name: argocd-gitops
description: Argo CD GitOps reconciliation loop for agent infrastructure. App-of-Apps pattern, sync policies, drift detection, progressive rollouts, and automated self-healing from Git as single source of truth. Sources: argoproj/argo-cd (Apache-2.0).
origin: yana-ai — synthesized from argoproj/argo-cd (Apache-2.0)
license: Apache-2.0
version: 1.0.0
compatibility: yana-ai >= 1.3.52
/argocd-gitops
When to Use
- Git repo = single source of truth for cluster state; any manual change is auto-reverted
- Continuous delivery: merge to main → Argo CD syncs cluster automatically
- Drift detection: alert/auto-fix when someone kubectl-edits a resource directly
- App-of-Apps: one root Application manages 50+ sub-applications declaratively
Do NOT use for
- Non-Kubernetes deployments
- Secrets management (combine with External Secrets Operator or Sealed Secrets)
Application manifest
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: yamtam-prod
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/org/yamtam-config
targetRevision: main
path: charts/yamtam-agent
helm:
valueFiles:
- values-prod.yaml
parameters:
- name: image.tag
value: "1.3.52"
destination:
server: https://kubernetes.default.svc
namespace: yamtam
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- PrunePropagationPolicy=foreground
- ApplyOutOfSyncOnly=true
retry:
limit: 3
backoff: { duration: 5s, factor: 2, maxDuration: 3m }
App-of-Apps pattern
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: root
namespace: argocd
spec:
source:
repoURL: https://github.com/org/yamtam-config
targetRevision: main
path: apps/
destination:
server: https://kubernetes.default.svc
namespace: argocd
syncPolicy:
automated: { prune: true, selfHeal: true }
Sync via Argo CD CLI
argocd app sync yamtam-prod
argocd app wait yamtam-prod --timeout 120
argocd app get yamtam-prod
argocd app rollback yamtam-prod
argocd app diff yamtam-prod
Drift detection webhook (Node.js)
import express from 'express'
const app = express()
app.post('/argocd/webhook', express.json(), (req, res) => {
const { application, operation } = req.body
if (operation?.sync?.result?.resources?.some(r => r.status === 'OutOfSync')) {
console.warn('[argocd] DRIFT DETECTED in', application.metadata.name)
alertOncall({ app: application.metadata.name, status: 'OutOfSync' })
}
if (operation?.sync?.result?.phase === 'Failed') {
console.error('[argocd] SYNC FAILED:', application.metadata.name)
}
res.sendStatus(200)
})
Anti-Fake-Pass Checklist
❌ automated.selfHeal: false → drift from manual changes persists until next manual sync
❌ automated.prune: false → deleted resources from Git remain in cluster (ghost resources)
❌ Secrets in Git → Argo CD syncs them in plaintext; use External Secrets Operator
❌ No retry policy → transient webhook/network error causes permanent OutOfSync state
❌ App-of-Apps without wave sync-order → child apps create resources before CRDs exist
❌ targetRevision: HEAD → always tracks latest commit including broken commits; use branch or tag