GitOps (Configuration Management)

Pleiades uses a pull-based GitOps model to manage configuration. Each node periodically polls a Git repository, verifies commit signatures (GPG), validates configuration, and applies diffs with minimal disruption.

Workflow

1) Fetch: clone/fetch the configured repo/branch into a local workdir.
2) Verify: enforce a GPG-signed HEAD commit; optionally restrict to an allowlist of signer fingerprints.
3) Load: parse gslbd.yaml from the configured pathPrefix.
4) Validate: run basic schema/cross-field checks.
5) Apply: replace the endpoint set atomically in both the LB and the checker; recreate the checker when its settings change.
6) Record: export metrics and the last applied commit info (sha, signer).

Configuration

gitops:
  repoURL: "ssh://gitea@git.example.com/infra/gslb-config.git"
  branch: "main"
  pathPrefix: "clusters/prod-eu-glb"
  pollInterval: "30s"
  requireSignature: true
  allowedSigners: ["ABCD...FPR"]
  auth:
    sshKeyPath: "/etc/gslb/gitops_deploy_key"

Repository layout (example)

infra/gslb-config/
└── clusters/
    └── prod-eu-glb/
        └── gslbd.yaml

Security

- GPG verification is required when requireSignature: true (the default). Configure trust on the host or provide fingerprints via allowedSigners.
- An SSH deploy key is supported via gitops.auth.sshKeyPath.

Failure modes

- Fetch failure: keep running with the last-good config.
- Signature failure: reject the change; keep last-good.
- Validation failure: reject the change; keep last-good.
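The verify and apply steps of the workflow above, together with the keep-last-good behaviour listed under failure modes, as an added Go example that is not Pleiades' own code. The Commit and Reconciler types, the fingerprint normalisation and the empty-set check standing in for validation are assumptions; the real GPG verification lives in internal/gitops and is not shown here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Commit is a constructed stand-in for what the fetcher hands the verifier.
type Commit struct {
	SHA       string
	SignerFPR string   // fingerprint of the key with a valid signature on HEAD; "" if unsigned
	Endpoints []string // endpoint set parsed from gslbd.yaml
}
// Reconciler keeps the gitops settings and the last-good endpoint set.
type Reconciler struct {
	RequireSignature bool
	AllowedSigners   []string // fingerprints; empty means trust the host keyring
	Endpoints        []string // last-good set, replaced only on success
	LastSHA          string   // what gslbd_gitops_last_apply_info{sha} would report
}
func normFPR(s string) string { return strings.ToUpper(strings.ReplaceAll(s, " ", "")) }

// verify enforces requireSignature and, when set, the allowedSigners allowlist.
func (r *Reconciler) verify(c Commit) error {
	if !r.RequireSignature || (c.SignerFPR != "" && len(r.AllowedSigners) == 0) {
		return nil // checking disabled, or signed with trust delegated to the host keyring
	}
	if c.SignerFPR == "" {
		return errors.New("HEAD commit is not GPG-signed")
	}
	for _, fpr := range r.AllowedSigners {
		if normFPR(fpr) == normFPR(c.SignerFPR) {
			return nil
		}
	}
	return fmt.Errorf("signer %q not in allowedSigners", c.SignerFPR)
}

// Reconcile runs verify -> validate -> apply; on any failure last-good stays in place.
func (r *Reconciler) Reconcile(c Commit) error {
	if err := r.verify(c); err != nil {
		return fmt.Errorf("verify: %w", err)
	}
	if len(c.Endpoints) == 0 { // assumed minimal validation: never apply an empty set
		return errors.New("validate: endpoint set is empty")
	}
	r.Endpoints, r.LastSHA = c.Endpoints, c.SHA // swap as one unit only after both checks pass
	return nil
}
```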

Metrics

- gslbd_gitops_fetch_total{result}
- gslbd_gitops_verify_total{result}
- gslbd_gitops_apply_total{result}
- gslbd_gitops_last_apply_info{sha,signer} (value 1)

Code references

- internal/gitops/* (fetcher, verifier, watcher stubs)
- cmd/gslbd/main.go (reconciliation loop)
- internal/config/validator/validate.go