GitOps Implementation Patterns
Modern infrastructure delivery demands declarative automation and continuous reconciliation; GitOps meets this need by turning Git into the single source of truth.
When I first tried GitOps, it wasn’t because I read a buzzword. It was because I was tired of manually patching Kubernetes manifests at 2 a.m., trying to remember which cluster I had updated and whether the change was in a pull request or someone’s terminal. GitOps promised a cleaner path: declare the desired state in Git, let automation apply it, and always know exactly what is running. The promise is compelling, but the implementation can feel like a maze of tools and patterns. That maze is the focus of this article. We will walk through practical patterns for adopting GitOps, the tradeoffs, and how to shape a workflow that matches real teams and real constraints.
If you are a developer or platform engineer looking to move from imperative scripts and ad hoc deployments to a reliable, auditable delivery pipeline, GitOps is worth a serious look. It is not magic, and it will not solve every problem, but it can dramatically reduce drift and increase confidence. By the end of this guide, you should know how GitOps fits into modern delivery, what the main implementation patterns look like, and where it might or might not be the right choice.
Where GitOps fits today
GitOps builds on a simple idea: use Git as the declarative source of truth for infrastructure and applications. This approach aligns naturally with Kubernetes, which itself is declarative, but GitOps is broader. It can manage Helm charts, Kustomize overlays, Terraform modules, and even non-Kubernetes resources through controllers and operators.
In practice, GitOps is most often used with Kubernetes, but it extends to cloud resources via tools like Crossplane and to infrastructure provisioning with Terraform. Teams that adopt GitOps typically include platform engineers, SREs, and application developers who want to self-serve deployments without direct access to cluster APIs. The pattern has matured significantly since the term was coined by Weaveworks in 2017; the GitOps Principles provide a stable foundation: declarative description, version control, automated delivery, and continuous reconciliation.
Compared to traditional CI-only pipelines, GitOps shifts the focus from imperative scripts to declarative manifests. Instead of Jenkins or GitHub Actions running kubectl apply, a controller inside the cluster continuously reconciles the actual state to match the desired state in Git. This inversion reduces the need for broad credentials in CI, improves auditability, and makes rollbacks a matter of reverting a commit.
Core GitOps implementation patterns
GitOps is not a single tool. It is a set of patterns that you combine to fit your organization’s needs. Below are the most common patterns I have seen work in production, including code context and configuration examples.
Pattern 1: Pull-based reconciliation with GitOps operators
This is the canonical GitOps pattern. A controller inside the cluster pulls changes from Git and applies them to the cluster. The controller runs with scoped permissions and no external network access, which reduces the attack surface. The most popular controller is Argo CD, but Flux is another robust option.
Example: Basic Argo CD Application setup
In this pattern, you define an Application resource that points to a Git repository containing Kubernetes manifests or Helm charts. Argo CD continuously monitors the repo and reconciles the cluster state.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: sample-app
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/example/sample-app-manifests
targetRevision: main
path: overlays/production
destination:
server: https://kubernetes.default.svc
namespace: production
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
A key mental model here is “Git is the source of truth; the controller is the executor.” The controller does not wait for a CI job to trigger; it constantly reconciles. This means that if someone edits a resource directly in the cluster, the controller will revert it to the Git state. This behavior prevents configuration drift.
For larger setups, you often have multiple Applications, possibly using ApplicationSets for multi-cluster and multi-tenant scenarios.
Pattern 2: Push-based CI with limited scope
Some organizations are not ready to allow a controller inside the cluster to pull from Git. In these cases, CI systems push changes to the cluster, but you can still follow GitOps principles: changes are only applied when merged to a tracked branch, and the manifests in Git remain the source of truth. This is a transitional pattern and can be implemented with care.
Example: GitHub Actions pushing a Helm release
In this pattern, the CI pipeline builds the image and updates the Helm values or chart version in a separate manifests repository. A subsequent job applies the changes to the cluster using a service account with narrow permissions.
name: Deploy Helm Chart
on:
push:
branches:
- main
paths:
- 'charts/myapp/**'
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Helm
uses: azure/setup-helm@v3
- name: Configure Kubernetes
uses: azure/k8s-set-context@v3
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG_PROD }}
- name: Deploy
run: |
helm upgrade --install myapp ./charts/myapp \
--namespace production \
--create-namespace \
--set image.tag=${{ github.sha }} \
--atomic
While this is simpler to start with, it requires careful management of credentials and relies on CI history for auditability. Many teams eventually move to pull-based controllers for better security and resilience.
Pattern 3: Multi-environment promotion with overlays
In real projects, you rarely deploy the same manifest to all environments. You promote changes from development to staging to production, often with slight configuration differences. Tools like Kustomize or Helm overlays help you manage these variations while keeping a single source of truth.
Example: Kustomize overlays for environments
Folder structure:
app-manifests/
├── base/
│ ├── deployment.yaml
│ ├── service.yaml
│ └── kustomization.yaml
└── overlays/
├── development/
│ ├── replica-count.yaml
│ ├── kustomization.yaml
│ └── configmap-patch.yaml
├── staging/
│ ├── replica-count.yaml
│ ├── kustomization.yaml
│ └── configmap-patch.yaml
└── production/
├── replica-count.yaml
├── kustomization.yaml
└── configmap-patch.yaml
Base kustomization.yaml:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yaml
- service.yaml
Overlay kustomization.yaml for production:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: production
resources:
- ../../base
patchesStrategicMerge:
- replica-count.yaml
- configmap-patch.yaml
commonLabels:
environment: production
Overlay replica-count.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: sample-app
spec:
replicas: 3
Overlay configmap-patch.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: sample-app-config
data:
LOG_LEVEL: info
FEATURE_FLAG_NEW_UI: "false"
Argo CD or Flux can be configured to track specific overlay paths per environment, giving you automated promotion with human review via pull requests.
Pattern 4: Progressive delivery and canary rollouts
Advanced GitOps patterns integrate progressive delivery to reduce risk. Argo Rollouts and Flagger are commonly used with Argo CD or Flux to perform canary or blue-green deployments. The Git repository still holds the desired state, but the controller orchestrates gradual traffic shifting and automated rollback based on metrics.
Example: Argo Rollouts resource
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
name: sample-app
namespace: production
spec:
replicas: 3
selector:
matchLabels:
app: sample-app
template:
metadata:
labels:
app: sample-app
spec:
containers:
- name: app
image: example/sample-app:latest
ports:
- containerPort: 8080
strategy:
canary:
steps:
- setWeight: 20
- pause: { duration: 5m }
- setWeight: 50
- pause: { duration: 5m }
- setWeight: 100
In this pattern, the Git commit updates the image tag in the Rollout object. The controller handles the steps, querying metrics from Prometheus and adjusting traffic via service mesh or ingress. If thresholds fail, it rolls back automatically.
Pattern 5: Terraform and infrastructure as code integration
GitOps is not limited to Kubernetes. Teams managing cloud resources often combine Terraform with GitOps controllers. The Terraform controller for Flux or similar patterns allow Terraform plans and applies to be triggered by Git changes and reconciled by a controller.
Example: Flux Terraform resource (conceptual)
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
name: infra-repo
namespace: flux-system
spec:
interval: 1m
url: https://github.com/example/infra
ref:
branch: main
---
apiVersion: infra.contrib.fluxcd.io/v1alpha2
kind: Terraform
metadata:
name: network-infra
namespace: flux-system
spec:
interval: 5m
path: ./aws/vpc
sourceRef:
kind: GitRepository
name: infra-repo
approvePlan: auto
backendConfig:
secretSuffix: network-infra-state
This approach keeps cloud infrastructure in Git and reconciles changes continuously. It requires careful handling of state and secrets but provides strong auditability.
Pattern 6: Multi-cluster GitOps
Large organizations often manage multiple clusters per environment or region. GitOps patterns support multi-cluster setups through tools like Argo CD ApplicationSets or Flux multi-tenancy and Kustomize remote bases.
Example: Argo CD ApplicationSet for multi-cluster
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: guestbook
namespace: argocd
spec:
generators:
- list:
elements:
- cluster: https://cluster1.example.com
env: production
- cluster: https://cluster2.example.com
env: staging
template:
metadata:
name: '{{cluster}}-guestbook'
spec:
project: default
source:
repoURL: https://github.com/argoproj/argocd-example-apps
targetRevision: HEAD
path: guestbook
destination:
server: '{{cluster}}'
namespace: guestbook
syncPolicy:
automated:
prune: true
selfHeal: true
This pattern uses a generator to create Applications per cluster, with overlays determining environment-specific configuration.
