Workloads and Bindings
Complete guide to workload definitions, binding types, scaffold matrix, overlay editing, and values management.
Workloads and bindings are the core deployment primitives in GitOpsHQ. A workload defines what to deploy; a binding defines where to deploy it. Together, they form the scaffold matrix that maps every deployable unit to its target tenant-environments.
Core Concepts
Workload
A workload (also called a service definition) represents a single deployable unit within a project. Each workload is backed by a Helm chart from the organization's chart registry.
Binding
A binding associates a deployable artifact (workload, Kustomize base, or manifest bundle) with one or more tenant-environment pairs. Bindings carry per-target configuration such as Helm values, Kustomize overlays, or manifest patches.
Scaffold Matrix
The scaffold matrix is the cross-product of workloads (rows) and tenant-environments (columns). Each cell represents a potential deployment slot. The matrix visually shows which workloads are assigned to which tenant-environments.
Three Binding Types
GitOpsHQ supports three binding types, each optimized for a different configuration paradigm.
Workload Bindings (Helm)
Workload bindings are Helm-based. They link a workload (chart reference) to tenant-environments and carry Helm values configuration. Each binding gets its own Helm values file, edited via Monaco editor with chart schema context. Values inheritance allows layered configuration, and chart version tracking with upgrade indicators keeps you informed when newer chart versions are available.
Values inheritance chain:
Each layer can override keys from the previous layer. The delivery generator resolves the full merge at generation time.
Creating a workload binding:
{
"workloadId": "wl_01H5K...",
"tenantSlug": "acme",
"environment": "production",
"clusterId": "cls_01H5K...",
"values": {
"replicaCount": 3,
"image": {
"tag": "v2.3.1"
},
"resources": {
"limits": {
"memory": "512Mi",
"cpu": "500m"
}
}
}
}Kustomize Bindings
Kustomize bindings link an org-level Kustomize base to tenant-environments with per-binding overlay editing. Base configuration is defined at the org level and shared across projects. Each binding can add overlays (patches, transformers, generators). Build preview shows the kustomize build output before deploying, and merge preview shows how overlays combine with the base.
Overlay types supported:
| Overlay Type | Description |
|---|---|
| Strategic Merge Patch | Kubernetes-native merge patches |
| JSON Patch | RFC 6902 JSON patch operations |
| Image Transformer | Override image names, tags, and digests |
| Generators | ConfigMap and Secret generators |
| Components | Reusable Kustomize components |
Manifest Bindings
Manifest bindings link an org-level manifest bundle to tenant-environments with per-binding raw YAML customization. This is the simplest binding type — raw Kubernetes YAML. Org-level bundles define the base manifests, per-binding overlays allow customization per tenant-environment, and there is no templating engine: what you write is what gets applied. Common use cases include CRDs and cluster-scoped resources, simple one-off deployments, and legacy manifests being migrated into GitOpsHQ.
Creating Workloads
Select Chart
From the project detail page, click Add Workload. Select a Helm chart from the organization's chart registry. The registry shows all available charts with their versions.
Define Workload
Provide a workload name (e.g., api-gateway). This name is used in the scaffold matrix and in generated file paths.
Configure Defaults
Set default Helm values for this workload. These defaults apply across all tenant-environments unless overridden.
Assign to Matrix
Use the scaffold matrix to assign the workload to specific tenant-environment cells. Each assignment creates a binding.
Scaffold Matrix
The scaffold matrix is the central view for managing workload assignments. It appears on the project detail page and provides a grid of workloads x tenant-environments.
Matrix Cell States
| State | Icon | Meaning |
|---|---|---|
| Assigned | ✅ | Workload is bound to this tenant-environment |
| Unassigned | ⬜ | No binding exists; workload is not deployed here |
| Pending | 🔄 | Binding created but scaffold not yet generated |
| Failed | ❌ | Scaffold generation failed; see error details |
| Deployed | 🟢 | Binding is active and in sync with the cluster |
| Drifted | 🟡 | Deployed state differs from desired state |
Assignment Strategies
| Strategy | Description | Use Case |
|---|---|---|
| Single Cell | Click an individual cell to toggle assignment | Fine-grained per-tenant control |
| Bulk Assignment | Select a workload, then assign to multiple tenant-environments at once | Rolling out a new service to all tenants |
| Row Assignment | Assign a workload to all environments for a specific tenant | Onboarding a new tenant |
| Column Assignment | Assign all workloads to a specific environment for a tenant | Promoting all services to production |
Quick Add
From the matrix view, you can click Quick Add on an empty cell to create a new binding with default values. This opens a minimal form with just the essential fields.
Bulk operations return per-item results, not just a global success/failure. If 8 out of 10 assignments succeed, you see the specific 2 that failed with their error reasons.
Binding Assignments
Each binding links to a specific cluster target and carries sync configuration.
