9th Week :- GitOps with ArgoCD: Automate Kubernetes Deployments from Code to Cluster

Table of contents
- β What is GitOps?
- β What is ArgoCD?
- π¦ Traditional Deployment vs GitOps Deployment
- π GitOps Deployment Workflow (End-to-End)
- π§© GitOps Flow Recap (Visual)
- β Why GitOps with ArgoCD is Awesome
- π Useful Commands
- π What is a Personal Access Token (PAT) in GitHub?
- π οΈ How to Create a PAT on GitHub (Step-by-Step)
- π How to Use PAT to Push to GitHub from CI/CD
- β οΈ Tips & Best Practices
- β Final Thoughts
β What is GitOps?
GitOps is a modern DevOps approach where Git becomes the single source of truth for your entire infrastructure and application deployments. Instead of manually running kubectl apply
or using scripts, you declare your desired state (like app version, replicas, configs) in a Git repository. Then tools like ArgoCD continuously sync those changes to your Kubernetes cluster.
π In GitOps, your deployment flow becomes:
Git Commit β Git Push β ArgoCD Sync β Kubernetes Deployment
β What is ArgoCD?
ArgoCD is a powerful GitOps tool that:
Watches a Git repository for changes in Kubernetes manifests.
Automatically syncs those changes to a Kubernetes cluster.
Visualizes applications and sync status via a UI or CLI.
Provides rollback, version control, and audit capabilities.
π§ Think of ArgoCD as a Kubernetes-native deployment controller powered by Git.
π¦ Traditional Deployment vs GitOps Deployment
Feature | Traditional Way | GitOps Way |
Source of Truth | Your terminal or CI/CD tool | Git Repository |
Manual Work | kubectl apply after every build | Auto sync via ArgoCD |
Rollbacks | Manual | One-click from Git history |
Security | Depends on user access | Controlled by Git permissions |
Audit Trail | None or via logs | Built-in Git commit history |
π GitOps Deployment Workflow (End-to-End)
Letβs walk through how to deploy a Node.js backend application using GitOps with ArgoCD.
π§ Step-by-Step GitOps Flow
1. Write Code
- Build a simple Node.js backend app.
// server.js
const express = require('express');
const app = express();
app.get('/', (req, res) => res.send('Node backend working!'));
app.listen(3000, () => console.log('Server started on port 3000'));
2. Dockerize the App
Create a Dockerfile
in the project:
FROM node:18
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
CMD ["node", "server.js"]
3. CI Pipeline (GitHub Actions)
Weβll automate Docker build and push to DockerHub.
# .github/workflows/docker-ci.yml
name: Build and Push Docker Image
on:
push:
branches: [main]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@v3
- name: Login to DockerHub
run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
- name: Build and Push Image
run: |
docker build -t ${{ secrets.DOCKER_USERNAME }}/node-backend:latest .
docker push ${{ secrets.DOCKER_USERNAME }}/node-backend:latest
π Store DockerHub credentials in GitHub Secrets.
4. GitOps Repository Setup
Create a second repo, e.g., node-backend-ops
, for Kubernetes manifests.
deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: node-backend
spec:
replicas: 2
selector:
matchLabels:
app: node-backend
template:
metadata:
labels:
app: node-backend
spec:
containers:
- name: node
image: your-docker-username/node-backend:latest
ports:
- containerPort: 3000
service.yaml:
apiVersion: v1
kind: Service
metadata:
name: node-backend-service
spec:
selector:
app: node-backend
ports:
- protocol: TCP
port: 80
targetPort: 3000
type: LoadBalancer
5. Update CI to Trigger GitOps
After pushing Docker image, commit new image tag to ops repo.
# Add a job in docker-ci.yml (add after Docker push)
- name: Update GitOps Repo
run: |
git config --global user.name "GitOps Bot"
git config --global user.email "bot@example.com"
git clone https://x-access-token:${{ secrets.GITOPS_TOKEN }}@github.com/your-org/node-backend-ops.git
cd node-backend-ops
sed -i 's|image:.*|image: your-docker-username/node-backend:latest|' deployment.yaml
git commit -am "Update image to latest"
git push
β You can also use tools like Kustomize or [Helm] for templating versions.
