GitOps starter: deploy a micro-app with OIDC access and EU data residency guarantees

Ship a secure EU-resident micro-app with GitOps, OIDC, and RBAC — starter repo included

Hook: If your deployment pipeline is fragile, cloud bills surprise you, and legal teams keep asking how you guarantee data stays inside the EU — this starter kit is for the team that needs a repeatable, audited GitOps pattern today.

What you'll get

• A downloadable GitOps repository with ArgoCD manifests and Helm overlays
• Working OIDC SSO integration for user login and ArgoCD UI access
• Kubernetes RBAC examples for least-privilege access to the micro-app
• Policy-as-code (Gatekeeper/OPA) constraints enforcing EU-only storage
• Reference StorageClass and cloud policy snippets to lock data to EU regions

The repo is ready to run on any managed Kubernetes cluster but includes optional configs targeting EU sovereign regions (for example: AWS European Sovereign Cloud, Azure Confidential Regions, or Google Sovereign Clouds).

Why this matters in 2026

GitOps is the de facto delivery pattern for teams that want repeatability and auditable change history. In late 2025 and early 2026 we've seen two trends accelerate:

• Sovereign infrastructure options: Cloud providers released dedicated European sovereign regions and stronger legal controls (for example, AWS announced the European Sovereign Cloud in Jan 2026). That makes it realistic to meet EU residency guarantees without custom networking hacks.
• OIDC and workload identity convergence: OIDC-based SSO and cloud workload identity (IRSA, Workload Identity Federation) are replacing long-lived secrets. ArgoCD and Kubernetes ecosystems now have first-class support for OIDC flows and short-lived tokens.

Combine these with policy-as-code and you can ship micro-apps quickly while providing audit trails and verifiable data residency.

Architecture overview

High-level components in the starter repo:

• Git repository: declarative manifests for app, infra, and policies (ArgoCD uses this repo as the single source of truth)
• ArgoCD: GitOps controller to sync manifests to the cluster and manage lifecycle
• OIDC provider: Keycloak (self-hosted) or your cloud IdP (Azure AD, Google Identity, or AWS IAM Identity Center)
• oauth2-proxy + Ingress: Authentication front for the micro-app (optional: replace with OIDC-aware Ingress like Kong or Traefik)
• Policy engine: OPA Gatekeeper to enforce EU-residency and RBAC invariants
• EU-resident storage: Example using S3-compatible bucket with region restriction and a managed Postgres instance pinned to an EU region

Prerequisites

• kubectl (v1.27+ recommended)
• argocd CLI (for manual login and troubleshooting)
• helm and kustomize (for local templating and testing)
• A Kubernetes cluster in an EU region (or a sovereign EU cloud account)
• Optional: a Keycloak instance or cloud IdP configured for OIDC

Get the repo

Clone the starter template to follow along and deploy in minutes:

git clone https://github.com/deployed-cloud/gitops-microapp-eu.git
cd gitops-microapp-eu

Bootstrap ArgoCD and sync the GitOps repo

1. Install ArgoCD (manifest or Helm). Example (quick):

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

Wait for pods to be ready, then port-forward or expose the service.

2. Create an ArgoCD Application that points at the repo. Example:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: microapp-root
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'https://github.com/deployed-cloud/gitops-microapp-eu'
    targetRevision: HEAD
    path: apps/microapp/overlays/eu
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: microapp-eu
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

This Application triggers ArgoCD to apply the overlay that contains EU-specific configuration.

OIDC: user SSO and ArgoCD integration

Goal: Use OIDC for both UI logins and for token exchange to grant GitOps operators access without long-lived passwords.

Two common options:

• Cloud IdP (recommended for enterprises) — configure Azure AD, Google Identity, or AWS IAM Identity Center as an OIDC provider and connect ArgoCD.
• Self-hosted Keycloak — useful for isolated or sovereign deployments.

ArgoCD OIDC example (in argocd-cm)

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  oidc.config: |
    name: EU-IdP
    issuer: https://idp.example.eu/auth/realms/eu
    clientID: argocd-client
    clientSecret: $oidc.argocd-client-secret
    requestedScopes: ["openid", "profile", "email"]

Store the client secret as a Kubernetes secret and reference it in ArgoCD. The repo includes a sample Keycloak realm and an Ansible/terraform role to provision the IdP in an EU region.

RBAC: least privilege for humans and CI

Kubernetes RBAC and ArgoCD RBAC are both required. Use the principle of least privilege and group-based bindings.

Kubernetes Role and RoleBinding (example)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: microapp-eu
  name: microapp-deployer
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bind-microapp-deployer
  namespace: microapp-eu
subjects:
- kind: Group
  name: 'eu-dev-team@example.com'
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: microapp-deployer
  apiGroup: rbac.authorization.k8s.io

Use ArgoCD's RBAC to control who can sync Applications and who can override values. Example in argocd-rbac-cm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    p, role:eu-dev, applications, sync, microapp-root/*, allow
    g, eu-dev@example.com, role:eu-dev

Enforce EU data residency with policy-as-code

The GitOps repo includes Gatekeeper ConstraintTemplates and Constraints that reject resource creations if storage or region labels don't meet EU rules.

Constraint example: require storage to have eu-region label

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabel
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabel
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8srequiredlabel
      violation[{
        "msg": msg
      }] {
        input.review.object.metadata.labels["eu-region"] == ""
        msg := "All storage resources must include metadata.labels.eu-region with an EU location"
      }

---

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabel
metadata:
  name: storage-must-be-eu
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["PersistentVolumeClaim", "ConfigMap"]

This rejects PVCs that lack the eu-region label. Combine this with CI checks that verify cloud resources (S3 buckets, managed DBs) are provisioned in EU regions.

Cloud storage: how to make an S3 bucket EU-only

Cloud providers offer region-scoped buckets, but misconfiguration and cross-region replication can leak data. Use both cloud settings and GitOps-enforced policies.

Example S3 bucket policy to restrict cross-region access

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::microapp-eu-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "eu-west-1"
        }
      }
    }
  ]
}

For sovereign clouds, the provider may offer additional legal assurances. The repo contains Terraform modules with region variables to provision buckets and RDS instances in EU-only locations.

Secrets and key management

Do not store long-lived secrets in Git. The starter template shows two patterns:

• Vault with transit KMS: HashiCorp Vault deployed in an EU region, using the cloud KMS for auto-unseal (keys managed in the EU)
• Workload Identity Federation: Configure the cluster to assume an ephemeral role/token from your cloud provider and fetch secrets at runtime

Deploying the micro-app (step-by-step)

1. Clone the repo and choose the EU overlay: git checkout overlays/eu
2. Install ArgoCD and register the cluster (if using multi-cluster)
3. Provision IdP (Keycloak realm or cloud IdP client) and configure OIDC in ArgoCD
4. Apply Gatekeeper and the included constraints to block non-EU storage
5. Provision storage via Terraform modules in the repo (bucket + Postgres) in the EU region
6. Let ArgoCD sync the microapp Application — it will create Deployment, Service, Ingress, and attach persistent storage

Validation and testing

Use these commands to validate the deployment and residency guarantees:

• ArgoCD app health:

  argocd app get microapp-root

• Check Pod location:

  kubectl get pods -n microapp-eu -o wide

• Verify PVC label enforced:

  kubectl get pvc -n microapp-eu -o yaml | yq .metadata.labels

• Confirm S3 bucket region and policy using cloud CLI:

  aws s3api get-bucket-location --bucket microapp-eu-bucket

Operational and security checklist

• Audit logs: Enable and centralize cloud audit logs in an EU-located logging account.
• Drift detection: Use ArgoCD self-heal + periodic audits from Policy-as-Code to catch out-of-band changes.
• Least privilege: Review ArgoCD and cluster RBAC quarterly; prefer group mappings rather than individual accounts.
• Short-lived credentials: Adopt OIDC-backed workload identities for controllers and CI systems.
• Secrets lifecycle: Rotate database and KMS keys regularly and enforce rotation via Vault policies.

