GitOps with OpenChoreo
OpenChoreo embraces GitOps principles by treating Git repositories as the single source of truth for both platform configuration and application deployments. This approach enables declarative, versioned, and auditable infrastructure and application management across multiple Environments and clusters.
GitOps Principlesβ
OpenChoreo implements GitOps through the four OpenGitOps principles:
- Declarative: The desired state of the system is expressed declaratively through OpenChoreo CRDs and YAML manifests
- Versioned and Immutable: Desired state is stored in Git, which enforces immutability, versioning, and retains a complete version history
- Pulled Automatically: GitOps agents (such as Flux CD) automatically pull the desired state declarations from the Git repository
- Continuously Reconciled: Software agents continuously observe the actual system state and attempt to apply the desired state
Repository Organization Patternsβ
OpenChoreo is designed to work with any repository structure by adhering to core GitOps principles. Choose the pattern that best fits your team's size, structure, and governance requirements.
Mono Repositoryβ
A single repository containing all OpenChoreo resources - ideal for smaller teams or organizations where platform and development teams work closely together.
.
βββ platform-shared/ # cluster-scoped resources
β βββ cluster-workflow-templates/
β βββ argo/
β βββ docker.yaml
β βββ bulk-gitops-release-template.yaml
β
βββ namespaces/ # namespace-scoped resources
βββ <namespace>/
βββ namespace.yaml
β
βββ platform/ # platform-level resources (managed by platform team)
β βββ infra/
β β βββ deployment-pipelines/
β β β βββ standard.yaml
β β βββ environments/
β β βββ development.yaml
β β βββ staging.yaml
β β βββ production.yaml
β βββ component-types/
β β βββ service.yaml
β β βββ webapp.yaml
β β βββ scheduled-task.yaml
β βββ traits/
β β βββ persistent-volume.yaml
β β βββ api-management.yaml
β βββ component-workflows/
β β βββ docker-with-gitops.yaml
β βββ workflows/
β β βββ bulk-gitops-release.yaml
β βββ secret-references/
β βββ database-secret-reference.yaml
β
βββ projects/ # application resources (managed by development teams)
βββ <project-name>/
βββ project.yaml
βββ components/
βββ <component-name>/
βββ component.yaml
βββ workload.yaml
βββ releases/
β βββ <component>-<date>-<revision>.yaml
βββ release-bindings/
βββ <component>-development.yaml
βββ <component>-staging.yaml
Multi Repositoryβ
Separate repositories for platform configuration and application resources. This pattern is recommended for larger organizations where platform teams and development teams have different access controls, approval workflows, and release cadences.
Platform Configuration Repository - Managed by platform engineers:
.
βββ platform-shared/ # cluster-scoped resources
β βββ cluster-workflow-templates/
β βββ argo/
β βββ docker.yaml
β βββ bulk-gitops-release-template.yaml
β
βββ namespaces/
βββ <namespace>/
βββ namespace.yaml
βββ platform/
βββ infra/
β βββ deployment-pipelines/
β β βββ standard.yaml
β βββ environments/
β βββ development.yaml
β βββ staging.yaml
β βββ production.yaml
βββ component-types/
β βββ service.yaml
β βββ webapp.yaml
β βββ scheduled-task.yaml
βββ traits/
β βββ persistent-volume.yaml
β βββ api-management.yaml
βββ component-workflows/
β βββ docker-with-gitops.yaml
βββ workflows/
β βββ bulk-gitops-release.yaml
βββ secret-references/
βββ database-secret-reference.yaml
Application Repository - Managed by development teams:
.
βββ namespaces/
βββ <namespace>/
βββ projects/
βββ <project-name>/
βββ project.yaml
βββ components/
βββ <component-name>/
βββ component.yaml
βββ workload.yaml
βββ releases/
β βββ <component>-<date>-<revision>.yaml
βββ release-bindings/
βββ <component>-development.yaml
βββ <component>-staging.yaml
Benefits of Multi Repository:
- Clear ownership boundaries - Platform teams control infrastructure; development teams control applications
- Independent access controls - Different permissions and approval workflows per repository
- Separate release cadences - Platform changes can be reviewed and deployed independently from application changes
- Reduced blast radius - Changes to one repository don't affect the other
- Easier compliance and auditing - Clear separation for regulatory requirements
The patterns above are common starting points, but OpenChoreo is designed to work with any repository structure that fits your team's needs. Since OpenChoreo reconciles resources based on their content rather than their location, you have complete flexibility in how you organize your Git repositories. Other patterns you might consider:
- Repository per Project - Each development team owns their Project in a dedicated repository
- Repository per Component - Individual Components managed in separate repositories for maximum isolation
- Separate ReleaseBindings repository - Keep ReleaseBindings in a dedicated repository for centralized deployment control
- Environment-based repositories - Separate repositories for production vs non-production configurations
- Hybrid approaches - Combine patterns based on team structure and security requirements
Choose the structure that aligns with your team's governance policies, boundaries, and operational workflows.
