CI/CD & GitOps

Mastering continuous delivery and GitOps workflows for Kubernetes with modern tools and best practices.

GitOps Principles & Philosophy

GitOps is an operational framework that takes DevOps best practices (version control, collaboration, CI/CD) and applies them to infrastructure automation. Git becomes the single source of truth for your entire system.

Declarative

System described declaratively in Git, not imperatively through scripts

Versioned & Immutable

Git provides version control, audit trail, and easy rollback capabilities

Pulled Automatically

Agents automatically pull changes from Git, no external access to cluster needed

Continuously Reconciled

System continuously self-heals to match desired state in Git

GitOps Tools (2025)

🎯

Argo CD (CNCF Graduated)

Declarative GitOps CD with powerful UI and enterprise features

Key Features:

• Rich web UI with real-time visualization of application state
• Multi-cluster management from single control plane
• SSO integration (OIDC, SAML, LDAP) for enterprise auth
• RBAC for fine-grained access control
• Auto-sync with self-healing capabilities
• ApplicationSets for managing apps across multiple clusters
• Progressive delivery with Argo Rollouts integration

Best for: Best for teams wanting comprehensive UI and multi-cluster management

Adoption: Most widely adopted (50K+ GitHub stars)

🌊

Flux v2 (CNCF Graduated)

Kubernetes-native GitOps toolkit with extensible controller architecture

Key Features:

• Modular architecture with independent controllers
• Native support for Helm and Kustomize
• Image automation for updating deployments
• Notification system (Slack, MS Teams, webhooks)
• Multi-tenancy support with isolated namespaces
• Dependency management between applications
• OCI artifact support for Helm charts and manifests

Best for: Best for Kubernetes-native approach and advanced automation

Adoption: CNCF Graduated, used by AWS, Microsoft, Azure

⚡

GitHub Actions + kubectl

Direct deployment approach using GitHub's CI/CD platform

Key Features:

• Native GitHub integration with simple YAML workflows
• Secrets management via GitHub Secrets
• Self-hosted runners for private clusters
• Matrix builds for multi-cluster deployments
• Reusable workflows for standardization
• OpenID Connect for secure cloud authentication

Best for: Best for simpler deployments or GitHub-centric workflows

Adoption: Increasingly popular for straightforward use cases

Progressive Delivery Patterns

🎲

Argo Rollouts

Advanced deployment strategies with traffic management

• Canary deployments with automatic promotion
• Blue-green deployments
• Traffic splitting with service mesh integration
• Analysis and metrics-based rollback
• Experiments and A/B testing

🚦

Flagger (CNCF)

Progressive delivery operator for Kubernetes

• Automated canary analysis
• Integration with Istio, Linkerd, App Mesh
• Metrics-driven promotion decisions
• Webhook notifications and gating
• Load testing automation

When to Use Each Strategy

Blue-Green:High-risk releases, need instant rollback, can afford double resources temporarily

Canary:Gradual rollout with real user testing, metrics-based promotion, critical applications

Feature Flags:Runtime feature toggling, A/B testing, decouple deployment from release

Modern CI/CD Pipeline Architecture

Recommended Pipeline Flow (2025)

1.
CI Pipeline (GitHub Actions, GitLab CI, Jenkins):
- • Build and test application code
- • Run security scans (SAST, dependency checking)
- • Build container image with SHA tags
- • Scan image for vulnerabilities (Trivy, Snyk)
- • Sign image with Sigstore/cosign
- • Push to container registry
2.
Update Manifest Repository:
- • Automated PR to update image tag in Kubernetes manifests
- • Separate repo for GitOps (app code ≠ deployment config)
- • Environment-specific overlays with Kustomize or Helm values
3.
GitOps Operator (Argo CD / Flux):
- • Continuously monitors Git repository
- • Detects changes and syncs to cluster
- • Enforces desired state with automatic reconciliation
- • Sends notifications on deployment events
4.
Progressive Delivery (Optional):
- • Canary analysis with Argo Rollouts or Flagger
- • Metrics collection and automatic promotion/rollback
- • Traffic shifting with service mesh

Security Best Practices

Use OIDC for keyless authentication to cloud providers
Scan images for vulnerabilities in CI pipeline
Sign all images with Sigstore/cosign
Implement policy enforcement (Kyverno, OPA)
Use least-privilege service accounts
Rotate secrets and credentials regularly

Repository Structure

Separate app code from Kubernetes manifests
Use monorepo or multiple repos (not mixed)
Environment-specific overlays (dev, staging, prod)
Version control everything (infra as code)
Branch protection and required reviews
Automated testing for manifests (kubeval, kube-linter)

Essential CI/CD Tools (2025)

Image Building

• Docker BuildKit
• Buildpacks (CNCF)
• ko (Google)
• Kaniko

Manifest Management

• Kustomize
• Helm 3
• Jsonnet
• Carvel ytt

Security Scanning

• Trivy
• Grype
• Snyk
• Aqua Security

Policy Enforcement

• Kyverno
• OPA Gatekeeper
• jsPolicy
• Kubewarden

Secrets Management

• External Secrets Operator
• Sealed Secrets
• SOPS
• Vault

Progressive Delivery

• Argo Rollouts
• Flagger
• Keptn
• Spinnaker

Key Takeaways

GitOps makes Git the single source of truth for both application and infrastructure code
Argo CD and Flux are production-ready GitOps tools with strong CNCF community support
Separate application code from Kubernetes manifests for cleaner GitOps workflows
Progressive delivery with canary deployments reduces risk of production incidents
Security scanning, image signing, and policy enforcement are essential in modern pipelines

Previous: Scaling Next: Troubleshooting