GitOps

Confessions of a recovering GitOps addict

There’s a moment in every tech trend’s lifecycle when the magic starts to wear off. It’s like realizing the artisanal, organic, free-range coffee you’ve been paying eight dollars for just tastes like… coffee. For me, and many others in the DevOps trenches, that moment has arrived for GitOps.

We once hailed it as the silver bullet, the grand unifier, the one true way. Now, I’m here to tell you that the romance is over. And something much more practical is taking its place.

The alluring promise of a perfect world

Let’s be honest, we all fell hard for GitOps. The promise was intoxicating. A single source of truth for our entire infrastructure, nestled right in the warm, familiar embrace of Git. Pull Requests became the sacred gates through which all changes must pass. CI/CD pipelines were our holy scrolls, and tools like ArgoCD and Flux were the messiahs delivering us from the chaos of manual deployments.

It was a world of perfect order. Every change was audited, every state was declared, and every rollback was just a git revert away. It felt clean. It felt right. It felt… professional. For a while, it was the hero we desperately needed.

The tyranny of the pull request

But paradise had a dark side, and it was paved with endless YAML files. The first sign of trouble wasn’t a catastrophic failure, but a slow, creeping bureaucracy that we had built for ourselves.

Need to update a single, tiny secret? Prepare for the ritual. First, the offering: a Pull Request. Then, the prayer for the high priests (your colleagues) to grant their blessing (the approval). Then, the sacrifice (the merge). And finally, the tense vigil, watching ArgoCD’s sync status like it’s a heart monitor, praying it doesn’t flatline.

The lag became a running joke. Your change is merged… but has it landed in production? Who knows! The sync bot seems to be having a bad day. When everything is on fire at 2 AM, Git is like that friend who proudly tells you, “Well, according to my notes, the plan was for there not to be a fire.” Thanks, Git. Your record of intent is fascinating, but I need a fire hose, not a historian.

We hit our wall during what should have been a routine update.

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: auth-service
spec:
  replicas: 3
  template:
    spec:
      containers:
      - name: auth-service-container
        image: our-app:v1.12.4
        envFrom:
        - secretRef:
            name: production-credentials

A simple change to the production-credentials secret required updating an encrypted file, PR-ing it, and then explaining in the commit message something like, “bumping secret hash for reasons”. Nobody understood it. Infrastructure changes started to require therapy sessions just to get merged.

And then, the tools fought back

When a system creates more friction than it removes, a rebellion is inevitable. And the rebels have arrived, not with pitchforks, but with smarter, more flexible tools.

First, the idea that developers should be fluent in YAML began to die. Internal Developer Platforms (IDPs) like Backstage and Port started giving developers what they always wanted: self-service with guardrails. Instead of wrestling with YAML syntax, they click a button in a portal to provision a database or spin up a new environment. Git becomes a log of what happened, not a bottleneck to make things happen.

Second, we remembered that pushing things can be good. The pull-based model was trendy, but let’s face it: push is immediate. Push is observable. We’ve gone back to CI pipelines pushing manifests directly into clusters, but this time they’re wearing body armor.

# This isn't your old wild-west kubectl apply
# It's a command wrapped in an approval system, with observability baked in.
deploy-cli --service auth-service --env production --approve

The change is triggered precisely when we want it, not when a bot feels like syncing. Finally, we started asking a radical question: why are we describing infrastructure in a static markup language when we could be programming it? Tools like Pulumi and Crossplane entered the scene. Instead of hundreds of lines of YAML, we’re writing code that feels alive.

import * as aws from "@pulumi/aws";

// Create an S3 bucket with versioning enabled.
const bucket = new aws.s3.Bucket("user-uploads-bucket", {
    versioning: {
        enabled: true,
    },
    acl: "private",
});

Infrastructure can now react to events, be composed into reusable modules, and be written in a language with types and logic. YAML simply can’t compete with that.

A new role for the abdicated king

So, is GitOps dead? No, that’s just clickbait. But it has been demoted. It’s no longer the king ruling every action; it’s more like a constitutional monarch, a respected elder statesman.

It’s fantastic for auditing, for keeping a high-level record of intended state, and for infrastructure teams that thrive on rigid discipline. But for high-velocity product teams, it’s become a beautifully crafted anchor when what we need is a motor.

