Using GitOps for Cortex
Last updated
Was this helpful?
Last updated
Was this helpful?
As an alternative to working through the Cortex UI, Cortex supports following a . Using a GitOps model - which entails using descriptor files to manage entities, Scorecards, and Workflows in Cortex through your version control system - provides some benefits:
Metadata are version-controlled
The repository where your code lives is also the source of truth for information
You always own the data
You can easily monitor and track GitOps changes via
Users must have the View GitOps logs permission.
When following the GitOps model in Cortex, you manage via entity descriptor files that live in your git repository. An entity descriptor, also referred to as a Cortex YAML, describes an entity in your catalogs. You may store all of your entity definitions in a single repository or you can store the YAML in the repository of the corresponding entity.
Cortex checks for cortex.yaml or cortex.yml anywhere in the default branch (for Bitbucket, GitHub, and GitLab) and processes any changes pushed to the default branch. For Azure, Cortex checks the .cortex directory.
Cortex recommends storing the cortex.yaml in the repository root or basePath.
If an entity's file is deleted from the repository and you have enabled GitOps-based auto-archival, then the corresponding entity in Cortex will be archived. This feature checks for deleted files, so if the file is moved, it will not be archived from Cortex. See for more information.
The following example shows a single repository structure. Entity descriptor files are listed under catalog subdirectories for catalog, domains, and teams:
Note the following:
You cannot create catalogs via GitOps; catalogs can only be defined in the Cortex UI.
The YAML files cannot be in sub-directories under catalog, domains and teams.
Cortex's git integrations support automatic parsing of the entity descriptor file, enabling users to switch to GitOps in under five minutes.
If you plan to use a GitOps workflow, we recommend switching to the GitOps model after Cortex has been broadly rolled out to your organization. Ideally, developers will have the opportunity to experiment with Cortex through the UI, and leaders will set a threshold for a GitOps cutover.
It is possible to enable UI editing and disable UI importing for any entity. While this would allow users to create new entities via GitOps, they must make changes to the entity through the UI. Any changes made via GitOps would not register in Cortex.
Before getting started, note the following:
Domain, team, and Scorecard definitions must be in the .cortex/domains, .cortex/teams, or .cortex/scorecards folders, respectively.
The hierarchy of entities in Cortex is based on that hierarchy being defined in the entity's YAML file; Cortex does not set hierarchies or entity relationships based on a YAML file's location in your repository.
You can define any number of entities within the same repository.
The recommended placement for entity descriptor files is in the root of the repository, or in the appropriate .cortex/catalog folder.
For GitHub or GitLab, the descriptor can be located anywhere in the repository as long as the file is named cortex.yaml or cortex.yml.
Confirm that the Cortex UI editor is disabled for each entity type you want to use a GitOps approach for:
Disable the toggles for UI editing next to services, domains, teams, and other entity types.
Before you can move to a GitOps approach, Cortex must be integrated with GitHub, GitLab, Azure DevOps, or Bitbucket.
See the tabs below for instructions on each provider.
Azure DevOps
Add a webhook for Azure DevOps:
Click Create a new webhook and copy the unique webhook URL.
Set the event type to Code pushed and use the URL from the previous step.
Once GitOps is enabled, Cortex will detect push events in your repositories. For the first webhook for a given repository, Cortex looks for the cortex.yaml files and processes them. For subsequent webhooks, Cortex only processes files with a change in the webhook event. A maximum of 3,000 changed files will be reported per commit.
Additional configuration
Multi-account configuration
It is possible to configure multiple account integrations with Cortex for each of the git integrations. If you're creating or editing a cortex.yaml in the non-default configuration, you must reference the alias you used for that integration when you configured it.
For example, if you added a second GitHub configuration called non-default-example, you would define the following block in the entity descriptor:
If you do not define the alias, Cortex will use the default configuration when processing changes made to the cortex.yaml file. If a repository is not included in the default configuration, changes will not be processed via GitOps.
After completing your GitOps configuration, you can start managing entities via GitOps.
Before following these steps:
Cortex's standard GitOps configuration suits most common use cases:
Single or many projects per repo
Only one branch needs to be processed for cortex.yaml
The cortex.yaml file is in the default or main branch
However, there may be scenarios that require special setups, such as the following examples:
Monorepos in Bitbucket: Multiple projects in a single repo, split into subfolders.
Branches: Non-main or non-default branches, or different projects in multiple branches.
See the sections below for more information about special configurations.
By default, Cortex will check all repositories for services, domains, teams, and other entity types. It is possible to restrict which repositories entities are imported from:
Under Options by entity type, find the dropdown labeled Entity GitOps repository allowlist for new entity types.
Select the repositories you want to import from.
When one or more repositories are selected for a given entity type, Cortex will only check those repos for changes to the cortex.yaml file.
If you make changes in a repo that is not designated on the allowlist, Cortex will not process those changes.
When using a monorepo with Bitbucket, you must use the cortex-properties.yaml file:
The file is automatically processed, just like the entity descriptor.
It should live in the default branch for the repo, regardless of which branches it states Cortex should use to find entity descriptor files.
