
CI/CD Integration

Purpose: For platform engineers, shows how to integrate the CLI with GitHub Actions, GitLab CI, and Jenkins.

What CI/CD Does in a GitOps Model

In openCenter, CI/CD pipelines do not deploy directly to clusters. FluxCD handles deployment. CI/CD pipelines validate changes before they merge — running opencenter cluster validate, checking SOPS encryption, and linting manifests. This keeps the Git repository clean and prevents broken configurations from reaching production.

GitHub Actions

Validate on Pull Request

# .github/workflows/validate.yml
name: Validate Cluster Config
on:
  pull_request:
    paths:
      - 'applications/**'
      - 'infrastructure/**'

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install openCenter CLI
        run: |
          # -f makes curl fail on an HTTP error instead of silently saving an error page as the binary
          curl -fsSL https://releases.opencenter.io/cli/latest/opencenter-linux-amd64 \
            -o /usr/local/bin/opencenter
          chmod +x /usr/local/bin/opencenter

      - name: Validate cluster configuration
        run: opencenter cluster validate <cluster-name>

      - name: Lint Kubernetes manifests
        run: |
          kubectl kustomize applications/overlays/<cluster>/ > /dev/null

Verify SOPS Encryption

      # Additional step for the validate job above
      - name: Check for unencrypted secrets
        run: |
          # Find YAML files that look like secrets but are not SOPS-encrypted
          find . -name '*.yaml' -exec grep -l 'kind: Secret' {} \; | while read -r f; do
            if ! grep -q 'sops:' "$f" && ! grep -q 'ENC\[AES256_GCM' "$f"; then
              echo "ERROR: Unencrypted secret found: $f"
              exit 1   # exits the pipeline subshell; with bash -eo pipefail the step fails
            fi
          done
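The grep above passes a file if either marker is present and matches kind: Secret wherever it appears, which is the source of the false positives noted under Troubleshooting. The script below is an added example, not code from the openCenter docs or CLI: it anchors the kind match at column 0 (ignoring comments, indented keys and kinds such as SecretProviderClass), requires both the sops: block and an ENC[...] envelope for every data/stringData value, and redacts values in its report. It assumes SOPS was configured to encrypt the data and stringData fields (the usual Flux convention); the file names and contents used in testing are constructed.

```shell
#!/bin/sh
# Added example (not openCenter's code): a stricter SOPS check than the grep
# on this page, written in portable sh so it runs in any CI image.

# Return 0 if FILE is not a Secret manifest or is fully SOPS-encrypted;
# return 1 (with a redacted report) if it is a Secret stored in plaintext.
check_secret_file() {
  f="$1"
  # Only an uncommented, column-0 "kind: Secret" line marks a Secret manifest:
  # '#' comments, indented keys and kinds like SecretProviderClass don't match.
  grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" || return 0
  # A file encrypted by sops always carries a top-level sops: metadata block.
  if ! grep -Eq '^sops:' "$f"; then
    printf 'ERROR: Secret without sops metadata: %s\n' "$f"
    return 1
  fi
  # Every value under data:/stringData: must be an ENC[...] envelope; one
  # plaintext value means the file was edited outside sops. The awk state
  # machine tracks whether the current line sits inside such a block.
  plain=$(awk '
    /^(data|stringData):[ \t]*$/ { in_block = 1; next }
    /^[^ \t#]/                   { in_block = 0 }
    in_block && /^[ \t]+[^ \t#][^:]*:[ \t]*[^ \t]/ &&
      !/ENC[[]AES256_GCM,/       { print }
  ' "$f")
  if [ -n "$plain" ]; then
    printf 'ERROR: plaintext value(s) in SOPS-managed Secret: %s\n' "$f"
    # Report the offending keys only; never echo the plaintext into CI logs.
    printf '%s\n' "$plain" | sed 's/:.*$/: <redacted>/'
    return 1
  fi
  return 0
}

# Check every *.yaml and *.yml under ROOT (the page's find skipped *.yml),
# pruning .git; report all offenders, then fail once if any were found.
scan_tree() {
  root="${1:-.}"
  find "$root" -path '*/.git' -prune -o \( -name '*.yaml' -o -name '*.yml' \) -type f -print |
  {
    rc=0
    while IFS= read -r f; do
      check_secret_file "$f" || rc=1
    done
    exit "$rc"   # leaves the pipeline subshell; becomes the function's status
  }
}

# Usage in CI:  sh check-sops.sh .   (scans the current checkout)
if [ $# -gt 0 ]; then
  scan_tree "$1"
fi
```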

GitLab CI

# .gitlab-ci.yml
stages:
  - validate

validate-config:
  stage: validate
  image: ubuntu:22.04
  rules:
    - changes:
        - applications/**/*
        - infrastructure/**/*
  before_script:
    # The ubuntu:22.04 base image ships without curl or kubectl: install curl here,
    # and either install kubectl as well or use an image that already provides it.
    - apt-get update -qq && apt-get install -y -qq curl
    - curl -fsSL https://releases.opencenter.io/cli/latest/opencenter-linux-amd64 -o /usr/local/bin/opencenter
    - chmod +x /usr/local/bin/opencenter
  script:
    - opencenter cluster validate <cluster-name>
    - kubectl kustomize applications/overlays/<cluster>/ > /dev/null

Jenkins

// Jenkinsfile
pipeline {
    agent any
    triggers {
        githubPush()
    }
    stages {
        stage('Validate') {
            steps {
                sh 'opencenter cluster validate <cluster-name>'
                sh 'kubectl kustomize applications/overlays/<cluster>/ > /dev/null'
            }
        }
        stage('Check Secrets') {
            steps {
                sh 'opencenter cluster validate-secrets <cluster-name>'
            }
        }
    }
    post {
        failure {
            echo 'Validation failed — do not merge this PR.'
        }
    }
}

What to Validate in CI

| Check | Command | Catches |
|---|---|---|
| Config validity | opencenter cluster validate | Missing fields, invalid references |
| Kustomize build | kubectl kustomize <path> > /dev/null | Broken overlays, missing bases |
| Secrets encryption | Grep for unencrypted kind: Secret | Plaintext credentials in Git |
| YAML lint | yamllint -c .yamllint . | Syntax errors, formatting issues |
| Secrets sync | opencenter cluster validate-secrets | Drift between SOPS keys and encrypted values |

Verification

After setting up CI, open a test PR with a deliberate error (e.g., a typo in a HelmRelease version) and confirm the pipeline catches it. The PR should show a failed check, blocking merge until the issue is fixed.

Troubleshooting

  • CLI not found in CI — Verify the download URL and that the binary has execute permissions.
  • Validate fails on missing kubeconfig — opencenter cluster validate works offline against the Git repository. It does not need cluster access. If it asks for a kubeconfig, check the CLI version.
  • SOPS check false positives — Some YAML files contain kind: Secret in comments or documentation. Refine the grep pattern to match only actual Kubernetes manifests.