Platform · GitOps

GitOps on EKS

Git is the source of truth — the cluster just follows.

An end-to-end GitOps pipeline: Terraform provisions an EKS cluster, ArgoCD deploys a Flask app via the App-of-Apps pattern, and the kube-prometheus-stack watches it all — every change driven by a Git commit, every rollout automatic.

Year: 2026
Timeline: Solo build
Focus: Reference architecture
Services: Platform engineering, Kubernetes, CI/CD, Observability
Stack: Terraform, Amazon EKS, Argo CD, Helm, GitHub Actions, Prometheus

The problem

Hand-rolled kubectl deploys drift, aren't auditable, and turn 'what's actually running?' into a guessing game. Infrastructure and apps need one reviewable source of truth.

Our approach

Put Git in charge. A push triggers GitHub Actions to build, Trivy-scan and push the image to ECR, then commit the new tag to the Helm values. ArgoCD sees the diff and reconciles the cluster automatically — zero-downtime rolling updates, with HPA scaling and Grafana watching.

What we built

  • EKS + VPC provisioned entirely in Terraform
  • OIDC auth — no long-lived CI credentials
  • GitHub Actions: build → Trivy → ECR → bump tag
  • ArgoCD App-of-Apps auto-sync from Git
  • Zero-downtime rolling updates + HPA
  • kube-prometheus-stack (Prometheus + Grafana)
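The build → Trivy → ECR → bump-tag chain described above, written out as an added example GitHub Actions workflow. This is not the project's own workflow; the AWS account id, IAM role name, ECR repository name, region, and the `charts/flask-app/values.yaml` path (with an `image.tag` key) are assumed placeholders. The security-relevant parts are the `id-token: write` permission, which lets the job obtain a short-lived AWS session via OIDC instead of stored access keys, and the Trivy step with `exit-code: "1"`, which fails the job before the image is pushed or the tag is committed.

```yaml
# Added example workflow (not the project's own). Account id, role, repo
# name, region and the values.yaml path are placeholders.
name: build-scan-push-bump

on:
  push:
    branches: [main]
    paths-ignore:
      - "charts/**"   # the tag-bump commit must not retrigger this workflow

permissions:
  contents: write   # commit the bumped image tag back to the repo
  id-token: write   # request a GitHub OIDC token to assume the AWS role

env:
  AWS_REGION: us-east-1        # placeholder
  ECR_REPOSITORY: flask-app    # placeholder ECR repository name

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # OIDC federation: no long-lived AWS keys in GitHub secrets.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111122223333:role/github-actions-ecr-push  # placeholder
          aws-region: ${{ env.AWS_REGION }}

      - id: ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build image
        run: |
          docker build -t "${{ steps.ecr.outputs.registry }}/${ECR_REPOSITORY}:${GITHUB_SHA}" .

      # Gate: HIGH/CRITICAL findings fail the job, so nothing is pushed.
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"

      - name: Push image
        run: docker push "${{ steps.ecr.outputs.registry }}/${ECR_REPOSITORY}:${GITHUB_SHA}"

      # Bump the Helm values tag; ArgoCD sees this commit and reconciles.
      - name: Commit new tag
        run: |
          sed -i "s/^  tag: .*/  tag: ${GITHUB_SHA}/" charts/flask-app/values.yaml
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -am "chore: deploy ${GITHUB_SHA}"
          git push
```

The image is tagged with the commit SHA so every deployed tag is immutable and traceable to a reviewed commit; pinning the Helm values to the image digest instead of the tag would close the remaining gap where a tag could be re-pushed in the registry. The `paths-ignore` on `charts/**` keeps the bump commit from starting a second build.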

Shipped

GitOps on EKS

The outcome

  • 0% GitOps-driven: Every change is a reviewable Git commit.
  • 0 Downtime deploys: Rolling updates with maxUnavailable=0.
  • ~0 min Auto-sync: ArgoCD reconciles drift from Git on its own.
  • 0 Source of truth: Infra + apps, both defined in Git.
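The two settings the outcome figures rest on, auto-sync that reverts drift and rolling updates with `maxUnavailable=0`, as an added example manifest set. These are not the project's manifests; the repository URL, chart path, namespace, image reference and probe path are assumed placeholders, and the Deployment is shown flattened rather than as the Helm template that would render it.

```yaml
# Added example (not the project's own manifests). Repo URL, chart path,
# namespace, image and probe path are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: flask-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/example-org/gitops-on-eks.git   # placeholder
    targetRevision: main
    path: charts/flask-app
  destination:
    server: https://kubernetes.default.svc
    namespace: flask-app
  syncPolicy:
    automated:
      prune: true      # resources deleted from Git are deleted from the cluster
      selfHeal: true   # manual kubectl edits are reverted to the Git state
    syncOptions:
      - CreateNamespace=true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flask-app
  namespace: flask-app
spec:
  # No `replicas` field: the HPA below owns the count. Setting it here would
  # make selfHeal fight the autoscaler on every scale event.
  selector:
    matchLabels: {app: flask-app}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0   # an old pod is removed only after a new one is Ready
      maxSurge: 1
  template:
    metadata:
      labels: {app: flask-app}
    spec:
      containers:
        - name: flask-app
          image: 111122223333.dkr.ecr.us-east-1.amazonaws.com/flask-app:REPLACE_WITH_SHA  # placeholder
          ports: [{containerPort: 5000}]
          readinessProbe:      # the rollout advances only once this passes
            httpGet: {path: /healthz, port: 5000}
          resources:
            requests: {cpu: 100m, memory: 128Mi}
            limits: {cpu: 500m, memory: 256Mi}
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: flask-app
  namespace: flask-app
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: flask-app
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target: {type: Utilization, averageUtilization: 70}
```

`maxUnavailable: 0` only delivers zero downtime if the readiness probe is meaningful: without it every new pod counts as Ready immediately and old pods are torn down before the new ones can serve. `selfHeal` is what turns "what's actually running?" into a question Git answers, and `prune` is why a resource removed from the repo does not linger in the cluster; both also mean an out-of-band `kubectl edit` is undone within the sync interval, which is the behaviour to verify when auditing the setup.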

Push to main, walk away — the cluster converges to Git on its own.