{"product_id":"argocd-gitops-deployment-blueprint","title":"ArgoCD GitOps Deployment Blueprint","description":"\u003ch3\u003eArgoCD GitOps Deployment Blueprint\u003c\/h3\u003e\n\u003cp\u003eGitOps with ArgoCD sounds simple until you realize that a git merge to the deployment repository does not mean the cluster is in the desired state — it means ArgoCD will eventually try to reconcile. The gap between \"merged\" and \"deployed\" is where incidents live. At an enterprise I consulted for, a team merged a Kubernetes manifest with a typo in the resource limits (\u003ccode\u003e100m\u003c\/code\u003e CPU instead of \u003ccode\u003e1000m\u003c\/code\u003e). ArgoCD synced it immediately, the pods started OOMKilling, and nobody noticed for 40 minutes because they assumed \"merged means deployed successfully.\" This template adds sync validation, health checks, and drift alerting.\u003c\/p\u003e\n\n\u003cp\u003eThis GitOps pipeline combines a CI workflow (GitHub Actions or GitLab CI) that builds and tests the application with ArgoCD managing the deployment side. The CI pipeline updates manifests in a separate GitOps repo; ArgoCD detects the change and reconciles.\u003c\/p\u003e\n\n\u003ch3\u003ePipeline Stages\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cstrong\u003eCI: build-and-test\u003c\/strong\u003e — Standard CI pipeline: lint, test, build container image, scan with Trivy, push to registry with digest tag.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eCI: update-manifests\u003c\/strong\u003e — Uses \u003ccode\u003ekustomize edit set image app=registry\/app@sha256:abc123\u003c\/code\u003e to update the GitOps repo manifest with the new image digest. Commits to the GitOps repo's \u003ccode\u003edev\u003c\/code\u003e branch.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eArgoCD: auto-sync dev\u003c\/strong\u003e — ArgoCD Application for dev is configured with \u003ccode\u003eautomated: { prune: true, selfHeal: true }\u003c\/code\u003e. 
Syncs on the next reconciliation poll of the GitOps repo (every 3 minutes by default, set by \u003ccode\u003etimeout.reconciliation\u003c\/code\u003e in \u003ccode\u003eargocd-cm\u003c\/code\u003e), or within seconds if the repo sends a webhook to ArgoCD. Health check validates pod readiness.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eCI: promote-staging\u003c\/strong\u003e — After dev integration tests pass, the CI pipeline opens a PR from \u003ccode\u003edev\u003c\/code\u003e to the \u003ccode\u003estaging\u003c\/code\u003e branch in the GitOps repo. Manual review required.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eArgoCD: sync staging\u003c\/strong\u003e — The ArgoCD Application for staging has no \u003ccode\u003esyncPolicy.automated\u003c\/code\u003e block. Note that \u003ccode\u003eautomated: { prune: false, selfHeal: false }\u003c\/code\u003e does not make an Application manual: any \u003ccode\u003eautomated\u003c\/code\u003e block, even an empty one, turns on auto-sync, and those two fields only switch off pruning and self-healing. Leaving the block out means a merged PR puts the Application in OutOfSync, where it stays until someone syncs it from the UI or with \u003ccode\u003eargocd app sync\u003c\/code\u003e. Sync wave annotations control resource ordering.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eCI: promote-prod\u003c\/strong\u003e — PR from \u003ccode\u003estaging\u003c\/code\u003e to \u003ccode\u003emain\u003c\/code\u003e in the GitOps repo. Two required reviewers. Includes the diff of all Kubernetes manifests in the PR description.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eArgoCD: sync prod\u003c\/strong\u003e — Manual sync with \u003ccode\u003e--prune=false\u003c\/code\u003e (the CLI default) so a sync never deletes a live resource without an explicit decision. Progressive delivery via Argo Rollouts: canary at 10%, analysis at 50%, full rollout at 100%. Automatic rollback on analysis failure.\u003c\/li\u003e\n\u003c\/ul\u003e\n\n\u003ch3\u003eSecurity Gates\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cstrong\u003eImage digest pinning\u003c\/strong\u003e — Manifests always reference images by SHA256 digest, never by mutable tag. ArgoCD itself does not inspect images; the container runtime verifies the pulled content against the digest, and the admission policy below rejects any image reference that is not digest-pinned, so a tag cannot be re-pointed after review.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eOPA\/Kyverno admission\u003c\/strong\u003e — Cluster admission controller validates that synced resources meet security policies: no privileged containers, resource limits required, approved registries only, images referenced by digest.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eGit commit signing\u003c\/strong\u003e — Manifest changes in the GitOps repo require signed commits. 
ArgoCD enforces this when the AppProject lists the trusted GPG keys under \u003ccode\u003esignatureKeys\u003c\/code\u003e: the target commit must carry a valid signature from one of those keys or the sync is refused. Keep the branch protection rule as well, since ArgoCD only checks the commit it is asked to deploy, not the history behind it.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eRBAC per Application\u003c\/strong\u003e — ArgoCD RBAC restricts which teams can sync which Applications, scoped by AppProject. The frontend team cannot sync backend Applications.\u003c\/li\u003e\n\u003c\/ul\u003e\n\n\u003ch3\u003eWhat Breaks First\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cstrong\u003eArgoCD sync stuck in \"Progressing\"\u003c\/strong\u003e — A deployment's readiness probe fails because the new image crashes on startup. ArgoCD shows the Application as \"Progressing\" for the whole progress deadline of the Deployment, which is 600 seconds unless you set it. Fix: set \u003ccode\u003eprogressDeadlineSeconds\u003c\/code\u003e on the Deployment to something short enough to notice; ArgoCD's built-in Deployment health check reports Degraded as soon as the Progressing condition carries the reason \u003ccode\u003eProgressDeadlineExceeded\u003c\/code\u003e. \u003ccode\u003etimeout.reconciliation\u003c\/code\u003e is not the knob for this: it lives in the \u003ccode\u003eargocd-cm\u003c\/code\u003e ConfigMap, not the Application spec, and only sets how often ArgoCD polls Git.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eManifest drift from kubectl edit\u003c\/strong\u003e — Someone runs \u003ccode\u003ekubectl edit\u003c\/code\u003e directly, causing ArgoCD to show \"OutOfSync.\" With \u003ccode\u003eselfHeal: true\u003c\/code\u003e, ArgoCD reverts the change, potentially undoing an emergency fix. Fix: disable selfHeal in production so drift surfaces as an OutOfSync alert instead of being reverted silently, and route every change, including emergency patches, through the GitOps repo so the next legitimate sync does not undo a fix that only exists in the cluster.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eSync wave ordering failure\u003c\/strong\u003e — CRDs in wave 0, operators in wave 1, custom resources in wave 2. ArgoCD only starts a wave once every resource in the previous wave is Healthy, but an operator Deployment reports Ready as soon as its pod passes its readiness probe, which can be before it has registered its webhooks or started watching its CRDs, so the custom resources in wave 2 fail to apply. The sync dry run can also fail on a custom resource whose CRD was created in the same sync and is not yet known to the API server. 
Fix: annotate the custom resources with \u003ccode\u003eargocd.argoproj.io\/sync-options: SkipDryRunOnMissingResource=true\u003c\/code\u003e so a CRD applied earlier in the same sync does not fail the dry run, and make the operator's wave report health honestly: give the operator a readiness probe that only passes once its controllers are running, or add a custom health check for it under \u003ccode\u003eresource.customizations\u003c\/code\u003e in \u003ccode\u003eargocd-cm\u003c\/code\u003e, so wave 2 waits for actual CRD registration rather than bare pod readiness.\u003c\/li\u003e\n\u003c\/ul\u003e","brand":"Citadel Cloud Management","offers":[{"title":"Default Title","offer_id":54890410967331,"sku":"CCM-DEV-002","price":42.0,"currency_code":"USD","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0979\/8539\/7027\/files\/citadel-devops-product.png?v=1775137832","url":"https:\/\/www.citadelcloudmanagement.com\/products\/argocd-gitops-deployment-blueprint","provider":"Citadel Cloud Management","version":"1.0","type":"link"}
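The Security Gates list and the staging/prod sync-policy rule above are the kind of thing a CI job should reject before ArgoCD ever reconciles the commit. The script below is an added example, not part of the blueprint and not ArgoCD's code. It treats manifests as Python dicts (what json.load or yaml.safe_load returns for a Kubernetes object), assumes one approved registry prefix and an env label on each ArgoCD Application, and ships with constructed sample manifests so it runs offline.

```python
"""Pre-merge gate for the GitOps repo: fails CI on manifests that would break
the security gates, or that would silently auto-sync staging or prod.
Added example; assumptions are marked inline."""
from __future__ import annotations
import json
import re
import sys

APPROVED_REGISTRIES = ("registry.example.com/",)   # assumption: your registry prefix
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")    # immutable reference, never a tag
MANUAL_SYNC_ENVS = {"staging", "prod"}              # assumption: Applications carry label env=...
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def pod_spec_of(manifest: dict) -> dict:
    """Locate the PodSpec for a bare Pod or a template-bearing workload."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec", {})
    return spec if manifest.get("kind") == "Pod" else {}


def check_workload(manifest: dict) -> list[str]:
    """Digest pinning, approved registry, limits, no privileged: one line per violation."""
    problems = []
    pod = pod_spec_of(manifest)
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        if not DIGEST_RE.search(image):
            problems.append(f"{name}: image {image!r} is not pinned by sha256 digest")
        if not image.startswith(APPROVED_REGISTRIES):
            problems.append(f"{name}: image {image!r} is not from an approved registry")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                problems.append(f"{name}: missing {res} limit")
        if c.get("securityContext", {}).get("privileged"):
            problems.append(f"{name}: privileged container")
    return problems


def check_application(app: dict) -> list[str]:
    """Only dev auto-syncs. Any 'automated' block, even {prune: false, selfHeal: false},
    enables auto-sync in ArgoCD, so staging and prod must omit it entirely."""
    problems = []
    env = app.get("metadata", {}).get("labels", {}).get("env", "")
    automated = (app.get("spec", {}).get("syncPolicy") or {}).get("automated")
    if env in MANUAL_SYNC_ENVS and automated is not None:
        problems.append(f"{env}: syncPolicy.automated present; {env} must be manual sync")
    if env == "dev" and not (automated or {}).get("selfHeal"):
        problems.append("dev: expected syncPolicy.automated.selfHeal=true")
    return problems


def gate(docs: list[dict]) -> dict[str, list[str]]:
    """Returns {name: violations} for failing manifests only; empty dict means pass."""
    report = {}
    for doc in docs:
        name = doc.get("metadata", {}).get("name", "<unnamed>")
        problems = check_application(doc) if doc.get("kind") == "Application" else check_workload(doc)
        if problems:
            report[name] = problems
    return report


# Constructed sample manifests (not from any real repo): one clean Deployment,
# one that violates every gate, a staging Application with the
# 'automated: {prune: false, selfHeal: false}' mistake, and a correct dev one.
PINNED = "registry.example.com/app@sha256:" + "a" * 64
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "api"}, "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": PINNED, "resources": {"limits": {"cpu": "1000m", "memory": "512Mi"}}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "worker"}, "spec": {"template": {"spec": {"containers": [
        {"name": "worker", "image": "docker.io/library/busybox:latest",
         "securityContext": {"privileged": True}}]}}}},
    {"kind": "Application", "metadata": {"name": "api-staging", "labels": {"env": "staging"}},
     "spec": {"syncPolicy": {"automated": {"prune": False, "selfHeal": False}}}},
    {"kind": "Application", "metadata": {"name": "api-dev", "labels": {"env": "dev"}},
     "spec": {"syncPolicy": {"automated": {"prune": True, "selfHeal": True}}}},
]

if __name__ == "__main__":
    # Usage: gate.py manifest.json ...   (no args: run against the constructed sample)
    docs = [json.load(open(p)) for p in sys.argv[1:]] or SAMPLE
    report = gate(docs)
    for name, problems in report.items():
        for p in problems:
            print(f"FAIL {name}: {p}")
    sys.exit(1 if report else 0)
```

Run it as a required check on the GitOps repo's PRs; the cluster-side Kyverno or OPA policy stays in place as the enforcement point, this just moves the failure from sync time to review time. The Application check is the part people usually miss: the `automated` key itself is the switch, not the booleans inside it.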
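For the first item under What Breaks First, it helps to see exactly how ArgoCD decides that a Deployment is Progressing, Degraded or Healthy, and why `progressDeadlineSeconds` is the only thing that gets a crash-looping rollout out of Progressing. The function below is an added illustration written to follow the decision order of the built-in apps/Deployment health check in ArgoCD's gitops-engine, as I understand it; it is not ArgoCD's own code. The Deployment objects it runs against are constructed sample data.

```python
"""Port of the status logic ArgoCD's built-in Deployment health check applies.
Added example, not ArgoCD's code. Input is the object from
`kubectl get deploy NAME -o json` (or a constructed one, below)."""
from __future__ import annotations
import json
import sys


def deployment_health(dep: dict) -> tuple[str, str]:
    """Return (status, message) as the Application tile would show it."""
    meta, spec, status = dep.get("metadata", {}), dep.get("spec", {}), dep.get("status", {})
    if spec.get("paused"):
        return "Suspended", "Deployment is paused"
    # The Deployment controller has not acted on this generation yet.
    if meta.get("generation", 0) > status.get("observedGeneration", 0):
        return "Progressing", "Waiting for rollout: observed generation is behind desired generation"
    # This is the condition progressDeadlineSeconds produces; a rollout whose
    # new pods never become Ready stays Progressing until it appears.
    for cond in status.get("conditions", []):
        if cond.get("type") == "Progressing" and cond.get("reason") == "ProgressDeadlineExceeded":
            return "Degraded", cond.get("message", "progress deadline exceeded")
    desired = spec.get("replicas", 1)
    updated = status.get("updatedReplicas", 0)
    total = status.get("replicas", 0)
    available = status.get("availableReplicas", 0)
    if updated < desired:
        return "Progressing", f"{updated} of {desired} new replicas have been updated"
    if total > updated:
        return "Progressing", f"{total - updated} old replicas are pending termination"
    if available < updated:
        return "Progressing", f"{available} of {updated} updated replicas are available"
    return "Healthy", ""


def _deployment(generation: int, conditions: list[dict], **replica_counts) -> dict:
    """Build a constructed Deployment object for the scenarios below (sample data)."""
    return {"metadata": {"generation": generation},
            "spec": {"replicas": 2, "progressDeadlineSeconds": 120},
            "status": {"observedGeneration": generation, "conditions": conditions, **replica_counts}}


# Constructed scenarios: a 2-replica RollingUpdate whose new image crash-loops.
# With maxSurge 1 / maxUnavailable 0 the old pods stay up, so the cluster looks
# fine (2 available) while ArgoCD correctly reports Progressing, then Degraded.
CRASHLOOP_EARLY = _deployment(2, [{"type": "Progressing", "reason": "ReplicaSetUpdated"}],
                              replicas=3, updatedReplicas=1, availableReplicas=2)
CRASHLOOP_DEADLINE = _deployment(2, [{"type": "Progressing", "reason": "ProgressDeadlineExceeded",
                                      "message": 'ReplicaSet "api-7d9f" has timed out progressing.'}],
                                 replicas=3, updatedReplicas=1, availableReplicas=2)
ROLLED_OUT = _deployment(2, [{"type": "Progressing", "reason": "NewReplicaSetAvailable"}],
                         replicas=2, updatedReplicas=2, availableReplicas=2)

if __name__ == "__main__":
    # Usage: health.py deployment.json   (no args: the crash-loop-after-deadline sample)
    dep = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else CRASHLOOP_DEADLINE
    print(*deployment_health(dep))
```

The point of the two crash-loop scenarios is that nothing in the replica counts changes between them; only the `ProgressDeadlineExceeded` condition, which the Kubernetes Deployment controller writes once `progressDeadlineSeconds` elapses, flips the health to Degraded. Leave the deadline at its 600-second default and that is how long the Application sits in Progressing.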