Deployment Overview
How code in main becomes prod
GitOps over K3s. Every merge to main flows to prod automatically.
Stack
- Ansible provisions the VPS and installs K3s — Provisioning
- K3s runs the workloads — Kubernetes access
- ArgoCD syncs manifests from main — ArgoCD setup
- ArgoCD Image Updater promotes new image tags without any git commit — CI/CD
- SOPS + age encrypts workload secrets; Sealed Secrets encrypts ArgoCD-level secrets
Flow
Release tags (v*) annotate the GitHub release with image references but do not trigger a separate deploy — see Releases.
Repository layout
kustomization.yaml
See the infrastructure/kubernetes/ README for directory-level details.
Where to look
| Task | Go here |
|---|---|
| Access the cluster | Kubernetes access |
| Understand the CD pipeline | CI/CD |
| Roll back a bad deploy | CI/CD → Rollback |
| Cut a release | Releases |
| Decrypt or rotate secrets | Kubernetes access → Secrets |
| Image Updater internals | image-updater README |
| Renew TLS certs | TLS certificate |