The latest articles on Forem by varun varde (@varunvarde). https://forem.com/varunvarde https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3761696%2Fecce1536-897c-45d3-ba4f-11e7d0b344ed.jpg https://forem.com/varunvarde en varun varde Tue, 14 Apr 2026 09:05:05 +0000 https://forem.com/varunvarde/building-production-grade-observability-opentelemetry-grafana-stack-9mc https://forem.com/varunvarde/building-production-grade-observability-opentelemetry-grafana-stack-9mc <p>Stop guessing what's broken in production. Here's a complete, deploy-it-this-week observability stack built on OpenTelemetry and Grafana — the same stack I've deployed for three clients in the last 18 months.</p> <p>This isn't a toy setup. This is production-grade: traces, metrics, and logs unified under a single pane of glass, with auto-instrumentation for the most common runtimes, alerting that pages on symptoms not causes, and dashboards your non-SRE teammates can actually read.</p> <p>What you'll build:</p> <ul> <li><p>OpenTelemetry Collector (gateway mode) for vendor-agnostic telemetry collection</p></li> <li><p>Grafana Tempo for distributed tracing</p></li> <li><p>Prometheus + Grafana Mimir for metrics at scale</p></li> <li><p>Loki for structured log aggregation</p></li> <li><p>Grafana dashboards with pre-built SLO panels</p></li> <li><p>AlertManager rules tied to error budgets</p></li> </ul> <p>Prerequisites: Kubernetes 1.25+, Helm 3, basic familiarity with YAML. Estimated time: 3–5 hours end to end.</p> <h2> Why OpenTelemetry? The vendor-lock argument settled once and for all </h2> <p>You’ve heard it before: “Just use Datadog.” Then the bill arrives. Or “Use Prometheus alone.” Then you lose traces.</p> <p>OpenTelemetry (OTel) is the single CNCF standard for generating and exporting telemetry data. Here’s why it wins:</p> <ul> <li><p>One instrumentation, many backends: Instrument your app once with OTel SDKs. Send to Tempo, Jaeger, Datadog, or New Relic simultaneously.</p></li> <li><p>No vendor lock-in: Your telemetry data remains in your control (S3 for traces, block storage for metrics).</p></li> <li><p>Automatic context propagation: Trace IDs flow seamlessly across services, even across different languages (Java → Python → Node.js).</p></li> <li><p>Future-proof: New backends emerge? Point your OTel Collector there. No code changes.</p></li> </ul> <p>The bottom line: OTel is the USB-C of observability. Stop writing custom exporters.</p> <h2> Architecture overview: Collector, Backends, Visualization </h2> <p>Here’s what you’re deploying:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Your App] --(OTLP)--&gt; [OTel Collector (Gateway)] --+--&gt; [Tempo] (traces) +--&gt; [Mimir] (metrics) +--&gt; [Loki] (logs) | [Grafana] (visualization) | [AlertManager] (paging) </code></pre> </div> <ul> <li><p>OTel Collector (Gateway mode): Receives OTLP from all services. Validates, batches, and routes telemetry. Single ingress point.</p></li> <li><p>Tempo: Object-storage-backed tracing. Cheap, scalable, no indexing costs.</p></li> <li><p>Mimir: Horizontally scalable Prometheus-compatible metrics store.</p></li> <li><p>Loki: Log aggregation with low-cost object storage.</p></li> <li><p>Grafana: Unified UI with Explore, dashboards, and alerting.</p></li> <li><p>AlertManager: Deduplicates, groups, and routes alerts to PagerDuty/Slack.</p></li> </ul> <p>Storage requirements (minimal): 50GB for Loki, 100GB for Tempo (can use S3/GCS/MinIO), 50GB for Mimir.</p> <h2> Installing the OTel Collector (gateway mode Helm values) </h2> <p>Create otel-collector-values.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="s">deployment</span> <span class="c1"># gateway mode (as opposed to daemonset for agent mode)</span> <span class="na">config</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="na">otlp</span><span class="pi">:</span> <span class="na">protocols</span><span class="pi">:</span> <span class="na">grpc</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">0.0.0.0:4317</span> <span class="na">http</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">0.0.0.0:4318</span> <span class="na">processors</span><span class="pi">:</span> <span class="na">batch</span><span class="pi">:</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">1s</span> <span class="na">send_batch_size</span><span class="pi">:</span> <span class="m">1024</span> <span class="na">memory_limiter</span><span class="pi">:</span> <span class="na">check_interval</span><span class="pi">:</span> <span class="s">1s</span> <span class="na">limit_mib</span><span class="pi">:</span> <span class="m">512</span> <span class="na">attributes</span><span class="pi">:</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">environment</span> <span class="na">value</span><span class="pi">:</span> <span class="s">production</span> <span class="na">action</span><span class="pi">:</span> <span class="s">upsert</span> <span class="na">exporters</span><span class="pi">:</span> <span class="na">otlp/tempo</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">tempo-distributor:4317"</span> <span class="na">tls</span><span class="pi">:</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheusremotewrite/mimir</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://mimir-distributor:8080/api/v1/push"</span> <span class="na">loki</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://loki-gateway:3100/loki/api/v1/push"</span> <span class="na">service</span><span class="pi">:</span> <span class="na">pipelines</span><span class="pi">:</span> <span class="na">traces</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp</span><span class="pi">]</span> <span class="na">processors</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">memory_limiter</span><span class="pi">,</span> <span class="nv">batch</span><span class="pi">,</span> <span class="nv">attributes</span><span class="pi">]</span> <span class="na">exporters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp/tempo</span><span