GitOps is the operational model where Git is the single source of truth for both application and infrastructure state. Every change to a running system is made through a Git commit β never by running kubectl apply directly against the cluster. The cluster continuously reconciles its actual state against the desired state declared in Git.
This setup implements GitOps for the Backstage Internal Developer Portal, using a two-repository pattern, ArgoCD for continuous deployment, GitHub Actions for CI, and Argo Rollouts for safe progressive delivery.
The GitOps workflow is split across two GitHub repositories:
| Repository | Purpose |
|---|---|
igfurlan/backstage | Application source code, Dockerfile, GitHub Actions workflows |
igfurlan/backstage-gitops | Kubernetes manifests, Kustomize overlays, Argo Rollout definition |
This separation is intentional: it decouples the application lifecycle (builds, tests) from the deployment lifecycle (manifest changes, environment promotions). ArgoCD only watches the GitOps repo β it never has access to the application source code.
The backstage-gitops repository uses a Kustomize overlay pattern:
backstage-gitops/βββ base/β βββ kustomization.yaml # Assembles all base resourcesβ βββ namespace.yaml # backstage namespaceβ βββ rollout.yaml # Argo Rollout (replaces Deployment)β βββ service.yaml # ClusterIP serviceβ βββ httproute.yaml # Gateway API HTTPRouteβ βββ analysis-template.yaml # Prometheus-based canary analysisβ βββ sealed-secret.yaml # Encrypted DB credentialsβββ overlays/ βββ production/ βββ kustomization.yaml # Extends base βββ patches/ βββ resources.yaml # Image tag + resource limits patchThe base/ layer defines the universal configuration. The production/ overlay applies environment-specific patches β most importantly, the container image tag, which is updated automatically by the CI pipeline on every successful push to main.
ArgoCD monitors the overlays/production path in the GitOps repository:
apiVersion: argoproj.io/v1alpha1kind: Applicationmetadata: name: backstage namespace: argocdspec: project: default source: repoURL: https://github.com/igfurlan/backstage-gitops.git targetRevision: main path: overlays/production destination: server: https://kubernetes.default.svc namespace: backstage syncPolicy: automated: prune: true selfHeal: true syncOptions: - CreateNamespace=trueKey policies:
automated β ArgoCD syncs automatically when the GitOps repo changes; no manual approval neededprune: true β resources removed from Git are also removed from the clusterselfHeal: true β if someone manually changes a resource in the cluster, ArgoCD reverts it to match Git within seconds
The CI pipeline in backstage/.github/workflows/ci.yaml runs two jobs depending on the event type:
Job: validate
Triggered when a PR is opened against main. Builds the Docker image using BuildKit cache but does not push it. This validates that the Dockerfile is correct and the build succeeds without spending registry storage.
Steps:
type=gha)Job: deploy
Triggered when a commit is merged to main. This is the full deployment pipeline.
Steps:
git rev-parse --short HEAD)ghcr.io/igfurlan/backstage:sha-<shortsha> (immutable, for rollback)ghcr.io/igfurlan/backstage:latest (floating, for local dev)backstage-gitops repo (using a GITOPS_PAT secret)overlays/production/patches/resources.yaml"deploy: backstage sha-<shortsha>"The pipeline uses GitHub Actions cache (type=gha) for Docker layer caching. Build times drop significantly after the first run because unchanged layers are reused from the cache.
# Image tag update step (from ci.yaml)- name: Update image tag run: | cd gitops sed -i "s|value: ghcr.io/igfurlan/backstage:sha-.*|\ value: ghcr.io/igfurlan/backstage:sha-${{ steps.sha.outputs.short }}|" \ overlays/production/patches/resources.yaml git add . git diff --staged --quiet || \ git commit -m "deploy: backstage sha-${{ steps.sha.outputs.short }}" git push
Instead of a standard Kubernetes Deployment, Backstage uses an Argo Rollout resource. This enables canary deployments β gradually shifting traffic to the new version while monitoring error rates and latency in real time.
The canary strategy is defined in base/rollout.yaml:
strategy: canary: analysis: templates: - templateName: backstage-canary-check startingStep: 1 steps: - setWeight: 20 # 20% of traffic to new version - pause: { duration: 60s } - setWeight: 50 # 50% of traffic - pause: { duration: 60s } - setWeight: 80 # 80% of traffic - pause: { duration: 30s } # Full 100% promotion happens automatically if analysis passesThe rollout progresses through 3 traffic weight stages, pausing at each to observe metrics. At step 1, an AnalysisRun begins and runs continuously throughout the rollout.
The AnalysisTemplate (backstage-canary-check) queries Prometheus at 30-second intervals throughout the canary rollout. Three metrics are evaluated:
Error Rate
Metric: HTTP 5xx error rate on Traefik service requests
Query: sum(rate(traefik_service_requests_total{...code=~"5.."}[2m])) / sum(rate(...))
Threshold: β€ 25% error rate (result[0] <= 0.25)
Failure limit: 3 consecutive failures before rollback
p95 Latency
Metric: 95th percentile request duration via Traefik histogram
Query: histogram_quantile(0.95, sum(rate(traefik_service_request_duration_seconds_bucket{...}[2m])) by (le))
Threshold: β€ 5 seconds
Failure limit: 3 consecutive failures before rollback
Pod Restarts
Metric: Container restart count increase in the backstage namespace
Query: sum(increase(kube_pod_container_status_restarts_total{namespace="backstage",...}[2m]))
Threshold: < 2 restarts
Failure limit: 2 consecutive failures before rollback
If any metric exceeds its threshold too many times, the AnalysisRun fails and Argo Rollouts automatically rolls back to the previous stable version β without any human intervention.
# From analysis-template.yamlmetrics: - name: error-rate interval: 30s successCondition: len(result) == 0 || isNaN(result[0]) || result[0] <= 0.25 failureLimit: 3 provider: prometheus: address: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090 query: | sum(rate(traefik_service_requests_total{exported_service=~"backstage-backstage-.*",code=~"5.."}[2m])) / sum(rate(traefik_service_requests_total{exported_service=~"backstage-backstage-.*"}[2m]))This integration closes the loop between the observability stack (Prometheus + Traefik metrics) and the deployment pipeline, creating a true automated feedback loop.
Storing Kubernetes secrets in Git is normally a security anti-pattern β secrets would be visible to anyone with repository access. Sealed Secrets (by Bitnami) solves this by allowing secrets to be encrypted before being committed to Git.
The backstage database credentials (POSTGRES_HOST, POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_PORT, BACKEND_SECRET) are stored as a SealedSecret resource in base/sealed-secret.yaml.
The workflow:
Secret locally (never committed)kubeseal, using the clusterβs public key: kubeseal --format yaml < secret.yaml > sealed-secret.yamlSealedSecret YAML to Git (safe β itβs ciphertext)sealed-secrets-controller decrypts it and creates the real Secret in the clusterThe sealed data can only be decrypted by the cluster that holds the corresponding private key. Even if the GitOps repository is public, the encrypted secrets are worthless to an attacker without access to the cluster.
