The latest articles on Forem by Jamil Shaikh (@justasflash). https://forem.com/justasflash https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F160709%2F321d65aa-5b75-4986-b2e8-651f847f30b2.jpg https://forem.com/justasflash en Jamil Shaikh Fri, 29 Aug 2025 21:12:55 +0000 https://forem.com/justasflash/building-a-gitops-infrastructure-pipeline-with-crossplane-and-argo-cd-431 https://forem.com/justasflash/building-a-gitops-infrastructure-pipeline-with-crossplane-and-argo-cd-431 <p><em>From manual kubectl commands to fully automated infrastructure management - here's how I built a production-ready GitOps pipeline</em></p> <h2> TL;DR </h2> <p>I built a complete GitOps infrastructure management system using:</p> <ul> <li>🎯 <strong>Argo CD</strong> for GitOps automation</li> <li>⚡ <strong>Crossplane</strong> for infrastructure provisioning</li> <li>🔄 <strong>App-of-Apps pattern</strong> for scalable application management</li> <li>📦 <strong>MetalLB</strong> as the infrastructure example</li> <li>🎭 <strong>Sync waves</strong> for dependency management</li> </ul> <p><strong>Result</strong>: Infrastructure changes now happen through Git commits, with full automation and zero manual intervention.</p> <h2> The Problem I Solved </h2> <p>Managing Kubernetes infrastructure traditionally sucks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># The old way - manual and error-prone</span> kubectl apply <span class="nt">-f</span> metallb-config.yaml kubectl apply <span class="nt">-f</span> ingress-controller.yaml kubectl apply <span class="nt">-f</span> monitoring-stack.yaml <span class="c"># Oh no! Order matters... 💥</span> <span class="c"># Which version is running in production? 🤷‍♂️</span> <span class="c"># Who made that change? 🕵️‍♂️</span> </code></pre> </div> <p>I wanted infrastructure that:</p> <ul> <li>✅ Lives in Git (version controlled)</li> <li>✅ Deploys automatically (no manual steps)</li> <li>✅ Handles dependencies (no ordering issues)</li> <li>✅ Self-heals (drift detection &amp; correction)</li> <li>✅ Provides audit trails (who, what, when)</li> </ul> <h2> The Solution Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>graph LR A[Git Commit] --&gt; B[Argo CD] B --&gt; C[Crossplane] C --&gt; D[Kubernetes Resources] B --&gt; E[Sync Waves] E --&gt; F[Ordered Deployment] </code></pre> </div> <h2> 🎯 Step 1: App-of-Apps Pattern </h2> <p>Instead of managing 50+ individual Argo CD applications, I use the <strong>App-of-Apps pattern</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># One app to rule them all</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">homelab-root</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-1"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/jamilshaikh07/homelab-gitops.git</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps</span> <span class="c1"># 👈 All child apps live here</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># 🗑️ Clean up deleted resources</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># 🔧 Fix manual changes</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>One root app manages everything</li> <li>New apps = just add YAML files</li> <li>Automatic discovery and deployment</li> </ul> <h2> ⚡ Step 2: Crossplane for Infrastructure </h2> <p>Crossplane lets me manage infrastructure through Kubernetes APIs. Here's the magic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Instead of direct kubectl apply...</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kubernetes.crossplane.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Object</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metallb-ipaddresspool</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="c1"># 👈 Depends on provider</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">providerConfigRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">in-cluster</span> <span class="na">forProvider</span><span class="pi">:</span> <span class="na">manifest</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">metallb.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IPAddressPool</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">homelab-pool</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">metallb-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">addresses</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">10.20.0.81-10.20.0.99</span> <span class="c1"># 🎯 My LoadBalancer IP range</span> </code></pre> </div> <p><strong>Why Crossplane Objects?</strong></p> <ul> <li>🔄 <strong>Continuous reconciliation</strong> (drift detection)</li> <li>📊 <strong>Rich status reporting</strong> (health, errors)</li> <li>🎭 <strong>Dependency management</strong> (waits for providers)</li> <li>🔒 <strong>RBAC integration</strong> (secure access)</li> </ul> <h2> 🎭 Step 3: Sync Waves for Dependencies </h2> <p>Order matters in infrastructure! I use sync waves to ensure proper sequencing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Wave -1: Root app-of-apps</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-1"</span> <span class="c1"># Wave 0: Install Crossplane providers</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="c1"># Wave 1: Provider configs + RBAC</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="c1"># Wave 2: Infrastructure resources</span> <span class="na">argocd.argoproj.io/sync-wave</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> </code></pre> </div> <p><strong>Result:</strong> No more "CRD not found" or "provider not ready" errors! 🎉</p> <h2> 🔐 Step 4: RBAC - The Critical Missing Piece </h2> <p>Crossplane needs permissions to manage your infrastructure. This is often overlooked:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">crossplane-provider-kubernetes-metallb</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">metallb.io"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">ipaddresspools"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">l2advertisements"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">*"</span><span class="pi">]</span> <span class="nn">---</span> <span class="c1"># Bind to the provider's service account</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">crossplane-provider-kubernetes-metallb</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">crossplane-provider-kubernetes-metallb</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">provider-kubernetes-xxxxx</span> <span class="c1"># 👈 Get from kubectl</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">crossplane-system</span> </code></pre> </div> <p><strong>Pro tip:</strong> Restart provider pods after RBAC changes!