luvv to help

Menu

Topic 6 of 8

GitOps Concepts

Learn GitOps Concepts for free with explanations, exercises, and a quick test (for Platform Engineer).

Published: January 23, 2026 | Updated: January 23, 2026

Table of Contents

Why this matters

Promotion strategies
  • Tag promotion: CI builds image v1.4.2; env repo updates image tag via PR.
  • Chart version pinning: bump chart and app version per env via PR.
  • Branch per env: main mirrors prod; release branches for lower envs (simple, but ensure controller tracks the right branch).
Secrets in GitOps

Keep secrets encrypted or externalized. Common options are sealed/encrypted secrets or pulling from a secret manager at runtime. Never commit raw secrets.

Policies and approvals
  • Require pull request reviews and status checks (lint, security scan).
  • Policy-as-code to block risky changes (e.g., disallow latest tags).
  • Signed commits or image provenance for sensitive environments.

Worked examples

Example 1 — Kustomize overlays per environment

Goal: one base manifest and environment-specific differences.

repo/
  apps/
    payments/
      base/
        deployment.yaml
        service.yaml
        kustomization.yaml
      overlays/
        dev/
          kustomization.yaml
          patch-replicas.yaml
        prod/
          kustomization.yaml
          patch-resources.yaml
# base/kustomization.yaml
resources:
  - deployment.yaml
  - service.yaml
# overlays/dev/kustomization.yaml
resources:
  - ../../base
patches:
  - path: patch-replicas.yaml
# overlays/dev/patch-replicas.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments
spec:
  replicas: 1

Prod overlay sets higher replicas and resource limits. The controller syncs the chosen overlay directory for each environment.

Example 2 — Image tag updates via PR

Goal: CI builds an immutable image, then a bot updates the env repo to deploy it.

  1. CI builds image registry.example.com/payments:1.7.0 and signs it.
  2. CI opens a PR to env repo changing only the image tag in the dev overlay.
  3. On merge, the controller pulls the new commit and deploys.
# overlays/dev/kustomization.yaml
images:
  - name: registry.example.com/payments
    newTag: 1.7.0

Example 3 — Fast rollback with Git revert

  1. Incident detected after deploy 1.7.0.
  2. Create a revert commit restoring tag 1.6.3 in the env repo.
  3. Merge the revert; controller reconciles back to 1.6.3.

No cluster access needed for rollback; Git history provides a clear audit trail.

Design a minimal GitOps flow

  1. Build: CI builds and scans an image; push with an immutable tag.
  2. Propose: open a PR to env repo updating the image tag for a target env.
  3. Validate: run lint, policy checks, and deployment dry-runs on PR.
  4. Approve: reviewers sign off; required checks pass.
  5. Sync: merge PR; controller reconciles cluster to the new desired state.
  6. Observe: verify health and metrics; roll forward or revert via Git if needed.

Common mistakes and self-check

  • Using mutable tags like latest — makes rollbacks and audits unreliable.
  • Bypassing Git with manual kubectl edits — creates drift and surprises.
  • Mixing app source and env configs without clear boundaries — noisy history.
  • Storing plaintext secrets — always encrypt or externalize.
  • Huge PRs that change many services at once — hard to review and rollback.
  • No health checks — controller may mark sync as healthy while app is failing.
  • Ignoring too many fields in sync — drift hides real issues.

Self-check

  • Can you roll back by reverting a single commit?
  • Can you answer who approved the last production change?
  • Are images and charts pinned to immutable versions?
  • Can a new cluster get to the same state by pointing at the same repo and path?

Exercises

Do these hands-on tasks to cement the concepts. Mirror of the exercises list below.

Exercise 1 — Structure a GitOps repo with Kustomize overlays

Create a base and two overlays (dev, prod) for a simple web app. Dev should run 1 replica; prod should run 4 replicas and add resource limits. Use immutable image tag 1.0.0 in dev and 1.0.1 in prod.

  • Deliver a directory tree plus kustomization files.
  • Include one deployment and one service.
Exercise 2 — Define a promotion flow via PRs

Write a short, actionable PR template and a step-by-step flow to promote an image from dev to prod using GitOps. Include checks and required approvals.

  • Show which files change in each environment.
  • List mandatory validations before merge.

Checklist

  • Env repo separated from app source, or clearly partitioned.
  • Overlays/values pin immutable versions.
  • Promotion uses PRs, not direct pushes to prod.
  • Rollbacks are a single revert commit.

Practical projects

  • Single service GitOps: Deploy a stateless API to dev and prod using overlays; acceptance: PR to bump image tag auto-deploys and is observable.
  • Multi-service rollout: Three services with independent versions; acceptance: promote only one service to prod without touching others.
  • Policy gate: Add a check that rejects PRs using latest or missing resource limits; acceptance: unsafe PRs are blocked until fixed.

Who this is for

  • Platform Engineers building secure, scalable delivery platforms.
  • DevOps/Infra engineers adopting declarative operations.
  • Backend engineers who own deployment reliability.

Prerequisites

  • Comfort with Git (branches, PRs, tags, revert).
  • Basic Kubernetes (deployments, services, namespaces).
  • YAML and either Kustomize or Helm fundamentals.

Learning path

  1. Understand GitOps principles and pull vs. push deployment models.
  2. Create a simple env repo with overlays or values files.
  3. Automate image tag bumps via PRs from CI.
  4. Add policy checks and required approvals.
  5. Practice rollbacks using Git revert.

Next steps

  • Introduce commit signing for production env repo.
  • Add runtime policy checks and deployment health gates.
  • Expand to multi-cluster setups with separate paths per cluster.

Mini challenge

Your CI just built image catalog:2.3.1. Draft the minimal Git diff to promote it to staging only, ensure production remains at 2.3.0, and write one sentence explaining how you would roll back if a regression is found.

Quick Test

Take the quick test to check your understanding. Available to everyone; only logged-in users get saved progress.

Practice Exercises

2 exercises to complete

Instructions

Create a base and overlays for a web app named shop. Requirements:

  • Base: deployment (container port 8080) and cluster-internal service.
  • Dev overlay: 1 replica, image tag 1.0.0.
  • Prod overlay: 4 replicas, image tag 1.0.1, add CPU 200m/Memory 256Mi requests and limits 500m/512Mi.

Deliver directory tree plus kustomization files and patches.

shop/
  base/
    deployment.yaml
    service.yaml
    kustomization.yaml
  overlays/
    dev/
      kustomization.yaml
      patch.yaml
    prod/
      kustomization.yaml
      patch.yaml
Expected Output
A working base with two overlays that produce different replicas and image tags, with resource limits only in prod.

GitOps Concepts — Quick Test

Test your knowledge with 8 questions. Pass with 70% or higher.

8 questions70% to pass
Automated Rollbacks And PromotionsManaging Monorepos And Multi Repo Flows

Have questions about GitOps Concepts?

AI Assistant

Ask questions about this tool