Stage 4 · Provision
GitOps Workflows
GitOps Principles
Declarative, versioned, pulled, and continuously reconciled — the four pillars of GitOps.
What Is GitOps?
GitOps is a deployment paradigm where Git is the single source of truth for declarative infrastructure and applications. Instead of using CI pipelines to push changes to clusters, GitOps agents inside the cluster pull changes from Git. This inverts the traditional CI/CD model.
The term was coined by Alexis Richardson of Weaveworks in 2017. It applies principles from software development — version control, code review, audit trails — to operations. Every change is a Git commit, every rollback is a Git revert.
The Four Principles
- Declarative — The desired state of the system is declared in configuration files, not imperative scripts.
- Versioned — The desired state is stored in Git. Every change is a commit with a history, author, and message.
- Pulled — Software agents automatically pull changes from Git and apply them to the cluster.
- Continuously Reconciled — Agents constantly compare the actual state to the desired state and reconcile differences.
Push vs Pull Deployment
Traditional CI/CD uses push-based deployment — a pipeline runs kubectl apply from outside the cluster. GitOps uses pull-based deployment — an agent inside the cluster watches Git and applies changes. Pull-based deployment is more secure because the cluster does not need external API access.
| Aspect | Push-based CI/CD | Pull-based GitOps |
|---|---|---|
| Agent location | Outside cluster (CI runner) | Inside cluster |
| Cluster credentials | Stored in CI system | Stored in cluster (more secure) |
| Drift detection | None — assumes apply succeeded | Continuous — agent reconciles |
| Rollback | Re-run pipeline with previous commit | Git revert — agent detects and reconciles |
| Audit trail | CI pipeline logs | Git history (authoritative) |
GitOps Tools
| Tool | Approach | Key Features |
|---|---|---|
| ArgoCD | Declarative UI + API | Web UI, RBAC, SSO, multi-cluster |
| Flux v2 | Kubernetes-native | Extensible, image automation, Helm support |
| Codefresh | Commercial GitOps platform | Built-in ArgoCD, analytics, rollbacks |
Benefits
- Auditability — Every change is a Git commit with author, timestamp, and message.
- Reproducibility — Re-deploy from any Git commit to recreate the exact state.
- Security — No external access to the cluster API required.
- Drift detection — Continuous reconciliation catches manual changes.
- Rollback — Git revert is the rollback mechanism — simple and reliable.
Limitations
- Secrets — Git cannot store plaintext secrets. Requires SealedSecrets, SOPS, or External Secrets.
- Learning curve — Requires understanding Kubernetes, Helm/Kustomize, and the GitOps tool.
- Complexity — Adds another layer to the deployment stack.
- Circular dependency — The GitOps agent itself needs to be deployed (bootstrap problem).
In GitOps, if it is not in Git, it does not exist. Manual changes to the cluster are reconciled away. This is both the strength and the constraint — all changes must go through Git.
Flux is lighter and more Kubernetes-native than ArgoCD. Start with Flux if you want minimal overhead. Choose ArgoCD if you need a web UI and multi-cluster management.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.