Assignment Properties
| Property | Description |
|---|---|
| Binding Type | workload (Helm), kustomize, or manifest |
| Target Cluster | The Kubernetes cluster where this binding deploys |
| Sync Policy | Auto-sync or manual sync |
| Namespace | Target namespace on the cluster |
| Values/Overlays | Binding-specific configuration |
Unified Binding View
The project detail page shows all three binding types in a single unified list, filterable by type (Helm, Kustomize, Manifest). Each row shows the binding name, target tenant-environment, type badge, and sync status.
Workload Upgrades
When a chart has a new version in the org registry, workloads referencing that chart show an upgrade indicator in the UI.
Upgrade Workflow
Detect
The project overview shows a badge: "3 workloads have updates available". Click to see the upgrade candidates.
Review
The upgrade dialog shows the current chart version vs available version, changelog/release notes (if provided), schema diff highlighting new values added/removed/changed, and an impact preview showing which tenant-environments are affected.
Apply
Select which workloads to upgrade. You can upgrade all at once or selectively. The upgrade updates the chart reference and may require values adjustments if the schema changed.
Verify
After upgrading, the delivery generator re-renders affected manifests. Review the diff before creating a release.
Workload upgrades do not automatically deploy. They update the chart reference in the project. A new release must be created and deployed to apply the changes to clusters.
Values Editing
The Values Editor (/projects/:slug/workloads/:id/values) provides a rich editing experience for Helm values.
Editor Features
| Feature | Description |
|---|---|
| Monaco Editor | Full-featured code editor with YAML/JSON support |
| Chart Schema Sidebar | Browse all available values, their types, defaults, and descriptions |
| Defaults Comparison | Toggle to see chart defaults alongside your custom values |
| HQ Variable Insert | Quick-insert variable placeholders from a dropdown |
| Validation | Real-time validation against the chart's JSON schema |
| Diff View | See what changed compared to the last committed version |
Values Editing Flow
Every values save creates a Git commit, ensuring full auditability of who changed what and when.
HQ Variable Placeholders
HQ Variables can be referenced in values files using {{hq.var.KEY}} syntax (or pinned forms like {{hq.var.env.KEY}}). The delivery generator resolves these placeholders at generation time using scope precedence (service → tenant → environment → repository).
Overlay Editors
Kustomize Overlay Editor
The Kustomize overlay editor provides specialized tools for building overlays without writing raw YAML:
| Tool | Description |
|---|---|
| Patch Editor | Visual editor for strategic merge patches and JSON patches |
| Image Transformer | Form-based image name/tag/digest override |
| Generator Editor | ConfigMap and Secret generator configuration |
| Component Manager | Add/remove Kustomize components |
| JSON Patch Editor | RFC 6902 operation builder with add/remove/replace/move/copy |
| Hybrid Builder | Mix visual tools and raw YAML in the same overlay |
| Kustomization Builder | Edit the kustomization.yaml file with guided form fields |
Both Build Preview (see the kustomize build output) and Merge Preview (see how overlays combine with the base, with additions and deletions highlighted) are available before saving.
Manifest Overlay Editor
A raw YAML editor with syntax highlighting, Kubernetes schema validation, diff view against the base bundle, and final merged output preview.
Binding Lifecycle and Scaffold Generation
From creation to deployment, a binding moves through: Created → Scaffolded → Released → Deployed. Failures at scaffold or deploy stage are recoverable via retry.
When a binding is created or modified, the delivery generator: (1) resolves the chart/base/bundle reference, (2) merges values through the inheritance chain, (3) resolves HQ Variable placeholders, (4) applies overlays, (5) writes rendered manifests to the hosted Git repo, and (6) updates scaffold status.
Rollback Safety and Access Control
Bindings support rollback at multiple levels: values rollback (revert a single binding's values to a prior commit), chart rollback (revert a workload to a prior chart version), release rollback (revert all changes in a release), and selective rollback (cherry-pick specific changes to revert; Enterprise only).
Binding operations are governed by project-level resource grants:
| Permission | Actions |
|---|---|
project.bindings.view | View binding list, scaffold status, values (read-only) |
project.bindings.manage | Create, edit, delete bindings; modify values and overlays |
project.bindings.deploy | Deploy bindings to target clusters |
Binding operations always show an impact summary before execution. Bulk operations display the affected tenant-environments and workloads so you can verify the blast radius before confirming.
Error Reference
Best Practices
- Start with the scaffold matrix. Before editing values, get the assignment topology right. The matrix view gives you the full picture of what deploys where.
- Use values inheritance. Put common configuration at the project level. Use tenant and environment overrides only for values that actually differ.
- Preview before committing. Use the build preview (Kustomize) or diff view (Helm) to verify your changes before saving.
- Upgrade workloads in dev first. When a new chart version is available, apply the upgrade in non-production environments before rolling it out to production.
- Use HQ Variables for secrets and environment-specific config. Variables are resolved at generation time and can be scoped to any level in the hierarchy.
- Review scaffold failures promptly. A failed scaffold means the binding cannot be deployed. Check the error details and fix the underlying issue (usually a values schema mismatch or missing chart version).