Make Git the single source of truth — commit a change and the cluster syncs itself.
Advanced A3 · Argo CD watches your Helm chart in Git and reconciles the cluster to match.
Advanced GitOps ~65 mingit push — and watch Argo correct manual drift automaticallyPrerequisites: A2 (Helm) — we deploy the notes-chart you built. A running k3d cluster and a GitHub account.
In A2 you deployed with helm upgrade from your laptop. That's push-based: a human (or CI runner) pushes changes into the cluster. It works, but it has problems — who ran what, when? Is the cluster still what we think it is? What if someone kubectl edits something by hand?
There's no single record of "what should be running," manual hotfixes silently diverge from your YAML (drift), and rollback means remembering the last good command. Credentials to the cluster also have to live in your CI system.
GitOps flips it: a Git repo holds the desired state of the cluster, and an in-cluster agent (Argo CD) continuously pulls from Git and makes reality match. Git becomes the single source of truth and the audit log.
| Push (helm/kubectl) | GitOps (Argo CD) | |
|---|---|---|
| Trigger | You run a command | You merge a commit |
| Source of truth | Whatever's in the cluster | The Git repo |
| Drift | Goes unnoticed | Detected & auto-corrected |
| Audit | Shell history, maybe | Full Git history |
| Rollback | Re-run an old command | git revert |
| Cluster creds | In your CI | Stay inside the cluster |
Argo CD runs in your cluster and loops forever: read desired state from Git → compare to live state → reconcile.
| Term | What it is |
|---|---|
| Application | An Argo CD object: "deploy this path/chart from this repo into this namespace." |
| Sync | Applying the desired state to the cluster. |
| Sync status | Synced (matches Git) or OutOfSync (drifted). |
| Self-heal | Auto-revert any manual change back to Git's version. |
| Prune | Delete resources removed from Git. |
| App-of-Apps | One Application that manages many others — how teams scale GitOps. |
We'll put the notes-chart in Git and let Argo CD deploy and maintain it. Use your k3d cluster from A1/A2.
Create a repo (e.g. notes-gitops) containing your notes-chart/ from A2, and push it to GitHub:
Get the auto-generated admin password and port-forward the UI:
Browse to https://localhost:8081 (accept the self-signed cert), log in as admin. Optionally log in with the CLI too:
This is the heart of GitOps: an Application telling Argo CD which repo/chart to deploy where. Save as application.yaml (point repoURL at your repo):
Within seconds Argo CD pulls your chart from Git and deploys the whole notes stack — you never ran helm install. The app's tile in the UI turns green: Synced & Healthy.
In the UI, click the notes app to see the live resource tree (Deployment → ReplicaSet → Pods, plus the StatefulSet and Services) with health dots.
No more helm upgrade. Change the chart in Git and Argo rolls it out. Bump replicas in your repo:
Argo detects the new commit (auto, or click Refresh) and syncs — a third and fourth web pod appear. Your git push was the deploy.
This is GitOps' superpower. Manually change the cluster — Argo reverts it because Git says otherwise:
With selfHeal: true, the cluster can't drift from Git — any out-of-band change is reverted within seconds. The repo is the truth, always.
A bad change went out? Revert the commit — Argo syncs the cluster back automatically:
Your deployment history is your Git history. Every change is reviewable, attributable, and reversible with one commit.
| Command | What it does |
|---|---|
argocd login HOST | Log in to the Argo CD API |
argocd app list | List all Applications |
argocd app get NAME | Sync status, health, resource tree |
argocd app sync NAME | Manually trigger a sync |
argocd app diff NAME | Show desired-vs-live differences |
argocd app history NAME | Deployment revisions |
argocd app rollback NAME N | Roll back to revision N |
argocd app set NAME -p k=v | Override a Helm parameter |
argocd app delete NAME | Remove the app (and prune) |
kubectl get applications -n argocd | Apps are just CRDs — manage as YAML |
You almost never run argocd app sync in steady state — you change Git and let Argo do the rest. The CLI is mostly for inspection and the occasional manual nudge.
| Symptom | Likely cause & fix |
|---|---|
App stuck OutOfSync | Auto-sync off — enable it, or run argocd app sync. Check the diff. |
ComparisonError / repo not found | Wrong repoURL/path, private repo with no creds — add the repo in Settings. |
| Image won't pull on k3d | Argo deploys fine, but k3d still needs the local image imported (k3d image import). |
| Manual edits keep reverting | That's selfHeal working as designed — change Git, not the cluster. |
| Can't reach the UI | Keep the port-forward running; use https:// and accept the cert. |
| Resources not deleted | prune is off — enable it so removed-from-Git means removed-from-cluster. |
notes-dev using values-dev.yaml in its own namespace — one repo, two environments.Application manifests themselves to Git and manage them with an App-of-Apps.argocd.argoproj.io/sync-wave).OutOfSync badge appear when you edit a resource.argocd app wait in CI) when a sync completes.Run Argo CD, declare an Application that deploys your Helm chart from Git, enable auto-sync/self-heal/prune, deploy by committing, watch drift auto-correct, and roll back with git revert. Git is now your control plane.
Next up: A4 — Progressive Delivery, where you'll ship new versions safely with canary and blue-green rollouts — gradually shifting traffic and auto-rolling-back on failure, all driven from Git.