DevOps Intermediate
GitOps — Patterns and Anti-patterns¶
GitOpsArgoCDFluxBest Practices 6 min read
GitOps architectural patterns. Monorepo vs polyrepo, environment promotion, secrets management.
Repo Strategy¶
- App repo + Config repo (recommended)
- Monorepo — simpler for small teams
- Repo per environment — maximum isolation
├── apps/
│ ├── api-gateway/
│ │ ├── base/
│ │ │ ├── deployment.yaml
│ │ │ ├── service.yaml
│ │ │ └── kustomization.yaml
│ │ └── overlays/
│ │ ├── dev/
│ │ ├── staging/
│ │ └── prod/
├── infrastructure/
│ ├── cert-manager/
│ └── monitoring/
└── clusters/
├── dev/
├── staging/
└── prod/
Environment Promotion¶
- CI builds image and pushes with tag (git SHA)
- CI updates image tag in
overlays/dev/ - GitOps sync to dev
- Automated tests
- PR from dev to staging overlay
- Review + merge, then sync to staging
- PR to prod, merge, then sync to prod
Secrets in GitOps¶
- Sealed Secrets — encrypted in Git (Bitnami)
- SOPS — Mozilla SOPS with age/KMS
- External Secrets Operator — sync from Vault/AWS SSM/Azure KV
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: api-keys
spec:
refreshInterval: 1h
secretStoreRef:
name: azure-keyvault
kind: ClusterSecretStore
target:
name: api-keys
data:
- secretKey: DATABASE_URL
remoteRef:
key: prod-database-url
Anti-patterns¶
- Manual kubectl apply alongside GitOps leads to drift
- Secrets in plaintext in Git
- Skipping environments
- No drift detection
- PRs too large to review
Summary¶
GitOps requires discipline in repo structure, environment promotion and secrets management. Never commit secrets in plaintext.
Need Help with Implementation?¶
Our team has experience designing and implementing modern architectures. We’re happy to help.