We’ve moved from “Let’s define everything in Git” to “Let’s ship faster, safer, and saner with the right tools for the job.”

Our current stack is a hybrid, a practical mix of the old and new:

Backstage to abstract away complexity for developers.
Push-based pipelines with strong guardrails for immediate, observable deployments.
Pulumi for typed, programmable, and composable infrastructure.
Minimal GitOps for what it does best: providing a clear, auditable trail of our intentions.

GitOps wasn’t a mistake; it was the strict but well-meaning grandparent of infrastructure management. It taught us discipline and the importance of getting approval before touching anything important. But now that we’re grown up, that level of supervision feels less like helpful guidance and more like having someone watch over your shoulder while you type, constantly asking, “Are you sure you want to save that file?” The world is moving on to flexibility, developer-first platforms, and code you can read without a decoder ring. If you’re still spending your nights appeasing the YAML gods with Pull Request sacrifices for trivial changes… you’re not just living in the past, you’re practically a fossil.

If your Kubernetes YAML looks Like hieroglyphics, this post is for you

It all started, as most tech disasters do, with a seductive whisper. “Just describe your infrastructure with YAML,” Kubernetes cooed. “It’ll be easy,” it said. And we, like fools in a love story, believed it.

At first, it was a beautiful romance. A few files, a handful of lines. It was elegant. It was declarative. It was… manageable. But entropy, the nosy neighbor of every DevOps team, had other plans. Our neat little garden of YAML files soon mutated into a sprawling, untamed jungle of configuration.

We had 12 microservices jostling for position, spread across 4 distinct environments, each with its own personality quirks and dark secrets. Before we knew it, we weren’t writing infrastructure anymore; we were co-authoring a Byzantine epic in a language seemingly designed by bureaucrats with a fetish for whitespace.

The question that broke the camel’s back

The day of reckoning didn’t arrive with a server explosion or a database crash. It came with a question. A question that landed in our team’s Slack channel with the subtlety of a dropped anvil, courtesy of a junior engineer who hadn’t yet learned to fear the YAML gods.

“Hey, why does our staging pod have a different CPU limit than prod?”

Silence. A deep, heavy, digital silence. The kind of silence that screams, “Nobody has a clue.”

What followed was an archaeological dig into the fossil record of our own repository. We unearthed layers of abstractions we had so cleverly built, peeling them back one by one. The trail led us through a hellish labyrinth:

We started at deployment.yaml, the supposed source of all truth.
That led us to values.yaml, the theoretical source of all truth.
From there, we spelunked into values.staging.yaml, where truth began to feel… relative.
We stumbled upon a dusty patch-cpu-emergency.yaml, a fossil from a long-forgotten crisis.
Then we navigated the dark forest of custom/kustomize/base/deployment-overlay.yaml.
And finally, we reached the Rosetta Stone of our chaos: an argocd-app-of-apps.yaml.

The revelation was as horrifying as finding a pineapple on a pizza: we had declared the same damn value six times, in three different formats, using two tools that secretly despised each other. We weren’t managing the configuration. We were performing a strange, elaborate ritual and hoping the servers would be pleased.

That’s when we knew. This wasn’t a configuration problem. It was an existential crisis. We were, without a doubt, deep in YAML Hell.

The tools that promised heaven and delivered purgatory

Let’s talk about the “friends” who were supposed to help. These tools promised to be our saviors, but without discipline, they just dug our hole deeper.

Helm, the chaotic magician

Helm is like a powerful but slightly drunk magician. When it works, it pulls a rabbit out of a hat. When it doesn’t, it sets the hat on fire, and the rabbit runs off with your wallet.

The Promise: Templating! Variables! A whole ecosystem of charts!

The Reality: Debugging becomes a form of self-torment that involves piping helm template into grep and praying. You end up with conditionals inside your templates that look like this:

image:
  repository: {{ .Values.image.repository | quote }}
  tag: {{ .Values.image.tag | default .Chart.AppVersion }}
  pullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}

This looks innocent enough. But then someone forgets to pass image.tag for a specific environment, and you silently deploy :latest to production on a Friday afternoon. Beautiful.