class="pi">]</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp</span><span class="pi">]</span> <span class="na">processors</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">memory_limiter</span><span class="pi">,</span> <span class="nv">batch</span><span class="pi">]</span> <span class="na">exporters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">prometheusremotewrite/mimir</span><span class="pi">]</span> <span class="na">logs</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp</span><span class="pi">]</span> <span class="na">processors</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">memory_limiter</span><span class="pi">,</span> <span class="nv">batch</span><span class="pi">]</span> <span class="na">exporters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">loki</span><span class="pi">]</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts helm upgrade <span class="nt">--install</span> otel-collector open-telemetry/opentelemetry-collector <span class="nt">-f</span> otel-collector-values.yaml </code></pre> </div> <h2> Auto-instrumentation: Java, Python, Node.js, Go </h2> <p>No code changes for traces/metrics/logs. Use OTel's auto-instrumentation agents.</p> <p><strong>Java (Spring Boot, any JVM app)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">ENV</span><span class="s"> JAVA_TOOL_OPTIONS="-javaagent:/otel/opentelemetry-javaagent.jar"</span> <span class="k">ENV</span><span class="s"> OTEL_SERVICE_NAME=payment-service</span> <span class="k">ENV</span><span class="s"> OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317</span> </code></pre> </div> <p><strong>Python (Django, Flask, FastAPI)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>opentelemetry-distro opentelemetry-exporter-otlp opentelemetry-bootstrap <span class="nt">-a</span> <span class="nb">install </span>otel-instrument <span class="se">\</span> <span class="nt">--service_name</span> checkout-service <span class="se">\</span> <span class="nt">--exporter_otlp_endpoint</span> http://otel-collector:4317 <span class="se">\</span> python app.py </code></pre> </div> <p><strong>Node.js (Express, NestJS)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @opentelemetry/auto-instrumentations-node npx opentelemetry-instrument <span class="se">\</span> <span class="nt">--service_name</span><span class="o">=</span>api-gateway <span class="se">\</span> <span class="nt">--exporter_otlp_endpoint</span><span class="o">=</span>http://otel-collector:4317 <span class="se">\</span> node server.js </code></pre> </div> <p><strong>Go (manual instrumentation required, but minimal)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"go.opentelemetry.io/otel"</span> <span class="s">"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">initTracer</span><span class="p">()</span> <span class="p">{</span> <span class="n">exporter</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">otlptracegrpc</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">otlptracegrpc</span><span class="o">.</span><span class="n">WithEndpoint</span><span class="p">(</span><span class="s">"otel-collector:4317"</span><span class="p">),</span> <span class="n">otlptracegrpc</span><span class="o">.</span><span class="n">WithInsecure</span><span class="p">())</span> <span class="c">// ... standard setup (5 lines)</span> <span class="p">}</span> </code></pre> </div> <p>Verify: Check Collector logs for TraceID spans.</p> <h2> Deploying Tempo for distributed tracing </h2> <p>Tempo is designed for cost-effective tracing. It stores traces in object storage (S3/MinIO) and indexes only by trace ID.</p> <p>tempo-values.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">tempo</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="na">trace</span><span class="pi">:</span> <span class="na">backend</span><span class="pi">:</span> <span class="s">s3</span> <span class="na">s3</span><span class="pi">:</span> <span class="na">bucket</span><span class="pi">:</span> <span class="s">tempo-traces</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">minio.minio:9000</span> <span class="na">access_key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">secret_key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">pool</span><span class="pi">:</span> <span class="na">max_workers</span><span class="pi">:</span> <span class="m">100</span> <span class="na">queue_depth</span><span class="pi">:</span> <span class="m">10000</span> <span class="na">overrides</span><span class="pi">:</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">ingestion</span><span class="pi">:</span> <span class="na">rate_limit_bytes</span><span class="pi">:</span> <span class="m">15000000</span> <span class="c1"># 15MB/s</span> <span class="na">burst_size_bytes</span><span class="pi">:</span> <span class="m">20000000</span> <span class="na">distributor</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="na">otlp</span><span class="pi">:</span> <span class="na">protocols</span><span class="pi">:</span> <span class="na">grpc</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0:4317"</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add grafana https://grafana.github.io/helm-charts helm upgrade <span class="nt">--install</span> tempo grafana/tempo <span class="nt">-f</span> tempo-values.yaml </code></pre> </div> <p>Query Tempo from Grafana: Add data source → Tempo → URL: <a href="http://tempo-query-frontend:16686" rel="noopener noreferrer">http://tempo-query-frontend:16686</a></p> <h2> Prometheus + Mimir for long-term metrics storage </h2> <p>Mimir replaces single-instance Prometheus. It provides horizontal scaling, replication, and long-term retention.</p> <p>mimir-values.