GitOps Platform Architecture

Executive Summary

This document outlines a production-grade GitOps architecture I designed and implemented featuring complete environment isolation, automated CI/CD pipelines, and enterprise security patterns. The solution demonstrates modern infrastructure-as-code practices suitable for high-volume, 24/7 production environments in financial services and other regulated industries.

Multi-Cluster Architecture

This implementation uses separate EKS clusters for DEV and PROD environments, each with its own ArgoCD instance and namespace isolation—a pattern ensuring complete blast radius containment and compliance auditability.

☁️ AWS Account

DEV CLUSTER gitops-dev

🔄 ArgoCD Instance

• api-app-dev

• demo-app-dev

✓ Auto-sync enabled

📦 Namespaces

• api-app-dev (2 pods)

• demo-app-dev (2 pods)

⚖️ ALB Ingress Controller

Application Load Balancer

PROD CLUSTER gitops-prod

🔄 ArgoCD Instance

• api-app-prod

• demo-app-prod

⚠ Manual sync only

📦 Namespaces

• api-app-prod (3 pods)

• demo-app-prod (3 pods)

⚖️ ALB Ingress Controller

Application Load Balancer

Design Benefits

🛡️ Blast Radius

DEV issues cannot affect PROD systems

🔐 Security

Different IAM roles/policies per environment

🧪 Testing

Test cluster upgrades on DEV first

📋 Compliance

PROD requires manual sync (audit trail)

💰 Cost Control

Scale DEV down during off-hours

CI/CD Pipeline Architecture

GITHUB ACTIONS WORKFLOW

📤

Push to Main

Trigger

→

🧪

Run Tests

npm test

→

🔨

Build Image

Multi-arch

→

🐳

Push Registry

Docker Hub

→

📝

Update GitOps

DEV overlay

⬇️ ArgoCD detects change → Auto-syncs DEV cluster

Pipeline Features

Feature	Implementation
Multi-Platform Builds	Docker buildx for AMD64 + ARM64 support
Automated Testing	Unit tests with coverage reporting before build
Semantic Versioning	Automated image tags using GitHub run numbers
GitOps Integration	Automated PR to deployment repository
Environment Promotion	DEV auto-deploys; PROD requires manual approval

Secrets Management Architecture

🔐

AWS Secrets Manager

gitops/demo-api/dev

gitops/demo-api/prod

Encrypted & Audited

→

🔄

External Secrets Operator

ExternalSecret CRD

1-hour refresh interval

→

☸️

Kubernetes Secret

Injected via envFrom

Pod environment variables

Security Approach Comparison

Approach	Use Case	Security Level
Git Secrets	CI/CD build-time only	⚠️ Good for pipelines
K8s Secrets (plain)	Quick testing	❌ Base64 encoded, not encrypted
External Secrets + AWS	Production runtime	✅ Encrypted, rotatable, audited

API Documentation

The API App provides a full REST API for testing. Available endpoints:

Method	Endpoint	Description
`GET`	/api	API info and available endpoints
`GET`	/api/health	Health check
`GET`	/api/tasks	List all tasks
`POST`	/api/tasks	Create a new task
`GET`	/api/echo?message=hello	Echo service for testing
`GET`	/api/protected/stats	Protected endpoint (requires x-api-key header)

Metrics & Outcomes

Metric	Result
Deployment Frequency	Multiple per day (DEV), controlled (PROD)
Lead Time for Changes	Minutes from commit to DEV deployment
MTTR (Rollback)	< 2 minutes via git revert
Change Failure Rate	Reduced via automated testing gates
Infrastructure Drift	Eliminated via GitOps reconciliation

Relevant Certifications

Introduction to DevOps & SRE (LFS162)

Linux Foundation • 2025

Introduction to GitOps (LFS169)

Linux Foundation • 2025

Mastering Observability with OpenTelemetry

LinkedIn • 2025

AWS

Developing Generative AI Applications

Amazon Web Services • 2025

HashiCorp Vault

Udemy • 2023

K8s

Introduction to Kubernetes

edX • 2022