System Design Space
Knowledge graphSettings

Updated: March 25, 2026 at 12:30 AM

GitOps

medium

How to implement GitOps: desired state in Git, pull-based delivery, Argo CD/Flux, progressive delivery and rollback in production.

GitOps is not about a catchy slogan. It is about a system where desired state can actually be traced all the way into production without manual magic.

In real design work, the chapter shows how Git becomes the source of intent while control loops, drift detection, rollback, and progressive delivery turn change rollout into a managed process with clear responsibility boundaries.

In interviews and engineering discussions, it helps talk about GitOps not only through its benefits but also through its costs: propagation delay, harder secret handling, and the discipline a repository-centered workflow demands.

Practical value of this chapter

Design in practice

Build a GitOps pipeline with clear separation between declarative intent and runtime control loops.

Decision quality

Define drift detection, rollback policy, and progressive delivery rules for safe changes.

Interview articulation

Explain how pull-based deployment improves auditability and reduces manual operational error.

Trade-off framing

Highlight costs: update propagation delay, secret-management complexity, and strict repository discipline needs.

Foundation

Infrastructure as Code

GitOps does not replace IaC, but adds a continuous reconciliation model and delivery governance to it.

Open chapter

GitOps is an operating model where the state of the platform is managed through Git, and clusters are automatically brought to the desired state. The key value is predictable, verifiable and reproducible changes in production.

GitOps model

  • Git is the single source of truth for the desired state of the platform.
  • Delivery works in a pull model: the agent in the cluster itself synchronizes the state from Git.
  • Any change goes through a pull request, review and audit trail.
  • Drift between cluster state and git state is detected automatically and corrected by reconcile-loop.

Building blocks

Continuous reconcile loop (desired state vs actual state)PR openedchecks + approvalsmerge -> syncapplydrift feedbackCluster stateworkloads + configRepository strategyapps + platform + overlaysPromotion flowPR path across environmentsPolicy gatessecurity + compliance checksReconciliation controllerArgo CD / Flux sync loop

What it does

Separate app configs, platform baseline, and environment overlays so team ownership does not conflict.

Operational focus

Standardize directory structure and naming conventions before team scale-up.

Anti-pattern

Mixing app and platform changes in one layer makes reviews harder and increases blast radius.

In practice

Inside Argo: Automating the Future

Documentary context for Argo evolution and production GitOps adoption.

Open chapter

Industry tools

Argo CD

Role: Kubernetes GitOps controller and deployment orchestrator

Best fit: Platforms with many services and clusters where UI, RBAC, app health, and project boundaries are important.

Strengths

  • Mature ecosystem with strong integration into Argo Rollouts and Workflows.
  • App-of-Apps pattern works well for large-scale application governance.

Constraints

  • As application count grows, repo and project architecture must stay disciplined.
  • Needs clear sync-window, ownership, and multi-tenant policy practices.

Flux CD

Role: Git-native controller with a composable CRD model

Best fit: Teams that prefer an API-first model and deep automation via Git and OCI workflows.

Strengths

  • Lightweight control plane and strong image automation integration.
  • Composable architecture fits platform engineering use cases well.

Constraints

  • Less out-of-the-box UI functionality compared to Argo CD.
  • Requires mature observability and disciplined operational runbooks.

Rancher Fleet

Role: Fleet GitOps manager for large-scale multi-cluster operations

Best fit: Organizations running dozens or hundreds of downstream clusters, especially edge and geo-distributed estates.

Strengths

  • Strong focus on high-scale multi-cluster rollout operations.
  • Works well when Rancher is already the central cluster management layer.

Constraints

  • Most effective inside Rancher-centric platform ecosystems.
  • Needs a clear strategy for bundle decomposition and dependency control.

OpenShift GitOps

Role: Enterprise GitOps distribution built on top of Argo CD

Best fit: OpenShift organizations that need integrated enterprise controls, support, and platform standardization.

Strengths

  • Deep integration with OpenShift RBAC, policy, and lifecycle operations.
  • Lowers adoption cost for teams inside a unified enterprise platform.

Constraints

  • Strong coupling to the OpenShift platform model.
  • Architecture decisions should align with platform distribution release cycles.

Anthos Config Sync (Config Management)

Role: Policy-centered GitOps model for Kubernetes fleets

Best fit: Organizations prioritizing centralized governance and declarative policy/config enforcement at scale.

Strengths

  • Strong governance focus with namespace boundaries and policy-controller practices.
  • Useful for unified compliance operations across large Kubernetes fleets.

Constraints

  • More pronounced dependence on managed cloud ecosystem choices.
  • Needs explicit ownership and exception workflow for policy repositories.

Companion toolchain

Progressive delivery

Tools: Argo Rollouts, Flagger

Enable canary and blue-green strategies via declarative rollout policies and metrics checks.

Secrets in GitOps flow

Tools: External Secrets Operator, SOPS, Sealed Secrets

Provide secure integration between Git workflows and secret management without plaintext values in repos.

Policy as code

Tools: OPA Gatekeeper, Kyverno, Conftest

Enforce mandatory guardrails before and after manifests reach production clusters.

Image update automation

Tools: Flux Image Automation, Renovate

Automate image tag updates through pull requests while preserving auditability.

How to choose the stack

  • If priority is UI, app-level visibility, and Argo ecosystem depth, Argo CD is often selected.
  • If teams prefer API-first Git-native composable controllers, Flux CD is usually a strong fit.
  • For very large multi-cluster and edge estates, Fleet is commonly evaluated.
  • In enterprise distributions (OpenShift/Anthos), the built-in GitOps stack is often the pragmatic default.

SRE

SRE and reliability

GitOps reduces manual changes in production and improves traceability of incident actions.

Open chapter

Operational patterns

Enter progressive delivery (canary/blue-green) and explicit rollback strategy for each service.

For incidents, use emergency branch and post-incident revert PR instead of manual hotfix in the cluster.

Synchronize secrets processes with GitOps: encryption/external secret-stores and short-lived credentials.

Determine ownership: who is responsible for platform overlays and who is responsible for app-level manifests.

Practical checklist

  • All deployment changes can be reproduced via PR without manual kubectl patches in production.
  • There is drift monitoring and alerting when there is a discrepancy between the desired/actual state.
  • Rollback procedures are clearly defined and tested on game day.
  • There is a consistent branching/promotions process between dev/stage/prod.
  • Secrets and sensitive values are not stored in cleartext in Git.

References

Related chapters

Enable tracking in Settings