GitOps, a term coined by Alexis Richardson (CEO of Weaveworks) in 2017, represents a modern approach to continuous deployment and infrastructure management that leverages Git as its core technological foundation [1]. At its essence, GitOps extends the familiar Git workflow patterns from application development to infrastructure management, establishing Git repositories as the single source of truth for declarative infrastructure and applications [7].
In this blog post we want to summarize GitOps’ principles, describe best and bad practices and reflect on challenges, implementing GitOps can bring along.
Core Concept
The core concept of GitOps centers around state management: the entire system state is described declaratively and stored in version control [3], [4], [5], [6]. Rather than executing changes through various interfaces or command-line tools, all modifications to the system are made through version-controlled configuration files that represent the desired state [1], [3], [4]. This approach transforms traditional infrastructure management by treating infrastructure configurations with the same rigor as application code.
This desired state undergoes the standard Git workflow: changes are proposed through pull requests, undergo peer review, and are merged into the main branch. The key technological innovation lies in the automated operator – a software component that continuously monitors the actual system state and compares it with the desired state defined in Git, automatically reconciling any detected divergences [1], [4], [5], [7].
Key Principles
The GitOps methodology is built on five fundamental principles that work together to ensure reliable and reproducible system management:
The first principle is declarative system description. Instead of maintaining scripts that detail how to achieve a particular state, GitOps employs declarative configurations that specify the desired end state, allowing the system to determine the optimal path to reach that state [1], [3].
Second, Git serves as the version-controlled single source of truth. All system configurations reside in Git repositories, providing not only a complete change history but also enabling powerful features like rollbacks and audit trails [2], [3], [4], [5].
The third principle introduces automated change application. Once changes receive approval and merge into the main branch, automated processes handle the deployment and configuration updates, minimizing human error and ensuring consistent deployment processes [1], [4], [5], [7].
Fourth, continuous reconciliation ensures system reliability. A GitOps operator constantly compares the actual system state against the desired state defined in Git, automatically initiating corrective actions when discrepancies are detected [1], [2], [3].
Finally, system observability enables effective monitoring and troubleshooting. The system provides comprehensive visibility into the deployment process and current state, allowing teams to track changes and resolve issues efficiently [3], [4].
These principles work together to create a robust and reproducible system management approach that aligns with modern software engineering practices. By leveraging Git’s version control capabilities and combining them with automated reconciliation, GitOps provides a foundation for reliable infrastructure management.
How is GitOps different from traditional DevOps?
While traditional DevOps practices have significantly improved software delivery by breaking down silos between development and operations, modern enterprise IT faces increasing challenges with scale, complexity, and reliability. GitOps builds upon DevOps principles while introducing key technological innovations to address these challenges [2].
Fundamental Differences
Traditional DevOps emphasizes collaboration between development and operations teams, utilizing various tools and automation to streamline the software delivery process [8]. GitOps takes this foundation and adds strict version control and automation principles, fundamentally changing how infrastructure and deployments are managed [5], [6].
To illustrate these differences, consider a typical microservice deployment scenario:
In a traditional DevOps workflow, the development team pushes code changes to a repository, triggering a CI pipeline that builds and tests the application. The operations team then reviews the deployment request and manually configures deployment settings [7] . Various tools and scripts are employed to deploy the application, followed by manual verification [7] . If issues arise, manual rollback procedures must be initiated.
In contrast, in a GitOps workflow Developers push both code and configuration changes to the repository [7]. After the CI pipeline builds and tests the application, team members create a pull request with the updated configuration [7]. Following review and approval, changes merge into the main branch [7]. The GitOps operator automatically detects this change and reconciles the system state to match the desired state. In case of issues, reverting the Git commit automatically rolls back the system [4], [6].
Key Technical Distinctions
Besides these differences in concept, three fundamental technical characteristics distinguish GitOps from traditional DevOps:
Firstly, state management differs significantly. Traditional DevOps environments often maintain state across multiple tools and systems, potentially leading to inconsistencies. GitOps consolidates this by using Git repositories as the single source of truth for system state [3], [6], [7].
Secondly, automation in GitOps is more comprehensive. While traditional DevOps automates many processes, it often relies on a mix of automated and manual steps, particularly in configuration and deployment. GitOps implements full automation through continuous reconciliation between desired and actual states [3], [4], [7]
Thirdly, change management follows a stricter pattern. Traditional DevOps allows changes through various interfaces and tools, while GitOps mandates that all changes flow through Git, ensuring consistent version control and audit capabilities [3], [6].
