All projects

GitOps Kubernetes Platform

KubernetesArgoCDGitOpsTalosHelm

A self-healing, production-grade Kubernetes platform on immutable Talos Linux, managing the entire cluster state declaratively through ArgoCD with an app-of-apps pattern — 23 applications across four sync-wave tiers, all reconciled from Git.

View Code on GitHub

App-of-apps reconciliation

Diagram: App-of-apps reconciliation

The platform runs on a six-node Talos Linux cluster (three control-plane, three workers) and treats the entire cluster as a single declarative artifact. ArgoCD self-manages from a root Application; one ApplicationSet then generates every other Application from a Git files generator over per-app config files, so onboarding a new workload never touches central wiring.

The discovery contract

Every application — infrastructure and user apps alike — lives in its own directory and carries a small config.yaml declaring its metadata: destination namespace, sync wave, whether it opts into automated sync, and any per-app sync options. The ApplicationSet’s files generator turns each of those files into an ArgoCD Application. The config file is the wiring: no directory without one ever becomes an Application, and adding an app never means editing a shared manifest. Behavior lives next to the app it describes instead of in a central allowlist.

Ordered rollout, deliberate sync

The four tiers map to sync-wave bands: cluster primitives and ingress first, then the shared data layer (PostgreSQL and Valkey, with per-app database provisioning jobs), then platform services, then user-facing apps. Auto-sync is intentionally opt-in per application — routine changes flow through Git and a reviewed, manual sync, while low-risk apps that want full reconciliation declare it themselves.

Security as a platform property

Secrets exist in Git only as SealedSecrets, generated by a purpose-built CLI. TLS is a wildcard certificate issued via a DNS-01 challenge and shared by every route. Single sign-on is a platform primitive rather than an app feature: a self-hosted OIDC provider plus an oauth2-proxy ForwardAuth middleware mean any application — even one with no auth of its own — is protected by referencing one shared Traefik middleware in its route.

CI that never touches the cluster

The pipeline detects which app directories changed, renders each with Kustomize, and validates the output with kubeconform against a baked-in CRD catalog — schema-checking Applications, IngressRoutes, and SealedSecrets without any cluster access. What merges is what syncs.

Key Technical Highlights

  • One ApplicationSet, every app: A single ArgoCD ApplicationSet with a Git files generator discovers every application from a per-app config.yaml. Adding an app is adding a directory — no central allowlist to edit.
  • Declarative from OS to app: Immutable Talos Linux (API-only, no SSH) underneath; every workload, namespace, sync wave, and sync policy declared in Git and reconciled by ArgoCD.
  • Tiered rollout: Four tiers (infra → data → services → user) with sync-wave bands bring dependencies up in the right order; auto-sync is opt-in per app.
  • Batteries included: Traefik ingress, cert-manager wildcard TLS, Longhorn distributed storage, MetalLB, and OIDC SSO (Pocket ID + oauth2-proxy ForwardAuth) — all GitOps-managed.

Tiered sync-wave rollout

Diagram: Tiered sync-wave rollout
Sync-wave bands bring each tier up only after everything it depends on is healthy.

Technologies

KubernetesArgoCDHelmKustomizeTraefikLonghorncert-managerGo