Kustomize the master of patches

Kustomize is the “sensible” one. It’s built into kubectl. It promises clean, layered configurations. It’s like organizing your Tupperware drawer with labels.

The Promise: A clean base and tidy overlays for each environment.

The Reality: Your patch files quickly become a mystery box. You see this in your kustomization.yaml:

patchesStrategicMerge:
  - increase-replica-count.yaml
  - add-resource-limits.yaml
  - disable-service-monitor.yaml

Where are these files? What do they change? Why does disable-service-monitor.yaml only apply to the dev environment? Good luck, detective. You’ll need it.

ArgoCD, the all-seeing eye (that sometimes blinks)

GitOps is the dream. Your Git repo is the single source of truth. No more clicking around in a UI. ArgoCD or Flux will make it so.

The Promise: Declarative, automated sync from Git to cluster. Rollbacks are just a git revert away.

The Reality: If your Git repo is a dumpster fire of conflicting YAML, ArgoCD will happily, dutifully, and relentlessly sync that dumpster fire to production. It won’t stop you. One bad merge, and you’ve automated a catastrophe.

Our escape from YAML hell was a five-step sanity plan

We knew we couldn’t burn it all down. We had to tame the beast. So, we gathered the team, drew a line in the sand, and created five commandments for configuration sanity.

1. We built a sane repo structure

The first step was to stop the guesswork. We enforced a simple, predictable layout for every single service.

├── base/
│   ├── deployment.yaml
│   ├── service.yaml
│   └── configmap.yaml
└── overlays/
    ├── dev/
    │   ├── kustomization.yaml
    │   └── values.yaml
    ├── staging/
    │   ├── kustomization.yaml
    │   └── values.yaml
    └── prod/
        ├── kustomization.yaml
        └── values.yaml

This simple change eliminated 80% of the “wait, which file do I edit?” conversations.

2. One source of truth for values

This was a sacred vow. Each environment gets one values.yaml file. That’s it. We purged the heretics:

values-prod-final.v2.override.yaml
backup-of-values.yaml
donotdelete-temp-config.yaml

If a value wasn’t in the designated values.yaml for that environment, it didn’t exist. Period.

3. We stopped mixing Helm and Kustomize

You have to pick a side. We made a rule: if a service requires complex templating logic, use Helm. If it primarily needs simple overlays (like changing replica counts or image tags per environment), use Kustomize. Using both on the same service is like trying to write a sentence in two languages at once. It’s a recipe for suffering.

4. We render everything before deploying

Trust, but verify. We added a mandatory step in our CI pipeline to render the final YAML before it ever touches the cluster.

# For Helm + Kustomize setups
helm template . --values overlays/prod/values.yaml | \
kustomize build | \
kubeval -

This simple script does three magical things:

It validates that the output is syntactically correct YAML.
It lets us see exactly what is about to be applied.
It has completely eliminated the “well, that’s not what I expected” class of production incidents.

5. We built a simple config CLI

To make the right way the easy way, we built a small internal CLI tool. Now, instead of navigating the YAML jungle, an engineer simply runs:

$ ops-cli config generate --app=user-service --env=prod

This tool:

Pulls the correct base templates and overlay values.
Renders the final, glorious YAML.
Validates it against our policies.
Shows the developer a diff of what will change in the cluster.
Saves lives and prevents hair loss.

YAML is now a tool again, not a trap.

The afterlife is peaceful

YAML didn’t ruin our lives. We did, by refusing to treat it with the respect it demands. Templating gives you incredible power, but with great power comes great responsibility… and redundancy, and confusion, and pull requests with 10,000 lines of whitespace changes. Now, we treat our YAML like we treat our application code. We lint it. We test it. We render it. And most importantly, we’ve built a system that makes it difficult to do the wrong thing. It’s the institutional equivalent of putting childproof locks on the kitchen cabinets. A determined toddler could probably still get to the cleaning supplies, but it would require a conscious, frustrating effort. Our system doesn’t make us smarter; it just makes our inevitable moments of human fallibility less catastrophic. It’s the guardrail on the scenic mountain road of configuration. You can still drive off the cliff, but you have to really mean it. Our infrastructure is no longer a hieroglyphic. It’s just… configuration. And the resulting boredom is a beautiful thing.

