GitOps with ArgoCD: Managing Kubernetes the Right Way
GitOps makes Kubernetes deployments predictable and auditable. Learn how to set up ArgoCD and implement GitOps practices for your clusters.
Video transcript
Ever deployed something to Kubernetes only to realize nobody can trace who changed what, or when, or why? That's the nightmare GitOps solves. Today we're diving into how A rgo C D makes your cluster a source of truth instead of a black box. Without GitOps, deployments become tribal knowledge. One engineer knows the magic kubectl commands, infrastructure drifts from your actual code, and when something breaks at two A M, you're digging through logs instead of reading your Git history. Teams waste seventy-two hours on average just finding what went wrong. GitOps flips the script by making Git your single source of truth. Think of it like this: instead of manually running commands, you declare what your cluster should look like in a repository. A rgo C D watches that repo and automatically syncs reality to match your intentions. No guessing, no drift. A rgo C D's declarative model means every change is a commit. When you update a deployment Y A M L and push to main, A rgo C D spots the difference and applies it instantly. It's audit trail gold. Security teams love it because you can answer "who deployed this" by checking Git blame. The third pillar is automation with safety rails. A rgo C D can roll back a bad deployment in under five minutes by reverting a single commit. Your entire cluster state lives in version control, so disaster recovery isn't panic. It's just git checkout. Start small: create one Git repository for a single namespace and point A rgo C D at it. Watch how quickly your deployments become predictable and your team stops fighting infrastructure chaos. Read the complete guide at protego dot me.
Why GitOps Changed How I Think About Deployments
Before GitOps, my Kubernetes deployments were a mess. Kubectl commands run from laptops, different versions in different clusters, no clear audit trail.
GitOps flips this around: Git becomes the single source of truth. What's in Git is what's running. No exceptions.
GitOps Principles
- Declarative: Describe what you want, not how to get there
- Versioned: All changes go through Git
- Automated: Changes in Git automatically apply to clusters
- Auditable: Git history shows who changed what and when
Setting Up ArgoCD
Installation
Create the argocd namespace and apply the installation manifest. Wait for pods to be ready, then get the initial admin password from the secret.
CLI Installation
Install the ArgoCD CLI using brew on macOS or download the binary for Linux.
Repository Structure
gitops-repo/
├── apps/ # Application definitions
│ ├── production/
│ ├── staging/
│ └── dev/
├── base/ # Base Kubernetes manifests
├── overlays/ # Environment-specific patches
└── projects/ # ArgoCD project definitionsCreating Your First Application
Create an Application resource that points to your Git repo, specifies the path to your manifests, and defines where to deploy.
Enable automated sync with prune (delete resources not in Git) and selfHeal (fix drift automatically).
Deployment Workflows
Standard Workflow
- Developer creates PR with manifest changes
- CI validates YAML and runs security scans (if using Azure DevOps for CI, see our [Azure DevOps Pipelines setup guide](/blog/azure-devops-pipelines-beginners-guide))
- PR review and approval
- Merge to main
- ArgoCD detects change and syncs
Image Updates
Use ArgoCD Image Updater to automatically update image tags in your Git repo when new images are pushed.
Multi-Cluster Management
App of Apps Pattern
Manage multiple applications with one parent Application.
ApplicationSet for Multi-Cluster
Deploy the same app to multiple clusters using ApplicationSet with cluster generators.
Security Best Practices
RBAC Configuration
Create AppProjects that restrict repos, clusters, and who can sync.
Sealed Secrets
Never store plain secrets in Git. Use Sealed Secrets or external secret managers.
Getting Started Checklist
- Install ArgoCD in your cluster
- Set up a GitOps repository
- Create your first Application resource
- Enable auto-sync on a non-production app
- Set up sealed secrets
- Configure RBAC
- Add monitoring and alerting
- Document your deployment process
GitOps takes some setup, but the payoff is huge: predictable deployments, easy rollbacks, and a complete audit trail.
Frequently Asked Questions
What is GitOps and how does it differ from traditional CI/CD?
GitOps is a deployment model where Git is the single source of truth for infrastructure and application state. A GitOps agent (such as ArgoCD) continuously reconciles the live cluster state with the desired state declared in Git, automatically applying changes when Git is updated. Traditional CI/CD pipelines push changes to the cluster imperatively; GitOps uses a pull model where the cluster agent pulls and applies changes, providing automatic drift correction and a complete audit trail of every change.
What is ArgoCD and what does it do?
ArgoCD is a declarative GitOps continuous delivery tool for Kubernetes. It watches Git repositories containing Kubernetes manifests and automatically syncs the live cluster state to match the desired state in Git. ArgoCD provides a visual dashboard showing application sync status, detects and alerts on drift, supports multi-cluster deployments, and enables one-click rollbacks to any previous Git commit.
How do I secure secrets in a GitOps repository?
Never store plaintext secrets in a GitOps repository. The two most common approaches are Sealed Secrets (encrypts secrets with a cluster-specific public key so only that cluster can decrypt them, making it safe to commit encrypted secrets to Git) and External Secrets Operator (fetches secrets from an external secrets manager like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault at runtime and injects them as Kubernetes secrets). Sealed Secrets is simpler; External Secrets Operator is better for organizations with existing secrets management infrastructure.
What is the ArgoCD App of Apps pattern?
The App of Apps pattern is a way to manage multiple ArgoCD applications using a single parent ArgoCD Application. The parent application points to a directory containing Application resource definitions for each child application. When you add a new application definition to that directory, ArgoCD automatically creates and manages the new application. This pattern enables GitOps management of ArgoCD itself: all application definitions live in Git and changes are applied through the same GitOps workflow.
Can ArgoCD manage multiple Kubernetes clusters?
Yes. ArgoCD can manage applications across multiple Kubernetes clusters from a single ArgoCD installation. You register target clusters in ArgoCD and specify the destination cluster in each Application resource. The ApplicationSet resource extends this further, enabling you to generate Application resources automatically for all clusters matching a selector, making it straightforward to deploy the same application to dozens of clusters with a single configuration.
Get weekly security insights
Cloud security, zero trust, and identity guides — straight to your inbox.
Microsoft Cloud Solution Architect
Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
Share this article
Questions & Answers
Related Articles
Okta vs Microsoft Entra ID: Identity Provider Comparison (2026)
12 min read
Eliminate Your Domain Controller: A Practical Guide to Migrating to Microsoft Entra ID with Minimum Risk and Downtime
32 min read
Conditional Access for Workload Identities: How to Protect Service Principals in Microsoft Entra ID
16 min read
Need Help with Your Security?
Our team of security experts can help you implement the strategies discussed in this article.
Contact Us