</p> <h2> 🧪 Testing the Complete Pipeline </h2> <p>Time for the moment of truth:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Bootstrap (one-time manual step)</span> kubectl apply <span class="nt">-f</span> argocd/app-of-apps.yaml <span class="c"># 2. Check GitOps automation</span> kubectl <span class="nt">-n</span> argocd get applications NAME SYNC STATUS HEALTH STATUS crossplane-provider-kubernetes Synced Healthy ✅ homelab-root Synced Healthy ✅ metallb-config Synced Healthy ✅ <span class="c"># 3. Verify infrastructure was created</span> kubectl <span class="nt">-n</span> metallb-system get ipaddresspools.metallb.io NAME ADDRESSES homelab-pool <span class="o">[</span><span class="s2">"10.20.0.81-10.20.0.99"</span><span class="o">]</span> ✅ <span class="c"># 4. Test LoadBalancer functionality</span> kubectl create deployment nginx <span class="nt">--image</span><span class="o">=</span>nginx kubectl expose deployment nginx <span class="nt">--type</span><span class="o">=</span>LoadBalancer <span class="nt">--port</span><span class="o">=</span>80 kubectl get svc nginx NAME TYPE EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> nginx LoadBalancer 10.20.0.82 80:30114/TCP ✅ <span class="c"># 5. Verify connectivity</span> curl http://10.20.0.82 &lt;<span class="o">!</span>DOCTYPE html&gt; &lt;html&gt; &lt;<span class="nb">head</span><span class="o">&gt;</span>&lt;title&gt;Welcome to nginx!&lt;/title&gt;&lt;/head&gt; <span class="c"># 🎉 SUCCESS!</span> </code></pre> </div> <p><strong>It works!</strong> Infrastructure deployed entirely through GitOps! 🚀</p> <h2> 📁 Repository Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>homelab-gitops/ ├── argocd/ │ └── app-of-apps.yaml # 🏠 Root application ├── apps/ │ ├── crossplane-provider-kubernetes-app.yaml │ └── metallb-config-app.yaml # 👶 Child applications ├── crossplane/ │ └── provider-kubernetes/ │ ├── provider.yaml # ⚡ Crossplane provider │ ├── providerconfig.yaml # ⚙️ Configuration │ └── rbac.yaml # 🔐 Permissions └── metallb/ ├── metallb-ipaddresspool.yaml # 🌐 Infrastructure └── metallb-l2advertisement.yaml # 📦 Resources </code></pre> </div> <h2> 💡 Key Lessons Learned </h2> <h3> 1. <strong>API Versions Are Critical</strong> </h3> <p>Different provider versions use different APIs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># v0.13.0 uses v1alpha1</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kubernetes.crossplane.io/v1alpha1</span> <span class="c1"># Newer versions use v1alpha2 </span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kubernetes.crossplane.io/v1alpha2</span> </code></pre> </div> <h3> 2. <strong>Bootstrap is Still Manual</strong> </h3> <p>Even with full GitOps, you need one manual step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> argocd/app-of-apps.yaml </code></pre> </div> <p>After this, everything else is automated!</p> <h3> 3. <strong>RBAC Debugging</strong> </h3> <p>If Crossplane objects stay "NotReady":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check provider permissions</span> kubectl <span class="nt">-n</span> crossplane-system describe object metallb-ipaddresspool <span class="c"># Common fix: restart provider after RBAC changes</span> kubectl <span class="nt">-n</span> crossplane-system delete pod <span class="nt">-l</span> pkg.crossplane.io/provider<span class="o">=</span>provider-kubernetes </code></pre> </div> <h3> 4. <strong>YAML Formatting Matters</strong> </h3> <p>Watch your indentation! This kept my root app OutOfSync:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ❌ Wrong</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">crossplane-system</span> <span class="c1"># ✅ Correct </span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">crossplane-system</span> </code></pre> </div> <h2> 🚀 What's Next? </h2> <p>This foundation scales to manage ANY infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Database clusters</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PostgreSQLCluster</span> <span class="c1"># Service meshes </span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Istio</span> <span class="c1"># Monitoring stacks</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PrometheusStack</span> <span class="c1"># Certificate management</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="c1"># Storage solutions</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> </code></pre> </div> <p><strong>The pattern stays the same:</strong></p> <ol> <li>Define in YAML</li> <li>Commit to Git </li> <li>Argo CD syncs automatically</li> <li>Crossplane provisions infrastructure</li> <li>Profit! 💰</li> </ol> <h2> 🎉 Results </h2> <p><strong>Before:</strong></p> <ul> <li>Manual <code>kubectl</code> commands</li> <li>Configuration drift</li> <li>No audit trail</li> <li>Deployment anxiety 😰</li> </ul> <p><strong>After:</strong> </p> <ul> <li>Infrastructure as Code</li> <li>Git-driven deployments</li> <li>Automatic drift correction</li> <li>Pull request reviews</li> <li>Confidence in production 😎</li> </ul> <p><strong>Infrastructure changes are now as simple as creating a pull request!</strong></p> <h2> 🔗 Resources </h2> <ul> <li>📝 <a href="https://github.com/jamilshaikh07/homelab-gitops" rel="noopener noreferrer">Complete repository</a> </li> <li>📚 <a href="https://crossplane.io/" rel="noopener noreferrer">Crossplane documentation</a> </li> <li>🎯 <a href="https://argo-cd.readthedocs.io/" rel="noopener noreferrer">Argo CD documentation</a> </li> <li>🏗️ <a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/cluster-bootstrapping/" rel="noopener noreferrer">App-of-Apps pattern</a> </li> </ul> <p><strong>What infrastructure will you GitOps next?</strong> Drop a comment and let me know what you're planning to automate! 👇</p> <p><em>Follow me for more cloud-native and DevOps content! 🚀</em></p> kubernetes argocd linux crossplane