gitops-workflow

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "gitops-workflow" with this command: npx skills add boshi-xixixi/traeskill/boshi-xixixi-traeskill-gitops-workflow

GitOps Workflow

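🤖 Agent & MCP Enhancements

This Skill supports, and is best used with, specific agent roles and MCP tools.

Recommended agent roles

  • DevOps Engineer: see AGENTS.md.

  • This role focuses on IaC (Infrastructure as Code) and automated pipelines.

  • When enabled, the AI strictly follows declarative API principles and avoids imperative operations.

Recommended MCP tools

  • Kubectl MCP: lets the AI monitor cluster state and debug Pods directly.

  • Git/GitHub MCP: manages configuration changes and the PR flow for the GitOps repository.

  • mcp-feedback-enhanced: when configuring automatic sync policies (Auto-Sync) or handling sensitive information (Secrets), use ask_followup_question to confirm the user's security preferences and operational boundaries.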

Complete guide to implementing GitOps workflows with ArgoCD and Flux for automated Kubernetes deployments.

Purpose

Implement declarative, Git-based continuous delivery for Kubernetes using ArgoCD or Flux CD, following OpenGitOps principles.

When to Use This Skill

  • Set up GitOps for Kubernetes clusters

  • Automate application deployments from Git

  • Implement progressive delivery strategies

  • Manage multi-cluster deployments

  • Configure automated sync policies

  • Set up secret management in GitOps

OpenGitOps Principles

  • Declarative - Entire system described declaratively

  • Versioned and Immutable - Desired state stored in Git

  • Pulled Automatically - Software agents pull desired state

  • Continuously Reconciled - Agents reconcile actual vs desired state

ArgoCD Setup

  1. Installation

    # Create namespace
    kubectl create namespace argocd

    # Install ArgoCD
    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

    # Get admin password
    kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

Reference: See references/argocd-setup.md for detailed setup

  2. Repository Structure

    gitops-repo/
    ├── apps/
    │   ├── production/
    │   │   ├── app1/
    │   │   │   ├── kustomization.yaml
    │   │   │   └── deployment.yaml
    │   │   └── app2/
    │   └── staging/
    ├── infrastructure/
    │   ├── ingress-nginx/
    │   ├── cert-manager/
    │   └── monitoring/
    └── argocd/
        ├── applications/
        └── projects/

  3. Create Application

    # argocd/applications/my-app.yaml
    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: my-app
      namespace: argocd
    spec:
      project: default
      source:
        repoURL: https://github.com/org/gitops-repo
        targetRevision: main
        path: apps/production/my-app
      destination:
        server: https://kubernetes.default.svc
        namespace: production
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
          - CreateNamespace=true

  4. App of Apps Pattern

    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: applications
      namespace: argocd
    spec:
      project: default
      source:
        repoURL: https://github.com/org/gitops-repo
        targetRevision: main
        path: argocd/applications
      destination:
        server: https://kubernetes.default.svc
        namespace: argocd
      syncPolicy:
        automated: {}

Flux CD Setup

  1. Installation

    # Install Flux CLI (this pipes a remote script into a root shell)
    curl -s https://fluxcd.io/install.sh | sudo bash

    # Bootstrap Flux
    flux bootstrap github \
      --owner=org \
      --repository=gitops-repo \
      --branch=main \
      --path=clusters/production \
      --personal

  2. Create GitRepository

    apiVersion: source.toolkit.fluxcd.io/v1
    kind: GitRepository
    metadata:
      name: my-app
      namespace: flux-system
    spec:
      interval: 1m
      url: https://github.com/org/my-app
      ref:
        branch: main

  3. Create Kustomization

    apiVersion: kustomize.toolkit.fluxcd.io/v1
    kind: Kustomization
    metadata:
      name: my-app
      namespace: flux-system
    spec:
      interval: 5m
      path: ./deploy
      prune: true
      sourceRef:
        kind: GitRepository
        name: my-app

Sync Policies

Auto-Sync Configuration

ArgoCD:

    syncPolicy:
      automated:
        prune: true        # Delete resources not in Git
        selfHeal: true     # Reconcile manual changes
        allowEmpty: false
      retry:
        limit: 5
        backoff:
          duration: 5s
          factor: 2
          maxDuration: 3m

Flux:

    spec:
      interval: 1m
      prune: true
      wait: true
      timeout: 5m

Reference: See references/sync-policies.md

Progressive Delivery

Canary Deployment with ArgoCD Rollouts

    apiVersion: argoproj.io/v1alpha1
    kind: Rollout
    metadata:
      name: my-app
    spec:
      replicas: 5
      strategy:
        canary:
          steps:
            - setWeight: 20
            - pause: { duration: 1m }
            - setWeight: 50
            - pause: { duration: 2m }
            - setWeight: 100

Blue-Green Deployment

    strategy:
      blueGreen:
        activeService: my-app
        previewService: my-app-preview
        autoPromotionEnabled: false

Secret Management

External Secrets Operator

    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: db-credentials
    spec:
      refreshInterval: 1h
      secretStoreRef:
        name: aws-secrets-manager
        kind: SecretStore
      target:
        name: db-credentials
      data:
        - secretKey: password
          remoteRef:
            key: prod/db/password

Sealed Secrets

    # Encrypt secret
    kubeseal --format yaml < secret.yaml > sealed-secret.yaml

    # Commit sealed-secret.yaml to Git
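
A repository-side check for the Secret Management guidance above, as an added example that is not part of the original skill: it scans multi-document manifests for core Secret objects that carry data or stringData (base64-encoded or plain, not encrypted) and lets SealedSecret and ExternalSecret through. The function name, the regex heuristics and the sample manifests are assumptions constructed for illustration.

```python
import re
import sys

# Top-level keys sit at column 0, so a nested "kind: SecretStore" is ignored.
_KIND = re.compile(r"^kind:[ \t]*[\"']?(\w+)[\"']?[ \t]*$", re.M)
_PAYLOAD = re.compile(r"^(?:data|stringData):", re.M)
_NAME = re.compile(r"^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*[\"']?([^\s\"']+)", re.M)


def find_plaintext_secrets(manifest_text):
    """Return (document_index, name) for each core Secret that carries values."""
    findings = []
    for index, doc in enumerate(re.split(r"^---[ \t]*$", manifest_text, flags=re.M)):
        kind = _KIND.search(doc)
        if not kind or kind.group(1) != "Secret":
            continue  # SealedSecret / ExternalSecret hold ciphertext or a reference
        if not _PAYLOAD.search(doc):
            continue  # no data or stringData, nothing to leak
        name = _NAME.search(doc)  # heuristic: first indented name under metadata
        findings.append((index, name.group(1) if name else "<unnamed>"))
    return findings


# Constructed sample: a plaintext Secret, then the two forms this page recommends.
SAMPLE = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
stringData:
  password: constructed-example-value
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
spec:
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
"""

if __name__ == "__main__":  # pass manifest paths, e.g. from a pre-commit hook
    hits = [(p, f) for p in sys.argv[1:] for f in find_plaintext_secrets(open(p).read())]
    print(*(f"{p}: document {i}: plaintext Secret {n!r}" for p, (i, n) in hits), sep="\n")
    sys.exit(1 if hits else 0)
```

Run against the staged manifest files, the script exits non-zero when any plaintext Secret is found, so it can gate a commit or a CI job.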

Best Practices

  • Use separate repos or branches for different environments

  • Implement RBAC for Git repositories

  • Enable notifications for sync failures

  • Use health checks for custom resources

  • Implement approval gates for production

  • Keep secrets out of Git (use External Secrets)

  • Use App of Apps pattern for organization

  • Tag releases for easy rollback

  • Monitor sync status with alerts

  • Test changes in staging first

Troubleshooting

Sync failures:

    argocd app get my-app
    argocd app sync my-app --prune

Out of sync status:

    argocd app diff my-app
    argocd app sync my-app --force

Related Skills

  • k8s-manifest-generator - For creating manifests

  • helm-chart-scaffolding - For packaging applications

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
