GitOps Kubernetes Platform
A self-healing, production-grade Kubernetes platform on immutable Talos Linux, managing the entire cluster state declaratively through ArgoCD with an app-of-apps pattern — 24 applications across four sync-wave tiers, all reconciled from Git.
The platform runs on a six-node Talos Linux cluster (three control-plane, three workers) and treats the entire cluster as a single declarative artifact. ArgoCD self-manages from a root Application; one ApplicationSet then generates every other Application from a Git files generator over per-app config files, so onboarding a new workload never touches central wiring. Secrets are sealed at rest (SealedSecrets), TLS is issued automatically, and identity is centralized through an OIDC provider fronted by a Traefik ForwardAuth middleware.
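The ForwardAuth arrangement in the paragraph above, written out as an added example (constructed here, not taken from the project's repository). Hostnames under `example.internal`, the `auth` and `monitoring` namespaces, the service names, the OIDC issuer URL and the Secret keys are all assumptions; the oauth2-proxy flags, `OAUTH2_PROXY_*` environment variables and Traefik `forwardAuth` fields are the real ones. Traefik calls oauth2-proxy once per request; a 2xx lets the request through with the listed identity headers copied in, anything else (here a redirect into the OIDC login flow) is returned to the client unchanged.

```yaml
# Constructed example: Traefik ForwardAuth middleware backed by oauth2-proxy,
# which federates to the OIDC provider (Pocket ID). Placeholders throughout.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: auth
spec:
  replicas: 1
  selector:
    matchLabels: {app: oauth2-proxy}
  template:
    metadata:
      labels: {app: oauth2-proxy}
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0   # pin by digest in practice
          args:
            - --provider=oidc
            - --oidc-issuer-url=https://id.example.internal   # Pocket ID issuer (placeholder)
            - --http-address=0.0.0.0:4180
            - --reverse-proxy=true            # trust X-Forwarded-* set by Traefik
            - --set-xauthrequest=true         # emit X-Auth-Request-* headers on success
            - --cookie-secure=true
            - --cookie-samesite=lax
            - --cookie-domain=.example.internal     # one session cookie across all protected hosts
            - --whitelist-domain=.example.internal  # post-login redirects only to our own hosts
            - --email-domain=example.internal
            - --skip-provider-button=true
          env:
            # Client and cookie secrets come from a Secret that SealedSecrets
            # unseals in-cluster; OAUTH2_PROXY_* is the env-var form of each flag.
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom: {secretKeyRef: {name: oauth2-proxy-oidc, key: client-id}}
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom: {secretKeyRef: {name: oauth2-proxy-oidc, key: client-secret}}
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom: {secretKeyRef: {name: oauth2-proxy-oidc, key: cookie-secret}}
          ports:
            - containerPort: 4180
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: auth
spec:
  selector: {app: oauth2-proxy}
  ports:
    - port: 4180
      targetPort: 4180
---
# The middleware. Traefik forwards the request headers to this address;
# 2xx -> continue with authResponseHeaders copied in; otherwise the
# auth server's response (a 302 to /oauth2/start) goes back to the client.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oidc-forward-auth
  namespace: auth
spec:
  forwardAuth:
    address: http://oauth2-proxy.auth.svc.cluster.local:4180/
    trustForwardHeader: true
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
---
# A protected app. /oauth2/ on the same host is routed straight to oauth2-proxy
# so the login redirect and the OIDC callback land on it unauthenticated;
# every other path goes through the middleware first. Traefik prefers the
# longer rule by default, so no explicit priority is needed.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: grafana
  namespace: monitoring
spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`grafana.example.internal`) && PathPrefix(`/oauth2/`)
      kind: Rule
      services:
        - name: oauth2-proxy
          namespace: auth    # cross-namespace refs need --providers.kubernetescrd.allowCrossNamespace=true
          port: 4180
    - match: Host(`grafana.example.internal`)
      kind: Rule
      middlewares:
        - name: oidc-forward-auth
          namespace: auth
      services:
        - name: grafana
          port: 3000
  tls: {}   # served with the cert-manager wildcard certificate assumed as Traefik's default
```

Two checks before reusing this: with no `--redirect-url` set, oauth2-proxy derives the callback from `X-Forwarded-Host`, so `https://<host>/oauth2/callback` must be registered as a redirect URI at the OIDC provider for every protected host (or fix a single `--redirect-url` on a dedicated auth host); and the `--whitelist-domain` and `--cookie-domain` values must be the same parent domain, otherwise the session cookie set during the callback is not visible on the host the user is sent back to.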
Key Technical Highlights
- One ApplicationSet, every app: A single ArgoCD ApplicationSet with a Git files generator discovers every application from a per-app config.yaml. Adding an app is adding a directory — no central allowlist to edit.
- Declarative from OS to app: Immutable Talos Linux (API-only, no SSH) underneath; every workload, namespace, sync wave, and sync policy declared in Git and reconciled by ArgoCD.
- Tiered rollout: Four tiers (infra → data → services → user) with sync-wave bands bring dependencies up in the right order; auto-sync is opt-in per app.
- Batteries included: Traefik ingress, cert-manager wildcard TLS, Longhorn distributed storage, MetalLB, and OIDC SSO (Pocket ID + oauth2-proxy ForwardAuth) — all GitOps-managed.
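The root Application, per-app `config.yaml` and ApplicationSet pattern from the overview and the first three highlights, as one added example (constructed here, not the project's own manifests). The repository URL, the `bootstrap/` and `apps/<name>/manifests` layout, the `config.yaml` key names, the tier names, the wave numbers and the per-tier AppProject are assumptions; `goTemplate`, the `git.files` generator, `.path.path` and `templatePatch` are real ApplicationSet fields. Onboarding a workload is adding `apps/<name>/config.yaml` plus its manifests directory; nothing in `bootstrap/` changes.

```yaml
# Constructed example of the app-of-apps wiring. Three files shown as one
# multi-document stream for readability; the header comment names each file.
---
# 1. bootstrap/root.yaml: the only object applied by hand, once. It syncs the
#    bootstrap/ directory, which holds ArgoCD's own manifests, the per-tier
#    AppProjects and the ApplicationSet below, so ArgoCD manages itself from Git.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: root
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://git.example.internal/platform/cluster.git   # placeholder
    targetRevision: main
    path: bootstrap
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
---
# 2. apps/grafana/config.yaml: the entire onboarding surface for one workload.
#    Every key is required (missingkey=error below turns a typo into a render
#    error instead of a silently mis-placed app).
#    Assumed wave bands: infra 0-9, data 10-19, services 20-29, user 30-39.
name: grafana
namespace: monitoring
tier: services
syncWave: 25
autoSync: true
---
# 3. bootstrap/applicationset.yaml: one Git files generator over every config.yaml.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: apps
  namespace: argocd
spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
    - git:
        repoURL: https://git.example.internal/platform/cluster.git
        revision: main
        files:
          - path: "apps/*/config.yaml"
  template:
    metadata:
      name: '{{ .name }}'
      labels:
        tier: '{{ .tier }}'
      annotations:
        argocd.argoproj.io/sync-wave: '{{ .syncWave }}'
    spec:
      # One AppProject per tier (infra, data, services, user) bounds the
      # destination namespaces and cluster-scoped kinds apps in that tier may
      # create, so a user-tier app cannot declare itself into kube-system.
      project: '{{ .tier }}'
      source:
        repoURL: https://git.example.internal/platform/cluster.git
        targetRevision: main
        path: '{{ .path.path }}/manifests'   # .path.path is the directory holding config.yaml
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{ .namespace }}'
      syncPolicy:
        syncOptions:
          - CreateNamespace=true
  # Auto-sync is opt-in: only apps with autoSync: true get automated
  # prune + selfHeal; the rest render with no automated block and wait
  # for a manual sync.
  templatePatch: |
    {{- if .autoSync }}
    spec:
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
    {{- end }}
```

One caveat on ordering: the `sync-wave` annotation orders resources within the Application that syncs them, so it sequences each app's own manifests and the contents of `bootstrap/` under the root app. Applications created by an ApplicationSet are created by its controller rather than synced as resources, so if a hard gate between tiers is required, the ApplicationSet-native mechanism is progressive syncs (`spec.strategy` with a `RollingSync` keyed on the `tier` label above), which at the time of writing must be enabled on the controller with the `ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS` environment variable.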