GitOps with ArgoCD
How STOA leverages GitOps for declarative, auditable configuration management across multiple environments.
GitOps Philosophyβ
STOA embraces GitOps principles where Git is the single source of truth for all platform configuration:
- Declarative Configuration β Desired state defined in YAML, not imperative scripts
- Git as Source of Truth β All configuration stored, versioned, and auditable in Git
- Automated Sync β ArgoCD continuously reconciles actual vs desired cluster state
- Self-Healing β Drift detected automatically, cluster state restored to match Git
- Audit Trail β Every change has a Git commit with author, timestamp, and rationale
Architectureβ
STOA uses ArgoCD for Kubernetes resource management. Each managed component is an ArgoCD Application:
| Component | ArgoCD App | Sync Policy |
|---|---|---|
| STOA Gateway | stoa-gateway | Auto-sync + self-heal |
| Control Plane API | control-plane-api | Auto-sync + self-heal |
| Console UI | control-plane-ui | Auto-sync + self-heal |
| Developer Portal | stoa-portal | Auto-sync + self-heal |
Multi-Environment Promotion (ADR-040)β
STOA implements a "Born GitOps" model where environments are first-class citizens, not an afterthought.
Three Environmentsβ
| Environment | Mode | Color | Purpose |
|---|---|---|---|
| Development | full | Green | Unrestricted β create, modify, delete |
| Staging | full | Amber | Pre-production validation |
| Production | read-only | Red | Locked β changes via promotion only |
Promotion Flowβ
- Develop in
devβ full CRUD access, rapid iteration - Promote to
stagingβ automated tests, integration validation - Approve for
prodβ manual gate, read-only enforcement prevents direct edits
Environment-Scoped Operationsβ
The Console UI reflects the current environment with visual indicators:
- Green dot β Development (all actions available)
- Amber dot β Staging (all actions available)
- Red dot + lock icon β Production (read-only, no create/edit/delete)
API queries are environment-scoped: GET /v1/apis?environment=staging returns only staging APIs.
ArgoCD Application Exampleβ
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: stoa-gateway
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/stoa-platform/stoa
targetRevision: main
path: stoa-gateway/k8s
destination:
server: https://kubernetes.default.svc
namespace: stoa-system
syncPolicy:
automated:
prune: true # Delete resources removed from Git
selfHeal: true # Revert manual cluster changes
syncOptions:
- CreateNamespace=true
Sync Policiesβ
| Policy | Effect |
|---|---|
automated.prune: true | Resources deleted from Git are removed from cluster |
automated.selfHeal: true | Manual kubectl changes are reverted to match Git |
syncOptions: CreateNamespace | Namespace auto-created if missing |
CI/CD Integrationβ
ArgoCD integrates with STOA's CI pipeline:
| Step | Tool | Trigger |
|---|---|---|
| Code push | GitHub | Developer merge |
| CI pipeline | GitHub Actions | Push to main |
| Docker build | GitHub Actions | CI success |
| ArgoCD sync | ArgoCD | Image change detected |
| Health check | ArgoCD | Post-sync probe |
| Alerting | Prometheus | Health degraded |
Image Update Strategyβ
STOA uses imagePullPolicy: Always with kubectl rollout restart to deploy new images. ArgoCD monitors the deployment and reports sync status.
Drift Detectionβ
ArgoCD continuously compares the live cluster state with the Git-defined state:
| Status | Meaning | Action |
|---|---|---|
| Synced + Healthy | Cluster matches Git, pods running | None |
| OutOfSync | Git changed, cluster not yet updated | Auto-sync applies changes |
| Degraded | Pods failing health checks | Investigate, potential rollback |
| Unknown | ArgoCD can't reach the app | Check repo access |
When self-heal is enabled, STOA automatically reverts any manual changes made via kubectl β ensuring Git remains the single source of truth.
Configuration Repository Structureβ
stoa/
βββ stoa-gateway/
β βββ k8s/
β βββ deployment.yaml # Gateway K8s manifest
βββ control-plane-ui/
β βββ k8s/
β βββ deployment.yaml # Console UI manifest
βββ portal/
β βββ k8s/
β βββ deployment.yaml # Portal manifest
βββ charts/
βββ stoa-platform/
βββ crds/ # CRD definitions (Tool, ToolSet)
βββ templates/ # Helm templates
βββ values.yaml # Default values
Best Practicesβ
- Never manually edit cluster resources β All changes through Git PRs
- Use PRs for all changes β Code review + CI validation before merge
- Environment separation β Dev for experimentation, staging for validation, prod via promotion
- Secrets via Infisical β Never store secrets in Git; use external secret management
- Monitor ArgoCD sync status β Grafana dashboard with sync/health alerts
- Rollback via Git β
git revertthe problematic commit, ArgoCD auto-syncs
Relatedβ
- Quick Start β Get started with STOA
- Architecture Overview β System architecture
- ADR-007: GitOps with ArgoCD β Architecture decision
- ADR-040: Born GitOps β Multi-environment architecture
- Deployment Guide β Hybrid deployment options