How to Set Up GitOps with ArgoCD
GitOps with ArgoCD: manifests in Git → agent in Kubernetes automatically applies → UI shows sync status. Setup in 15 min: install ArgoCD via manifests, create Application CRD pointing at Git repo, enable auto-sync. Changes in Git = changes in cluster automatically. Rollback = git revert.
Below: step-by-step, working examples, common pitfalls, FAQ.
Step-by-Step Setup
- Install ArgoCD:
kubectl create namespace argocd && kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml - Get initial password:
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d - Port-forward UI:
kubectl port-forward svc/argocd-server -n argocd 8080:443→ https://localhost:8080 - Create Git repo for manifests (separate from app code)
- Define Application CRD: source=Git path, destination=cluster namespace
- Enable auto-sync:
syncPolicy: { automated: { prune: true, selfHeal: true } } - Test: commit a change to Git → within 3 min applied to cluster
Working Examples
| Scenario | Config |
|---|---|
| First Application | apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-app
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/me/manifests
path: apps/my-app
targetRevision: main
destination:
server: https://kubernetes.default.svc
namespace: my-app
syncPolicy:
automated:
prune: true
selfHeal: true |
| App of Apps pattern | apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: root
spec:
source:
repoURL: https://github.com/me/manifests
path: root
# Directory contains yaml with additional Application CRDs |
| Helm chart via ArgoCD | source:
repoURL: https://charts.bitnami.com/bitnami
chart: postgresql
targetRevision: 13.0.0
helm:
values: |
auth: { postgresPassword: "from-secret" } |
| Sync wave (order resources) | metadata:
annotations:
argocd.argoproj.io/sync-wave: "1" # Deploy this first |
| Notifications to Slack | # Install argocd-notifications addon
data:
service.slack: |
token: $slack-token
subscriptions: |
- recipients: [slack:deployments]
triggers: [on-sync-succeeded, on-sync-failed] |
Common Pitfalls
- auto-sync + prune: true on critical resource → accidental delete on Git revert
- SSH keys for private Git — need Kubernetes secret + correct auth
- App-of-apps without TTL — broken child app keeps parent in Degraded state
- Helm releases managed by ArgoCD conflict with manual helm install
- Multi-cluster: need cluster credentials + certificate auth or kube API token
Learn more
Frequently Asked Questions
ArgoCD for small cluster — overkill?
For 1 app — overkill. For 3+ apps/services in Kubernetes — ArgoCD removes manual kubectl + provides audit trail + rollback.
Private repos — access?
HTTPS: username + personal access token in secret. SSH: deploy key. In UI → Settings → Repositories.
Secrets management?
NOT plain in Git. Sealed Secrets (bitnami) encrypted in Git, decrypted in cluster. Or External Secrets Operator → Vault/AWS SM/SSM.
Multi-env (dev/staging/prod)?
Kustomize overlays + separate Applications per env. Or ApplicationSet for DRY.