惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cloudbric
Cloudbric
有赞技术团队
有赞技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Threat Research - Cisco Blogs
L
LangChain Blog
Simon Willison's Weblog
Simon Willison's Weblog
Project Zero
Project Zero
Latest news
Latest news
S
Schneier on Security
Cisco Talos Blog
Cisco Talos Blog
MyScale Blog
MyScale Blog
C
Check Point Blog
IT之家
IT之家
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CERT Recently Published Vulnerability Notes
Scott Helme
Scott Helme
The Hacker News
The Hacker News
C
CXSECURITY Database RSS Feed - CXSecurity.com
G
Google Developers Blog
T
Tor Project blog
T
Threatpost
D
DataBreaches.Net
博客园 - 【当耐特】
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Troy Hunt's Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
博客园_首页
S
Securelist
T
The Exploit Database - CXSecurity.com
Last Week in AI
Last Week in AI
量子位
U
Unit 42
Know Your Adversary
Know Your Adversary
Hugging Face - Blog
Hugging Face - Blog
S
Security Affairs
Google Online Security Blog
Google Online Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
S
SegmentFault 最新的问题
Engineering at Meta
Engineering at Meta
N
News and Events Feed by Topic
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志

Sealos Blog

Build a Full-Stack App with Claude Code + InsForge — Zero Backend Code | Sealos Blog InsForge vs Supabase: Which Backend for AI-Powered Development? | Sealos Blog Kubernetes NodePort Exhaustion: SSH Gateway Solution | Sealos Blog Claude Code Metrics Dashboard: Grafana Setup (2026) | Sealos Blog What Is RustFS? Apache 2.0 MinIO Alternative (2026) | Sealos Blog Claude Code Mobile: iPhone, Android & SSH (2026) | Sealos Blog Eaglercraft Server Hosting: Fast Setup (2026) | Sealos Blog An Honest Review: Migrating a Complex Microservice App from Heroku to Sealos | Sealos Blog The Ultimate Guide to Kubernetes Audit Logging for Security and Compliance | Sealos Blog Cost Optimization Shootout: Sealos Autonomous FinOps vs. Kubecost Manual Reports | Sealos Blog For CTOs: How to Cut Your Cloud Bill by 50% Without Sacrificing Performance | Sealos Blog Building Resilient Systems: A Deep Dive into Sealos High-Availability and Auto-Failover | Sealos Blog Building a Scalable Event-Driven Architecture with Sealos Managed Kafka | Sealos Blog Beyond kubectl apply: 5 GitOps Best Practices for Production-Ready CI/CD on Sealos | Sealos Blog Advanced RAG Pipelines: Why Your Choice of Vector Database (like Milvus) Matters | Sealos Blog Advanced MLOps: How to Monitor and Evaluate LLM Applications in Production | Sealos Blog A Developer's Guide to Kubernetes RBAC: Securing Your Cluster the Easy Way with Sealos | Sealos Blog A CISO's Guide to Cloud Development: Securing the CI/CD Pipeline with Sealos DevBox | Sealos Blog What is Kubernetes Multi-Tenancy? A Guide for Platform Engineers | Sealos Blog What is Infrastructure from Code (IfC)? The Next Step After Infrastructure as Code (IaC) | Sealos Blog What is GitOps? A Beginner's Guide to "Push-to-Deploy" Workflows | Sealos Blog What is eBPF? The Future of Kubernetes Networking and Security | Sealos Blog What is an "AI-Native" Platform? (And Why You Need One for MLOps) | Sealos Blog What is an Agentic Workflow? Building the Next Generation of AI Apps | Sealos Blog What is a Kubernetes Chargeback Model (And How Does it Save You Money?) | Sealos Blog What is a "Headless" Development Environment? (And How it Works with VS Code) | Sealos Blog What is a Graph-Based Vector Database? (And When to Use It Over Milvus) | Sealos Blog What is a "Cloud Operating System"? The Next Evolution of PaaS Explained | Sealos Blog The Real Cost of EKS: How Sealos Delivers a Simpler, Cheaper Kubernetes Experience | Sealos Blog The 3 Types of Kubernetes Autoscaling (HPA, VPA, CA) and How Sealos Manages Them for You | Sealos Blog Sealos vs Vercel: Why a Cloud OS Beats a Frontend Platform for Full-Stack Apps | Sealos Blog Sealos vs. Render vs. Fly.io: A 2025 Guide to the Best Heroku Alternatives | Sealos Blog Sealos vs. OpenShift: Kubernetes for Developers vs. Kubernetes for Ops Teams | Sealos Blog Sealos vs. Netlify: When to Choose a Full Kubernetes Platform over a Static Site Hoster | Sealos Blog Sealos vs. DigitalOcean App Platform: A Head-to-Head Comparison on Cost, Features, and Scalability | Sealos Blog Sealos vs. AWS Elastic Beanstalk: The Modern PaaS for Developers Who Hate YAML | Sealos Blog Sealos DevBox vs. AWS Cloud9: Why Your CDE Should Be Platform-Agnostic | Sealos Blog For Developers: Stop Wasting Time on DevOps. A 10-Minute Guide to Shipping Faster with DevBox. | Sealos Blog Deploying n8n with Docker: From Local Setups to a Radically Simple Cloud Alternative | Sealos Blog The Impact of Prompt Bloat: How the Sealos AI Proxy Can Cache Queries and Cut LLM Costs | Sealos Blog The FinOps Playbook: How to Implement Kubernetes Chargebacks and Showbacks with Sealos | Sealos Blog Smoke Testing for ML Pipelines: Catching Data and Model Errors Before They Hit Production | Sealos Blog Optimizing PostgreSQL Performance: A Guide to Sealos Managed Database Tuning | Sealos Blog Managing Kubernetes Multi-Tenancy: How Sealos Enforces Resource Quotas and Network Policies | Sealos Blog From Days to Minutes: How to Standardize Developer Environments for Your Entire Engineering Org | Sealos Blog For Platform Engineers: How to Build a Golden Path IDP (Internal Developer Platform) with Sealos | Sealos Blog For FinOps Managers: The 5 Leakiest Buckets in Your Kubernetes Budget (And How to Plug Them) | Sealos Blog For Educators & IT Admins: How to Provide a Secure, Scalable Cloud Lab for 1000+ Students on a Budget | Sealos Blog What is a Vector Database? A Beginner's Guide to Milvus, Pinecone, and More | Sealos Blog Why Your Microservices Architecture is Failing (And How a Cloud OS Can Fix It) | Sealos Blog The Power of Autoscaling: A Deep Dive into HPA, VPA, and Cluster Autoscaler | Sealos Blog The Total Economic Impact of Cloud Development Environments (CDEs) | Sealos Blog The Illustrated Guide to the Kubernetes Control Plane | Sealos Blog The MLOps Lifecycle Explained: From Data Prep to Model Deployment | Sealos Blog Beyond Vercel's AI Cloud: The Case for an AI-Native Operating System | Sealos Blog The Architecture of a Modern AI Application: A 2025 Blueprint | Sealos Blog GitHub Codespaces is Great, But Your Workflow is Incomplete. Here's Why. | Sealos Blog The Best Heroku Alternatives in 2025 for Scalability and Cost | Sealos Blog CAST AI vs. Kubecost vs. Sealos: Choosing the Right K8s Cost Management Tool | Sealos Blog DevBox vs. Gitpod vs. Replit: An Unbiased Comparison for 2025 | Sealos Blog Unlocking Hidden Savings: A Guide to Using Spot Instances Safely in Kubernetes | Sealos Blog Can a CDE Really Replace Your MacBook Pro? A Performance Benchmark | Sealos Blog The End of "Works on My Machine": Achieving 100% Reproducible Builds with DevBox | Sealos Blog The Ultimate Guide to GPU Provisioning and Management in Kubernetes | Sealos Blog Rightsizing Kubernetes Workloads: How to Stop Wasting Money on CPU and Memory Requests | Sealos Blog The 2025 Guide to Kubernetes Cost Optimization: 10 Strategies to Cut Your Bill in Half | Sealos Blog FinOps for Startups: How to Build a Cost-Conscious Culture from Day One | Sealos Blog How to Onboard a New Developer in Under 5 Minutes with Sealos DevBox | Sealos Blog Calculating Kubernetes Costs: A Breakdown of EKS, GKE, and AKS Pricing Models | Sealos Blog Case Study: How We Reduced Our Kubernetes Bill by 87% with Sealos | Sealos Blog Are You Overpaying for Managed Kubernetes? The True Cost of Vendor Lock-in | Sealos Blog Beyond Monitoring: How Sealos Autonomously Optimizes Your Cloud Spend | Sealos Blog A Practical Guide to Kubernetes Security: Hardening Your Cluster in 2025 | Sealos Blog A Secure-by-Design Development Workflow with Isolated Cloud Environments | Sealos Blog Setting Up a Collaborative Python Data Science Environment with DevBox | Sealos Blog Using the Sealos AI Proxy to Manage and Cache LLM API Calls | Sealos Blog Migration Guide: Moving Your Node.js & Postgres App from Heroku to Sealos in Under an Hour | Sealos Blog Serving Machine Learning Models at Scale: A Guide to Inference Optimization | Sealos Blog Headless Development with Sealos: Using Your Local VS Code with a Powerful Cloud Backend | Sealos Blog How to Build and Deploy a RAG Pipeline with Llama 3 and Milvus on Sealos | Sealos Blog From Localhost to Production in 15 Minutes: A Full-Stack CDE Workflow with Sealos DevBox | Sealos Blog Fine-Tuning Open-Source LLMs on a Budget with Sealos | Sealos Blog From Docker Compose to Kubernetes: A Simple Migration Path with Sealos | Sealos Blog Building an AI Agentic Workflow with LangChain and Sealos | Sealos Blog What is Helm for Kubernetes? The Ultimate Package Manager Explained | Sealos Blog What is a Custom Resource Definition (CRD) in Kubernetes? | Sealos Blog What is a Kubernetes StatefulSet? A Practical Guide | Sealos Blog What is a Kubernetes Ingress Controller? A Guide to Smart Traffic Routing | Sealos Blog What is a Kubernetes Operator? Automating Complex Applications | Sealos Blog What is a Kubernetes Service? A Simple Guide for Developers | Sealos Blog Streamlining Your CI/CD Pipeline with a DevBox Build Environment | Sealos Blog Why Standardized Development Environments Are Key to Team Velocity | Sealos Blog What Is GitHub Codespace? | Sealos Blog DevBox Install? Skip It Entirely. Get a Ready-to-Code Environment in One Click with Sealos DevBox. | Sealos Blog How to Set Up a DevBox: The Ultimate Guide to 1-Click Cloud Development | Sealos Blog Empowering Indie Devs and Startup Teams: How Sealos DevBox Accelerates Agile Development | Sealos Blog From Chaos to Consistency: How Sealos DevBox Transforms Enterprise Development Workflows | Sealos Blog From Campus Labs to Cloud Freedom: How Sealos DevBox Supercharges Student Development | Sealos Blog How Sealos DevBox Cut Container Commit Time from 15 Minutes to 1 Second | Sealos Blog DevBox vs Codespaces: Which Remote Dev Environment Fits You Best? | Sealos Blog
GitOps on Autopilot: Implementing a CI/CD Pipeline with Sealos and GitHub Actions | Sealos Blog
Sealos · 2025-09-03 · via Sealos Blog