Best Practicesβ
Repository Organizationβ
OpenChoreo's declarative nature means it works with any repository structure - resources are reconciled based on their content, not their location. However, following consistent patterns provides significant benefits:
Choose the right repository strategy
- Use a mono repository for smaller teams or when platform and development teams collaborate closely
- Use multi repository for larger teams requiring strict access controls and independent workflows
- See Repository Organization Patterns for detailed structures
Use consistent directory structures
While OpenChoreo doesn't enforce directory layouts, consistent structure helps teams:
- Quickly locate resources across projects
- Onboard new team members faster
- Apply automation and tooling uniformly
Configuration Managementβ
OpenChoreo handles resource dependencies automatically
OpenChoreo resources don't require specific ordering or dependency management. The controllers reconcile resources based on their relationships, not their application order.
OpenChoreo supports multiple Environments natively
Unlike traditional Kubernetes GitOps where you need separate branches or Kustomize overlays per environment, OpenChoreo handles multi-environment deployments through its built-in resources (Environment, ComponentRelease, ReleaseBinding). You define your Component once and use ReleaseBindings to deploy it across Environments.
Consider Kustomize for operational concerns (optional)
While not required for environment management, tools like Kustomize can be useful for operational tasks. For example, when using Flux CD, you can use Flux Kustomization resources to inject the target namespace for all resources in a path:
# flux/platform-kustomization.yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: platform
namespace: flux-system
spec:
interval: 5m
path: ./namespaces/default/platform
prune: true
targetNamespace: default # inject namespace for all resources
sourceRef:
kind: GitRepository
name: my-gitops-repo
Version Control Practicesβ
- Use pull requests for all changes - Enable code review and maintain audit trails
- Implement branch protection - Require reviews for changes affecting production Environments
- Tag releases - Use semantic versioning for traceability and rollback capabilities
- Write meaningful commit messages - Document the intent behind configuration changes
Security Practicesβ
- Never commit plaintext secrets - Use SecretReference resources to reference external secret stores
- Define Code Owners - Use a
CODEOWNERSfile to protect critical files and directories by requiring review from designated owners before merging changes.
Secrets Managementβ
OpenChoreo integrates with the External Secrets Operator (ESO) to provide secure, GitOps-friendly secrets management. Platform teams define SecretReference resources to bring in secrets from external secret stores without committing plaintext secrets to Git.
In a GitOps repository, SecretReference resources are typically organized under the platform-level directory (e.g., namespaces/<namespace>/platform/secret-references/), managed by the platform team alongside other infrastructure resources.
For complete setup instructions, provider configuration, and usage examples, see the Secret Management guide.
Deployment Strategyβ
OpenChoreo uses a two-resource model for deployments that enables GitOps-friendly, Environment-aware releases:
| Resource | Purpose |
|---|---|
| ComponentRelease | Immutable snapshot of a Component version (workload, traits, configurations) |
| ReleaseBinding | Binds a ComponentRelease to an Environment with optional overrides |
This separation allows the same ComponentRelease to be deployed across multiple Environments with Environment-specific configurations. To promote a Component, create a ReleaseBinding that references the same ComponentRelease in the target Environment. To roll back, update the ReleaseBinding to reference a previous ComponentRelease.
For a hands-on walkthrough of this promotion workflow, see the Flux CD Tutorial.
occ)The occ CLI simplifies common GitOps operations such as creating Workloads, generating ComponentReleases, managing ReleaseBindings, and automating promotions. See the CLI Reference for available commands.
Monitoring and Observabilityβ
GitOps Tool Monitoringβ
GitOps operators provide built-in monitoring for sync status, drift detection, reconciliation metrics, and event logging. Refer to your tool's documentation for specific setup:
OpenChoreo Resource Monitoringβ
OpenChoreo tracks the health of deployed resources through ReleaseBinding status conditions:
| Condition | Description |
|---|---|
| ReleaseSynced | Whether the Release was successfully created/updated |
| ResourcesReady | Whether all resources in the DataPlane are healthy |
| Ready | Overall readiness of the deployment |
Use kubectl to check deployment status:
kubectl get releasebindings -A -o wide
kubectl describe releasebinding <name> -n <namespace>
Next Stepsβ
Get started on GitOps with OpenChoreo:
- Flux CD Getting Started - Set up Flux CD with OpenChoreo