6. Configure ArgoCD to Watch Ops Repo
- Install ArgoCD on cluster:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
- Access UI:
kubectl port-forward svc/argocd-server -n argocd 8080:443
- Login:
kubectl get secret argocd-initial-admin-secret -n argocd -o yaml
- Create App in ArgoCD (UI or CLI):
argocd app create node-backend \
--repo https://github.com/your-org/node-backend-ops.git \
--path . \
--dest-server https://kubernetes.default.svc \
--dest-namespace default
- Sync App:
argocd app sync node-backend
π§© GitOps Flow Recap (Visual)
1. Developer writes Node backend code
2. Commit & push to GitHub backend repo
3. GitHub Actions:
ββ Builds Docker image
ββ Pushes to DockerHub
ββ Updates image tag in GitOps repo (deployment.yaml)
4. ArgoCD (connected to GitOps repo):
ββ Detects change in manifest
ββ Applies new image to Kubernetes
β Why GitOps with ArgoCD is Awesome
Benefit | Description |
π§ Declarative | Everything is in Git, version-controlled. |
π Automated | No manual kubectl apply . ArgoCD does it. |
π₯ Collaboration | Team members can propose changes via PRs. |
π Audit Trail | Every change is tracked in Git. |
π₯ Rollbacks | Easily revert to old version with git revert . |
π Secure | CI/CD pipelines donβt need cluster access. |
π Useful Commands
ArgoCD
argocd login <argocd-server>
argocd app list
argocd app sync <app-name>
argocd app rollback <app-name> <revision>
CPU Monitoring
kubectl top nodes
kubectl top pods
π What is a Personal Access Token (PAT) in GitHub?
A PAT (Personal Access Token) is like a password alternative that allows programmatic access to your GitHub account via HTTPS.
β Why use it?
Secure access without exposing your password.
Useful for GitHub Actions, CI/CD, scripts, and Git clients.
Lets you commit, clone, push, pull, and access GitHub APIs.
π οΈ How to Create a PAT on GitHub (Step-by-Step)
Go to GitHub Settings:
- Click your profile picture >
Settings
- Click your profile picture >
Go to Developer Settings:
- Left sidebar >
Developer settings
- Left sidebar >
Choose Personal Access Tokens β Tokens (classic)
Click βGenerate new token (classic)β
Give a Name and Expiration:
Example:
ci-bot-token
Choose expiration (e.g., 30 or 90 days)
Select Required Scopes (Permissions):
For pushing commits to your GitOps (ops) repo, you only need:β repo (Full control of private repositories)
If your ops repo is public, then just:
β public_repo
Generate the Token
π IMPORTANT: Copy the token immediately. You wonβt see it again!
π How to Use PAT to Push to GitHub from CI/CD
β Store PAT in GitHub Secrets
Go to the repo where your CI/CD lives (like your backend code repo)
Settings >
Secrets and variables
>Actions
Click
New repository secret
Name: GITOPS_TOKEN
Value: (paste your PAT)
β Use PAT in GitHub Actions to Commit to Your Ops Repo
Example CI step to push updates to the ops repo:
- name: Push updated manifest to GitOps repo
run: |
git config --global user.name "GitOps Bot"
git config --global user.email "bot@example.com"
git clone https://x-access-token:${{ secrets.GITOPS_TOKEN }}@github.com/your-org/your-ops-repo.git
cd your-ops-repo
sed -i 's|image:.*|image: yourdockerhubuser/node-backend:latest|' deployment.yaml
git commit -am "update image to latest"
git push
π
https://x-access-token:<PAT>@github.com/
...
is how you authenticate with GitHub using the token.
β οΈ Tips & Best Practices
β Use a separate token for automation, not your personal login.
β° Set token expiry (donβt leave it valid forever).
π Limit scopes to only what's needed (
repo
,workflow
, etc.).π Rotate tokens regularly (delete expired/unused ones).
π§ͺ Use environment variables or GitHub Secrets, never hardcode PATs.
β Final Thoughts
GitOps with ArgoCD is a game-changer for Kubernetes-based applications. It brings automation, stability, security, and auditability into the core of your deployment pipeline. With a Git-based flow, teams can scale faster with more control and confidence.
Subscribe to my newsletter
Read articles from Lav kushwaha directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
