Data Flow: GitOps
Purpose: For platform engineers, explains how a Git push propagates through FluxCD to become running Kubernetes resources.
Flow Summary
Components
| Component | Namespace | Role |
|---|---|---|
| Source Controller | flux-system | Polls Git repositories and Helm registries for changes |
| Kustomize Controller | flux-system | Applies Kustomization manifests, handles SOPS decryption |
| Helm Controller | flux-system | Renders and applies HelmRelease resources |
| Notification Controller | flux-system | Sends reconciliation events to external systems |
Sequence
- Developer pushes a commit to the monitored Git branch.
- Source Controller detects the new revision (poll interval or webhook).
- Source Controller downloads and stores the artifact (tarball of repo contents).
- Kustomize Controller picks up Kustomization resources referencing that source.
- Kustomize Controller builds the manifests (overlays, patches, variable substitution).
- If manifests contain SOPS-encrypted values, Kustomize Controller decrypts them using the Age key in flux-system.
- Built manifests are applied to the Kubernetes API server.
- Helm Controller processes any HelmRelease resources similarly (template → apply).
- Notification Controller emits events for success/failure.
Reconciliation Behavior
- Default poll interval: 1 minute (configurable per GitRepository).
- Failed reconciliations retry with exponential backoff.
- Drift detection: resources modified outside Git are reverted on the next reconciliation cycle.
- Dependency ordering: Kustomization.spec.dependsOn controls apply sequence.
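
The sequence and reconciliation settings above map onto Flux resources roughly as follows. This is an added example, not manifests taken from this cluster's repository. The resource names, repository URL, paths, 10m intervals, and the sops-age Secret name are assumptions.

```yaml
# Added example: names, URL, paths and Secret name are assumptions.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: platform                 # hypothetical source name
  namespace: flux-system
spec:
  interval: 1m                   # Source Controller poll interval
  url: https://git.example.com/org/platform.git   # placeholder URL
  ref:
    branch: main                 # the monitored branch
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure           # hypothetical
  namespace: flux-system
spec:
  interval: 10m                  # re-check cluster state; drift is reverted here
  sourceRef:
    kind: GitRepository
    name: platform
  path: ./infrastructure         # hypothetical path in the repo
  prune: true                    # delete resources that were removed from Git
  wait: true                     # Ready only once applied resources are healthy
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps                     # hypothetical
  namespace: flux-system
spec:
  interval: 10m
  dependsOn:
    - name: infrastructure       # applied only after infrastructure is Ready
  sourceRef:
    kind: GitRepository
    name: platform
  path: ./apps                   # hypothetical path in the repo
  prune: true
  decryption:
    provider: sops               # Kustomize Controller decrypts SOPS values
    secretRef:
      name: sops-age             # Secret in flux-system holding the Age private
                                 # key, stored under an entry ending in .agekey
```

Anyone who can read the decryption Secret in flux-system can decrypt every SOPS-encrypted value in the repository, so RBAC on that namespace is part of the trust boundary of this flow.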
Related
- Logical Diagram — full cluster architecture