STOP Deploying VCF Wrong: Unlocking Tenant-Ready Workflows with GitOps & CI/CD

Part 2 of the VCF Automation Series: Tenant-Ready Workflows at Scale

Why GitOps for VCF Automation?

VCF 9.0 Automation gives us a powerful foundation for multi-tenant self-service infrastructure. But to operate like a true internal platform-as-a-service, we need:

• Version control of blueprints and workflows
• Consistent deployment across environments
• Integrated approval and testing processes

This is where GitOps and CI/CD pipelines come in. By storing VCF Automation blueprints, Aria Orchestrator workflows, and even Ansible playbooks in Git—and connecting them to your CI/CD tooling—you bring repeatability, collaboration, and traceability into the heart of your private cloud.

---

What to Version-Control in VCF Automation

Artifact	Description
Blueprints (YAML)	VM templates, networking, and post-provisioning actions
vRO Workflows (JSON/XML)	Automation logic and integrations (e.g., Ansible Tower calls)
Ansible Playbooks	OS config, middleware deployment, security hardening
Input Values (Secrets masked)	Environment-specific overrides or GitOps variable files

All of this should live in a Git repository scoped by team or tenant.

---

CI/CD Flow Example for VCF Automation

1. Developer/Platform Engineer submits a pull request for a new blueprint YAML file
2. GitHub Actions or GitLab CI runs a validation job:
   • Lint blueprint structure
   • Run security scans on playbooks or embedded scripts
   • Dry-run against a staging org (optional)
3. Approval Stage: Optionally enforce merge policies
4. Merge to main triggers deployment pipeline:
   • Push blueprint into VCF Automation via API or CLI
   • Sync Aria Orchestrator workflows if included
   • Tag release and notify team

---

Recommended Tools

• Source Control: GitHub, GitLab, Bitbucket
• CI/CD: GitHub Actions, GitLab CI, Jenkins, Argo Workflows
• Integration APIs:
  • VCF Automation CLI or REST APIs
  • vRO import/export APIs
  • Ansible Tower job template sync via Tower CLI or API

---

Sample GitOps Repo Structure

vcf-automation/ ├── blueprints/ │ ├── ubuntu-dev-vm.yaml │ └── win19-core.yaml ├── orchestrator-workflows/ │ └── ansible-tower-trigger.json ├── playbooks/ │ └── install-docker.yml ├── ci/ │ └── validate-blueprint.yml └── README.md

---

Pro Tips

• Use tags in Git to align blueprint versions with VCF deployments
• Protect main branch with PR reviews and automation validation
• Use blueprint naming conventions that reflect tenant, tier, and app (e.g., dev-web-tier1.yaml)
• Store secrets in CI/CD vaults, not inside Git

---

Coming Up Next

In Part 3, we’ll explore Multi-Tenant RBAC Policies for Workflow Governance—how to enforce least privilege across VCF Automation, Orchestrator, and external integrations like Ansible.

Additional Learning

Massive Upgrades, Lower Costs, and AI Readiness: Meet VCF 9.0