# GitOps Workflows

Expert guidance for implementing production-grade GitOps workflows using ArgoCD and Flux CD, covering declarative deployment patterns, progressive delivery strategies, multi-environment management, and secure secret handling for Kubernetes infrastructure.
## When to Use This Skill

- Implementing GitOps principles for Kubernetes deployments
- Automating continuous delivery from Git repositories
- Managing multi-cluster or multi-environment deployments
- Implementing progressive delivery (canary, blue-green) strategies
- Configuring automated sync policies and reconciliation
- Managing secrets securely in GitOps workflows
- Setting up environment promotion workflows
- Designing repository structures for GitOps (monorepo vs multi-repo)
- Implementing rollback strategies and disaster recovery
- Establishing compliance and audit trails through Git
## Core Concepts

### The Four Principles

- Declarative: the entire system state is expressed in code
- Versioned: the canonical state is stored in Git with full history
- Pulled automatically: agents pull the desired state (no push to production)
- Continuously reconciled: automatic drift detection and correction

### Key Benefits

- Complete deployment history and audit trail
- Fast rollback via Git operations
- Enhanced security (no cluster credentials in CI)
- Self-healing infrastructure
- Multi-cluster consistency
- Familiar Git workflows for infrastructure changes
## Quick Reference

| Task | Load reference |
|---|---|
| GitOps principles and benefits | skills/gitops-workflows/references/core-principles.md |
| Repository structure patterns (monorepo, multi-repo, branches) | skills/gitops-workflows/references/repository-structures.md |
| ArgoCD setup, Applications, ApplicationSets | skills/gitops-workflows/references/argocd-implementation.md |
| Flux bootstrap, sources, Kustomizations, HelmReleases | skills/gitops-workflows/references/flux-implementation.md |
| Environment promotion strategies | skills/gitops-workflows/references/environment-promotion.md |
| Secret management (Sealed Secrets, ESO, SOPS) | skills/gitops-workflows/references/secret-management.md |
| Progressive delivery (canary, blue-green) | skills/gitops-workflows/references/progressive-delivery.md |
| Rollback strategies and disaster recovery | skills/gitops-workflows/references/rollback-strategies.md |
| Best practices and patterns | skills/gitops-workflows/references/best-practices.md |
## Workflow Steps

### 1. Choose Repository Structure

Decision factors:

- Team size and organization structure
- Application coupling and dependencies
- Access control requirements
- Deployment frequency and independence

Options:

- Monorepo: single repo, unified platform teams, shared infrastructure
- Multi-repo: separate repos per app/team, independent release cycles
- Environment branches: Git-flow style, simple mental model
### 2. Select GitOps Tool

ArgoCD:

- UI-focused with visual application management
- App of Apps pattern for hierarchical deployments
- ApplicationSets for multi-cluster deployments
- Strong RBAC and project isolation

Flux:

- CLI-first, GitOps Toolkit architecture
- Native Kustomize and Helm support
- Automated image updates
- Lighter weight, cloud-native
### 3. Configure Secret Management

**Never commit unencrypted secrets to Git.**

Options:

- Sealed Secrets: client-side encryption, simple workflow
- External Secrets Operator: sync from external secret stores (AWS, Vault, GCP)
- SOPS: file-based encryption with age or cloud KMS
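The External Secrets Operator option wired end to end, as an added example that is not code from this page or from the ESO project: a namespaced SecretStore that authenticates to AWS Secrets Manager through an IRSA-annotated service account, and an ExternalSecret that materialises a Kubernetes Secret from it. Only the SecretStore and ExternalSecret are committed to Git; the plaintext Secret exists solely in the cluster and is refreshed when the upstream value rotates. The namespace, role ARN, remote secret name, region and the `v1beta1` API version are all assumptions.

```yaml
# Added example (not from the page). Assumes ESO is installed, the cluster uses
# IRSA, and a Secrets Manager entry "prod/payments/db" holds the JSON keys
# "username" and "password". All names below are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-sa
  namespace: payments
  annotations:
    # Placeholder role ARN. Scope the role to secretsmanager:GetSecretValue on
    # the specific secret ARNs this namespace needs, nothing wider.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/PLACEHOLDER-payments-secrets-reader
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore            # namespaced: other namespaces cannot reference it
metadata:
  name: aws-secrets-manager
  namespace: payments
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret         # this is what lives in Git; it contains no secret material
metadata:
  name: payments-db
  namespace: payments
spec:
  refreshInterval: 1h        # re-read the store so rotations propagate without a commit
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: payments-db        # the Kubernetes Secret ESO creates and owns
    creationPolicy: Owner    # deleting the ExternalSecret deletes the Secret too
  data:
    - secretKey: DB_USERNAME
      remoteRef:
        key: prod/payments/db
        property: username
    - secretKey: DB_PASSWORD
      remoteRef:
        key: prod/payments/db
        property: password
```

After applying, `kubectl get externalsecret -n payments payments-db` should report a `SecretSynced` condition and `kubectl get secret -n payments payments-db` should exist with the two keys. Keeping the store namespaced (SecretStore rather than ClusterSecretStore) and binding it to a single IAM role is what keeps one team's ExternalSecrets from reading another team's entries.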
### 4. Implement Sync Policies

Non-production environments:

- Automated sync with `prune` and `selfHeal`
- Frequent reconciliation (1-5 minutes)
- Fail fast with immediate feedback

Production environments:

- Manual approval or gated automation
- Health checks and wait conditions
- Progressive delivery for high-risk changes
- Sync windows for maintenance periods
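The two sync policies side by side, as an added example rather than code from this page or the Argo project: an AppProject that restricts which repository and namespaces the applications may touch (the least-privilege answer to the "weak RBAC" mistake) and opens a production sync window, a dev Application with automated `prune` and `selfHeal`, and a prod Application with no automated sync so drift is reported rather than silently corrected. The repository URL, namespaces, tag and window schedule are assumptions.

```yaml
# Added example (not from the page). Assumes ArgoCD in the "argocd" namespace
# and a hypothetical deploy repo with envs/dev and envs/prod Kustomize overlays.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: payments
  namespace: argocd
spec:
  description: Payments service, all environments
  sourceRepos:
    - https://github.com/example-org/payments-deploy   # only this repo may be deployed
  destinations:
    - server: https://kubernetes.default.svc
      namespace: payments-*          # glob: payments-dev, payments-prod, nothing else
  clusterResourceWhitelist: []       # no cluster-scoped resources (CRDs, ClusterRoles)
  syncWindows:
    - kind: allow
      schedule: "0 2 * * 1-5"        # weekday 02:00 maintenance window
      duration: 2h
      applications:
        - payments-prod              # dev is unaffected by the window
      manualSync: true               # operators may still sync by hand inside the window
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: payments-dev
  namespace: argocd
spec:
  project: payments
  source:
    repoURL: https://github.com/example-org/payments-deploy
    targetRevision: main             # dev tracks the branch head
    path: envs/dev
  destination:
    server: https://kubernetes.default.svc
    namespace: payments-dev
  syncPolicy:
    automated:
      prune: true                    # delete resources that were removed from Git
      selfHeal: true                 # revert manual kubectl edits (drift)
    syncOptions:
      - CreateNamespace=true
    retry:                           # fail fast, but tolerate transient API errors
      limit: 3
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 2m
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: payments-prod
  namespace: argocd
spec:
  project: payments
  source:
    repoURL: https://github.com/example-org/payments-deploy
    targetRevision: v1.8.2           # pinned tag: promotion means changing this field
    path: envs/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: payments-prod
  # No syncPolicy.automated: drift shows as OutOfSync and stays visible until a
  # human, or a gated pipeline, triggers the sync inside the allowed window.
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
    - group: apps
      kind: Deployment
      jsonPointers:
        - /spec/replicas             # the HPA owns replica count; not drift
```

The reconciliation interval is instance-wide, not per Application: it is the `timeout.reconciliation` key in the `argocd-cm` ConfigMap (default 180s), so a dev-only instance can be set to 60s to match the 1-5 minute guidance. To check the production gate, make a manual edit in `payments-prod` and confirm `argocd app get payments-prod` reports OutOfSync without reverting it, and that `argocd app sync payments-prod` outside the window is refused.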
### 5. Set Up Environment Promotion

Promotion strategies:

- Git-based: tag or branch promotion with Git operations
- Kustomize overlays: update image tags in environment-specific overlays
- Automated updates: Flux ImageUpdateAutomation for semver policies
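Kustomize overlays combined with Flux image automation for the promotion path, as an added example that is not code from this page, Flux or Kustomize: the staging overlay carries a `$imagepolicy` setter marker so ImageUpdateAutomation commits new tags within a semver range on its own, while the prod overlay has no marker and changes only through a reviewed pull request that copies the tag across. The repository layout, image name, tag values and credential secret name are assumptions, and the `v1beta2` image API versions assume Flux 2.3 or later.

```yaml
# Added example (not from the page). Hypothetical repo layout:
#   apps/payments/base/                          Deployment, Service, ...
#   apps/payments/overlays/staging/kustomization.yaml
#   apps/payments/overlays/prod/kustomization.yaml
# Flux bumps the staging tag; prod is promoted by a human-reviewed PR.

# --- apps/payments/overlays/staging/kustomization.yaml ---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
images:
  - name: ghcr.io/example-org/payments       # image name as written in the base Deployment
    newTag: 1.9.0-rc.3 # {"$imagepolicy": "flux-system:payments-staging:tag"}
---
# --- apps/payments/overlays/prod/kustomization.yaml (no marker: humans promote) ---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
images:
  - name: ghcr.io/example-org/payments
    newTag: 1.8.2
---
# --- Flux objects, committed under clusters/<cluster>/ ---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: payments
  namespace: flux-system
spec:
  image: ghcr.io/example-org/payments
  interval: 5m
  secretRef:
    name: ghcr-pull-creds              # registry credentials created out of band, never in Git
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: payments-staging
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: payments
  policy:
    semver:
      range: ">=1.9.0-0 <2.0.0"        # the "-0" suffix admits prerelease tags; staging only
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: payments-staging
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: flux-system                  # its Secret must carry write access for the push below
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        name: fluxcdbot
        email: fluxcdbot@example.org
      messageTemplate: "chore(staging): automated image update"
    push:
      branch: main
  update:
    strategy: Setters
    path: ./apps/payments/overlays/staging   # only files under the staging overlay are rewritten
```

Restricting `update.path` to the staging overlay and giving the prod overlay no setter marker is the control that keeps the bot from promoting into production; the only write credential in the loop is the one on the `flux-system` GitRepository, and branch protection on `main` with the bot as an allowed pusher for that path bounds what it can change.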
### 6. Configure Progressive Delivery

For high-risk changes:

- Argo Rollouts: canary deployments with automated analysis
- Flagger: progressive delivery with metric-based promotion
- Traffic shifting with Istio or another service mesh
- Automated rollback on failed analysis
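A canary Rollout with metric-gated promotion, as an added example that is not code from this page or the Argo project: traffic shifts in steps through an Istio VirtualService while a background AnalysisRun measures the canary's HTTP success rate from Prometheus, and a single failed measurement aborts the rollout, at which point Argo Rollouts routes all traffic back to the stable ReplicaSet. The namespace, image, Prometheus address and Istio metric labels are assumptions, and the `payments-stable` and `payments-canary` Services plus the `payments` VirtualService with a route named `primary` are assumed to exist in the same overlay.

```yaml
# Added example (not from the page). Assumes Argo Rollouts and Istio are
# installed and Prometheus scrapes Istio's istio_requests_total metric.
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
  name: success-rate
  namespace: payments-prod
spec:
  args:
    - name: service-name
  metrics:
    - name: success-rate
      interval: 1m                        # one measurement per minute while the canary runs
      successCondition: result[0] >= 0.99
      failureLimit: 1                     # a single failed measurement aborts the rollout
      provider:
        prometheus:
          address: http://prometheus.monitoring.svc:9090   # hypothetical address
          query: |
            sum(rate(istio_requests_total{destination_service="{{args.service-name}}",response_code!~"5.*"}[2m]))
            /
            sum(rate(istio_requests_total{destination_service="{{args.service-name}}"}[2m]))
---
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: payments
  namespace: payments-prod
spec:
  replicas: 10
  selector:
    matchLabels:
      app: payments
  template:
    metadata:
      labels:
        app: payments
    spec:
      containers:
        - name: payments
          image: ghcr.io/example-org/payments:1.8.2   # bumping this tag starts a canary
          ports:
            - containerPort: 8080
  strategy:
    canary:
      canaryService: payments-canary      # Rollouts rewrites these Services' selectors
      stableService: payments-stable
      trafficRouting:
        istio:
          virtualService:
            name: payments
            routes:
              - primary                   # the route whose weights Rollouts adjusts
      analysis:                           # background analysis, runs alongside the steps
        templates:
          - templateName: success-rate
        startingStep: 2                   # begin once the canary carries 20% of traffic
        args:
          - name: service-name
            value: payments-canary.payments-prod.svc.cluster.local
      steps:
        - setWeight: 5
        - pause: { duration: 5m }
        - setWeight: 20
        - pause: { duration: 10m }
        - setWeight: 50
        - pause: {}                       # indefinite: needs `kubectl argo rollouts promote payments -n payments-prod`
        - setWeight: 100
```

The manual gate at 50% is what turns this into "gated automation" for production: everything up to that point is automatic and reversible, and the final promotion requires a human. Before relying on the rollback path, exercise it deliberately by deploying an image that returns errors and confirming the Rollout reaches `Degraded` with the stable ReplicaSet back at 100% of traffic; that is the "no rollback testing" mistake below, addressed in advance.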
### 7. Establish Rollback Procedures

Git rollback:

- `git revert` for specific commits
- Tag-based rollback by updating `targetRevision`
- Fast and declarative

Tool-specific:

- ArgoCD: `argocd app rollback` with revision history
- Flux: suspend automation, roll back manually, resume
## Common Mistakes

- Committing unencrypted secrets - always use a secret management solution
- No automated sync in non-prod - slows development feedback
- Automated sync in production without gates - high risk of breaking changes
- Ignoring drift detection - manual changes should be reconciled or alerted on
- No health checks - sync succeeds but the app is unhealthy
- Missing dependency ordering - apps deploy before infrastructure is ready
- No rollback testing - issues are discovered during actual incidents
- Inconsistent environments - staging differs too much from production
- No promotion testing - manual errors during environment promotion
- Weak RBAC - too many permissions for GitOps service accounts
## Resources

- OpenGitOps: https://opengitops.dev/
- ArgoCD Documentation: https://argo-cd.readthedocs.io/
- Flux Documentation: https://fluxcd.io/docs/
- Argo Rollouts: https://argoproj.github.io/argo-rollouts/
- Flagger: https://docs.flagger.app/
- External Secrets Operator: https://external-secrets.io/
- Sealed Secrets: https://github.com/bitnami-labs/sealed-secrets
- SOPS: https://github.com/mozilla/sops