Just-in

Kagent Tutorial: Build Cloud-Native AI Agents on Kubernetes

Running Ollama LLM on Kubernetes: A Complete Guide

From Docker to Kubernetes: The Orchestration Journey You Didn’t Know You Needed

What is Kubeflow and how can it be used?

Getting Started with Kubeflow: A Complete Beginner’s Guide

Orchestration

GitOps: Dev to Prod Promotion

Navigating the complexities of application deployment across multiple environments—development, staging, and production—can be a daunting task. Traditional deployment pipelines often involve manual steps, imperative scripts, and a significant risk of configuration drift. This leads to inconsistencies, delayed releases, and a constant state of anxiety for operations teams. Imagine a world where your infrastructure and application configurations are treated like code, version-controlled, and automatically synchronized across all your Kubernetes clusters. This is the promise of GitOps.

GitOps, an operational framework that takes DevOps best practices used for application development and applies them to infrastructure automation, offers a declarative approach to managing your Kubernetes environments. By using Git as the single source of truth for desired state, it enables automated deployments, rollbacks, and a clear audit trail of all changes. When coupled with a multi-environment strategy, GitOps transforms the journey of an application from a developer’s laptop to production into a streamlined, reliable, and auditable process, drastically reducing human error and boosting deployment confidence.

This guide will walk you through implementing a robust multi-environment GitOps workflow using Argo CD, a popular declarative GitOps continuous delivery tool for Kubernetes. We’ll cover everything from structuring your Git repositories for different environments to promoting changes confidently from development to production, ensuring consistency and stability every step of the way. Get ready to embrace a new era of Kubernetes deployment management!

TL;DR: Multi-Environment GitOps with Argo CD

GitOps uses Git as the single source of truth for declarative infrastructure and application management. This guide outlines how to set up a multi-environment GitOps workflow (Dev, Staging, Prod) using Argo CD, leveraging a separate Git repository for configurations.

  • Initialize Repo: Create a dedicated Git repository for Kubernetes manifests, organized by environment.
  • Install Argo CD: Deploy Argo CD to your Kubernetes cluster.
  • Configure Applications: Define Argo CD Applications for each environment, pointing to the respective paths in your Git repository.
  • Promote Changes: Use Git branches or directory copies to promote changes from Dev to Staging to Prod.
  • Key Commands:

# Install Argo CD
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

# Access Argo CD UI (port-forward)
kubectl port-forward svc/argocd-server -n argocd 8080:443

# Get initial admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo

# Create an Argo CD Application for development
kubectl apply -f - <

Prerequisites

Before diving into the implementation, ensure you have the following tools and knowledge:

  • Kubernetes Cluster(s): At least one Kubernetes cluster (e.g., Minikube, kind, or a cloud-managed cluster like GKE, EKS, AKS) to deploy Argo CD and your applications. Ideally, you'd have separate clusters or namespaces representing your Dev, Staging, and Production environments. This guide assumes a single cluster with distinct namespaces for simplicity, but the principles scale to multiple clusters.
  • kubectl: The Kubernetes command-line tool, configured to connect to your cluster(s). Refer to the official Kubernetes documentation for installation instructions.
  • Git: Familiarity with Git for version control. You'll need a Git client installed and configured.
  • GitHub/GitLab/Bitbucket Account: A Git hosting service to store your application and configuration repositories.
  • Basic Kubernetes Knowledge: Understanding of Kubernetes concepts like Deployments, Services, Namespaces, and Ingress.
  • YAML Familiarity: Kubernetes configurations are primarily written in YAML.

Step-by-Step Guide: Multi-Environment GitOps with Argo CD

Step 1: Design Your GitOps Repository Structure

The foundation of any successful GitOps strategy is a well-organized Git repository. For multi-environment deployments, it's crucial to separate environment-specific configurations while maintaining a clear relationship with the base application manifests. We'll use a single repository for all configurations, organized by environment and application.

This approach centralizes all Kubernetes manifests, making it easy to track changes across environments. We'll create a top-level environments directory, with subdirectories for dev, staging, and prod. Within each environment directory, we'll place application-specific folders. This structure allows for easy promotion of changes by copying or merging configurations between environment directories.