Addressing Modern Enterprise Challenges
These technical distinctions enable GitOps to effectively address several critical challenges in modern enterprise IT. It manages increasing complexity by providing a consistent, declarative approach to handling distributed systems and cloud-native architectures.
For example, the automated reconciliation process prevents configuration drift, which happens when someone manually edits a system’s configuration without applying the same changes to the configuration files used to originally setup the system [1]. This is a frequent problem in enterprise contexts where many developers work on the same infrastructure.
Furthermore, the GitOps approach particularly excels in cloud-native environments, where it naturally aligns with container orchestration platforms and microservices architectures [3], [5]. Its emphasis on declarative configurations and automated reconciliation makes it especially suitable for managing the complexity of modern cloud infrastructure [4].
Theory of GitOps
While the previous sections established what GitOps is and how it differs from traditional approaches, understanding its theoretical foundations is crucial for successful implementation. GitOps combines several software engineering principles into a cohesive system for managing infrastructure and applications.
System Architecture and Core Components
The GitOps architecture centers around three primary components that work together to maintain system state: the Git repository, the GitOps operator, and the target infrastructure [1]. This architecture implements a control loop pattern, where the operator continuously monitors and reconciles system state [1].
The Git repository functions as the single source of truth, containing declarative descriptions of the desired infrastructure state [3], [6]. These descriptions typically use formats like YAML or JSON [5], chosen for their clear structure and machine-readable nature. The repository not only stores current configurations but also maintains a complete history of all system states through Git’s version control capabilities [1], [3].
The GitOps operator serves as the core automation component, implementing a control loop that continuously monitors both the Git repository and the target infrastructure. This operator follows the controller pattern common in distributed systems, where a controller works to make the current state match the desired state. The operator detects changes through either polling mechanisms or webhook notifications, ensuring rapid response to configuration updates [3], [4], [6], [8].
State Management and Reconciliation
The reconciliation process represents the heart of GitOps operations. This process follows a defined pattern:
The operator first observes the current state of both the Git repository (desired state) and the target infrastructure (actual state) [3], [4], [5]. It then compares these states to identify any divergence [2], [3], [4]. When differences are detected, the operator calculates the necessary actions to align the actual state with the desired state [1], [2], [4]. Finally, it executes these actions in a controlled, automated manner [2], [3], [5].
This process implements a form of eventual consistency, where the system continuously works to achieve and maintain the desired state [1]. The operator logs all actions and state changes, providing crucial audit trails and debugging information [1].
Event Flow and Automation
The automation in GitOps relies on a well-defined event flow. When developers commit changes to the Git repository, this triggers a series of automated processes [2], [4], [5]:
First, the change notification propagates either through webhooks or periodic polling [2], [4]. The GitOps operator receives this notification and retrieves the updated configuration [2], [4], [6], [8]. After validating the new configuration, the operator begins the reconciliation process to implement the changes [1], [3].
Webhooks play a particularly important role in this flow, enabling real-time reactions to configuration changes. They provide a push-based mechanism for notification, reducing the delay between configuration changes and their implementation while minimizing unnecessary polling operations [2].
Infrastructure as Code Integration
Infrastructure as Code (IaC) forms a crucial foundation for GitOps, providing the declarative approach to infrastructure management [4], [6]. In the GitOps context, IaC manifests as configuration files that describe the desired infrastructure state rather than procedural scripts detailing how to achieve that state [3], [6], [7].
This declarative approach offers several advantages: it makes configurations more predictable, easier to validate, and simpler to version control [1]. The GitOps operator can interpret these declarations and determine the appropriate actions to achieve the desired state, abstracting away the complexity of infrastructure management [1].
Big Trendsetters
In the realm of GitOps operators there are two big names around: Argo CD and Flux. Both
operators target the popular Kubernetes ecosystem.
Argo CD
Argo CD is developed by the authors of the Argo project. The Argo project develops open-source software under the governance of the Cloud Native Computing Foundation [9].
It allows the management of operations on multiple Kubernetes clusters from a central location. Through its web interface, users can view the applications currently deployed on the managed clusters and manually adjust settings. However, true to the principles of GitOps the main way of changing the configuration is to adjust it in the Git repositories referenced in the application metadata managed by Argo CD.
Furthermore, it supports the package formats helm and kustomize for Kubernetes [10]. Helm is a fully functional package manager for Kubernetes that uses the Go templating engine for the creation of so called helm charts [11]. In combination with YAML-formatted values that are used to fill in the templates with custom configuration parameters, these helm charts can be deployed on any Kubernetes cluster. Kustomize on the other side implements a template-free approach to customizing Kubernetes manifests with patches [12].