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mimir</span><span class="pi">:</span> <span class="na">structuredConfig</span><span class="pi">:</span> <span class="na">blocks_storage</span><span class="pi">:</span> <span class="na">backend</span><span class="pi">:</span> <span class="s">s3</span> <span class="na">s3</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">minio.minio:9000</span> <span class="na">bucket_name</span><span class="pi">:</span> <span class="s">mimir-blocks</span> <span class="na">access_key_id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">secret_access_key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ingester</span><span class="pi">:</span> <span class="na">ring</span><span class="pi">:</span> <span class="na">replication_factor</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># for HA</span> <span class="na">ruler</span><span class="pi">:</span> <span class="na">rule_path</span><span class="pi">:</span> <span class="s">/data/rules</span> <span class="na">alertmanager_url</span><span class="pi">:</span> <span class="s">http://alertmanager:9093</span> <span class="na">ingester</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">distributor</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">querier</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">--install</span> mimir grafana/mimir <span class="nt">-f</span> mimir-values.yaml </code></pre> </div> <p><strong>Migrate existing Prometheus data</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>promtool tsdb create-blocks-from-rules <span class="nt">--rules-file</span><span class="o">=</span>recording-rules.yaml data/ </code></pre> </div> <p>Then point Prometheus remote write to <a href="http://mimir-distributor:8080/api/v1/push" rel="noopener noreferrer">http://mimir-distributor:8080/api/v1/push</a>.</p> <h2> Loki for log aggregation with structured querying </h2> <p>Loki is like Prometheus for logs. It indexes only labels, not full text, making it cheap at scale.</p> <p>loki-values.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">loki</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">s3</span> <span class="na">s3</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">minio.minio:9000</span> <span class="na">bucketnames</span><span class="pi">:</span> <span class="s">loki-chunks</span> <span class="na">access_key_id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">secret_access_key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">s3forcepathstyle</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">schemaConfig</span><span class="pi">:</span> <span class="na">configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="s">2024-01-01</span> <span class="na">store</span><span class="pi">:</span> <span class="s">boltdb-shipper</span> <span class="na">object_store</span><span class="pi">:</span> <span class="s">s3</span> <span class="na">schema</span><span class="pi">:</span> <span class="s">v12</span> <span class="na">index</span><span class="pi">:</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s">loki_index_</span> <span class="na">period</span><span class="pi">:</span> <span class="s">24h</span> <span class="na">limits_config</span><span class="pi">:</span> <span class="na">ingestion_rate_mb</span><span class="pi">:</span> <span class="m">10</span> <span class="na">ingestion_burst_size_mb</span><span class="pi">:</span> <span class="m">20</span> <span class="na">max_global_streams_per_user</span><span class="pi">:</span> <span class="m">10000</span> <span class="na">chunk_store_config</span><span class="pi">:</span> <span class="na">max_look_back_period</span><span class="pi">:</span> <span class="s">672h</span> <span class="c1"># 28 days</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">--install</span> loki grafana/loki <span class="nt">-f</span> loki-values.yaml </code></pre> </div> <p><strong>Query example (LogQL)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{namespace="production", app="payment-service"} |= "error" | json | latency_ms &gt; 500 | line_format "{{.trace_id}} - {{.message}}" </code></pre> </div> <h2> Grafana: Connecting all three data sources </h2> <p>grafana-values.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">datasources</span><span class="pi">:</span> <span class="na">datasources.yaml</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="m">1</span> <span class="na">datasources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Prometheus-Mimir</span> <span class="na">type</span><span class="pi">:</span> <span class="s">prometheus</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://mimir-query-frontend:8080/prometheus</span> <span class="na">access</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">isDefault</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Tempo</span> <span class="na">type</span><span class="pi">:</span> <span class="s">tempo</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://tempo-query-frontend:16686</span> <span class="na">access</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">jsonData</span><span class="pi">:</span> <span class="na">tracesToLogs</span><span class="pi">:</span> <span class="na">datasourceUid</span><span class="pi">:</span> <span class="s1">'</span><span class="s">loki'</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">service.name'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">pod'</span><span class="pi">]</span> <span class="na">serviceMap</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Loki</span> <span class="na">type</span><span class="pi">:</span> <span class="s">loki</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://loki-gateway:3100</span> <span class="na">access</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">jsonData</span><span class="pi">:</span> <span class="na">derivedFields</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">trace_id</span> <span class="na">matcherRegex</span><span class="pi">:</span> <span class="s1">'</span><span class="s">trace_id=(\w+)'</span> <span class="na">url</span><span class="pi">:</span> <span class="s1">'</span><span class="s">$${__value.raw}'</span> <span class="na">datasourceUid</span><span class="pi">:</span> <span class="s1">'</span><span class="s">tempo'</span> <span class="na">dashboardProviders</span><span class="pi">:</span> <span class="na">dashboardproviders.yaml</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="m">1</span> <span class="na">providers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">slo'</span> <span class="na">orgId</span><span class="pi">:</span> <span class="m">1</span> <span class="na">folder</span><span class="pi">:</span> <span class="s1">'</span><span class="s">SLO</span><span class="nv"> </span><span class="s">Dashboards'</span> <span class="na">type</span><span class="pi">:</span> <span class="s">file</span> <span class="na">options</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/var/lib/grafana/dashboards</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">--install</span> grafana grafana/grafana <span class="nt">-f</span> grafana-values.yaml </code></pre> </div> <p>Test correlation: In Loki, find a log with trace_id=abc123. Click it → jumps to Tempo trace. In Tempo, see affected service → jumps to Mimir metrics for that service.</p> <h2> Building your first SLO dashboard (template included) </h2> <p>Save as slo-dashboard.json and mount into Grafana<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SLO Dashboard - Payment Service"</span><span class="p">,</span><span class="w"> </span><span class="nl">"panels"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Availability (30d SLI)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"targets"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sum(rate(http_requests_total{status!~'5..'}[$__range])) / sum(rate(http_requests_total[$__range]))"</span><span class="p">,</span><span class="w"> </span><span class="nl">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Availability SLI"</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="nl">"thresholds"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"red"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lt"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"absolute"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.995</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"yellow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lt"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"absolute"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.999</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"green"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gte"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"absolute"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.999</span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Error Budget Remaining (30d)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"targets"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"(1 - (sum(rate(http_requests_total{status=~'5..'}[30d])) / sum(rate(http_requests_total[30d])))) / 0.999"</span><span class="p">,</span><span class="w"> </span><span class="nl">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Budget remaining"</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="nl">"fieldConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"defaults"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"unit"</span><span class="p">:</span><span class="w"> </span><span class="s2">"percentunit"</span><span class="p">,</span><span class="w"> </span><span class="nl">"min"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"thresholds"</span><span class="p">},</span><span class="w"> </span><span class="nl">"thresholds"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"red"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lt"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.7</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"yellow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lt"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.9</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"green"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gte"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.9</span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Latency P99 (30d SLI)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"targets"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket[$__range])) by (le))"</span><span class="p">,</span><span class="w"> </span><span class="nl">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"P99 latency"</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>SLO math explained</strong></p> <ul> <li><p>Availability target: 99.9% → error budget = 0.1% of requests can fail.</p></li> <li><p>Budget remaining: (actual_availability - target) / (1 - target) → 1.0 means on track, 0 means exhausted.</p></li> </ul> <h2> AlertManager: Alerting on symptoms, not causes </h2> <p>Bad alert: <em>"CPU on pod payment-7d8f9 is 92%"</em> (cause)<br> Good alert: "Payment service error budget exhausted" (symptom)</p> <p>alertmanager-config.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">route</span><span class="pi">:</span> <span class="na">group_by</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">alertname'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">service'</span><span class="pi">]</span> <span class="na">group_wait</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">group_interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">repeat_interval</span><span class="pi">:</span> <span class="s">12h</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s1">'</span><span class="s">pagerduty-critical'</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">pagerduty-critical</span> <span class="na">continue</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">slack-warnings</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">pagerduty-critical'</span> <span class="na">pagerduty_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">service_key</span><span class="pi">:</span> <span class="s">&lt;your-pd-key&gt;</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">slack-warnings'</span> <span class="na">slack_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">api_url</span><span class="pi">:</span> <span class="s">&lt;webhook&gt;</span> <span class="na">channel</span><span class="pi">:</span> <span class="s1">'</span><span class="s">#alerts-warning'</span> </code></pre> </div> <p><strong>Prometheus alerting rule example</strong> (slo-alerts.yaml)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">slo</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">ErrorBudgetExhausted</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(1 - (sum(rate(http_requests_total{status=~"5.."