GitOps continuous delivery — Git as the single source of truth for Kubernetes deployments, auto-sync, rollbacks, and multi-cluster management.
10
Chapters
20+
Examples
100%
Free
01🔄
What is GitOps?
Git as Single Source of Truth
GitOps is a practice where your entire Kubernetes infrastructure is defined in Git. Instead of running kubectl apply manually or having Jenkins push changes, ArgoCD WATCHES your Git repo and automatically applies any changes it detects. Git commit = deployment. Rollback = git revert. Audit trail = git log. Simple, powerful, auditable.
Traditional CI/CD vs GitOps
Aspect
Traditional (Push)
GitOps (Pull)
Who deploys?
CI pipeline runs kubectl apply
ArgoCD pulls from Git and applies
Source of truth
Whatever is in the cluster right now
Whatever is in Git
Drift detection
None — manual changes go unnoticed
ArgoCD detects and auto-fixes drift
Audit trail
Check Jenkins/pipeline logs
Check Git log — who, when, what, why
Rollback
Re-run old pipeline or manual kubectl
git revert → ArgoCD auto-deploys previous state
Security
CI needs cluster credentials
Only ArgoCD has cluster access (fewer credentials)
💡 The Key Insight
In GitOps, Git is the ONLY way to change your cluster. No one runs kubectl apply manually. If someone makes a manual change, ArgoCD detects the drift and reverts it. The cluster ALWAYS matches Git. This is incredibly powerful for security and compliance.
02🏗️
ArgoCD Architecture
How It Works Inside
ArgoCD runs inside your Kubernetes cluster. It continuously monitors your Git repositories and compares what is defined in Git with what is actually running in the cluster. If they differ, ArgoCD either auto-syncs or alerts you.
🔄
Application Controller
The brain. Continuously compares Git state with cluster state. Detects drift. Triggers sync when changes are found.
🖥️
API Server
Serves the ArgoCD web UI and API. You interact with ArgoCD through this — create apps, view status, trigger syncs.
📂
Repo Server
Clones Git repos, renders Helm charts and Kustomize overlays, generates Kubernetes manifests. Caches results for speed.
🔐
Dex (SSO)
Optional SSO integration. Connect ArgoCD login to your company's Okta, Azure AD, LDAP, or GitHub.
FLOWHow ArgoCD works — step by step:
1. Developer pushes change to Git
(updates k8s/deployment.yaml → image: myapp:v2.1)
2. ArgoCD Repo Server detects the change
(polls Git every 3 minutes, or webhook for instant)
3. Application Controller compares:
Git state: image=myapp:v2.1
Cluster state: image=myapp:v2.0
Result: OUT OF SYNC
4. If auto-sync enabled:
ArgoCD applies the change automatically
kubectl apply -f k8s/ (internally)
5. If manual sync:
ArgoCD shows "Out of Sync" in UI
Engineer clicks "Sync" button
6. ArgoCD verifies:
Pods rolling out → Health: Progressing
Pods ready → Health: Healthy
Deployment complete!
03📥
Installation & Setup
Get ArgoCD Running in 5 Minutes
TERMINAL# Install ArgoCD in your K8s cluster
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
# Wait for pods to be ready
kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=argocd-server -n argocd --timeout=120s
# Get initial admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
# Access the UI (port-forward for local access)
kubectl port-forward svc/argocd-server -n argocd 8443:443
# Open: https://localhost:8443
# Username: admin
# Password: (from above command)
# Install ArgoCD CLI
curl -sSL -o argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
chmod +x argocd && sudo mv argocd /usr/local/bin/
argocd login localhost:8443
04📋
ArgoCD Applications
Define What to Deploy
An ArgoCD Application connects a Git repository to a Kubernetes cluster. It says: "take the manifests from THIS Git repo and apply them to THAT cluster namespace."
Application YAML — The Core Object
APPLICATIONapiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: order-service
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/myorg/k8s-manifests.git
targetRevision: main # Git branch to watch
path: apps/order-service # Folder with K8s manifests
destination:
server: https://kubernetes.default.svc # This cluster
namespace: production
syncPolicy:
automated: # Auto-deploy on Git change
prune: true # Delete resources removed from Git
selfHeal: true # Fix manual changes (drift)
syncOptions:
- CreateNamespace=true # Create namespace if missing
💡 Repo Structure
Keep K8s manifests in a SEPARATE repo from application code. App repo (code) → CI pipeline builds Docker image. Config repo (manifests) → ArgoCD deploys. This separation is GitOps best practice.
ArgoCD supports raw YAML, Helm charts, and Kustomize overlays. Helm uses templates with values files. Kustomize uses patches on base manifests. Both are production-standard.
