
Metadata Card

  • Prerequisites: Chapter 7 (K8s Basics), Chapter 9 (SRE Basics)
  • Estimated Time: 40 minutes
  • Core Difficulty: Intermediate
  • Reading Mode: High focus
  • Completion Milestone: Understand IaC core value, manage infrastructure with Terraform, understand GitOps reconciliation vs CI/CD

Your Progress

Your command system runs on K8s. But all underlying infrastructure — VMs, load balancers, DNS records, databases — was created manually. Someone SSH'd in and installed software, someone clicked through a web console, someone ran a quick command-line action and moved on.

Result: nobody on the team knows "what resources are actually running in production." A VM called outpost-alpha-nginx — who created it six months ago, what it has, why it's still running — nobody can say.

Worse: you need to build an environment identical to production for testing. You ask General Lin: "Do we have a production config inventory?"

General Lin says: "Ask Old Zhou — but he's on vacation. Just SSH in and cat the nginx config."

You SSH in and find this machine's setup differs from the adjacent one, despite being supposedly identical. Classic snowflake server problem.

Your Task

Learn the core practices of IaC (Infrastructure as Code) and GitOps: Terraform for declarative resource management, Git as the single source of truth, and Argo CD/Flux for reconciliation.


Terraform: Provider (target system), Resource (declarative description), State (maps config to real resources). Plan (preview changes), Apply (execute). Module (reusable code). Remote state backend (S3 + DynamoDB lock).

Environment Isolation: Separate directory per environment (dev/staging/prod), each with independent state file.
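The plan/apply cycle, the state file that maps config addresses to real resource ids, the per-environment state, and the backend lock are easier to see in a small model than in prose. The following is an added illustration written for this chapter, not Terraform's own code: `FakeProvider`, `Backend`, `refresh`, `plan` and `apply` are simplified stand-ins, and the resource addresses and sizes are constructed sample values.

```python
"""Toy model of Terraform's plan/apply cycle with a remote state backend.
Added illustration for this chapter, not Terraform's own code: the provider,
state format, lock and refresh step are simplified stand-ins."""
import copy


class FakeProvider:
    """Stand-in for a cloud API. Real resources live here, keyed by an
    opaque id that only the provider assigns."""

    def __init__(self):
        self.live = {}      # resource id -> attributes
        self._next = 0

    def create(self, attrs):
        self._next += 1
        rid = f"res-{self._next:04d}"
        self.live[rid] = dict(attrs)
        return rid

    def update(self, rid, attrs):
        self.live[rid] = dict(attrs)

    def delete(self, rid):
        del self.live[rid]


class StateLockHeld(Exception):
    """Raised when a second apply targets a state that is already locked."""


class Backend:
    """Remote state backend: one state document per environment plus a lock
    per environment (the role S3 + DynamoDB play in a real setup)."""

    def __init__(self):
        self.states = {}    # env -> {address: {"id": ..., "attrs": ...}}
        self.locks = {}     # env -> holder

    def lock(self, env, holder):
        if env in self.locks:
            raise StateLockHeld(f"{env} state locked by {self.locks[env]}")
        self.locks[env] = holder

    def unlock(self, env):
        self.locks.pop(env, None)

    def read(self, env):
        return copy.deepcopy(self.states.get(env, {}))

    def write(self, env, state):
        self.states[env] = copy.deepcopy(state)


def refresh(state, provider):
    """Re-read live attributes into the state so that changes made out of
    band (console clicks, SSH edits) show up in the next plan."""
    for addr, rec in list(state.items()):
        if rec["id"] not in provider.live:
            del state[addr]                 # deleted out of band: plan recreates it
        else:
            rec["attrs"] = dict(provider.live[rec["id"]])
    return state


def plan(config, state):
    """Diff desired config against recorded state; returns (action, address)."""
    actions = []
    for addr, attrs in config.items():
        if addr not in state:
            actions.append(("create", addr))
        elif state[addr]["attrs"] != attrs:
            actions.append(("update", addr))
    actions += [("delete", addr) for addr in state if addr not in config]
    return actions


def apply(env, config, backend, provider, holder="ci"):
    """Lock, refresh, plan, execute, write state, unlock."""
    backend.lock(env, holder)
    try:
        state = refresh(backend.read(env), provider)
        for action, addr in plan(config, state):
            if action == "create":
                rid = provider.create(config[addr])
                state[addr] = {"id": rid, "attrs": dict(config[addr])}
            elif action == "update":
                provider.update(state[addr]["id"], config[addr])
                state[addr]["attrs"] = dict(config[addr])
            else:
                provider.delete(state[addr]["id"])
                del state[addr]
        backend.write(env, state)
        return state
    finally:
        backend.unlock(env)


if __name__ == "__main__":
    backend, provider = Backend(), FakeProvider()
    prod = {"aws_instance.nginx": {"size": "m5.large"}}   # constructed config
    apply("prod", prod, backend, provider)
    rid = backend.read("prod")["aws_instance.nginx"]["id"]
    provider.live[rid]["size"] = "m5.xlarge"              # someone clicks in the console
    print(plan(prod, refresh(backend.read("prod"), provider)))
```

Two things worth noticing: the plan is computed against the state file, so a console change is invisible until `refresh` re-reads the provider, which is why the next apply reverts it; and the lock is taken before the state is read, so a second apply against the same environment fails fast instead of writing a stale state over a newer one. A dev environment reads an empty state and never touches prod's resources.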

Secrets Management: Never in Git. Use Vault, AWS Secrets Manager, or sops-encrypted files.
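A check that runs before a commit reaches the repository is the practical form of "never in Git". The following scanner is an added illustration for this chapter, not a real tool or the project's own code: the two patterns, the `scan_text`/`scan_files` names and the three sample files are constructed, and the access key in the sample is the documented AWS placeholder value rather than a live credential.

```python
"""Pre-commit style check for secrets in IaC files. Added illustration for
this chapter, not a real scanner: two patterns and three constructed sample
files, enough to show what should and should not trip the check."""
import re

# Constructed sample files (not from any real repository). The access key is
# the documented AWS placeholder value, not a live credential.
SAMPLES = {
    "bad.tfvars": 'db_password = "hunter2"\naws_access_key = "AKIAIOSFODNN7EXAMPLE"\n',
    "good.tf": 'password = data.vault_generic_secret.db.data["password"]\n',
    "secrets.enc.yaml": "db_password: ENC[AES256_GCM,data:QmFk,iv:...,tag:...,type:str]\n",
}

# (rule name, pattern). The credential pattern only fires on a quoted literal
# right after = or :, so a Vault data-source reference or a sops ENC[...] blob
# passes while a pasted plaintext value does not.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-credential",
     re.compile(r'(?i)(password|secret|token|api_key)\s*[=:]\s*"([^"]+)"')),
]


def scan_text(filename, text):
    """Return (file, line number, rule, redacted line) for each hit.
    The matched value is redacted so the finding itself never leaks it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                secret = m.group(m.lastindex or 0)   # value capture if present, else whole match
                findings.append((filename, lineno, rule, line.replace(secret, "[REDACTED]")))
    return findings


def scan_files(files):
    """Scan a mapping of filename -> contents; returns all findings."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    hits = scan_files(SAMPLES)
    for f in hits:
        print(f"{f[0]}:{f[1]} {f[2]}: {f[3]}")
    raise SystemExit(1 if hits else 0)   # non-zero exit blocks the commit
```

Run as a pre-commit hook, a non-zero exit stops the commit. The `good.tf` and `secrets.enc.yaml` samples pass because the value is a Vault lookup resolved at apply time or a sops ciphertext, which is exactly the shape the secrets should have in Git.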

GitOps: Git repository holds desired state. GitOps operator (Argo CD/Flux) continuously reconciles cluster state toward Git state. Detects drift, auto-corrects.

Argo CD: an Application YAML defines the source (Git repo) and the destination (K8s cluster). Sync policy: prune (delete cluster resources that are no longer in Git), self-heal (revert manual changes made to the cluster).
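What the reconciliation loop does with drift depends on the sync policy, and the difference between "report it" and "correct it" is the whole point of prune and self-heal. The following pass is an added illustration for this chapter, modelled loosely on an Argo CD automated sync policy; it is not Argo CD or Flux code. `reconcile` and `policy_of` are constructed names, "Git" and "cluster" are in-memory dicts keyed by (kind, name), and the Application manifest at the bottom is a constructed sample (its field names are the real Argo CD ones).

```python
"""Toy GitOps reconciliation pass, modelled loosely on an Argo CD automated
sync policy. Added illustration for this chapter, not Argo CD or Flux code:
"Git" and "cluster" are in-memory dicts keyed by (kind, name)."""


def policy_of(app):
    """Read (automated, prune, self_heal) from an Argo CD-style Application
    manifest; with no `automated` block the app is synced manually."""
    automated = app.get("spec", {}).get("syncPolicy", {}).get("automated")
    if automated is None:
        return (False, False, False)
    return (True,
            bool(automated.get("prune", False)),
            bool(automated.get("selfHeal", False)))


def reconcile(desired, live, prune=False, self_heal=False):
    """One pass of the loop. `desired` is what Git renders to, `live` is what
    the cluster holds (mutated in place). Returns the actions taken, or the
    drift merely reported where the policy does not allow correcting it."""
    actions = []
    for key, spec in desired.items():
        if key not in live:
            live[key] = dict(spec)
            actions.append(("create", key))
        elif live[key] != spec:
            if self_heal:                       # revert the manual change
                live[key] = dict(spec)
                actions.append(("revert", key))
            else:                               # only report it
                actions.append(("out-of-sync", key))
    for key in list(live):
        if key not in desired:
            if prune:                           # removed from Git -> removed from cluster
                del live[key]
                actions.append(("prune", key))
            else:                               # left running, flagged
                actions.append(("orphan", key))
    return actions


if __name__ == "__main__":
    app = {   # constructed Application manifest
        "apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
        "metadata": {"name": "command-system"},
        "spec": {
            "source": {"repoURL": "https://example.invalid/infra.git", "path": "envs/prod"},
            "destination": {"server": "https://kubernetes.default.svc", "namespace": "prod"},
            "syncPolicy": {"automated": {"prune": True, "selfHeal": True}},
        },
    }
    _, prune, heal = policy_of(app)
    desired = {("Deployment", "web"): {"replicas": 3}}
    live = {("Deployment", "web"): {"replicas": 1}, ("Job", "one-off"): {}}
    print(reconcile(desired, live, prune=prune, self_heal=heal))
```

With `prune: false` a resource deleted from Git keeps running in the cluster and only shows as an orphan, which is the pitfall the chapter warns about; with `selfHeal: false` a `kubectl scale` survives until the next Git change. Both flags default to off when an `automated` block omits them.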

Flux: Source → Kustomization pipeline. GitRepository (source of config), Kustomization (apply to cluster).

GitOps vs CI/CD: CI/CD handles build/test/packaging. GitOps handles deployment. CI/CD triggers on push; GitOps continuously reconciles.


Common Pitfalls: Secrets in IaC configs. Multiple people running terraform apply on the same state without locking. Manual cloud resource changes not reflected in IaC. Auto-sync without prune: true. Messy branch strategies.


Traveler's Notes

IaC solves "snowflake servers" — each machine is no longer a unique, non-reproducible artifact. GitOps goes further: the cluster continuously and automatically converges toward Git's desired state. You don't SSH in, don't click console buttons, don't keep notebooks — you edit code, commit, review, merge. The rest is handled by the reconciliation loop.


Next: Kubernetes Production Practices (Chapter 11).
