IDP Blueprint

argo-events

Version: 2.4.12 Type: application Homepage

Event-driven workflow automation for Kubernetes

Component Information

PropertyValue
Chart Version2.4.12
Chart Typeapplication
Upstream Projectargo-events
MaintainersPlatform Engineering Team (repo)

Why Argo Events?

Argo Events is the shared nervous system of the IDP Blueprint. It listens to Kubernetes, Git, and external systems, then fans out triggers to Argo Workflows, ArgoCD, or any HTTP target. The stack is deployed from K8s/events/* and synchronized through task stacks:events, so every environment boots the same event bus, governance objects, and controller configuration.

The event-driven model decouples producers from consumers. Event sources emit events to a bus, sensors listen to the bus and trigger actions. This pattern enables reactive automation: Git pushes trigger CI/CD workflows, certificate renewals trigger application restarts, and SLO breaches trigger remediation workflows.

Argo Events integrates with the Argo ecosystem (Workflows and ArgoCD), making it a natural fit for GitOps-based platforms. Event sources and sensors are Kubernetes resources, so they’re versioned in Git and deployed declaratively.

Architecture Role

Argo Events operates at Layer 2 of the platform, the Automation & Governance layer. It provides event-driven orchestration across all platform components.

Key integration points:

  • Argo Workflows: Sensors trigger workflow templates based on events
  • ArgoCD: Events can trigger intelligent application syncs
  • Git Providers: Webhook event sources listen to repository events
  • Prometheus/Alertmanager: Alert events trigger remediation workflows
  • NATS EventBus: Internal message bus for event distribution

The configuration uses a three-node NATS cluster as the default EventBus. All event sources publish to this bus, and all sensors subscribe to it. This provides reliable event delivery with at-least-once semantics.

See CI/CD Model for how Argo Events integrates into the platform automation.

Scheduling & Reliability

  • Both controller and webhook use the platform-events PriorityClass and pin to control-plane nodes through node affinity and tolerations so automation continues even if worker nodes are under pressure (values.yaml).
  • Rolling updates use maxUnavailable: 0 / maxSurge: 1 to enforce zero-downtime restarts for the controller.
  • The EventBus (eventbus.yaml) provisions a three-node NATS cluster with token auth; it is the single default bus referenced by all Sensors.

Building Sensors and Event Sources

  1. Create a folder under K8s/events/<source>-<purpose>/.
  2. Add EventSource and Sensor manifests that point to the default EventBus.
  3. Label everything with the canonical metadata (app.kubernetes.io/part-of: idp, owner: platform-team, etc.) and include governance files if the folder introduces its own namespace.
  4. Commit and let the ApplicationSet reconcile it—no manual registration is required.

Common recipes:

  • Git webhooks → trigger Argo Workflows templates or invoke the ArgoCD API for intelligent syncs.
  • Alertmanager or Prometheus burn-rate alerts → Sensor that dispatches remediation workflows.
  • Cron-style schedulesCalendar trigger to fan out maintenance jobs.

Event Source Types

Argo Events supports multiple event source types:

TypeUse CaseExample
WebhookHTTP endpoints for external systemsGitHub push events
CalendarCron-like scheduled eventsPeriodic backups
ResourceKubernetes resource changesConfigMap updates
AMQPMessage queue eventsRabbitMQ, Azure Service Bus
KafkaStream processingHigh-throughput event streams
NATSPub/sub messagingInter-service communication
RedisCache and pub/subSession events
AWS SNS/SQSCloud eventsAWS service notifications
GCP Pub/SubCloud eventsGCP service notifications

Sensor Patterns

Sensors define what happens when events occur:

Trigger Argo Workflow

apiVersion: argoproj.io/v1alpha1
kind: Sensor
metadata:
  name: git-push-workflow
spec:
  dependencies:
    - name: github-push
      eventSourceName: github-webhook
      eventName: push
  triggers:
    - template:
        name: build-workflow
        argoWorkflow:
          operation: submit
          source:
            resource:
              apiVersion: argoproj.io/v1alpha1
              kind: Workflow
              metadata:
                generateName: build-
              spec:
                workflowTemplateRef:
                  name: docker-build-push

Trigger ArgoCD Sync

triggers:
  - template:
      name: argocd-sync
      http:
        url: http://argocd-server.argocd/api/v1/applications/my-app/sync
        method: POST
        headers:
          Authorization: Bearer <token>
```text


### Fan-Out Pattern


```yaml
triggers:
  - template:
      name: workflow-1
      argoWorkflow: {...}
  - template:
      name: workflow-2
      argoWorkflow: {...}
  - template:
      name: notification
      http: {...}

Observability & Operations

  • Metrics: the controller exposes /metrics on port 7777; a ServiceMonitor with selector prometheus: kube-prometheus is created automatically so Prometheus scrapes it.
  • Health: kubectl -n argo-events get pods verifies controller/webhook readiness; kubectl -n argo-events get eventbus shows NATS replicas.
  • Event Sources: kubectl -n argo-events get eventsource lists configured event sources
  • Sensors: kubectl -n argo-events get sensor lists active sensors
  • EventBus Status: kubectl -n argo-events get eventbus default -o yaml shows NATS cluster health
  • Redeploy: task stacks:events reapplies the ApplicationSet and Helm release; use it after changing values or adding new sources.
  • Cleanup/testing: task deploy already includes the Events stack; task destroy removes it with the rest of the platform.

