GitOps Patterns for Multi-Cloud (2025)
GitOps has evolved significantly to address the complexities of multi-cloud environments. This guide presents modern GitOps patterns for 2025 that enable reliable, consistent management of infrastructure and applications across AWS, Azure, and GCP.
Core GitOps Principles: 2025 Edition
The foundational principles of GitOps have expanded to accommodate multi-cloud realities:
Declarative Infrastructure - All infrastructure, not just applications, is defined declaratively
Git as Single Source of Truth - All changes across clouds are tracked in version control
Pull-Based Deployments - Controllers in each cloud pull desired state from Git
Continuous Reconciliation - System automatically corrects drift from the desired state
Immutable Infrastructure - Resources are replaced, not modified
Security by Default - Security controls are embedded in the GitOps workflow
Observability Integration - GitOps workflows emit metrics, logs, and traces
Implementation Architecture
Centralized vs. Federated GitOps Models
1. Centralized Model
In a centralized model, a single Git repository contains configurations for all clouds, with separate directories for each provider:
infrastructure/
├── aws/
│ ├── eks/
│ ├── networking/
│ └── security/
├── azure/
│ ├── aks/
│ ├── networking/
│ └── security/
└── gcp/
├── gke/
├── networking/
└── security/Benefits:
Unified view across all environments
Consistent policies and patterns
Simplified cross-cloud orchestration
Single approval workflow
Challenges:
Repository can become large and complex
Teams may have different cloud ownership
Security boundaries might be more complex
Example implementation with Flux:
# Root Kustomization for multi-cloud deployment
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infrastructure
namespace: flux-system
spec:
interval: 10m
path: ./infrastructure
prune: true
sourceRef:
kind: GitRepository
name: flux-system
---
# Cloud-specific Kustomizations
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: aws-infrastructure
namespace: flux-system
spec:
dependsOn:
- name: infrastructure
interval: 10m
path: ./infrastructure/aws
prune: true
sourceRef:
kind: GitRepository
name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: azure-infrastructure
namespace: flux-system
spec:
dependsOn:
- name: infrastructure
interval: 10m
path: ./infrastructure/azure
prune: true
sourceRef:
kind: GitRepository
name: flux-system2. Federated Model
In a federated model, separate repositories exist for each cloud provider with a "meta-repo" that references them:
# Meta repository structure
fleet/
├── aws-fleet.yaml
├── azure-fleet.yaml
└── gcp-fleet.yamlEach cloud-specific repository contains its own configuration:
# aws-infrastructure repository
eks/
networking/
security/Benefits:
Clear separation of concerns
Independent team ownership
Granular access control
Smaller, more focused repositories
Challenges:
Cross-cloud coordination is more complex
Requires additional synchronization mechanisms
Can be challenging to implement holistic policies
Example implementation with ArgoCD:
# Application of applications pattern
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: fleet-of-clouds
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/organization/fleet.git
targetRevision: HEAD
path: .
destination:
server: https://kubernetes.default.svc
namespace: argocd
---
# AWS-specific application in fleet repo
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: aws-infrastructure
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/organization/aws-infrastructure.git
targetRevision: HEAD
path: .
destination:
server: https://kubernetes.default.svc
namespace: aws-infraMulti-Cloud GitOps Tools
1. Flux
Flux is a set of continuous and progressive delivery solutions for Kubernetes that can be extended to manage cloud resources.
# Example Flux Terraform Controller deployment
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
name: terraform-aws
namespace: flux-system
spec:
interval: 1m
url: https://github.com/organization/terraform-aws
ref:
branch: main
---
apiVersion: infra.contrib.fluxcd.io/v1alpha1
kind: Terraform
metadata:
name: aws-vpc
namespace: flux-system
spec:
interval: 10m
path: ./vpc
sourceRef:
kind: GitRepository
name: terraform-aws
approvePlan: auto
writeOutputsToSecret:
name: aws-vpc-outputs2. ArgoCD
ArgoCD is a declarative GitOps continuous delivery tool for Kubernetes that can be extended with plugins for multi-cloud scenarios.
# ArgoCD with AWS plugin
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: aws-resources
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/organization/aws-resources.git
targetRevision: HEAD
path: .
plugin:
name: argocd-vault-plugin
destination:
server: https://kubernetes.default.svc
namespace: aws-resources3. Crossplane
Crossplane is a control plane that enables platform teams to create cloud-native applications using managed services from multiple providers.
