Source from repo
Kubernetes Specialist

Deploy and manage Kubernetes workloads: manifests, RBAC, Helm charts, service mesh, GitOps, and troubleshooting.
jeffallanGitHub jeffallanSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
129.5 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/gitops.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown531 linesFree
references/gitops.md
1# GitOps
2 
3---
4 
5## GitOps Principles
6 
71. **Declarative** - Entire system described declaratively
82. **Versioned and immutable** - Desired state stored in Git
93. **Pulled automatically** - Agents pull state from Git
104. **Continuously reconciled** - Agents ensure actual matches desired
11 
12## ArgoCD Installation
13 
14```bash
15# Create namespace
16kubectl create namespace argocd
17 
18# Install ArgoCD
19kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
20 
21# Wait for pods
22kubectl wait --for=condition=Ready pods --all -n argocd --timeout=300s
23 
24# Get initial admin password
25kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
26 
27# Install CLI
28brew install argocd
29 
30# Login
31argocd login localhost:8080 --username admin --password <password>
32 
33# Access UI
34kubectl port-forward svc/argocd-server -n argocd 8080:443
35```
36 
37## ArgoCD Application
38 
39```yaml
40apiVersion: argoproj.io/v1alpha1
41kind: Application
42metadata:
43  name: myapp
44  namespace: argocd
45  finalizers:
46    - resources-finalizer.argocd.argoproj.io
47spec:
48  project: default
49  source:
50    repoURL: https://github.com/myorg/myapp-manifests.git
51    targetRevision: main
52    path: overlays/production
53  destination:
54    server: https://kubernetes.default.svc
55    namespace: production
56  syncPolicy:
57    automated:
58      prune: true
59      selfHeal: true
60      allowEmpty: false
61    syncOptions:
62      - CreateNamespace=true
63      - PrunePropagationPolicy=foreground
64      - PruneLast=true
65    retry:
66      limit: 5
67      backoff:
68        duration: 5s
69        factor: 2
70        maxDuration: 3m
71  revisionHistoryLimit: 10
72```
73 
74## ArgoCD ApplicationSet
75 
76```yaml
77apiVersion: argoproj.io/v1alpha1
78kind: ApplicationSet
79metadata:
80  name: myapp-environments
81  namespace: argocd
82spec:
83  generators:
84    - list:
85        elements:
86          - cluster: dev
87            namespace: development
88            revision: develop
89          - cluster: staging
90            namespace: staging
91            revision: main
92          - cluster: prod
93            namespace: production
94            revision: main
95  template:
96    metadata:
97      name: 'myapp-{{cluster}}'
98    spec:
99      project: default
100      source:
101        repoURL: https://github.com/myorg/myapp-manifests.git
102        targetRevision: '{{revision}}'
103        path: 'overlays/{{cluster}}'
104      destination:
105        server: https://kubernetes.default.svc
106        namespace: '{{namespace}}'
107      syncPolicy:
108        automated:
109          prune: true
110          selfHeal: true
111```
112 
113## ArgoCD with Helm
114 
115```yaml
116apiVersion: argoproj.io/v1alpha1
117kind: Application
118metadata:
119  name: myapp-helm
120  namespace: argocd
121spec:
122  project: default
123  source:
124    repoURL: https://charts.example.com
125    chart: myapp
126    targetRevision: 1.2.0
127    helm:
128      releaseName: myapp
129      valueFiles:
130        - values-production.yaml
131      values: |
132        replicaCount: 5
133        image:
134          tag: v2.0.0
135      parameters:
136        - name: service.type
137          value: LoadBalancer
138  destination:
139    server: https://kubernetes.default.svc
140    namespace: production
141```
142 
143## ArgoCD Project
144 
145```yaml
146apiVersion: argoproj.io/v1alpha1
147kind: AppProject
148metadata:
149  name: production
150  namespace: argocd
151spec:
152  description: Production applications
153  sourceRepos:
154    - 'https://github.com/myorg/*'
155    - 'https://charts.example.com'
156  destinations:
157    - namespace: production
158      server: https://kubernetes.default.svc
159    - namespace: production-*
160      server: https://kubernetes.default.svc
161  clusterResourceWhitelist:
162    - group: ''
163      kind: Namespace
164  namespaceResourceBlacklist:
165    - group: ''
166      kind: ResourceQuota
167    - group: ''
168      kind: LimitRange
169  roles:
170    - name: developer
171      description: Developer access
172      policies:
173        - p, proj:production:developer, applications, get, production/*, allow
174        - p, proj:production:developer, applications, sync, production/*, allow
175      groups:
176        - developers
177```
178 
179## Flux Installation
180 
181```bash
182# Install Flux CLI
183brew install fluxcd/tap/flux
184 
185# Check prerequisites
186flux check --pre
187 
188# Bootstrap Flux (GitHub)
189flux bootstrap github \
190  --owner=myorg \
191  --repository=fleet-infra \
192  --branch=main \
193  --path=clusters/production \
194  --personal
195 
196# Bootstrap Flux (GitLab)
197flux bootstrap gitlab \
198  --owner=myorg \
199  --repository=fleet-infra \
200  --branch=main \
201  --path=clusters/production
202```
203 
204## Flux GitRepository
205 
206```yaml
207apiVersion: source.toolkit.fluxcd.io/v1
208kind: GitRepository
209metadata:
210  name: myapp
211  namespace: flux-system
212spec:
213  interval: 1m
214  url: https://github.com/myorg/myapp-manifests
215  ref:
216    branch: main
217  secretRef:
218    name: github-credentials
219  ignore: |
220    # Exclude files
221    .git/
222    *.md
223```
224 
225## Flux Kustomization
226 
227```yaml
228apiVersion: kustomize.toolkit.fluxcd.io/v1
229kind: Kustomization
230metadata:
231  name: myapp
232  namespace: flux-system
233spec:
234  interval: 10m
235  targetNamespace: production
236  sourceRef:
237    kind: GitRepository
238    name: myapp
239  path: ./overlays/production
240  prune: true
241  timeout: 2m
242  healthChecks:
243    - apiVersion: apps/v1
244      kind: Deployment
245      name: myapp
246      namespace: production
247  postBuild:
248    substitute:
249      environment: production
250      replicas: "5"
251    substituteFrom:
252      - kind: ConfigMap
253        name: cluster-vars
254```
255 
256## Flux HelmRepository
257 
258```yaml
259apiVersion: source.toolkit.fluxcd.io/v1beta2
260kind: HelmRepository
261metadata:
262  name: bitnami
263  namespace: flux-system
264spec:
265  interval: 1h
266  url: https://charts.bitnami.com/bitnami
267---
268apiVersion: helm.toolkit.fluxcd.io/v2beta1
269kind: HelmRelease
270metadata:
271  name: redis
272  namespace: production
273spec:
274  interval: 5m
275  chart:
276    spec:
277      chart: redis
278      version: '17.x'
279      sourceRef:
280        kind: HelmRepository
281        name: bitnami
282        namespace: flux-system
283  values:
284    architecture: standalone
285    auth:
286      enabled: true
287      existingSecret: redis-credentials
288    master:
289      persistence:
290        size: 10Gi
291```
292 
293## Flux ImageUpdateAutomation
294 
295```yaml
296apiVersion: image.toolkit.fluxcd.io/v1beta1
297kind: ImageRepository
298metadata:
299  name: myapp
300  namespace: flux-system
301spec:
302  image: myregistry.io/myapp
303  interval: 1m
304  secretRef:
305    name: registry-credentials
306---
307apiVersion: image.toolkit.fluxcd.io/v1beta1
308kind: ImagePolicy
309metadata:
310  name: myapp
311  namespace: flux-system
312spec:
313  imageRepositoryRef:
314    name: myapp
315  policy:
316    semver:
317      range: '>=1.0.0'
318---
319apiVersion: image.toolkit.fluxcd.io/v1beta1
320kind: ImageUpdateAutomation
321metadata:
322  name: myapp
323  namespace: flux-system
324spec:
325  interval: 1m
326  sourceRef:
327    kind: GitRepository
328    name: myapp
329  git:
330    checkout:
331      ref:
332        branch: main
333    commit:
334      author:
335        email: [email protected]
336        name: fluxcdbot
337      messageTemplate: 'Update image to {{.NewTag}}'
338    push:
339      branch: main
340  update:
341    path: ./overlays/production
342    strategy: Setters
343```
344 
345## Progressive Delivery with Flagger
346 
347```yaml
348# Install Flagger
349kubectl apply -k github.com/fluxcd/flagger/kustomize/istio
350 
351---
352apiVersion: flagger.app/v1beta1
353kind: Canary
354metadata:
355  name: myapp
356  namespace: production
357spec:
358  targetRef:
359    apiVersion: apps/v1
360    kind: Deployment
