
GitOps deploys (FluxCD / ArgoCD)

Drive Olympus deployments via GitOps tools

GitOps: the git repo is the source of truth for production state. Tools like FluxCD or ArgoCD reconcile cluster state to match git.

Olympus is single-host and Compose-based by default, so GitOps via FluxCD is "off-spec": GitOps was designed for K8s. But you can adapt.

Pattern 1: GitOps for the platform repo only

Even if you're not on K8s, you can GitOps-ish the platform repo:

  1. Git is the source of truth.
  2. deploy.yml workflow watches main.
  3. Any push triggers reconciliation (deploy).

This is already the Olympus model. You're doing GitOps when you push.

The deploy workflow handles drift: if someone SSHes in and edits a file on the VPS, the next deploy clobbers it. Cleaner than manual sync.

Pattern 2: ArgoCD with K8s Olympus

If you're on the K8s path (Cookbook, Kubernetes deployment):

# argocd-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: olympus
  namespace: argocd
spec:
  project: default  # required by the Application spec; "default" is ArgoCD's built-in project
  source:
    repoURL: https://github.com/your-org/olympus-k8s
    targetRevision: HEAD
    path: manifests
  destination:
    server: https://kubernetes.default.svc
    namespace: olympus
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

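ArgoCD reconciles: cluster state must match manifests/. Drift is corrected automatically: selfHeal reverts manual changes made in the cluster, and prune deletes resources that were removed from git.

To authenticate users to ArgoCD itself, use Olympus as the OIDC IdP; see Cookbook, Use Olympus as IdP for ArgoCD.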

Pattern 3: FluxCD

Similar to ArgoCD, FluxCD pulls manifests from git and reconciles.

# flux/kustomization.yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: olympus
  namespace: flux-system
spec:
  interval: 5m
  path: ./manifests
  sourceRef:
    kind: GitRepository
    name: olympus-source
  prune: true

Secrets in GitOps

Don't commit secrets. Use:

  • Sealed Secrets (Bitnami): encrypted secrets in git, decryptable only by the controller in the cluster.
  • External Secrets Operator: fetch from AWS Secrets Manager, HashiCorp Vault, etc.
  • SOPS: encrypt before committing, decrypt at deploy.

Olympus's existing pattern of GitHub Actions Secrets carries over: the deploy step pulls secrets at deploy time, not from the repo.

Drift detection

GitOps tools alert on drift. For non-K8s Olympus, build your own:

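# CI step: hash the deployed file and the copy in git
deployed=$(ssh prod 'md5sum < /opt/olympus/compose.prod.yml' | cut -d' ' -f1)
expected=$(md5sum < compose.prod.yml | cut -d' ' -f1)
# Mismatch → alert (the non-zero exit fails the CI job)
[ "$deployed" = "$expected" ] || { echo "drift: compose.prod.yml" >&2; exit 1; }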

Drift = someone made a manual change. Investigate.
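
A fuller version of the CI check above, as an added example that is not Olympus project code: it treats a failed fetch as its own state instead of as a match or a mismatch, and prints the diff so the investigation starts with the actual change. It uses SHA-256 rather than MD5; the function names, exit codes and demo file contents are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Drift check for a Compose-based host. Added example, not Olympus project code.
# check_drift exit codes: 0 = in sync, 1 = drift, 2 = could not compare.

# Hex SHA-256 of stdin.
digest() { sha256sum | cut -d' ' -f1; }

# check_drift <file-in-git> <fetch command...>
# The fetch command prints the deployed file to stdout, for example:
#   check_drift compose.prod.yml ssh prod cat /opt/olympus/compose.prod.yml
check_drift() {
  local expected_file live expected actual
  expected_file=$1
  shift
  [ -r "$expected_file" ] || { echo "UNKNOWN $expected_file: not in checkout" >&2; return 2; }
  live=$(mktemp) || return 2
  # A failed fetch (SSH down, file deleted) is its own state, so an outage
  # is never reported as "in sync" and never hides a removed file.
  if ! "$@" >"$live" 2>/dev/null; then
    rm -f "$live"
    echo "UNKNOWN $expected_file: fetch failed" >&2
    return 2
  fi
  expected=$(digest <"$expected_file")
  actual=$(digest <"$live")
  if [ "$expected" = "$actual" ]; then
    rm -f "$live"
    echo "OK $expected_file"
    return 0
  fi
  echo "DRIFT $expected_file: git=$expected deployed=$actual" >&2
  # Print the manual change itself so the investigation starts with evidence.
  diff -u "$expected_file" "$live" >&2 || true
  rm -f "$live"
  return 1
}

# Constructed demo: two local files stand in for the git copy and the VPS copy.
demo() {
  local dir rc=0
  dir=$(mktemp -d) || return 2
  printf 'services:\n  api:\n    image: example/api:1.4\n' >"$dir/git.yml"
  printf 'services:\n  api:\n    image: example/api:latest\n' >"$dir/vps.yml"
  check_drift "$dir/git.yml" cat "$dir/vps.yml" || rc=$?
  rm -rf "$dir"
  return "$rc"   # 1: the hand-edited image tag is reported as drift
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

In CI, map exit code 1 to a drift alert and exit code 2 to a separate "check could not run" alert, so a broken check is not silently ignored.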

When GitOps adds value

  • Multi-environment (prod, staging, dev) where each environment's state is a separate git path.
  • Teams that want PR-based deploy review (changes via PR before they land).
  • Compliance environments requiring deployment audit trails (git log IS the audit trail).

When GitOps is overkill

  • Single-operator deployments: git push to main IS GitOps-shaped already.
  • Olympus's deploy workflow handles the reconcile gap fine.