Software delivery shouldn’t depend on late-night kubectl commands, manual edits, or tribal knowledge. You commit code, a robot does the rest. That’s the promise of GitOps—your cluster simply reflects what’s declared in Git, while automated pipelines handle the “how.” In this article, we’ll build a practical GitOps pipeline that pairs Sealos (a cloud operating system built on Kubernetes) with GitHub Actions and Argo CD to put your deployments on autopilot.

You’ll learn what GitOps is, why it matters, how the pieces fit together, and how to implement a real-world setup with multi-environment promotion, image scanning, and optional self-hosted GitHub runners on your Sealos cluster.


GitOps is an operational model where Git is the single source of truth for both application code and the desired state of your infrastructure and applications. Instead of running imperative commands to change environments, you declaratively define the desired state in Git and let a controller (e.g., Argo CD) reconcile your cluster to match that state.

Key ideas:

  • Declarative definitions: Everything from Deployments to Ingress is expressed in code (YAML, Helm charts, Kustomize overlays).
  • Pull-based reconciliation: A controller continuously watches Git and converges your cluster toward the specified state.
  • Versioned, auditable changes: Every change is a Git commit or pull request, providing traceability and rollbacks.

Think of GitOps as an “autopilot” for your Kubernetes clusters—consistent, auditable, and repeatable.


  • Sealos: Sealos is a cloud operating system built around Kubernetes. It simplifies running and managing clusters, multi-tenancy, and platform services on top of Kubernetes. You can run it yourself or use Sealos-hosted options to quickly provision a cluster and manage apps.
  • GitHub Actions: A powerful CI platform that integrates tightly with GitHub, supports reusable workflows, and scales from hobby to enterprise use cases.

