GitOps: Managing Infrastructure and Applications with Git
Article date
08 15 2025
Article Author
Pavel Galkin
Reading Time
5 minutes
When the term GitOps is heard for the first time, it may seem like just another trendy DevOps term, similar to FinOps or MLOps. However, in practice, GitOps offers a fundamentally new approach to managing infrastructure and applications.
Imagine this: instead of logging into servers via SSH, manually editing configs, or running deployment scripts from a local machine, the entire infrastructure is described as code and lives in a Git repository. Something is changed in the code, and the changes were automatically applied in production. A commit is rolled back, and the infrastructure rolled back as well.
The idea itself didn't come up yesterday. Weaveworks formalized the concept in 2017, although many teams were already moving in this direction. It's just that these disparate practices now have a common name.
Imagine this: instead of logging into servers via SSH, manually editing configs, or running deployment scripts from a local machine, the entire infrastructure is described as code and lives in a Git repository. Something is changed in the code, and the changes were automatically applied in production. A commit is rolled back, and the infrastructure rolled back as well.
The idea itself didn't come up yesterday. Weaveworks formalized the concept in 2017, although many teams were already moving in this direction. It's just that these disparate practices now have a common name.
How it works in practice
GitOps is based on four simple principles, which are not always easy to implement:
Declarative Configuration
Everything is described declaratively. No bash scripts in the style of "first install this, then configure that". Only a description of the final state — what should work, with what parameters, and how many replicas. Kubernetes YAML, Terraform HCL, and Helm charts — everything that describes "what we want" rather than "how to do it".
Git as Single Source of Truth
Git as the only source of truth. All changes to the infrastructure must be committed to the Git repository. If something is not in the repository, it should not be in the system. If you need to change the settings, you can create a pull request. All changes go through the standard code review process.
Automated Change Application
Automatic application of changes. Once you merge the PR into main, the changes are automatically applied to the cluster. It is not necessary to manually run kubectl apply or log in to your cloud provider's administration to make changes.
Continuous State Synchronization
Continuous synchronization. The system ensures that the actual state matches the one described in Git. If someone has personally modified something in the cluster (which can happen), it will revert to its original state in the repository.
Declarative Configuration
Everything is described declaratively. No bash scripts in the style of "first install this, then configure that". Only a description of the final state — what should work, with what parameters, and how many replicas. Kubernetes YAML, Terraform HCL, and Helm charts — everything that describes "what we want" rather than "how to do it".
Git as Single Source of Truth
Git as the only source of truth. All changes to the infrastructure must be committed to the Git repository. If something is not in the repository, it should not be in the system. If you need to change the settings, you can create a pull request. All changes go through the standard code review process.
Automated Change Application
Automatic application of changes. Once you merge the PR into main, the changes are automatically applied to the cluster. It is not necessary to manually run kubectl apply or log in to your cloud provider's administration to make changes.
Continuous State Synchronization
Continuous synchronization. The system ensures that the actual state matches the one described in Git. If someone has personally modified something in the cluster (which can happen), it will revert to its original state in the repository.
What is required to get started
To get started, the minimum requirements will needed, they include:
Git Repository Structure
A Git repository with configuration files. You can start with a simple structure, with folders for different environments (dev, staging, and prod), and YAML files within them that describe the services. Over time, this can evolve into a more complex organization, but it is easy to get started.
GitOps Agents
A GitOps agent. The most popular are ArgoCD and Flux. ArgoCD gives a nice web interface where you can see what is happening with deployments. Flux is more about minimalism and integration with the CNCF ecosystem. The choice depends on the team and requirements.
Target Platforms
Target platform. Usually it is Kubernetes, but GitOps works with both regular servers via Ansible and cloud infrastructure via Terraform.
Monitoring Requirements
Monitoring. Without it, you can't go anywhere. You need to see what happens to the system after changes, otherwise it can take a long time to find out where and what broke.
Git Repository Structure
A Git repository with configuration files. You can start with a simple structure, with folders for different environments (dev, staging, and prod), and YAML files within them that describe the services. Over time, this can evolve into a more complex organization, but it is easy to get started.
GitOps Agents
A GitOps agent. The most popular are ArgoCD and Flux. ArgoCD gives a nice web interface where you can see what is happening with deployments. Flux is more about minimalism and integration with the CNCF ecosystem. The choice depends on the team and requirements.
Target Platforms
Target platform. Usually it is Kubernetes, but GitOps works with both regular servers via Ansible and cloud infrastructure via Terraform.
Monitoring Requirements
Monitoring. Without it, you can't go anywhere. You need to see what happens to the system after changes, otherwise it can take a long time to find out where and what broke.
Real-life experience
What works well
When everything is set up, the deployment process becomes predictable. I created a feature branch, adjusted the configs, and opened a PR. My colleagues looked at what was changing and provided comments. After a couple of minutes, the changes were deployed to production.
Rollback is also simple: Git revert and wait. You don't need to remember which commands were run for deployment; just roll back the commit.
Another advantage is visibility. At any time, you can look at the repository and understand how the system is configured. The history of changes, who made what changes, and why - all of this is available.