361    name: myapp
362  progressDeadlineSeconds: 600
363  service:
364    port: 80
365    targetPort: 8080
366    gateways:
367      - myapp-gateway
368    hosts:
369      - myapp.example.com
370  analysis:
371    interval: 1m
372    threshold: 5
373    maxWeight: 50
374    stepWeight: 10
375    metrics:
376      - name: request-success-rate
377        thresholdRange:
378          min: 99
379        interval: 1m
380      - name: request-duration
381        thresholdRange:
382          max: 500
383        interval: 1m
384    webhooks:
385      - name: load-test
386        url: http://flagger-loadtester.test/
387        timeout: 5s
388        metadata:
389          cmd: "hey -z 1m -q 10 -c 2 http://myapp-canary.production:80/"
390```
391 
392## Sealed Secrets
393 
394```bash
395# Install controller
396kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
397 
398# Install kubeseal CLI
399brew install kubeseal
400 
401# Create sealed secret
402kubectl create secret generic db-credentials \
403  --from-literal=username=admin \
404  --from-literal=password=secret123 \
405  --dry-run=client -o yaml | \
406  kubeseal --format yaml > sealed-db-credentials.yaml
407 
408# Apply sealed secret
409kubectl apply -f sealed-db-credentials.yaml
410```
411 
412```yaml
413apiVersion: bitnami.com/v1alpha1
414kind: SealedSecret
415metadata:
416  name: db-credentials
417  namespace: production
418spec:
419  encryptedData:
420    username: AgBy8h...encrypted...
421    password: AgCtr2...encrypted...
422  template:
423    type: Opaque
424    metadata:
425      labels:
426        app: myapp
427```
428 
429## SOPS with Age
430 
431```bash
432# Install SOPS
433brew install sops
434 
435# Generate age key
436age-keygen -o age.agekey
437 
438# Create SOPS config
439cat > .sops.yaml << EOF
440creation_rules:
441  - path_regex: .*\.enc\.yaml$
442    encrypted_regex: ^(data|stringData)$
443    age: age1...publickey...
444EOF
445 
446# Encrypt secret
447sops --encrypt --in-place secrets.enc.yaml
448 
449# Configure Flux decryption
450kubectl create secret generic sops-age \
451  --namespace=flux-system \
452  --from-file=age.agekey
453```
454 
455```yaml
456# Flux Kustomization with SOPS
457apiVersion: kustomize.toolkit.fluxcd.io/v1
458kind: Kustomization
459metadata:
460  name: myapp
461  namespace: flux-system
462spec:
463  decryption:
464    provider: sops
465    secretRef:
466      name: sops-age
467  # ... rest of spec
468```
469 
470## Repository Strategies
471 
472### Mono-repo
473```
474fleet-repo/
475├── apps/
476│   ├── myapp/
477│   │   ├── base/
478│   │   └── overlays/
479│   └── another-app/
480├── infrastructure/
481│   ├── cert-manager/
482│   └── ingress-nginx/
483└── clusters/
484    ├── dev/
485    ├── staging/
486    └── production/
487```
488 
489### Multi-repo
490```
491# App repos (one per app)
492myapp-manifests/
493├── base/
494└── overlays/
495 
496# Infrastructure repo
497infrastructure/
498├── cert-manager/
499└── ingress-nginx/
500 
501# Fleet repo (references others)
502fleet-infra/
503├── apps.yaml      # Points to app repos
504└── infra.yaml     # Points to infra repo
505```
506 
507## ArgoCD vs Flux Comparison
508 
509| Feature | ArgoCD | Flux |
510|---------|--------|------|
511| UI | Built-in web UI | Third-party (Weave GitOps) |
512| Multi-tenancy | AppProject | Namespaced resources |
513| Helm | Native support | HelmController |
514| Image automation | ArgoCD Image Updater | Native ImagePolicy |
515| Notifications | ArgoCD Notifications | Alerts/Receivers |
516| RBAC | Built-in | Kubernetes RBAC |
517| Architecture | Centralized | Distributed |
518 
519## Best Practices
520 
5211. **Use separate repos** for app code and manifests
5222. **Protect main branch** with required reviews
5233. **Use sealed secrets or SOPS** for sensitive data
5244. **Enable auto-sync with prune** for drift correction
5255. **Set up notifications** for sync failures
5266. **Use ApplicationSets/Kustomizations** for multi-environment
5277. **Implement progressive delivery** for safe rollouts
5288. **Version your Helm charts** semantically
5299. **Keep manifests DRY** with Kustomize overlays
53010. **Monitor reconciliation metrics** and alerts
531
Preparing the source view

Kubernetes Specialist

references/gitops.md