Both workflows are fully supported in Argo CD. Additionally, Argo CD’s tool support can be extended through plugins [10]. This makes it possible to also add some other formats like helmfile to Argo CD’s repertoire [13].
Flux
Flux is also developed as open-source software under the governance of the Cloud Native Computing Foundation. However, its focus is somewhat different from Argo CD’s UI centric approach.
Flux only provides a command line interface and components for installation on a Kubernetes
cluster. There are multiple third-party GUIs for Flux, but it is out of the project’s scope to provide a
first-party solution [14].
Different from Argo CD, all of Flux’s configuration is created through custom Kubernetes resources
which makes it possible for the Flux configuration to also be defined through the GitOps principle:
in a Git repository as a single source of truth.
Other Environments
Of course, there are also solutions for employing GitOps in other environments than Kubernetes. For
example, the RedHat Ansible Automation Platform – and their upstream open-source projects – can
be used to employ GitOps principles with the more traditional Ops Tool Ansible [15].
This shows that GitOps is not about the tools in use but about the workflow that is implemented
using those tools. That’s why the GitOps principle is compatible with almost any technology stack –
even with legacy stacks from decades ago.
GitOps in Practice
While this sounds all good in theory so far, there are still some hurdles when implementing a GitOps
deployment strategy in existing projects or planning new projects with GitOps as a deployment
strategy in mind.
Security
First and foremost, there is the inherent question of security of the newly adopted GitOps principles. The core feature of having all configuration and state management in Git repositories and having the development team pushing configuration changes to a Git repository could lead to insecure configuration being applied to production environments. Therefore, a solid reviewing strategy is a must when implementing a GitOps strategy.
Another problem regarding security is the management of secrets [16]. Those cannot be handled the same as any other configuration option because when they end up in a potentially public Git repository, they become compromised. Even private Git repositories are not suitable for storing secrets as they are potentially available to the platforms providing the Git infrastructure (e.g. GitHub, BitBucket or GitLab). Besides that, there are probably more people accessing a private Git repository than people who actually need to know the secrets. There are solutions to this problem such as using secret vaults and encrypting these secrets before checking them in to the Git repository. However, these solutions introduce more complexity to the deployment procedure while GitOps was initially meant to reduce said complexity.
GitOps also introduces problems with auditing. While Git provides the commit history and blame feature for looking up the author and date of a change, these statistics can easily be tampered with if commit signing is not enforced and force-push is allowed [17]. And with large-scale applications auditing can be even harder: Matching configuration managed in a Git repository to a specific application can be hard and with large-scale applications there potentially could be dozens of
different infrastructure repositories in place [16]. That said, enforcing commit signatures and prohibiting the use of force-push on GitOps repositories solves the first half of the problem. The second half could be solved by implementing observability tools on top of GitOps to help in matching configuration with the corresponding application and environment. This however
contradicts the goal of simplicity that has been set by GitOps in the first place [16].
Version Promotion Across Environments
In many projects it rightfully is standard practice to test new versions of a software in multiple stages before they are rolled out to the production environment. However, this pattern is not very easily translated to the GitOps world. Most of the time, the only way to manage multiple environments using GitOps is to copy configuration between different files that correspond to the various deployments on multiple stages [18]. This is inconvenient but also increases the risk of configuration mistakes. For example, performance critical configuration such as memory and CPU budgets are sometimes reduced in testing environments to decrease costs. Now, one could say that this is just a bad implementation of the multi-stage pattern but there are various other configuration options that simply cannot be shared between environments such as database connection parameters. One solution to this problem is, once again, a reliable review process. But to prevent such mistakes from happening it is also advisable to keep environment specific configuration in a separate configuration file that is only changed when necessary.
Shifting Responsibilities
Implementing GitOps principles inevitably shifts a considerable amount of responsibility from the operations teams to the development teams. While this is not a problem per se, developers need to expand their knowledge to operations-related topics.
Besides that, GitOps also requires the operations team to learn working with the GitOps operator –
solutions such as the presented Argo CD and Flux.
As continuous training is part of being a software developer or operations engineer, this shift of responsibilities must be considered when implementing a GitOps process and be communicated transparently to every stakeholder involved.
Best Practices
From these problems and solutions a few best practices can be extracted:
- A solid, reliable review process is crucial when implementing GitOps.
- Security controls must be robust enough to guarantee trustable access control and allow for auditing, e.g. through enforcing commit signatures, disallowing force-pushs and rebases and providing enough observability tools to allow auditing of changes.
