## Introduction

As demands on software delivery speed keep rising, traditional manual deployment and operations have become a bottleneck for the business. DevOps culture emphasizes collaboration between development and operations, and GitOps raises that collaboration to a new level: the Git repository becomes the single source of truth, so infrastructure and application deployments are managed declaratively. This article systematically covers the core ideas of DevOps, the GitOps working model, and a complete practical setup based on ArgoCD and Flux.

## 1. DevOps Culture and Practice

### 1.1 DevOps Core Principles

The CALMS framework:

| Dimension | Meaning | Practice |
|------|------|------|
| Culture | Culture | Break down the wall between Dev and Ops |
| Automation | Automation | CI/CD pipelines |
| Lean | Lean | Eliminate waste, improve continuously |
| Measurement | Measurement | Data-driven decisions |
| Sharing | Sharing | Share knowledge and share tooling |

### 1.2 CI/CD Pipeline Design

A modern CI/CD architecture:

```text
Developer Push
      │
      v
┌─────────────┐    ┌──────────────┐    ┌─────────────┐
│   Build     │───►│    Test      │───►│   Deploy    │
│ ├ Compile   │    │ ├ Unit       │    │ ├ Staging   │
│ ├ Package   │    │ ├ Integration│    │ └ Production│
│ └ Scan      │    │ ├ Security   │    │             │
└─────────────┘    │ └ E2E        │    └─────────────┘
                   └──────────────┘
```

A complete GitHub Actions pipeline:

```yaml
name: CI/CD Pipeline

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Job order: build -> security-scan -> deploy-staging (main branch only)
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: 17
          distribution: temurin

      - name: Cache Maven dependencies
        uses: actions/cache@v3
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}

      - name: Build with Maven
        run: mvn clean package -DskipTests

      - name: Run unit tests
        run: mvn test

      - name: Code coverage
        run: mvn jacoco:report

      - name: SonarQube scan
        run: mvn sonar:sonar -Dsonar.projectKey=my-app
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  security-scan:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Filesystem scan of the checked-out source; results go to code scanning as SARIF.
      # Note: @master is a mutable ref; pinning to a commit SHA makes the run reproducible.
      - name: Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          format: sarif
          output: trivy-results.sarif

      - name: Upload scan results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif

  deploy-staging:
    needs: [build, security-scan]
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker image
        run: |
          docker build -t myapp:${{ github.sha }} .
          docker tag myapp:${{ github.sha }} myapp:latest

      - name: Push to registry
        run: |
          echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
          docker push myapp:${{ github.sha }}

      # GitOps handoff: the pipeline commits the new image tag to the config repo,
      # and the cluster-side controller reconciles from there.
      - name: Update GitOps repo
        run: |
          git clone https://${{ secrets.GIT_TOKEN }}
```
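A pipeline like the one above pulls third-party actions by mutable refs such as `@v4` and `@master`, which is the main supply-chain exposure of the workflow file itself. As an added example that is not part of the original article, the following Python check lints a workflow for two hygiene points: every `uses:` reference should be pinned to a full commit SHA, and the workflow should declare a top-level `permissions:` block so the `GITHUB_TOKEN` is scoped to what the jobs need. The embedded workflow text and the SHA in it are constructed for the example.

```python
import re
from typing import List

# Constructed sample that mirrors the shape of the workflow above (abbreviated).
# The 40-hex value on the last step is a constructed placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: CI/CD Pipeline
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v3
      - uses: aquasecurity/trivy-action@master
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_action_pins(workflow_text: str) -> List[str]:
    """Return one finding per `uses:` reference that is not pinned to a commit SHA.

    Tags (@v4) and branches (@master) are mutable: the upstream owner can move
    them, so the next run may execute different code. A 40-hex SHA is immutable.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are out of scope for this check
        action, _, version = ref.partition("@")
        if not version:
            findings.append(f"line {lineno}: {action} has no version pin")
        elif not SHA_RE.match(version):
            findings.append(f"line {lineno}: {action}@{version} is a mutable ref, pin to a commit SHA")
    return findings


def has_top_level_permissions(workflow_text: str) -> bool:
    """True if a top-level `permissions:` block restricts the default GITHUB_TOKEN scopes."""
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())


if __name__ == "__main__":
    for finding in check_action_pins(SAMPLE_WORKFLOW):
        print(finding)
    if not has_top_level_permissions(SAMPLE_WORKFLOW):
        print("no top-level permissions: block; GITHUB_TOKEN keeps its default scopes")
```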