Pattern 7: Sealed secrets and safe configuration
Handling secrets in Git is a common concern. The practical pattern is to encrypt secrets before committing them to Git, then decrypt them inside the cluster using a controller. Bitnami Sealed Secrets is a popular solution. Alternatively, use external secret managers like AWS Secrets Manager and synchronize with tools like External Secrets Operator.
Example: SealedSecret resource
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: db-credentials
namespace: production
spec:
encryptedData:
username: AgBy3i4...
password: AgB8z9k...
This pattern keeps secrets safe while maintaining the declarative approach. The controller decrypts them only in the cluster.
Pattern 8: Drift detection and self-healing
One of the strongest advantages of pull-based GitOps is continuous reconciliation. If an administrator changes a resource directly in the cluster, the controller will revert it. This drift detection ensures consistency and reduces snowflake environments.
In Argo CD, self-healing is enabled via syncPolicy. In Flux, the kustomize-controller handles reconciliation. For non-Kubernetes resources, the same concept applies: the controller continually compares actual state to desired state.
Honest evaluation: Strengths, weaknesses, and tradeoffs
Strengths
- Auditability and compliance: Every change is a Git commit. You can trace exactly who changed what and when.
- Security model: Pull-based controllers use cluster-scoped credentials, reducing the need to distribute credentials to CI systems.
- Developer experience: Teams can propose changes via pull requests and review them without direct cluster access.
- Reliability: Self-healing reduces drift and makes environments predictable.
Weaknesses
- Initial complexity: Setting up controllers, repositories, overlays, and policies takes time.
- State management for cloud resources: Terraform state and secrets require careful handling.
- Multi-environment coordination: Without clear processes, overlays can become complex.
- Learning curve: Developers and operators need to understand declarative patterns and Git workflows.
When GitOps is a good fit
- You use Kubernetes or are moving toward it.
- You want strong auditability and compliance.
- Your team values self-service and peer review via pull requests.
- You are ready to invest in automation and standardization.
When GitOps may not fit
- You manage only a few static servers with minimal changes.
- You rely heavily on imperative scripts and cannot define declarative states.
- Your organization lacks mature Git workflows or review practices.
- You need immediate, low-latency changes without commit-to-deploy cycles.
A personal experience
I implemented GitOps for a mid-sized platform team running multiple Kubernetes clusters. Initially, we used a push-based pattern via Jenkins because it felt familiar. However, we ran into two issues: credential sprawl and drift. Developers started patching production directly because the CI pipeline was slow. Moving to Argo CD solved the drift problem almost overnight. The self-healing feature reverted unintended changes, and the visual dashboard reduced confusion about what was actually deployed.
The learning curve was not trivial. We spent a week designing repository structure: should manifests live with the code, or in a separate repo? We chose a separate repo to decouple application builds from infrastructure definitions, but we kept per-app folders to simplify onboarding. Another pitfall was overusing Kustomize overlays for too many small variations; it became hard to follow. We standardized a small set of base overlays and documented them clearly.
One moment stands out. During an incident, we realized a bad image was deployed to production. A quick git revert in the manifests repo, followed by Argo CD’s automated sync, restored the previous state in minutes. No panic, no manual rollbacks. That moment made the investment feel worth it.
Getting started: Workflow and mental models
Start by mapping your deployment workflow. Identify the desired state inputs: manifests, Helm charts, Kustomize overlays, Terraform modules. Decide where they live: monorepo, polyrepo, or hybrid. Choose a controller based on your stack: Argo CD for Kubernetes-heavy setups, Flux for a more Git-native approach, or both if you need flexibility.
Suggested repository structure
gitops/
├── apps/
│ ├── team-a/
│ │ ├── base/
│ │ └── overlays/
│ │ ├── dev/
│ │ ├── staging/
│ │ └── prod/
│ └── team-b/
│ ├── base/
│ └── overlays/
│ ├── dev/
│ ├── staging/
│ └── prod/
├── clusters/
│ ├── prod-cluster-1/
│ │ ├── apps/
│ │ └── infrastructure/
│ ├── prod-cluster-2/
│ │ ├── apps/
│ │ └── infrastructure/
│ └── staging/
│ ├── apps/
│ └── infrastructure/
├── infrastructure/
│ ├── terraform/
│ │ ├── aws/
│ │ │ ├── vpc/
│ │ │ └── eks/
│ │ └── gcp/
│ └── helm/
│ ├── ingress-nginx/
│ └── prometheus/
└── README.md
The mental model:
- Apps live in
apps/with base overlays and environment-specific patches. - Clusters reference the apps they need via ApplicationSets or Flux Kustomization objects.
