
How ACK One Enables Multi‑Cluster GitOps for Hybrid Cloud Deployments

This article explains the core concepts of GitOps, outlines the advantages of using ACK One GitOps for multi‑cluster, hybrid‑cloud continuous delivery, and provides step‑by‑step guidance, code examples, and security configurations for Argo CD, ApplicationSets, RBAC, and secret management.

Alibaba Cloud Native

GitOps Overview

GitOps treats a Git repository as the single source of truth for Kubernetes application deployment. Argo CD continuously synchronizes the desired state from Git to one or more clusters, providing rapid, consistent, and secure delivery. A CNCF micro‑survey released in late 2023 shows that GitOps is the primary choice for most developers, and the Argo CD project graduated in December 2022, confirming its stability.

Key Benefits of GitOps

Rapid delivery and continuous deployment: Automated build and deployment accelerate release speed while keeping cluster state in sync with Git.

High reliability: Git version control enables quick rollbacks and auditability, improving deployment consistency.

Enhanced security: Developers only need Git repository permissions, not direct Kubernetes access, reducing manual error risk.

Ease of adoption: Familiarity with Git makes GitOps easy to learn and integrate.

ACK One GitOps Features

ACK One extends the open‑source Argo CD project with a fully managed, multi‑cloud, multi‑cluster, hybrid‑cloud continuous delivery platform. It integrates fleet management and Alibaba Cloud RAM SSO, delivering an out‑of‑the‑box Argo CD experience with secure, automated multi‑cluster application deployment.

Deployment Workflow

Developers create an Application or ApplicationSet via the Argo CD UI, CLI, or Go SDK.

When a new container image is pushed, Argo CD Image Updater detects the tag change and updates the corresponding YAML in the Git repository.

Argo CD periodically synchronizes the Git state to both cloud and on‑premises clusters, with secret management backed by KMS.

Deployment status changes trigger real‑time notifications (e.g., DingTalk).

ApplicationSet Example

The following ApplicationSet YAML demonstrates deploying multiple applications across clusters using a matrix generator:

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: cluster-git
spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]   # fail the render instead of silently emitting empty values
  generators:
    # matrix 'parent' generator: one Application per (directory, cluster) pair
    - matrix:
        generators:
          # child 1: one entry per add-on directory in Git
          - git:
              repoURL: https://github.com/argoproj/argo-cd.git
              revision: HEAD
              directories:
                - path: applicationset/examples/matrix/cluster-addons/*
          # child 2: every cluster registered with Argo CD (cluster secrets)
          - clusters:
              selector:
                matchLabels:
                  argocd.argoproj.io/secret-type: cluster
  template:
    metadata:
      name: '{{.path.basename}}-{{.name}}'
    spec:
      # the project is taken from the 'environment' label on the cluster secret
      project: '{{index .metadata.labels "environment"}}'
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: '{{.path.path}}'
      destination:
        server: '{{.server}}'
        namespace: '{{.path.basename}}'

Multi‑Tenant RBAC Management

When multiple teams share a GitOps system, ACK One integrates Alibaba Cloud RAM users and roles for SSO login, providing fine‑grained RBAC across Argo CD projects, applications, and clusters.

Fleet permissions allow RAM administrators to grant RBAC rights to users/roles for specific clusters and applications.

The Argo CD argocd-rbac-cm ConfigMap maps RAM users/roles to Argo CD roles (e.g., project-admin).

Projects can be created per team, binding each team’s applications and Git repositories to isolated namespaces.

Example AppProject granting read‑only access to a specific application for a RAM user/role:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: demo
  namespace: argocd
spec:
  destinations:
    - name: '*'
      namespace: '*'
      server: '*'
  roles:
    - groups:
        - "27***02"   # RAM user/role UID (redacted in the original)
      name: test
      policies:
        # subject must be proj:<project>:<role>; object <project>/<application> limits it to one app
        - p, proj:demo:test, applications, get, demo/application1, allow
  sourceRepos:
    - https://github.com/AliyunContainerService/gitops-demo.git

Corresponding argocd-rbac-cm configuration to bind the RAM user/role to the project‑admin role:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    p, role:project-admin, projects, *, *, allow
    g, "27***02", role:project-admin
  scopes: '[uid]'
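To confirm that the two policies above grant only what they claim, here is an added example (not ACK One's or Argo CD's code) that approximates Argo CD's evaluation: it merges the argocd-rbac-cm policy with the project role expanded to subject proj:demo:test, as Argo CD does, and then asks what the RAM UID may do. Python's fnmatch stands in for Argo CD's glob matcher, and 27***02 is the article's redacted UID.

```python
"""Simplified Argo CD-style RBAC check (added example, not Argo CD's or ACK One's code).
Argo CD merges argocd-rbac-cm policy with AppProject roles (subject proj:<project>:<role>,
groups as 'g' lines); glob matching and deny-over-allow follow its documented defaults."""
from fnmatch import fnmatchcase

# Global policy from the argocd-rbac-cm above; 27***02 is the article's redacted RAM uid.
RBAC_CM_POLICY = """
p, role:project-admin, projects, *, *, allow
g, "27***02", role:project-admin
"""
# Derived from AppProject 'demo', role 'test': read-only on one application.
PROJECT_POLICY = """
p, proj:demo:test, applications, get, demo/application1, allow
g, "27***02", proj:demo:test
"""

def parse_policy(csv_text):
    """Return ('p', subject, resource, action, object, effect) and ('g', user, role) tuples."""
    rules = []
    for line in csv_text.splitlines():
        fields = tuple(f.strip().strip('"') for f in line.split(","))
        if fields[0] in ("p", "g"):
            rules.append(fields)
    return rules

def subjects_for(user, rules):
    """Transitive closure of the user's roles via 'g' lines."""
    closure, changed = {user}, True
    while changed:
        changed = False
        for r in rules:
            if r[0] == "g" and r[1] in closure and r[2] not in closure:
                closure.add(r[2])
                changed = True
    return closure

def can(user, resource, action, obj, rules):
    """True if a matching rule allows and none denies; deny always wins, as in Argo CD."""
    subjects = subjects_for(user, rules)
    allowed = denied = False
    for r in rules:
        if r[0] == "p" and r[1] in subjects:
            _, _, res, act, pattern, effect = r
            if fnmatchcase(resource, res) and fnmatchcase(action, act) and fnmatchcase(obj, pattern):
                allowed |= effect == "allow"
                denied |= effect == "deny"
    return allowed and not denied

RULES = parse_policy(RBAC_CM_POLICY) + parse_policy(PROJECT_POLICY)
```

With these rules the UID can `get` demo/application1 and manage projects, but a `sync` on the same application is denied, which is the least-privilege outcome the project role is meant to enforce.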

Secret Management in Multi‑Cluster GitOps

Secure handling of tokens, passwords, and private keys across clusters is achieved by integrating ACK Secret Manager with KMS. The workflow is:

Install the ACK Secret Manager component in target clusters.

Add credentials to the KMS credential store.

Create an ExternalSecret manifest in the Git repository and reference it in the workload Deployment.

ACK One GitOps syncs the manifest; the Secret Manager generates the corresponding Kubernetes Secret for the workload.

Example ExternalSecret (simplified):

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-secret
spec:
  secretStoreRef:
    name: kms-store         # SecretStore backed by KMS
    kind: SecretStore
  target:
    name: my-k8s-secret     # Kubernetes Secret generated for the workload to reference
  dataFrom:
    - extract:
        key: /path/to/credential   # key of the credential in the KMS credential store
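A repository guardrail for the workflow above, as an added example (not ACK One's or Argo CD's code): it rejects any plaintext Secret committed to Git and requires every Secret a Deployment references to be the target of an ExternalSecret. Manifests are written as Python dicts, as yaml.safe_load would return them, so it runs without PyYAML; the constructed sample reuses the article's my-secret/my-k8s-secret names and adds a hypothetical db-creds anti-pattern.

```python
"""GitOps repo guardrail (added example, not ACK One's or Argo CD's code).
Credentials must reach workloads only via ExternalSecret -> Secret, never as a
Secret committed to Git. Manifests are dicts as yaml.safe_load would return them."""

def secret_names_referenced(deployment):
    """Secret names a Deployment consumes via env secretKeyRef, envFrom or volumes."""
    names = set()
    pod = deployment["spec"]["template"]["spec"]
    for c in pod.get("containers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                names.add(src["secretRef"]["name"])
    for vol in pod.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
    return names


def check_manifests(manifests):
    """Return findings; an empty list means every secret is KMS-backed via ExternalSecret."""
    findings = []
    provided = {m["spec"]["target"]["name"] for m in manifests if m["kind"] == "ExternalSecret"}
    for m in manifests:
        name = m["metadata"]["name"]
        if m["kind"] == "Secret" and (m.get("data") or m.get("stringData")):
            findings.append(f"plaintext Secret '{name}' committed to Git")
        if m["kind"] == "Deployment":
            for missing in sorted(secret_names_referenced(m) - provided):
                findings.append(f"Deployment '{name}' references Secret '{missing}' "
                                "with no ExternalSecret producing it")
    return findings


# Constructed sample: the article's ExternalSecret and a Deployment consuming its target.
EXTERNAL_SECRET = {"apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
                   "metadata": {"name": "my-secret"},
                   "spec": {"secretStoreRef": {"name": "kms-store", "kind": "SecretStore"},
                            "target": {"name": "my-k8s-secret"},
                            "dataFrom": [{"extract": {"key": "/path/to/credential"}}]}}
GOOD_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
    "containers": [{"name": "app", "envFrom": [{"secretRef": {"name": "my-k8s-secret"}}]}]}}}}
# Hypothetical anti-pattern: inline credential in Git, consumed directly by a Deployment.
BAD_SECRET = {"kind": "Secret", "metadata": {"name": "db-creds"}, "stringData": {"password": "x"}}
BAD_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "db"}, "spec": {"template": {"spec": {
    "containers": [{"name": "db", "env": [{"name": "DB_PASSWORD", "valueFrom": {
        "secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}}}
```

Run as a pre-sync or CI step over the rendered manifests of the Git repository so that a commit introducing a plaintext Secret, or a Deployment pointing at a Secret no ExternalSecret produces, is rejected before Argo CD ever syncs it.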

References

https://www.cncf.io/blog/2023/11/07/cncf-gitops-microsurvey-learning-on-the-job-as-gitops-goes-mainstream/

https://www.cncf.io/announcements/2022/12/06/the-cloud-native-computing-foundation-announces-argo-has-graduated/

https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/Generators-Matrix/

https://help.aliyun.com/zh/ack/distributed-cloud-container-platform-for-kubernetes/user-guide/overview-9

https://help.aliyun.com/zh/ack/distributed-cloud-container-platform-for-kubernetes/user-guide/fleet-management-overview

https://help.aliyun.com/zh/ack/distributed-cloud-container-platform-for-kubernetes/use-cases/construction-of-hybrid-cloud-disaster-recovery-system-based-on-ack-one

https://help.aliyun.com/zh/ack/distributed-cloud-container-platform-for-kubernetes/user-guide/manage-users-based-on-gitops

https://help.aliyun.com/zh/ack/distributed-cloud-container-platform-for-kubernetes/user-guide/secret-management
