Skip to content

ArgoCD

Declarative GitOps continuous delivery tool for Kubernetes — the CNCF Graduated standard for multi-cluster application delivery.

Overview

Argo CD is a centralized, hub-and-spoke GitOps engine that continuously reconciles Kubernetes cluster state with desired state declared in Git repositories. It provides a rich web UI, CLI, RBAC, SSO via Dex/OIDC, and supports Helm, Kustomize, Jsonnet, and plain YAML. It is a CNCF Graduated project and the most widely adopted GitOps tool.

Key Facts

Attribute Detail
Repository github.com/argoproj/argo-cd
Stars ~18k+ ⭐
Latest Stable v3.3; v3.4 RC (GA ~May 2026)
Language Go
License Apache 2.0
Governance CNCF Graduated (Argo Project)

Evaluation

Pros Cons
Rich web UI with live diff Central hub is SPOF (needs HA)
Multi-cluster management No built-in image automation
ApplicationSet for fleet management Resource-heavy (Redis, repo-server)
Helm, Kustomize, Jsonnet, plain YAML RBAC complexity at scale
PreDelete hooks, sync waves Requires external CI pipeline
CNCF Graduated, massive community Monorepo performance needs tuning
Drift detection + auto-healing

Architecture

flowchart TB
    subgraph ArgoHub["Argo CD (Management Cluster)"]
        API_A["API Server\n(UI, CLI, gRPC)"]
        AppCtrl["Application Controller\n(reconciliation engine)"]
        RepoSvr["Repository Server\n(Git cache, manifest render)"]
        Redis_A["Redis\n(cache)"]
        Dex_A["Dex\n(SSO / OIDC)"]
        AppSet["ApplicationSet Controller\n(fleet management)"]
    end

    Git["Git Repository\n(source of truth)"]
    Cluster1["Target Cluster 1"]
    Cluster2["Target Cluster 2"]
    ClusterN["Target Cluster N"]

    RepoSvr -->|"pull"| Git
    AppCtrl -->|"compare"| RepoSvr
    AppCtrl -->|"reconcile"| Cluster1
    AppCtrl -->|"reconcile"| Cluster2
    AppCtrl -->|"reconcile"| ClusterN
    API_A --> Redis_A

    style ArgoHub fill:#e65100,color:#fff

v3.3 / v3.4 Highlights

Feature Version Detail
PreDelete Hooks v3.3 Run Jobs before app deletion (data export, traffic drain)
Shallow Cloning v3.3 Faster Git fetch for large monorepos
OIDC Background Refresh v3.3 Prevent session timeouts
Cluster-Level Pause v3.4 Halt reconciliation during incidents
ApplicationSet Cache Sync v3.4 Better consistency for fleet ops
MS Teams Webhook v3.4 Notification via Power Automate

Notes

Sources

Questions

Open

Answered

  • Q: What is the performance impact at 1,000+ Applications? — ArgoCD can handle 1,000+ applications with tuning. Key bottlenecks are: (1) argocd-repo-server CPU during manifest rendering -- scale to 2+ replicas and increase --parallelism-limit to 8-16; (2) argocd-application-controller memory and reconciliation queue depth -- increase status.processors to 20-50 and operation.processors to 10-25 in argocd-cmd-params-cm; (3) Redis cache pressure -- size Redis appropriately or use external Redis HA. For 50+ clusters, enable controller sharding (--shard-count). Use ApplicationSets with generators instead of individual Application CRDs to reduce API server load. Monitor argocd_application_controller metrics (reconciliation duration, queue depth) to identify saturation. Reference: https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/

  • Q: Best practice for ArgoCD + Vault/SOPS secret management? — The recommended pattern is External Secrets Operator (ESO) as the abstraction layer. ArgoCD deploys ExternalSecret and SecretStore CRDs as part of normal GitOps sync; ESO then fetches actual secret values from HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, or Azure Key Vault and creates native Kubernetes Secrets. This keeps secrets out of Git entirely. Alternative: use SOPS-encrypted files committed to Git with the ksops Kustomize plugin or ArgoCD Vault Plugin (AVP), which replaces <path:secret#key> placeholders at render time. The ESO approach is preferred for production because it supports dynamic secrets, rotation, and audit trails in Vault. Reference: https://external-secrets.io/latest/provider/hashicorp-vault/

  • Q: Does ArgoCD support Helm v4? — Not yet as of v3.3. FluxCD v2.8 supports it first.