August 3, 2025 by Fernando SRE Cloud stuff DevOps stuff Kubernetes SRE stuff

GitOps, The Conductor of Cloud Adoption

Let’s embark on a brief journey through the different “buckets” of technology that define our era.

The “Traditional” bucket harks back to days when deploying applications was a lengthy affair, often taking weeks or months. This was the era of WAR, ZIP, and EAR files, where changes were cumbersome and cautious.

Then comes the “New Wave,” synonymous with cloud-native approaches. Here, containers have revolutionized the scene, turning those weeks into mere minutes or seconds. It’s a realm where agility meets efficiency, unlocking rapid deployment and scaling.

Lastly, we reach “Serverless,” where the cloud truly flexes its muscles. In this space, containers are still key, but the real star is the suite of microservices. These tiny, focused units of functionality allow for an unprecedented focus on the application logic without the weight of infrastructure management.

Understanding these buckets is like mapping the terrain before a journey—it sets the stage for a deeper exploration into how modern software development and deployment are evolving.

GitOps: Streamlining Cloud Transition

As we chart a course through the shifting tides of technology, GitOps emerges as a guiding force. Imagine GitOps as a masterful conductor, orchestrating the principles of Git—such as version control, collaboration, compliance, and CI/CD (Continuous Integration and Continuous Delivery)—to create a symphony of infrastructure automation. This method harmonizes development and operational tasks, using familiar tools to manage and deploy in the cloud-native and serverless domains.

Cloud adoption, often seen as a complex migration, is simplified through GitOps. It presents a transparent, traceable, and efficient route, ensuring that the shift to cloud-native and serverless technologies is not just a leap, but a smooth transition. With GitOps, every iteration is a step forward, reliability becomes a standard, and security is enhanced. These are the cornerstones of a solid cloud adoption strategy, paving the way for a future where changes are swift, and innovation is constant.

Tech’s Transformative Trio: From Legacy to Vanguard

Whilst we chart our course through the shifting seas of technology, let’s adopt the idea that change is the only constant. Envision the technology landscape as a vast mosaic, continually shifting under the pressures of innovation and necessity. Within this expanse, three distinct “buckets” stand out, marking the epochs of our digital saga.

First, there’s the “Traditional” bucket—think of it as the grandparent of technology. Here, deploying software was akin to moving mountains, a process measured in weeks or months, where WAR, ZIP, and EAR files were the currency of the realm.

Enter the “New Wave,” the hip cloud-native generation where containers are the cool kids on the block, turning those grueling weeks into minutes or even seconds. This bucket is where flexibility meets speed, a playground for the agile and the brave.

Finally, we arrive at “Serverless,” the avant-garde, where the infrastructure becomes a magician’s vanishing act, leaving nothing but the pure essence of code—microservices that dance to the tune of demand, untethered by the physical confines of hardware.

This transformation from traditional to modern practices isn’t just a change in technology; it’s a revolution in mindset, a testament to the industry’s relentless pursuit of innovation. Welcome to the evolution of technology practices—a journey from the solid ground of the old to the cloud-kissed peaks of the new.

GitOps: Synchronizing the Pulse of Development and Operations

In the heart of our modern tech odyssey lies GitOps, a philosophy that blends the rigors of software development with the dynamism of operations. It’s a term that sparkles with the promise of enhanced deployment frequency and the rock-solid stability of a seasoned sea captain.

Think of GitOps as the matchmaker of Dev and Ops, uniting them under the banner of Git’s version control mastery. By doing so, it forges a union so seamless that the once-staggered deployments now step to a brisk, rhythmic cadence. This is the dance floor of the New Wave and Serverless scenes, where each deployment is a step, each rollback a twirl, all choreographed with precision and grace.

In this convergence, the benefits are as clear as a starlit sky. With GitOps, the deployments aren’t just frequent; they’re also more predictable, and the stability is something you can set your watch to. It’s a world where “Oops” turns into “Ops,” and errors become lessons learned, not catastrophes endured. Welcome to the era where development and operations don’t just meet—they waltz together.

