DevOps and Infrastructure

Implementing GitOps Workflows with ArgoCD for Automated Kubernetes Synchronisation

In the modern landscape of cloud-native infrastructure, the traditional CI/CD pipeline is evolving. Enter GitOps: a paradigm that uses Git as the single source of truth for declarative infrastructure and applications. By coupling Git with automated tools, teams can achieve consistent, auditable, and secure deployments. At the heart of this revolution for Kubernetes environments is ArgoCD, a powerful continuous delivery tool that enables automated synchronisation between your Git repositories and your cluster state.

This post explores how to set up ArgoCD, configure application definitions, and leverage its built-in synchronisation features to maintain a robust GitOps workflow.

Understanding the GitOps Core Loop

Before diving into configuration, it is crucial to understand the mechanism. In a GitOps workflow, the developer pushes changes to a Git repository (the desired state). ArgoCD, running inside the Kubernetes cluster, watches that repository. If it detects a drift between the live state in the cluster and the desired state in Git, it automatically syncs them. This pull-based model offers significant advantages over push-based pipelines, such as better security (no need to expose cluster credentials to external CI servers) and instant visibility into cluster health.

Installing ArgoCD

The first step is installing ArgoCD on your Kubernetes cluster. The easiest way is via the official CLI or by applying the manifest directly. Ensure you are targeting the namespace where you want ArgoCD to operate, typically argocd.

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argocd/stable/manifests/install.yaml

After installation, you can verify the pods are running:

kubectl get pods -n argocd

Once the ArgoCD API server and UI are ready, retrieve the initial admin password:

kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 -d

Defining Applications with Application CRDs

While the ArgoCD UI allows you to create applications via a web interface, managing them programmatically via Git is the true power of GitOps. We use the Application Custom Resource Definition (CRD) to define what ArgoCD should manage.

Create a directory structure in your Git repository that mirrors your environment structure. For example, create a file named web-app.yml:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    targetRevision: HEAD
    path: guestbook
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

Let's break down the key sections of this manifest:

  • source: Points to the Git repository containing your Kubernetes manifests. targetRevision: HEAD ensures it always pulls the latest commit.
  • destination: Specifies where the application should be deployed (the cluster URL and namespace).
  • syncPolicy: This is critical for automation. automated.prune: true ensures that resources deleted from Git are also removed from the cluster. selfHeal: true instructs ArgoCD to revert any manual changes made directly to the cluster back to the Git-defined state.

Practical Example: Managing Drift

One of the most common scenarios in Kubernetes management is "drift." Imagine a developer SSHs into a pod and changes an environment variable manually for debugging. In a standard deployment, this change persists, leading to configuration inconsistencies between environments.

With the selfHeal policy enabled in the previous example, ArgoCD continuously reconciles the cluster state with Git. Within seconds, ArgoCD detects the manual change, flags it as "OutOfSync" in the UI, and automatically reverts the pod spec to match the Git definition. This ensures that your production environment remains a pure reflection of your code repository.

Best Practices for Production

While setting up the basic workflow is straightforward, production environments require additional rigor:

  1. Namespace Isolation: Never install ArgoCD in the same namespace as your workloads. Use dedicated namespaces for ArgoCD and your applications.
  2. RBAC Configuration: Define strict Role-Based Access Control policies. Restrict who can modify ArgoCD applications and who can only view the state.
  3. Secret Management: Avoid committing sensitive secrets to Git. Use ArgoCD's Secret Sync feature or integrate with external secret managers like HashiCorp Vault or AWS Secrets Manager to inject secrets at runtime.
  4. Review Processes: Treat changes to Application manifests as code changes. Require Pull Requests and code reviews before merging updates to the Git repository.

Conclusion

Implementing GitOps with ArgoCD transforms how teams deploy and manage Kubernetes applications. By shifting from imperative commands to declarative Git-based workflows, you gain auditability, security, and reliability. The ability to automatically synchronise your cluster state with your version control system reduces human error and accelerates delivery cycles. As you adopt these practices, remember that GitOps is not just a tooling change; it is a cultural shift towards treating infrastructure as code. Start small, automate your synchronisation policies, and gradually expand your GitOps maturity to unlock the full potential of your Kubernetes infrastructure.

Share: