GitOps
ArgoCD, Flux; declarative infrastructure, drift detection, reconciliation loops
GitOps is an operational model in which a Git repository is the single source of truth for both application and infrastructure state. An automated agent running inside the cluster (ArgoCD or Flux) continuously compares the desired state in Git with the live cluster state and reconciles any drift. Deployments are therefore pull-based (the in-cluster agent fetches from Git and needs only read access to the repository) rather than push-based (a CI pipeline applies manifests with a kubeconfig), so the CI system never holds cluster credentials and a compromised CI runner cannot modify the cluster directly. The control point shifts to who can write to the repository, which is why branch protection and mandatory review on the deployment branch are part of the security model, not just process hygiene.
Key Points
- ArgoCD's Application CRD binds a Git repo, path and revision (the source) to a cluster and namespace (the destination). ArgoCD polls the repo (every 3 minutes by default) or receives a webhook to detect changes, and syncs either automatically (`syncPolicy.automated`) or only after a manual sync/approval.
- Flux GitOps Toolkit uses separate controllers (source-controller, kustomize-controller, helm-controller) composably — more modular than ArgoCD, better suited for complex multi-tenancy.
- Drift detection: if someone applies a manual `kubectl` change in production, ArgoCD marks the Application OutOfSync (and reverts it only when `selfHeal` is enabled), while Flux re-applies the Git state on its next reconciliation interval. Either way a tampered resource is surfaced or undone, which enforces immutable infrastructure and makes the controller a tamper-detection control. Caveat: resources that were never in Git are not touched unless pruning is enabled, and a resource that is OutOfSync without self-heal stays drifted until the next Git change triggers a sync.
- ApplicationSets in ArgoCD generate multiple Application objects from a template + generator (e.g., one Application per cluster from a list) — critical for fleet management across 100s of clusters.
- Image update automation in Flux: image-reflector-controller scans a container registry and selects the newest tag matching an ImagePolicy (e.g., semver `>=1.2.0`); image-automation-controller then writes the new tag into the manifests and commits it back to Git. Pushing that commit to a separate branch and merging via PR keeps a review step in place; committing straight to the production branch fully automates the push-to-production pipeline but hands the controller's Git credential write access to production state.
- Environment promotion via PR: merging from the `staging` branch into `main` (or bumping the image tag in the production overlay) triggers reconciliation in production, with the Git history as the audit trail and the PR as the review gate; branch protection on `main` is what makes that gate enforceable rather than advisory.
- Secret management in GitOps: never commit plaintext secrets. Sealed Secrets (Bitnami) commits ciphertext that only the in-cluster controller's private key can decrypt; External Secrets Operator commits only a reference and fetches the value from a vault or cloud secret store at reconcile time; Flux can also decrypt SOPS-encrypted files natively in kustomize-controller.
- Multi-cluster GitOps: ArgoCD runs in a management cluster and deploys to fleet clusters using credentials stored as Kubernetes Secrets labelled `argocd.argoproj.io/secret-type: cluster`; an `ApplicationSet` with the cluster generator stamps one Application per registered cluster. Because the management cluster holds admin-level credentials for the entire fleet, it is the highest-value target in this design and needs the tightest access controls.
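The ArgoCD objects behind the Application, drift-remediation and fleet points above, as an added example (not from the original page and not taken from the Argo project's own documentation). The repository URL, cluster name, labels, application name and the cluster token are assumed placeholders:

```yaml
# Added example: an ArgoCD Application with automated sync and self-heal, a
# registered fleet cluster, and an ApplicationSet that stamps one Application
# per labelled cluster. Repo URL, names, labels and the token are placeholders.
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: payments-api
  namespace: argocd
  finalizers:
    # Cascade-delete the managed resources if this Application is deleted.
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:                                   # desired state: repo + revision + path
    repoURL: https://git.example.com/platform/deploy.git
    targetRevision: main
    path: apps/payments-api/overlays/prod
  destination:                              # where it is applied: cluster + namespace
    server: https://kubernetes.default.svc  # the cluster ArgoCD itself runs in
    namespace: payments
  syncPolicy:
    automated:
      prune: true      # delete live resources that were removed from Git
      selfHeal: true   # revert manual kubectl edits; without this, live drift only
                       # shows as OutOfSync until the next Git change triggers a sync
    syncOptions:
      - CreateNamespace=true
---
# A fleet cluster is registered with ArgoCD by a Secret carrying this label;
# the ApplicationSet cluster generator below selects clusters by their labels.
# This Secret is fleet-wide admin credential material: guard the argocd namespace.
apiVersion: v1
kind: Secret
metadata:
  name: prod-eu-west-1
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: cluster
    env: prod
type: Opaque
stringData:
  name: prod-eu-west-1
  server: https://prod-eu-west-1.example.internal:6443
  config: |
    {
      "bearerToken": "<service-account-token-placeholder>",
      "tlsClientConfig": {"insecure": false, "caData": "<base64-ca-placeholder>"}
    }
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: payments-api-fleet
  namespace: argocd
spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]   # fail loudly on a mistyped variable
  generators:
    - clusters:
        selector:
          matchLabels:
            env: prod     # one Application per cluster Secret labelled env=prod
  template:
    metadata:
      name: 'payments-api-{{ .name }}'
    spec:
      project: default
      source:
        repoURL: https://git.example.com/platform/deploy.git
        targetRevision: main
        path: apps/payments-api/overlays/prod
      destination:
        server: '{{ .server }}'
        namespace: payments
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
```

Apply the Application alone first and edit a managed Deployment with `kubectl` to watch the drift cycle: with `selfHeal: false` the Application turns OutOfSync and stays that way; with `selfHeal: true` the edit is reverted within seconds. Adding a second cluster Secret with `env: prod` makes the ApplicationSet generate a second Application with no further changes to Git.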
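The Flux image update automation described in the key points above, as an added example (not from the original page or the Flux project's own docs). Registry, repository, object names and the branch are assumed placeholders, and the `v1beta2` API version is an assumption to check against the versions your Flux installation serves:

```yaml
# Added example: Flux image update automation with a semver policy and a
# push-to-branch flow so that production changes still go through a PR.
# Registry, repo, names, branch and API version are assumptions.
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: payments-api
  namespace: flux-system
spec:
  image: registry.example.com/payments/api   # image-reflector-controller scans this repository's tags
  interval: 5m
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: payments-api
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: payments-api
  policy:
    semver:
      range: '>=1.2.0'   # newest tag in this range wins; pre-release tags are not matched unless the range names one
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: payments-api
  namespace: flux-system
spec:
  interval: 5m
  sourceRef:
    kind: GitRepository
    name: flux-system      # this GitRepository's credential must have write access to the repo
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        name: fluxcdbot
        email: fluxcdbot@example.com
      messageTemplate: 'chore(images): automated image update'
    push:
      # Push to a separate branch and open a PR from it; pushing straight to
      # main would deploy the new image to production with no human review.
      branch: image-updates
  update:
    path: ./apps/payments-api
    strategy: Setters
---
# The Deployment under ./apps/payments-api carries a setter marker naming the
# ImagePolicy (namespace:name); the controller rewrites only the marked field.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-api
  template:
    metadata:
      labels:
        app: payments-api
    spec:
      containers:
        - name: api
          image: registry.example.com/payments/api:1.2.3 # {"$imagepolicy": "flux-system:payments-api"}
```

The write credential referenced by the GitRepository is the sensitive part of this setup: scope it to the single deployment repository, and rely on branch protection on `main` so that the controller's commits on `image-updates` cannot reach production without a reviewed merge.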
Real-World Example
Weaveworks (the company that coined GitOps) runs its production infrastructure entirely via Flux: every change to production must pass through a PR on the infrastructure Git repository, providing a complete audit trail aligned with SOC 2 requirements.