GitOps for Infrastructure Automation: ArgoCD and Flux Implementation

GitOps is an operational framework that uses Git as the single source of truth for declarative infrastructure and applications. By storing desired state in Git repositories, teams achieve version control, audit trails, and automated reconciliation of infrastructure.

GitOps Principles

  • Declarative: System state is described declaratively
  • Versioned: Desired state is stored in Git
  • Automated: Changes are automatically applied
  • Continuously Reconciled: Agents ensure actual state matches desired state

ArgoCD Installation

# Install ArgoCD
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

# Get initial admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

ArgoCD Application

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: production-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/company/k8s-manifests.git
    targetRevision: main
    path: environments/production
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        maxDuration: 3m

Flux Installation

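# Bootstrap Flux (reads a GitHub personal access token from GITHUB_TOKEN;
# --personal treats the owner as a user account rather than an organization)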
flux bootstrap github \
  --owner=company \
  --repository=fleet-infra \
  --branch=main \
  --path=clusters/production \
  --personal

Flux Kustomization

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./infrastructure
  prune: true
  healthChecks:
  - apiVersion: apps/v1
    kind: Deployment
    name: nginx-ingress
    namespace: ingress-nginx
  timeout: 2m

Repository Structure

fleet-infra/
├── clusters/
│   ├── production/
│   │   ├── flux-system/
│   │   └── infrastructure.yaml
│   └── staging/
├── infrastructure/
│   ├── controllers/
│   │   ├── ingress-nginx/
│   │   └── cert-manager/
│   └── configs/
└── apps/
    ├── base/
    ├── production/
    └── staging/

Secrets Management with SOPS

# .sops.yaml
creation_rules:
  - path_regex: .*\.yaml$
    encrypted_regex: ^(data|stringData)$
    kms: arn:aws:kms:us-east-1:123456789:key/abc-123

# Encrypt secret
sops -e secret.yaml > secret.enc.yaml

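# Flux decryption provider
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./apps/production
  prune: true
  # Decrypt SOPS-encrypted manifests before applying them
  decryption:
    provider: sops
    # Secret holding the credentials used to call the KMS key
    secretRef:
      name: sops-aws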
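
A pre-commit or CI check that fits the SOPS setup above (an added example, not part of the original article): it reports every `kind: Secret` manifest whose `data`/`stringData` values are not SOPS ciphertext (`ENC[...]`), so plaintext secrets are caught before they reach Git. The function name, the sample manifests and their values are constructed for illustration.

```shell
# Added example (not from the article): report Secret manifests whose
# data/stringData values are not SOPS ciphertext, e.g. in a pre-commit hook.
# Prints "file:line: key" per plaintext value; returns 1 if any was found.
find_plaintext_secrets() {
  awk '
    function emit_doc(   i) {            # report hits only for kind: Secret
      if (is_secret) for (i = 1; i <= n; i++) { print hits[i]; bad = 1 }
      n = 0; is_secret = 0; in_block = 0; indent = -1
    }
    BEGIN { bad = 0; emit_doc() }
    /^---/ { emit_doc(); next }          # YAML document separator
    /^kind:[ ]*Secret[ ]*$/ { is_secret = 1 }
    /^[^ #]/ { in_block = ($0 ~ /^(data|stringData):/); indent = -1; next }
    in_block && /^ +[^ #-]/ {
      match($0, /^ +/)
      if (indent < 0) indent = RLENGTH   # indentation of the first entry
      if (RLENGTH != indent) next        # continuation of a block scalar
      key = $0; sub(/^ +/, "", key); sub(/:.*/, "", key)
      val = $0; sub(/^[^:]*:[ ]*/, "", val)
      if (val !~ /^ENC\[/) hits[++n] = FILENAME ":" FNR ": " key
    }
    END { emit_doc(); exit bad }
  ' "$1"
}

# Constructed sample manifests (made-up values, not real ciphertext).
demo_dir=$(mktemp -d)
cat > "$demo_dir/plain.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: db
stringData:
  password: example-plaintext
EOF
cat > "$demo_dir/enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: db
stringData:
  password: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
sops:
  lastmodified: "2024-01-01T00:00:00Z"
EOF
for f in "$demo_dir"/*.yaml; do
  find_plaintext_secrets "$f" || echo "REJECT: $f has unencrypted Secret values"
done
```

In CI, run the function over the manifests changed in a pull request and fail the job on a non-zero exit.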

Progressive Delivery

# Flagger canary deployment
apiVersion: flagger.app/v1beta1
kind: Canary
metadata:
  name: app
  namespace: production
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: app
  progressDeadlineSeconds: 60
  service:
    port: 80
  analysis:
    interval: 30s
    threshold: 5
    maxWeight: 50
    stepWeight: 10
    metrics:
    - name: request-success-rate
      thresholdRange:
        min: 99
      interval: 1m

Conclusion

GitOps transforms infrastructure management by providing version control, audit trails, and automated reconciliation. Whether using ArgoCD or Flux, the key is establishing clear repository structures and implementing proper secrets management.