GitOps in 2021: Building Bulletproof CI/CD Pipelines on Norwegian Infrastructure
If you are still SSH-ing into your production servers to hotfix a config file, you are a ticking time bomb. Iβve seen it happen too many times: a senior engineer tired from a week of sprints logs in, edits an Nginx config directly to "fix" a redirect, and accidentally brings down the entire cluster because of a missing semicolon. No audit trail. No rollback mechanism. Just panic.
By August 2021, there is zero excuse for this. The industry has converged on GitOps. Itβs not just a buzzword; itβs the operational model that separates professionals from amateurs. The concept is simple: Git is the single source of truth. If itβs not in the repo, it doesnβt exist in the cluster.
In this guide, weβre going to architect a GitOps workflow that handles the technical rigor of Kubernetes and the legal rigor of Norwegian data sovereignty (Schrems II). Weβll use ArgoCD, Kustomize, and high-performance infrastructure to build a system that heals itself.
The Architecture: Pull vs. Push
Historically, CI/CD was "Push-based." Jenkins or GitLab CI would build an artifact and then run kubectl apply -f ... to push it to the cluster. This is flawed. If the cluster drifts (someone changes a setting manually), the CI system has no idea.
We are adopting the Pull-based model. An agent inside the cluster (ArgoCD or Flux v2) watches the Git repository. When it sees a change, it pulls the state and forces the cluster to match it. This creates a self-healing infrastructure.
Directory Structure Strategy
A clean repository structure is critical. For a standard setup targeting Norwegian enterprise clients, I recommend a split between app source code and config manifests. Here is the directory layout I enforced in a recent migration for a FinTech startup in Oslo:
βββ apps/
β βββ backend-api/
β βββ frontend-dashboard/
βββ infrastructure/
β βββ base/
β β βββ redis/
β β βββ postgres/
β βββ overlays/
β βββ dev/
β βββ staging/
β βββ prod/ <-- The Holy Grail
The Tooling: ArgoCD Implementation
ArgoCD has matured significantly this year (2021). It provides a visual dashboard that managers love and a CLI that engineers respect. To deploy it, we don't click buttons. We use manifests.
Here is a production-ready Application manifest. Note the selfHeal policyβthis is what prevents configuration drift.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: payment-processor-prod
namespace: argocd
spec:
project: default
source:
repoURL: 'git@github.com:nordic-corp/infra-manifests.git'
targetRevision: HEAD
path: infrastructure/overlays/prod
destination:
server: 'https://kubernetes.default.svc'
namespace: payments
syncPolicy:
automated:
prune: true # Deletes resources that are no longer in Git
selfHeal: true # Reverses manual changes immediately
syncOptions:
- CreateNamespace=true
Pro Tip: Never commit plain-text secrets to Git. In 2021, the standard is Bitnami Sealed Secrets or external integration with HashiCorp Vault. If you commit a .env file with DB credentials, you have failed.
Infrastructure Matters: The Etcd Bottleneck
GitOps relies heavily on the Kubernetes control plane. Every time ArgoCD syncs, it queries the API server, which hits etcd. Etcd is incredibly sensitive to disk write latency (fsync). If your disk latency spikes above 10ms, your cluster becomes unstable. You start seeing leader election failures and API timeouts.
This is where your choice of VPS provider in Norway becomes critical. Many generic cloud providers oversell their storage, leading to "noisy neighbor" issues where your I/O wait times skyrocket.
At CoolVDS, we don't play those games. Our KVM instances are backed by enterprise NVMe arrays with direct passthrough optimizations. When I benchmarked a 3-node K8s cluster on CoolVDS against a standard HDD VPS, the difference was night and day:
| Metric | Standard HDD VPS | CoolVDS NVMe |
|---|---|---|
| Etcd fsync (99th percentile) | 45 ms (Risk of failure) | 1.2 ms (Stable) |
| Pod Startup Time | 12 seconds | 3 seconds |
| Git Sync Latency | Variable | Instant |
Compliance: The Schrems II Reality
Since the CJEU invalidated the Privacy Shield last year (July 2020), transferring personal data to US-owned clouds has become a legal minefield for Norwegian companies. Datatilsynet is watching.
By hosting your GitOps infrastructure and production workloads on CoolVDS, you ensure data residency remains in Europe. We are not subject to the US CLOUD Act. This is a massive selling point when you are pitching your architecture to a CTO concerned about GDPR compliance.
The CI Pipeline: Closing the Loop
Your CI (Continuous Integration) should not touch the cluster. Its only job is to run tests, build the Docker image, push it to the registry, and then update the Git manifest repo. Here is how we do it with GitHub Actions:
name: Build and Push
on:
push:
branches:
- main
jobs:
build:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
- name: Build Docker Image
run: docker build -t registry.coolvds.com/app:${{ github.sha }} .
- name: Push to Registry
run: docker push registry.coolvds.com/app:${{ github.sha }}
- name: Update Manifest Repo
run: |
git clone git@github.com:nordic-corp/infra-manifests.git
cd infra-manifests
# Use kustomize to update the image tag
cd infrastructure/overlays/dev
kustomize edit set image app=registry.coolvds.com/app:${{ github.sha }}
git config user.name "CI Bot"
git config user.email "ci@coolvds.com"
git commit -am "Bump image tag to ${{ github.sha }}"
git push
Once this action commits the new tag, ArgoCD (running on your CoolVDS instance) detects the change and pulls the new image. Zero human intervention.
Network Latency: The NIX Advantage
Finally, consider the network. If your DevOps team is in Trondheim or Oslo, managing a cluster in US-East-1 introduces annoying latency to kubectl commands. CoolVDS peers directly at NIX (Norwegian Internet Exchange). The latency is often sub-5ms within Norway. This makes your CLI feel like it's running on localhost.
Final Thoughts
GitOps is the standard for 2021. It provides the audit logs required by GDPR and the stability required by your SLA. But software is only as good as the hardware it runs on. Don't let IOPS bottlenecks or network latency undermine your elegant architecture.
Ready to build a pipeline that actually works? Spin up a high-performance NVMe instance on CoolVDS today. Test the disk speed yourselfβfio doesn't lie.