Loading learning content...
Imagine a world where every infrastructure state is version-controlled, every change is auditable, and the actual state of your systems is automatically reconciled to match what's declared in your repository. This is the promise of GitOps—a set of practices that fundamentally transforms how organizations manage infrastructure.
GitOps takes the familiar Git-centric workflow that developers already use for application code and extends it to infrastructure and operations. The result is a unified model where Git repositories become the authoritative source for both application deployments and infrastructure configuration, and automated systems continuously ensure that reality matches the declared intent.
By the end of this page, you will understand the four core principles of GitOps, how they differ from traditional CI/CD approaches, the architectural patterns that enable GitOps at scale, and the cultural and organizational shifts required to adopt GitOps successfully. You will be prepared to evaluate whether GitOps is right for your organization and how to implement it effectively.
GitOps is an operational framework that applies DevOps best practices—version control, collaboration, compliance, and CI/CD—to infrastructure automation. The term was coined by Weaveworks in 2017, though the underlying principles had been evolving in the industry for years.
The GitOps Definition:
GitOps is characterized by four fundamental principles, each building on the others to create a coherent operational model:
Why These Principles Matter:
Each principle addresses a specific operational challenge:
Together, these principles create systems that are predictable, auditable, and resilient.
A common misconception is that GitOps is simply CI/CD where configuration lives in Git. The key distinction is the reconciliation loop: GitOps systems continuously compare actual state to desired state and correct discrepancies. Traditional CI/CD pipelines are triggered by events and push changes; GitOps agents pull changes and continuously reconcile.
The distinction between push-based and pull-based deployment models is fundamental to understanding GitOps. While traditional CI/CD uses a push model, GitOps embraces a pull model that offers significant operational advantages.
Push-Based Deployment (Traditional CI/CD):
In a push model, an external CI/CD system detects changes and pushes updates to the target environment. The CI/CD system needs credentials to access the deployment target.
Pull-Based Deployment (GitOps):
In a pull model, an agent running inside the target environment monitors the Git repository and pulls changes when they occur. The agent only needs read access to Git and write access to its local environment—no external system needs credentials to the deployment target.
| Aspect | Push-Based (Traditional) | Pull-Based (GitOps) |
|---|---|---|
| Credential Management | CI/CD needs production credentials | Agent runs in-cluster, minimal external exposure |
| Security Posture | Broader attack surface | Reduced attack surface |
| Drift Detection | Only at deployment time | Continuous monitoring and correction |
| Firewall Requirements | Inbound access to target environment | Only outbound access to Git |
| Recovery Model | Rerun pipeline manually | Automatic reconciliation |
| Multi-Cluster Scaling | Complex credential distribution | Each cluster pulls independently |
In practice, many organizations use hybrid approaches. CI/CD pipelines handle building, testing, and updating manifests in Git, while GitOps agents handle the actual deployment. This combines the rich tooling of CI/CD with the security and reconciliation benefits of GitOps.
The foundation of GitOps is declarative configuration—describing what you want rather than how to achieve it. This paradigm shift has profound implications for how infrastructure is managed, understood, and evolved.
Imperative vs Declarative:
Consider provisioning a load balancer:
12345678910111213141516171819202122
#!/bin/bash# Imperative: Specify HOW to create # Check if LB existsif aws elb describe-load-balancers \ --names my-app-lb 2>/dev/null; then echo "LB exists, checking config..." # Compare current config vs desired # Update if different # Handle various edge caseselse echo "Creating load balancer..." aws elb create-load-balancer \ --name my-app-lb \ --listeners "Protocol=HTTP,..."fi # Check listener configuration# Add missing listeners# Remove extra listeners# Update health check settings# ... many more conditionals12345678910111213141516171819
# Declarative: Specify WHAT you wantapiVersion: v1kind: Servicemetadata: name: my-app-lbspec: type: LoadBalancer selector: app: my-app ports: - protocol: TCP port: 80 targetPort: 8080 healthCheckPath: /health healthCheckInterval: 30s # The system figures out HOW# to reach this state from# any starting pointWhy Declarative Is Superior for GitOps:
Declarative configuration provides several key benefits that make it essential for GitOps:
Some operations are inherently imperative: database migrations, one-time data transformations, secret rotation. GitOps handles these through Job resources or separate management planes. Don't force imperative operations into declarative patterns—recognize the boundaries and design accordingly.
