gitops-workflow

Implement declarative, Git-based continuous delivery for Kubernetes using ArgoCD or Flux CD, following OpenGitOps principles.

• Set up GitOps for Kubernetes clusters
• Automate application deployments from Git
• Implement progressive delivery strategies
• Manage multi-cluster deployments
• Configure automated sync policies
• Set up secret management in GitOps

• You need a one-off manual deployment
• You cannot manage cluster access or repo permissions
• You are not deploying to Kubernetes

1. Define repo layout and desired-state conventions.
2. Install ArgoCD or Flux and connect clusters.
3. Configure sync policies, environments, and promotion flow.
4. Validate rollbacks and secret handling.

• Avoid auto-sync to production without approvals.
• Keep secrets out of Git and use sealed or external secret managers.

1. Declarative - Entire system described declaratively
2. Versioned and Immutable - Desired state stored in Git
3. Pulled Automatically - Software agents pull desired state
4. Continuously Reconciled - Agents reconcile actual vs desired state

1. Installation

```bash

# Create namespace

kubectl create namespace argocd

# Install ArgoCD

kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

# Get admin password

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

```

Reference: See references/argocd-setup.md for detailed setup

2. Repository Structure

```

gitops-repo/

├── apps/

│ ├── production/

│ │ ├── app1/

│ │ │ ├── kustomization.yaml

│ │ │ └── deployment.yaml

│ │ └── app2/

│ └── staging/

├── infrastructure/

│ ├── ingress-nginx/

│ ├── cert-manager/

│ └── monitoring/

└── argocd/

├── applications/

└── projects/

```

3. Create Application

```yaml

# argocd/applications/my-app.yaml

apiVersion: argoproj.io/v1alpha1

kind: Application

metadata:

name: my-app

namespace: argocd

spec:

project: default

source:

repoURL: https://github.com/org/gitops-repo

targetRevision: main

path: apps/production/my-app

destination:

server: https://kubernetes.default.svc

namespace: production

syncPolicy:

automated:

prune: true

selfHeal: true

syncOptions:

- CreateNamespace=true

```

4. App of Apps Pattern

```yaml

apiVersion: argoproj.io/v1alpha1

kind: Application

metadata:

name: applications

namespace: argocd

spec:

project: default

source:

repoURL: https://github.com/org/gitops-repo

targetRevision: main

path: argocd/applications

destination:

server: https://kubernetes.default.svc

namespace: argocd

syncPolicy:

automated: {}

```

1. Installation

```bash

# Install Flux CLI

curl -s https://fluxcd.io/install.sh | sudo bash

# Bootstrap Flux

flux bootstrap github \

--owner=org \

--repository=gitops-repo \

--branch=main \

--path=clusters/production \

--personal

```

2. Create GitRepository

```yaml

apiVersion: source.toolkit.fluxcd.io/v1

kind: GitRepository

metadata:

name: my-app

namespace: flux-system

spec:

interval: 1m

url: https://github.com/org/my-app

ref:

branch: main

```

3. Create Kustomization

```yaml

apiVersion: kustomize.toolkit.fluxcd.io/v1

kind: Kustomization

metadata:

name: my-app

namespace: flux-system

spec:

interval: 5m

path: ./deploy

prune: true

sourceRef:

kind: GitRepository

name: my-app

```

Auto-Sync Configuration

ArgoCD:

```yaml

syncPolicy:

automated:

prune: true # Delete resources not in Git

selfHeal: true # Reconcile manual changes

allowEmpty: false

retry:

limit: 5

backoff:

duration: 5s

factor: 2

maxDuration: 3m

```

Flux:

```yaml

spec:

interval: 1m

prune: true

wait: true

timeout: 5m

```

Reference: See references/sync-policies.md

Canary Deployment with ArgoCD Rollouts

```yaml

apiVersion: argoproj.io/v1alpha1

kind: Rollout

metadata:

name: my-app

spec:

replicas: 5

strategy:

canary:

steps:

- setWeight: 20

- pause: {duration: 1m}

- setWeight: 50

- pause: {duration: 2m}

- setWeight: 100

```

Blue-Green Deployment

```yaml

strategy:

blueGreen:

activeService: my-app

previewService: my-app-preview

autoPromotionEnabled: false

```

External Secrets Operator

```yaml

apiVersion: external-secrets.io/v1beta1

kind: ExternalSecret

metadata:

name: db-credentials

spec:

refreshInterval: 1h

secretStoreRef:

name: aws-secrets-manager

kind: SecretStore

target:

name: db-credentials

data:

- secretKey: password

remoteRef:

key: prod/db/password

```

Sealed Secrets

```bash

# Encrypt secret

kubeseal --format yaml < secret.yaml > sealed-secret.yaml

# Commit sealed-secret.yaml to Git

```

1. Use separate repos or branches for different environments
2. Implement RBAC for Git repositories
3. Enable notifications for sync failures
4. Use health checks for custom resources
5. Implement approval gates for production
6. Keep secrets out of Git (use External Secrets)
7. Use App of Apps pattern for organization
8. Tag releases for easy rollback
9. Monitor sync status with alerts
10. Test changes in staging first

Sync failures:

```bash

argocd app get my-app

argocd app sync my-app --prune

```

Out of sync status:

```bash

argocd app diff my-app

argocd app sync my-app --force

```

• k8s-manifest-generator - For creating manifests
• helm-chart-scaffolding - For packaging applications