
Learn State-of-the-Art GitOps/IaC Pipeline

Skill map, mental model, target competence, and deliberate practice plan for mastering production-grade GitOps and Infrastructure-as-Code pipeline engineering.

40 lessons, 869 min total, 4 phases

This overview is designed to help you choose the right entry point quickly. Follow the full track from lesson one, continue from your last checkpoint, or jump straight into a phase that matches what you need right now.

Tags: admission-control, ai, api-design, apply-pipeline, architecture, and 125 more

Curriculum Map

Navigate by phase, then choose the lesson that matches your current depth.

01. Kaufman Skill Map (18 min)
Skill map, mental model, target competence, and deliberate practice plan for mastering production-grade GitOps and Infrastructure-as-Code pipeline engineering.

02. GitOps/IaC Is an Operating Model, Not a Toolchain (17 min)
Why GitOps and IaC should be designed as an operating model instead of a pile of tools, with practical boundaries, state machines, control loops, and production-grade decision rules.

03. System Boundaries and Pipeline Invariants (23 min)
System boundaries, trust boundaries, ownership boundaries, and production invariants for designing a safe GitOps/IaC pipeline.

04. Reference Architecture of a Modern GitOps/IaC Platform (20 min)
End-to-end reference architecture for a modern GitOps/IaC platform, from pull request to plan, policy, approval, apply, reconciliation, observability, and audit evidence.

05. Repository Topologies for Apps, Infra, Environments, and Policies (22 min)
Repository topology decision framework for applications, infrastructure, environments, policies, secrets references, and platform control planes in a production GitOps/IaC pipeline.

06. Branching, Promotion, and Change Flow (19 min)
Branching, promotion, approval, merge, apply, reconciliation, emergency changes, and rollback flow for production-grade GitOps/IaC platforms.

07. IaC Engine Selection: Terraform, OpenTofu, Pulumi, Crossplane (26 min)
Decision framework for selecting Terraform, OpenTofu, Pulumi, Crossplane, cloud-native engines, and reconciliation patterns in a production-grade GitOps/IaC platform.

08. Terraform/OpenTofu State Model and Failure Modes (20 min)
Deep dive into Terraform/OpenTofu state, backend design, locking, workspaces, state boundaries, drift, partial failure, state corruption, secrets, and recovery playbooks.

09. Production-Grade IaC Module System Design (22 min)
Production-grade IaC module system design: module boundaries, API contracts, versioning, provider handling, composition, migration, testing, policy compatibility, and failure modes.

10. Environment Modeling Without YAML Hell (21 min)
Environment modeling without YAML hell: dimensions, hierarchy, overlays, promotion, stack boundaries, workspace risks, configuration contracts, and scalable environment topology.

11. Terragrunt and Stack Orchestration Patterns (27 min)
Terragrunt and stack orchestration patterns for production GitOps/IaC platforms: units, DAGs, dependency outputs, run queues, orchestration boundaries, blast radius, and failure modeling.

12. Designing the Plan Pipeline (22 min)
Designing the IaC plan pipeline: diff classification, affected units, speculative plans, saved plans, plan JSON, policy gates, cost/risk summaries, approval binding, and evidence artifacts.

13. Designing the Apply Pipeline (23 min)
Designing the IaC apply pipeline as a controlled state transition system: approval binding, locking, execution identity, saved plans, re-planning, partial failure, retries, cancellation, evidence, rollback, and break-glass operation.

14. PR-Driven IaC Automation: Atlantis-Style Workflow (20 min)
PR-driven IaC automation using Atlantis-style workflows: webhook architecture, plan/apply commands, autoplanning, locking, project configuration, security boundaries, policy gates, approvals, monorepo design, failure modes, and production rollout patterns.

15. Managed IaC Runners and Remote Execution (27 min)
Managed IaC runners and remote execution patterns for Terraform/OpenTofu, Pulumi, Crossplane-adjacent workflows, HCP Terraform-style remote runs, Spacelift/Scalr/env0-style orchestration, agent pools, isolation, run queues, network boundaries, policy hooks, artifacts, and production failure modes.

16. Credentials, Identity, and Least-Privilege Execution (21 min)
Credentials, workload identity, OIDC federation, least-privilege role design, trust policies, short-lived credentials, human approval versus machine authorization, GitOps controller identities, break-glass access, auditability, and failure modes for production IaC pipelines.

17. Secrets Management in GitOps/IaC (19 min)
Production-grade secrets management for GitOps and IaC pipelines: secret lifecycle, secret zero, SOPS, External Secrets Operator, Vault, cloud secret managers, Kubernetes Secrets, rotation, bootstrap, access control, auditability, and failure modes.

18. Policy as Code Foundation (13 min)
A production-grade foundation for policy as code in GitOps and IaC platforms: policy taxonomy, enforcement points, OPA/Rego, Sentinel, Conftest, Checkov, Kyverno, decision contracts, testing, rollout, exceptions, evidence, and failure modes.

19. IaC Policy Gates Before Apply (23 min)
Production-grade design of IaC policy gates before apply, covering plan JSON evaluation, policy input contracts, severity models, context enrichment, approvals, exceptions, destructive-change control, cost/security/compliance gates, evidence, rollout, testing, and failure modes.

20. Kubernetes Admission Policy in GitOps (19 min)
Production-grade Kubernetes admission policy design for GitOps platforms, covering admission control mental models, Kyverno, OPA Gatekeeper, ValidatingAdmissionPolicy, pre-merge versus runtime enforcement, mutate/validate/generate policies, progressive rollout, policy exceptions, multi-tenancy, observability, failure modes, and operational runbooks.

21. Supply Chain Security for GitOps/IaC (23 min)
Production-grade software supply chain security design for GitOps and IaC platforms, covering artifact integrity, SBOM, provenance, SLSA, in-toto attestations, registry trust, Terraform/OpenTofu provider and module supply chain, policy gates, evidence, and operational failure modes.

22. Sigstore, Cosign, and Keyless Attestation (14 min)
Deep implementation handbook for Sigstore, Cosign, keyless signing, Fulcio, Rekor, TUF roots, attestations, SLSA provenance, SBOM signing, identity-based verification, Kubernetes admission enforcement, and production rollout patterns in GitOps/IaC platforms.