GitOps in Production: Surviving the "Drift" on Nordic Infrastructure
If you are still running kubectl apply -f . from your laptop, you are a ticking time bomb. Iβve seen it happen too many times. A junior dev hot-fixes a config map directly in the cluster to solve a P1 incident, forgets to commit the change, and three weeks later, the next deployment wipes out the fix. Downtime returns. The CEO screams. It's a mess.
In late 2021, manual cluster manipulation isn't just "bad practice"; it's professional negligence. We need a single source of truth. We need GitOps.
But implementing GitOps isn't just about installing ArgoCD and calling it a day. It's about architecture, latency, andβespecially here in Europeβdata sovereignty. With the fallout from the Schrems II ruling last year, where you host your management plane matters just as much as where you host your app.
The War Story: The "Ghost" Config
I was consulting for a fintech startup in Oslo last month. They had a decent Kubernetes setup, but they were suffering from "phantom bugs." Services would degrade randomly.
The culprit? Configuration drift. Their CI/CD pipeline (Jenkins) pushed manifests, but nothing monitored the cluster state afterwards. Someone had manually tweaked the readinessProbe settings on the load balancer to handle a traffic spike, but the Git repo still had the old, aggressive timeout values. The next automated deploy reverted the change during peak hours. Total outage.
The Fix: We moved to a pull-based GitOps workflow. The cluster now updates itself. If a human changes something manually, the operator detects the drift and reverts it immediately. Ruthless consistency.
Choosing Your Weapon: ArgoCD vs. Flux v2
Right now, the ecosystem is dominated by two giants. I've deployed both on CoolVDS instances, and here is how they stack up for the current 2021 landscape.
| Feature | ArgoCD (v2.1) | Flux (v2) |
|---|---|---|
| Architecture | Centralized Management Plane (Hub & Spoke) | Headless, native Kubernetes controllers |
| UI | Excellent visual dashboard | CLI / limited UI |
| Multi-tenancy | Native SSO & RBAC integration | Relies on Kubernetes RBAC |
| Best For | Teams needing visibility & visual diffs | Pure automation & low footprint |
Pro Tip: If your team needs to show audit logs to Datatilsynet (Norwegian Data Protection Authority), ArgoCD's visual history is a lifesaver. It creates a clear, undeniable timeline of who merged what and when it synced.
The Architecture: Hosting the Control Plane
Here is where many fail. They put their GitOps controller inside the same cluster it manages, or worse, on a sluggish cloud instance across the Atlantic. Don't do this.
Your management plane needs high I/O. ArgoCD (specifically the Application Controller and Redis cache) performs heavy manifest generation and comparison operations. If your etcd latency spikes, your sync status lags.
We host our management clusters on CoolVDS NVMe instances in Oslo. Why? Two reasons:
- Latency: Connecting to the NIX (Norwegian Internet Exchange) ensures our sync operations to local clusters are near-instant.
- Data Sovereignty: Your Git repositories contain secrets (even if encrypted with SealedSecrets or SOPS) and infrastructure maps. Keeping the reconciliation loop on Norwegian soil simplifies GDPR compliance significantly post-Schrems II.
Implementation: The "App of Apps" Pattern
To manage multiple clusters (e.g., Staging in Bergen, Production in Oslo), use the App of Apps pattern. This allows you to manage the ArgoCD configuration itself via Git.
Here is a directory structure that works:
βββ bootstrap/
β βββ argo-cd/
β βββ clusters/
β βββ production-oslo/
β βββ staging-bergen/
βββ charts/
βββ apps/
βββ payment-service/
βββ frontend-dashboard/And here is the root application definition you apply to your CoolVDS management node:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: production-oslo-root
namespace: argocd
spec:
project: default
source:
repoURL: 'git@github.com:your-org/infra-repo.git'
targetRevision: HEAD
path: bootstrap/clusters/production-oslo
destination:
server: 'https://kubernetes.default.svc'
namespace: argocd
syncPolicy:
automated:
prune: true
selfHeal: trueNotice selfHeal: true. This is the magic flag. If I manually delete a deployment on the server, ArgoCD notices the drift and restores it within seconds.
Handling Secrets without Leaking to Git
You cannot commit raw secrets. In 2021, the standard is Bitnami Sealed Secrets. It uses asymmetric encryption. You can commit the encrypted secret to a public repo, but only the controller running on your secure CoolVDS instance can decrypt it.
Step 1: Install the controller (server-side)
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm install sealed-secrets -n kube-system --set-string fullnameOverride=sealed-secrets-controller sealed-secrets/sealed-secretsStep 2: Encrypt your secret (client-side)
# Create a raw secret, dry-run it to json, and pipe it to kubeseal
kubectl create secret generic database-creds \
--from-literal=password="SuperSecureNorwegianPwd123!" \
--dry-run=client -o json > secret.json
kubeseal < secret.json > sealed-secret.jsonThe resulting sealed-secret.json is safe to commit. Even if your GitHub is compromised, the data is useless without the private key stored on your secure VPS.
Performance Tuning: Don't Let Redis Choke
As you scale to hundreds of apps, the default ArgoCD Redis settings will bottleneck. Iβve seen sync operations hang on standard cloud instances because of IOPS throttling.
On CoolVDS, we utilize the high I/O capabilities of the underlying NVMe storage to handle the aggressive caching required by the repo server. However, you should still tune your resource limits in the argocd-cmd-params-cm ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
namespace: argocd
data:
# Tune the repo server to utilize available CPU cores
reposerver.parallelism.limit: "4"
# Increase processing capability for larger monorepos
controller.processors: "20"The CoolVDS Advantage for GitOps
GitOps is resource-intensive. The reconciliation loop constantly compares the desired state (Git) with the actual state (Cluster). This generates significant CPU load and network traffic.
While container solutions are great for apps, I prefer running the Control Plane (the Kubernetes master nodes or the GitOps management instance) on dedicated KVM-based VPS resources. It prevents "noisy neighbor" issues from affecting your deployment pipeline. If your deployment tool lags, your time-to-recovery (TTR) increases.
With CoolVDS offering direct peering in Oslo, your latency to major Nordic ISPs is minimal, ensuring that kubectl commands and Git webhooks fire without delay.
Final Thoughts
GitOps is not just a trend; it is the operating model for the 2020s. It provides the audit trail required by European regulations and the stability required by your users. But remember: a pipeline is only as reliable as the infrastructure it runs on.
Don't let slow I/O or network latency kill your deployment velocity. Secure your pipeline on infrastructure built for the Nordic market.
Ready to harden your workflow? Deploy a high-performance CoolVDS KVM instance in Oslo today and build a control plane that actually scales.