ArgoCD GitOps Patterns

Core GitOps workflow patterns for declarative infrastructure management.

Sync Wave Ordering

Sync waves control deployment order. Lower numbers deploy first.

Wave Purpose Examples

-10

Storage (CSI) Mayastor

-3

Secrets vault OpenBao

-2

Secrets sync External Secrets

-1

Observability, VPN Jaeger, Kilo

0

Default Most operators

1

Application layer KubeAI, apps

2

Dependent services Harbor

metadata: annotations: argocd.argoproj.io/sync-wave: "-2"

App-of-Apps Pattern

Parent application deploys child applications:

apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: platform-apps namespace: argocd spec: project: platform source: repoURL: https://github.com/5dlabs/cto targetRevision: develop path: infra/gitops/applications/platform directory: recurse: false destination: server: https://kubernetes.default.svc namespace: argocd

Multi-Source Applications

Combine Helm chart with local manifests:

spec: sources: # Source 1: Helm chart - repoURL: https://charts.example.io chart: myapp targetRevision: 1.0.0 helm: values: | replicas: 2

# Source 2: Supplementary manifests
- repoURL: https://github.com/5dlabs/cto
  targetRevision: develop
  path: infra/gitops/manifests/myapp
  directory:
    include: "*.yaml"

Helm Values Configuration

Inline values in ArgoCD Application:

spec: source: repoURL: https://charts.example.io chart: myapp targetRevision: 1.0.0 helm: values: | # Pod labels for log collection podLabels: platform.5dlabs.io/log-collection: enabled

    # Resource limits
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 500m
        memory: 512Mi

ignoreDifferences Patterns

Prevent spurious diffs from dynamic fields:

spec: ignoreDifferences: # Webhook CA bundles (managed by cert-manager) - group: admissionregistration.k8s.io kind: ValidatingWebhookConfiguration jsonPointers: - /webhooks/0/clientConfig/caBundle

# StatefulSet volumeClaimTemplates (K8s normalizes)
- group: apps
  kind: StatefulSet
  jsonPointers:
    - /spec/volumeClaimTemplates

# CRD annotations (managed by operator)
- group: apiextensions.k8s.io
  kind: CustomResourceDefinition
  jsonPointers:
    - /metadata/annotations

Sync Policy

Standard sync policy for automated GitOps:

spec: syncPolicy: automated: prune: true # Remove resources not in git selfHeal: true # Revert manual changes allowEmpty: false # Prevent accidental deletion

syncOptions:
  - CreateNamespace=true
  - ServerSideApply=true
  - PrunePropagationPolicy=foreground
  - RespectIgnoreDifferences=true

retry:
  limit: 5
  backoff:
    duration: 10s
    factor: 2
    maxDuration: 3m

Project Configuration

Define allowed sources and destinations:

apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: name: platform namespace: argocd spec: sourceRepos: - https://github.com/5dlabs/* - https://charts.external-secrets.io destinations: - namespace: '' server: https://kubernetes.default.svc clusterResourceWhitelist: - group: '' kind: '*'

Validation Commands

Check application status

argocd app get <app-name> argocd app diff <app-name>

Sync manually (if needed)

argocd app sync <app-name>

Check sync waves

kubectl get applications -n argocd -o custom-columns=
'NAME:.metadata.name,WAVE:.metadata.annotations.argocd.argoproj.io/sync-wave'

Best Practices

• Use sync waves - Deploy dependencies before dependents

• Define ignoreDifferences - Prevent unnecessary reconciliation

• Enable selfHeal - Auto-revert manual drift

• Use ServerSideApply - Better handling of large manifests

• Set retry policies - Handle transient failures gracefully

• Label for observability - Add platform.5dlabs.io/log-collection: enabled