ArgoCD cheatsheet.

Install

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

# Initial admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

# UI
kubectl -n argocd port-forward svc/argocd-server 8080:443
# Open https://localhost:8080

CLI

brew install argocd

argocd login localhost:8080
argocd app list
argocd app get my-app
argocd app sync my-app
argocd app diff my-app
argocd app rollback my-app
argocd app delete my-app

Application

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/me/manifests
    targetRevision: main
    path: overlays/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: prod
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
    retry:
      limit: 5
      backoff: { duration: 5s, factor: 2, maxDuration: 3m }

Sync options

  • prune: delete resources removed from git.
  • selfHeal: revert manual changes.
  • automated: auto-sync; remove for manual.

Multi-source

spec:
  sources:
    - repoURL: https://github.com/me/manifests
      path: overlays/prod
      targetRevision: main
    - repoURL: https://charts.bitnami.com/bitnami
      chart: redis
      targetRevision: 19.5.0
      helm:
        valueFiles:
          - $values/values/redis-prod.yaml

Helm

spec:
  source:
    repoURL: https://charts.bitnami.com/bitnami
    chart: redis
    targetRevision: 19.5.0
    helm:
      values: |
        replica:
          replicaCount: 3
        auth:
          existingSecret: redis-auth

Kustomize

spec:
  source:
    repoURL: ...
    path: overlays/prod
    kustomize:
      images:
        - ghcr.io/me/web=ghcr.io/me/web:v1.2.3

App of Apps pattern

One Application that manages other Applications:

# Root Application
spec:
  source:
    repoURL: ...
    path: apps/

apps/ contains many Application YAMLs.

ApplicationSet (generator)

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata: { name: my-apps, namespace: argocd }
spec:
  generators:
    - git:
        repoURL: https://github.com/me/manifests
        directories:
          - path: overlays/*
  template:
    metadata: { name: '{{path.basename}}' }
    spec:
      project: default
      source:
        repoURL: https://github.com/me/manifests
        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{path.basename}}'

Per-overlay app auto-generated.

Generators: git directories, git files, list, cluster, matrix, scm provider, pull request.

AppProject

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata: { name: team-a, namespace: argocd }
spec:
  description: Team A apps
  sourceRepos:
    - https://github.com/team-a/*
  destinations:
    - namespace: team-a-*
      server: https://kubernetes.default.svc
  clusterResourceWhitelist:
    - { group: "*", kind: Namespace }
  namespaceResourceWhitelist:
    - { group: "*", kind: "*" }
  roles:
    - name: developer
      policies:
        - p, proj:team-a:developer, applications, sync, team-a/*, allow

Scoped permissions per team.

Hooks (sync waves + hooks)

metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "1"          # order
    argocd.argoproj.io/hook: PreSync           # or Sync, PostSync, SyncFail
    argocd.argoproj.io/hook-delete-policy: HookSucceeded

PreSync: run DB migration job before app deploy.

Health

ArgoCD reports app health based on resource state. Customize via Lua scripts in argocd-cm.

Notifications

# Slack via argocd-notifications
# Configure ConfigMap with templates + triggers

SSO

OIDC integration (Google, GitHub, Okta) via argocd-cm:

data:
  url: https://argocd.example.com
  oidc.config: |
    name: GitHub
    issuer: https://github.com
    clientID: $github-oauth:clientID
    clientSecret: $github-oauth:clientSecret
    requestedScopes: ["openid", "profile", "email", "groups"]

Drift detection

argocd app diff my-app           # show drift
argocd app sync my-app           # apply

Argo Rollouts (canary / blue-green)

apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata: { name: web }
spec:
  replicas: 5
  strategy:
    canary:
      steps:
        - setWeight: 20
        - pause: { duration: 5m }
        - setWeight: 50
        - pause: { duration: 10m }
        - setWeight: 100
  selector: { matchLabels: { app: web } }
  template: { ... }                # same as Deployment

Gradual rollout with analysis steps.

Blue/green

strategy:
  blueGreen:
    activeService: web-active
    previewService: web-preview
    autoPromotionEnabled: false

Common mistakes

  • Manual kubectl apply over ArgoCD-managed resources → drift.
  • prune: false + removed manifests → orphaned resources.
  • Long-lived feature branches → drift.
  • ApplicationSet cluster generator missing in-cluster decorator.
  • Webhook timeouts on slow git providers.

Read this next

If you want my ArgoCD + ApplicationSet templates, they’re at rajpoot.dev .

Building something AI-, backend-, or data-heavy and want a second pair of eyes? I do consulting and freelance work — see my projects and ways to reach me at rajpoot.dev .