Skip to main content
Welcome to the GitOps Certified Associate course. I’m Siddharth, and I’ll be your guide through GitOps—the modern, pull-based approach transforming how teams deploy and operate cloud-native applications. Organizations such as Spotify, Apple, Fidelity, and Intuit use GitOps to accelerate deployments, reduce human errors, and scale operations. CNCF surveys show GitOps adoption is growing across enterprises. This course is practical and hands-on: you’ll work through labs, make mistakes safely, and learn by doing so you can apply GitOps patterns and tooling in real-world scenarios.
The image shows a split screen with a text-based task on the left explaining how to access a Gitea server and a terminal window on the right displaying a welcome message from KodeKloud. There is also a video overlay of a person speaking.
This course emphasizes labs and exercises so you can practice GitOps patterns and tooling in realistic scenarios.

What you’ll learn (at a glance)

  • GitOps fundamentals: continuous and declarative concepts, desired state, state drift, reconciliation, and feedback loops.
  • GitOps principles: why Git as the single source of truth matters and the core principles that define GitOps.
  • Reconciliation engines: hands-on with Argo CD and Argo Rollouts.
  • Manifests and packaging: Kustomize, Helm charts, and OCI-based Git/registry workflows.
  • Secrets management: working with Bitnami Sealed Secrets and kubeseal.
  • Observability: integrating Prometheus, Grafana, and Alertmanager for metrics and alerts.
  • CI integration: building pipelines that publish artifacts and update Git for pull-based delivery.
  • Release patterns: rolling updates, recreate, blue/green, and canary releases.
  • Metrics & best practices: DORA metrics, operational guardrails, and security-first practices.
  • Mock exams and practice questions to validate readiness for certification.

Course modules overview

ModuleCore TopicsExample Tools
GitOps fundamentalsDesired state, reconciliation, feedback loopsGit, Argo CD
Manifests & packagingKustomize overlays, Helm chartsKustomize, Helm
Secrets managementEncrypting secrets for GitBitnami Sealed Secrets, kubeseal
Reconciliation & deliveryPull-based deployments, rolloutsArgo CD, Argo Rollouts
CI integrationBuild, push, update Git workflowJenkins, GitHub Actions
ObservabilityMetrics, dashboards, alertingPrometheus, Grafana, Alertmanager
Best practices & metricsDORA, security, IaC vs CaCVarious

Hands-on labs and learning approach

This course is lab-first. Each lesson pairs conceptual material with guided exercises so you can test patterns, iterate, and learn troubleshooting techniques that matter in production environments.

GitOps patterns — storing secrets safely with Bitnami Sealed Secrets

A common, secure flow to keep secrets in Git using Bitnami Sealed Secrets:
  1. Create a Kubernetes Secret manifest locally (without applying it to the cluster).
  2. Encrypt that secret with kubeseal to produce a SealedSecret.
  3. Commit the SealedSecret to Git; your GitOps controller (for example, Argo CD) will apply it and the Sealed Secrets controller will decrypt it inside the cluster.
Warning: Never commit plain Secret YAML (base64 or otherwise) to public repositories.
Always ensure the private key for Sealed Secrets remains secure. Only encrypted SealedSecret manifests belong in Git. Avoid storing unencrypted secrets or private keys in repositories.
Example: create a Secret manifest locally and produce a sealed secret
# Create a Kubernetes Secret manifest (not applied to the cluster)
kubectl create secret generic mysql-password \
  --from-literal=password='s1Ddh@rttF' \
  --dry-run=client -o yaml > mysql-password_k8s-secret.yaml

# Use kubeseal (installed separately) to encrypt the secret into a SealedSecret
# Apply the sealed secret to the cluster (Sealed Secrets controller will decrypt it)
# kubectl apply -f sealed-secret.yaml
Local Kubernetes Secret manifest example:
apiVersion: v1
kind: Secret
metadata:
  name: mysql-password
type: Opaque
data:
  # Base64-encoded password (example)
  password: czFEZGhAcnQj
Once you have a sealed-secret.yaml, you can manage it in Git and create an Argo CD application that points to the chart or repository hosting the Sealed Secrets controller:
argocd app create sealed-secrets \
  --repo https://bitnami-labs.github.io/sealed-secrets \
  --helm-chart sealed-secrets \
  --revision 2.2.0 \
  --dest-namespace kube-system \
  --dest-server https://1.2.3.4
Recommended references:

Tooling and repository layouts

You will practice operating both manifest-based repos and Helm chart repositories. A typical navigation example:
# Example repository navigation
cd cgoa-demos/manifests/helm/
ls
# Output:
# highway-chart
cd highway-chart/
Consider organizing repos with clear boundaries:
  • infrastructure/ for cluster-level manifests (ingress, storage)
  • applications/ for per-app Helm charts or Kustomize overlays
  • ci/ for pipeline definitions that update Git

CI pipelines that update Git (example pattern)

A common GitOps pattern: CI builds and publishes an image, then updates a manifest in Git (e.g., bumps an image tag). The GitOps controller then reconciles that change to the cluster. Below is a cleaned Jenkins pipeline that demonstrates the pattern.
pipeline {
  agent any
  environment {
    REPO_URL = "http://localhost:5000/kk-org/cgoa-demos"
    BRANCH = "feature-gitea"
    REMOTE_AUTH = "http://587fcc78b44a416b7497ad5065dad577d722708@localhost:5000/kk-org/cgoa-demos"
  }
  stages {
    stage('Checkout') {
      steps {
        script {
          if (fileExists('cgoa-demos')) {
            echo 'Cloned repo already exists - Pulling latest changes'
            dir('cgoa-demos') {
              sh 'git pull'
            }
          } else {
            echo 'Repo does not exist - Cloning the repo'
            sh "git clone -b ${BRANCH} ${REPO_URL}"
          }
        }
      }
    }

    stage('Update Manifest') {
      steps {
        dir('cgoa-demos/jenkins-demo') {
          // Replace placeholder image with the new image tag in deployment.yaml
          sh 'sed -i "s|${IMAGE_REPO}/${NAME}:${VERSION}|${NEW_IMAGE}|g" deployment.yaml'
          sh 'cat deployment.yaml'
        }
      }
    }

    stage('Commit & Push') {
      steps {
        dir('cgoa-demos/jenkins-demo') {
          sh '''
            git config --global user.email "jenkins@ci.com"
            git remote set-url origin ${REMOTE_AUTH}
            git checkout ${BRANCH}
            git add -A || true
            git commit -m "Update manifest: set image to ${NEW_IMAGE}" || true
            git push origin ${BRANCH} || true
          '''
        }
      }
    }
  }
}
This pattern demonstrates the separation of concerns:
  • CI: build/publish artifacts and update Git (push change).
  • GitOps controller: continuously reconcile the cluster to match Git.

Infrastructure as Code (IaC) vs Configuration as Code (CaC)

Understanding IaC vs CaC clarifies responsibilities:
ConcernIaCCaC
Primary focusProvisioning infrastructure (clusters, VMs, networks)Application configuration and runtime manifests
Typical toolsTerraform, Pulumi, CloudFormationHelm, Kustomize, plain Kubernetes manifests
GitOps roleOften used in provisioning pipelines or as upstream inputPrimary driver for reconciliation engines (Argo CD)
Use IaC to create and manage platform resources; use CaC to manage how workloads run on those platforms.
The image compares Infrastructure as Code (IaC) and Configuration as Code (CaC), highlighting their primary focus, what they manage, common tools, context in GitOps, and analogies.

Other topics covered

  • Moving from DevOps to DevSecOps: integrating security into GitOps workflows.
  • CI/CD best practices and how CI pipelines feed pull-based delivery.
  • Observability: Prometheus metrics, Grafana dashboards, and Alertmanager for alerts and incident detection.
  • DORA metrics: measuring lead time, deployment frequency, MTTR, and change failure rate.
  • Labs, exercises, and mock exams to validate your knowledge and certification readiness.
Are you ready to become a GitOps Certified Associate and lead cloud-native operational excellence? This course will prepare you with the practical skills and exam-focused practice to succeed.

Watch Video