# Crossplane AWS VPC configuration
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: VPC
metadata:
name: production-vpc
spec:
forProvider:
region: us-west-2
cidrBlock: 10.0.0.0/16
enableDnsSupport: true
enableDnsHostNames: true
tags:
environment: production
providerConfigRef:
name: aws-providerAdvanced GitOps Patterns
1. Multi-Cluster Configuration Management
For organizations managing multiple Kubernetes clusters across different clouds:
# Centralized configuration with cluster-specific overlays
clusters/
├── base/
│ ├── monitoring/
│ │ └── prometheus.yaml
│ └── security/
│ └── network-policies.yaml
└── overlays/
├── aws-prod/
│ ├── kustomization.yaml
│ └── monitoring/
│ └── prometheus-aws.yaml
├── azure-prod/
│ ├── kustomization.yaml
│ └── monitoring/
│ └── prometheus-azure.yaml
└── gcp-prod/
├── kustomization.yaml
└── monitoring/
└── prometheus-gcp.yaml2. Progressive Delivery Across Clouds
Implementing canary and blue/green deployments across multiple cloud environments:
# Flux Canary Release for multi-cloud
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: podinfo
namespace: podinfo
spec:
interval: 5m
chart:
spec:
chart: podinfo
version: '>=6.0.0'
sourceRef:
kind: HelmRepository
name: podinfo
values:
replicaCount: 3
upgrade:
# Gradual rollout across clusters
remediation:
remediateLastFailure: true
strategy:
canary:
steps:
- setWeight: 5
- pause: {duration: 5m}
- setWeight: 20
- pause: {duration: 10m}
- setWeight: 50
- pause: {duration: 10m}3. Policy-as-Code Integration
Enforcing consistent policies across all cloud environments:
# OPA/Gatekeeper constraint template
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
openAPIV3Schema:
type: object
properties:
labels:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("Missing required labels: %v", [missing])
}4. Secret Management in GitOps Workflows
Secure handling of secrets across multiple clouds:
# External Secrets Operator with AWS Parameter Store
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: aws-secret
spec:
refreshInterval: "1h"
secretStoreRef:
name: aws-parameterstore
kind: ClusterSecretStore
target:
name: application-secrets
creationPolicy: Owner
data:
- secretKey: dbPassword
remoteRef:
key: /myapp/production/db-passwordCI/CD Integration with GitOps
1. Pull Request Workflows
Modern GitOps implementations include CI processes that validate changes before they're merged:
# GitHub Actions workflow for multi-cloud validation
name: Validate Changes
on:
pull_request:
branches: [ main ]
paths:
- 'infrastructure/**'
jobs:
validate:
runs-on: ubuntu-latest
strategy:
matrix:
provider: [aws, azure, gcp]
include:
- provider: aws
workdir: ./infrastructure/aws
validate_cmd: terraform validate
- provider: azure
workdir: ./infrastructure/azure
validate_cmd: az bicep build --file main.bicep
- provider: gcp
workdir: ./infrastructure/gcp
validate_cmd: gcloud beta terraform vet
steps:
- uses: actions/checkout@v3
- name: Setup provider tools
run: |
if [ "${{ matrix.provider }}" == "aws" ]; then
# AWS setup
curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# Install Terraform
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install terraform
elif [ "${{ matrix.provider }}" == "azure" ]; then
# Azure setup
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
az bicep install
elif [ "${{ matrix.provider }}" == "gcp" ]; then
# GCP setup
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
sudo apt-get update && sudo apt-get install google-cloud-sdk
fi
- name: Validate ${{ matrix.provider }} configuration
working-directory: ${{ matrix.workdir }}
run: ${{ matrix.validate_cmd }}
- name: Run Policy Checks
uses: open-policy-agent/conftest-action@v2.0.0
with:
files: ${{ matrix.workdir }}
policy: ./policies/${{ matrix.provider }}2. Post-Merge Verification
After changes are merged to the main branch, automated processes verify successful application:
# GitLab CI post-merge verification
stages:
- validate
- apply
- verify
verify-aws:
stage: verify
script:
- aws cloudformation describe-stacks --stack-name production-stack --query "Stacks[0].StackStatus" | grep -q "COMPLETE"
- aws eks describe-cluster --name production --query "cluster.status" | grep -q "ACTIVE"
only:
- main
verify-azure:
stage: verify
script:
- az deployment group show --name production-deployment --resource-group production --query "properties.provisioningState" | grep -q "Succeeded"
only:
- main
verify-gcp:
stage: verify
script:
- gcloud deployment-manager deployments describe production --format="json" | jq '.operation.status' | grep -q "DONE"
only:
- mainMulti-Cloud GitOps Best Practices
Adopt Common Tooling: Use the same GitOps tools across clouds when possible
Define Consistent Patterns: Create templates and standards that work across providers
Implement Strong RBAC: Use granular permissions to control who can change what
Cross-Cloud Testing: Implement testing across all target environments
Standardize Observability: Use consistent monitoring and alerting across clouds
Automate Drift Detection: Implement regular checks for configuration drift
Document Failure Modes: Plan for GitOps controller failures or Git outages
Implement Backup Strategies: Ensure GitOps state can be recovered
Real-World Examples
Example 1: Financial Services Multi-Cloud Deployment
A financial services company implements GitOps across AWS (primary) and Azure (secondary) for regulatory compliance:
# ArgoCD ApplicationSet for multi-region deployment
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: financial-application
spec:
generators:
- list:
elements:
- cloud: aws
region: us-east-1
clusterUrl: https://aws-east.example.com
- cloud: aws
region: us-west-2
clusterUrl: https://aws-west.example.com
- cloud: azure
region: eastus
clusterUrl: https://azure-east.example.com
template:
metadata:
name: '{{cloud}}-{{region}}-app'
spec:
project: default
source:
repoURL: https://github.com/financial-org/app-configs.git
targetRevision: main
path: overlays/{{cloud}}/{{region}}
destination:
server: '{{clusterUrl}}'
namespace: financial-app
syncPolicy:
automated:
prune: true
selfHeal: trueExample 2: Retail Company with Edge Locations
A retail company manages Kubernetes clusters across AWS, Azure, and edge locations:
# Flux deployment with multi-type structure
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: retail-infrastructure
namespace: flux-system
spec:
interval: 10m
path: ./base
prune: true
sourceRef:
kind: GitRepository
name: retail-infrastructure
postBuild:
substituteFrom:
- kind: ConfigMap
name: cluster-config
---
# ConfigMap with cluster-specific values
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-config
namespace: flux-system
data:
CLUSTER_TYPE: "EDGE" # Alternative: AWS, AZURE
REGION: "store-1234"
RESOURCE_TIER: "small" # Depends on the location's sizeConclusion
Modern GitOps patterns enable organizations to maintain consistency across multi-cloud environments while respecting the unique characteristics of each provider. By implementing these patterns, teams can achieve greater reliability, improved security, and faster deployment cycles across their entire infrastructure.
Resources
Last updated