Mastering GitOps: From Spaghetti Scripts to Deterministic State
If you are still SSH-ing into your production servers to restart a service, or running kubectl apply -f . from your laptop, you are a ticking time bomb. I’ve seen entire clusters in Oslo go dark because a junior dev applied a YAML file with the wrong indentation during a Friday deploy. The solution isn't stricter rules; it's removing human hands from the cluster entirely.
GitOps isn't just a buzzword. It is the operational framework where Git is the single source of truth for your infrastructure and applications. The actual state of your cluster must match the state in Git. If it doesn't, the automation fixes it. No drift. No "I tweaked it manually." Just pure, deterministic state.
We are going to build a workflow that fits the strict data sovereignty requirements of Norway (Datatilsynet compliant) while leveraging raw compute power. We aren't using managed control planes that hide the messy details. We are building on robust KVM-based VPS instances because we need control over the etcd latency.
The Core Stack: 2024 Edition
For this architecture, we stick to tools that have survived the hype cycle:
- Orchestrator: Kubernetes v1.29 (Stable, proven).
- Reconciliation: ArgoCD v2.10+.
- Config Management: Kustomize (Native, no templating headaches like Helm for simple apps).
- Infrastructure: CoolVDS NVMe instances (Debian 12 Bookworm).
Why bare VPS instead of Managed K8s? Latency and Cost. In the Nordics, managed options often route control plane traffic through central Europe. By deploying K8s directly on CoolVDS instances in Oslo, you keep your latency to NIX (Norwegian Internet Exchange) under 3ms. Plus, you avoid the "management tax."
Step 1: The Infrastructure Layer (Terraform/OpenTofu)
Before we touch Kubernetes, we need iron. We don't click buttons in a UI. We define the server state. In 2024, following the HashiCorp license shift, many of us shifted to OpenTofu, but the syntax remains familiar. Here is how we provision a high-performance node suitable for a K8s worker.
Pro Tip: Kubernetes relies heavily on etcd, which is incredibly sensitive to disk write latency. Spinning disks or standard SSDs often cause leader election failures. Always use NVMe storage. On CoolVDS, the NVMe passthrough ensures your fsync latency stays negligible.resource "coolvds_instance" "k8s_worker_01" {
name = "k8s-worker-osl-01"
region = "no-oslo-1"
plan = "vds-nvme-32gb"
image = "debian-12"
ssh_keys = [var.ssh_key_id]
# Critical for K8s networking performance
enable_ipv6 = true
# Cloud-init to bootstrap containerd
user_data = file("${path.module}/scripts/bootstrap-k8s.sh")
}Step 2: The GitOps Operator (ArgoCD)
Once the cluster is up, we install ArgoCD. This is the heart of the operation. It sits inside your cluster and pulls changes from your Git repository. It acts as a firewall between your CI system and your production environment. Your CI pipeline builds Docker images; ArgoCD deploys them.
The standard installation is straightforward, but for production, we need to tune the repo server to handle high concurrency.
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yamlHowever, the default install isn't secure enough for a bank or a healthcare provider in Norway. We need to enforce strict resource limits and network policies.
Configuring the App of Apps
Don't manage applications individually. Use the "App of Apps" pattern. One root application manages all other applications.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: infrastructure-root
namespace: argocd
spec:
project: default
source:
repoURL: 'git@github.com:org/infra-repo.git'
targetRevision: HEAD
path: applications/overlays/production
destination:
server: 'https://kubernetes.default.svc'
namespace: argocd
syncPolicy:
automated:
prune: true
selfHeal: trueNote the selfHeal: true flag. This is the magic. If someone manually deletes a deployment, ArgoCD puts it back immediately. It fights entropy.
Step 3: Handling Secrets (The GDPR Headache)
You cannot check passwords into Git. That is a violation of basic security and definitely a violation of GDPR principles regarding data protection. In 2024, the standard approach is External Secrets Operator or Sealed Secrets.
I prefer Sealed Secrets for smaller teams because it doesn't require an external vault dependency. You encrypt the secret on your laptop using the cluster's public key, and only the controller inside the cluster can decrypt it.
# Install kubeseal
brew install kubeseal
# Encrypt a secret
kubectl create secret generic db-creds \
--from-literal=password=SuperSecurePass123! \
--dry-run=client -o yaml | \
kubeseal --controller-name=sealed-secrets \
--controller-namespace=kube-system \
--format yaml > db-creds-sealed.yamlYou can safely commit db-creds-sealed.yaml to your public Git repo. Even if the NSA looks at it, they can't decrypt it without the private key sitting on your CoolVDS instance.
Performance Tuning: The Hidden Configs
A GitOps workflow is only as good as the platform it runs on. A common issue we see in the Nordic hosting market is "noisy neighbors" stealing CPU cycles, causing the ArgoCD repo server to time out during syncs. This leads to "Unknown" application states.
We solve this by tweaking the kernel parameters on the underlying host. Since CoolVDS gives you true KVM virtualization, you have access to modify sysctl values that are often locked on container-based VPS providers.
Optimizing for Low Latency Networking
Add these to your /etc/sysctl.conf to handle high-traffic ingress controllers:
# Increase the range of ephemeral ports
net.ipv4.ip_local_port_range = 1024 65535
# Allow more connections to be handled
net.core.somaxconn = 65535
# Fast recycling of TIME_WAIT sockets (use with caution, but necessary for high throughput)
net.ipv4.tcp_tw_reuse = 1
# BBR Congestion Control for better throughput over the internet
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbrAfter applying this, reload with sysctl -p. We've seen this reduce 99th percentile latency by 40% on high-load nginx ingress controllers.
Compliance and Data Residency
In Norway, the interpretation of Schrems II means you need to know exactly where your bits live. Using a US-based cloud provider's "Oslo Region" often involves control plane metadata traveling back to US servers. This is a legal grey area many CTOs prefer to avoid.
By building your GitOps cluster on CoolVDS, you ensure:
- Data Residency: The disk, the memory, and the CPU are physically in the datacenter you selected.
- Auditability: You control the OS logs. There is no "black box" managed service layer hiding access logs from you.
War Story: The "Friday Deploy" Disaster
Last year, we took over a project for a media streaming company in Stockholm. They used manual deployments. During a high-traffic event (Eurovision), a developer manually patched a live deployment to increase memory limits. He made a typo: 200Mi became 200M (invalid in K8s, though some parsers ignore it, this one caused a crash loop). The service went down.
Because the change was manual, there was no git commit to revert. We spent 45 minutes diagnosing it. We migrated them to the GitOps workflow described above. Two weeks later, a similar bad config was pushed. ArgoCD caught the syntax error before it even applied the sync (thanks to dry-run validation), and the pipeline failed safely. Zero downtime.
Conclusion
GitOps is not optional for serious operations. It provides the audit trail required by law and the stability required by your users. But software needs hardware. A fragile VPS will undermine the most robust GitOps pipeline.
If you need an environment where etcd doesn't choke and network latency is measured in single-digit milliseconds within Scandinavia, you need infrastructure built for the job. Don't let slow I/O kill your SEO or your uptime.
Ready to harden your stack? Deploy a CoolVDS NVMe instance in Oslo today and start building your deterministic future.