Production-grade Argo CD GitOps control plane: app-of-apps + ApplicationSets, multi-environment, progressive delivery with Argo Rollouts, secrets via Sealed Secrets / External Secrets Operator.
- App-of-apps root + ApplicationSets for scalable multi-tenant management
- Multi-env: dev / staging / prod via list & matrix generators
- Progressive delivery: Argo Rollouts canary + blue-green examples with Prometheus analysis
- Secrets: External Secrets Operator (GCP Secret Manager via Workload Identity) + Sealed Secrets
- RBAC: AppProjects scoping access, OIDC-ready
- Drift detection + auto-heal + automated sync with retry/backoff
- Sync waves for ordered rollout across environments
- CI gates: yamllint, kustomize build, kubeconform schema validation
```text
.
├── bootstrap/                 # One-time install: Argo CD Helm values + root app-of-apps
│   ├── argocd-install.yaml
│   ├── values.yaml
│   └── root-app.yaml          # Apply once; bootstraps everything else
├── projects/                  # AppProjects (RBAC scopes)
│   ├── platform.yaml          # Cluster-wide infra (ingress, observability, policy)
│   └── apps.yaml              # Tenant workloads (with developer role)
├── applicationsets/           # Scalable app generation
│   ├── projects.yaml          # Apply AppProjects from git
│   ├── platform-addons.yaml   # Same addons across all envs
│   └── microservices.yaml     # Matrix: services × environments
├── apps/                      # Sample app manifests (Kustomize)
│   ├── base/
│   └── overlays/{dev,staging,prod}/
├── rollouts-examples/         # Argo Rollouts: canary + blue-green
│   ├── canary/
│   └── blue-green/
├── secrets/                   # ESO + Sealed Secrets samples
└── .github/workflows/         # CI: yamllint, kustomize, kubeconform
```
```bash
# 1. Install Argo CD
helm repo add argo https://argoproj.github.io/argo-helm
helm install argocd argo/argo-cd -n argocd --create-namespace -f bootstrap/values.yaml

# 2. Apply the root app-of-apps; Argo CD takes over from here
kubectl apply -f bootstrap/root-app.yaml

# 3. (Optional) Log in to the UI via SSO
argocd login argocd.platform.example.com --sso
```

```mermaid
flowchart LR
    Root[root Application] --> AS[ApplicationSets]
    AS --> Projects[AppProjects]
    AS --> Addons[platform-addons-{dev,staging,prod}]
    AS --> Apps[microservices: 3 svcs × 3 envs = 9 apps]
    Addons --> AddonRepo[(k8s-platform-addons repo)]
    Apps --> AppRepo[(microservices-demo-app repo)]
```
One root Application → ApplicationSets → ~15 generated Applications. Adding a new service or environment to a generator renders the corresponding Applications automatically.
| Strategy | Use Case | Example |
|---|---|---|
| Canary (NGINX traffic split + Prometheus analysis) | Stateless web services | rollouts-examples/canary/ |
| Blue-green (preview service + manual promote) | Risky migrations, schema changes | rollouts-examples/blue-green/ |
Analysis templates query Prometheus for success rate and latency during the rollout and trigger an automatic rollback on regression.
```mermaid
flowchart TB
    Dev[Developer] --> Git[git commit ExternalSecret CR]
    Git --> Argo[Argo CD]
    Argo --> ESO[External Secrets Operator]
    ESO --> WI{Workload Identity}
    WI --> GSM[GCP Secret Manager]
    GSM --> K8sSecret[K8s Secret in cluster]
    K8sSecret --> Pod[Pod]
```
- Plain text never in git; only references to secrets
- Workload Identity; no service account keys
- Sealed Secrets as fallback for clusters without ESO
| Project | Who | Permissions |
|---|---|---|
| platform | platform-admins | Cluster-wide, all resources |
| apps | app-developers | sync + get on apps in apps/* (no delete) |
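An added example of an AppProject that enforces the `apps` row above (illustrative, not this repo's `projects/apps.yaml`); the repo URL, the `apps-*` namespace pattern and the OIDC group name are assumptions:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: apps
  namespace: argocd
spec:
  description: Tenant workloads, developer role limited to sync + get
  # Only manifests from this repo may be deployed (assumed URL)
  sourceRepos:
    - https://github.com/example-org/microservices-demo-app.git
  # Only in-cluster, tenant-prefixed namespaces (assumed pattern)
  destinations:
    - server: https://kubernetes.default.svc
      namespace: 'apps-*'
  # No cluster-scoped resources for tenants (empty whitelist = none allowed)
  clusterResourceWhitelist: []
  # Namespaced guard-rails that tenants must not override
  namespaceResourceBlacklist:
    - group: ''
      kind: ResourceQuota
    - group: ''
      kind: LimitRange
    - group: networking.k8s.io
      kind: NetworkPolicy
  # Surface resources left in the namespace that git no longer declares
  orphanedResources:
    warn: true
  roles:
    - name: developer
      description: sync and read Applications in this project; no delete
      # Policy format: p, <subject>, <resource>, <action>, <project>/<app>, <effect>
      policies:
        - p, proj:apps:developer, applications, get, apps/*, allow
        - p, proj:apps:developer, applications, sync, apps/*, allow
        - p, proj:apps:developer, applications, delete, apps/*, deny
      # OIDC group bound to this role (assumed group name)
      groups:
        - app-developers
```

Actions not granted to a project role are denied by default; the explicit `deny` line documents the intent and survives a permissive global `policy.default`.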
MIT; see LICENSE.
Author: Kushalesh, Senior GKE Platform Engineer