Zuplo
Learning Center
API Gateway

What Is GitOps? A Practical Guide for API Teams

Josh TwistJosh Twist
July 19, 2024
10 min read

GitOps uses Git as the single source of truth for infrastructure and API configuration. Learn the core principles, tooling options, and how to apply GitOps to your API gateway.

If you manage APIs, you’ve probably hit the same wall every growing team does: configuration drift between environments, no clear audit trail for who changed what, and deployments that feel more like a leap of faith than a repeatable process. GitOps solves these problems by treating Git as the single source of truth for your entire system — infrastructure, application code, and API configuration included.

In this guide, we’ll cover the fundamentals of GitOps, walk through its core principles, compare the most popular tooling options, and show you exactly how GitOps applies to API management with real configuration examples.

What Is GitOps?

GitOps is a set of operational practices that use Git repositories as the single source of truth for declarative infrastructure and application configuration. Every change — whether it’s a new route on your API gateway, updated rate limiting rules, or a Kubernetes deployment — is made through a Git commit. That commit is reviewed in a pull request, merged, and then automatically applied to your live environment.

The term was coined by Weaveworks in 2017, but the idea builds on decades of version-control best practices. What GitOps adds is a specific operational model: the state of your running systems should always match the state declared in Git, and an automated process should enforce that continuously.

How GitOps Differs from Traditional CI/CD

In a traditional CI/CD pipeline, a central system pushes changes to your environments. You write a pipeline script that builds, tests, and deploys your code. The pipeline has credentials to your production systems and imperatively executes commands to make changes happen.

GitOps flips this model. Instead of a pipeline pushing changes out, an agent running inside (or alongside) your environment pulls the desired state from Git and reconciles it. The key differences:

  • Declarative vs. imperative: You describe what the system should look like, not the steps to get there.
  • Pull vs. push: An agent pulls state from Git rather than a pipeline pushing commands to production.
  • Continuous reconciliation: The agent doesn’t just deploy once — it continuously compares actual state to desired state and corrects any drift.

The Four Principles of GitOps

The OpenGitOps project, a CNCF sandbox initiative, formalized four principles that define a GitOps system:

1. Declarative Configuration

Your entire system — infrastructure, networking, application config, security policies — must be described declaratively. You define the desired end state, not the sequence of steps to reach it. Tools like Kubernetes manifests, Terraform HCL, and Zuplo’s routes.oas.json are all examples of declarative configuration.

2. Versioned and Immutable

The desired state is stored in Git, which gives you version history, immutability (every commit is a snapshot), and a complete audit trail. You can answer “what changed, when, and who approved it?” for any point in your system’s history.

3. Pulled Automatically

Approved changes are automatically applied to the system. Software agents pull the declared state from Git and apply it to the target environment, removing manual deployment steps and reducing the chance of human error.

4. Continuously Reconciled

Agents don’t just deploy and walk away. They continuously compare the actual state of the system to the desired state in Git. If someone makes a manual change that causes drift, the agent detects it and corrects it — bringing the system back in line with what’s declared in the repository.

Benefits of GitOps

Adopting GitOps gives your team concrete operational advantages:

  • Faster, safer deployments: Every change goes through a pull request. Reviews catch problems before they reach production, and rollbacks are as simple as reverting a commit.
  • Complete audit trail: Git’s commit history records every change, who made it, who approved it, and when. This is critical for compliance in regulated industries.
  • Reduced configuration drift: Continuous reconciliation ensures your environments match what’s in Git. No more “works on staging but not production” surprises caused by manual changes.
  • Better collaboration: Pull-request workflows give every team member visibility into infrastructure and configuration changes, not just the engineers who made them.
  • Simplified disaster recovery: Your entire system’s state is in Git. To recover, you point a fresh environment at the same repository and let the agents reconcile.

GitOps Tooling: ArgoCD, Flux, and API-Native Approaches

If you’re working with Kubernetes, two open-source GitOps operators dominate the landscape: ArgoCD and Flux. But for API teams, there’s a third category worth understanding — API-native GitOps, where the platform itself is built around Git workflows.

ArgoCD

ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes. It watches a Git repository for changes to Kubernetes manifests (or Helm charts, Kustomize overlays, etc.) and automatically syncs those changes to your cluster.

ArgoCD is well-suited for teams that manage API infrastructure on Kubernetes — for example, deploying Kong or Ambassador as an ingress controller. You define your gateway’s configuration as Kubernetes custom resources, commit them to Git, and ArgoCD keeps the cluster in sync.