In GitOps, Git is not merely a storage location for configuration—it is the authoritative source of truth for the desired state of all systems. This is a strong statement with significant implications.
What 'Source of Truth' Really Means:
Repository Structure Patterns:
Organizations typically use one of several repository structures for GitOps:
| Pattern | Description | Best For |
|---|---|---|
| Monorepo | All applications and infrastructure in one repository | Small teams, tight coupling, simplified tooling |
| Environment Repos | Separate repo per environment (dev, staging, prod) | Strong environment isolation, different access controls |
| App + Config Separation | Application code and deployment config in separate repos | Decoupling deployment from development, config-only changes |
| Tenant Repos | Separate repos per team or tenant | Multi-tenant platforms, strong team isolation |
12345678910111213141516171819202122232425262728293031323334353637
# Example GitOps Repository Structuregitops-config/├── README.md├── clusters/│ ├── production/│ │ ├── kustomization.yaml│ │ ├── apps/│ │ │ ├── frontend/│ │ │ │ ├── kustomization.yaml│ │ │ │ ├── deployment.yaml│ │ │ │ ├── service.yaml│ │ │ │ └── ingress.yaml│ │ │ └── backend/│ │ │ ├── kustomization.yaml│ │ │ └── ...│ │ └── infrastructure/│ │ ├── cert-manager/│ │ ├── ingress-nginx/│ │ └── monitoring/│ ├── staging/│ │ ├── kustomization.yaml│ │ └── apps/│ └── development/│ ├── kustomization.yaml│ └── apps/├── base/│ ├── apps/│ │ ├── frontend/│ │ │ ├── kustomization.yaml│ │ │ ├── deployment.yaml│ │ │ └── service.yaml│ │ └── backend/│ └── infrastructure/└── components/ ├── observability/ ├── security/ └── networking/Branch Strategies for GitOps:
The branching model affects how changes flow to different environments:
Most mature GitOps implementations favor the single-branch-with-paths approach, as it simplifies reasoning about state and avoids the complexity of cross-branch merges.
Secrets are the main exception to 'everything in Git.' Secrets should NOT be stored in plain text in Git. Solutions include: encrypted secrets (SOPS, sealed-secrets), external secret managers (Vault, AWS Secrets Manager), or operators that inject secrets at runtime (External Secrets Operator).
The true power of GitOps emerges from continuous reconciliation—the constant comparison and correction of actual state versus desired state. This is what transforms GitOps from a deployment method into an operational paradigm.
The Reconciliation Loop:
A GitOps agent continuously executes the following cycle:
What Reconciliation Handles:
Continuous reconciliation automatically addresses scenarios that would require manual intervention in traditional systems:
| Setting | Typical Value | Purpose |
|---|---|---|
| Sync Interval | 1-5 minutes | How often to check for changes |
| Retry Interval | 1 minute | How often to retry failed syncs |
| Timeout | 10 minutes | Maximum time for a sync operation |
| Prune | enabled/disabled | Whether to delete resources removed from Git |
| Self-Heal | enabled/disabled | Whether to revert manual changes |
Enabling 'prune' means resources deleted from Git will be deleted from the cluster. This is powerful but dangerous if not carefully managed. Many organizations start with prune disabled and enable it only after establishing strong Git workflow discipline.
Several mature tools implement GitOps patterns, each with different strengths and design philosophies. Understanding the landscape helps in selecting the right tool for your context.
Major GitOps Implementations:
| Tool | Approach | Key Strengths | Considerations |
|---|---|---|---|
| ArgoCD | application-centric controller with rich UI | Excellent visualization, application grouping, progressive delivery | More opinionated, requires CRDs for configuration |
| Flux | toolkit of modular controllers | Highly composable, native Kustomize/Helm support, lightweight | Less visual UI, steeper initial learning curve |
| Jenkins X | full CI/CD platform with GitOps | Integrated pipeline + GitOps, familiar Jenkins ecosystem | Heavier footprint, more complexity |
| Rancher Fleet | multi-cluster at scale | Designed for thousands of clusters, GitOps bundles | Best for large fleet management scenarios |
123456789101112131415161718192021222324252627282930313233343536373839
# ArgoCD Application DefinitionapiVersion: argoproj.io/v1alpha1kind: Applicationmetadata: name: my-frontend-app namespace: argocd finalizers: - resources-finalizer.argocd.argoproj.iospec: project: default source: repoURL: https://github.com/org/gitops-config.git targetRevision: main path: clusters/production/apps/frontend # Kustomize configuration kustomize: images: - my-registry/frontend:v1.2.3 destination: server: https://kubernetes.default.svc namespace: frontend syncPolicy: automated: prune: true # Delete resources removed from Git selfHeal: true # Revert manual changes allowEmpty: false # Don't allow empty syncs syncOptions: - CreateNamespace=true - PruneLast=true retry: limit: 5 backoff: duration: 5s factor: 2 maxDuration: 3mChoose ArgoCD if you value visualization and have teams that prefer GUI-based workflows. Choose Flux if you want maximum flexibility and prefer a 'Kubernetes-native' composition approach. Both are CNCF graduated projects and production-ready.
While GitOps is often associated with Kubernetes application deployments, its principles apply equally to infrastructure management. Extending GitOps beyond applications creates a unified operational model for everything.
Infrastructure GitOps Patterns:
123456789101112131415161718192021222324252627282930313233343536
# Managing AWS RDS via GitOps with CrossplaneapiVersion: database.aws.crossplane.io/v1beta1kind: RDSInstancemetadata: name: production-database namespace: infrastructurespec: forProvider: region: us-west-2 allocatedStorage: 100 dbInstanceClass: db.r5.large engine: postgres engineVersion: "15.4" masterUsername: admin dbName: production publiclyAccessible: false storageEncrypted: true storageType: gp3 vpcSecurityGroupIds: - sg-0123456789abcdef0 dbSubnetGroupName: private-subnets backupRetentionPeriod: 30 multiAZ: true deletionProtection: true # Credentials stored in Kubernetes Secret writeConnectionSecretToRef: namespace: production name: rds-connection ---# This RDS instance is now managed by GitOps:# - Changes in Git trigger reconciliation# - Drift is automatically detected and corrected# - Full audit trail in Git history# - Rollback by reverting commitsThe Terraform + GitOps Integration:
For organizations with existing Terraform investments, several tools bridge Terraform and GitOps:
These tools apply GitOps principles (PR-based workflow, automated application, state tracking) while preserving Terraform's strengths for cloud resource management.
Crossplane and similar tools leverage Kubernetes as a universal control plane. Any resource—cloud or on-premises—can be managed through Kubernetes-native APIs. This unifies operations across platforms and enables GitOps for everything, not just containers.
Adopting GitOps is as much a cultural transformation as a technical one. The shift from imperative, ad-hoc operations to declarative, Git-centered workflows requires changes in how teams work, communicate, and think about system management.
Key Cultural Shifts:
Skills Development:
GitOps requires new skills across the organization:
Adoption Strategies:
Successful GitOps adoption typically follows this pattern:
One common objection: 'What if we need to fix something urgently and can't wait for a PR?' This is valid. GitOps maturity requires fast PR workflows (auto-merge for low-risk changes) and 'break glass' procedures for genuine emergencies. But emergency access should be audited, and any manual changes should trigger alerts and prompt cleanup.
GitOps represents a maturation of infrastructure and deployment practice, applying software engineering discipline to operations. The key principles to remember:
What's Next:
Now that you understand GitOps principles, the next page explores Pull Request Workflows—the structured processes through which changes enter the Git repository and ultimately flow to your systems.
You now understand the core principles of GitOps, the distinction between push and pull deployment models, and how continuous reconciliation enables self-healing systems. You're prepared to evaluate GitOps adoption for your organization.