Together with Argo CD (for continuous delivery), this stack gives you:

  • End-to-end automation: Build, test, package, and deliver via GitHub Actions, then deploy via Argo CD.
  • Clear separation of concerns: App repo for code, config repo for environment manifests.
  • Repeatability and security: PR-based changes, signed container images (optional), and policy enforcement.

We’ll implement a two-repo GitOps setup with Argo CD reconciling your Sealos cluster:

  • App repository (e.g., my-org/demo-app)

    • Source code
    • Dockerfile
    • CI workflow to build/test and push images to a registry (e.g., GHCR)
    • A job to update the config repository with the new image tag
  • Config repository (e.g., my-org/demo-config)

    • Kustomize or Helm definitions
    • Environments: dev, staging, prod (as folders)
    • Argo CD Application manifests referencing these folders
  • Sealos cluster

    • Kubernetes cluster where your apps run
    • Argo CD installed; Auto-sync enabled
    • Optional: Ingress, secrets management (Sealed Secrets/External Secrets), policy, observability

Flow:

  1. Developer merges code to main in the app repo.
  2. GitHub Actions builds a container image, pushes it to GHCR, and creates a PR to bump the image tag in the config repo (for dev).
  3. Argo CD sees the updated config repo and synchronizes the Sealos cluster.
  4. Promotion from dev → staging → prod is performed via PRs in the config repo.

  • A running Sealos-based Kubernetes cluster and access to its kubeconfig.
  • kubectl installed locally and configured for your cluster.
  • GitHub repositories:
    • One for the application code
    • One for Kubernetes manifests/config
  • Container registry access (GHCR is convenient with GitHub Actions).
  • Basic familiarity with Kubernetes and GitHub Actions.

Note: If you’re using a hosted Sealos platform, you can create a Kubernetes cluster and download the kubeconfig through the Sealos console. If self-hosting Sealos, follow the official documentation to provision the cluster, then verify access with:


For illustration, we’ll use a minimal Node.js service.

Example: Node.js App

server.js:

package.json:

Dockerfile:

Build locally to test:


Structure your config repo like this:

Base manifests

base/deployment.yaml:

base/service.yaml:

base/kustomization.yaml:

Environment overlays

environments/dev/kustomization.yaml:

environments/staging/kustomization.yaml:

environments/prod/kustomization.yaml:

Note: Argo CD will apply these overlays per environment. Our CI will update the image tags for each environment via PRs.


Install Argo CD on your Sealos Kubernetes cluster:

Wait until all pods are ready:

To access the Argo CD UI (for initial setup), you can port-forward:

Default admin password (on initial install) can be obtained from:

For production, configure a proper Ingress and SSO/OIDC. Ensure network access is secured.


Create Argo CD Applications that point to your config repo’s environment folders. Example for dev:

argocd/app-dev.yaml:

Apply it:

Repeat for staging and prod (change name, namespace, and path accordingly).


In your app repository, add a workflow to build, test, and push images to GHCR, then propose a change in the config repo to bump the image tag for the dev environment.

.github/workflows/ci.yml:

Notes:

  • The workflow uses the GitHub-provided GITHUB_TOKEN for pushing to GHCR. Ensure packages: write permission is enabled.
  • To create PRs in the config repo, you typically need a token with repo write permissions. Use CONFIG_REPO_TOKEN as a repository secret in the app repo (preferably from a GitHub App or a fine-scoped PAT).
  • This creates a PR for dev. For staging/prod, promotion should be manual via PRs in the config repo to keep control.

Once the PR in the config repo is merged, Argo CD will:

  • Detect the tag bump in environments/dev/kustomization.yaml.
  • Apply changes to your Sealos cluster in the demo-dev namespace.
  • Keep reconciling and self-healing as needed.

You can watch status in the Argo CD UI or via:


Depending on your Sealos cluster setup, you can expose the service via an Ingress, a LoadBalancer, or port-forwarding.

Example Ingress (if you have an Ingress controller):

Add this to environments/dev as another Kustomize resource and configure DNS accordingly.


To promote to staging:

  • Create a PR in the config repo that bumps environments/staging/kustomization.yaml image tag to the tested dev image tag.
  • Merge the PR → Argo CD deploys to staging.

Similarly for production:

  • Controlled via PRs to environments/prod, such as bumping the tag from stable to the new version.

This PR-based promotion ensures:

  • Human review gates between environments.
  • Full auditability and rollback via Git history.