When using the cortex-properties.yaml file, the basePath may not function as expected if you have service code elsewhere in your repository.
Note that this file should only be used for custom workflows, such as using monorepos in Bitbucket or using a non-default branch as the home for your entity descriptor files.
You can configure Cortex to automatically process cortex.yaml files in non-standard branches, multiple branches, or both.
Consider the following example scenario:
You have a project where main is protected and is the default branch.
You want to include cortex.yaml in the develop branch.
You also have a separate project version in a staging branch with its own cortex.yaml file.
To represent this:
Add a cortex-properties.yaml file in the default branch of your repo
Define the branches field with a list of branches to process.
The default branch must be explicitly defined if you are using an advanced configuration and you want Cortex to search for a cortex.yaml file in the default branch.
If your cortex-properties.yaml file does not contain a branches field, Cortex will continue to process the default branch.
When using Azure DevOps for GitOps, you can configure Cortex to look for cortex.yaml files in multiple subdirectories.
Consider the following example scenario:
You have a monorepo structure where all projects live in a single repository.
Each project lives in a subdirectory in the main repository (project1/, project2/, etc.).
Each project has its own cortex.yaml file.
To represent this:
Add a src-dirs field in a cortex-properties.yaml file at the root of the repository, containing a list of directories to process.
Cortex will still process any cortex.yaml file found in the root of the repository.
Conflicts between UI editing, GitOps, and the Cortex API
If GitOps has previously been enabled, but UI editing is temporarily turned on, any changes made in Cortex to applicable entities will not be reflected in Git. When the file is next changed through your Git provider, it will override changes made in the UI.
The last received change in a cortex.yaml file will override previous changes, whether it originated from the create/update entity API or a push from your Git provider. Changes are not appended and the last submitted entire file takes precedence, so fields omitted in cortex.yaml will be removed.
Will my cortex.yaml file be picked up immediately?
If you already have a cortex.yaml file when you set up GitOps, Cortex will automatically process it. However, the file will not be processed until UI editing is disabled.
The entity I created appears in GitOps logs, but displays 0 entities 0 scorecards in the Entities column.
Since you can , you can choose to use a GitOps workflow for only some entity types.
Cortex will only check for files in the repository's default branch, unless . Cortex defaults to main if there is no default branch defined.
Cortex does not delete Scorecards if a corresponding Scorecard YAML is deleted. You can enable automatic archival of entities through GitOps by toggling on "Enable auto archiving of services" in . Read more in the .
For Bitbucket, Bitbucket Server, or Azure DevOps, you MUST place descriptor files in the appropriate .cortex/ subdirectory. It is possible to for unique cases.
When using a single repository structure, as described in the , the .cortex subdirectory only respects catalog, scorecards, domains, and teams subdirectories. Do not place the cortex.yaml file in the .cortex directory unless it is in one of the supported subdirectories.
For additional information on using GitOps to manage Scorecards and Workflows, see and .
When following a GitOps approach, you make changes to entities via their entity descriptor file and sync the changes using a Cortex git integration or programmatically using the . You must disable UI editing to ensure consistency. If the UI editor is enabled, then changes made via git will not be processed in Cortex.
Navigate to the .
Follow the instructions to .
In Cortex, navigate to and validate your Azure DevOps integration.
Follow the instructions from Azure on .
Navigate to and validate your configuration.
Follow the for adding a project-level or repository-level webhook.
If you're using a monorepo, see the section below: .
The is pre-configured with the ability to use the GitOps approach in Cortex. If you configure the integration using a personal access token, you will also need to add a webhook.
Follow the instructions to .
Follow the instructions from GitHub on . Cortex recommends adding an , but you can also define the webhook for a .
Follow the instructions to .
In the in Cortex, click Create a new token.
In GitLab, (recommended) or a .
Cortex's out-of-the-box GitOps configuration suits most common use cases, but you may have a scenario that requires additional configuration, such as a monorepo in Bitbucket, a repository with different projects in multiple branches, a need to restrict which repositories to import from, and more. See below for more information.
We recommend reviewing the to understand the basics about working with entities in Cortex.
View the , which displays all changes made in your Cortex workspace. If your entity creation was successful, you should expect to see it at the top of the list.
Search the for the new entity's name or tag. If your creation was successful, it will appear in the search results.
View the , which displays all changes made in your Cortex workspace. If your entity edit was successful, you should expect to see it at the top of the list.
Search the for the entity's name or tag. If your edit was successful, it will appear in the search results.
In the Cortex UI on an , entities created or updated via GitOps will display the file path of the entity's YAML file and a preview of the last GitOps log. You must have the View GitOps logs permission.
Navigate to the .
Using GitOps with a monorepo - one Git repository with multiple entities - is supported out-of-the-box for Azure DevOps, GitHub, and GitLab when you use the basepath field to specify the subdirectory in the entity descriptor (see an example of this in the docs for , , and ).
First, use the to validate your cortex.yaml file. Then, confirm GitOps settings are configured correctly:
Make sure for the entity type that you're trying to create.
Check repositories in the GitOps . If there are repositories selected for the entity type you're working with, confirm that you're working from an allowed repo.