces the cognitive load on developers when it comes to deploying their projects to Kubernetes. It allows them to think in terms of high-level release YAML files, and then to use the joy
CLI to promote those releases across environments.
It also provides the DevOps/platform engineers with a layer of abstraction to manage the more intricate deployment details, such as ArgoCD Applications and Helm charts.
What makes joy releases useful and powerful:
- They only contain the high-level information that is relevant to developers, providing a very simple, visual and intuitive interface to the deployment process.
- Portions of the release that are environment-specific can be locked with a special
# lock
comment to prevent them from being carried over from environment to environment during promotions. - They tie together all the deployment configuration that needs to travel with a given build, such as:
- Container image+version
- Helm chart+version
- Helm values for deploying the container
$ brew tap nestoca/public
$ brew install joy
Upgrade with:
$ brew update
$ brew upgrade joy
Download from GitHub releases and put the binary somewhere in your $PATH.
$ git clone git@github.com:<OWNER>/<CATALOG>.git ~/.joy
That is the default location where joy will look for your catalog repo. If you want to clone your catalog in a different location for convenience, create a ~/.joyrc
file with the following content to redirect joy to it:
catalog-dir: /absolute/path/to/your/catalog
- DevOps/platform engineers create a "joy catalog" git repo, defining different
Environment
resources. - Developers create
Project
andRelease
resources in that same git repo. Release
resources placed within same sub-directory tree as anEnvironment
resource are considered part of that environment.- A
Release
defines:- The release's name.
- The project it belongs to.
- The version of the container to deploy.
- The Helm chart to use for deployment.
- The values to pass to the Helm chart.
- Certain environment-specific portions of the release can be marked with a
# lock
comment to exclude them from promotions.
- CI pipelines for
master
branch build calljoy build promote
at the end of their process to promote the release in
Sealed Secrets is an open-source Kubernetes controller and client-side CLI tool from Bitnami that aims to solve the problem of storing secrets in Git using asymmetric crypto encryption. It generates a public and private key and can be used to encrypt/decrypt application secrets in a secure way. Sealed Secrets are "one-way" encrypted K8s Secrets that can be created by anyone but can only be decrypted by the controller running in the target cluster recovering the original object.
Joy takes advantage of the fact that the public key (or "certificate") for each cluster — required by developers to encrypt secrets — is not sensitive and can safely be stored in your joy git catalog in each Environment
resource, for example:
apiVersion: joy.nesto.ca/v1alpha1
kind: Environment
metadata:
name: staging
spec:
order: 0
owners:
- team-dragons
sealedSecretsCert: |
-----BEGIN CERTIFICATE-----
MIIEaDCCZrSgZwIBZgIQQVigtDuTUYj4m2BxtpZbPaZNBgkqhkiG9w0BZQsFZDZZ
MB4XDTIyMTZwNaIwNTZyN1oXDTMyMTZwNDIwNTZyN1owZDCCZiIwDQYJKoZIhvcN
...
kwqbLB/f7nqjUZvN6fkjqKCleLx4GI3H8WZxURqYU2ZPQ6/6kmNZHjekiYRJYhdn
QpgDdtXavNV/KcrL1je/BZErRusBbjR5LwFaZp0YCo0=
-----END CERTIFICATE-----
Joy provides a command to help you automatically extract your cluster's public key and add it to one of your Environment
resources, assuming you have proper permissions to read secrets from given cluster:
$ joy sealed-secrets import
? Select kube context of cluster to fetch seal secrets certificate from:
dev-rw
dev-admin
staging-rw
> staging-admin
production-rw
production-admin
? Select environment to import sealed secrets certificate into:
dev
> staging
production
✅ Imported sealed secrets certificate from cluster staging-admin into environment staging
Make sure to commit and push those changes to git.
Once the sealed secrets certificate has been imported and committed into your joy catalog, developers can use the joy sealed-secrets seal
command to encrypt their secrets for a specific environment:
$ joy sealed-secrets seal
? Select environment to seal secret in:
dev
> staging
production
? Enter secret to seal [Enter 2 empty lines to finish]
This is my highly
sensitive secret
which comprises
multiple lines
🔒 Sealed secret:
AgAWCq7OKWq+eabiqCwccMr0ll9e07Rwc1iW7itKyc1AzQlLmjrr1UK/VHP8ALWAWODSrJ8E8WVs4qvTjUdLVpbLRZVVBajYUAUXCxeVtk
QciuWsl5tfuWl4yxZdeBuTIsy/DHdK37STmRFB7yJeqqozPG+VyiJEb/to+jEpp7hzTkyk1GrPOz3Rtw4RUcwHD1lGtBdlanIDTd6B76Ju
...
+WXmUf3cUW8tSF5nMGY8f9hv4Wmb4cCa1yCC1QaVv82qlWSfKGsxo2oVMFvxwPXpqXUzfVY/TF01XrWoj4uwMDbvXlXNvooS7KpHcXpS6s
bAb8BXekgmMPhnGMH3OmCHPREcKEN4ccc+gDbOFp7mQjnnxYdMAmxQKY42zN
Note that the kubeseal
CLI must be installed on your machine in order for this to work.
Integrating a tool like Crossplane with joy allows you to provision the infrastructure required by your projects as part of the same release process as their deployment. This is a powerful way to ensure that your infrastructure is always in sync with your project deployments.
Take the example of a project that's just been modified to now require a storage bucket. Whenever that new version will be deployed to a new environment, it will require that bucket to be provisioned in that environment. With joy, that infrastructure requirement can be defined in the Release
resource values and that bucket can be provisioned automatically whenever that new version of the project gets promoted to a new environment. That is a game changer, as it can be extremely tricky to try and keep track of the evolving infrastructure requirements of your projects as they get promoted across environments.
As Crossplane is not yet very flexible in terms of templating (eg: conditionals and loops), we recommend relying on helm charts to deal with this templating complexity and create the appropriate Crossplane resources required by the project based on the values passed to it. For example, given a bucketName
value, the helm chart could create a Crossplane Bucket
resource and let the Crossplane provider provision the actual bucket in the cloud.