GIT VS HUMAN (DRIFT & SELF-HEALING)
🧩 Task 1: Prove Humans Cannot Change Production
Action (Human tries to scale):
```shell
kubectl -n grade scale deployment grade-submission-api --replicas=3
```
Observe:
- Argo CD → App becomes OutOfSync
- Seconds later → Argo reverts to replicas: 1
Kubernetes accepts human commands.
Argo rejects human authority.
🧩 Task 2: Manual Image Change (Hotfix Attempt)
```shell
kubectl -n grade edit deployment grade-submission-api
```
Change:
```yaml
image: nginx:latest
```
Observe:
- Pod restarts
- Argo detects image drift
- Reverts back to Git image
Emergency hotfixes without Git are temporary illusions.
🧩 Task 3: Delete Pod Manually
```shell
kubectl -n grade delete pod -l app=grade-submission-api
```
Observe:
- Pod recreated automatically
- Same image, same config
Teaching Point:
Kubernetes heals pods.
Argo heals configuration.
- Git = authority
- Humans = temporary actors
- Argo = enforcer
FAILURE, ROLLBACK, SYNC CONTROL
🧩 Task 4: Break App via Git (Controlled Failure)
In CI repo (app.js):
```javascript
throw new Error("Production crash");
```
Commit & push.
Observe:
- CI builds image
- GitOps repo updated
- Argo deploys broken version
- Pod enters CrashLoopBackOff
GitOps does NOT prevent bugs.
It makes them traceable.
🧩 Task 5: Diagnose via Argo CD UI
Inside app view:
- Health β Degraded
- Click Pod β Logs
Show:
- Crash error
- Image SHA
Argo CD shows what is broken, not why code is bad.
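The UI check in Tasks 4 and 5 (sync status, health status) can also be scripted so that drift or a Degraded app pages someone instead of waiting to be noticed. The following is an added example, not part of the lab: it reads the "NAME SYNC HEALTH" rows produced by the `kubectl get applications.argoproj.io` query shown in the comments and flags anything that is not Synced and Healthy. The status field paths are the standard Argo CD ones; the `argocd` namespace and the sample application names are assumptions, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not part of the lab: a scriptable drift/health report built
# from Argo CD Application status (the same fields Tasks 4-5 read in the UI).
# Assumed: Argo CD lives in the "argocd" namespace; app names are examples.
ARGOCD_NS="${ARGOCD_NS:-argocd}"

# Live query (needs a cluster with Argo CD; only used with --live).
list_apps_live() {
    kubectl -n "$ARGOCD_NS" get applications.argoproj.io --no-headers \
        -o custom-columns=NAME:.metadata.name,SYNC:.status.sync.status,HEALTH:.status.health.status
}

# Constructed sample standing in for the live output: one app drifted by a
# kubectl change (Task 1), one crash-looping after a bad commit (Task 4).
SAMPLE_APPS='grade-api        Synced      Healthy
grade-worker     OutOfSync   Healthy
grade-frontend   Synced      Degraded'

# drift_report: reads rows on stdin, prints one line per app needing attention,
# exits 0 when every app is Synced + Healthy and 1 otherwise.
drift_report() {
    awk '
        NF >= 3 {
            problem = ""
            if ($2 != "Synced")  problem = problem " sync=" $2
            if ($3 != "Healthy") problem = problem " health=" $3
            if (problem != "") { print $1 ":" problem; bad++ }
        }
        END { if (bad > 0) exit 1; exit 0 }'
}

# drift_count ROWS: number of apps the report flags (handy for alert thresholds).
drift_count() {
    printf '%s\n' "$1" | drift_report | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    list_apps_live | drift_report
else
    printf '%s\n' "$SAMPLE_APPS" | drift_report \
        || echo "drift detected: fix it in Git, not with kubectl"
fi
```

Run it with `--live` against a real cluster; without arguments it walks the constructed sample. Because the report exits non-zero on any drift, it drops straight into a cron job or a CI smoke test, which is how the "Argo audit logs" item of Task 12 becomes an actual control rather than a discussion point.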
🧩 Task 6: Rollback Using Git Only
```shell
git revert <bad_commit>
git push
```
Observe:
- CI triggers
- GitOps updated
- Argo redeploys previous version
- App recovers
Rollback is Git history, not kubectl.
🧩 Task 7: Disable Auto-Sync (Manual Control Mode)
Edit Application:
```yaml
syncPolicy: {}
```
Apply change.
Now:
- Git changes
- App becomes OutOfSync
- Deployment waits
Click SYNC manually.
| Mode | Use |
|---|---|
| Auto-sync | Dev |
| Manual | Prod |
PRODUCTION SAFETY & GOVERNANCE
🧩 Task 8: Prune (Delete via Git)
Delete deployment from GitOps repo:
```shell
git rm deployment.yaml
git commit -m "remove app"
git push
```
Observe:
- Argo deletes Deployment
- Pods disappear
If it's not in Git, it must not exist.
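The behaviour in Tasks 1-3 (drift reverted), Task 7 (manual sync) and Task 8 (prune on `git rm`) all come from the `syncPolicy` block of the Argo CD Application, which the lab never shows in full. The script below is an added example, not the lab's own manifest: it renders the Application in either mode so the two policies can be compared side by side. The repository URL, the `argocd` namespace and the `CreateNamespace` sync option are assumptions; replace the repo URL with your GitOps repo.

```shell
#!/bin/sh
# Added example, not from the lab: render the Argo CD Application that drives
# Tasks 1-3, 7 and 8. Repo URL is a placeholder (assumption).
#   auto   -> automated sync + selfHeal (reverts kubectl drift) + prune
#             (deletes whatever Git no longer declares)
#   manual -> empty syncPolicy: Git changes sit OutOfSync until someone
#             clicks SYNC (Task 7)
render_app() {
    mode="${1:-auto}"
    repo="${2:-https://github.com/EXAMPLE-ORG/grade-api-gitops}"   # placeholder
    case "$mode" in
        auto)
            policy='  syncPolicy:
    automated:
      prune: true       # Task 8: git rm -> Argo deletes the resource
      selfHeal: true    # Tasks 1-3: live drift is reverted without a commit
    syncOptions:
      - CreateNamespace=true'
            ;;
        manual)
            policy='  syncPolicy: {}   # Task 7: OutOfSync waits for a manual SYNC'
            ;;
        *)
            echo "render_app: mode must be auto or manual" >&2
            return 2
            ;;
    esac
    cat <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grade-submission-api
  namespace: argocd
spec:
  project: default
  source:
    repoURL: $repo
    targetRevision: main
    path: .
  destination:
    server: https://kubernetes.default.svc
    namespace: grade
$policy
EOF
}

# has_self_heal MODE: succeeds only if the rendered manifest reverts human drift.
has_self_heal() {
    render_app "$1" | grep -q 'selfHeal: true'
}

# Usage: MODE=manual sh render-app.sh | kubectl apply -f -
render_app "${MODE:-auto}"
```

Without `selfHeal`, an automated sync only reacts to new Git commits, so the Task 1 `kubectl scale` would stay in place until the next push; without `prune`, Task 8 would leave the Deployment running after the file is removed from Git. Both flags are what turn "Git is the authority" from a slogan into enforced behaviour.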
🧩 Task 9: Re-Add Deployment (Recovery)
Restore file:
```shell
git checkout HEAD~1 deployment.yaml
git commit -m "restore app"
git push
```
Observe:
- Argo recreates everything
Git is both destruction and recovery.
🧩 Task 10: Add Resource via Git Only
Add Service manifest.
Commit & push.
Observe:
- Argo creates Service
- No kubectl used
Git is the only deployment interface.
🧩 Task 11: Simulate Unauthorized Change
```shell
kubectl -n grade delete svc <service-name>
```
Observe:
- Argo recreates it
Argo enforces compliance automatically.
🧩 Task 12: Governance Discussion (No Commands)
Discuss:
- Remove kubectl access
- Read-only prod access
- Argo audit logs
- PR approvals
"How would you safely deploy a hotfix in production?"
Expected answer:
- Create PR
- Review
- Merge
- Argo deploys
"You are no longer deploying applications.
You are managing desired state."
WHAT THIS LAB PROVES
✅ GitOps authority
✅ Drift detection
✅ Self-healing
✅ Rollback via Git
✅ Production safety
✅ Enterprise patterns
Second project:
MODULE 1: Argo Rollouts (Progressive Delivery)
Goal
Show that:
- Deployment ≠ Release
- Argo CD deploys
- Argo Rollouts controls traffic
This is next-level DevOps.
Traditional Deployment:
- Replace pods
- Users immediately see new version
Argo Rollouts:
- Canary
- Blue-Green
- Pause, approve, rollback
- Metrics-driven decisions
"Kubernetes deploys pods.
Argo Rollouts deploys risk-controlled releases."
Lab 1.1: Install Argo Rollouts
```shell
kubectl create namespace argo-rollouts
kubectl apply -n argo-rollouts \
  -f https://raw.githubusercontent.com/argoproj/argo-rollouts/stable/manifests/install.yaml
```
Verify:
```shell
kubectl get pods -n argo-rollouts
```
Lab 1.2: Convert Deployment → Rollout (GitOps)
In GitOps repo, replace Deployment with Rollout.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: grade-submission-api
  namespace: grade
spec:
  replicas: 3
  strategy:
    canary:
      steps:
        - setWeight: 20
        - pause: { duration: 30 }
        - setWeight: 50
        - pause: {}
  selector:
    matchLabels:
      app: grade-submission-api
  template:
    metadata:
      labels:
        app: grade-submission-api
    spec:
      containers:
        - name: app
          image: ghcr.io/jumptotechschooldevops/k8s-ci-build:PLACEHOLDER
```
Commit & push.
Lab 1.3: Observe Rollout via Argo CD
Show:
- Rollout object in tree
- ReplicaSets
- Pause state
Use CLI:
```shell
kubectl argo rollouts get rollout grade-submission-api -n grade
```
Resume:
```shell
kubectl argo rollouts promote grade-submission-api -n grade
```
Teaching points:
- Canary != Deployment
- Rollouts are Git-driven
- Promotion is controlled, not automatic
- Rollbacks are instant
Interview takeaway:
"We use Argo CD for GitOps and Argo Rollouts for progressive delivery."
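The final `pause: {}` step in Lab 1.2 holds the rollout at 50% until someone promotes it, and the module's goal lists "metrics-driven decisions" as the reason to pause. The script below is an added example and is not part of the lab or of Argo Rollouts itself: it computes the canary's 5xx rate from access-log lines and only then runs the `promote` command from Lab 1.3 (or `abort` when the error budget is blown). The log line format, the 5% budget and the label selector are assumptions; the sample log is constructed. In a real cluster the same decision would normally live in an Argo Rollouts AnalysisTemplate backed by Prometheus rather than in a shell script.

```shell
#!/bin/sh
# Added example, not from the lab: gate `kubectl argo rollouts promote` on the
# canary's observed error rate while the rollout sits in its `pause: {}` step.
# Assumed: log lines look like "<path> <http-status>"; budget is 5% 5xx.
ROLLOUT="${ROLLOUT:-grade-submission-api}"
NAMESPACE="${NAMESPACE:-grade}"
MAX_ERROR_PCT="${MAX_ERROR_PCT:-5}"

# Constructed sample of 20 canary requests, 2 of them 5xx (10% error rate).
SAMPLE_LOG='/submit 200
/submit 200
/submit 201
/grades 200
/grades 200
/submit 500
/submit 200
/grades 200
/healthz 200
/submit 200
/grades 200
/submit 200
/submit 502
/grades 200
/submit 200
/healthz 200
/submit 200
/grades 200
/submit 200
/grades 200'

# error_pct: reads "<path> <status>" lines on stdin, prints the integer
# percentage of 5xx responses (0 when there were no requests at all).
error_pct() {
    awk '
        $2 ~ /^5[0-9][0-9]$/ { errors++ }
        { total++ }
        END { if (total == 0) print 0; else printf "%d\n", (errors * 100) / total }'
}

# decide PCT: "promote" when within budget, otherwise "abort".
decide() {
    if [ "$1" -le "$MAX_ERROR_PCT" ]; then echo promote; else echo abort; fi
}

# gate_rollout: reads log lines on stdin and applies the decision to the live
# rollout (needs kubectl and the Argo Rollouts plugin from Lab 1.1).
gate_rollout() {
    pct="$(error_pct)"
    action="$(decide "$pct")"
    echo "canary error rate ${pct}% (budget ${MAX_ERROR_PCT}%): $action"
    case "$action" in
        promote) kubectl argo rollouts promote "$ROLLOUT" -n "$NAMESPACE" ;;
        abort)   kubectl argo rollouts abort   "$ROLLOUT" -n "$NAMESPACE" ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    # Narrow the selector to the canary ReplicaSet's pods in a real run; the
    # app label alone also matches the stable pods.
    kubectl -n "$NAMESPACE" logs -l app=grade-submission-api --tail=200 | gate_rollout
else
    pct="$(printf '%s\n' "$SAMPLE_LOG" | error_pct)"
    echo "sample canary error rate: ${pct}% -> $(decide "$pct")"
fi
```

The point is the shape of the control, not the arithmetic: promotion is a function of evidence, and an `abort` returns traffic to the stable ReplicaSet immediately, which is why the lab can claim rollbacks are instant.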
MODULE 2: Helm + Argo CD (Real-World GitOps)
Goal
Show that:
- Helm is NOT a deploy tool
- Argo CD is NOT a template engine
- Together they form production GitOps
Helm:
- Templates YAML
Argo CD:
- Applies and enforces YAML
Correct mental model:
"Helm renders.
Argo enforces."
Lab 2.1: Helm-Based GitOps Repo
Restructure GitOps repo:
```
grade-api-gitops/
└── chart/
    ├── Chart.yaml
    ├── values.yaml
    └── templates/
        └── rollout.yaml
```
Put Rollout YAML into templates/.
Lab 2.2: Argo Application with Helm Source
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grade-submission-api
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/jumptotechschooldevops/grade-api-gitops
    targetRevision: main
    path: chart
    helm:
      valueFiles:
        - values.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: grade
```
Apply:
```shell
kubectl apply -f grade-api-app.yaml
```
Lab 2.3: Change Values Only (No YAML Change)
Change image tag via CI → GitOps values.yaml.
Observe:
- Helm renders new YAML
- Argo detects diff
- Argo applies change
Teaching points:
- Why Helm is still used
- Why running helm upgrade by hand is dangerous
- Why Argo + Helm is the industry standard
Interview sentence:
"Helm handles templating, Argo CD handles reconciliation."
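Lab 2.3 says CI changes only the image tag in values.yaml, but does not show what that step or the template wiring looks like. The script below is an added example, not the lab's or the project's own CI: it creates the Lab 2.1 layout in a temporary directory with a constructed values.yaml and a template excerpt whose image line reads the tag from `.Values`, then bumps the tag the way a CI job would. The values keys, the tag format check and the directory contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the lab: the CI-side "bump the tag" step of Lab 2.3.
# CI edits one value; Helm (run by Argo CD) renders the Rollout from it.
# Assumed layout follows Lab 2.1; values keys and tag format are assumptions.
WORK="$(mktemp -d)"
mkdir -p "$WORK/chart/templates"

# Constructed chart/values.yaml
cat > "$WORK/chart/values.yaml" <<'EOF'
image:
  repository: ghcr.io/jumptotechschooldevops/k8s-ci-build
  tag: PLACEHOLDER
replicas: 3
EOF

# Constructed excerpt of chart/templates/rollout.yaml: the image line takes
# repository and tag from values, so CI never has to touch a template.
cat > "$WORK/chart/templates/rollout.yaml" <<'EOF'
        - name: app
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
EOF

# bump_image_tag FILE TAG: rewrite the `  tag:` line under image. Rejects any
# tag with characters outside the OCI tag charset so a hostile branch name
# cannot smuggle shell or sed metacharacters into the GitOps repo.
bump_image_tag() {
    file="$1"; tag="$2"
    case "$tag" in
        ""|*[!A-Za-z0-9._-]*) echo "refusing invalid tag '$tag'" >&2; return 2 ;;
    esac
    tmp="$file.tmp"
    sed -E "s/^(  tag:).*/\1 \"$tag\"/" "$file" > "$tmp" && mv "$tmp" "$file"
    grep -q "^  tag: \"$tag\"\$" "$file"
}

# current_tag FILE: print the tag currently pinned in values.yaml.
current_tag() {
    sed -nE 's/^  tag: *"?([^"]*)"?$/\1/p' "$1"
}

# In CI the bump is followed by a commit to the GitOps repo, which is what
# Argo CD reconciles (not run here):
#   git add chart/values.yaml
#   git commit -m "ci: deploy image tag $TAG"
#   git push

bump_image_tag "$WORK/chart/values.yaml" "sha-0123abcd" \
    && echo "values.yaml now pins tag $(current_tag "$WORK/chart/values.yaml")"
```

Rendering with `helm template chart/` afterwards shows the new image line, and that rendered output is exactly what Argo CD diffs against the cluster; no one runs `helm upgrade` against production, which is the "Helm renders, Argo enforces" split in practice.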
MODULE 3: RBAC LOCK-DOWN (PRODUCTION SAFETY LAB)
Goal
Show:
- Humans cannot touch prod
- Git is the only interface
- Argo enforces governance
This is platform engineering.
Lab 3.1: Create Read-Only Kubernetes Role
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-only
  namespace: grade
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "deployments", "services"]
    verbs: ["get", "list", "watch"]
```
Bind it:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-dev-user   # binding name is an example
  namespace: grade
subjects:
  - kind: User
    name: dev-user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-only
  apiGroup: rbac.authorization.k8s.io
```
Lab 3.2: Prove kubectl Is Blocked
```shell
kubectl -n grade scale deployment grade-submission-api --replicas=5
```
Result:
```
Error: forbidden
```
Explain:
Even if Argo didn't exist, humans are locked out.
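Trying one `kubectl scale` proves the Role works for one verb. A lockdown worth calling "designed, not hoped" is checked for every verb that matters, and re-checked whenever RBAC changes. The script below is an added example, not part of the lab: it asks `kubectl auth can-i ... --as dev-user` (kubectl's built-in impersonation) for a list of verb/resource pairs and reports any answer that differs from what a read-only binding should give. The user and namespace are the lab's; the policy table and the constructed offline answers (which deliberately contain one leak) are assumptions.

```shell
#!/bin/sh
# Added example, not from the lab: verify the Lab 3.1 read-only binding for a
# whole table of verbs instead of a single manual kubectl attempt.
# Assumed: user "dev-user" and namespace "grade" from the lab.
USER_NAME="${USER_NAME:-dev-user}"
NAMESPACE="${NAMESPACE:-grade}"

# Expected answers for a read-only user: "verb resource expected".
# deployments/scale is the subresource `kubectl scale` patches (Lab 3.2).
POLICY='get    pods              yes
list   deployments       yes
watch  services          yes
create pods              no
update deployments       no
patch  deployments/scale no
delete pods              no
delete services          no'

# ask_live VERB RESOURCE: real check via impersonation; prints yes or no.
ask_live() {
    kubectl -n "$NAMESPACE" auth can-i "$1" "$2" --as "$USER_NAME" 2>/dev/null || true
}

# ask_sample VERB RESOURCE: constructed answers for offline runs. The binding
# is right except that dev-user can still delete pods.
ask_sample() {
    case "$1 $2" in
        get*|list*|watch*) echo yes ;;
        "delete pods")     echo yes ;;
        *)                 echo no ;;
    esac
}

# check_policy ASKFN: compare every POLICY row with the answer function,
# print each violation, and return the number of violations (0 = locked down).
check_policy() {
    ask="$1"; violations=0
    while read -r verb resource expected; do
        [ -n "$verb" ] || continue
        actual="$("$ask" "$verb" "$resource")"
        if [ "$actual" != "$expected" ]; then
            echo "VIOLATION: $USER_NAME can-i $verb $resource -> '$actual' (expected $expected)"
            violations=$((violations + 1))
        fi
    done <<EOF
$POLICY
EOF
    return "$violations"
}

if [ "${1:-}" = "--live" ]; then
    check_policy ask_live && echo "read-only binding verified for $USER_NAME"
else
    check_policy ask_sample || echo "sample binding leaks $? write verb(s)"
fi
```

Run with `--live` by an admin whose credentials are allowed to impersonate; a non-zero exit means a human still has a write path into the namespace, and the fix belongs in the Role or RoleBinding in Git, not in a one-off `kubectl edit`.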
Lab 3.3: Argo CD RBAC (App-Level)
Edit argocd-rbac-cm:
```yaml
data:
  policy.csv: |
    p, role:readonly, applications, get, *, allow
    p, role:readonly, applications, sync, *, deny
```
Map users to role.
Lab 3.4: Demo UI Restrictions
Log in as:
- Read-only user
Show:
- Cannot Sync
- Cannot Delete
- Cannot Edit
But:
- Can view state
- Can view logs
Teaching points:
- Prod safety is designed, not hoped
- kubectl access is removed
- Git approvals replace manual changes
Interview sentence:
"In production, engineers don't deploy; Argo does."
| Topic | Skill Level |
|---|---|
| Argo CD Dashboard | Core GitOps |
| Drift & Self-Healing | Mid |
| Rollouts | Advanced |
| Helm + Argo | Senior |
| RBAC Lockdown | Platform |
| Governance | Staff/Lead |