}[30d])) </span> <span class="s">/ sum(rate(http_requests_total[30d])))) / 0.999 &lt; 0.2</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">service</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{$labels.service}}"</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Error</span><span class="nv"> </span><span class="s">budget</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">{{$labels.service}}</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">below</span><span class="nv"> </span><span class="s">20%"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Remaining</span><span class="nv"> </span><span class="s">budget:</span><span class="nv"> </span><span class="s">{{$value</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">humanizePercentage}}"</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create configmap alertmanager-config <span class="nt">--from-file</span><span class="o">=</span>alertmanager.yaml<span class="o">=</span>alertmanager-config.yaml helm upgrade <span class="nt">--install</span> prometheus prometheus-community/prometheus <span class="se">\</span> <span class="nt">--set</span> alertmanager.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> alertmanager.configFromSecret<span class="o">=</span>alertmanager-config </code></pre> </div> <h2> The 3 dashboards every on-call engineer needs </h2> <p>Stop building 50-panel dashboards. Start with these three.</p> <p><strong>Dashboard 1: Service Health (RED method)</strong></p> <ul> <li><p>Rate (requests per second) per endpoint</p></li> <li><p>Errors (5xx rate, grouped by status code)</p></li> <li><p>Duration (P50, P95, P99 latency)</p></li> <li><p>Saturation (CPU/memory per pod, queue depth)</p></li> </ul> <p>PromQL snippets<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Rate sum(rate(http_requests_total[1m])) by (service, endpoint) # Error ratio sum(rate(http_requests_total{status=~"5.."}[1m])) / sum(rate(http_requests_total[1m])) # P99 latency histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket[5m])) by (le, service)) </code></pre> </div> <p><strong>Dashboard 2: Trace Explorer</strong></p> <ul> <li><p>Top 10 slowest traces in last hour</p></li> <li><p>Trace heatmap (duration vs. timestamp)</p></li> <li><p>Service dependency graph (from Tempo service graph)</p></li> <li><p>High-error traces panel (filter by status.error=true)</p></li> </ul> <p><strong>Dashboard 3: The "Burndown" Chart</strong></p> <ul> <li><p>Error budget remaining (daily trend line)</p></li> <li><p>SLO burn rate (1h, 6h, 24h windows)</p></li> <li><p>Multi-burn alert status (green/yellow/red)</p></li> <li><p>Top offending services by error budget consumption</p></li> </ul> <p>Why this works: On-call opens Dashboard 1 → sees elevated latency → clicks a trace in Dashboard 2 → finds slow database query → checks Dashboard 3 to decide if paging SREs is urgent.</p> <p>Final checklist for production readiness</p> <p>Before you sleep soundly:</p> <ul> <li><p>Ingestion testing: curl a test span/metric/log through the Collector.</p></li> <li><p>Retention: Set Mimir 30d, Tempo 14d, Loki 30d (adjust to compliance).</p></li> <li><p>Auth: Add Grafana OAuth (Google/GitHub) and basic auth for Mimir/Loki ingesters.</p></li> <li><p>Backups: Object storage (MinIO/S3) should have versioning enabled.</p></li> <li><p>Alert testing: Silence a service, verify PagerDuty gets the page.</p></li> <li><p>Runbook: Link each alert to a Confluence doc (e.g., "ErrorBudgetExhausted → <a href="https://wiki/runbooks/slo%22" rel="noopener noreferrer">https://wiki/runbooks/slo"</a>).</p></li> </ul> <p>What’s next? Add OpenTelemetry for your database (PostgreSQL, Redis, MongoDB) using OTel collector receivers. Or add synthetic monitoring with Blackbox exporter.</p> <p>You now have the same stack that cost my clients $0/month (excluding storage) instead of $15k/month for Datadog. Ship it.</p> devops kubernetes sre grafana varun varde Tue, 07 Apr 2026 13:33:40 +0000 https://forem.com/varunvarde/from-github-actions-to-argocd-a-complete-gitops-migration-guide-4kd4 https://forem.com/varunvarde/from-github-actions-to-argocd-a-complete-gitops-migration-guide-4kd4 <p>I've done this migration three times now. Each time, I learn something new about what NOT to do. This guide is the documentation I wish I'd had the first time: the complete migration from a multi-stage GitHub Actions deployment pipeline to a fully declarative GitOps workflow with ArgoCD including the parts every other tutorial glosses over.</p> <p>What you'll build: Production ready ArgoCD installation, ApplicationSet for multi cluster management, Image Updater for automated rollouts, RBAC configuration for multi-team environments, Rollback procedures that work under pressure.</p> <p>Prerequisites: Kubernetes cluster (1.24+), kubectl, Helm 3, existing GitHub Actions CI pipeline. Estimated time: 4-6 hours for learning setup (30 days for production migration).</p> <h2> Phase 1: Assessment — Mapping Your Existing GitHub Actions Pipeline </h2> <p>Every successful migration begins with clarity. Before introducing GitOps, the existing CI/CD topology must be dissected—methodically, not casually.</p> <p>Start by inventorying workflows<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Service</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t myapp .</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">kubectl apply -f k8s/</span> </code></pre> </div> <p>This pipeline reveals implicit assumptions:</p> <ul> <li><p>Deployment is tightly coupled with CI</p></li> <li><p>Kubernetes manifests are applied imperatively</p></li> <li><p>No state reconciliation exists</p></li> </ul> <p>Map each component</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Build Step</td> <td>Artifact creation</td> </tr> <tr> <td>Deploy Step</td> <td>Cluster mutation</td> </tr> <tr> <td>Secrets</td> <td>Runtime configuration</td> </tr> </tbody> </table></div> <p>The goal is not replication but transformation. GitOps demands declarative intent, not procedural execution.</p> <h2> Phase 2: ArgoCD Installation (Production-Grade Helm Values) </h2> <p>A default installation is rarely sufficient. Production demands rigor secure ingress, RBAC, and resource constraints.</p> <p>Install ArgoCD using Helm<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add argo https://argoproj.github.io/argo-helm helm <span class="nb">install </span>argocd argo/argo-cd <span class="nt">-n</span> argocd <span class="nt">--create-namespace</span> <span class="nt">-f</span> values.yaml </code></pre> </div> <p>A hardened values.yaml might resemble<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">argocd.example.com</span> <span class="na">configs</span><span class="pi">:</span> <span class="na">params</span><span class="pi">:</span> <span class="na">server.insecure</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">cm</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://argocd.example.com</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">controller</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">512Mi</span> </code></pre> </div> <p>Security is not ornamental. It is foundational. Misconfigured access at this stage invites future instability.</p> <h2> Phase 3: Structuring Your GitOps Repository </h2> <p>Git becomes the single source of truth. Structure, therefore, becomes paramount.</p> <p>A canonical layout<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gitops-repo/ ├── apps/ │ ├── payments/ │ ├── auth/ ├── environments/ │ ├── dev/ │ ├── staging/ │ └── prod/ └── infrastructure/ ├── ingress/ └── monitoring/ </code></pre> </div> <p>Each directory encapsulates intent.</p> <p>Example application manifest<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">payments-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/org/gitops-repo</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps/payments</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">payments</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Declarative. Predictable. Auditable.</p> <h2> Phase 4: ApplicationSet Configuration for Multi-Team </h2> <p>At scale, manually defining applications becomes untenable. ApplicationSet introduces dynamic orchestration.</p> <p>A Git generator example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ApplicationSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">team-apps</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">generators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">git</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/org/gitops-repo</span> <span class="na">revision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">directories</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps/*</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{path.basename}}'</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/org/gitops-repo</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{path}}'</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{path.basename}}'</span> </code></pre> </div> <p>Teams simply add a folder. The system reacts autonomously.</p> <p>This is where GitOps begins to feel almost sentient responsive, adaptive, yet deterministic.</p> <h2> Phase 5: Migrating Your First Service (with Rollback Plan) </h2> <p>Start small. Select a non-critical service. Minimize risk while maximizing insight.</p> <p><strong>Step 1: Remove Deploy Step from CI</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Keep build, remove kubectl apply</span> - run: docker build <span class="nt">-t</span> myapp <span class="nb">.</span> </code></pre> </div> <p><strong>Step 2: Push Kubernetes Manifests to GitOps Repo</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> </code></pre> </div> <p><strong>Step 3: Let ArgoCD Sync</strong></p> <p>ArgoCD reconciles desired state with actual state.</p> <p><strong>Rollback Strategy</strong></p> <p>Rollback becomes trivial<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git revert &lt;commit-hash&gt; git push origin main </code></pre> </div> <p>No manual intervention. No frantic patching. Just version control.</p> <h2> Phase 6: Image Updater for CI Integration </h2> <p>CI still builds images. But deployment is decoupled.</p> <p>ArgoCD Image Updater bridges the gap<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd-image-updater.argoproj.io/image-list</span><span class="pi">:</span> <span class="s">myapp=repo/myapp</span> <span class="na">argocd-image-updater.argoproj.io/update-strategy</span><span class="pi">:</span> <span class="s">latest</span> </code></pre> </div> <p>Pipeline pushes image<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker push repo/myapp:1.2.3 </code></pre> </div> <p>Image Updater modifies Git<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">repo/myapp:1.2.3</span> </code></pre> </div> <p>ArgoCD syncs automatically.</p> <p>Elegant. Autonomous.</p> <h2> Phase 7: RBAC and Multi-Tenant Configuration </h2> <p>As teams proliferate, governance becomes essential.</p> <p>Define roles<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-rbac-cm</span> <span class="na">data</span><span class="pi">:</span> <span class="na">policy.csv</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">p, role:dev, applications, get, */*, allow</span> <span class="s">p, role:dev, applications, sync, */*, allow</span> <span class="s">g, team-dev, role:dev</span> </code></pre> </div> <p>Namespace isolation<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spec</span><span class="pi">:</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">team-a</span> </code></pre> </div> <p>Each team operates within boundaries autonomous yet controlled.</p> <h2> Phase 8: Observability for Your GitOps Pipelines </h2> <p>Visibility transforms guesswork into certainty.</p> <p>Enable metrics<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">controller</span><span class="pi">:</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Scrape with Prometheus<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">argocd'</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">argocd-metrics:8082'</span><span class="pi">]</span> </code></pre> </div> <p>Key metrics</p> <ul> <li><p>Sync status</p></li> <li><p>Reconciliation duration</p></li> <li><p>Drift detection</p></li> </ul> <p>Logs provide narrative<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs deployment/argocd-application-controller </code></pre> </div> <p>Without observability, GitOps becomes a black box. With it, a glass box.</p> <h2> The 5 Things No Tutorial Mentions (Learned the Hard Way) </h2> <p><strong>1. Git Becomes Your Bottleneck</strong></p> <p>Frequent commits can overwhelm repositories. Optimize branching strategies. Avoid unnecessary churn.</p> <p><strong>2. Drift Happens More Than Expected</strong></p> <p>Manual changes in clusters still occur. ArgoCD corrects them—but not always instantly. Expect transient inconsistencies.</p> <p><strong>3. Secrets Are a Persistent Challenge</strong></p> <p>Plain YAML is insufficient. Integrate tools like sealed secrets or external secret managers.</p> <p><strong>4. ApplicationSet Can Spiral into Complexity</strong></p> <p>Dynamic generation is powerful—but dangerous. Poor templates create cascading misconfigurations.</p> <p><strong>5. Human Behavior Is the Hardest Problem</strong></p> <p>Engineers accustomed to imperative deployments resist change. Training is not optional. It is essential.</p> <p>Migrating to ArgoCD is not merely a tooling shift. It is a philosophical transition—from imperative control to declarative intent.</p> <p>The rewards are substantial. Stability. Traceability. Confidence.</p> <p>But the journey demands discipline. And a willingness to relinquish old habits in favor of something far more resilient.</p> gitops argocd kubernetes devops varun varde Thu, 26 Mar 2026 08:27:40 +0000 https://forem.com/varunvarde/zero-downtime-cloud-migration-the-6-phase-playbook-13p8 https://forem.com/varunvarde/zero-downtime-cloud-migration-the-6-phase-playbook-13p8 <p>Phase 1 is never 'lift and shift.' Here's the framework that keeps production stable throughout the entire move.</p> <p>After leading migrations for organizations ranging from 200 to 4,000 engineers, I've distilled it into 6 phases that keep production alive and teams sane.</p> <p><strong>Phase 1: Discovery &amp; Dependency Mapping</strong><br> Before touching a single VM, audit everything.</p> <ul> <li><p>Inventory all services: apps, databases, middleware, integrations</p></li> <li><p>Map inter service dependencies including the undocumented ones (ask the engineers who've been there longest)</p></li> <li><p>Tag everything by criticality, data sensitivity, migration complexity</p></li> <li><p>Identify the "spiders in the web" services everything else depends on</p></li> </ul> <p>Tools: AWS Application Discovery Service, Cloudamize, or a structured spreadsheet + interviews.</p> <p><strong>Phase 2: Cloud Foundation &amp; Landing Zone</strong><br> Build the platform before you migrate anything.</p> <ul> <li><p>Set up your VPC architecture (hub spoke or flat decide now)</p></li> <li><p>Implement IAM roles, SCPs, and guardrails</p></li> <li><p>Deploy centralized logging, monitoring, and alerting</p></li> <li><p>Establish your IaC standard (Terraform modules, Pulumi stacks — standardize before day one)</p></li> <li><p>Set cost budgets and alerts BEFORE anything runs<br> Never skip this. Teams that migrate first and "sort out governance later" always regret it.</p></li> </ul> <p><strong>Phase 3: Pilot Migration (Noncritical workloads)</strong><br> Start small. Build confidence.</p> <ul> <li><p>Choose a non-critical, low traffic service</p></li> <li><p>Run full migration lifecycle: move → validate → monitor → optimize</p></li> <li><p>Document everything. This becomes your runbook for every subsequent migration</p></li> <li><p>Identify gaps in tooling and process while the stakes are low</p></li> </ul> <p><strong>Phase 4: Wave Based Migration</strong><br> Organize workloads into migration waves by complexity:</p> <ul> <li><p>Wave 1: Stateless apps (easiest)</p></li> <li><p>Wave 2: Stateful apps with managed DB alternatives</p></li> <li><p>Wave 3: Complex integrations and legacy services</p></li> <li><p>Wave 4 (optional): Services that require refactoring before migration</p></li> </ul> <p>Run each wave over 2–4-week sprints. Include a 2-week stabilization window after each wave before proceeding.</p> <p><strong>Phase 5: Cutover &amp; Traffic Management</strong><br> Zero-downtime means dual running, not big-bang.</p> <ul> <li><p>Use feature flags and DNS-based traffic shifting (Route 53 weighted routing or equivalent)</p></li> <li><p>Implement a circuit breaker to instantly roll back traffic if error rates spike</p></li> <li><p>Keep on prem running in parallel for 30–60 days post cutover</p></li> <li><p>Don't decommission anything until you've run at least one full billing cycle on cloud</p></li> </ul> <p><strong>Phase 6: Optimize &amp; Decommission</strong><br> The migration isn't over when the apps are running.