GitOps

What is GitOps?

GitOps is a modern operational framework extending DevOps principles to infrastructure and application management by leveraging Git repositories as the single source of truth. Teams manage entire system configurations—infrastructure, deployments, operational procedures—solely through Git workflows.

All desired states (Kubernetes manifests, Terraform code) are captured declaratively in Git. Any change to infrastructure, applications, or configuration must go through Git-based workflows via pull or merge requests, enabling rigorous code review, automated validation, and clear auditable history.

Continuous deployment engines (reconciliation agents or controllers like Argo CD, Flux) monitor Git repositories, automatically reconcile live systems to desired state, and correct configuration drift. This ensures environments always match what’s defined in version control.

Core Principles

Declarative Configuration
Entire system defined declaratively—describing what you want, not how to achieve it. Examples include Kubernetes YAML, Terraform HCL, Helm charts.

Versioned and Immutable Source of Truth
All configurations stored in version control (Git). Every change creates clear, auditable, immutable history supporting easy rollbacks and compliance requirements.

Automated Change Approval and Delivery
Changes proposed via pull/merge requests, reviewed, approved. Often triggers CI/CD pipelines for automated validation and testing. Once merged, system automatically initiates deployment.

Continuous Reconciliation and Drift Correction
Automated agents continuously compare actual state with desired state in Git. Any deviation either auto-corrected or flagged, ensuring ongoing consistency.

How GitOps Works

Workflow Components:

• Git as single source of truth – All desired state configurations stored in Git repository
• Declarative configuration – Tools like Kubernetes manifests, Terraform, Helm describe target state
• Pull/Merge requests – Changes proposed via PR/MR, reviewed, tested, merged
• CI/CD automation – Merging triggers automated pipelines validating and delivering changes
• Continuous reconciliation – GitOps controllers monitor Git and runtime environment, auto-correcting drift

Example Workflow:

1. Write/modify configuration (change Kubernetes deployment YAML)
2. Commit changes to branch, open pull request
3. Team members review and approve
4. Merge to main branch triggers CI/CD pipeline
5. GitOps agent detects change, reconciles runtime state with Git
6. Manual environment changes detected and restored from Git

Kubernetes GitOps Workflow

Step-by-Step Process:

1. Define Desired State – Write/update declarative files (YAML, HCL)
2. Commit and PR – Commit to feature branch, open pull request
3. Review and Approve – Team reviews, tests, approves via CI pipelines
4. Merge to Main – Approved changes merged, triggers deployment pipeline
5. GitOps Agent Applies Change – Agent (Argo CD) syncs environment to match new state
6. Continuous Monitoring – Agent monitors for drift, auto-corrects or alerts

Sample YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 3
  template:
    spec:
      containers:
        - name: my-app
          image: my-app:1.2.3

Flow: Developer PR → Review → Merge → CI/CD Pipeline → GitOps Agent → Environment matches Git

Key Benefits

Consistency and Reliability
Environments always deployed from version-controlled, tested configurations. Eliminates configuration drift and undocumented manual changes.

Auditability and Compliance
Every change tracked in Git. Simple rollbacks (revert in Git). Supports compliance audits with complete change history.

Developer Experience
Teams use familiar Git workflows. No direct production access needed. Reduces operational complexity.

Improved Security
Pull-based deployment minimizes attack surface. Fewer people need privileged access. Changes reviewed before application.

Faster Recovery
Restore entire systems from Git. Rapid recovery from failures. Complete disaster recovery capability.

Scalability and Collaboration
PR workflows facilitate teamwork and code review. Supports multi-cluster, multi-cloud, hybrid deployments.

Vendor Neutrality
Implementable with any Git provider and various open-source or commercial tools.

Challenges and Considerations

Cultural Shift
Teams must avoid “quick fixes” outside Git, requiring discipline and process changes.

Repository Complexity
Managing multiple repositories or large configuration files can be unwieldy at scale. Tool selection and integration may be challenging.

Secrets Management
Storing secrets securely is critical. Plaintext in Git is major anti-pattern—use tools like HashiCorp Vault or Sealed Secrets.

Conflict Resolution
Simultaneous changes from multiple contributors can cause merge conflicts requiring careful coordination.

Scaling Observability
As environments grow, maintaining visibility and auditability requires additional monitoring and tooling.

No Native Secrets Support
GitOps is not a secrets manager. Must be paired with external solutions.

GitOps vs DevOps vs Platform Engineering

Key Differences:

• GitOps is implementation of DevOps principles focusing on Git as single source of truth
• DevOps is broader cultural and technical movement emphasizing collaboration and automation
• Platform Engineering builds reusable platforms, often leveraging GitOps for delivery

Key Tools

Best Practices

Declarative Configuration Everywhere:
Use YAML, HCL, or Helm for all configuration. Avoid imperative scripts.

Store All State in Version Control:
All desired state, documentation, policies in Git for complete traceability.

Automate Validation:
Integrate CI/CD for tests, linting, policy checks (OPA/Kyverno).

Adopt Pull-Based Deployments:
Use agents (Argo CD, Flux) that pull and reconcile rather than push-based scripts.

Secure Secrets Properly:
Never store plaintext secrets in Git. Use Sealed Secrets or HashiCorp Vault.

Monitor Drift Frequently:
Set agents to detect and correct drift promptly.

Plan Repository Structure:
Use clear repo structures and branch policies for complexity management.

Educate and Document:
Ensure team-wide understanding and buy-in with comprehensive documentation.

Use Cases by Role

Application Developers:
Use Git workflows to propose/deploy changes. Focus on coding while deployment is automated. Easy rollbacks with clear audit trails.

Platform Engineers:
Manage infrastructure at scale with reproducible configs. Enforce consistency across clusters/clouds. Automate provisioning and updates.

Security Teams:
Full audit trail for all changes. Enforce policy as code. Reduce attack surface by minimizing direct production access.

Business Stakeholders:
Accelerate feature delivery and time-to-market. Increase system reliability and stability. Lower risk with faster disaster recovery.

Example Scenarios:

• Kubernetes Cluster Management – Deploy/manage multiple clusters with guaranteed consistency
• Multi-Cloud Deployments – Apply same config across AWS, Azure, on-premises
• Disaster Recovery – Restore environments by rolling back to previous commits
• API Management – Manage API configs as code with version control

References

• GitLab: What is GitOps?
• Red Hat: What is GitOps?
• Harness: What is GitOps?
• Codefresh: What is GitOps?
• Sysdig: What is GitOps?
• Spot.io: Understanding GitOps Principles
• Datadog: GitOps Principles and Components
• Dynatrace: What is GitOps?
• Zuplo: What is GitOps?
• Spacelift: GitOps vs DevOps
• Codefresh: GitOps Benefits
• Harness: GitOps Benefits
• Humanitec: GitOps Pros and Cons
• AWS: GitOps Tools Comparison
• Spacelift: Top GitOps Tools 2025
• Medium: The 6 Best GitOps Tools
• OpenGitOps
• Sealed Secrets
• HashiCorp Vault
• GitOps Explained - GitLab YouTube
• Argo CD GitOps Tutorial - TechWorld with Nana
• Flux GitOps Demo - CNCF