Catching the Cloud: Why the Sky’s the Limit in Tech

Imagine a world where your tech needs can scale as effortlessly as turning the volume knob on your favorite song, where the resources you tap into for your business can expand and contract like an accordion playing a tune. This is the world of cloud technology.

The cloud offers agility; it’s like having an Olympic gymnast at your beck and call, ready to flip and twist at the slightest nudge of demand. Then there’s scalability, akin to a balloon that inflates as much as you need, only without the fear of popping. And let’s not forget cost-efficiency; it’s like shopping at a buffet where you only pay for the spoonfuls you eat, not the entire spread.

Adopting cloud technologies is not just a smart move; it’s an imperative stride into the future. It’s about making sure your tech can keep pace with your ambition, and that, my friends, is why the cloud is not just an option; it’s a necessity in our fast-moving digital world.

Constructing Clouds with GitOps: A Blueprint for Modern Infrastructure

In the digital construction zone of today’s tech, GitOps is the scaffold that supports the towering ambitions of cloud adoption. It’s a practice that takes the guesswork out of building and managing cloud-based services, a bit like using GPS to navigate through the labyrinth of modern infrastructure.

By using Git as a single source of truth for infrastructure as code (IaC), GitOps grants teams the power to manage complex cloud environments with the same ease as ordering a coffee through an app. Version control becomes the wand that orchestrates entire ecosystems, allowing for replication, troubleshooting, and scaling with a few clicks or commands.

Imagine deploying a network of virtual machines as simply as duplicating a file, or rolling back a faulty environment update with the same ease as undoing a typo in a document. GitOps not only builds the bridge to the cloud but turns it into a conveyor belt of continuous improvement and seamless transition. It’s about making cloud adoption not just achievable, but natural, almost instinctive. Welcome to the construction site of tomorrow’s cloud landscapes, where GitOps lays down the bricks with precision and flair.

Safeguarding the Cloudscape: Mastering Risk Management in a Cloud-Native Realm

Embarking on a cloud-native journey brings its own set of weather patterns, with risks and rewards as variable as the climate. In this vibrant ecosystem, risk management becomes a craft of its own, one that requires finesse and a keen eye for the ever-changing horizon.

GitOps emerges as a lighthouse in this environment, guiding ships safely to port. By integrating version control for infrastructure as code, GitOps ensures that each deployment is not just a launch into the unknown but a calculated step with a clear recovery path.

Consider this: in a cloud-native world, risks are like storms; they’re inevitable. GitOps, however, provides the barometer to anticipate them and the tools to weather them. It’s about creating consistent and recoverable states that turn potential disasters into mere moments of adjustment, ensuring that your cloud-native journey is both adventurous and secure.

Let’s set sail with a tangible example. Imagine a financial services company managing their customer data across several cloud services. They decide to update their data encryption across all services to bolster security. In a pre-GitOps world, this could be a treacherous voyage with manual updates, risking human error, and potential data breaches.

Enter GitOps. The company uses a Git repository to manage their infrastructure code, automating deployments through a CI/CD pipeline. The update is coded once, reviewed, and merged into the main branch. The CI/CD pipeline picks up the change, deploying it across all services systematically. When a flaw in the encryption method is detected, rather than panic, they simply roll back to the previous version of the code in Git, instantly reverting all services to the last secure state.

This isn’t just theory; it’s a practice that keeps the company’s digital fleet agile and secure, navigating the cloud seas with the assurance of GitOps as their compass.

Sailing Ahead: Mastering the Winds of Technological Change

As we draw the curtains on our exploration, let’s anchor our thoughts on embracing GitOps for a future-proof voyage into the realms of cloud-native and serverless technologies. Adopting GitOps is not just about upgrading tools; it’s about cultivating an organizational culture that learns, adapts, and trusts in the power of automation.

It’s akin to teaching an entire crew to sail in unison, navigating through the unknown with confidence and precision. By fostering this mindset, we prepare not just for the technology of today but for the innovations of tomorrow, making each organization a flagship of progress and resilience in the digital sea. Let’s set our sails high and embrace these winds of change with the assurance that GitOps provides, charting a course towards a horizon brimming with possibilities.

January 27, 2024 by Fernando SRE Cloud stuff DevOps stuff Git SRE stuff