Side Project Ops (GitOps Platform)
An ArgoCD App-of-Apps GitOps repository that centrally manages Kubernetes deployments for all side projects via automated CI/CD pipelines.

Project Overview
A GitOps monorepo that serves as the single source of truth for all Kubernetes deployments across multiple side projects. It uses ArgoCD's App-of-Apps pattern: a single root application bootstraps all child application definitions, each of which manages its own namespace, Kustomize manifests, and Sealed Secrets. Projects currently managed include chat-app, gf-soap (frontend/backend/admin), lazybacktest (frontend/backend), personal-site, and hexo-blog. CI pipelines in source repos build Docker images, push to GHCR, then commit the new image tag here to trigger ArgoCD auto-sync.
Technical Challenges & Solutions
App-of-Apps Bootstrap
Managing dozens of ArgoCD Application manifests individually becomes unwieldy. The platform needed a scalable pattern for adding new projects without manual ArgoCD UI interaction.
Secret Management in Git
Storing Kubernetes Secrets (database passwords, API keys) in a Git repository is a security risk.
Private Registry Image Pulls
K3s pods need to pull Docker images from private GHCR repositories across all namespaces.
Architecture
Repository structure: apps/ (ArgoCD Application YAMLs), projects/<name>/<component>/ (Kustomize manifests). Root app (root-app.yaml) watches the apps/ directory. kubeseal encrypts secrets into SealedSecret objects safe to commit. Private GHCR images use a shared ghcr-pull-secret. A _template/ directory enables rapid onboarding of new projects.
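A CI guard that would enforce the sealed-secrets rule described above, as an added example that is not part of this repository: it flags top-level `kind: Secret` manifests and Kustomize `secretGenerator` entries in committed YAML while letting `SealedSecret` objects through. The file names and values under projects/gf-soap/backend/ are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Top-level (column 0) keys only: a SealedSecret's nested spec.template is indented.
KIND = re.compile(r"^kind:\s*['\"]?(\w+)['\"]?\s*(#.*)?$")
GENERATOR = re.compile(r"^secretGenerator:")

def scan_manifest(text):
    """Return [(line_number, reason)] for plaintext-secret patterns in one YAML file."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = KIND.match(line)
        if match and match.group(1) == "Secret":
            findings.append((number, "plaintext Secret manifest"))
        elif GENERATOR.match(line):
            findings.append((number, "kustomize secretGenerator"))
    return findings

def scan_repo(root):
    """Map relative path -> findings for every .yaml/.yml file under root."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.y*ml")):
        hits = scan_manifest(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_repo(root):
    """Constructed sample tree; file names and values are made up for the demo."""
    base = Path(root) / "projects" / "gf-soap" / "backend"
    base.mkdir(parents=True)
    (base / "sealed-db.yaml").write_text(
        "apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: db\n"
        "spec:\n  encryptedData:\n    password: PLACEHOLDER_CIPHERTEXT\n"
        "  template:\n    type: Opaque\n")
    (base / "db.yaml").write_text(
        "---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: db\n"
        "stringData:\n  password: example-only\n")
    (base / "kustomization.yaml").write_text(
        "resources:\n  - sealed-db.yaml\nsecretGenerator:\n  - name: api\n"
        "    literals:\n      - KEY=example-only\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for name, hits in scan_repo(tmp).items():
            print(name, hits)
```

In a pipeline, call `scan_repo` on the checked-out repository and fail the job when the returned report is non-empty. Secrets wrapped in a `kind: List` or otherwise indented are outside what this line-based check sees.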
Learnings
Building this GitOps platform gave me a practical understanding of the ArgoCD App-of-Apps pattern and the full GitOps workflow cycle: code push → Docker build → GHCR push → tag commit → ArgoCD sync → rolling update. Managing secrets with kubeseal made me appreciate the importance of keeping encrypted secrets in Git for auditability.