Skip to content

Week 17 - GitOps: ArgoCD and Flux

17.1 Conceptual Core

  • GitOps = the cluster's desired state is the contents of a git repo. A controller in the cluster watches the repo and reconciles drift.
  • The two dominant tools:
  • ArgoCD-UI-rich, opinionated about app structure (Application CRD), wide adoption.
  • Flux-CLI/CRD-first, more composable (Kustomization, HelmRelease, GitRepository, OCIRepository), favored by CNCF-style purists.
  • Both implement the same control loop: pull manifests from git → render (Kustomize/Helm) → apply → reconcile drift.

17.2 Mechanical Detail

  • ArgoCD Application: spec.source (git path or Helm chart), spec.destination (cluster + namespace), spec.syncPolicy (manual vs automatic, prune, self-heal).
  • ApplicationSet (Argo)-generate many Apps from templates; the foundation for multi-tenant fleet management.
  • Flux Kustomization + HelmRelease-separate CRs for source-of-truth, transform, and apply.
  • Sync waves / dependencies: both tools support ordering. Critical for "install CRDs before the resources that use them."
  • Drift detection: tools auto-revert manual changes by default. Sometimes that is not what you want during incident response-know how to disable temporarily.

17.3 Lab-"Two GitOps Stacks"

  1. Install ArgoCD. Set up an Application for a small app from a git repo. Verify auto-sync and auto-prune.
  2. Install Flux. Set up the equivalent. Compare ergonomics.
  3. Use ApplicationSet (Argo) to deploy the same app to three environment overlays (dev, staging, prod). Verify per-environment configuration via Kustomize overlays.

17.4 Hardening Drill

  • ArgoCD/Flux talk to a git repo with read access. Use SSH deploy keys or fine-scoped GitHub apps; never broad PATs. Encrypt secrets at rest with sealed-secrets or sops.

17.5 Operations Slice

  • Wire ArgoCD/Flux metrics: per-Application sync rate, drift rate, reconciliation duration. Alert on persistent OutOfSync or Failed states.

Comments