IT AI Skill

Gitops Ci Cd

Implement GitOps practices for infrastructure and application management including Git-based declarative deployments, ArgoCD, Flux, pull request workflows, and automated drift detection. Use when setting up GitOps pipelines, managing infrastructure as code...

GitOps & CI/CD

Implement Git-based declarative deployment workflows for infrastructure and application management.

Workflow

1. GitOps Architecture

GITOPS PLATFORM ARCHITECTURE
═══════════════════════════════════════

GIT REPOSITORY STRUCTURE:
═══════════════════════════════════════

infrastructure/
  ├── environments/
  │   ├── production/
  │   │   ├── kubernetes/
  │   │   │   ├── namespaces/
  │   │   │   ├── networking/
  │   │   │   ├── monitoring/
  │   │   │   └── applications/
  │   │   └── terraform/
  │   │       ├── vpc/
  │   │       ├── kubernetes/
  │   │       └── database/
  │   ├── staging/
  │   └── development/
  ├── components/
  │   ├── monitoring/
  │   ├── logging/
  │   └── networking/
  └── policies/
      ├── security/
      └── compliance/

applications/
  ├── api-gateway/
  │   ├── manifests/
  │   ├── helm-chart/
  │   └── argocd-app.yaml
  ├── auth-service/
  └── web-frontend/

GitOps Controller: ArgoCD (or Flux)
  → Watches Git repositories
  → Compares desired state (Git) with actual state (cluster)
  → Auto-syncs or requests sync on drift
  → Supports environments via Git branches or directories

CONTROL FLOW:
═══════════════════════════════════════

Developer → Git PR → Review → Merge → ArgoCD detects change → Deploy to cluster
                                                    ↓
                                              Drift detected → Alert + Auto-remediate

2. ArgoCD Application Management

ARGOCD APPLICATION DEFINITION
═══════════════════════════════════════

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: api-gateway
  namespace: argocd
spec:
  project: production
  source:
    repoURL: https://github.com/company/infrastructure.git
    targetRevision: main
    path: applications/api-gateway/helm-chart   # a helm: source must point at the chart directory, not manifests/
    helm:
      valueFiles:
        - values.yaml
        - values-production.yaml
      parameters:
        - name: replicaCount
          value: "3"
        - name: image.tag
          value: "v2.1.0"
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PruneLast=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m

SYNC POLICIES:
═══════════════════════════════════════

Auto-sync: Automatic deployment on Git change (production: manual or auto with hooks)
Self-heal: Automatic correction of manual changes (drift remediation)
Prune: Remove resources no longer in Git (clean orphaned resources)

APP-OF-APPS PATTERN:
═══════════════════════════════════════

Root application (aggregator):
  → A root Application whose source path contains the child Application manifests
    (or an ApplicationSet whose generator discovers them)
  → One manifest references all applications
  → Environment promotion via Git branches

Environment Promotion:
  → Development: Branch dev/* → auto-sync
  → Staging: Merge to staging branch → auto-sync
  → Production: Merge to main + approval → auto-sync

3. CI/CD Pipeline Integration

CI PIPELINE (GitHub Actions)
═══════════════════════════════════════

name: Build and Push
on:
  push:
    branches: [main, staging, 'dev/**']
  pull_request:
    branches: [main, staging]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - checkout
      - build Docker image
      - run unit tests
      - run linting
      - scan for vulnerabilities (Trivy)
      - push image to registry (tagged with commit SHA)
      - update Git manifest with new image tag (Renovate or Flux image automation)
      - commit and push to infrastructure repo

CD PIPELINE (ArgoCD)
═══════════════════════════════════════

  → ArgoCD watches infrastructure repo
  → Detects manifest change (new image tag)
  → Validates: diff between desired and current state
  → Staging: Auto-deploys
  → Production: Waits for approval (or auto with canary)

GATEKEEPING:
═══════════════════════════════════════

Quality gates before deployment:
  1. All tests pass (unit, integration, e2e)
  2. Security scan: No critical/high CVEs
  3. Image signed (Cosign)
  4. Code coverage > 80%
  5. Performance regression test passed
  6. PR approved by 2+ reviewers
  7. Branch protection rules enforced

4. Drift Detection & Remediation

DRIFT DETECTION
═══════════════════════════════════════

ArgoCD drift types:
═══════════════════════════════════════

Type                 Cause                     Action
──────────────────────────────────────────────────────────────
Resource modified    Manual kubectl edit       Self-heal (revert)
Resource deleted     Accidental deletion       Self-heal (recreate)
Resource added       Manual kubectl apply      Prune (remove)
Config drift         Helm values changed       Self-heal (reconcile)

Drift detection frequency:
  → Default: Every 3 minutes
  → Custom: Per-application sync interval
  → Long-polling: Kubernetes watch events (real-time)

NOTIFICATION CONFIGURATION:
═══════════════════════════════════════

  → Drift detected: Slack alert to #infra-alerts
  → Sync failed: PagerDuty page to on-call engineer
  → Health degraded: Email to application team
  → Deployment complete: Slack notification

REMEDIATION OPTIONS:
═══════════════════════════════════════

  1. Auto-sync (self-heal): Revert to Git state automatically
  2. Manual sync: Approve sync via ArgoCD UI or CLI
  3. Update Git: If change was intentional, update Git first
  4. Ignore: Exclude specific fields from drift detection
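The drift table and the remediation options above, as an added example that is not part of the original skill: a small Python drift classifier over constructed desired (Git) and live (cluster) state, modelling ArgoCD's selfHeal, prune and ignoreDifferences behaviour (a "modified" resource covers both kubectl edits and changed Helm values). The resource keys, sample manifests and the IGNORE map are constructed assumptions, not output from a real cluster.

```python
import copy

# Constructed sample state (not from a real cluster). Keys are (kind, namespace, name);
# DESIRED is what Git renders, LIVE is the current state of the app's tracked resources.
DESIRED = {
    ("Deployment", "production", "api-gateway"): {"spec": {"replicas": 3, "template": {
        "spec": {"containers": [{"name": "api-gateway", "image": "registry.example/api-gateway:v2.1.0"}]}}}},
    ("Service", "production", "api-gateway"): {"spec": {"ports": [{"port": 443, "targetPort": 8443}]}},
    ("ConfigMap", "production", "api-gateway-config"): {"data": {"LOG_LEVEL": "info"}},
}
LIVE = {
    # replicas raised by an HPA (intentional), image rolled back by a manual kubectl edit (drift)
    ("Deployment", "production", "api-gateway"): {"spec": {"replicas": 5, "template": {
        "spec": {"containers": [{"name": "api-gateway", "image": "registry.example/api-gateway:v2.0.9"}]}}}},
    ("Service", "production", "api-gateway"): {"spec": {"ports": [{"port": 443, "targetPort": 8443}]}},
    # ConfigMap deleted by hand; a debug Pod created by hand under the app's tracking label
    ("Pod", "production", "debug-shell"): {"spec": {"containers": [{"name": "sh", "image": "busybox"}]}},
}
# Dotted field paths to exclude per kind: the role of spec.ignoreDifferences in ArgoCD
IGNORE = {"Deployment": ["spec.replicas"]}

def strip_field(obj, path):
    """Return a deep copy of obj with the dotted field path removed, if present."""
    obj = copy.deepcopy(obj)
    cur, parts = obj, path.split(".")
    for part in parts[:-1]:
        cur = cur.get(part) if isinstance(cur, dict) else None
    if isinstance(cur, dict):
        cur.pop(parts[-1], None)
    return obj

def detect_drift(desired, live, ignore, self_heal=True, prune=True):
    """Classify each resource per the drift table; returns {key: (drift type, action)}.

    With selfHeal/prune off, drift is only reported as 'out of sync' (manual sync needed).
    """
    report = {}
    for key in sorted(set(desired) | set(live), key=str):
        if key not in live:
            report[key] = ("deleted", "self-heal (recreate)" if self_heal else "out of sync")
        elif key not in desired:
            report[key] = ("added", "prune (remove)" if prune else "out of sync")
        else:
            want, have = desired[key], live[key]
            for path in ignore.get(key[0], []):          # key[0] is the kind
                want, have = strip_field(want, path), strip_field(have, path)
            if want != have:
                report[key] = ("modified", "self-heal (revert)" if self_heal else "out of sync")
    return report
```

Resources that differ only in ignored fields (the HPA-managed replica count here) produce no drift event, which is how option 4 above keeps intentional runtime changes from being reverted.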

5. Multi-Environment Management

ENVIRONMENT STRATEGY
═══════════════════════════════════════

Branch Strategy:
═══════════════════════════════════════

  main          → Production (protected, requires approval)
  staging       → Staging (auto-deploy from dev merge)
  develop       → Development (feature branches merge here)
  feature/*     → Feature branches (PR to develop)

Configuration by Environment:
═══════════════════════════════════════

  → Helm values per environment (values-{env}.yaml)
  → Kustomize overlays (overlays/{env}/kustomization.yaml)
  → Environment-specific secrets (external secrets operator)
  → Namespace isolation per environment

Environment Matrix:
═══════════════════════════════════════

Env         Replicas  Resources     Database      Monitoring  Access
────────────────────────────────────────────────────────────────────────
Development 1         Small         Shared        Basic       Dev team
Staging     2         Medium        Copy of prod  Full        QA + Dev
Production  3+        Full          Production    Full        Restricted
Disaster    1         Full          Replica       Full        Admin only

Edge Cases

Integration Points

Output

GitOps Status

GITOPS STATUS — Production
═══════════════════════════════════════

Applications managed: 28
  Healthy: 26
  Degraded: 1 (api-gateway — canary in progress)
  Missing: 0
  Out of sync: 1 (monitoring-stack — config drift)

Git repository: infrastructure/main
  Last sync: 2 minutes ago
  Branch protection: Enforced

Deployments today: 4 (all successful)
Drift events: 1 (auto-remediated)