🔄 GITOPS & CI/CD

Git is the Source of Truth

Git-driven deployment pipelines with progressive delivery and infrastructure-as-code.

App-of-Apps Pattern

One root Application auto-discovers every YAML in src/apps/. Drop a manifest, ArgoCD picks it up.

app-of-apps.yaml  (root Application → watches src/apps/)
    │
    ├── src/apps/cilium.yaml       → cilium + cilium-configs
    ├── src/apps/keycloak.yaml     → keycloak + keycloak-configs
    ├── src/apps/vault.yaml        → vault (manual sync)
    ├── src/apps/grafana.yaml      → observability stack
    ├── src/apps/harbor.yaml       → harbor (wrapper chart)
    ├── src/apps/supabase.yaml     → supabase (inline configs)
    ├── src/apps/backstage.yaml    → backstage portal
    ├── ... 30+ more ...
    │
    └── src/apps/icebox/           → disabled apps (excluded)
         ├── kyverno.yaml
         └── kubescape.yaml
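As an added example (not a manifest from the page's repository), the root Application that implements this layout, followed by the child Application for the manual-sync Vault entry; the repoURL, project, revision and chart version are assumed placeholders.

```yaml
# Added example, not a manifest from the page's repository: a root Application
# implementing the layout above. repoURL, project and revision are assumed.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app-of-apps
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io  # deleting the root cascades to children
spec:
  project: default
  source:
    repoURL: https://git.example.invalid/platform/infra.git  # assumed placeholder
    targetRevision: main
    path: src/apps
    directory:
      recurse: true
      exclude: 'icebox/*'   # disabled apps in src/apps/icebox/ are never created
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd       # child Applications must be created in the Argo CD namespace
  syncPolicy:
    automated:
      prune: true           # deleting src/apps/foo.yaml removes the child Application
      selfHeal: true        # out-of-band edits to child Applications are reverted to Git
---
# src/apps/vault.yaml: child Application with no `automated` block, so changes to
# the secrets backend are applied only by an explicit, reviewed sync.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: vault
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://helm.releases.hashicorp.com  # HashiCorp's public chart repo
    chart: vault
    targetRevision: 0.28.0                        # assumed placeholder version
  destination:
    server: https://kubernetes.default.svc
    namespace: vault
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
```

With the root's `prune: true`, the only way to remove an app is to delete or move its manifest (e.g. into icebox/) in Git, so the Git history is the audit trail for what runs in the cluster.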

4 Deployment Patterns

Choose the right pattern based on your application's needs — from simple Helm charts to raw manifests.

Pattern A

Helm + Configs

Two ArgoCD Applications: one for the external Helm chart with local values, one for companion manifests (gateway, external-secret).

When to use: Deploying a third-party Helm chart with local config overrides.

Used by: Keycloak, Cilium, ESO, Longhorn, Mailpit

Pattern B

Helm + Inline

Single ArgoCD Application combining Helm chart and directory source with exclusion globs.

When to use: When you want a single ArgoCD Application instead of two.

Used by: SurrealDB, Qdrant, Garage, Supabase

Pattern C

Wrapper Chart

Local Chart.yaml wrapping an external chart as a dependency. Full Helm templating power for custom resources.

When to use: When you need to template K8s manifests alongside the Helm chart (Certificates, ReferenceGrants).

Used by: Homepage, Harbor, Backstage, Falco

Pattern D

Raw Manifests

Plain Kubernetes YAML files deployed directly. No Helm, no templating — just declarative manifests.

When to use: Operators, CRDs, or simple deployments that don't need Helm.

Used by: Argo CD, Dragonfly, AIBrix, Matomo

Terraform IaC Modules

Everything that can't be a Kubernetes manifest is managed by Terraform — secrets, OIDC clients, dashboards.

Module                Provider            Purpose / files
--------------------  ------------------  ----------------------------------------------------------------
terraform/vault/      hashicorp/vault     ESO policies, tokens, app secrets, DNS credentials
                                          cert-platform.tf, grafana-mcp.tf, supabase.tf, garage.tf

terraform/keycloak/   mrparkers/keycloak  OIDC realm + 10+ clients for SSO
                                          backstage.tf, apisix.tf, harbor.tf, supabase.tf, affine_client.tf

terraform/grafana/    grafana/grafana     Dashboard provisioning, data sources
                                          dashboards.tf, harbor.tf, n8n_dashboard.tf, affine_dashboard.tf

terraform/harbor/     goharbor/harbor     Registry OIDC auth, robot accounts
                                          main.tf, provider.tf

All Components

Argo CD

production

GitOps continuous delivery tool that reconciles desired state from Git with cluster state.

Role: Core GitOps engine with App-of-Apps pattern managing 40+ applications

Terraform

production

Infrastructure as Code for provisioning and managing cloud-agnostic resources.

Role: Manages Vault secrets, Keycloak OIDC clients, Grafana dashboards, Harbor config

OneDev

production

Self-hosted Git repository manager with integrated CI/CD pipelines and code review.

Role: Private Git hosting with container-based CI runners

Kargo

planned

Progressive delivery engine adding multi-stage promotion workflows on top of Argo CD.

Role: Environment promotion pipelines (dev → staging → production)