
Flux D2 Reference Architecture – Gitless GitOps for Secure Multi-Tenancy

Published on April 03, 2025
Author Niamh O'Loughlin

We are excited to release the Flux D2 Reference Architecture, a major evolution in the way GitOps can be securely implemented at scale. Building on the foundations laid by the D1 Reference Architecture, D2 introduces Gitless GitOps powered by OCI Artifacts and a streamlined platform model backed by the new Flux Operator and ResourceSet APIs.

This approach replaces GitRepository reconciliation with OCI Artifact reconciliation, dramatically improving security, reducing control duplication, and simplifying CI/CD for teams operating in highly regulated or large-scale environments.

👉 Read the full guide here

👉 Explore the example repos

What Is Gitless GitOps

Traditionally, GitOps centres around storing infrastructure as code in Git repositories, which tools like Flux CD use to reconcile with Kubernetes clusters.

D2 flips this model on its head. Instead of syncing config directly from Git, configurations are now pulled as signed OCI Artifacts stored in container registries.

OCI registries bring several advantages over Git repositories for storing configurations, including:

  • Native support for signatures, Software Bill of Materials (SBOMs), and vulnerability scans, improving supply chain security
  • Seamless integration with CI pipelines, enabling faster automation
  • Centralised management, as OCI registries already house your container images and applications
  • Enhanced security for mission-critical workloads

With Flux CD D2, GitOps evolves into a more secure, adaptable, and Git-independent process, providing a significant step forward in Kubernetes deployment practices.

Why D2?

The D1 Reference Architecture demonstrated how to operate multi-tenant GitOps with Flux and GitRepository sources safely. However, in many regulated environments, direct cluster access to Git hosts is discouraged or prohibited. The D2 model introduces a secure, OCI-based alternative: Gitless GitOps.

Signed OCI Artifacts, built during the CI process and stored in container registries, enable secure provenance and veracity checks:

  • Signature verification using Cosign and keyless signing
  • Rich metadata, including SBOMs and VEX documents
  • Workload identity authentication, removing the need for static secrets

In short: we’ve decoupled source control from deployment control, while improving auditability and reducing risk.

Architectural Simplicity Meets Scalability

D2’s architecture is as elegant as it is powerful. It splits the codebase into three repositories for cleaner management across different teams and components.

The Three Repositories

  1. d2-fleet – For cluster-wide components.
  2. d2-infra – For shared infrastructure, such as monitoring and networking.
  3. d2-apps – For application-specific configurations.

All components are built, signed, and pushed as OCI Artifacts using GitHub Actions, removing the need for manual tagging or unsafe secret handling. Simple, scalable, and secure for enterprise-grade Kubernetes.

Core Improvements

OCI Native Configuration Delivery

Flux D2 replaces GitRepository reconciliation with OCIRepository sources. OCI Artifacts are produced during CI, signed, and stored in registries such as GHCR or Amazon ECR. This enables:

  • Immutable and verifiable deployments
  • Reduced blast radius by preventing direct Git-to-cluster connections
  • Support for SBOMs and VEX documents as part of your supply chain metadata

Registries become the single source of truth, and Flux handles the secure, validated reconciliation of signed configuration artifacts.

Security Hardening

The move to OCI unlocks advanced security patterns:

  • Cosign-based signature verification, tied to GitHub OIDC tokens
  • RBAC enforcement in registries, restricting who can push production images
  • Cluster-level admission policies, using Kubernetes CEL and ValidatingAdmissionPolicy
  • Enhanced guardrails on reconciliation, blocking tampered artifacts from reaching the clusters

These guardrails make it significantly harder to tamper with deployments, even in cases where Git history might be compromised.
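One way to express the cluster-level admission guardrail described above, as an added example that is not a manifest from the D2 repositories: a Kubernetes ValidatingAdmissionPolicy (CEL) that rejects any OCIRepository in a tenant namespace unless it enables Cosign verification pinned to the GitHub Actions OIDC issuer. The policy name and the exclusion of flux-system are assumptions.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-verified-oci-sources   # assumed name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["source.toolkit.fluxcd.io"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["ocirepositories"]
  validations:
    # every OCIRepository must carry Cosign signature verification
    - expression: >-
        has(object.spec.verify) && object.spec.verify.provider == 'cosign'
      message: "OCIRepository must set spec.verify.provider to cosign"
    # keyless identities must be pinned to the GitHub Actions OIDC issuer,
    # so an artifact signed by any other identity provider is never reconciled
    - expression: >-
        has(object.spec.verify) &&
        has(object.spec.verify.matchOIDCIdentity) &&
        size(object.spec.verify.matchOIDCIdentity) > 0 &&
        object.spec.verify.matchOIDCIdentity.all(ident,
        ident.issuer == '^https://token.actions.githubusercontent.com$')
      message: "spec.verify.matchOIDCIdentity must pin the GitHub Actions OIDC issuer"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-verified-oci-sources
spec:
  policyName: require-verified-oci-sources
  validationActions: [Deny]
  matchResources:
    # enforce in tenant namespaces; flux-system is assumed to be platform-managed
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["flux-system"]
```

ValidatingAdmissionPolicy is GA from Kubernetes 1.30; on older clusters the v1beta1 API and the feature gate are needed.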

Flux Operator & ResourceSet: Declarative, Secure, Scalable

The Flux Operator replaces custom bootstrapping logic and Kyverno-based cloning with a declarative Kubernetes-native API:

  • FluxInstance CR simplifies installation, upgrade, and multi-tenancy configuration
  • ResourceSet CR enables reusable templates for tenant and application management
  • copyFrom annotations eliminate the need for cross-namespace references or policy engines

This makes onboarding new tenants and applications consistent and auditable, reducing onboarding time and operational toil.

CI Pipelines: Secrets-Free & Verified

All artifacts are built and signed in CI using GitHub Actions and keyless signing with OIDC tokens. As we described in the Workload Identities section of the reference architecture, configuration artifacts can be built and published without long-lived credentials in supported environments. We also introduce new GitHub Actions workflows, such as:

  • push-artifact workflows for staging environments
  • release-artifact workflows for production releases

This design introduces GitHub-native supply chain verification and secures the path from code to deployment.
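A push-artifact workflow of the kind described above, as an added example rather than the workflow from the D2 repositories: it publishes the repository contents as an OCI Artifact tagged latest and signs it keylessly with the job's OIDC token. The ORG placeholder, the artifact name and the action versions are assumptions.

```yaml
name: push-artifact
on:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write   # push to GHCR with the job-scoped GITHUB_TOKEN, no static secret
  id-token: write   # request the OIDC token that Cosign exchanges for a Fulcio certificate
jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: fluxcd/flux2/action@main        # installs the flux CLI
      - uses: sigstore/cosign-installer@v3    # installs cosign
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push and sign the staging artifact
        run: |
          # flux push artifact records the Git origin and commit in the OCI
          # manifest annotations; the JSON output carries the pushed digest
          digest_url=$(flux push artifact \
            oci://ghcr.io/ORG/d2-infra:latest \
            --path="./" \
            --source="${{ github.server_url }}/${{ github.repository }}" \
            --revision="${{ github.ref_name }}@sha1:${{ github.sha }}" \
            --output json | jq -r '.repository + "@" + .digest')
          # sign by digest, not by tag, so the signature cannot be re-pointed
          cosign sign --yes "$digest_url"
```

The resulting Fulcio certificate binds the signature to this workflow file and the branch it ran on, which is the identity the clusters later match with matchOIDCIdentity.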

Environment Separation by Tags

Where D1 used separate Git branches for staging and production, D2 moves to a single-branch model with tagged OCI Artifacts:

  • latest for staging
  • latest-stable for production

Clusters reconcile based on tags and paths, with strict policy and signature validation ensuring artifacts were built from main by trusted workflows.
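The production side of the OCI-native delivery and tag-based environment separation described above, as an added example and not a manifest from the D2 repositories: an OCIRepository that follows the latest-stable tag and accepts only keyless Cosign signatures issued to the release workflow running on main, plus the Kustomization that applies it. The ORG placeholder, workflow file name, path and intervals are assumptions; the v1 API requires Flux 2.5 or newer.

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: d2-infra
  namespace: flux-system
spec:
  interval: 10m
  url: oci://ghcr.io/ORG/d2-infra   # placeholder registry path
  ref:
    tag: latest-stable              # production; staging clusters follow "latest" instead
  provider: generic                 # use aws/azure/gcp for workload-identity registry auth
  verify:
    provider: cosign                # no secretRef: keyless verification against Fulcio/Rekor
    matchOIDCIdentity:
      - issuer: "^https://token.actions.githubusercontent.com$"
        # only the release workflow, and only when run from main, may sign production artifacts;
        # a signature from a feature branch or another workflow fails verification
        subject: "^https://github.com/ORG/d2-infra/\\.github/workflows/release-artifact\\.yaml@refs/heads/main$"
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: d2-infra
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: OCIRepository
    name: d2-infra
  path: ./production                # assumed per-environment path inside the artifact
  prune: true
  wait: true
```

Keyless verification requires source-controller to reach the Sigstore public-good Fulcio and Rekor endpoints; an artifact whose signature fails the identity match is left unapplied and the OCIRepository reports the failure in its Ready condition.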

Update Automation

D2 introduces a fully automated update workflow:

  • A short-lived Kind cluster is spun up via GitHub Actions
  • Flux is bootstrapped with ImageUpdateAutomation controllers
  • Updated manifests are pushed to an image-updates branch
  • PRs to main trigger new artifact builds and production promotion

Ready for Regulated Environments

Flux D2’s design is informed by the needs of ControlPlane’s enterprise customers, especially those operating in regulated industries. By supporting:

  • Gitless GitOps
  • Keyless signing
  • Secure multi-tenancy
  • Secrets-free CI/CD

we’re making Flux safer and easier to run in complex environments.

Use It With or Without Enterprise for Flux

All features described in D2 are available in upstream Flux CD. However, if you’re operating in a high-compliance environment or want guaranteed support and SLAs, consider ControlPlane Enterprise for Flux CD:

  • Fully upstream-compatible
  • Hardened, signed, FIPS-compliant builds
  • Vulnerability scanning and VEX publishing
  • Enhanced lifecycle management and expert support

Get Started

The Flux D2 Reference Architecture is live and ready for use.

📚 Read the full guide

🔧 Browse the example repos

💬 Chat with us

ControlPlane is committed to secure, sustainable, and open GitOps. Flux D2 is a huge step in that direction, and we can’t wait to see what you build with it.