- Infrastructure lives separately and is reconciled as its own unit.
Tooling choices
- Controllers: Argo CD or Flux.
- Templating: Helm for packaged apps, Kustomize for overlays.
- Secrets: Sealed Secrets or External Secrets Operator.
- Progressive delivery: Argo Rollouts or Flagger.
- Policy: OPA Gatekeeper or Kyverno for guardrails.
- CI: GitHub Actions or GitLab CI for building artifacts, while deployment is handled by the controller.
Workflow steps
- Developer opens a pull request in the manifests repo with proposed changes.
- CI runs checks: lint manifests, run tests, validate Kustomize build.
- Reviewers approve and merge.
- Controller detects changes, reconciles, and reports status.
- If progressive delivery is enabled, rollout proceeds with canary steps.
- Audit trail is captured in Git and controller logs.
Distinguishing features and ecosystem strengths
Developer experience
GitOps offers a consistent mental model across environments. Developers learn one workflow: propose changes in Git, review, merge, and watch reconciliation. This reduces cognitive load and avoids the “it worked on my machine” problem.
Maintainability
Declarative manifests are easier to version and diff than imperative scripts. Overlays make environment-specific changes explicit. With Git history, you can analyze trends and identify problematic changes quickly.
Ecosystem strengths
- Argo CD: Rich UI, ApplicationSets, multi-cluster support, and integration with Argo Rollouts.
- Flux: Modular controllers, GitOps Toolkit, and strong alignment with Kubernetes APIs.
- Helm: Widely adopted packaging format, excellent for third-party charts.
- Kustomize: Native Kubernetes patching without templating language overhead.
- Terraform controllers: Enable cloud infrastructure in GitOps workflows.
- Policy engines: Gatekeeper and Kyverno enforce standards without blocking deployments.
Real outcomes
Teams using GitOps often report fewer outages caused by configuration drift and faster rollbacks. They gain better compliance for audits, as every change is traceable. Developers feel empowered to ship changes without needing direct cluster access, which improves velocity while maintaining controls.
Free learning resources
- Weaveworks: What is GitOps? — foundational principles and history.
- Argo CD Documentation: Getting Started — practical setup and concepts.
- Flux Documentation: Flux Core Concepts — modular controllers and GitOps workflow.
- Bitnami Sealed Secrets: GitHub repository — managing secrets in Git safely.
- External Secrets Operator: Documentation — synchronizing secrets from external managers.
- OPA Gatekeeper: Policy Framework — enforcing governance in Kubernetes.
- Argo Rollouts: Progressive Delivery — canary and blue-green deployments.
- Kustomize: Documentation — overlays and patches.
Who should use GitOps and who might skip it
GitOps is a strong fit for teams that need reliable, auditable, and secure delivery practices, especially those with Kubernetes at the core. Platform engineers and SREs benefit from the reduced operational burden and consistent state management. Developers appreciate the clear workflow and self-service capabilities.
If your infrastructure is small and static, or if you lack the time and organizational support to invest in declarative practices and reviews, the overhead may outweigh the benefits. In such cases, simpler CI-driven deployments may suffice, with a path to GitOps later.
Conclusion
GitOps is a practical set of patterns for managing infrastructure and applications declaratively. Pull-based controllers provide security and self-healing; overlays and progressive delivery enable safe promotion; and integration with tools like Terraform expands GitOps beyond Kubernetes. The journey requires thoughtful design, but the outcome is a stable, auditable, and developer-friendly delivery pipeline.
When I look back at the 2 a.m. patch sessions I mentioned earlier, GitOps feels like a light in that darkness. It won’t eliminate all problems, but it provides a clear map: declare what you want, store it in Git, and let automation bring the world in line. If that map sounds helpful, start small, pick one pattern, and iterate. The patterns are there to be adapted, not enforced.
