Implementing GitOps for Kubernetes with ArgoCD: Enterprise DevOps Guide

In modern DevOps, GitOps is the practice of managing infrastructure and application deployments through Git repositories. Instead of manually applying changes with kubectl or scripts, the Git repository becomes the single source of truth.

All changes to infrastructure, services, and applications are:

• Version-controlled

• Auditable

• Automatically applied to the target environment

This guide demonstrates a complete GitOps workflow using ArgoCD on Kubernetes, suitable for development, staging, and production environments.

Real-Life Scenario

Company Example: A SaaS company runs multiple microservices on Kubernetes. Their challenges:

1. Multiple environments: dev, staging, production

2. Frequent application updates: every 2–3 days

3. Compliance needs: full audit trail of changes

4. High availability: zero manual downtime

Solution: GitOps workflow with ArgoCD

• All Kubernetes manifests live in Git

• Developers push changes to the repo → automatically applied via ArgoCD

• Rollbacks happen in seconds if a change breaks the system

Prerequisites

• Linux server (Ubuntu, Debian, RHEL, AlmaLinux, Rocky)

• Kubernetes cluster (single-node or multi-node)

• kubectl installed

• Helm installed

• ArgoCD CLI installed (argocd)

• Git repository with Kubernetes manifests (or Helm charts)

Verify Kubernetes:

kubectl version --client

Verify Helm:

helm version

Verify ArgoCD CLI:

argocd version

Step 1: Install ArgoCD on Kubernetes

Create namespace:

kubectl create namespace argocd

Install ArgoCD via manifests:

kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

Verify pods are running:

kubectl get pods -n argocd

Expected Output:

Why: Each pod serves a purpose:

• argocd-server: Web dashboard + API

• argocd-repo-server: Connects to Git repositories

• application-controller: Syncs Git manifests to cluster

• dex-server: Optional OAuth2 authentication

Step 2: Expose ArgoCD Dashboard

Option 1 – NodePort (Quick Test):

kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "NodePort"}}'
kubectl get svc -n argocd argocd-server

Access dashboard via: https://<server-ip>:<nodeport>

Option 2 – Ingress (Production):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-ingress
  namespace: argocd
spec:
  rules:
  - host: argocd.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              number: 443

Why: Ingress enables SSL termination and centralized access for production environments.

Step 3: Login to ArgoCD CLI

Get the initial password:

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

Login:

argocd login <server-ip-or-hostname> --username admin --password <password> --insecure

Step 4: Connect Your Git Repository

Scenario: You have a Git repo with separate folders for environments:

repo/
├─ dev/
│  └─ k8s/
├─ staging/
│  └─ k8s/
└─ production/
   └─ k8s/

Create ArgoCD app for dev:

argocd app create my-app-dev \
--repo https://github.com/company/repo.git \
--path dev/k8s \
--dest-server https://kubernetes.default.svc \
--dest-namespace dev \
--sync-policy automated

Explanation:

• --path dev/k8s → Only deploy dev manifests

• --dest-namespace dev → Isolate dev environment

• --sync-policy automated → Auto-apply changes from Git

Step 5: Sync and Monitor Application

Force sync manually:

argocd app sync my-app-dev

Check status:

argocd app get my-app-dev

Output Example:

Name:               my-app-dev
Project:            default
Sync Status:        Synced to HEAD
Health Status:      Healthy

Why: Ensures the cluster matches Git repository exactly.

Step 6: Rollback Example

Scenario: A recent commit broke your application in dev. Rollback to previous commit:

argocd app rollback my-app-dev 2

• 2 → Revision number from Git history

• Changes applied immediately to Kubernetes

• No downtime required

Step 7: Multi-Environment Workflow

1. Developers push changes to dev branch

2. CI pipeline validates manifests

3. ArgoCD syncs dev environment automatically

4. QA approves changes → merge to staging branch

5. ArgoCD applies changes to staging environment

6. After approval, merge to production → ArgoCD syncs production

Benefit: Full audit trail and compliance. Every environment reflects Git history.

Step 8: Security Best Practices

• Use SSH keys or personal access tokens for Git repo

• Enable RBAC in ArgoCD to control access

• Enforce TLS for ArgoCD dashboard

• Use automated sync carefully in production

• Enable SSO via OAuth2 / LDAP

Step 9: Real-World Examples

• Netflix: Uses GitOps patterns with ArgoCD to manage microservices across hundreds of clusters.

• Red Hat OpenShift: Supports GitOps natively with ArgoCD integration.

• Banks / Financial Services: Maintain audit logs and ensure compliance while automating deployments.

Step 10: Observability & Alerting

• Enable ArgoCD Notifications to send Slack/email alerts for sync failures.

• Integrate Prometheus & Grafana to monitor:

argocd-metrics -> Prometheus -> Grafana

• Create dashboards for deployment success, health, and drift detection.

Benefits Recap

• Immutable Infrastructure: Git is the single source of truth

• Automated Deployments: Reduce human error

• Audit & Compliance: Track every change

• Fast Rollback: Instant recovery from failed deployments

• Consistency Across Environments: Dev, staging, and production stay synchronized