What are the challenges
Secrets. Passwords, API keys, and certificates cannot be simply stored in a Git repository. Instead, you need to use external systems (Vault, AWS Secrets Manager) or encrypt them directly in the repository using tools like SOPS. Both of these add complexity.
Debugging. When something doesn't work, you have to deal not only with the application but also with how the GitOps agent interprets the configuration. There are more layers of abstraction.
Training the team. Not everyone immediately understands why they should give up the familiar "log in to the server, edit the config" approach. It takes time for everyone to get used to working with Git.
Tools to try
ArgoCD — if the team needs a web interface and the ability to see the status of deployments in real time. Lots of customization options, good documentation, and an active community.
Flux — for those who prefer a more "kubernetes-native" approach. It has a less sophisticated interface, but it integrates well with the rest of the CNCF ecosystem.
Jenkins X — if you need a complete platform with automatic CI/CD pipeline configuration. However, it can be quite heavy for smaller projects.
Security is an important consideration
A Git repository with infrastructure configuration is a sensitive thing. It may contain information about which services are deployed where, how the network is configured, and what vulnerabilities exist.
Therefore, access to the repository should be restricted. It is better to divide repositories by teams or projects, use branch protection rules, and require mandatory code review for critical changes.
Handling secrets is a different approach. Options include:
External secret management systems (recommended for production environments);
Encryption in the repository itself through SOPS or Sealed Secrets;
External Secrets Operator, which pulls secrets from external systems at runtime.
When everything is set up, the deployment process becomes predictable. I created a feature branch, adjusted the configs, and opened a PR. My colleagues looked at what was changing and provided comments. After a couple of minutes, the changes were deployed to production.
Rollback is also simple: Git revert and wait. You don't need to remember which commands were run for deployment; just roll back the commit.
Another advantage is visibility. At any time, you can look at the repository and understand how the system is configured. The history of changes, who made what changes, and why - all of this is available.
What are the challenges
Secrets. Passwords, API keys, and certificates cannot be simply stored in a Git repository. Instead, you need to use external systems (Vault, AWS Secrets Manager) or encrypt them directly in the repository using tools like SOPS. Both of these add complexity.
Debugging. When something doesn't work, you have to deal not only with the application but also with how the GitOps agent interprets the configuration. There are more layers of abstraction.
Training the team. Not everyone immediately understands why they should give up the familiar "log in to the server, edit the config" approach. It takes time for everyone to get used to working with Git.
Tools to try
ArgoCD — if the team needs a web interface and the ability to see the status of deployments in real time. Lots of customization options, good documentation, and an active community.
Flux — for those who prefer a more "kubernetes-native" approach. It has a less sophisticated interface, but it integrates well with the rest of the CNCF ecosystem.
Jenkins X — if you need a complete platform with automatic CI/CD pipeline configuration. However, it can be quite heavy for smaller projects.
Security is an important consideration
A Git repository with infrastructure configuration is a sensitive thing. It may contain information about which services are deployed where, how the network is configured, and what vulnerabilities exist.
Therefore, access to the repository should be restricted. It is better to divide repositories by teams or projects, use branch protection rules, and require mandatory code review for critical changes.
Handling secrets is a different approach. Options include:
External secret management systems (recommended for production environments);
Encryption in the repository itself through SOPS or Sealed Secrets;
External Secrets Operator, which pulls secrets from external systems at runtime.
Should it be implemented?
If the team is already working with Kubernetes and has a code review culture, then GitOps is a natural next step. You can start with a single small project or a test environment.
You should not implement GitOps if:
The infrastructure is very simple (a couple of manually configured servers);
The team is against changing processes;
There is no time for training and configuration.
GitOps is not a silver bullet. It is a tool that solves specific problems: makes deployment predictable, simplifies rollbacks, improves visibility of changes. If these problems are relevant, it is worth trying.
You should not implement GitOps if:
The infrastructure is very simple (a couple of manually configured servers);
The team is against changing processes;
There is no time for training and configuration.
GitOps is not a silver bullet. It is a tool that solves specific problems: makes deployment predictable, simplifies rollbacks, improves visibility of changes. If these problems are relevant, it is worth trying.
What is next
GitOps is developing quite actively. Standards are emerging (Open GitOps), multi-cluster deployment support is improving, the number of integrations with cloud providers is growing.
An interesting direction is expanding GitOps beyond Kubernetes. There are already solutions for managing network infrastructure, databases, and security policies through Git.
Another trend is integration with AI tools for automatic change analysis, problem prediction, and resource optimization.
In general, GitOps is turning from an experiment into a standard approach for teams that take infrastructure management seriously. If you haven't tried it yet, I recommend experimenting with a test project!
An interesting direction is expanding GitOps beyond Kubernetes. There are already solutions for managing network infrastructure, databases, and security policies through Git.
Another trend is integration with AI tools for automatic change analysis, problem prediction, and resource optimization.
In general, GitOps is turning from an experiment into a standard approach for teams that take infrastructure management seriously. If you haven't tried it yet, I recommend experimenting with a test project!