First, create a new Git repository (e.g., my-gitops-repo) on your chosen Git hosting service (GitHub, GitLab, etc.). Then, clone it locally and set up the initial directory structure.


# Create the local directory structure
mkdir -p my-gitops-repo/environments/dev/myapp
mkdir -p my-gitops-repo/environments/staging/myapp
mkdir -p my-gitops-repo/environments/prod/myapp
mkdir -p my-gitops-repo/applications/base/myapp

# Navigate into the repository
cd my-gitops-repo

# Initialize Git and commit the structure
git init
git add .
git commit -m "Initial GitOps repository structure"
git branch -M main # Rename default branch to main
git remote add origin https://github.com/your-org/my-gitops-repo.git # Replace with your repo URL
git push -u origin main

Verify: You should see the directories created locally and pushed to your remote Git repository.


ls -R

Expected Output:


./applications:
base

./applications/base:
myapp

./environments:
dev    prod    staging

./environments/dev:
myapp

./environments/prod:
myapp

./environments/staging:
myapp

Step 2: Define Base Application Manifests

Next, we'll create the base Kubernetes manifests for a simple application. This base will contain the common definitions (Deployment, Service) that are largely identical across environments. Environment-specific overrides (like replica counts, resource limits, or image tags) will be handled in later steps using Kustomize, which Argo CD supports natively.

For this example, we'll use a basic Nginx deployment. Place these files in the applications/base/myapp directory.


# my-gitops-repo/applications/base/myapp/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  labels:
    app: myapp
spec:
  replicas: 1 # This will be overridden per environment
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: nginx:1.21.6 # This will be overridden per environment
        ports:
        - containerPort: 80
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
---
# my-gitops-repo/applications/base/myapp/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  labels:
    app: myapp
spec:
  selector:
    app: myapp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: ClusterIP


# Add and commit the base manifests
git add applications/base/myapp/deployment.yaml applications/base/myapp/service.yaml
git commit -m "Add base Nginx application manifests"
git push origin main

Verify: Confirm the files exist in your repository.

Step 3: Implement Kustomize for Environment Overlays

Kustomize is a powerful tool for customizing Kubernetes configurations without templating. It allows you to define base manifests and then create "overlays" for different environments, applying patches or modifications. Argo CD has native support for Kustomize, making it ideal for our multi-environment setup.

We'll create a kustomization.yaml in each environment's application directory (e.g., environments/dev/myapp) that references the base manifests and applies environment-specific changes.

3.1: Development Environment Configuration

For the development environment, we'll keep it simple: 1 replica, a specific dev image tag, and a slightly lower resource request.


# my-gitops-repo/environments/dev/myapp/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../applications/base/myapp # Relative path to base manifests

patches:
  - target:
      kind: Deployment
      name: myapp
    patch: |
      - op: replace
        path: /spec/replicas
        value: 1
      - op: replace
        path: /spec/template/spec/containers/0/image
        value: nginx:1.21.6-alpine # Dev specific image
      - op: replace
        path: /metadata/namespace # Ensure deployment is in the correct namespace
        value: myapp-dev

3.2: Staging Environment Configuration

Staging will have 2 replicas and a different image tag, potentially reflecting a release candidate.


# my-gitops-repo/environments/staging/myapp/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../applications/base/myapp

patches:
  - target:
      kind: Deployment
      name: myapp
    patch: |
      - op: replace
        path: /spec/replicas
        value: 2
      - op: replace
        path: /spec/template/spec/containers/0/image
        value: nginx:1.22.1-alpine # Staging specific image
      - op: replace
        path: /metadata/namespace
        value: myapp-staging

3.3: Production Environment Configuration

Production will have 3 replicas, a stable image tag, and potentially higher resource limits (though we're only changing replicas and image for simplicity here).


# my-gitops-repo/environments/prod/myapp/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../applications/base/myapp

patches:
  - target:
      kind: Deployment
      name: myapp
    patch: |
      - op: replace
        path: /spec/replicas
        value: 3
      - op: replace
        path: /spec/template/spec/containers/0/image
        value: nginx:1.24.0-alpine # Prod specific image
      - op: replace
        path: /metadata/namespace
        value: myapp-prod


# Add and commit the Kustomize files
git add environments/dev/myapp/kustomization.yaml \
        environments/staging/myapp/kustomization.yaml \
        environments/prod/myapp/kustomization.yaml
git commit -m "Add Kustomize overlays for dev, staging, prod"
git push origin main

Verify: You can test Kustomize locally to see the rendered manifests for each environment.


# For dev environment
kustomize build environments/dev/myapp

# For staging environment
kustomize build environments/staging/myapp

# For production environment
kustomize build environments/prod/myapp

Expected Output (for dev, similar for others with different replicas/images):


apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: myapp
  name: myapp
  namespace: myapp-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - image: nginx:1.21.6-alpine
        name: myapp
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 500m
            memory: 128Mi
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: myapp
  name: myapp
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: myapp
  type: ClusterIP

Step 4: Install Argo CD

Argo CD will be the engine that pulls our configurations from Git and applies them to our Kubernetes clusters. We’ll install it in its own namespace.

For more advanced networking configurations or securing your Argo CD instance, you might want to consider hardening your cluster with tools like Kubernetes Network Policies or even leveraging Cilium WireGuard Encryption for pod-to-pod traffic if Argo CD connects to other services in your cluster.


# Create the Argo CD namespace
kubectl create namespace argocd

# Install Argo CD
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

Verify: Ensure all Argo CD pods are running.


kubectl get pods -n argocd

Expected Output: (Pod names/hashes will vary)


NAME                                        READY   STATUS    RESTARTS   AGE
argocd-application-controller-7c9f8d9c5-abcde   1/1     Running   0          2m
argocd-dex-server-6789abcd-efghj            1/1     Running   0          2m
argocd-notifications-controller-8765fedc-ba09   1/1     Running   0          2m
argocd-redis-54321fedc-ba09                 1/1     Running   0          2m
argocd-repo-server-9876abcd-efghj           1/1     Running   0          2m
argocd-server-abcdefg-hijkl                 1/1     Running   0          2m

Access the Argo CD UI:

  1. Port-forward the Argo CD server service:
    2. 
kubectl port-forward svc/argocd-server -n argocd 8080:443
  2. Open your browser to https://localhost:8080.
  3. Retrieve the initial admin password:
    4. 
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
  4. Log in with username admin and the retrieved password.

Step 5: Configure Argo CD Applications for Each Environment

Now, we'll define Argo CD Application resources for each of our environments (dev, staging, prod). Each Application will point to the respective Kustomize directory in our Git repository and deploy to a dedicated namespace in our Kubernetes cluster.

5.1: Development Application

This application will deploy our Nginx app to the myapp-dev namespace, pulling configurations from environments/dev/myapp.


# myapp-dev-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp-dev
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/your-org/my-gitops-repo.git # Replace with your repo URL
    targetRevision: main
    path: environments/dev/myapp # Path to the Kustomize overlay for dev
  destination:
    server: https://kubernetes.default.svc
    namespace: myapp-dev # Target namespace in the cluster
  syncPolicy:
    automated: # Enable automatic synchronization
      prune: true # Delete resources that are no longer in Git
      selfHeal: true # Automatically sync when live state diverges from desired state
    syncOptions:
      - CreateNamespace=true # Argo CD will create the namespace if it doesn't exist

5.2: Staging Application

Similar to dev, but targeting myapp-staging namespace and environments/staging/myapp path.


# myapp-staging-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp-staging
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/your-org/my-gitops-repo.git # Replace with your repo URL
    targetRevision: main
    path: environments/staging/myapp # Path to the Kustomize overlay for staging
  destination:
    server: https://kubernetes.default.svc
    namespace: myapp-staging
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

5.3: Production Application

And finally, for production, targeting myapp-prod namespace and environments/prod/myapp path.


# myapp-prod-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp-prod
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/your-org/my-gitops-repo.git # Replace with your repo URL
    targetRevision: main
    path: environments/prod/myapp # Path to the Kustomize overlay for prod
  destination:
    server: https://kubernetes.default.svc
    namespace: myapp-prod
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

Apply these Argo CD Application manifests to your cluster:


# Create a temporary directory for these manifests
mkdir -p argo-apps
cp myapp-dev-app.yaml argo-apps/
cp myapp-staging-app.yaml argo-apps/
cp myapp-prod-app.yaml argo-apps/

# Apply the applications
kubectl apply -f argo-apps/myapp-dev-app.yaml
kubectl apply -f argo-apps/myapp-staging-app.yaml
kubectl apply -f argo-apps/myapp-prod-app.yaml

Verify: Check the Argo CD UI (https://localhost:8080) or command line. You should see three new applications (myapp-dev, myapp-staging, myapp-prod) in a Synced and Healthy state, and the respective namespaces and deployments should be created in your cluster.


kubectl get deployment -n myapp-dev
kubectl get deployment -n myapp-staging
kubectl get deployment -n myapp-prod

Expected Output:


# For myapp-dev
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
myapp   1/1     1            1           2m

# For myapp-staging
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
myapp   2/2     2            2           2m

# For myapp-prod
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
myapp   3/3     3            3           2m

Step 6: Promote Changes from Dev to Staging to Production

The core of multi-environment GitOps is the promotion mechanism. With our current repository structure, promotion involves updating the Kustomize overlay for the target environment. The simplest and most robust way to do this is by updating the configuration files in Git, typically by copying files or merging branches.

Let's say a developer has added a new configuration or updated an image in the dev environment. To promote this change to staging, you would copy the relevant Kustomize configuration or base manifest changes from environments/dev/myapp to environments/staging/myapp, or directly modify the staging overlay.

For a robust promotion process, many teams use a Git branching model (e.g., dev, staging, main/prod branches) and merge requests. Here, we'll simulate a change and a promotion by directly modifying the image in dev and then copying it to staging.

6.1: Make a change in Development

Let's update the Nginx image in the development environment to a newer version.


# my-gitops-repo/environments/dev/myapp/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../applications/base/myapp

patches:
  - target:
      kind: Deployment
      name: myapp
    patch: |
      - op: replace
        path: /spec/replicas
        value: 1
      - op: replace
        path: /spec/template/spec/containers/0/image
        value: nginx:1.23.4-alpine # Updated image for dev
      - op: replace
        path: /metadata/namespace
        value: myapp-dev


# Commit the change to dev
cd my-gitops-repo
git add environments/dev/myapp/kustomization.yaml
git commit -m "Update Nginx image to 1.23.4-alpine in dev"
git push origin main

Verify: Argo CD will detect this change for myapp-dev and automatically sync. Check the Argo CD UI or run kubectl get deployment myapp -n myapp-dev -o yaml | grep image to confirm the image update.

6.2: Promote the change to Staging

To promote this image change to staging, we'll update the staging Kustomize overlay. In a real-world scenario, this might involve a pull request review and merge.


# my-gitops-repo/environments/staging/myapp/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../applications/base/myapp

patches:
  - target:
      kind: Deployment
      name: myapp
    patch: |
      - op: replace
        path: /spec/replicas
        value: 2
      - op: replace
        path: /spec/template/spec/containers/0/image
        value: nginx:1.23.4-alpine # Promoted image to staging
      - op: replace
        path: /metadata/namespace
        value: myapp-staging


# Commit the change to staging
git add environments/staging/myapp/kustomization.yaml
git commit -m "Promote Nginx image 1.23.4-alpine to staging"
git push origin main

Verify: Argo CD will detect this change for myapp-staging and sync. Confirm the image update in the staging environment.


kubectl get deployment myapp -n myapp-staging -o yaml | grep image

Expected Output:


        image: nginx:1.23.4-alpine

Repeat this process to promote to production after thorough testing in staging. This manual or automated copying/merging of Kustomize overlays is the essence of promotion in this GitOps model.

Production Considerations

Moving from a development setup to a production-grade GitOps system requires careful planning and robust practices. Here are key considerations:

  • Repository Strategy: While a single repository for all configurations (monorepo) is used here for simplicity, larger organizations might opt for multiple repositories (e.g., one for platform/cluster configuration, one for application configurations). Choose what fits your team's size and complexity.
  • Security:
    • Git Access: Restrict write access to your GitOps repository. Implement branch protection rules, requiring pull request reviews for all changes, especially to staging and production environments.
    • Argo CD Access: Integrate Argo CD with your organization's identity provider (e.g., LDAP, OIDC) for authentication. Use RBAC within Argo CD to control who can sync, rollback, or manage applications.
    • Secrets Management: Never commit sensitive information directly to Git. Use Kubernetes Secrets, preferably encrypted at rest with tools like Mozilla SOPS or Sealed Secrets. Cloud provider secret managers (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault) or a dedicated solution like HashiCorp Vault are excellent choices for managing secrets and injecting them into your clusters.
    • Image Signing: For enhanced supply chain security, consider integrating Sigstore and Kyverno to ensure only signed and verified container images are deployed to production.
  • Observability:
    • Monitoring & Alerting: Set up comprehensive monitoring for your applications and Argo CD itself. Tools like Prometheus and Grafana are standard. Configure alerts for deployment failures, out-of-sync applications, or resource issues.
    • Logging: Centralize logs from your applications and Argo CD components.
    • Tracing: For complex microservice architectures, integrate distributed tracing to understand request flows. Tools like Istio Ambient Mesh can provide advanced observability features without sidecar proxies.
    • eBPF: For deep network and application observability, explore eBPF Observability with Hubble to gain insights into network traffic and application behavior.
  • High Availability & Disaster Recovery:
    • Deploy Argo CD in a highly available configuration (multiple replicas for critical components).
    • Back up your Argo CD configuration and application definitions regularly.
    • Consider multi-cluster or multi-region deployments for critical applications.
  • Resource Management:
    • Implement proper Resource Quotas and Limit Ranges for namespaces to prevent resource starvation.
    • Utilize Horizontal Pod Autoscalers (HPA) and Vertical Pod Autoscalers (VPA) for efficient resource scaling.
    • For cost optimization and efficient node management, integrate with cluster autoscalers like Karpenter.
    • If you are running specialized workloads like LLMs on Kubernetes with GPU Scheduling, ensure your GitOps process accounts for GPU resource allocation and driver management.
  • Testing & Validation:
    • Automated Testing: Implement integration and end-to-end tests in your CI pipeline, triggered before promoting changes to higher environments.
    • Pre-Sync Hooks: Argo CD supports pre-sync hooks for running validation scripts or smoke tests before applying changes.
    • Rollback Strategy: GitOps inherently provides easy rollbacks by reverting Git commits. Ensure your team is familiar with this process.
  • Networking:
    • Consider using advanced traffic management solutions like the Kubernetes Gateway API for sophisticated routing, load balancing, and traffic splitting across environments.

Troubleshooting

  1. Argo CD Application Stuck in OutOfSync State

    Problem: Your Argo CD application shows OutOfSync even after commits to the Git repository.

    Solution:

    • Check Sync Status: In the Argo CD UI, click on the application to see details. It will often show specific resources that are out of sync and why.
    • Manual Sync: Try a manual sync from the Argo CD UI or CLI (argocd app sync <app-name>).
    • Refresh: Sometimes Argo CD's cache needs to be refreshed. Click the "Refresh" button in the UI or run argocd app refresh <app-name>.
    • Git Repository Access: Ensure Argo CD has correct access to your Git repository (SSH key or HTTPS credentials). Check Argo CD's argocd-repo-server logs.
    • Manifest Errors: Check for syntax errors in your Kubernetes manifests or Kustomize files. Argo CD will usually report these in the UI.
  2. Deployment Fails / Pods Not Running

    Problem: Argo CD reports Synced, but your application pods are not running or are in a CrashLoopBackOff state.

    Solution:

    • Check Pod Events: Use kubectl describe pod <pod-name> -n <namespace> to check for events that indicate why the pod isn't starting (e.g., image pull errors, insufficient resources, failed probes).
    • View Pod Logs: Use kubectl logs <pod-name> -n <namespace> to inspect application logs for startup errors.
    • Resource Limits: Ensure that your Deployment's resource requests/limits are not too low, leading to OOMKills.
    • Image Pull Secrets: If using private container registries, verify that appropriate imagePullSecrets are configured in the Deployment and accessible to the service account.
  3. Kustomize Overlays Not Applying Correctly

    Problem: Environment-specific changes defined in Kustomize overlays are not being applied to the deployed resources.

    Solution:

    • Relative Paths: Double-check the relative paths in your kustomization.yaml files (e.g., ../../../applications/base/myapp). A common mistake is incorrect pathing.
    • Kustomize Build Locally: Use kustomize build <path

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *