GitOps promises declarative infrastructure, auditable changes, and self-healing systems. But its real power emerges when these tools are carefully orchestrated in harmony. Yet, if you’re new to GitOps—or even an experienced operator—the sheer number of moving parts can be daunting.

This post aims to demystify how each tool—Flux, Harbor, Prometheus, Terraform, and more—fits into a cohesive GitOps Kubernetes pipeline to forge a secure, self-healing environment. We’ll see these components in action using my fully-managed Kubernetes homelab as an example. Is hosting a blog in Kubernetes overkill? Absolutely. But like a mechanic who rebuilds engines for fun, this setup is my playground for mastering GitOps—and you’re invited to steal the blueprint.

1. Flux: The GitOps Engine

Why It’s Core:

Flux isn’t just a sync tool—it’s a reconciliation engine. By watching your Git repository, it ensures your cluster state always matches what’s committed, even recovering from manual interventions.

Key Features:

• Kustomize Integration: Manage environment-specific overrides (dev vs. prod) without duplicating manifests.
• Dependency Ordering: Deploy databases and secrets before apps that need them, using Flux’s dependsOn.
• Drift Detection: Scheduled checks automatically revert resources to the primary state if someone directly edits them with kubectl.

Why It’s Here:
Flux transforms Git into your cluster’s declarative control plane, enforcing state consistency through reconciliation loops rather than imperative commands. No more “what’s actually running” questions.

2. Harbor: Secure Image Management

Why It’s Essential:

Public registries like Docker Hub prioritize convenience over security, while many private registry solutions charge enterprise pricing for features you might not need. Harbor bridges the gap by offering self-hosted, open-source security features without the licensing overhead.

• Vulnerability Scanning: Trivy integration can block deployments if critical CVEs are found.
• RBAC: Fine-grained access controls over image push/pull permissions.
• Replication: Mirror images across registries for redundancy or air-gapped environments.

Integration with Flux:

Flux’s ImageUpdateAutomation can be configured to watch Harbor for new image tags. Push a patched v1.2.3 image, and Flux updates your manifests automatically—no human YAML editing.

3. Prometheus + Grafana: Observability Built-In

Why Monitoring Isn’t Optional:

GitOps ensures correct deployments, but you still need to confirm everything runs smoothly:

• Prometheus: Collects metrics from nodes, pods, and custom endpoints.
• Grafana: Dashboards visualize metrics, from traffic to resource usage.

Alerts:

Set up alerts for disk pressure, pod crashes, certificate expiration, and more. Feed them into Slack, email, PagerDuty—wherever you track system health. This completes the loop between deployment and operation.

4. Terraform + External Secrets: Safe Secret Handling

The Problem:

Secrets in Git (even encrypted) is risky.

The Solution

• Terraform Provisions: Creates and stores credentials in AWS Secrets Manager (or another secret manager).
• External Secrets Operator (ESO): Pulls secrets into Kubernetes on demand.

Workflow Example

1. Terraform creates a harbor-admin-password in AWS.
2. ESO generates a Kubernetes Secret from that password, scoped to the Harbor namespace.
3. Flux deploys Harbor, referencing the Secret by name.

Terraform and ESO work in tandem like a well-orchestrated pipeline: Terraform provisions secrets externally, while ESO ensures they’re injected precisely where needed—no manual intervention required.

5. JupyterHub: Developer-Friendly Compute

Why Include It?

Data teams have better things to do than debug helm charts. JupyterHub provides:

• Multi-User Isolation: Separate notebooks with resource quotas.
• Prebuilt Environments: Launch Python/R/Julia kernels as Pods.

GitOps Synergy:

Collaboration is key to GitOps. JupyterHub lets data scientists share work, while MLOps can optimize models for production earlier in the process.

How It All Fits Together

1. Commit: A developer pushes a Helm chart update.
2. Sync: Flux detects the change and deploys it.
3. Build Safely & Privately: CI pushes new image(s) to Harbor, which scans for vulnerabilities and enforces RBAC.
4. Secure: ESO injects database credentials from AWS Secrets Manager.
5. Monitor: Prometheus collects data; alerts highlight issues.
6. Iterate: Grafana dashboards inform continuous improvement.

This loop is fully automated, self-healing, and auditable via Git history.

Why These Tools?

• Flux Over ArgoCD: Flux’s simpler CRDs and smaller footprint fit my homelab experiment. Both are great—this just worked better for my setup.
• Harbor Over Nexus: Built-in vulnerability scanning and OCI artifact support.
• ESO Over Sealed Secrets: Cloud-agnostic and leverages existing vaults (AWS/GCP/Azure) without storing encrypted secrets in Git.

The stack avoids vendor lock-in while prioritizing security and automation.

From Overkill to Operational

Setting up a GitOps stack from scratch can feel overwhelming—so many tools, integrations, and security concerns. That’s where the k8s-flux-starter comes in. It’s a pragmatic foundation that demonstrates a sane default configuration, letting you focus on what matters most:

• Automation that removes toil without sacrificing control.
• Security that shields you from threats without halting innovation.
• Collaboration that unites teams instead of siloing them.

Whether you’re tinkering with a homelab or orchestrating enterprise clusters, the principle is the same:

The best infrastructure isn’t the most elaborate—it’s the most reliable.

Is hosting a blog in Kubernetes elaborate and overkill? Absolutely. It’s like building a flamethrower to light a candle. But here’s the secret: once you’ve built the flamethrower, lighting candles is easy—and you’re ready to torch bigger problems next.

Clone the repo, break it, fix it, or roast me in the issues if you spot a typo. And if you’ve ever kubectl delete namespace’d prod at 5PM… welcome to the club. Flux won’t bring back your cluster, but it will make sure you never do it again. Probably. Even if you do, Flux’s drift detection ensures manual changes don’t stick—turning your next ‘oops’ into a fleeting blip rather than a disaster.