- Version promotion across environments must be considered and manually copying configuration between environments must be prevented wherever possible.
There are many more challenges that could occur due to special requirements or existing workflows
and habits that are interrupted or obstructed by GitOps principles. Therefore, the biggest best
practice about GitOps is that it is not a solution to all problems. Do not implement GitOps for the
sake of GitOps! Consider if it benefits your existing workflows and actually solves any prevalent
problems.
Pros and Cons
We think it should’ve become clear that while GitOps provides many advantages over traditional
DevOps processes. However, in practice there often are big disadvantages. To prevent you from
tripping into those pitfalls, we want to summarize all pros and cons about GitOps:
Pros of GitOps
- Configuration and Code in the Same Place: One of the standout features of GitOps is its ability to unify configuration and code management. By storing both in a single repository, teams can manage them using the same tools and workflows, ensuring consistency and reducing complexity.
- Consistent, Declarative Approach: GitOps relies on a declarative model where the desired state of the system is defined in configuration files. This approach simplifies the deployment of distributed systems by providing a predictable and consistent way to manage infrastructure and applications.
- Perfect Fit for Containerized Applications: The automatic reconciliation process in GitOps works exceptionally well with containerized environments. Changes to the desired state are automatically detected and applied by operators like ArgoCD or Flux, ensuring that the actual state matches the intended state without manual intervention.
- Full Automation: With GitOps, deployment processes can be fully automated. By leveraging Git as the single source of truth, teams can trigger deployments automatically through pull requests or commits, to streamline their workflow.
Cons of GitOps
- Special Security Practices Required: While GitOps simplifies deployments, it introduces unique security challenges. For example, a strategy for storing secrets must be developed and potentially requires the employment of external tools like secret vaults.
- Auditing Challenges Without Observability: Without robust observability solutions in place, auditing applications deployed via GitOps can become difficult. Teams need tools to monitor changes effectively and ensure compliance with organizational policies.
- Potential Stakeholder Misalignment: Shifting responsibilities – such as developers taking on operational tasks—can lead to disagreements among stakeholders if roles are not clearly defined before implementation. Proper communication and planning are essential to avoid friction.
- Complexity in Version Promotion: Promoting versions between environments (e.g., from staging to production) can be more challenging with GitOps compared to deploying the traditional way. Teams need to establish clear guidlines for environment-specific configurations to prevent mistakes while copying configuration options between environments.
Conclusions
In conclusion, GitOps represents a significant evolution in deployment and infrastructure management practices, fundamentally changing how organizations approach their DevOps workflows. Through this analysis, we’ve seen how GitOps principles transform traditional operations by establishing Git repositories as the single source of truth and implementing automated reconciliation processes.
The core strength of GitOps lies in its unified approach to configuration and code management, providing a consistent, declarative methodology that particularly excels in containerized environments. Our analysis has shown that while GitOps offers powerful benefits in terms of automation and consistency, organizations must carefully navigate challenges around security, auditability, and stakeholder alignment. The success of tools like Argo CD and Flux demonstrates the practical viability of GitOps principles, especially in Kubernetes environments.
GitOps itself is a fairly new trend topic in the DevOps space, however there are several other emerging developments shaping the future trajectory of DevOps. While GitOps enables enhanced automation capabilities, moving toward the complete elimination of manual controls in deployment processes, security practices are becoming more deeply integrated through the DevSecOps approach [19].
In the prospect of GitOps itself, it can be observed that application of GitOps principles is expanding beyond traditional boundaries, now encompassing multi-cluster and hybrid cloud environments. This expansion is accompanied by a growing emphasis on self-service capabilities for development teams, enabling more autonomous operations while maintaining consistent governance [1].
Furthermore, industry working groups are driving the standardization of GitOps principles, creating a more unified approach across different implementations. Besides that, the scope of GitOps is extending beyond traditional infrastructure management into new domains such as database management and network configuration, indicating its growing versatility and adoption [1], [2].
Recommendations for Implementation
For organizations considering or implementing GitOps, a systematic approach to adoption is essential. The foundation of successful implementation begins with a thorough assessment of existing workflows and infrastructure. Organizations should establish clear policies for Git repository management and access control, while implementing robust secret management solutions before storing any configuration in Git.
In terms of process implementation, organizations benefit from starting with smaller, contained projects to build experience and confidence. This approach should include developing clear guidelines for environment-specific configurations and establishing a solid review process with clearly defined roles and responsibilities. Comprehensive documentation serves as a crucial resource for both development and operations teams during this transition. It should be noted, that within a project, GitOps should be implemented completely or not at all, to avoid undetermenistic state.
