GitOps / State Management

Scribe

Reverse GitOps — Automatically capture runtime state changes from your Kubernetes cluster and persist them to Git as the source of truth.

Learn More Get Started

Overview

Scribe is a Kubernetes operator that enables capturing runtime state changes from cluster resources and automatically committing them back to Git. Unlike traditional GitOps tools like ArgoCD and Flux that synchronize from Git to cluster, Scribe does the opposite: it watches your running workloads for changes, extracts specified fields, and persists them to your repository as the authoritative source of truth.

Resources change at runtime for a variety of reasons. When Autoscalers scale your deployments, when FinOps tools adjust your quotas, when operators like cert-manager generate certificates, or when manual changes need to become the new baseline, Scribe captures these runtime-generated values and commits them to Git. Your repository always reflects the actual desired state, enabling true declarative infrastructure with full audit trails and cross-cluster state synchronization.

Features

Field Extraction & CEL Transforms

Extract specific fields using JSONPath expressions like `.spec.replicas` or `.status.loadBalancer.ingress[0].ip`. Apply CEL (Common Expression Language) transformations to modify values before writing, enabling computed fields and data normalization.

Dynamic Resource Watching

Watch any Kubernetes resource type with on-demand informer creation. No operator restart required when adding new resource types. Supports label selectors, namespace filtering, and multi-resource monitoring with reference-counted lifecycle management.

Intelligent Change Detection

LRU cache-based change detection with hashing prevents redundant commits. Per-resource, per-field tracking ensures only actual changes trigger Git operations.

Batching & Rate Limiting

Time-windowed change aggregation combines multiple updates into single commits. Configurable rate limits (commits per hour, minimum push interval) protect your Git server and reduce history noise while ensuring timely synchronization.

Multiple Output Formats

Write captured state in YAML patch (minimal diff), full YAML, JSON, or Kustomize patch format. Choose strategic merge, JSON merge, or full replacement patch strategies to match your GitOps workflow requirements.

Pull Request Workflows

Create pull requests instead of direct commits with support for GitHub, GitLab, Bitbucket, and Gitea. Configure branch strategies, auto-merge policies, custom reviewers, and CI integration for governed change management.

Use Cases

HPA Replica Persistence

When Horizontal Pod Autoscaler scales your deployments, capture the updated replica count and persist it to Git. After cluster rebuilds or failovers, your applications start with the right capacity instead of reverting to original values.
Operator-Generated Value Capture

Capture values auto-generated by operators like rightsizing tools, cert-manager certificates, external-secrets resolutions, or cloud provider annotations. Persist derived configuration without exposing sensitive data, enabling consistent cross-cluster deployments.
Audit Trail & Compliance

Create an immutable audit trail of all configuration changes in Git history. Track exactly what changed, when it changed, and correlate with the events that triggered changes for compliance reporting and incident investigation.
Cross-Cluster State Synchronization

Capture runtime state from production clusters and propagate it to staging or disaster recovery environments via Git. Enable consistent configuration across your fleet without manual synchronization or custom tooling.

Custom Resources

ScribePolicy

Defines what resources to watch, which fields to capture, and where to write them. Specifies source resources via API version, kind, and selectors; field extraction paths with optional CEL transforms; and target repository, path template, and output format.
Source Selector Configuration

Within ScribePolicy, the source selector enables precise resource targeting using label selectors, namespace selectors, or explicit resource names. Supports watching across multiple namespaces with fine-grained filtering.
GitRepository

Represents a Git repository connection that policies reference for writing captured state. Configures repository URL, branch, authentication method (SSH, HTTPS Basic, HTTPS Token, or GitHub App), commit author identity, fetch intervals, and rate limiting policies.
Sync Configuration

Controls synchronization behavior including reconciliation interval, batch window duration, maximum batch size, and optional pull request workflow settings. Enables tuning for different environments from rapid development to governed production.
Pull Request Configuration

Optional PR-based workflow configuration supporting multiple Git providers. Includes branch naming strategies (per-batch, per-policy, per-resource), customizable PR templates, reviewer assignment, and auto-merge with configurable merge strategies.

Example Workflow

This example demonstrates capturing HPA-managed replica counts from Deployments and persisting them to a Git repository. When the autoscaler adjusts replicas, Scribe automatically commits the new values, ensuring your Git repository always reflects the actual running state.

# 1. Create a GitRepository resource to connect to your config repo
  oc apply -f - <<EOF
  apiVersion: scribe.cosmosdevops.co.uk/v1alpha1
  kind: GitRepository
  metadata:
    name: platform-config
    namespace: scribe-system
  spec:
    url: https://github.com/your-org/platform-config.git
    branch: main
    auth:
      type: https-token
      secretRef:
        name: git-credentials
  EOF

  # 2. Create a ScribePolicy to capture Deployment replicas
  oc apply -f - <<EOF
  apiVersion: scribe.cosmosdevops.co.uk/v1alpha1
  kind: ScribePolicy
  metadata:
    name: capture-replicas
    namespace: default
  spec:
    source:
      apiVersion: apps/v1
      kind: Deployment
      selector:
        matchLabels:
          scribe.cosmosdevops.co.uk/capture: "true"
    fields:
      - path: ".spec.replicas"
    target:
      repositoryRef:
        name: platform-config
        namespace: scribe-system
      pathTemplate: "apps/{{ .Namespace }}/{{ .Name }}.yaml"
      format: yaml-patch
    sync:
      interval: 5m
      batchWindow: 30s
  EOF

  # 3. Label Deployments you want to capture
  oc label deployment my-app scribe.cosmosdevops.co.uk/capture=true

  # 4. Verify the policy is active and syncing
  oc get scribepolicy capture-replicas -o yaml | grep -A 10 status

Ready to implement reverse GitOps?

Start capturing runtime state changes and persisting them to Git. Close the loop on GitOps with automatic state synchronization from cluster to repository.

Get Started

Overview

Features

Field Extraction & CEL Transforms

Dynamic Resource Watching

Intelligent Change Detection

Batching & Rate Limiting

Multiple Output Formats

Pull Request Workflows

Use Cases

HPA Replica Persistence

Operator-Generated Value Capture

Audit Trail & Compliance

Cross-Cluster State Synchronization

Custom Resources

ScribePolicy

Source Selector Configuration

GitRepository

Sync Configuration

Pull Request Configuration

Example Workflow

Ready to implement reverse GitOps?