
Shipping GraphRAG with GitOps: Kustomize Overlays + ExternalSecrets

An end-to-end deployment walkthrough for introducing a new AI service with environment overlays, secret wiring, and production-safe defaults.

By Victor Robin Updated:

Introduction

Adding a new AI service is mostly an infrastructure and operations problem: image delivery, environment overlays, secrets, connectivity, and observability all have to align.

Commit Signals

  • f05595f: GraphRAG manifests added for base + dev/staging/prod.
  • 8c287cd: fixed ExternalSecret store refs and key names.
  • 64a1c53: corrected Qdrant port and OTEL endpoint.

Deployment Blueprint

  1. Define base manifests with stable labels and probes.
  2. Apply per-environment overlays for replicas/resources.
  3. Wire secrets through ExternalSecrets only.
  4. Validate service endpoints and telemetry destinations.
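
A CI gate for steps 3 and 4, as an added example (not code from the original post or its repository): it checks parsed manifests for plain Secrets, unapproved store references, secret keys that no ExternalSecret syncs, and wrong endpoint ports. The store name `infisical`, the env var `QDRANT_URL`, the resource names and the expected port values are assumptions; the manifests are constructed sample data.

```python
from urllib.parse import urlsplit

# Assumed policy (hypothetical values; the page does not list them).
ALLOWED_STORES = {("ClusterSecretStore", "infisical")}
EXPECTED_PORTS = {"QDRANT_URL": 6333, "OTEL_EXPORTER_OTLP_ENDPOINT": 4317}

def check_manifests(docs):
    """Return policy findings for parsed manifests (e.g. `kustomize build` output)."""
    findings, provided = [], {}
    for d in docs:
        name = d["metadata"]["name"]
        if d["kind"] == "Secret":
            findings.append(f"Secret/{name}: plain Secret rendered from Git")
        elif d["kind"] == "ExternalSecret":
            ref = d["spec"]["secretStoreRef"]
            if (ref.get("kind", "SecretStore"), ref["name"]) not in ALLOWED_STORES:
                findings.append(f"ExternalSecret/{name}: unknown store {ref['name']}")
            # Target Secret name defaults to the ExternalSecret's own name.
            target = d["spec"].get("target", {}).get("name", name)
            provided[target] = {e["secretKey"] for e in d["spec"].get("data", [])}
    for d in docs:
        if d["kind"] != "Deployment":
            continue
        for c in d["spec"]["template"]["spec"]["containers"]:
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref and ref["key"] not in provided.get(ref["name"], set()):
                    findings.append(f"{env['name']}: {ref['name']}/{ref['key']} "
                                    "is not synced by any ExternalSecret")
                want = EXPECTED_PORTS.get(env["name"])
                if want and urlsplit(env.get("value", "")).port != want:
                    findings.append(f"{env['name']}: expected port {want}")
    return findings

def sample(key, qdrant_port, store="infisical"):
    """Constructed manifests for a hypothetical 'graphrag' Deployment (URLs carry a scheme)."""
    env = [
        {"name": "LLM_API_KEY", "valueFrom": {"secretKeyRef": {"name": "graphrag-secrets", "key": key}}},
        {"name": "QDRANT_URL", "value": f"http://qdrant:{qdrant_port}"},
        {"name": "OTEL_EXPORTER_OTLP_ENDPOINT", "value": "http://otel-collector:4317"},
    ]
    return [
        {"kind": "ExternalSecret", "metadata": {"name": "graphrag-secrets"},
         "spec": {"secretStoreRef": {"kind": "ClusterSecretStore", "name": store},
                  "data": [{"secretKey": "llm-api-key", "remoteRef": {"key": "LLM_API_KEY"}}]}},
        {"kind": "Deployment", "metadata": {"name": "graphrag"},
         "spec": {"template": {"spec": {"containers": [{"name": "app", "env": env}]}}}},
    ]

if __name__ == "__main__":
    print("\n".join(check_manifests(sample("api-key", 6334, store="vault"))))
```

Run per overlay and fail the pipeline on any finding, so a wrong store reference, key name or port is caught before the sync controller applies it.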

Conclusion

GitOps makes GraphRAG rollout repeatable and auditable. The key is treating secrets and runtime endpoints as first-class deployment concerns.

Related reading:

  • /kustomize-overlays-multi-environment/
  • /external-secrets-infisical-kubernetes/