From manual kubectl commands to fully automated infrastructure management - here's how I built a production-ready GitOps pipeline
TL;DR
I built a complete GitOps infrastructure management system using:
- π― Argo CD for GitOps automation
- β‘ Crossplane for infrastructure provisioning
- π App-of-Apps pattern for scalable application management
- π¦ MetalLB as the infrastructure example
- π Sync waves for dependency management
Result: Infrastructure changes now happen through Git commits, with full automation and zero manual intervention.
The Problem I Solved
Managing Kubernetes infrastructure traditionally sucks:
# The old way - manual and error-prone
kubectl apply -f metallb-config.yaml
kubectl apply -f ingress-controller.yaml
kubectl apply -f monitoring-stack.yaml
# Oh no! Order matters... π₯
# Which version is running in production? π€·ββοΈ
# Who made that change? π΅οΈββοΈ
I wanted infrastructure that:
- β Lives in Git (version controlled)
- β Deploys automatically (no manual steps)
- β Handles dependencies (no ordering issues)
- β Self-heals (drift detection & correction)
- β Provides audit trails (who, what, when)
The Solution Architecture
graph LR
A[Git Commit] --> B[Argo CD]
B --> C[Crossplane]
C --> D[Kubernetes Resources]
B --> E[Sync Waves]
E --> F[Ordered Deployment]
π― Step 1: App-of-Apps Pattern
Instead of managing 50+ individual Argo CD applications, I use the App-of-Apps pattern:
# One app to rule them all
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: homelab-root
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
source:
repoURL: https://github.com/jamilshaikh07/homelab-gitops.git
path: apps # π All child apps live here
syncPolicy:
automated:
prune: true # ποΈ Clean up deleted resources
selfHeal: true # π§ Fix manual changes
Benefits:
- One root app manages everything
- New apps = just add YAML files
- Automatic discovery and deployment
β‘ Step 2: Crossplane for Infrastructure
Crossplane lets me manage infrastructure through Kubernetes APIs. Here's the magic:
# Instead of direct kubectl apply...
apiVersion: kubernetes.crossplane.io/v1alpha1
kind: Object
metadata:
name: metallb-ipaddresspool
annotations:
argocd.argoproj.io/sync-wave: "2" # π Depends on provider
spec:
providerConfigRef:
name: in-cluster
forProvider:
manifest:
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: homelab-pool
namespace: metallb-system
spec:
addresses:
- 10.20.0.81-10.20.0.99 # π― My LoadBalancer IP range
Why Crossplane Objects?
- π Continuous reconciliation (drift detection)
- π Rich status reporting (health, errors)
- π Dependency management (waits for providers)
- π RBAC integration (secure access)
π Step 3: Sync Waves for Dependencies
Order matters in infrastructure! I use sync waves to ensure proper sequencing:
# Wave -1: Root app-of-apps
argocd.argoproj.io/sync-wave: "-1"
# Wave 0: Install Crossplane providers
argocd.argoproj.io/sync-wave: "0"
# Wave 1: Provider configs + RBAC
argocd.argoproj.io/sync-wave: "1"
# Wave 2: Infrastructure resources
argocd.argoproj.io/sync-wave: "2"
Result: No more "CRD not found" or "provider not ready" errors! π
π Step 4: RBAC - The Critical Missing Piece
Crossplane needs permissions to manage your infrastructure. This is often overlooked:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane-provider-kubernetes-metallb
rules:
- apiGroups: ["metallb.io"]
resources: ["ipaddresspools", "l2advertisements"]
verbs: ["*"]
---
# Bind to the provider's service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: crossplane-provider-kubernetes-metallb
roleRef:
kind: ClusterRole
name: crossplane-provider-kubernetes-metallb
subjects:
- kind: ServiceAccount
name: provider-kubernetes-xxxxx # π Get from kubectl
namespace: crossplane-system
Pro tip: Restart provider pods after RBAC changes!
