Production Tested GitOps

GitOps Platform

Automated delivery with Git as the single source of truth. Every deployment is tracked, versioned and automatically rolled back if something fails.

Overview

This platform separates CI (build, test, push) from CD (deploy, verify). GitHub Actions owns the CI pipeline and produces a container image tagged with the commit SHA. ArgoCD owns the CD pipeline and applies whatever the Git configuration repository declares as the desired state.

No human or machine has direct kubectl access to production. Every change must go through a pull request to the configuration repository. ArgoCD detects the change and applies it. If the new pods fail health checks, ArgoCD stops and reverts. Every deployment is auditable — the Git commit history is the deployment history.

Architecture Diagram

GitOps Platform — CI/CD Flow

[Figure: text recovered from the diagram]
Developer: git push feature/...
App Repo (source code, GitHub): PR → merge
GitHub Actions CI: ① Lint + Unit Tests, ② SAST (SonarQube), ③ Docker Build, ④ ECR Push (:sha), ⑤ Update config repo (image.tag → commit sha). OIDC, no static keys.
Config Repo: Helm values, ArgoCD Applications
ArgoCD: watch config repo, detect drift, apply to EKS, health check, rollback on failure
EKS Cluster: rolling update, HPA, auto rollback
ECR: container images
Separation of CI (build) and CD (deploy) with Git as the source of truth for both.

Pipeline Stages

CI — Code quality

Lint, unit tests, SAST scan with SonarQube. Coverage gate ≥80%. If any stage fails, the pipeline stops. No image is built from code that fails quality gates.

CI — Build and push

Multi-stage Dockerfile. Non-root user. Image tagged with full commit SHA — never "latest" in production. Pushed to ECR private registry.

CI — Update config repo

Automated PR to config repo updating image.tag in Helm values. Triggers ArgoCD sync detection. Uses OIDC token — no Git credentials stored in CI.

CD — ArgoCD sync

ArgoCD detects config repo change. Compares desired state (Git) with actual state (EKS). Applies Helm release with rolling update strategy.

CD — Health verification

ArgoCD monitors pod health probes during rollout. If readiness probe fails, deployment is halted and reverted to previous revision automatically.
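
The two image rules from the CI stages above (image.tag is a full commit SHA, never "latest", and images come from the private ECR registry) can be enforced as a check on every config repo pull request. The script below is an added example, not this platform's own code; it assumes the common Helm layout of a top-level image: mapping with repository and tag keys, and every sample value in it is constructed.

```python
import re
import sys

SHA_RE = re.compile(r"[0-9a-f]{40}")  # full Git commit SHA, lowercase hex
# Private ECR repository: <12-digit account>.dkr.ecr.<region>.amazonaws.com/<name>
ECR_RE = re.compile(r"\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/.+")

def read_image_block(values_text):
    """Collect the scalar keys directly under the top-level `image:` mapping.
    Assumed layout: image.repository and image.tag (not taken from the page)."""
    image, inside = {}, False
    for raw in values_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()       # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                   # a new top-level key starts
            inside = line.split(":")[0] == "image"
            continue
        if inside:
            key, _, value = line.strip().partition(":")
            image[key.strip()] = value.strip().strip("'\"")
    return image

def check_values(values_text):
    """Return a list of violations; an empty list means the change may merge."""
    image = read_image_block(values_text)
    problems = []
    tag = image.get("tag", "")
    if not SHA_RE.fullmatch(tag):                   # rejects latest, short SHAs, empty
        problems.append(f"image.tag {tag!r} is not a full 40-character commit SHA")
    repo = image.get("repository", "")
    if not ECR_RE.fullmatch(repo):
        problems.append(f"image.repository {repo!r} is not a private ECR repository")
    return problems

# Constructed sample values files (account id, region and names are made up).
SAMPLE_SHA = "a1b2c3d4" * 5
ECR_REPO = "123456789012.dkr.ecr.eu-west-1.amazonaws.com/demo-app"
GOOD = f"replicaCount: 3\nimage:\n  repository: {ECR_REPO}\n  tag: \"{SAMPLE_SHA}\"\n"
BAD = "image:\n  repository: docker.io/library/demo-app\n  tag: latest  # mutable\n"
SHORT = f"image:\n  repository: {ECR_REPO}\n  tag: {SAMPLE_SHA[:7]}\n"

if __name__ == "__main__":
    # With a path argument, check that file; otherwise run the constructed bad sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD
    found = check_values(text)
    for p in found:
        print("POLICY VIOLATION:", p)
    sys.exit(1 if found else 0)
```

Run as a required status check on the config repo, a non-zero exit blocks the merge before ArgoCD ever sees the change.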

Stack

ArgoCD, Helm, GitHub Actions, OIDC, ECR, EKS, SonarQube, Docker

Need this implemented?

We implement complete GitOps platforms from pipeline to cluster. Turnkey delivery in 3–4 weeks.
