GitOps

The platform ships with a GitOps system pre-configured. Within the values repo, there is a directory named env/manifests/ where any manifest you place is automatically reconciled into the cluster.

The values repository is a Git repository that captures the complete desired state of the platform. Every change made through the platform's web interface or API is committed there automatically, giving you a full audit trail and a single place to inspect or override platform state. ArgoCD watches the values repository continuously and reconciles the cluster to match — no manual apply steps required.

By default, the platform is installed with a lightweight Git server that hosts the values repository. This server does not have web interface but you can interact with local Git client. To obtain the git clone command, open your terminal and execute the following:

kubectl get secret -n apl-secrets apl-git-config -ojsonpath='{.data.gitCloneCmd}' | base64 --decode

Then, perform the git clone command and go to the values directory where you can perform Git operations.

For production environments, it is recommended to use an external Git repository. See BYO Git.

Directory structure

The env/manifests/ directory is organized into two top-level directories:

env/manifests/
  namespaces/
    {namespace}/          # one ArgoCD Application per directory, synced into that namespace
      {resource-type}/    # namespace-scoped resource kinds
  global/                 # one ArgoCD Application, cluster-scoped (no destination namespace)
    {resource-type}/      # cluster-scoped resource kinds

Each directory under namespaces/ maps one-to-one to a Kubernetes namespace and backs a dedicated ArgoCD application — the namespace is created automatically if it does not exist. Subdirectories within it are organizational only; ArgoCD reconciles everything it finds there into that namespace. The global/ directory works the same way but targets no namespace, making it the right place for cluster-scoped resources such as CRDs, ClusterRoles, and StorageClasses.

Operator-owned directories

Not all directories under namespaces/ are yours to modify. Directories prefixed with apl- are operator-owned: the platform writes into them and relies on their contents being intact. Two carry platform-critical state: apl-secrets/, which holds SealedSecrets (Kubernetes Secrets encrypted for safe storage in Git) written by the platform operator; and apl-users/, which holds user-management objects. Every other namespace directory is user-owned.

🚧

Do not add, edit, or delete files in any apl- prefixed directory. Changes there may be overwritten by the operator or break platform behavior.