
By the time we finished governance in Blog 4, the platform was safe — but not yet frictionless. 

Developers still waited for approvals, and ops still handled manual rollbacks. 

One day the CTO asked, 
“Why can’t our infrastructure move at the same speed as our code?”  
That question marked our next chapter — bringing GitOps with ArgoCD into Crossplane to make every change declarative, auditable, and rollback-ready.  

Takeaway: “We didn’t just automate infra. We automated trust.”

This article is part of a five-blog series where we share a real client use case — how we reimagined their cloud infrastructure strategy with Crossplane, GitOps, and a hybrid approach with Terraform.

Missed the previous blog? Read Blog 4 – Governance, Security & Lifecycle Protection.

Bridging from Blog 4

In Blog 4, we built guardrails with Kyverno, RBAC, IRSA, and lifecycle safeguards — enough to stop accidental “oops” moments in production. But governance alone wasn’t enough. If we wanted to scale across multiple teams and regions, we needed something bigger:

  • Declarative → everything in YAML
  • Git-driven → no manual kubectl apply
  • Auditable → every change tracked
  • Rollback-ready → safe recovery in minutes, not hours

Enter GitOps with ArgoCD — the final piece that turned our Crossplane adoption into a globally scalable platform.

Setting Up ArgoCD for GitOps

ArgoCD is the GitOps engine that continuously syncs your manifests from Git into Kubernetes (and Crossplane). Setup takes just 3 steps:

Step 1: Install ArgoCD

[Image: ArgoCD installation script]

Step 2: Expose ArgoCD Server

Patch the argocd-server Service to type LoadBalancer. Once the LoadBalancer is ready, you can access the ArgoCD UI in your browser. On EKS that is a public ELB unless you annotate the Service as internal, so put it behind an internal load balancer or a TLS-terminating ingress rather than exposing the login page to the internet.

Step 3: Get Initial Admin Password

[Image: Setting up initial admin password]

Log in with admin + that password, then change it and delete the argocd-initial-admin-secret; the bootstrap secret exists only to get you to the first login. For day-to-day use, connect ArgoCD to your SSO provider and keep the admin account for break-glass access.

Why GitOps with Crossplane?

[Image: ArgoCD illustration]

Crossplane already runs inside Kubernetes, so GitOps was a natural extension.

  • Source of truth = Git → no manual kubectl apply.
  • Every infra change = Pull Request → peer-reviewed before merge.
  • Continuous reconciliation → ArgoCD keeps everything in sync.
  • Safe rollbacks → revert a commit, ArgoCD syncs back.

Together, Git + ArgoCD gave us a developer-friendly, operations-safe workflow.

Sync-Waves: Ordering Matters


Infra has dependencies: VPCs must come before Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EKS before NodeGroups, and NodeGroups before RDS. Without ordering, things collapse like dominoes.

That’s where ArgoCD sync-waves saved us:

[Image: ArgoCD sync-waves]

[Image: Argo CD sync-waves complete]

Each resource is applied in the right order, and ArgoCD waits for every resource in a wave to report Healthy before it starts the next → no race conditions, no surprises.
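Argo CD orders waves by health: it applies wave N+1 only once everything in wave N reports Healthy, and a custom resource with no health check counts as Healthy the moment it is created. Crossplane managed resources therefore need a health customization, or the waves all fire together. The manifests below are an added example (not the client's repository or the screenshots above): an argocd-cm fragment with a Ready/Synced-based health check for Upbound provider kinds, simplified from the one in the Crossplane Argo CD guide, followed by the four resources in the order the text describes. Account IDs, ARNs, names and the CIDR are placeholders, subnets and IAM roles are omitted, and providerConfigRef is left at its default (a ProviderConfig named default).

```yaml
# Merged into the existing argocd-cm (not a replacement for it).
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  # Crossplane propagates labels to managed resources, which confuses
  # label-based tracking; track by annotation instead.
  application.resourceTrackingMethod: annotation
  resource.customizations: |
    "*.upbound.io/*":
      health.lua: |
        -- Ready=True -> Healthy, Synced=False -> Degraded, otherwise Progressing.
        local hs = { status = "Progressing", message = "Waiting for Ready=True" }
        if obj.status == nil or obj.status.conditions == nil then
          return hs
        end
        for _, c in ipairs(obj.status.conditions) do
          if c.type == "Synced" and c.status == "False" then
            return { status = "Degraded", message = c.message or "Synced=False" }
          end
          if c.type == "Ready" and c.status == "True" then
            hs.status = "Healthy"
            hs.message = "Resource is Ready"
          end
        end
        return hs
---
# Wave 0: network (subnets, routes and IAM roles omitted for brevity).
apiVersion: ec2.aws.upbound.io/v1beta1
kind: VPC
metadata:
  name: platform-vpc
  annotations:
    argocd.argoproj.io/sync-wave: "0"
spec:
  forProvider:
    region: us-east-1
    cidrBlock: 10.42.0.0/16
---
# Wave 1: applied only once everything in wave 0 reports Healthy.
apiVersion: eks.aws.upbound.io/v1beta1
kind: Cluster
metadata:
  name: platform-eks
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  forProvider:
    region: us-east-1
    roleArn: arn:aws:iam::123456789012:role/eks-cluster-role   # placeholder
    vpcConfig:
      - subnetIdSelector:
          matchLabels:
            network: platform
---
# Wave 2: workers. The ref resolves the cluster name; the wave makes Argo CD wait.
apiVersion: eks.aws.upbound.io/v1beta1
kind: NodeGroup
metadata:
  name: platform-workers
  annotations:
    argocd.argoproj.io/sync-wave: "2"
spec:
  forProvider:
    region: us-east-1
    clusterNameRef:
      name: platform-eks
    nodeRoleArn: arn:aws:iam::123456789012:role/eks-node-role   # placeholder
    subnetIdSelector:
      matchLabels:
        network: platform
    scalingConfig:
      - minSize: 1
        desiredSize: 2
        maxSize: 4
---
# Wave 3: database last. Orphan: deleting the manifest never deletes the
# instance. The master password is read from a Secret, never committed.
apiVersion: rds.aws.upbound.io/v1beta1
kind: Instance
metadata:
  name: platform-db
  annotations:
    argocd.argoproj.io/sync-wave: "3"
spec:
  deletionPolicy: Orphan
  forProvider:
    region: us-east-1
    engine: postgres
    instanceClass: db.t3.medium
    allocatedStorage: 20
    username: adminuser
    passwordSecretRef:
      namespace: crossplane-system
      name: platform-db-master
      key: password
```

Without the health.lua block the screenshot above would still show four neat waves, but they would complete within seconds of each other, because Argo CD would have nothing to wait for; the Lua maps Crossplane's own conditions onto the three states Argo CD understands. Applying the argocd-cm fragment needs a merge with the keys your installation already carries, so keep it in the same Git repo as the rest of the Argo CD configuration.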

Drift Prevention

[Image: Drift prevention illustration]

With Terraform, drift was a silent killer: infra could change in the AWS Management Console, and no one noticed until things broke.

With Crossplane + ArgoCD:

  • Crossplane continuously reconciles the cloud against the manifest → a change made in the console is reverted on the next reconcile.
  • ArgoCD compares the cluster against Git and highlights “Out of Sync” resources instantly; with selfHeal enabled it reverts them.
  • Kyverno blocks unsafe YAML at admission, before it is applied.

Drift went from a hidden risk → a visible, auto-corrected event. 
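The two halves of this, as an added example rather than the client's manifests: an Argo CD Application with automated sync (selfHeal reverts cluster-side edits, prune removes what was deleted from Git) and a Kyverno ClusterPolicy that refuses RDS manifests that would make a later rollback destructive or a database reachable from the internet. The repository URL, the AppProject named platform and the object names are placeholders.

```yaml
# Argo CD side: the Application that owns the production infra folder.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: platform-infra-prod
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io   # deleting the App cascades to its objects
spec:
  project: platform
  source:
    repoURL: https://github.com/example-org/platform-infra.git
    targetRevision: main
    path: envs/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: crossplane-system
  syncPolicy:
    automated:
      selfHeal: true   # a kubectl edit on the cluster is reverted to what Git says
      prune: true      # an object removed from Git is deleted from the cluster
    syncOptions:
      - ServerSideApply=true
    retry:
      limit: 5
      backoff:
        duration: 30s
        factor: 2
        maxDuration: 10m
---
# Kyverno side: reject the two mistakes a revert cannot undo. Prod RDS instances
# must be Orphan (so prune cannot destroy data) and must not be publicly reachable.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: rds-prod-guardrails
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: rds-orphan-and-private
      match:
        any:
          - resources:
              kinds:
                - rds.aws.upbound.io/v1beta1/Instance
      validate:
        message: "RDS instances must use deletionPolicy: Orphan and must not set publiclyAccessible: true"
        pattern:
          spec:
            deletionPolicy: Orphan
            forProvider:
              =(publiclyAccessible): "false"
```

The `=(publiclyAccessible)` anchor means "if the field is present it must be false", so manifests that omit it still pass; drop the anchor if you want the field to be mandatory. When Kyverno rejects an object, Argo CD shows the sync as failed with the policy message, which is the "blocked before it applies" behaviour in the list above. Note which layer catches which drift: Argo CD only diffs Kubernetes objects against Git, so a change made in the AWS console never shows up as Out of Sync; Crossplane sees it and puts it right on its next reconcile, and the correction shows up in the managed resource's events rather than in Argo's diff.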

Ephemeral Environments per PR


One of the client’s biggest asks: ephemeral environments for PR testing.

  • Developer opens a PR → a new namespace spins up.
  • Crossplane provisions temporary infra (Amazon RDS, Amazon Simple Storage Service, etc.).
  • On merge/close → ArgoCD cleans up automatically.

Benefits?

  • No shared-state conflicts.
  • Faster feature testing.
  • Zero leftover infra bills, as long as the ephemeral resources use deletionPolicy: Delete; an Orphaned database keeps billing after its namespace is gone.
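How the three steps fit together, as an added example and not the client's configuration: an AppProject that fences what a pull request may create, an ApplicationSet using Argo CD's pull request generator, and the claim manifest the PR branch carries. The organisation, repository, token Secret and the database.example.org XRD are assumptions; the Composition behind that XRD is not shown.

```yaml
# AppProject: the fence around every PR environment. Only this repo, only
# pr-* namespaces, and no cluster-scoped objects at all, which in Crossplane
# terms means claims only: a PR can never commit a raw VPC or IAM managed resource.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: pr-envs
  namespace: argocd
spec:
  sourceRepos:
    - https://github.com/example-org/payments-api.git
  destinations:
    - server: https://kubernetes.default.svc
      namespace: 'pr-*'
  clusterResourceWhitelist: []   # empty list = deny all cluster-scoped kinds
---
# ApplicationSet: one Application per open pull request carrying the
# 'preview' label. When the PR closes the generator drops it and the
# Application and everything it created, the claim included, are deleted.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: payments-api-pr-envs
  namespace: argocd
spec:
  generators:
    - pullRequest:
        github:
          owner: example-org
          repo: payments-api
          tokenRef:
            secretName: github-token   # read-only token, lives only in the argocd namespace
            key: token
          labels:
            - preview                  # maintainers decide which PRs get infra
        requeueAfterSeconds: 60
  template:
    metadata:
      name: 'payments-api-pr-{{number}}'
    spec:
      project: pr-envs
      source:
        repoURL: https://github.com/example-org/payments-api.git
        targetRevision: '{{head_sha}}'
        path: deploy/preview
      destination:
        server: https://kubernetes.default.svc
        namespace: 'pr-{{number}}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
          - CreateNamespace=true
---
# deploy/preview/database.yaml in the application repo: a namespaced claim
# against a platform-owned XRD (database.example.org is assumed here). The
# Composition it selects sets deletionPolicy: Delete on its managed resources,
# which is what makes "zero leftover bills" true when the PR closes.
apiVersion: database.example.org/v1alpha1
kind: PostgreSQLInstance
metadata:
  name: payments-db
spec:
  parameters:
    storageGB: 20
  compositionSelector:
    matchLabels:
      tier: ephemeral
  writeConnectionSecretToRef:
    name: payments-db-conn
```

Two things keep this from becoming a self-service hole. The pullRequest generator deploys whatever manifests the PR's head commit contains, so the label gate decides who gets infra and the AppProject decides what they can get: no cluster-scoped kinds means no raw managed resources, only claims against compositions the platform team owns. And cleanup is only complete if those compositions use deletionPolicy: Delete; the pr-N namespace object itself is created by CreateNamespace=true but is not pruned when the Application goes away, so it lingers empty and deserves a periodic sweep.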

Safe Rollbacks with Git


Terraform rollbacks often felt like firefighting — destroy/apply chaos and long nights. 

With GitOps:

  • Release fails → just git revert.
  • ArgoCD syncs infra back to a known-good state.
  • A revert restores manifests, not data: if the bad commit removed a resource that had deletionPolicy: Delete, the revert recreates an empty one. That is why stateful resources carry Orphan.

Recovery time went from hours → minutes. 

A Real-World Example

[Image: ArgoCD with multi-region]

Expanding to multiple AWS regions used to mean:

  • Terraform → separate state files, duplication, drift risk.

With Crossplane + GitOps:

  • Just update region values in YAML.
  • ArgoCD syncs across clusters.
  • Sync-waves ensure dependencies are respected.

Multi-region infra parity in days, not weeks. 
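What "update region values in YAML" looks like with an Argo CD ApplicationSet, as an added example rather than the client's setup: a list generator fans one Git path out to one Application per region, each targeting that region's cluster and passing the region to the chart. The repository, the chart path (assumed to template forProvider.region from .Values.region) and the eu-west-1 cluster address are placeholders; the second cluster must already be registered with Argo CD.

```yaml
# One Application per region from the same Git path. Adding a region is a new
# list element; the chart at envs/regional (assumed) templates forProvider.region.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: platform-infra-regions
  namespace: argocd
spec:
  goTemplate: true
  generators:
    - list:
        elements:
          - region: us-east-1
            cluster: https://kubernetes.default.svc
          - region: eu-west-1
            cluster: https://eu-west-1.eks.example.internal   # registered with argocd cluster add
  template:
    metadata:
      name: 'platform-infra-{{ .region }}'
    spec:
      project: platform
      source:
        repoURL: https://github.com/example-org/platform-infra.git
        targetRevision: main
        path: envs/regional
        helm:
          parameters:
            - name: region
              value: '{{ .region }}'
      destination:
        server: '{{ .cluster }}'
        namespace: crossplane-system
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
```

Because both Applications render from one path, a fix to the shared manifests lands in every region on the next sync, and the sync-wave annotations inside the chart apply per region, so a new region builds its VPC before its cluster just as the first one did.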

Key Learnings:

  • Git became the single source of truth.
  • Sync-waves solved infra ordering.
  • Continuous reconciliation killed drift.
  • Ephemeral PR envs boosted developer speed.
  • Rollbacks became simple Git reverts.
  • Multi-region parity came from reusable manifests.

The Road Ahead:

  • Multi-region sync with ArgoCD → global infra parity.
  • Drift auto-heal + Slack/Teams alerts → faster visibility.
  • Expanded coverage → S3, SQS, SNS, AWS IAM.
  • Central Helm chart → standardization for all teams.
  • Declarative Disaster Recovery → infra failover as code.

Takeaway: “GitOps didn’t replace governance — it operationalized it.”

Where Crossplane Shines

  • GitOps-native cloud infra management.
  • Continuous reconciliation for critical resources.
  • Safe imports of existing production infra.
  • Team-friendly → developers work in YAML, no Terraform state file headaches.
  • Perfect for dynamic, short-lived, or multi-tenant infra needs (e.g., ephemeral environments).

Where Crossplane May Not Be the Best Fit

  • Large, static foundational infra (e.g., networking sprawl, multi-account bootstrap) → Terraform is usually simpler and more battle-tested.
  • Complex multi-cloud strategies where fine-grained governance outside Kubernetes is needed → OPA/Service Catalog might fit better.
  • When teams lack Kubernetes expertise → Crossplane adds cognitive overhead if developers aren’t familiar with CRDs, reconciliation, and GitOps workflows.

Important Learning

Terraform gave us stability. Crossplane gave us control. GitOps gave us velocity. Together, they created a self-healing, auditable, and developer-friendly cloud platform.

Takeaway: “GitOps wasn’t the end — it was the point where automation met trust.”

Crossplane Learning Checklist / Cheat Sheet

a) Prerequisites

  • AWS EKS cluster ready
  • kubectl, helm, aws-cli
  • Namespace: crossplane-system
  • AWS creds (IRSA or Secret)

b) Install Crossplane

[Image: Crossplane installation]

c) Install AWS Provider

[Image: Install AWS Provider]

d) Configure ProviderConfig → Secret or IRSA

e) Create First MR (RDS, S3, etc.) with deletionPolicy: Orphan

f) Import Existing Resource → crossplane.io/external-name annotation + ObserveOnly (managementPolicies: [Observe] in current releases)

g) Governance (Kyverno) → validation + mutation policies

h) GitOps (ArgoCD) → sync-waves, drift correction, PR envs

i) Lifecycle Protection → Orphan + ObserveOnly on anything stateful or imported from production; Delete only on ephemeral infra that should go away with its namespace; secure with RBAC + IRSA

This is everything you need to adopt Crossplane end-to-end.
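Steps c) through f) and i) as manifests, as an added example and not the install screenshots above: Providers pinned and bound to an IRSA service account through a DeploymentRuntimeConfig, a ProviderConfig with credentials.source: IRSA, a first managed resource with deletionPolicy: Orphan, and an import that observes an existing RDS instance without ever writing to it. The account ID, role ARN, provider version, bucket name and database identifier are placeholders; a) and b) (cluster, tooling, Helm install of Crossplane into crossplane-system) are assumed done.

```yaml
# c) Providers: one per AWS service family, pinned. runtimeConfigRef attaches
#    the IRSA service-account annotation to the provider pod.
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: aws-irsa
spec:
  serviceAccountTemplate:
    metadata:
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/crossplane-provider-aws   # placeholder
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-s3
spec:
  package: xpkg.upbound.io/upbound/provider-aws-s3:v1.14.0   # placeholder; pin the version you tested
  runtimeConfigRef:
    name: aws-irsa
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-rds
spec:
  package: xpkg.upbound.io/upbound/provider-aws-rds:v1.14.0
  runtimeConfigRef:
    name: aws-irsa
---
# d) ProviderConfig: IRSA, so no long-lived access keys live in the cluster.
#    The Secret alternative is credentials.source: Secret plus a secretRef.
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: IRSA
---
# e) First managed resource: Crossplane creates and manages the bucket but
#    will not delete it if the manifest disappears from Git.
apiVersion: s3.aws.upbound.io/v1beta1
kind: Bucket
metadata:
  name: platform-artifacts-example
spec:
  deletionPolicy: Orphan
  forProvider:
    region: us-east-1
    tags:
      managed-by: crossplane
---
# f) Import: the existing RDS identifier goes in the external-name annotation.
#    Observe-only management reads state and never creates, updates or deletes,
#    so a wrong forProvider value cannot touch production.
apiVersion: rds.aws.upbound.io/v1beta1
kind: Instance
metadata:
  name: orders-prod-imported
  annotations:
    crossplane.io/external-name: orders-prod   # existing DB instance identifier
spec:
  managementPolicies: ["Observe"]
  deletionPolicy: Orphan
  forProvider:
    region: us-east-1
```

managementPolicies: ["Observe"] is the current spelling of the ObserveOnly policy the checklist names (Crossplane 1.12 onward; alpha behind --enable-management-policies before 1.14). The IAM role in the annotation still needs a trust policy for the cluster's OIDC provider and the provider's service account, and a permissions policy scoped to the services you actually install; that part lives in IAM, outside the cluster and outside this repo.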

Crossplane Adoption Journey: Blog Series Recap

[Image: Crossplane Adoption Journey Recap]


From Terraform bottlenecks → Crossplane adoption → GitOps-powered infra, the journey is complete.

Meet the Author
  • Neetesh Yadav
    Senior Devops Engineer

    Neetesh specializes in designing, automating, and managing scalable DevOps pipelines across cloud-native infrastructures.
