argocd
Declarative GitOps continuous delivery for Kubernetes
Component Information
| Property | Value |
|---|---|
| Chart Version | latest |
| Chart Type | application |
| Upstream Project | argocd |
| Maintainers | Platform Engineering Team (repo) |
Why ArgoCD?
ArgoCD continuously reconciles what’s defined in Git with what’s running in the cluster. The platform uses it for several specific features:
- ApplicationSets: Generate Applications dynamically from templates, enabling patterns like “deploy to all namespaces matching this label” (see GitOps, Policy, and Eventing for the App‑of‑AppSets model)
- Sync Waves: Orchestrate deployment order (namespaces before CRDs, CRDs before applications); see the Sync Waves section in GitOps, Policy, and Eventing
- Prometheus Metrics: Observability into sync status, reconciliation loops, and resource health
- Multicluster Support: Can manage multiple clusters from a single control plane
- UI: Visual representation of application deployment status
ArgoCD handles single-cluster and multicluster setups with the same architecture. It exposes Prometheus metrics for integration with the observability stack, and works alongside other Argo ecosystem tools (Workflows, Events).
Alternatives like Flux exist and are viable. ArgoCD was chosen here primarily for its UI and ApplicationSet capabilities, which align well with the platform’s requirements.
Architecture Role
ArgoCD operates at Layer 2 of the platform, the Automation & Governance layer. It’s the brain that translates declarative manifests in Git into cluster state.
Key integration points:
- Git Provider: Pulls manifests and monitors for changes
- Kubernetes API: Applies resources and continuously reconciles desired state
- Kyverno: Works in tandem during admission control (Kyverno validates what ArgoCD deploys)
- External Secrets: ArgoCD deploys ExternalSecret resources, which trigger secret synchronization from Vault
- Prometheus: Exposes metrics on sync status, application health, and reconciliation performance
The configuration here uses resourceTrackingMethod: annotation for better performance (avoids
label length limits) and excludes high-frequency resources like CiliumEndpoint and PolicyReport
from reconciliation to reduce API server load.
ArgoCD has selfHeal: true enabled in ApplicationSets, meaning any manual changes to resources
are automatically reverted to match Git. This enforces GitOps discipline and ensures the cluster
state is always reproducible.
See GitOps Model for how ArgoCD orchestrates the entire platform.
Redis Cache
ArgoCD uses Redis as an internal cache to improve reconciliation performance. The application controller caches cluster state in Redis to reduce load on the Kubernetes API server during large-scale reconciliation loops.
Current Configuration:
- Single Redis instance (bundled with ArgoCD chart)
- Resources: 100m CPU / 128Mi RAM requests, 250m CPU / 256Mi RAM limits
How It Works:
When ArgoCD reconciles applications, it queries the Kubernetes API server for resource states. Redis caches these queries to:
- Reduce API server load during sync operations
- Speed up application health assessments
- Improve UI responsiveness when viewing application details
Production Considerations:
- For high-availability setups, use external Redis with persistence
- Consider Redis Sentinel or Redis Cluster for multi-replica deployments
- Monitor cache hit rates via ArgoCD controller metrics
See the Configuration Values section below for Redis resource tuning.
Configuration Values
argocd
Component Information
| Property | Value |
|---|---|
| Chart Version | 8.6.0 |
| Chart Type | `` |
| Upstream Project | N/A |
Configuration Values
The following table lists the configurable parameters:
Values
RBAC
| Key | Type | Default | Description |
|---|---|---|---|
| createClusterRoles | bool | true | Create cluster roles for ArgoCD |
Other Values
| Key | Type | Default | Description |
|---|---|---|---|
| applicationSet.deploymentStrategy | object | {"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"} | Rolling update strategy for zero-downtime updates |
| applicationSet.deploymentStrategy.rollingUpdate.maxSurge | int | 1 | Maximum surge pods during update |
| applicationSet.deploymentStrategy.rollingUpdate.maxUnavailable | int | 0 | Maximum unavailable pods during update (0 for zero-downtime) |
| applicationSet.enabled | bool | true | Enable ApplicationSet controller |
| applicationSet.metrics.enabled | bool | true | Enable metrics |
| applicationSet.metrics.serviceMonitor.enabled | bool | true | Enable ServiceMonitor |
| applicationSet.metrics.serviceMonitor.interval | string | "60s" | Scrape interval for template rendering |
| applicationSet.metrics.serviceMonitor.scrapeTimeout | string | "40s" | Scrape timeout |
| applicationSet.priorityClassName | string | "platform-infrastructure" | Priority class |
| applicationSet.resources.limits.cpu | string | "250m" | CPU limit |
| applicationSet.resources.limits.memory | string | "512Mi" | Memory limit |
| applicationSet.resources.requests.cpu | string | "125m" | CPU request |
| applicationSet.resources.requests.memory | string | "256Mi" | Memory request |
| certificate.enabled | bool | false | Enable certificate management (handled by cert-manager) |
| certificate.format | string | "json" | Global logging format |
| certificate.level | string | "warn" | Global logging level |
| configs.cm."admin.enabled" | bool | true | Enable local admin user |
| configs.cm."application.resourceTrackingMethod" | string | "annotation" | Resource tracking method for performance |
| configs.cm."exec.enabled" | bool | true | Enable exec feature in Argo UI |
| configs.cm."kustomize.buildOptions" | string | "--enable-helm" | Enable Helm support in Kustomize builds |
| configs.cm."resource.exclusions" | string | "### Network resources created by the Kubernetes control plane and excluded to reduce the number of watched events and UI clutter\n- apiGroups:\n - ''\n - discovery.k8s.io\n kinds:\n - Endpoints\n - EndpointSlice\n### Internal Kubernetes resources excluded reduce the number of watched events\n- apiGroups:\n - coordination.k8s.io\n kinds:\n - Lease\n### Internal Kubernetes Authz/Authn resources excluded reduce the number of watched events\n- apiGroups:\n - authentication.k8s.io\n - authorization.k8s.io\n kinds:\n - SelfSubjectReview\n - TokenReview\n - LocalSubjectAccessReview\n - SelfSubjectAccessReview\n - SelfSubjectRulesReview\n - SubjectAccessReview\n### Intermediate Certificate Request excluded reduce the number of watched events\n- apiGroups:\n - certificates.k8s.io\n kinds:\n - CertificateSigningRequest\n- apiGroups:\n - cert-manager.io\n kinds:\n - CertificateRequest\n### Cilium internal resources excluded reduce the number of watched events and UI Clutter\n- apiGroups:\n - cilium.io\n kinds:\n - CiliumIdentity\n - CiliumEndpoint\n - CiliumEndpointSlice\n### Kyverno intermediate and reporting resources excluded reduce the number of watched events and improve performance\n- apiGroups:\n - kyverno.io\n - reports.kyverno.io\n - wgpolicyk8s.io\n kinds:\n - PolicyReport\n - ClusterPolicyReport\n - EphemeralReport\n - ClusterEphemeralReport\n - AdmissionReport\n - ClusterAdmissionReport\n - BackgroundScanReport\n - ClusterBackgroundScanReport\n - UpdateRequest\n" | Exclude high-frequency resources from reconciliation |
| configs.cm."statusbadge.enabled" | string | true | Enable status badges |
| configs.cm."timeout.reconciliation" | string | "60s" | Timeout to discover new manifest versions |
| configs.params | object | {"server.insecure":true} | ArgoCD server command-line parameters. Required for TLS termination at reverse proxy/gateway. |
| configs.params."server.insecure" | bool | true | Run server without TLS (required when behind TLS-terminating proxy). The Gateway handles TLS termination, so ArgoCD receives plain HTTP. |
| configs.repositories.aqua.name | string | "aqua" | Repository name |
| configs.repositories.aqua.type | string | "helm" | Repository type |
| configs.repositories.aqua.url | string | "https://aquasecurity.github.io/helm-charts/" | Repository URL |
| configs.repositories.argo-project.name | string | "argo-project" | Repository name |
| configs.repositories.argo-project.type | string | "helm" | Repository type |
| configs.repositories.argo-project.url | string | "https://argoproj.github.io/argo-helm" | Repository URL |
| configs.repositories.bitnami.name | string | "bitnami" | Repository name |
| configs.repositories.bitnami.type | string | "helm" | Repository type |
| configs.repositories.bitnami.url | string | "https://charts.bitnami.com/bitnami" | Repository URL |
| configs.repositories.cilium.name | string | "cilium" | Repository name |
| configs.repositories.cilium.type | string | "helm" | Repository type |
| configs.repositories.cilium.url | string | "https://helm.cilium.io/" | Repository URL |
| configs.repositories.external-secrets.name | string | "external-secrets" | Repository name |
| configs.repositories.external-secrets.type | string | "helm" | Repository type |
| configs.repositories.external-secrets.url | string | "https://charts.external-secrets.io" | Repository URL |
| configs.repositories.fluent.name | string | "fluent" | Repository name |
| configs.repositories.fluent.type | string | "helm" | Repository type |
| configs.repositories.fluent.url | string | "https://fluent.github.io/helm-charts" | Repository URL |
| configs.repositories.grafana.name | string | "grafana" | Repository name |
| configs.repositories.grafana.type | string | "helm" | Repository type |
| configs.repositories.grafana.url | string | "https://grafana.github.io/helm-charts" | Repository URL |
| configs.repositories.hashicorp.name | string | "hashicorp" | Repository name |
| configs.repositories.hashicorp.type | string | "helm" | Repository type |
| configs.repositories.hashicorp.url | string | "https://helm.releases.hashicorp.com" | Repository URL |
| configs.repositories.jetstack.name | string | "jetstack" | Repository name |
| configs.repositories.jetstack.type | string | "helm" | Repository type |
| configs.repositories.jetstack.url | string | "https://charts.jetstack.io/" | Repository URL |
| configs.repositories.kyverno.name | string | "kyverno" | Repository name |
| configs.repositories.kyverno.type | string | "helm" | Repository type |
| configs.repositories.kyverno.url | string | "https://kyverno.github.io/kyverno/" | Repository URL |
| configs.repositories.open-telemetry.name | string | "open-telemetry" | Repository name |
| configs.repositories.open-telemetry.type | string | "helm" | Repository type |
| configs.repositories.open-telemetry.url | string | "https://open-telemetry.github.io/opentelemetry-helm-charts" | Repository URL |
| configs.repositories.pixie-operator.name | string | "pixie-operator" | Repository name |
| configs.repositories.pixie-operator.type | string | "helm" | Repository type |
| configs.repositories.pixie-operator.url | string | "https://artifacts.px.dev/helm_charts/operator" | Repository URL |
| configs.repositories.policy-reporter.name | string | "policy-reporter" | Repository name |
| configs.repositories.policy-reporter.type | string | "helm" | Repository type |
| configs.repositories.policy-reporter.url | string | "https://kyverno.github.io/policy-reporter" | Repository URL |
| configs.repositories.prometheus-community.name | string | "prometheus-community" | Repository name |
| configs.repositories.prometheus-community.type | string | "helm" | Repository type |
| configs.repositories.prometheus-community.url | string | "https://prometheus-community.github.io/helm-charts" | Repository URL |
| configs.repositories.sonarsource.name | string | "sonarsource" | Repository name |
| configs.repositories.sonarsource.type | string | "helm" | Repository type |
| configs.repositories.sonarsource.url | string | "https://SonarSource.github.io/helm-chart-sonarqube" | Repository URL |
| configs.secret.argocdServerAdminPassword | string | Vault-generated bcrypt hash | Admin password hash (managed by Vault) |
| configs.secret.createSecret | bool | true | Create secret for admin credentials |
| controller.deploymentStrategy | object | {"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"} | Rolling update strategy for zero-downtime updates |
| controller.deploymentStrategy.rollingUpdate.maxSurge | int | 1 | Maximum surge pods during update |
| controller.deploymentStrategy.rollingUpdate.maxUnavailable | int | 0 | Maximum unavailable pods during update (0 for zero-downtime) |
| controller.metrics.enabled | bool | true | Enable Prometheus metrics |
| controller.metrics.serviceMonitor.enabled | bool | true | Enable ServiceMonitor for Prometheus Operator |
| controller.metrics.serviceMonitor.interval | string | "30s" | Scrape interval for GitOps reconciliation tracking |
| controller.metrics.serviceMonitor.scrapeTimeout | string | "25s" | Scrape timeout |
| controller.priorityClassName | string | "platform-infrastructure" | Priority class for controller pods |
| controller.resources.limits.cpu | string | "1000m" | CPU limit |
| controller.resources.limits.memory | string | "1Gi" | Memory limit |
| controller.resources.requests.cpu | string | "250m" | CPU request |
| controller.resources.requests.memory | string | "512Mi" | Memory request |
| crds.install | bool | true | Install CRDs |
| crds.keep | bool | true | Keep CRDs on chart uninstall |
| dex.enabled | bool | false | Enable Dex federated OpenID Connect provider |
| ha.enabled | bool | false | Enable High Availability mode for production deployments |
| redis.deploymentStrategy | object | {"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"} | Rolling update strategy for zero-downtime updates |
| redis.deploymentStrategy.rollingUpdate.maxSurge | int | 1 | Maximum surge pods during update |
| redis.deploymentStrategy.rollingUpdate.maxUnavailable | int | 0 | Maximum unavailable pods during update (0 for zero-downtime) |
| redis.resources.limits.cpu | string | "250m" | CPU limit |
| redis.resources.limits.memory | string | "256Mi" | Memory limit |
| redis.resources.requests.cpu | string | "100m" | CPU request |
| redis.resources.requests.memory | string | "128Mi" | Memory request |
| repoServer.deploymentStrategy | object | {"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"} | Rolling update strategy for zero-downtime updates |
| repoServer.deploymentStrategy.rollingUpdate.maxSurge | int | 1 | Maximum surge pods during update |
| repoServer.deploymentStrategy.rollingUpdate.maxUnavailable | int | 0 | Maximum unavailable pods during update (0 for zero-downtime) |
| repoServer.metrics.enabled | bool | true | Enable metrics |
| repoServer.metrics.serviceMonitor.enabled | bool | true | Enable ServiceMonitor |
| repoServer.metrics.serviceMonitor.interval | string | "60s" | Scrape interval for background git operations |
| repoServer.metrics.serviceMonitor.scrapeTimeout | string | "40s" | Scrape timeout |
| repoServer.priorityClassName | string | "platform-infrastructure" | Priority class |
| repoServer.resources.limits.cpu | string | "500m" | CPU limit |
| repoServer.resources.limits.memory | string | "512Mi" | Memory limit |
| repoServer.resources.requests.cpu | string | "250m" | CPU request |
| repoServer.resources.requests.memory | string | "256Mi" | Memory request |
| server.deploymentStrategy | object | {"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"} | Rolling update strategy for zero-downtime updates |
| server.deploymentStrategy.rollingUpdate.maxSurge | int | 1 | Maximum surge pods during update |
| server.deploymentStrategy.rollingUpdate.maxUnavailable | int | 0 | Maximum unavailable pods during update (0 for zero-downtime) |
| server.ingress.enabled | bool | false | Enable ingress |
| server.ingress.tls | bool | false | Enable TLS |
| server.metrics.enabled | bool | true | Enable metrics |
| server.metrics.serviceMonitor.enabled | bool | true | Enable ServiceMonitor |
| server.metrics.serviceMonitor.interval | string | "30s" | Scrape interval for user-facing API latency |
| server.metrics.serviceMonitor.scrapeTimeout | string | "25s" | Scrape timeout |
| server.priorityClassName | string | "platform-infrastructure" | Priority class for server pods |
| server.resources.limits.cpu | string | "250m" | CPU limit |
| server.resources.limits.memory | string | "256Mi" | Memory limit |
| server.resources.requests.cpu | string | "125m" | CPU request |
| server.resources.requests.memory | string | "128Mi" | Memory request |
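
The values above enable the local admin account (`admin.enabled`), the UI exec terminal (`exec.enabled`) and a plain-HTTP server (`server.insecure`) while `dex.enabled` is false. The following Python check is an added example, not part of the chart or its documentation: it flags those settings in a values dictionary so each one can be paired with a compensating control. `PAGE_VALUES` is a constructed sample built from the defaults in the table, and the function names are hypothetical.

```python
# Constructed sample: the security-relevant defaults from this page's values table.
PAGE_VALUES = {
    "configs": {
        "cm": {"admin.enabled": True, "exec.enabled": True},
        "params": {"server.insecure": True},
    },
    "dex": {"enabled": False},
    "server": {"ingress": {"enabled": False, "tls": False}},
}

def lookup(values, *path, default=None):
    """Walk nested dicts; keys like "admin.enabled" are one literal key."""
    node = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def enabled(value):
    """Helm values may carry booleans as strings ("true"); accept both."""
    return value is True or str(value).strip().lower() == "true"

def audit(values):
    """Return (key, review note) pairs for settings that need a compensating control."""
    cm = lookup(values, "configs", "cm", default={})
    findings = []
    # Argo CD enables the local admin account unless admin.enabled is set to false.
    sso = enabled(lookup(values, "dex", "enabled", default=False)) or "oidc.config" in cm
    if enabled(cm.get("admin.enabled", True)) and not sso:
        findings.append(("configs.cm.admin.enabled",
                         "local admin is the only login path; no Dex or OIDC configured"))
    if enabled(cm.get("exec.enabled", False)):
        findings.append(("configs.cm.exec.enabled",
                         "web terminal is on; restrict the 'exec' resource in Argo CD RBAC"))
    if enabled(lookup(values, "configs", "params", "server.insecure", default=False)):
        ingress = lookup(values, "server", "ingress", default={})
        exposed = enabled(ingress.get("enabled", False)) and not enabled(ingress.get("tls", False))
        findings.append(("configs.params.server.insecure",
                         "chart ingress would serve plain HTTP" if exposed else
                         "plain HTTP behind the gateway; confirm it is the only route to argocd-server"))
    return findings

if __name__ == "__main__":
    for key, note in audit(PAGE_VALUES):
        print(f"{key}: {note}")
```

Run against the rendered values in CI so a change to any of these three keys shows up in review.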