Strengths: Rich UI for visualizing sync status, multi-cluster support, SSO integration, and a large community.

Limitation for API teams: ArgoCD operates at the Kubernetes layer. It manages resources in a cluster, not API-specific concerns like route-level policies, rate limiting configuration, or developer portal settings. You still need to model your API configuration as Kubernetes resources, which adds abstraction.

Flux

Flux is a CNCF graduated project that takes a more modular approach to GitOps. It’s composed of specialized controllers (source-controller, kustomize-controller, helm-controller) that each handle a piece of the GitOps lifecycle.

Flux is a strong choice for teams that want GitOps without a centralized UI — it’s designed to be managed entirely through Git and CLI. Like ArgoCD, it operates at the Kubernetes level.

Strengths: Modular architecture, multi-tenancy support, and tight integration with Helm and Kustomize.

Limitation for API teams: Same as ArgoCD — Flux reconciles Kubernetes resources, not API-level configuration directly.

API-Native GitOps

Some API management platforms are built from the ground up around Git workflows, removing the need for a separate GitOps operator. With this approach, your API gateway configuration lives in a Git repository as declarative files, and the platform deploys directly from Git. No Kubernetes operator layer is required.

Zuplo is an example of this model. Your routes, policies, and custom logic are defined in standard JSON and TypeScript files, stored in Git, and deployed automatically whenever you push. You get the GitOps benefits — version history, pull-request reviews, branch-based environments, rollbacks via git revert — without maintaining a separate reconciliation agent. For a detailed comparison of GitOps capabilities across API platforms, see our platform comparison guide.

Why API Teams Need GitOps

APIs have a unique set of operational challenges that make GitOps particularly valuable. Unlike a typical web application where deployments are mostly about shipping new code, API changes involve configuration that directly affects security, access control, and the experience of every consumer calling your endpoints.

Configuration Is the Product

When you manage an API gateway, your configuration is the product. Route definitions, authentication policies, rate limiting rules, CORS settings, request validation schemas — these aren’t implementation details. They’re the contract your consumers depend on. A misconfigured rate limit can take down a partner integration. A missing authentication policy can expose sensitive data.

GitOps ensures every one of these configuration changes goes through the same review process as your application code. No more clicking through an admin console to make a “quick fix” that nobody else knows about.

Multiple Environments, One Source of Truth

API teams typically manage multiple environments — development, staging, production, and often partner-specific sandboxes. Keeping configuration consistent across these environments is a common pain point that GitOps solves naturally through branch-based workflows. For more on managing API changes and rollbacks across environments, see our dedicated guide.

Compliance and Audit Requirements

If your API handles financial data, health records, or personally identifiable information, you need an audit trail. GitOps gives you one by default — every configuration change is a commit with an author, a timestamp, a review thread, and an approval record.

Declarative API Configuration in Practice

To make this concrete, here’s what GitOps looks like for an API gateway using Zuplo. Your entire API configuration lives in a standard project structure:

plaintext
my-api/
├── config/
│   ├── routes.oas.json   # Route definitions (OpenAPI format)
│   └── policies.json     # Policy configuration
├── modules/
│   └── my-handler.ts     # Custom TypeScript handlers
├── zuplo.jsonc            # Project configuration
└── package.json

Routes are defined in config/routes.oas.json using an extended OpenAPI 3.1 format. Here’s a route with API key authentication and rate limiting, configured entirely in code:

JSONjson
{
  "paths": {
    "/api/v1/orders": {
      "get": {
        "operationId": "get-orders",
        "summary": "List orders",
        "x-zuplo-route": {
          "corsPolicy": "anything-goes",
          "handler": {
            "export": "urlForwardHandler",
            "module": "$import(@zuplo/runtime)",
            "options": {
              "baseUrl": "https://api.example.com"
            }
          },
          "policies": {
            "inbound": ["api-key-inbound", "rate-limit-inbound"]
          }
        }
      }
    }
  }
}

Policies are defined separately in config/policies.json:

JSONjson
{
  "policies": [
    {
      "name": "api-key-inbound",
      "policyType": "api-key-inbound",
      "handler": {
        "export": "ApiKeyInboundPolicy",
        "module": "$import(@zuplo/runtime)"
      }
    },
    {
      "name": "rate-limit-inbound",
      "policyType": "rate-limit-inbound",
      "handler": {
        "export": "RateLimitInboundPolicy",
        "module": "$import(@zuplo/runtime)",
        "options": {
          "rateLimitBy": "ip",
          "requestsAllowed": 100,
          "timeWindowMinutes": 1
        }
      }
    }
  ]
}

This is the entire configuration for a production-ready API route with authentication and rate limiting. It lives in Git, gets reviewed in a PR, and deploys when you push. To learn more about API rate limiting and how it works at the gateway level, see our how-to guide.

A GitOps Workflow for API Teams

Here’s what the day-to-day workflow looks like when your API gateway is managed with GitOps:

1. Create a feature branch. A developer creates a branch to add a new endpoint or modify an existing policy.

2. Make changes in code. The developer edits routes.oas.json to add a new route or updates policies.json to adjust rate limits. If custom logic is needed, they write TypeScript in the modules/ directory.

3. Open a pull request. The changes are visible to the entire team. Reviewers can see exactly which routes changed, which policies were added, and what the security implications are.

4. Preview environment spins up. With platforms like Zuplo, pushing a branch automatically creates an isolated preview environment with its own URL. Reviewers can test the changes against a live gateway before merging.

5. Merge and deploy. Once approved, the PR merges to main and the production gateway updates automatically — typically within seconds.

6. Rollback if needed. If something goes wrong, git revert the commit and push. The gateway returns to its previous state. No console clicking, no run-books, no downtime.

This workflow gives you the same Git-based collaboration you use for application code, applied to your API infrastructure. For a deeper dive into setting up these pipelines, read our guide on API gateway CI/CD and GitOps.

Overcoming Common GitOps Challenges

Adopting GitOps isn’t without friction. Here are the most common challenges teams face and how to address them:

Cultural Shift

GitOps requires everyone — not just developers — to make changes through Git. Operations engineers accustomed to admin consoles and security teams used to portal-based policy management need to adopt pull-request workflows. Start with a single service or API and expand as the team builds confidence.

Secrets Management

Secrets should never be stored in Git. Use a dedicated secrets manager (like HashiCorp Vault, AWS Secrets Manager, or your platform’s built-in environment variables) and reference secrets by name in your declarative configuration. Zuplo, for example, supports environment variables that are stored securely outside of Git and injected at deploy time.

Tooling Complexity

For Kubernetes-based setups, you need to choose between ArgoCD, Flux, or other operators, configure RBAC, manage CRDs, and handle multi-cluster sync. API-native platforms like Zuplo reduce this complexity by building GitOps directly into the deployment model — no separate operator to install or maintain.

Managing Multiple APIs at Scale

As your API portfolio grows, you’ll need conventions for organizing repositories, naming branches, and structuring configuration files. Establish these patterns early. A good starting point is one repository per API (or group of related APIs) with a clear directory structure that separates route definitions, policies, and custom logic. For broader guidance on scaling your API program, see our complete guide to API management.

Getting Started with GitOps for Your APIs

If you’re ready to bring GitOps to your API infrastructure, here’s a practical path forward:

  1. Audit your current process. Document how API configuration changes happen today. Where is the source of truth? Who has access to make changes? How are changes reviewed?

  2. Choose your approach. If you’re running API gateways on Kubernetes (Kong, Ambassador, Istio), consider ArgoCD or Flux to reconcile your gateway CRDs from Git. If you want GitOps without the Kubernetes overhead, evaluate API-native platforms that deploy directly from Git.

  3. Start with one API. Don’t try to migrate everything at once. Pick a single API, move its configuration into a Git repository, set up the deployment pipeline, and validate the workflow end to end.

  4. Expand incrementally. Once the first API is running smoothly, bring over the next one. Codify your conventions into templates and documentation so new teams can onboard quickly.

For a hands-on walkthrough of setting up GitOps with Zuplo, this guide covers the full setup — from connecting your Git repository to deploying your first branch-based environment.

Conclusion

GitOps brings the rigor of version control, code review, and automated deployment to infrastructure and API configuration. For API teams specifically, it solves real operational problems: configuration drift across environments, lack of audit trails for security-critical changes, and manual deployment processes that don’t scale.

Whether you use Kubernetes-native tools like ArgoCD and Flux or an API-native platform like Zuplo that builds GitOps into its core, the outcome is the same — your API configuration is versioned, reviewed, and deployed with confidence. If you’re looking for a platform where GitOps isn’t an add-on but the default way of working, sign up for Zuplo and deploy your first API in minutes.