π§ͺ Testing the Complete Pipeline
Time for the moment of truth:
# 1. Bootstrap (one-time manual step)
kubectl apply -f argocd/app-of-apps.yaml
# 2. Check GitOps automation
kubectl -n argocd get applications
NAME SYNC STATUS HEALTH STATUS
crossplane-provider-kubernetes Synced Healthy β
homelab-root Synced Healthy β
metallb-config Synced Healthy β
# 3. Verify infrastructure was created
kubectl -n metallb-system get ipaddresspools.metallb.io
NAME ADDRESSES
homelab-pool ["10.20.0.81-10.20.0.99"] β
# 4. Test LoadBalancer functionality
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --type=LoadBalancer --port=80
kubectl get svc nginx
NAME TYPE EXTERNAL-IP PORT(S)
nginx LoadBalancer 10.20.0.82 80:30114/TCP β
# 5. Verify connectivity
curl http://10.20.0.82
<!DOCTYPE html>
<html>
<head><title>Welcome to nginx!</title></head>
# π SUCCESS!
It works! Infrastructure deployed entirely through GitOps! π
π Repository Structure
homelab-gitops/
βββ argocd/
β βββ app-of-apps.yaml # π Root application
βββ apps/
β βββ crossplane-provider-kubernetes-app.yaml
β βββ metallb-config-app.yaml # πΆ Child applications
βββ crossplane/
β βββ provider-kubernetes/
β βββ provider.yaml # β‘ Crossplane provider
β βββ providerconfig.yaml # βοΈ Configuration
β βββ rbac.yaml # π Permissions
βββ metallb/
βββ metallb-ipaddresspool.yaml # π Infrastructure
βββ metallb-l2advertisement.yaml # π¦ Resources
π‘ Key Lessons Learned
1. API Versions Are Critical
Different provider versions use different APIs:
# v0.13.0 uses v1alpha1
apiVersion: kubernetes.crossplane.io/v1alpha1
# Newer versions use v1alpha2
apiVersion: kubernetes.crossplane.io/v1alpha2
2. Bootstrap is Still Manual
Even with full GitOps, you need one manual step:
kubectl apply -f argocd/app-of-apps.yaml
After this, everything else is automated!
3. RBAC Debugging
If Crossplane objects stay "NotReady":
# Check provider permissions
kubectl -n crossplane-system describe object metallb-ipaddresspool
# Common fix: restart provider after RBAC changes
kubectl -n crossplane-system delete pod -l pkg.crossplane.io/provider=provider-kubernetes
4. YAML Formatting Matters
Watch your indentation! This kept my root app OutOfSync:
# β Wrong
destination:
server: https://kubernetes.default.svc
namespace: crossplane-system
# β
Correct
destination:
server: https://kubernetes.default.svc
namespace: crossplane-system
π What's Next?
This foundation scales to manage ANY infrastructure:
# Database clusters
kind: PostgreSQLCluster
# Service meshes
kind: Istio
# Monitoring stacks
kind: PrometheusStack
# Certificate management
kind: ClusterIssuer
# Storage solutions
kind: StorageClass
The pattern stays the same:
- Define in YAML
- Commit to Git
- Argo CD syncs automatically
- Crossplane provisions infrastructure
- Profit! π°
π Results
Before:
- Manual
kubectlcommands - Configuration drift
- No audit trail
- Deployment anxiety π°
After:
- Infrastructure as Code
- Git-driven deployments
- Automatic drift correction
- Pull request reviews
- Confidence in production π
Infrastructure changes are now as simple as creating a pull request!
π Resources
- π Complete repository
- π Crossplane documentation
- π― Argo CD documentation
- ποΈ App-of-Apps pattern
What infrastructure will you GitOps next? Drop a comment and let me know what you're planning to automate! π
Follow me for more cloud-native and DevOps content! π
Top comments (1)
This is a textbook example of how GitOps can evolve from a deployment strategy into full-stack infrastructure orchestration. The use of Crossplane as a control plane abstraction paired with Argo CDβs sync waves is a brilliant way to tame dependency hell and enforce sequencing without brittle scripts.
The App-of-Apps pattern adds clarity and scalability, especially in environments where infra and app lifecycles diverge. And the RBAC integration with Crossplane? Thatβs the kind of operational hygiene that often gets overlooked until it breaks something critical.
Appreciate how youβve framed this not just as tooling, but as a mindset shift from manual ops to declarative, auditable infrastructure. Posts like this help teams move from βGitOps curiousβ to production-ready.