As with DevOps as a whole [20] the cultural and organizational adaptation requires significant investment in training programs to bridge the knowledge gap between development and operations teams. Clear communication channels for cross-team collaboration must be established, along with well-defined responsibilities and ownership boundaries. Organizations should foster a culture of continuous learning and adaptation to support the ongoing evolution of their GitOps implementation.
The adoption of GitOps represents more than just a technical change; it constitutes a fundamental shift in how organizations approach infrastructure and application management. While challenges exist, particularly around security and process management, the benefits of increased automation, consistency, and reliability make GitOps a compelling choice for modern software delivery. Success lies not just in the technical implementation, but in the careful consideration of organizational needs and the systematic adoption of GitOps principles.
Sources
[1] B. Yuen, A. Matyushentsev, T. Ekenstam, and J. Suen, GitOps and Kubernetes: continuous deployment with Argo CD, Jenkins X, and Flux. Manning, 2021.
[2] N. Vinto and A. Soto Bueno, GitOps cookbook: Kubernetes automation in practice, First edition.
O’Reilly, 2023.
[3] “Understanding GitOps: Principles, Workflow, and Deployment Types.” Accessed: Dec. 28, 2024 [Online]. Available: https://spot.io/resources/gitops/understanding-gitops-principles-workflows-deployment-types/
[4] “What is GitOps? – Principles, Benefits & how GitOps works.” Accessed: Dec. 28, 2024. [Online]. Available: https://www.opsmx.com/what-is-gitops/
[5] “What is GitOps?.” Accessed: Dec. 28, 2024. [Online]. Available: https://about.gitlab.com/topics/gitops/
[6] “What is GitOps?.” Accessed: Dec. 28, 2024. [Online]. Available: https://www.redhat.com/en/topics/devops/what-is-gitops
[7] T. A. Limoncelli, “GitOps: a path to more self-service IT,” Communications of the ACM, vol. 61, no. 9, pp. 38–42, Aug. 2018, doi: 10.1145/3233241.
[8] R. Salecha, “What Is GitOps?,” in Practical GitOps, Apress, 2023. doi: 10.1007/978-1-4842-8673-9_1.
[9] “The Argo Project: Home.” Accessed: Dec. 28, 2024. [Online]. Available: https://argoproj.github.io/
[10] “Tools – Argo CD – Declarative GitOps CD for Kubernetes.” Accessed: Dec. 28, 2024. [Online]. Available: https://argo-cd.readthedocs.io/en/stable/user-guide/application_sources/
[11] “Helm Architecture.” Accessed: Dec. 28, 2024. [Online]. Available: https://helm.sh/docs/topics/architecture/
[12] “Kustomize – Kubernetes Native Configuration Management.” Accessed: Dec. 28, 2024. [Online]. Available: https://kustomize.io/
[13] T. G. Hansen, “Travisghansen/Argo-Cd-Helmfile.” Accessed: Dec. 28, 2024. [Online]. Available: https://github.com/travisghansen/argo-cd-helmfile
[14] “Frequently Asked Questions.” Accessed: Dec. 28, 2024. [Online]. Available: https://fluxcd.io/flux/faq/
[15] R. Lopez, “Using Ansible and GitOps to Manage the Lifecycle of a Containerized Application.” Accessed: Dec. 29, 2024. [Online]. Available: https://www.redhat.com/en/blog/taking-automation-to-the-next-level-using-ansible-gitops-to-manage-the-lifecycle-of-a-containerized-app
[16] C. Ward, “The Pros and Cons of GitOps | Humanitec.” Accessed: Jan. 04, 2025. [Online]. Available: https://humanitec.com/blog/gitops-pros-and-cons
[17] J. Kuruvilla, “Seven Big Challenges to Get over with GitOps.” Accessed: Jan. 04, 2025. [Online]. Available: https://www.adaptavist.com/blog/seven-big-challenges-to-get-over-with-gitops
[18] C. Stephenson, “When Gitops Doesn’t Make Sense | Humanitec.” Accessed: Jan. 04, 2025. [Online]. Available: https://humanitec.com/blog/when-gitops-doesnt-make-sense
[19] R. Salecha, Practical GitOps: infrastructure management using Terraform, AWS, and GitHub
Actions. Apress, 2023.
[20] F. Beetz and S. Harrer, “GitOps: The Evolution of DevOps?,” IEEE Software, vol. 39, no. 4, pp.
70–75, Jul. 2022, doi: 10.1109/MS.2021.3119106.
Leave a Reply
You must be logged in to post a comment.