Slash Command

/gitops-review

GitOps platform review — ArgoCD / Flux / Argo Rollouts. App-of-apps, sync policy, sealed-secrets, progressive delivery, drift, RBAC, DR.

npx claudepluginhub resultakak/argos --plugin argos

Details

Argument<gitops-repo-path>

Prompt Preview

# /gitops-review

## Amaç
Cluster state ↔ Git arası **single source of truth** disiplinini doğrula.
Manuel `kubectl apply`, plain Secret, drift, auto-promote canary gibi
GitOps anti-pattern'lerini yakala.

## Ne Zaman Kullanılır
- Yeni cluster bootstrap (ArgoCD / Flux kurulum)
- App-of-apps pattern review
- Sealed-secrets / SOPS / ESO entegrasyonu
- Progressive delivery (canary / blue-green) tasarım
- Drift alert / reconciliation
- Multi-cluster / multi-tenant yapı
- DR drill / cluster restore plan
- RBAC + AppProject boundary

## Input
- `<gitops-repo-path>` (örn. `gitops-repo/`, `apps/`)
...

Command Content

Stats

Stars0

Forks0

Last CommitMay 11, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

/gitops-review

Amaç

Cluster state ↔ Git arası single source of truth disiplinini doğrula. Manuel kubectl apply, plain Secret, drift, auto-promote canary gibi GitOps anti-pattern'lerini yakala.

Ne Zaman Kullanılır

Yeni cluster bootstrap (ArgoCD / Flux kurulum)
App-of-apps pattern review
Sealed-secrets / SOPS / ESO entegrasyonu
Progressive delivery (canary / blue-green) tasarım
Drift alert / reconciliation
Multi-cluster / multi-tenant yapı
DR drill / cluster restore plan
RBAC + AppProject boundary

Input

<gitops-repo-path> (örn. gitops-repo/, apps/)
Yoksa auto-detect: ArgoCD CRD, Flux CRD, kustomize/helm root

Delege

platform-engineer lider — GitOps disiplini, sync policy, RBAC. Alt-delege:

iac-engineer — cluster bootstrap (Terraform → ArgoCD install)
security-reviewer — sealed-secrets / Vault, RBAC, AppProject
infrastructure-reviewer — manifest review (Deployment → Rollout swap)
deployment-strategist — progressive delivery step %, abort eşik
production-readiness-reviewer — DR plan, restore drill
observability-engineer — drift alert, sync metric

gitops-review skill'i prosedürü taşır.

Beklenen Davranış

rules/kubernetes.md + rules/security.md + rules/cicd.md + rules/observability.md yükle.
Tool tespit (ArgoCD / Flux / Argo Rollouts / Flagger / ESO / sealed-secrets).
Repo yapısı: app-of-apps + per-env + projects/ (RBAC).
Sync policy: automated.prune, selfHeal, retry, serverSideApply.
Secret yönetimi: sealed-secrets / SOPS / ESO; plain Secret block.
Progressive delivery: Rollout step %, analysis template, abort eşik.
Drift: OutOfSync alert, ignoreDifferences minimum.
RBAC: AppProject sourceRepos + destinations + role binding.
DR: cluster restore plan + drill cadence.
Multi-cluster yapı.
Observability: ArgoCD/Flux metric + dashboard + alert.
Action item: sahip + tarih + issue.

Yasaklar

Manuel kubectl apply prod'da — drift garanti.
Plain Secret Git'te — sealed-secrets / ESO zorunlu.
autoSync off + manual sync — GitOps amacı kayıp.
ignoreDifferences = all — drift invisible.
Auto-promote canary analysis fail'de — manual gate olmadan.
* repo / * destination AppProject'te.
Branching environment (env=branch) — per-env directory tercih.
Mono-cluster ArgoCD prod+dev karışımı — blast radius.
DR drill yok — restore süresi bilinmiyor.

Örnek Kullanım

/gitops-review apps/
/gitops-review --argocd argocd/
/gitops-review --flux flux-system/

Örnek Çıktı (özet)

# GitOps Review: gitops-repo/

## Tool / Yapı
- ArgoCD 2.10 + Argo Rollouts 1.7 + sealed-secrets 0.24
- App-of-apps pattern ✓
- Per-env directory (dev/staging/prod) ✓
- 14 Application, 3 AppProject

## Sync Policy
| Env | prune | selfHeal | retry | serverSideApply |
|---|---|---|---|---|
| dev | true | true | 5 | true |
| staging | true | true | 5 | true |
| prod | true | true | 5 | true |

⚠ prod `selfHeal: true` — incident manuel override revert ediyor (High).

## Critical
- [ ] `apps/legacy/billing-secret.yaml` plain `kind: Secret` (base64'lenmiş).
  Çözüm: SealedSecret'a çevir + key'i rotate.
- [ ] `apps/legacy/payment-creds.yaml` plain `Secret`.
- [ ] `default` AppProject `sourceRepos: ['*']` `destinations: ['*']`.
  Çözüm: explicit repo + namespace whitelist.

## High
- [ ] api-svc Rollout step 10/50/100 — çok hızlı; 5/25/50/100 + 5dk pause öner.
- [ ] api-svc analysis success rate sadece HTTP 200; p99 latency dahil et.
- [ ] api-svc canary auto-promote (no manual gate prod) — abort eşik aktif ama
  son adımda manuel onay yok.
- [ ] `ignoreDifferences = all` 3 app'te (monitoring, cert-manager, legacy-billing).
- [ ] DR drill kayıt yok — quarter'da bir cluster restore drill.

## Medium
- [ ] sealed-secrets master key rotate prosedürü dokumented değil.
- [ ] `OutOfSync` alert yok — eklendiğinde 5 dk threshold.
- [ ] AppProject role binding 4 grup için karışık — net sahiplik haritası.

## Action Items
| Öncelik | Aksiyon | Sahip | Bitiş | Issue |
| P0 | 2 plain Secret → SealedSecret + key rotate | @security | 2026-05-12 | #6001 |
| P0 | `default` AppProject explicit whitelist | @platform | 2026-05-14 | #6002 |
| P1 | Rollout step + analysis template güncelleme | @platform | 2026-05-21 | #6003 |
| P1 | Manual gate Rollout son adım prod'da | @platform | 2026-05-21 | #6004 |
| P1 | `ignoreDifferences` precise list | @platform | 2026-05-28 | #6005 |
| P1 | DR drill quarter'da bir + runbook | @sre | 2026-06-04 | #6006 |
| P2 | sealed-secrets rotate prosedürü | @security | 2026-06-04 | #6007 |
| P2 | OutOfSync Prometheus alert | @observability | 2026-05-28 | #6008 |
| P2 | AppProject RBAC haritası dokuman | @platform | 2026-06-11 | #6009 |