Common pitfalls and troubleshooting

ArgoCD unable to login to Git

Check that ArgoCD has credentials for the repo. Use a deploy key or a read-only token and store it in a Kubernetes secret. For private submodules, make sure SSH keys are accessible to ArgoCD repo-server.

Gatekeeper blocks legitimate resources

Gatekeeper policies are strict by design. Use a staging namespace to iterate, enable audit mode for constraints, and only enforce them after CI runs example deployments.

OIDC login fails

Common causes: mismatch between the IdP redirect_uris and ArgoCD callback URL, wrong client secret, or clock skew. Ensure your IdP and ArgoCD time are synchronized (NTP) and that the issuer URL matches exactly.

Advanced strategies and future-proofing (2026+)

• Policy as code + supply chain security: Integrate SLSA attestation checks into your GitOps pipeline so ArgoCD only deploys artifacts with provenance metadata.
• Immutable infra tags: Tag every resource with gitCommit, environment, and eu-residency metadata to make audits trivial.
• Zero-trust networking: Use mTLS (e.g., Istio) and network policies to reduce blast radius for micro-apps.
• Cost observability: Use deployment sizing templates in the repo and automate cost guardrails (limits for CPU/memory and scheduled scale-down for non-prod).

Why choose GitOps + OIDC + RBAC + EU residency now

In 2026, teams face both faster expectations to ship and stricter legal/regulatory requirements. The combination below is the practical sweet spot:

• GitOps provides auditable, pull-based deployments with built-in rollback.
• OIDC centralizes identity, reduces credential sprawl, and integrates with enterprise SSO providers.
• RBAC enforces least privilege across humans and machine actors.
• EU residency controls reduce legal risk and provide provable evidence for auditors.

“Build once, prove residency once, and reuse the pattern across teams.”

Actionable takeaways

1. Clone the repo and deploy ArgoCD in a staging EU cluster in less than 30 minutes.
2. Provision IdP clients in your EU IdP (Keycloak or cloud provider) and enable ArgoCD OIDC.
3. Enable Gatekeeper constraints in audit mode first, then switch to enforcing after a pilot run.
4. Use workload identity federation to remove long-lived secrets and enforce rotation via Vault or cloud KMS.
5. Tag every resource with eu-region and git metadata to make audits and cost allocation reliable.

Download the starter repo

Start here: https://github.com/deployed-cloud/gitops-microapp-eu

The repo contains a step-by-step README, Terraform modules for EU resource provisioning, ArgoCD Applications, and example OIDC realm exports for Keycloak. Fork it, customize the cloud-region variables, and run the included bootstrap script to automate most steps.

Need a jumpstart?

If you want hands-on help: deploy the repo to a sandbox EU cluster, run a smoke test, and generate an audit report that proves data residency and access controls — reach out to the team at deployed.cloud for a guided workshop.

Final thoughts and predictions (2026)

Expect continued growth of sovereign cloud offerings and stronger tooling around workload identity and GitOps. Teams that adopt OIDC-first identity, strict RBAC, and policy-as-code now will reduce compliance overhead and ship micro-apps with confidence.

Call to action

Download the GitOps starter today, run it against an EU cluster, and validate residency and policy enforcement. Your next sprint should be about features — not firefighting infra misconfigurations.

Related Reading

• How Beauty Stunts Raise the Bar for Fragrance Launches: Lessons from a Gravity-Defying Mascara
• Commuter E-Bike Backpacks: What to Look For If You Ride a 500W Electric Bike
• Is Your Pet-Tech a Scam? Red Flags from CES and the Wellness Wild West
• How to Candy Buddha’s Hand and Use It in Mexican Baking
• Privacy & Compliance Guide for Creators: Navigating Age-Verification and Child Safety Rules