GitOps is an operational model that uses Git as the single source of truth for declarative infrastructure and application configuration. Changes are made through pull requests, and an automated system reconciles the live environment with the desired state stored in Git. On Google Cloud, GitOps is most commonly implemented with GKE, Config Sync, and Cloud Build or Cloud Deploy.
GitOps applies the principles of Git-based version control to infrastructure and application operations:
| Principle | Description |
|---|---|
| Declarative | The entire system is described declaratively (YAML, HCL, etc.) |
| Versioned | All changes are stored in Git with full history |
| Automated | An agent automatically applies changes from Git |
| Self-healing | If the live state drifts from Git, the agent corrects it |
| Observable | The system state is always auditable through Git history |

| Aspect | Traditional CI/CD | GitOps |
|---|---|---|
| Source of truth | CI/CD pipeline | Git repository |
| Deployment trigger | Pipeline execution | Git commit |
| State reconciliation | Manual or ad-hoc | Continuous and automatic |
| Drift detection | Manual `terraform plan` | Automatic by the agent |
| Rollback | Re-run pipeline | Git revert |
| Audit trail | Pipeline logs | Git commit history |
Config Sync is Google's GitOps agent for GKE. It continuously synchronises cluster configuration from a Git repository, ensuring that the cluster state always matches the declared state in Git.
```bash
# Enable Config Sync on a GKE cluster
gcloud container fleet config-management apply \
  --membership=my-cluster \
  --config=config-sync.yaml
```
```yaml
# config-sync.yaml
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  sourceFormat: unstructured
  git:
    syncRepo: https://github.com/my-org/k8s-config
    syncBranch: main
    secretType: token
    policyDir: clusters/production
  configSync:
    enabled: true
    sourceType: git
    syncRepo: https://github.com/my-org/k8s-config
    syncBranch: main
    policyDir: clusters/production
```
The repository referenced by `syncRepo` is laid out per cluster, with `policyDir` pointing at the subtree a given cluster should sync:

```
k8s-config/
  clusters/
    production/
      namespaces/
        payments/
          deployment.yaml
          service.yaml
          hpa.yaml
        orders/
          deployment.yaml
          service.yaml
      policies/
        network-policy.yaml
        resource-quotas.yaml
    staging/
      namespaces/
        payments/
          deployment.yaml
          service.yaml
```
While Config Sync handles Kubernetes resources, you can also apply GitOps principles to Terraform:
1. Developer creates a branch
2. Modifies Terraform code
3. Opens a pull request
4. CI runs: `terraform fmt`, `terraform validate`, `terraform plan`
5. Plan output is posted to the PR as a comment
6. Reviewer approves
7. On merge to main, CD runs: `terraform apply`
```yaml
# cloudbuild-terraform.yaml
steps:
  # Initialise Terraform
  - name: 'hashicorp/terraform:1.7'
    args: ['init']
    dir: 'environments/production'
  # Run terraform plan
  - name: 'hashicorp/terraform:1.7'
    args: ['plan', '-out=tfplan']
    dir: 'environments/production'
  # Apply (only on main branch). Cloud Build has no per-step condition, so attach
  # this file to a push-to-main trigger and use a plan-only config for PR triggers.
  - name: 'hashicorp/terraform:1.7'
    args: ['apply', 'tfplan']
    dir: 'environments/production'
```
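The "only on main branch" intent of the apply step is not enforced by Cloud Build itself, which runs every step unconditionally, so the gate has to be expressed in the trigger or in step logic. As an added example (not from the lesson), a Python helper for a build step that derives the allowed Terraform phases from Cloud Build substitutions and tallies the plan for the PR comment of step 5; `$_PR_NUMBER` as a user substitution, the `BuildContext` type and the plan JSON sample are assumptions.

```python
import json
from dataclasses import dataclass
PROTECTED_BRANCH = "main"
PLAN_FILE = "tfplan"

@dataclass(frozen=True)
class BuildContext:
    branch: str          # $BRANCH_NAME substitution
    commit_sha: str      # $COMMIT_SHA substitution
    pr_number: str = ""  # $_PR_NUMBER: assumed user substitution set only by the PR trigger

def terraform_steps(ctx: BuildContext) -> list:
    """Commands this build may run; apply is appended only for a push to the protected branch."""
    steps = [
        ["terraform", "fmt", "-check", "-recursive"],
        ["terraform", "validate"],
        ["terraform", "plan", "-input=false", f"-out={PLAN_FILE}"],
    ]
    if not ctx.pr_number and ctx.branch == PROTECTED_BRANCH:
        steps.append(["terraform", "apply", "-input=false", PLAN_FILE])  # never on a PR build
    return steps

def summarise_plan(plan_json: str) -> dict:
    """Tally `terraform show -json tfplan` actions and list addresses that will be destroyed,
    so the PR comment (step 5) shows reviewers what an approval would authorise."""
    counts = {"create": 0, "update": 0, "delete": 0, "replace": 0}
    destructive = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        actions = set(rc["change"]["actions"])
        if actions == {"no-op"}:
            continue
        if {"delete", "create"} <= actions:
            counts["replace"] += 1  # delete + create of one address is a replacement
        elif "delete" in actions:
            counts["delete"] += 1
        elif "create" in actions:
            counts["create"] += 1
        elif "update" in actions:
            counts["update"] += 1
        if "delete" in actions:
            destructive.append(rc["address"])
    return {"counts": counts, "destructive": destructive}

# Constructed sample of `terraform show -json` output for a dry run; not real plan output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "google_storage_bucket.audit_logs", "change": {"actions": ["delete", "create"]}},
    {"address": "google_compute_firewall.allow_https", "change": {"actions": ["update"]}},
    {"address": "google_service_account.payments", "change": {"actions": ["create"]}},
    {"address": "google_project_iam_member.viewer", "change": {"actions": ["no-op"]}},
]})
```

The `destructive` list is what a reviewer most needs to see in the PR comment before approving, since a merge to main is the only event that lets the apply step run.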
Atlantis is a popular open-source tool for Terraform GitOps on GCP:
| Feature | Description |
|---|---|
| Plan on PR | Automatically runs terraform plan on every PR |
| Comment-driven | Apply changes by commenting `atlantis apply` on the PR |
| Locking | Prevents concurrent modifications to the same state |
| Policy checks | Integrates with OPA/Conftest for policy enforcement |
You can implement GitOps for Cloud Run using Cloud Build and Cloud Deploy: