ArgoCD — GitOps Deployment Platform
STATUS: ACTIVE
OWNER: Alex (Infrastructure, Team Alfa), Tjitte (Infrastructure, Team Bravo)
CATEGORY: Infrastructure, Deployment
INSTALLED: 2026-04-01
VERSION: v2.14 (CNCF Graduated)
EU Service Provider Policy Compliance
| Check | Status |
|---|---|
| Open source | YES — Apache 2.0 |
| Self-hosted | YES — running on fort-knox-dev k3s |
| Data residency | EU — all data on local cluster |
| No external API calls | YES — talks to local GitLab only |
| No cloud dependency | YES — fully self-contained |
| CNCF status | Graduated (highest maturity level) |
| EU policy verdict | COMPLIANT |
What It Does
ArgoCD watches our GitLab repository for changes to k8s manifests.
When manifests change on the main branch, ArgoCD automatically
syncs the changes to the k8s cluster. No more manual kubectl apply.
Applications Configured
| Application | Source Path | Namespace | Sync Policy |
|---|---|---|---|
| ge-agents | k8s/base/agents | ge-agents | Auto (selfHeal) |
| ge-system | k8s/base/core | ge-system | Auto (selfHeal) |
| ge-monitoring | k8s/base/monitoring | ge-monitoring | Auto (selfHeal) |
Access
- Web UI: http://argocd.ge.internal (via Traefik ingress)
- CLI: `argocd` (installed at /usr/local/bin/argocd)
- Credentials: Vault at `secret/ge/argocd` (field: admin-password)
How Deployment Works
1. Developer/agent commits k8s manifest change to main
2. GitLab CI pipeline runs and passes
3. ArgoCD detects the change (polls every 3 min)
4. ArgoCD applies the manifest diff to the cluster
5. ArgoCD reports sync status (Synced/OutOfSync/Degraded)
Managed By
- Alex (Team Alfa Infrastructure) — primary operator
- Tjitte (Team Bravo Infrastructure) — secondary operator
- Arjan (Infrastructure Architect) — architecture decisions
Configuration Files
- Application manifests: `k8s/base/ci/argocd/ge-agents-app.yaml`
- Ingress: created via kubectl (TODO: add to k8s/base/ci/argocd/)
Pitfalls
- ArgoCD needs the GitLab repo registered with credentials (PAT stored in Vault at secret/ge/gitlab-pat)
- The repo URL must be resolvable from inside the argocd namespace (CoreDNS NodeHosts must include gitlab.ge.internal)
- `prune: false` prevents ArgoCD from deleting resources not in git (safe default — enable pruning only after validation)
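
The ge-agents row of the Applications table and the prune pitfall above, written out as an Argo CD Application manifest. This is an added example, not the contents of ge-agents-app.yaml: the repoURL scheme and project path are placeholders, and `project: default`, the `argocd` namespace for the Application object and the in-cluster destination server are assumptions.

```yaml
# Added example: assumed shape of an Argo CD Application for ge-agents.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: ge-agents
  namespace: argocd              # assumption: Application objects live in the argocd namespace
spec:
  project: default               # assumption: the page does not name an AppProject
  source:
    # Placeholder URL: scheme and project path are not given on the page.
    # The host must resolve from inside the argocd namespace (CoreDNS NodeHosts).
    repoURL: https://gitlab.ge.internal/<group>/<repo>.git
    targetRevision: main         # only the main branch is deployed
    path: k8s/base/agents
  destination:
    server: https://kubernetes.default.svc   # assumption: same cluster ArgoCD runs in
    namespace: ge-agents
  syncPolicy:
    automated:
      # selfHeal: manual changes to live objects are reverted to the state in git,
      # so an out-of-band kubectl edit does not persist.
      selfHeal: true
      # prune: false: a resource whose manifest is deleted from git keeps running
      # in the cluster; removing the file alone does not remove the workload.
      prune: false
```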