1) Self-Hosted GitHub Actions Runners on Sealos

For faster builds or private networking, run self-hosted runners in your Sealos cluster using the actions-runner-controller.

High-level steps:

  • Install actions-runner-controller with Helm.
  • Create a RunnerDeployment pointing at your GitHub repo/org.
  • Label and scale as needed.

Example RunnerDeployment:

Then, change runs-on in your workflows to match the runner labels. Ensure appropriate GitHub credentials are configured per controller’s docs.

2) Image Scanning and Policy

  • Scan images during CI using Trivy:
  • Enforce policies with Kyverno:
    • Require signed images (with cosign).
    • Block images with critical vulnerabilities.
    • Enforce label standards.

3) Secret Management

Avoid storing plaintext secrets in Git:

  • Sealed Secrets: Encrypt secrets in Git; decrypt in cluster.
  • External Secrets Operator: Sync secrets from a secret manager (e.g., AWS Secrets Manager, Vault).

Example Sealed Secret workflow:

  • Encrypt a Kubernetes Secret into a SealedSecret.
  • Commit SealedSecret YAML to the config repo.
  • Argo CD applies it; controller decrypts at runtime.

4) Progressive Delivery (Canary, Blue/Green)

Use Argo Rollouts for advanced deployment strategies:

  • Canary: Gradually shift traffic while monitoring metrics.
  • Blue/Green: Swap traffic between stable and new versions instantly with rollback.

Example Rollout partial spec:

5) Observability

Instrument your cluster:

  • Prometheus + Grafana for metrics.
  • Loki for logs.
  • Tempo/Jaeger for traces.

Use dashboards to observe rollout health and resource consumption on Sealos.


  • Least privilege for CI:
    • Use a GitHub App or a minimal-scoped PAT for CONFIG_REPO_TOKEN.
    • If possible, use fine-grained PATs with repo and pull request scopes.
  • Container registry:
    • Prefer OIDC/BYO credentials or the built-in GITHUB_TOKEN for GHCR.
    • Consider image signing with cosign and enforce verification via Kyverno or admission controllers.
  • Cluster access:
    • Argo CD pulls from Git and requires no CI connectivity into the cluster—keep clusters private.
  • Branch protection:
    • Protect main branches in both repos; require PR reviews and status checks.

  • Argo CD application stuck OutOfSync:

    • Check the Application events: kubectl -n argocd describe app demo-dev
    • Ensure the path and targetRevision in Application specs are correct.
    • Verify that Argo CD has permission to create the target namespace.
  • Image never updates:

    • Confirm the config repo PR merged and the new tag is in environments/dev/kustomization.yaml.
    • Verify Argo CD auto-sync is enabled.
    • Check the container image exists in the registry and is accessible by your cluster (pull secrets if needed).
  • GitHub Action fails to create PR:

    • Ensure CONFIG_REPO_TOKEN has write permissions to the config repo.
    • Check branch protection rules and required checks.
  • Kubernetes resources not created:

    • Ensure Kustomize overlays resolve correctly. Run locally:
    • Validate manifests with kubectl:

  1. You push a change to server.js.
  2. GitHub Actions builds a new image and pushes to GHCR.
  3. The workflow opens a PR in the config repo to bump the dev tag to the new image.
  4. You or an automated policy merges the PR.
  5. Argo CD reconciles the Sealos cluster and updates dev.
  6. After verification, you create a PR to bump staging, then production tags—keeping a clear audit trail of what went where and when.

No kubectl apply. No snowflake clusters. Everything is declarative, observable, and repeatable.


  • Microservices at scale: Each service gets its own app repo and a shared config monorepo, or both split per team. Argo CD manages hundreds of Applications with app-of-apps patterns.
  • Regulated environments: PR-based changes with signed commits, policies, and audit logs meet compliance requirements.
  • Multi-tenant platforms: Sealos helps run isolated namespaces or tenants while keeping a unified GitOps control plane.
  • Education and onboarding: New engineers learn by opening PRs rather than memorizing bespoke CLI incantations.

GitOps turns operations into code and code into reliable delivery. By combining Sealos for Kubernetes-based cloud infrastructure, GitHub Actions for CI, and Argo CD for CD, you get a pipeline that:

  • Automates deployments end to end
  • Enforces consistency with Git as the source of truth
  • Simplifies promotion across environments with PRs
  • Improves security, auditability, and rollback

Start small—one service, one environment—then scale to multi-service, multi-environment delivery. With your GitOps autopilot engaged, you’ll spend less time firefighting and more time delivering value.