Articles

ArgoCD in Production: Hardening and Best Practices (2026)

April 16, 2026 4 min read

Argo CD is a declarative GitOps continuous delivery tool.

Argo CD is more than just a deployment tool; it’s a system that continuously monitors your Git repositories and Kubernetes clusters, ensuring the desired state defined in Git is always reflected in your live environment. This means if someone manually changes a resource in your cluster, Argo CD will detect the drift and automatically correct it, bringing it back in line with what’s defined in Git. This Git-as-the-source-of-truth approach is the core of GitOps.

Let’s see Argo CD in action. Imagine you have a simple Nginx deployment defined in a Git repository.

# nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.21.6
        ports:
        - containerPort: 80

You’d configure Argo CD to watch this Git repository and a specific Kubernetes cluster. Argo CD then periodically fetches the manifest from Git and compares it with the live state of the cluster. If there’s a discrepancy (e.g., the cluster has only 1 replica instead of the desired 2), Argo CD will show this as a "Drift" and offer to synchronize the cluster to match Git.

The fundamental problem Argo CD solves is the inherent complexity and fragility of manual Kubernetes deployments and ongoing cluster management. Without a system like Argo CD, keeping track of what’s deployed, ensuring consistency across environments, and recovering from errors becomes a significant operational burden. It introduces a reliable, auditable, and automated way to manage your application lifecycle.

Internally, Argo CD operates as a control loop. It consists of several components:

  • API Server: Exposes the Argo CD API for UI, CLI, and other integrations.
  • Controller: The heart of Argo CD. It watches Git repositories for changes and the Kubernetes API for cluster state. It reconciles differences by applying necessary changes to the cluster.
  • Repo Server: Fetches manifests from Git repositories and renders them using tools like Helm or Kustomize.
  • Application Controller: Manages the lifecycle of Argo CD Application resources, which define what to sync and where.
  • Redis: Used for caching and storing Argo CD’s state.

The levers you control are primarily through the Argo CD Application custom resource. This resource tells Argo CD what to sync (which Git repo, which path, which revision) and where to sync it (which cluster, which namespace).

# my-nginx-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: nginx-app
  namespace: argocd # Argo CD's own namespace
spec:
  project: default
  source:
    repoURL: https://github.com/your-org/your-gitops-repo.git
    targetRevision: HEAD
    path: nginx-app/overlays/production
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

In this Application manifest:

  • repoURL specifies the Git repository.
  • targetRevision points to the branch or commit to track (e.g., HEAD for the latest on the default branch, or a specific commit hash).
  • path indicates the directory within the repository containing your Kubernetes manifests.
  • destination.server is the API endpoint of your target Kubernetes cluster.
  • destination.namespace is the namespace within that cluster where the application should be deployed.
  • syncPolicy.automated.prune: true means Argo CD will remove resources that are no longer defined in Git.
  • syncPolicy.automated.selfHeal: true means Argo CD will automatically correct drift.

Argo CD’s diffing algorithm is notoriously sensitive to certain Kubernetes resource fields that are managed by the cluster itself, not by your manifests. For instance, resourceVersion and uid are added by Kubernetes and will always cause a "drift" if you’re not careful. Argo CD’s diffing is designed to ignore these common cluster-managed fields by default, but it can be configured to ignore many other fields if you encounter persistent, non-actionable diffs.

When you run argocd repoclients get, you’re not just fetching a list of repositories; you’re seeing the cached state of Argo CD’s understanding of your Git sources, which is crucial for its reconciliation loop.

The next concept you’ll grapple with is managing multiple environments (dev, staging, prod) efficiently using Argo CD, often involving strategies like directory-based or Helm-based multi-tenancy.

Want structured learning?

Take the full Argocd course →