When you have 50 microservices, you don't want to manually create 50 ArgoCD Applications. The App of Apps pattern creates ONE parent Application that points to a folder containing child Application YAMLs. Add a new YAML file → new app auto-appears in ArgoCD.
YAML# Parent Application — watches a folder of Application YAMLs
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: platform-apps
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/myorg/argocd-apps.git
path: apps/ # Folder containing child Application YAMLs
destination:
server: https://kubernetes.default.svc
namespace: argocd
# Inside apps/ folder:
# apps/
# order-service.yaml ← ArgoCD Application for order-service
# user-service.yaml ← ArgoCD Application for user-service
# payment-service.yaml ← ArgoCD Application for payment-service
# frontend.yaml ← ArgoCD Application for frontend
#
# Add new file → new app auto-created
# Delete file → app removed
# ALL managed through Git!
💡 This is How Netflix/Spotify Scale
App of Apps is the industry-standard pattern for managing hundreds of microservices. One Git commit adds or removes an entire application from the cluster. Platform teams love this pattern.
08🔐
RBAC & Security
Control Who Can Do What
ArgoCD has its own RBAC system. Define roles that control who can view, sync, or delete applications. Integrate with SSO (Okta, Azure AD) for enterprise authentication.
One ArgoCD instance manages multiple K8s clusters (dev, staging, prod, DR). Register clusters with argocd cluster add. Centralized management.
🖼️
Image Updater
ArgoCD Image Updater watches container registries. When a new image tag appears, it auto-updates the Git manifest. CI pushes image → Git auto-updated → ArgoCD deploys. Fully automated.
🔔
Notifications
Send Slack/Teams/email alerts on sync success, failure, or health degradation. Install argocd-notifications controller.
📊
Metrics
ArgoCD exposes Prometheus metrics. Monitor sync duration, app count, health status. Build Grafana dashboards for ArgoCD observability.
The Complete GitOps Flow
FLOWDeveloper pushes code
↓
CI Pipeline (Jenkins/GitLab/GitHub Actions)
→ Build → Test → Security Scan → Docker Build → Push to ECR
↓
CI updates image tag in Git config repo
(git commit -m "update order-service to v2.1.0")
↓
ArgoCD detects Git change
→ Compares Git vs Cluster
→ Out of Sync detected
↓
ArgoCD syncs (auto or manual)
→ kubectl apply internally
→ Rolling update: v2.0 → v2.1
↓
Health check passes → Deployment complete!
Rollback needed?
→ git revert → ArgoCD auto-deploys previous version
→ Or click "Rollback" in ArgoCD UI
10💼
Interview Questions
ArgoCD & GitOps Q&A
❓
What is GitOps?
Practice where Git is the single source of truth for infrastructure. All changes go through Git. ArgoCD watches Git and ensures the cluster matches. Git commit = deployment. git revert = rollback.
❓
Push vs Pull deployment?
Push (traditional): CI pipeline runs kubectl apply (pushes changes to cluster). Pull (GitOps): ArgoCD watches Git and pulls changes into the cluster. Pull is more secure — fewer credentials exposed.
❓
What is ArgoCD?
A GitOps continuous delivery tool for Kubernetes. Runs inside the cluster, watches Git repos, and ensures cluster state matches Git state. Has web UI, CLI, and API.
❓
What is Sync?
The process of making the cluster match Git. If Git says 3 replicas but cluster has 2, sync creates the 3rd. Auto-sync does this automatically. Manual sync requires human approval.
❓
What is Self-Heal?
When someone makes a manual kubectl change, ArgoCD detects the drift and reverts it to match Git. Prevents configuration drift. Essential for production compliance.
❓
What is App of Apps?
A pattern where one parent Application manages a folder of child Application YAMLs. Add a YAML file → new app auto-created. Used to manage 50+ microservices at scale.
❓
Helm vs Kustomize in ArgoCD?
Both supported. Helm: template engine with values files (popular for complex charts). Kustomize: patch-based overlays on base manifests (simpler, built into kubectl). Choice depends on team preference.
❓
ArgoCD vs Flux?
Both are GitOps tools. ArgoCD has a beautiful web UI, app-of-apps, multi-cluster. Flux is lighter, more Kubernetes-native, uses CRDs. ArgoCD is more popular in enterprises. Flux is CNCF graduated.
❓
How to rollback?
Option 1: git revert the commit → ArgoCD auto-syncs to previous state. Option 2: Click History → select previous sync → click Rollback in ArgoCD UI. Both work, git revert is preferred (auditable).
❓
What are Sync Waves?
Control the order resources are applied. Wave 0 first (namespaces, configmaps), Wave 1 (migrations), Wave 2 (deployments), Wave 3 (ingress). Prevents deploying app before its config exists.