Extending to Other Stacks

Treat Events as a cross-cutting concern:

  • CI/CD: Workflows triggered by Sensor payloads instead of manual submissions.
  • Security: Stream Trivy or Kyverno reports into Sensors for auto-ticketing or rollback automation.
  • SRE automation: Watch Gateway/Certificate events and run recovery flows.

Design Sensors so they emit structured CloudEvents (or JSON payloads) that downstream tasks can parse consistently.

Security Considerations

  • EventBus Authentication: The NATS EventBus uses token-based authentication to prevent unauthorized event publishing
  • RBAC: Event sources and sensors require specific ServiceAccounts with minimal RBAC permissions
  • Network Policies: Cilium network policies restrict event source webhook endpoints to authorized sources
  • Secret Management: Webhook tokens and API keys are stored in Vault and synced via External Secrets Operator

Common Use Cases

Continuous Deployment Pipeline

GitHub Push Event → EventSource (webhook)
                  → Sensor (filters by branch)
                  → Argo Workflow (build + test + push image)
                  → ArgoCD Sync (deploy to cluster)

Automated Incident Response

Prometheus Alert → Alertmanager webhook → EventSource
                                        → Sensor (filters by severity)
                                        → Argo Workflow (remediation script)
                                        → Slack notification

Scheduled Maintenance

Calendar EventSource (cron: 0 2 * * *)
  → Sensor
  → Argo Workflow (database backup)
  → Argo Workflow (cleanup old resources)
  → Notification on completion

Configuration Values

argo-events

Version: 2.4.12

Component Information

Property Value
Chart Version 2.4.12
Chart Type ``
Upstream Project N/A

Configuration Values

The following table lists the configurable parameters:

Values

Key Type Default Description
controller.affinity object {"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"node-role.kubernetes.io/control-plane","operator":"Exists"}]}]}}} Node affinity for controller (schedule on control-plane for stability)
controller.deploymentStrategy object {"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"} Rolling update strategy for zero-downtime updates
controller.deploymentStrategy.rollingUpdate.maxSurge int 1 Maximum surge pods during update
controller.deploymentStrategy.rollingUpdate.maxUnavailable int 0 Maximum unavailable pods during update (0 for zero-downtime)
controller.metrics object {"enabled":true,"path":"/metrics","port":7777,"serviceMonitor":{"additionalLabels":{"prometheus":"kube-prometheus"},"enabled":true}} Metrics configuration for the controller
controller.metrics.enabled bool true Enable Prometheus metrics endpoint
controller.metrics.path string "/metrics" Path for metrics endpoint
controller.metrics.port int 7777 Port for metrics endpoint
controller.metrics.serviceMonitor.additionalLabels object {"prometheus":"kube-prometheus"} Additional labels for ServiceMonitor
controller.metrics.serviceMonitor.additionalLabels.prometheus string "kube-prometheus" Prometheus selector label
controller.metrics.serviceMonitor.enabled bool true Create ServiceMonitor for controller metrics
controller.priorityClassName string "platform-events" Priority class for controller pods
controller.replicas int 1 Number of controller replicas
controller.resources object {"limits":{"cpu":"200m","memory":"256Mi"},"requests":{"cpu":"50m","memory":"64Mi"}} Resource requests and limits for the controller
controller.resources.limits.cpu string "200m" CPU limit for the controller
controller.resources.limits.memory string "256Mi" Memory limit for the controller
controller.resources.requests.cpu string "50m" CPU request for the controller
controller.resources.requests.memory string "64Mi" Memory request for the controller
controller.tolerations list [{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Exists"}] Tolerations for controller to run on control-plane node
crds.install bool true Install Argo Events CRDs
crds.keep bool true Keep CRDs on chart uninstall
global.image object {"pullPolicy":"IfNotPresent"} Image pull policy for all components
webhook.affinity object {"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"node-role.kubernetes.io/control-plane","operator":"Exists"}]}]}}} Node affinity for webhook (schedule on control-plane for stability)
webhook.enabled bool true Enable the validating admission webhook
webhook.priorityClassName string "platform-events" Priority class for webhook pods
webhook.resources object {"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"25m","memory":"32Mi"}} Resource requests and limits for the webhook
webhook.resources.limits.cpu string "100m" CPU limit for the webhook
webhook.resources.limits.memory string "128Mi" Memory limit for the webhook
webhook.resources.requests.cpu string "25m" CPU request for the webhook
webhook.resources.requests.memory string "32Mi" Memory request for the webhook
webhook.tolerations list [{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Exists"}] Tolerations for webhook to run on control-plane node