Cloud Native

Challenges and Solutions for Cloud‑Native Application Delivery: GitOps with ArgoCD, Tekton, and SOPS

The article analyzes the pain points of cloud‑native application delivery, explains how GitOps—using Kubernetes as a declarative platform and Git as a single source of truth—addresses configuration drift, and demonstrates a practical GitSecOps pipeline built with ArgoCD, Tekton, Kustomize, and SOPS for secure CI/CD.


The rapid rise of cloud‑native technologies has made application delivery a critical concern, but traditional left‑to‑right (push‑based) pipelines let the YAML definitions stored in Git and the actual state of the Kubernetes cluster drift apart, so operators end up reconciling the two by hand.

GitOps solves this by treating the entire stack as declarative code: Kubernetes (or any declarative system) serves as the execution base, while Git (GitHub/GitLab) acts as the single source of truth. Changes to YAML files in a Git repository are automatically synchronized to the cluster, ensuring consistency.

Two popular GitOps tools are Flux and ArgoCD; the author selected ArgoCD for its UI, CLI, and API. ArgoCD runs inside the cluster as a set of pods that listen for Git events and apply the desired state from the repository to the cluster.
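To make the reconcile idea concrete, here is a small Python model of the loop a GitOps controller such as ArgoCD runs. It is an illustration written for this article, not ArgoCD's own code: the manifest from Git is the desired state, the object read back from the cluster is the live state, fields the API server fills in on its own are stripped before comparison, and whatever still differs is configuration drift that the controller repairs by re-applying the Git version. The Deployment manifests, names and IDs are constructed samples.

```python
"""A minimal model of the GitOps reconcile loop.

Added illustration, not ArgoCD's implementation: Git holds the desired state, the
cluster returns the live state, server-managed fields are ignored, and the remaining
difference is configuration drift that the controller removes by re-applying Git.
"""
import copy

# Paths the API server populates on its own; they never appear in Git, so they are not drift.
SERVER_MANAGED = (
    ("status",),
    ("metadata", "uid"),
    ("metadata", "resourceVersion"),
    ("metadata", "creationTimestamp"),
    ("metadata", "generation"),
    ("metadata", "managedFields"),
)


def normalize(obj):
    """Return a copy of obj with server-managed fields removed."""
    out = copy.deepcopy(obj)
    for *parents, leaf in SERVER_MANAGED:
        node = out
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict):
            node.pop(leaf, None)
    return out


def diff(desired, live, path=""):
    """List the dotted paths at which desired and live disagree."""
    if isinstance(desired, dict) and isinstance(live, dict):
        out = []
        for key in sorted(set(desired) | set(live)):
            out += diff(desired.get(key), live.get(key), f"{path}.{key}" if path else key)
        return out
    if isinstance(desired, list) and isinstance(live, list) and len(desired) == len(live):
        out = []
        for i, (d, l) in enumerate(zip(desired, live)):
            out += diff(d, l, f"{path}[{i}]")
        return out
    return [] if desired == live else [path]


def sync_status(desired, live):
    """ArgoCD-style verdict: Synced when nothing but server-managed fields differ."""
    return "Synced" if not diff(normalize(desired), normalize(live)) else "OutOfSync"


def reconcile(desired, live):
    """One controller pass. Returns (drift paths, object state after the pass).

    When drift exists the Git manifest wins; the server-managed fields already on the
    live object are carried over, as an apply would leave them in place."""
    drift = diff(normalize(desired), normalize(live))
    if not drift:
        return drift, copy.deepcopy(live)
    applied = copy.deepcopy(desired)
    for *parents, leaf in SERVER_MANAGED:
        src = live
        for key in parents:
            src = src.get(key) if isinstance(src, dict) else None
        if isinstance(src, dict) and leaf in src:
            dst = applied
            for key in parents:
                dst = dst.setdefault(key, {})
            dst[leaf] = copy.deepcopy(src[leaf])
    return drift, applied


# Constructed sample: the Deployment as committed to Git (desired state).
DESIRED = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "apim", "namespace": "prod"},
    "spec": {
        "replicas": 3,
        "template": {"spec": {"containers": [
            {"name": "apim", "image": "registry.example.com/apim:v1.2.0"}]}},
    },
}

# Constructed sample: the same object read back from the cluster after someone scaled it
# to 5 replicas by hand (live state), with server-managed fields present as well.
LIVE = copy.deepcopy(DESIRED)
LIVE["spec"]["replicas"] = 5
LIVE["metadata"].update({"uid": "placeholder-uid", "resourceVersion": "12345"})
LIVE["status"] = {"availableReplicas": 5}

if __name__ == "__main__":
    print("before:", sync_status(DESIRED, LIVE))
    drift, after = reconcile(DESIRED, LIVE)
    print("drift at:", drift)
    print("after:", sync_status(DESIRED, after))
```

The normalisation step is the part practitioners most often get wrong: without it every object looks OutOfSync because the cluster always adds `uid`, `resourceVersion` and `status`, and the controller would re-apply manifests on every pass.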

One major challenge in GitOps is handling sensitive information. The article recommends never committing hard‑coded secrets, scanning commits with tools such as git‑secrets, encrypting secret files with SOPS (or alternatives such as Vault, Sealed Secrets, or AWS/GCP KMS), and storing only the encrypted files in Git.

SOPS supports YAML, JSON, ENV, INI, and binary formats and can encrypt using AWS KMS, GCP KMS, Azure Key Vault, age, or PGP. The article includes a brief usage illustration (image omitted).
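The rule that only encrypted secrets reach the repository is easiest to enforce with a pre‑commit or CI check. The following Python is an added example, not code from the article or from SOPS: it inspects Kubernetes Secret manifests and rejects any whose `data` or `stringData` values are not in SOPS's `ENC[AES256_GCM,...]` form or that lack the `sops` metadata block with a MAC and a key provider. Manifests are handled as JSON (one of the formats SOPS supports) so the script needs only the standard library; the sample documents, fingerprint and ciphertext are constructed placeholders.

```python
"""Pre-commit check: every Kubernetes Secret in the GitOps repo must be SOPS-encrypted.

Added example, not code from the article or from SOPS. It relies on two documented SOPS
conventions: encrypted leaves are written as ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
and an encrypted file carries a top-level "sops" block holding a MAC and key-provider entries.
"""
import json
import re

# Shape of every SOPS-encrypted leaf value.
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:(str|int|float|bool|bytes)\]$"
)
# Fields that carry a Secret's payload; encrypted_regex in .sops.yaml should match the same two.
SENSITIVE_FIELDS = ("data", "stringData")
# Key providers SOPS can record in its metadata block.
KEY_PROVIDERS = ("pgp", "kms", "gcp_kms", "azure_kv", "hc_vault", "age")


def _plaintext_leaves(node, path):
    """Yield the path of every leaf under node that is not an ENC[...] value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _plaintext_leaves(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _plaintext_leaves(value, f"{path}[{i}]")
    elif not (isinstance(node, str) and ENC_VALUE.match(node)):
        yield path


def check_secret_manifest(doc):
    """Return findings for one parsed manifest; an empty list means it may be committed."""
    findings = []
    if doc.get("kind") != "Secret":
        return findings  # ConfigMaps, Deployments etc. are expected to be readable
    for field in SENSITIVE_FIELDS:
        if field in doc:
            findings += [f"plaintext value at {p}" for p in _plaintext_leaves(doc[field], field)]
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        findings.append("no sops metadata block: file was never encrypted")
    else:
        if not meta.get("mac"):
            findings.append("sops metadata has no mac: file integrity cannot be verified")
        if not any(meta.get(p) for p in KEY_PROVIDERS):
            findings.append("sops metadata names no key provider: nobody could decrypt it")
    return findings


def check_files(named_docs):
    """Map file name -> findings for every manifest that fails; an empty dict means all pass."""
    failed = {}
    for name, doc in named_docs.items():
        findings = check_secret_manifest(doc)
        if findings:
            failed[name] = findings
    return failed


# Constructed sample: a Secret someone tried to commit in clear text.
PLAINTEXT_SECRET = json.loads("""{
  "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db-creds"},
  "stringData": {"username": "apim", "password": "hunter2"}
}""")

# Constructed sample shaped like SOPS output (placeholder ciphertext and fingerprint):
# kind and metadata stay readable because encrypted_regex only covers the payload fields.
ENCRYPTED_SECRET = json.loads("""{
  "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db-creds"},
  "stringData": {
    "username": "ENC[AES256_GCM,data:AAAA,iv:BBBB,tag:CCCC,type:str]",
    "password": "ENC[AES256_GCM,data:DDDD,iv:EEEE,tag:FFFF,type:str]"
  },
  "sops": {
    "pgp": [{"fp": "PLACEHOLDER-FINGERPRINT", "enc": "-----BEGIN PGP MESSAGE-----placeholder"}],
    "mac": "ENC[AES256_GCM,data:GGGG,iv:HHHH,tag:IIII,type:str]",
    "encrypted_regex": "^(data|stringData)$"
  }
}""")

if __name__ == "__main__":
    report = check_files({"plain.json": PLAINTEXT_SECRET, "enc.json": ENCRYPTED_SECRET})
    for name, findings in report.items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run it from a pre‑commit hook over the staged manifest files and fail the commit when `check_files` returns anything; pairing it with a `.sops.yaml` creation rule that sets `encrypted_regex: ^(data|stringData)$` keeps `kind` and `metadata` readable for ArgoCD and Kustomize while the payload stays encrypted.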

For continuous integration and image building, the author integrates Tekton. The Tekton side consists of an EventListener that receives Git webhook events and a PipelineRun that orchestrates the tasks. The pipeline pulls the source code, builds a container image with Kaniko (which needs no Docker daemon), and pushes it to a registry.

PipelineRun resource bindings (Tekton PipelineResources, the API the article uses):

```yaml
resources:
  - name: source-apim          # application source repository
    resourceSpec:
      type: git
      params:
        - name: revision
          value: master
        - name: url
          value: https://your.source.code.github.com.url.git
  - name: devops               # repository holding the Kubernetes manifests that ArgoCD watches
    resourceSpec:
      type: git
      params:
        - name: revision
          value: master
        - name: url
          value: https://your.devops.code.github.com.url.git
  - name: docker-image         # registry location the built image is pushed to
    resourceSpec:
      type: image
      params:
        - name: url
          value: your/docker/image/url
```

Task step that builds and pushes the image with Kaniko. It sits under the Task's `steps:` list; `source-code` and `docker-image` are the Task's own declared input and output resource names, which the Pipeline (not shown) binds to the PipelineRun's `source-apim` and `docker-image` resources above:

```yaml
- name: image-build-and-push
  image: gcr.io/kaniko-project/executor:v0.17.1
  env:
    - name: "DOCKER_CONFIG"
      value: "/tekton/home/.docker/"   # registry credentials mounted here from a Secret
  command:
    - /kaniko/executor
  args:
    - --dockerfile=$(resources.inputs.source-code.path)/Dockerfile
    - --destination=$(resources.outputs.docker-image.url):$(params.image-tag)
    - --context=$(resources.inputs.source-code.path)
```

Combining these components yields a GitSecOps workflow: Tekton + ArgoCD + Kustomize + SOPS (GPG) = GitSecOps. The pipeline not only automates CI/CD but also secures secret management and adds image scanning.

Demo videos and the full source code are available on Bilibili and GitHub repositories linked at the end of the article.

Tags: ci/cd, Cloud Native, kubernetes, GitOps, Tekton, ArgoCD, SOPS

Written by DevOps (IDCF International DevOps Coach Federation)