---
name: gitops-ci-cd
description: Implement GitOps practices for infrastructure and application management including Git-based declarative deployments, ArgoCD, Flux, pull request workflows, and automated drift detection. Use when setting up GitOps pipelines, managing infrastructure as code in Git, implementing automated deployments, or configuring drift detection and remediation. Triggers on phrases like "GitOps", "ArgoCD", "Flux", "declarative infrastructure", "drift detection", "pull request deployment", "Git workflow", "app of apps", "sync policy", "helm operator", "Kustomize", "environment promotion".
---

# GitOps & CI/CD

Implement Git-based declarative deployment workflows for infrastructure and application management.

## Workflow

### 1. GitOps Architecture

```
GITOPS PLATFORM ARCHITECTURE
═══════════════════════════════════════

GIT REPOSITORY STRUCTURE:
═══════════════════════════════════════

infrastructure/
  ├── environments/
  │   ├── production/
  │   │   ├── kubernetes/
  │   │   │   ├── namespaces/
  │   │   │   ├── networking/
  │   │   │   ├── monitoring/
  │   │   │   └── applications/
  │   │   └── terraform/
  │   │       ├── vpc/
  │   │       ├── kubernetes/
  │   │       └── database/
  │   ├── staging/
  │   └── development/
  ├── components/
  │   ├── monitoring/
  │   ├── logging/
  │   └── networking/
  └── policies/
      ├── security/
      └── compliance/

applications/
  ├── api-gateway/
  │   ├── manifests/
  │   ├── helm-chart/
  │   └── argocd-app.yaml
  ├── auth-service/
  └── web-frontend/

GitOps Controller: ArgoCD (or Flux)
  → Watches Git repositories
  → Compares desired state (Git) with actual state (cluster)
  → Auto-syncs or requests sync on drift
  → Supports environments via Git branches or directories

CONTROL FLOW:
═══════════════════════════════════════

Developer → Git PR → Review → Merge → ArgoCD detects change → Deploy to cluster
                                                    ↓
                                              Drift detected → Alert + Auto-remediate
```

### 2. ArgoCD Application Management

```
ARGOCD APPLICATION DEFINITION
═══════════════════════════════════════

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: api-gateway
  namespace: argocd
spec:
  project: production
  source:
    repoURL: https://github.com/company/infrastructure.git
    targetRevision: main
    path: applications/api-gateway/helm-chart
    helm:
      valueFiles:
        - values.yaml
        - values-production.yaml
      parameters:
        - name: replicaCount
          value: "3"
        - name: image.tag
          value: "v2.1.0"
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PruneLast=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m

SYNC POLICIES:
═══════════════════════════════════════

Auto-sync: Automatic deployment on Git change (production: manual or auto with hooks)
Self-heal: Automatic correction of manual changes (drift remediation)
Prune: Remove resources no longer in Git (clean orphaned resources)

APP-OF-APPS PATTERN:
═══════════════════════════════════════

Root application (aggregator):
  → One root Application whose source path holds the child Application manifests; syncing the root creates and tracks the children
  → Or an ApplicationSet whose generator (Git directories, cluster list) discovers the children
  → Environment promotion via Git branches

Environment Promotion:
  → Development: Branch dev/* → auto-sync
  → Staging: Merge to staging branch → auto-sync
  → Production: Merge to main + approval → auto-sync
```
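The app-of-apps pattern above, as an added example that is not part of the original page: an AppProject that fences what the production applications may deploy (source repo, destination namespace, cluster-scoped kinds), followed by a root ApplicationSet whose Git directory generator creates one child Application per directory under `applications/`. The repository URL, the `production` project name and the `applications/<name>/helm-chart` layout are assumptions taken from the architecture section; nothing here is the project's own configuration.

```yaml
# Added example: least-privilege AppProject plus root ApplicationSet.
# Assumptions: repo URL, project name and chart layout as shown in the
# architecture section of this page.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: production
  namespace: argocd
spec:
  description: Production workloads, deployed only from the infrastructure repo
  sourceRepos:
    - https://github.com/company/infrastructure.git   # no other source is accepted
  destinations:
    - server: https://kubernetes.default.svc
      namespace: production                             # no other namespace is accepted
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace          # needed for CreateNamespace=true; no other cluster-scoped kinds
  namespaceResourceBlacklist:
    - group: rbac.authorization.k8s.io
      kind: RoleBinding        # application manifests may not grant themselves extra RBAC
  orphanedResources:
    warn: true                 # report resources in the namespace that are not in Git
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: applications-production
  namespace: argocd
spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]   # a typo in a template field fails loudly
  generators:
    - git:
        repoURL: https://github.com/company/infrastructure.git
        revision: main
        directories:
          - path: applications/*              # one child Application per directory
  template:
    metadata:
      name: '{{ .path.basename }}'            # api-gateway, auth-service, web-frontend
    spec:
      project: production
      source:
        repoURL: https://github.com/company/infrastructure.git
        targetRevision: main
        path: '{{ .path.path }}/helm-chart'
        helm:
          valueFiles:
            - values.yaml
            - values-production.yaml
      destination:
        server: https://kubernetes.default.svc
        namespace: production
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
          - CreateNamespace=true
```

Adding a new service is then a directory under `applications/` in a pull request; the ApplicationSet picks it up on the next reconcile, and the AppProject guarantees it cannot point at a foreign repository or deploy outside the `production` namespace.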

### 3. CI/CD Pipeline Integration

```
CI PIPELINE (GitHub Actions)
═══════════════════════════════════════

name: Build and Push
on:
  push:
    branches: [main, staging, 'dev/**']
  pull_request:
    branches: [main, staging]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - checkout
      - build Docker image
      - run unit tests
      - run linting
      - scan for vulnerabilities (Trivy)
      - push image to registry (tagged with commit SHA)
      - update Git manifest with new image tag (Renovate, or Flux image automation)
      - commit and push to infrastructure repo

CD PIPELINE (ArgoCD)
═══════════════════════════════════════

  → ArgoCD watches infrastructure repo
  → Detects manifest change (new image tag)
  → Validates: diff between desired and current state
  → Staging: Auto-deploys
  → Production: Waits for approval (or auto with canary)

GATEKEEPING:
═══════════════════════════════════════

Quality gates before deployment:
  1. All tests pass (unit, integration, e2e)
  2. Security scan: No critical/high CVEs
  3. Image signed (Cosign)
  4. Code coverage > 80%
  5. Performance regression test passed
  6. PR approved by 2+ reviewers
  7. Branch protection rules enforced
```
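A concrete GitHub Actions workflow for the CI half of the pipeline outlined above, added here as an example and not taken from the original page. It builds the image, gates the push on a Trivy scan, signs the pushed image by digest with Cosign, and then promotes the digest into the infrastructure repository through a pull request. Assumptions: the image is published to GHCR as `ghcr.io/company/api-gateway`; the service repository has `make test` and `make lint` targets; the chart's `values-<env>.yaml` files carry `image.tag` and `image.digest` keys; `INFRA_REPO_TOKEN` is a token scoped to `company/infrastructure` with contents and pull-request write access; and auto-merge is enabled on that repository.

```yaml
# Added example (not the page's or any project's own workflow).
name: Build, scan, sign and promote
on:
  push:
    branches: [main, staging, 'dev/**']
  pull_request:
    branches: [main, staging]

permissions:
  contents: read
  packages: write
  id-token: write      # keyless Cosign signing uses the job's OIDC identity

env:
  IMAGE: ghcr.io/company/api-gateway   # assumption: GHCR image name

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      digest: ${{ steps.push.outputs.digest }}
    steps:
      - uses: actions/checkout@v4

      - name: Unit tests and lint
        run: make test && make lint     # assumption: Makefile targets in the service repo

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build image locally (nothing is pushed before the scan passes)
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      - name: Vulnerability gate (Trivy)
        uses: aquasecurity/trivy-action@0.28.0    # pin to a released tag of the action
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'     # any CRITICAL/HIGH finding fails the job, so the image is never pushed

      - name: Push image
        id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      - uses: sigstore/cosign-installer@v3

      - name: Sign by digest (keyless; the signature is recorded in the Rekor transparency log)
        run: cosign sign --yes "${IMAGE}@${{ steps.push.outputs.digest }}"

  promote:
    if: github.event_name == 'push'    # PR builds stop at the gates; only merged commits promote
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: company/infrastructure
          token: ${{ secrets.INFRA_REPO_TOKEN }}   # assumption: token scoped to the infra repo

      - name: Map the source branch to a target environment
        id: env
        run: |
          case "$GITHUB_REF_NAME" in
            main)    echo "name=production"  >> "$GITHUB_OUTPUT" ;;
            staging) echo "name=staging"     >> "$GITHUB_OUTPUT" ;;
            *)       echo "name=development" >> "$GITHUB_OUTPUT" ;;
          esac

      - name: Pin the chart to the scanned and signed image, then open a promotion PR
        env:
          TARGET: ${{ steps.env.outputs.name }}
          DIGEST: ${{ needs.build.outputs.digest }}
          GH_TOKEN: ${{ secrets.INFRA_REPO_TOKEN }}
        run: |
          VALUES="applications/api-gateway/helm-chart/values-${TARGET}.yaml"   # assumption: image.tag/image.digest keys
          SHORT="${GITHUB_SHA::12}"
          BRANCH="promote/${TARGET}/${SHORT}"
          # The digest, unlike a mutable tag, cannot be re-pointed at another image after the scan.
          yq -i '.image.tag = strenv(GITHUB_SHA) | .image.digest = strenv(DIGEST)' "$VALUES"
          git config user.name  "ci-bot"
          git config user.email "ci-bot@company.example"
          git checkout -b "$BRANCH"
          git commit -am "api-gateway: promote ${SHORT} to ${TARGET}"
          git push origin "$BRANCH"
          gh pr create --repo company/infrastructure --base main --head "$BRANCH" \
            --title "Promote api-gateway ${SHORT} to ${TARGET}" \
            --body "Image ${IMAGE}@${DIGEST}: Trivy gate passed, Cosign signed."
          # Production PRs wait for the required reviewers; lower environments merge automatically.
          if [ "$TARGET" != "production" ]; then
            gh pr merge "$BRANCH" --repo company/infrastructure --auto --squash
          fi
```

The ordering is the point: the scan runs against a locally loaded image, so a failed gate leaves nothing in the registry to be deployed by mistake; the signature is attached to the digest rather than the tag; and the manifest change reaches the cluster only through the same pull request path that ArgoCD already watches, so branch protection on `main` is what enforces the production approval.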

### 4. Drift Detection & Remediation

```
DRIFT DETECTION
═══════════════════════════════════════

ArgoCD drift types:
═══════════════════════════════════════

Type                 Cause                       Action
────────────────────────────────────────────────────────────────────
Resource modified    Manual kubectl edit         Self-heal (revert to Git)
Resource deleted     Accidental deletion         Self-heal (recreate)
Resource added       Manual kubectl apply        Prune (remove)
Config drift         Helm values changed         Self-heal (reconcile)

Note: prune only removes resources that carry the application's tracking
label/annotation but are absent from Git. A manually applied resource without
that label is invisible to sync; it only surfaces through the AppProject's
orphaned-resource monitoring.

Drift detection frequency:
  → Default: Git is re-polled every 3 minutes (timeout.reconciliation in argocd-cm)
  → Custom: per-application sync interval
  → Cluster watch: changes to live resources arrive via Kubernetes watch events (near real-time), independent of the Git polling interval

NOTIFICATION CONFIGURATION:
═══════════════════════════════════════

  → Drift detected: Slack alert to #infra-alerts
  → Sync failed: PagerDuty page to on-call engineer
  → Health degraded: Email to application team
  → Deployment complete: Slack notification

REMEDIATION OPTIONS:
═══════════════════════════════════════

  1. Auto-sync (self-heal): Revert to Git state automatically
  2. Manual sync: Approve sync via ArgoCD UI or CLI
  3. Update Git: If change was intentional, update Git first
  4. Ignore: Exclude specific fields from drift detection
```
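The "Ignore" remediation option and the drift notifications described above, as an added example expressed in ArgoCD configuration (not the page's own manifests): an Application that self-heals everything except two fields that are legitimately owned by runtime controllers, plus the `argocd-notifications-cm` entries that turn an OutOfSync, a failed sync, or a Degraded health status into a Slack message. Assumptions: the repository URL and path, a Slack bot token stored under the key `slack-token` in `argocd-notifications-secret`, and a Slack channel named `infra-alerts`.

```yaml
# Added example: ignoreDifferences plus notification triggers and templates.
# Assumptions: repo URL/path, Slack token key "slack-token", channel "infra-alerts".
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: monitoring-stack
  namespace: argocd
  annotations:
    # Per-application subscriptions to the triggers defined in the ConfigMap below.
    notifications.argoproj.io/subscribe.on-out-of-sync.slack: infra-alerts
    notifications.argoproj.io/subscribe.on-sync-failed.slack: infra-alerts
    notifications.argoproj.io/subscribe.on-health-degraded.slack: infra-alerts
spec:
  project: production
  source:
    repoURL: https://github.com/company/infrastructure.git
    targetRevision: main
    path: infrastructure/environments/production/kubernetes/monitoring
  destination:
    server: https://kubernetes.default.svc
    namespace: monitoring
  syncPolicy:
    automated:
      prune: true
      selfHeal: true                    # every field NOT listed below is reverted to Git
    syncOptions:
      - RespectIgnoreDifferences=true   # also leave the ignored fields alone during sync
  ignoreDifferences:
    # Replica counts are owned by the HorizontalPodAutoscaler at runtime, so a
    # value that differs from Git is expected, not drift.
    - group: apps
      kind: Deployment
      jsonPointers:
        - /spec/replicas
    # cert-manager injects caBundle after creation; comparing it would report a
    # permanent OutOfSync and self-heal would keep blanking the injected value.
    - group: admissionregistration.k8s.io
      kind: ValidatingWebhookConfiguration
      jqPathExpressions:
        - .webhooks[].clientConfig.caBundle
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-notifications-cm
  namespace: argocd
data:
  service.slack: |
    token: $slack-token          # resolved from argocd-notifications-secret
  # Drift: live state no longer matches Git (seen before self-heal runs, or when it is off).
  trigger.on-out-of-sync: |
    - when: app.status.sync.status == 'OutOfSync'
      send: [app-out-of-sync]
  trigger.on-sync-failed: |
    - when: app.status.operationState.phase in ['Error', 'Failed']
      send: [app-sync-failed]
  trigger.on-health-degraded: |
    - when: app.status.health.status == 'Degraded'
      send: [app-health-degraded]
  template.app-out-of-sync: |
    message: |
      Drift detected: {{.app.metadata.name}} is OutOfSync with {{.app.spec.source.targetRevision}}.
      Live state was changed outside Git; self-heal reverts it when enabled.
  template.app-sync-failed: |
    message: |
      Sync FAILED for {{.app.metadata.name}}: {{.app.status.operationState.message}}
  template.app-health-degraded: |
    message: |
      {{.app.metadata.name}} health is Degraded at revision {{.app.status.sync.revision}}.
```

Keep the ignore list short and reasoned: every entry is a field that self-heal will never restore, so an ignore added to silence a noisy diff also silences real tampering with that field. Failed syncs are worth a louder channel than drift, since a sync that keeps failing means the cluster is stuck on whatever state it had before.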

### 5. Multi-Environment Management

```
ENVIRONMENT STRATEGY
═══════════════════════════════════════

Branch Strategy:
═══════════════════════════════════════

  main          → Production (protected, requires approval)
  staging       → Staging (auto-deploy from dev merge)
  develop       → Development (feature branches merge here)
  feature/*     → Feature branches (PR to develop)

Configuration by Environment:
═══════════════════════════════════════

  → Helm values per environment (values-{env}.yaml)
  → Kustomize overlays (kustomization-{env}.yaml)
  → Environment-specific secrets (external secrets operator)
  → Namespace isolation per environment

Environment Matrix:
═══════════════════════════════════════

Env                 Replicas  Resources  Database       Monitoring  Access
──────────────────────────────────────────────────────────────────────────
Development         1         Small      Shared         Basic       Dev team
Staging             2         Medium     Copy of prod   Full        QA + Dev
Production          3+        Full       Production     Full        Restricted
Disaster recovery   1         Full       Replica        Full        Admin only
```
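The per-environment configuration and secret handling described above, as an added example that is not from the original page: one Kustomize base with a production overlay that changes only what differs per environment (namespace, replica count, image tag, resource sizing), and a Secret that is synthesised in the cluster by the External Secrets Operator so that no secret material is committed. Assumptions: the image name, the `applications/api-gateway/manifests` layout, and a `ClusterSecretStore` named `vault-production` that the operator has already been configured with.

```yaml
# Added example: Kustomize base + production overlay + ExternalSecret.
# Assumptions: image name, manifests layout, ClusterSecretStore "vault-production".
#
# --- applications/api-gateway/manifests/base/kustomization.yaml ---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
---
# --- applications/api-gateway/manifests/base/deployment.yaml ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-gateway
spec:
  replicas: 1                   # overridden per environment
  selector:
    matchLabels:
      app: api-gateway
  template:
    metadata:
      labels:
        app: api-gateway
    spec:
      containers:
        - name: api-gateway
          image: ghcr.io/company/api-gateway   # tag set by the overlay
          envFrom:
            - secretRef:
                name: api-gateway-secrets     # created by the ExternalSecret, never committed
          resources:
            requests: { cpu: 100m, memory: 128Mi }
---
# --- applications/api-gateway/manifests/overlays/production/kustomization.yaml ---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: production           # namespace isolation per environment
resources:
  - ../../base
  - externalsecret.yaml
replicas:
  - name: api-gateway
    count: 3
images:
  - name: ghcr.io/company/api-gateway
    newTag: v2.1.0              # use "digest:" instead to pin an immutable reference
patches:
  - target:
      kind: Deployment
      name: api-gateway
    patch: |
      - op: replace
        path: /spec/template/spec/containers/0/resources
        value:
          requests: { cpu: 500m, memory: 512Mi }
          limits:   { cpu: "1",  memory: 1Gi }
---
# --- applications/api-gateway/manifests/overlays/production/externalsecret.yaml ---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: api-gateway-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-production      # each environment points at its own store and path
  target:
    name: api-gateway-secrets
  data:
    - secretKey: DATABASE_URL
      remoteRef:
        key: production/api-gateway
        property: database_url
```

A staging overlay is the same four lines of difference with its own namespace, count and `ClusterSecretStore`; `kustomize build overlays/production` renders exactly what ArgoCD will apply, which makes the overlay diff reviewable in the promotion pull request.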

## Edge Cases

- **Large repos**: Shallow clones, sparse checkout for performance
- **Air-gapped clusters**: Local mirror, offline ArgoCD installation
- **Multi-cluster**: ArgoCD clusters config, application routing
- **Cross-namespace**: RBAC for ArgoCD service account
- **Secrets in Git**: Never store secrets in Git; use Sealed Secrets or external vault

## Integration Points

- **Git providers**: GitHub, GitLab, Bitbucket
- **Orchestration**: Kubernetes, Amazon EKS, GKE, AKS
- **Container registries**: ECR, GCR, Docker Hub, ACR
- **CI tools**: GitHub Actions, GitLab CI, Jenkins, CircleCI
- **GitOps tools**: ArgoCD, Flux, Argo Workflows
- **Security**: Cosign, Notary, Trivy, Snyk

## Output

### GitOps Status

```
GITOPS STATUS — Production
═══════════════════════════════════════

Applications managed: 28
  Healthy: 26
  Degraded: 1 (api-gateway — canary in progress)
  Missing: 0
  Out of sync: 1 (monitoring-stack — config drift)

Git repository: infrastructure/main
  Last sync: 2 minutes ago
  Branch protection: Enforced

Deployments today: 4 (all successful)
Drift events: 1 (auto-remediated)
```
