The Certified GitOps Associate (CGOA) is the Linux Foundation's vendor-neutral cert validating your understanding of the GitOps operating model. It's a 60-question, 90-minute multiple-choice exam that costs $250 and is one of the easier CNCF associates to pass — but it covers a surprisingly broad set of concepts beyond just Argo CD and Flux.
What is GitOps, Officially?
The CGOA exam aligns with the four OpenGitOps principles published by the CNCF GitOps Working Group:
- Declarative — the desired state of the system is described declaratively
- Versioned and immutable — desired state is stored in a way that preserves history (Git)
- Pulled automatically — software agents pull state from the source of truth
- Continuously reconciled — software agents continuously observe actual vs desired state and act to reconcile
Memorise these four principles word-for-word. They appear directly on the exam and underpin most other questions.
Exam At a Glance
| Attribute | Value |
|---|---|
| Exam code | CGOA |
| Cost (USD) | $250 |
| Format | 60 multiple-choice questions |
| Duration | 90 minutes |
| Passing score | 75% |
| Validity | 3 years |
| Free retake | 1 included |
| Prerequisites | None (KCNA recommended) |
Domain Breakdown
| Domain | Weight |
|---|---|
| 1. GitOps Terminology | 15% |
| 2. GitOps Principles | 30% |
| 3. Related Practices (CI/CD, IaC, DevOps) | 15% |
| 4. GitOps Patterns | 20% |
| 5. GitOps Tooling Landscape | 20% |
Key Topics
Push vs Pull Models
The exam tests your ability to distinguish push-based CI/CD (Jenkins, GitHub Actions) from pull-based GitOps reconcilers (Argo CD, Flux). Understand why pull-based is preferred for security (no cluster credentials in CI) and consistency (continuous reconciliation vs one-shot deploy).
The Source of Truth Pattern
Repo structure choices: monorepo vs polyrepo, app-of-apps, environment-per-folder, environment-per-branch. Know the trade-offs of each.
Drift Detection and Reconciliation
How reconcilers detect divergence between live state and Git state, what "self-heal" mode does, and how reconciliation loops handle hooks and sync waves.
Argo CD vs Flux at a Conceptual Level
| Aspect | Argo CD | Flux |
|---|---|---|
| UI | Rich first-party UI | CLI-first; UI via Weave GitOps |
| Application model | Application CRD | Kustomization & HelmRelease CRDs |
| Multi-tenancy | AppProjects | Tenancy via namespaces & RBAC |
| Helm integration | Helm templates rendered server-side | HelmController reconciles real Helm releases |
| Progressive delivery | Argo Rollouts | Flagger |
Image Updaters and Promotion Pipelines
How tools like Argo CD Image Updater or Flux's Image Automation Controller close the loop between CI artifact builds and Git-stored manifests. Be ready for questions on image policy types (SemVer, Alphabetical, Regex).
Secrets in GitOps
You can't commit plain secrets to Git. Know the common patterns:
- Sealed Secrets (Bitnami)
- External Secrets Operator with Vault / AWS Secrets Manager / GCP Secret Manager
- SOPS with KMS
- SPIFFE/SPIRE for runtime identity (lower frequency on the exam)
Progressive Delivery
Distinguish blue/green, canary, and feature-flag-driven rollouts. Know that Argo Rollouts and Flagger implement these on top of GitOps.
4-Week Study Plan
| Week | Focus | Practical task |
|---|---|---|
| 1 | OpenGitOps principles + terminology | Read the OpenGitOps v1.0 spec end-to-end |
| 2 | Argo CD deep tour | Install Argo CD on KIND, deploy app-of-apps |
| 3 | Flux deep tour + secrets patterns | Install Flux, set up Sealed Secrets |
| 4 | Practice exams + progressive delivery | Two full-length practice attempts |
Recommended Free Resources
- OpenGitOps v1.0 specification at opengitops.dev — the canonical source
- Argo CD & Flux documentation — focus on the "Concepts" sections
- CNCF GitOps Working Group white papers on GitOps principles and patterns
- Codefresh's GitOps Certification course (free) — closely mapped to CGOA
- Weaveworks GitOps Fundamentals course (free, archived)
Common Pitfalls
- Confusing "Infrastructure as Code" (any declarative IaC) with "GitOps" (declarative + Git + reconciler). All GitOps is IaC; not all IaC is GitOps.
- Assuming GitOps means Kubernetes only. The OpenGitOps principles are platform-agnostic; the exam expects you to apply them to non-Kubernetes systems too.
- Conflating CI and CD. CI builds and tests; CD (in GitOps) is delivered by the reconciler, not by the CI pipeline.
- Mixing up Argo CD
syncPolicy.automatedand self-heal. Automated sync triggers on Git changes; self-heal reconciles drift in the cluster.
Should You Take CGOA?
CGOA is the right cert if:
- You're a platform engineer, DevOps engineer, or SRE adopting GitOps
- You want a low-cost ($250) signal on your resume that you understand modern delivery
- You plan to follow up with CAPA (Argo) or hands-on CKA/CKAD
It's a 2-week investment for most candidates with some Kubernetes exposure, and it positions you well for senior platform roles where GitOps fluency is now a default expectation.