</p> <ul> <li><p>Right-size instances based on real usage data (wait at least 2 weeks)</p></li> <li><p>Implement autoscaling where you were running fixed capacity</p></li> <li><p>Set up FinOps dashboards cloud spend will be surprising at first</p></li> <li><p>Decommission on prem systematically, not in a rush</p></li> <li><p>Run a migration retrospective with every team involved</p></li> </ul> <p><strong>The Rule I Never Break</strong><br> No service goes to production without observability in place (logs, metrics, traces), a documented runbook, an on-call rotation assigned, and a tested rollback procedure.</p> <p><strong>Save for your next migration kickoff</strong></p> cloudskills aws webpack webdev varun varde Wed, 18 Mar 2026 08:47:03 +0000 https://forem.com/varunvarde/terraform-modules-that-actually-scale-patterns-from-20-years-35j7 https://forem.com/varunvarde/terraform-modules-that-actually-scale-patterns-from-20-years-35j7 <p>Provisioning was once an artisanal craft defined by shell scripts and fragile golden images. We've since pivoted to the declarative, idempotent paradigm of Terraform. But scaling isn't just about resource count it’s about managing the cognitive load of massive environments. At some point, the question stops being how do I write HCL? and becomes how do I stop this complexity from collapsing under its own weight?</p> <p><strong>The Monolith Trap: Why Large State Files Kill Velocity</strong></p> <p>The Mega State is the ultimate architectural debt. Dumping your VPC, EKS cluster, and RDS instances into one root module creates a catastrophic blast radius. One syntax error in a security group shouldn't lock the state file for your entire production database. Scaling demands decoupling. Infrastructure components must be treated as independent lifecycles. Networking is slow and steady app pods are ephemeral. Isolate them to minimize plan times and risk.</p> <p><strong>Strict Typing and Input Orthogonality</strong></p> <p>Ditch type = any. It’s lazy and dangerous. High utility modules require strict object validation to fail fast. If the calling code sends a malformed schema, the plan should die immediately not thirty minutes into a deployment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"cluster_config"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EKS spec"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">version</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">node_groups</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">capacity_type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}))</span> <span class="p">})</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"1.28"</span><span class="p">,</span> <span class="s2">"1.29"</span><span class="p">,</span> <span class="s2">"1.30"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_config</span><span class="p">.</span><span class="nx">version</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"K8s version restricted by organizational compliance."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Compositional Strategy: Favoring Layering over Nesting</strong></p> <p>Nesting modules inside modules leads to Prop Drilling a nightmare where a variable is passed through five layers of code just to reach a single resource. It's brittle.</p> <p>Layering is the professional choice. Keep modules flat and use a Composition Root to stitch outputs to inputs. This keeps the logic readable and the dependencies explicit.</p> <p><strong>Cross Account Orchestration via Provider Aliasing</strong></p> <p>Enterprise scale means multiple regions and hundreds of AWS accounts. Never hardcode provider blocks inside a module; it makes them non portable. Use Provider Aliases. This allows you to instantiate the same module across different regions within a single run.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Instance in US-East</span> <span class="nx">module</span> <span class="s2">"s3_east"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/s3"</span> <span class="nx">providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">us-east-1</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Instance in US-West</span> <span class="nx">module</span> <span class="s2">"s3_west"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/s3"</span> <span class="nx">providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">us-west-2</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Immutable Versioning and Private Registries</strong></p> <p>Local file paths are for hobbyists. In production, referencing a local path means every save on your laptop could theoretically break a CI/CD pipeline. Scaling requires immutable versioning. Use Git tags or a Private Registry. It’s the only way to ensure Production stays on v1.2.0 while Dev experiments with v2.0.0 beta.</p> <p><strong>Automated Validation: Terratest and OPA Integration</strong></p> <p>If you aren't testing, you're guessing. For core modules, Terratest is the standard. It spins up real resources, pings them to ensure they work, and tears them down. Couple this with Open Policy Agent (OPA) to programmatically block anyone from creating an unencrypted volume or a public S3 bucket before the code even leaves the PR.</p> <p><strong>Day 2 Operations: Refactoring with moved Blocks</strong></p> <p>Refactoring used to mean terraform state mv commands that risked corrupting the remote backend. Now, we have the moved block. It allows you to move resources into modules without triggering a "destroy and recreate" cycle.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">moved</span> <span class="p">{</span> <span class="nx">from</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">legacy_app</span> <span class="nx">to</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">app_cluster</span><span class="p">.</span><span class="nx">aws_instance</span><span class="p">.</span><span class="nx">this</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>This is how you turn a tangled mess of HCL into a robust ecosystem. It’s about predictability, isolation, and strict interfaces.</p> terraform devops webdev tutorial