Skip to content

somethingwithproof/gitops-infrastructure-demo

BranchesTags

Repository files navigation

GitOps Infrastructure Demo

Terraform Kubernetes ArgoCD Argo Rollouts License: MIT

Production-ready GitOps reference architecture demonstrating modern Kubernetes deployment patterns with progressive delivery, policy enforcement, and observability.

🏗️ Architecture

flowchart TB subgraph Developer["Developer Workflow"] DEV[Developer] -->|push code| GIT[GitHub] GIT -->|trigger| CI[GitHub Actions] CI -->|build & push| ECR[ECR Registry] CI -->|update| VALUES[Helm Values] end subgraph GitOps["GitOps Control Plane"] VALUES -->|watch| ARGO[ArgoCD] ARGO -->|sync| K8S[Kubernetes Cluster] end subgraph Cluster["EKS Cluster"] K8S --> ROLLOUT[Argo Rollouts] ROLLOUT -->|canary 10%| CANARY[Canary Pods] ROLLOUT -->|stable 90%| STABLE[Stable Pods] end subgraph Observability["Observability"] K8S --> PROM[Prometheus] PROM --> GRAF[Grafana] PROM -->|analysis| ROLLOUT end
Loading

Full architecture documentation →

✨ What This Demonstrates

Capability Implementation Location
GitOps Workflow ArgoCD with App of Apps pattern argocd/
Progressive Delivery Argo Rollouts with canary analysis rollouts/
Infrastructure as Code Terraform modules for EKS terraform/
Policy as Code Kyverno admission policies policies/
Observability Prometheus, Grafana, AlertManager observability/
Secret Management External Secrets Operator + AWS SM secrets/
Multi-Environment Dev → Staging → Prod promotion argocd/applicationsets/

📂 Repository Structure

├── terraform/ # Infrastructure provisioning │ ├── modules/ │ │ ├── eks/ # EKS cluster module │ │ ├── vpc/ # VPC networking │ │ └── argocd/ # ArgoCD bootstrap │ └── environments/ │ └── dev/ # Environment configs ├── argocd/ # ArgoCD application definitions │ ├── apps/ # Application manifests │ ├── projects/ # ArgoCD projects (RBAC) │ └── applicationsets/ # Dynamic multi-env generation ├── helm/ # Helm charts │ └── sample-app/ # Example application chart ├── rollouts/ # Argo Rollouts strategies │ └── canary-strategy.yaml # Canary with Prometheus analysis ├── policies/ # Kyverno policies │ └── kyverno/ # Security & best practice policies ├── observability/ # Monitoring stack │ └── prometheus/ # Prometheus, Grafana, alerts ├── secrets/ # External Secrets configuration ├── docs/ # Documentation │ ├── architecture.md # System architecture │ └── adr/ # Architecture Decision Records └── .github/ └── workflows/ # CI/CD pipelines

Prerequisites

  • AWS CLI configured with appropriate credentials
  • Terraform >= 1.6
  • kubectl >= 1.28
  • Helm >= 3.13
  • ArgoCD CLI (optional)

Quick Start

1. Provision Infrastructure

cd terraform/environments/dev terraform init terraform plan terraform apply

2. Configure kubectl

aws eks update-kubeconfig --name gitops-demo-dev --region us-west-2

3. Access ArgoCD

# Get initial admin password kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d # Port forward kubectl port-forward svc/argocd-server -n argocd 8080:443

Module Structure

See Repository Structure above for detailed organization.

Variables

Module-specific variables are documented in each module's variables.tf:

  • terraform/modules/vpc/variables.tf - VPC configuration
  • terraform/modules/eks/variables.tf - EKS cluster settings
  • terraform/modules/argocd/variables.tf - ArgoCD bootstrap

Outputs

Module outputs are defined in respective outputs.tf files:

  • Cluster endpoint and certificate authority
  • VPC and subnet IDs
  • ArgoCD initial admin password

Development

Format Terraform code:

terraform fmt -recursive

Validate configuration:

terraform validate

Run linting:

tflint

Testing

CI/CD pipeline includes:

  • Terraform validation and formatting checks
  • Security scanning with tfsec
  • Kubernetes manifest validation
  • Container image scanning with Trivy

🔄 Progressive Delivery

This repo demonstrates canary deployments with automated analysis:

strategy: canary: steps: - setWeight: 10 # 10% traffic to canary - pause: {duration: 2m} - analysis: # Check error rate via Prometheus templates: - templateName: success-rate - setWeight: 50 # Promote to 50% - setWeight: 100 # Full rollout

Automatic rollback triggers when:

  • Error rate > 1%
  • P99 latency > 500ms
  • Pod restarts detected

See full rollout configuration →

🛡️ Policy Enforcement

Kyverno policies enforce security and best practices:

Policy Enforcement Description
require-labels Enforce Standard labels for all workloads
require-resource-limits Enforce CPU/memory limits required
disallow-privileged Enforce No privileged containers
require-probes Audit Liveness/readiness probes

See all policies →

📊 Observability

Pre-configured alerting for GitOps workflows:

  • ArgoCD App Out of Sync (>15 min)
  • ArgoCD App Health Degraded
  • Rollout Stalled (>30 min)
  • High Error Rate (>1%)
  • High Latency (P99 > 500ms)

See alerting rules →

📚 Architecture Decision Records

Key decisions documented:

🔐 Security Features

  • RBAC: Fine-grained access control for ArgoCD projects
  • Network Policies: Namespace isolation and traffic control
  • External Secrets: AWS Secrets Manager integration (no secrets in Git)
  • Kyverno Policies: Admission control for security standards
  • Image Scanning: Trivy integration in CI pipeline

Author

Thomas Vincent — Senior DevOps Engineer

License

MIT License - see LICENSE for details.

About

GitOps reference architecture with ArgoCD, Helm, Terraform, and Kubernetes

Resources

Readme

License

MIT license

Contributing

Contributing
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages