ADR-0028 — Pull-based GitOps with ArgoCD; separate config repo

V1 Freeze (2026-06-12): Deferred. V1 deploys via Docker Compose (self-host) and direct Helm; no cluster fleet or pull-based CD. Re-opens at P4 (extraction & scale).

Context

BitVault needs continuous delivery to multiple Kubernetes clusters/environments that is auditable, drift-resistant, rollback-able, and secure. The central security question is where cluster credentials live: in a push model (CI runs kubectl/helm upgrade), production credentials sit in CI, the most-attacked surface in the org.

Decision

Adopt pull-based GitOps with ArgoCD:

Consequences

Positive

Negative / costs

Alternatives considered

Scaling

ApplicationSet generators render large matrices of Applications from a few manifests; Git webhooks trigger an immediate sync instead of waiting for the poll interval; the application controller can be sharded if needed; the single GitOps repo is split per team via AppProjects only if contention appears.
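The two points above that carry the security argument, namely that CI never holds cluster credentials (Context) and that a few manifests fan out across the fleet with per-team blast-radius limits (Scaling), are shown together in the following example. It is added here and is not part of the ADR or of BitVault's actual config repo: the repo URL, cluster label keys, app names and overlay paths are placeholders, and the template uses Argo CD's Go-template syntax, which assumes a reasonably recent Argo CD release. The AppProject restricts which repo may be a source and which namespaces and cluster-scoped kinds the project may touch; the ApplicationSet's matrix generator combines every cluster secret carrying the fleet label with a short list of apps, so adding a cluster means registering it (with a label) rather than editing CI.

```yaml
# Added example (not from the ADR): an AppProject that bounds what the
# config repo may deploy, plus an ApplicationSet whose matrix generator
# fans a few app definitions out across every labelled cluster.
# Repo URL, cluster labels, app names and paths are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: bitvault
  namespace: argocd
spec:
  description: BitVault workloads rendered from the separate config repo
  # Only the config repo may be a source; the application repo that CI
  # builds from is deliberately absent, so CI has nothing to deploy with.
  sourceRepos:
    - https://git.example.invalid/bitvault/config.git   # placeholder
  # Blast radius: any registered cluster, but only bitvault-* namespaces.
  destinations:
    - server: "*"
      namespace: "bitvault-*"
  # The only cluster-scoped object this project may create is a Namespace.
  clusterResourceWhitelist:
    - group: ""
      kind: Namespace
  # Quotas and limits stay owned by the platform team, not by app manifests.
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: bitvault-fleet
  namespace: argocd
spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]   # fail loudly on an unset field
  generators:
    # matrix = (every cluster carrying the fleet label) x (each app entry)
    - matrix:
        generators:
          - clusters:
              selector:
                matchLabels:
                  bitvault-fleet: "true"    # placeholder label on cluster secrets
          - list:
              elements:
                - app: api
                  path: apps/api
                - app: worker
                  path: apps/worker
  template:
    metadata:
      name: "{{.name}}-{{.app}}"            # e.g. prod-eu1-api
    spec:
      project: bitvault
      source:
        repoURL: https://git.example.invalid/bitvault/config.git   # placeholder
        targetRevision: main
        # Overlay is chosen by the cluster's env label (e.g. staging, prod),
        # so one template serves every environment.
        path: "{{.path}}/overlays/{{.metadata.labels.env}}"
      destination:
        server: "{{.server}}"
        namespace: "bitvault-{{.app}}"
      syncPolicy:
        automated:
          prune: true      # delete resources removed from Git (drift-resistant)
          selfHeal: true   # revert manual kubectl edits back to the Git state
        syncOptions:
          - CreateNamespace=true
```

With this in place the only credential CI needs is write access to the config repo; the kubeconfigs live in Argo CD's cluster secrets, and the AppProject caps what a compromised commit could reach. Rollback is a Git revert of the offending commit (or `argocd app rollback` to an earlier synced revision), and drift shows up as an OutOfSync status before selfHeal reverts it, which is the signal worth alerting on.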