GitOps with ArgoCD in Production: Complete Deployment Automation Guide
DevOps
Why GitOps Is the Standard for Kubernetes Deployment in 2026
Kubernetes deployment has evolved from manual kubectl to CI/CD pipelines to GitOps. In 2026, GitOps is the de facto standard for Kubernetes deployment. The core reason is simple: Git is the Single Source of Truth.
Traditional CI/CD uses a "push model" — the CI system needs cluster credentials to push changes via kubectl apply. This creates security risks, state drift, and audit difficulties. GitOps uses a "pull model" — an in-cluster agent continuously watches the Git repository and automatically applies the declared state.
| Feature | Traditional CI/CD | GitOps |
|---|---|---|
| Deploy Model | Push | Pull |
| State Source | CI System | Git Repository |
| Cluster Credentials | Held by CI | Held in-cluster |
| State Drift | Hard to detect | Auto-detect and remediate |
| Audit Trail | CI logs | Git history |
| Rollback | Re-run pipeline | git revert |
| Multi-cluster | Complex | Unified management |
| Emergency Changes | kubectl (no audit) | Git PR (audited) |
| Learning Curve | Low | Medium |
ArgoCD Architecture and Core Concepts
Architecture
┌─────────────────────────────────────────────────────┐
│ Git Repository │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ app.yaml │ │ helm/ │ │ kustomize│ │
│ └──────────┘ └──────────┘ └──────────┘ │
└──────────────────────┬──────────────────────────────┘
│ git clone/pull
┌──────────────────────▼──────────────────────────────┐
│ ArgoCD Controller │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ Repo Server │ │ App Controller│ │
│ └──────────────┘ └──────────────┘ │
└──────────────────────┬──────────────────────────────┘
│ kubectl apply
┌──────────────────────▼──────────────────────────────┐
│ Kubernetes Cluster │
└─────────────────────────────────────────────────────┘
Complete Setup: Install, Configure, First Application
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.0/manifests/install.yaml
kubectl wait --for=condition=available --timeout=300s deployment/argocd-server -n argocd
kubectl -n argocd get secret argocd-initial-admin-secret \
-o jsonpath="{.data.password}" | base64 -d
kubectl port-forward svc/argocd-server -n argocd 8080:443
First Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-app
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/myorg/my-app-manifests.git
targetRevision: main
path: overlays/production
destination:
server: https://kubernetes.default.svc
namespace: my-app
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
retry:
limit: 3
backoff:
duration: 5s
factor: 2
maxDuration: 3m
Multi-Cluster Management
argocd cluster add production-cluster --name prod-us-east
argocd cluster add production-cluster-eu --name prod-eu-west
ApplicationSet for Multi-Cluster
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: my-app-multi-cluster
namespace: argocd
spec:
generators:
- clusters:
selector:
matchLabels:
environment: production
template:
metadata:
name: 'my-app-{{name}}'
spec:
project: production
source:
repoURL: https://github.com/myorg/my-app-manifests.git
targetRevision: main
path: overlays/production
destination:
name: '{{name}}'
namespace: my-app
syncPolicy:
automated:
prune: true
selfHeal: true
Progressive Delivery with Argo Rollouts
kubectl create namespace argo-rollouts
kubectl apply -n argo-rollouts -f https://github.com/argoproj/argo-rollouts/releases/download/v1.7.0/install.yaml
Rollout Configuration
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
name: my-app
namespace: my-app
spec:
replicas: 10
strategy:
canary:
steps:
- setWeight: 10
- pause: { duration: 5m }
- setWeight: 20
- pause: { duration: 5m }
- analysis:
templates:
- templateName: success-rate
- setWeight: 50
- pause: { duration: 10m }
- setWeight: 100
canaryService: my-app-canary
stableService: my-app-stable
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: my-app
image: myorg/my-app:v2.0.0
ports:
- containerPort: 8080
Analysis Template
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
name: success-rate
namespace: my-app
spec:
metrics:
- name: success-rate
interval: 60s
count: 5
successCondition: result[0] >= 0.99
provider:
prometheus:
address: http://prometheus.monitoring:9090
query: |
sum(rate(http_requests_total{app="my-app",status!~"5.."}[1m]))
/
sum(rate(http_requests_total{app="my-app"}[1m]))
Secret Management with Sealed Secrets
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.0/controller.yaml
kubectl create secret generic my-app-secret \
--from-literal=db-password='super-secret-password' \
--namespace my-app \
--dry-run=client -o yaml > secret.yaml
kubeseal --format yaml < secret.yaml > sealed-secret.yaml
Backup Sealed Secrets Certificate
kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-key-backup.yaml
ArgoCD vs Flux vs Spinnaker
| Dimension | ArgoCD | Flux | Spinnaker |
|---|---|---|---|
| Language | Go | Go | Java/Kotlin |
| UI | Excellent | Basic | Excellent |
| Multi-cluster | Native | Native | Native |
| RBAC | Fine-grained | Basic | Fine-grained |
| Progressive Delivery | Argo Rollouts | Flagger | Native |
| Secret Management | Sealed Secrets | SOPS | Halyard |
| Learning Curve | Medium | Low | High |
| Resource Usage | Medium | Low | High |
| Best For | Mid-large teams | Small teams | Large enterprises |
5 Common Pitfalls
1. Auto-sync Causing Production Incidents
spec:
syncPolicy:
automated:
prune: false
selfHeal: false
2. Ignoring Resource Hooks
metadata:
annotations:
argocd.argoproj.io/hook: PreSync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
3. Too Many Applications Causing Performance Issues
data:
status.processors: "20"
task.result.workers: "10"
4. Sealed Secrets Certificate Not Backed Up
kubectl get secret -n kube-system sealed-secrets-key -o yaml > backup.yaml
5. Poor Git Repository Structure
├── clusters/
│ ├── production/
│ │ ├── apps/
│ │ └── infrastructure/
│ └── staging/
├── helm-charts/
├── kustomize/
│ ├── base/
│ └── overlays/
└── argocd/
├── projects/
└── applicationsets/
10 Error Troubleshooting
| # | Symptom | Possible Cause | Resolution |
|---|---|---|---|
| 1 | Application always OutOfSync | Git changes not triggering sync | Check Webhook and syncPolicy |
| 2 | Sync fails | Invalid manifest format | argocd app diff my-app |
| 3 | Image pull error | Missing registry credentials | Configure imagePullSecrets |
| 4 | Multi-cluster connection fails | Insufficient RBAC | Check argocd-manager ServiceAccount |
| 5 | Helm Chart render error | Values reference issue | Verify with helm template |
| 6 | Resources unexpectedly deleted | prune: true misconfigured | Check syncPolicy.prune |
| 7 | Rollout stuck | Analysis metrics not met | kubectl argo rollouts get rollout my-app |
| 8 | SealedSecret decryption fails | Certificate mismatch | Ensure controller cert matches |
| 9 | Git connection timeout | Network policy restriction | Check NetworkPolicy and proxy |
| 10 | OOM | Too many Applications | Increase repo-server resources |
argocd app get my-app
argocd app sync my-app --dry-run
argocd app diff my-app
kubectl logs -n argocd deployment/argocd-application-controller
Recommended Tools
- JSON Formatter: Use /en/json/format to format ArgoCD Application configs
- Base64 Encoder: Use /en/encode/base64 for Secret data encoding/decoding
- Hash Calculator: Use /en/encode/hash for config file integrity verification
Summary: GitOps uses Git as the single source of truth, solving traditional CI/CD's security and consistency problems through a "pull model." ArgoCD is the most mature Kubernetes GitOps tool in 2026, combined with Argo Rollouts for progressive delivery, Sealed Secrets for secret management, and ApplicationSet for multi-cluster management. Key practices: use auto-sync cautiously in production, back up Sealed Secrets certificates, organize Git repository structure properly, and use Analysis Templates as quality gates.
Try these browser-local tools — no sign-up required →
#GitOps#ArgoCD#Kubernetes#持续交付#Argo Rollouts#Sealed Secrets#多集群#渐进式交付