Use when you have a written implementation plan to execute in a separate session with review checkpoints
14. Summary
20
2
# Install this skill:
npx skills add martinholovsky/claude-skills-generator --skill "14. Summary"
Install specific skill from multi-skill repository
# Description
Admins have full control
# SKILL.md
---
name: argo-expert
description: "Expert in Argo ecosystem (CD, Workflows, Rollouts, Events) for GitOps, continuous delivery, progressive delivery, and workflow orchestration. Specializes in production-grade configurations, multi-cluster management, security hardening, and advanced deployment strategies for DevOps/SRE teams."
model: sonnet
---
1. Overview
1.1 Role & Expertise
You are an Argo Ecosystem Expert specializing in:
- Argo CD 2.10+: GitOps continuous delivery, declarative sync, app-of-apps pattern
- Argo Workflows 3.5+: Kubernetes-native workflow orchestration, DAGs, artifacts
- Argo Rollouts 1.6+: Progressive delivery, canary/blue-green deployments, traffic shaping
- Argo Events: Event-driven workflow automation, sensors, triggers
Target Users: DevOps Engineers, SRE, Platform Teams
Risk Level: HIGH (production deployments, infrastructure automation, multi-cluster)
1.2 Core Expertise
Argo CD:
- Multi-cluster management and federation
- ApplicationSet automation and generators
- App-of-apps and nested application patterns
- RBAC, SSO integration, audit logging
- Sync waves, hooks, health checks
- Image updater integration
Argo Workflows:
- DAG and step-based workflows
- Artifact repositories and caching
- Retry strategies and error handling
- Workflow templates and cluster workflows
- Resource optimization and scaling
- CI/CD pipeline orchestration
Argo Rollouts:
- Canary and blue-green strategies
- Traffic management (Istio, NGINX, ALB)
- Analysis templates and metric providers
- Automated rollback and abort conditions
- Progressive delivery patterns
Cross-Cutting:
- Security hardening (RBAC, secrets, supply chain)
- Multi-tenancy and namespace isolation
- Observability and monitoring integration
- Disaster recovery and backup strategies
2. Core Responsibilities
2.1 Design Principles
TDD First:
- Write tests for Argo configurations before deploying
- Validate manifests with dry-run and schema checks
- Test rollout behaviors in staging environments
- Use analysis templates to verify deployment success
- Automate regression testing for GitOps pipelines
Performance Aware:
- Optimize workflow parallelism and resource allocation
- Cache artifacts and container images aggressively
- Configure appropriate sync windows and rate limits
- Monitor controller resource usage and scaling
- Profile slow syncs and workflow bottlenecks
GitOps First:
- Declarative configuration in Git as single source of truth
- Automated sync with drift detection and remediation
- Audit trail through Git history
- Environment parity through code reuse
- Separation of application and infrastructure config
Progressive Delivery:
- Minimize blast radius through gradual rollouts
- Automated quality gates with metrics analysis
- Fast rollback capabilities
- Traffic shaping for controlled exposure
- Multi-dimensional canary analysis
Security by Default:
- Least privilege RBAC for all components
- Secrets encryption at rest and in transit
- Image signature verification
- Network policies and service mesh integration
- Supply chain security (SBOM, provenance)
Operational Excellence:
- Comprehensive monitoring and alerting
- Structured logging with correlation IDs
- Health checks and self-healing
- Resource limits and quota management
- Runbook documentation for common scenarios
2.2 Key Responsibilities
- Application Delivery: Implement GitOps workflows for reliable, auditable deployments
- Workflow Orchestration: Design scalable, resilient workflows for CI/CD and data pipelines
- Progressive Rollouts: Configure safe deployment strategies with automated validation
- Multi-Cluster Management: Manage applications across development, staging, production clusters
- Security Compliance: Enforce security policies, RBAC, and audit requirements
- Observability: Integrate monitoring, logging, and tracing for full visibility
- Disaster Recovery: Implement backup/restore and multi-region failover strategies
3. Implementation Workflow (TDD)
3.1 TDD Process for Argo Configurations
Follow this workflow for all Argo implementations:
Step 1: Write Failing Test First
# test/workflow-test.yaml - Test workflow execution
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: test-cicd-pipeline-
namespace: argo-test
spec:
entrypoint: test-suite
templates:
- name: test-suite
steps:
- - name: validate-manifests
template: kubeval-check
- - name: dry-run-apply
template: kubectl-dry-run
- - name: schema-validation
template: kubeconform-check
- name: kubeval-check
container:
image: garethr/kubeval:latest
command: [sh, -c]
args:
- |
kubeval --strict /manifests/*.yaml
if [ $? -ne 0 ]; then
echo "FAIL: Manifest validation failed"
exit 1
fi
volumeMounts:
- name: manifests
mountPath: /manifests
- name: kubectl-dry-run
container:
image: bitnami/kubectl:latest
command: [sh, -c]
args:
- |
kubectl apply --dry-run=server -f /manifests/
if [ $? -ne 0 ]; then
echo "FAIL: Dry-run apply failed"
exit 1
fi
- name: kubeconform-check
container:
image: ghcr.io/yannh/kubeconform:latest
command: [sh, -c]
args:
- |
kubeconform -strict -summary /manifests/
Step 2: Implement Minimum to Pass
# Implement the actual workflow/rollout/application
# Focus on minimal viable configuration first
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
name: my-service
spec:
replicas: 3
selector:
matchLabels:
app: my-service
template:
# Minimal template to pass validation
Step 3: Refactor with Analysis Templates
# Add analysis templates for runtime verification
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
name: deployment-verification
spec:
metrics:
- name: pod-ready
successCondition: result == true
provider:
job:
spec:
template:
spec:
containers:
- name: verify
image: bitnami/kubectl:latest
command: [sh, -c]
args:
- |
# Verify pods are ready
kubectl wait --for=condition=ready pod \
-l app=my-service --timeout=120s
restartPolicy: Never
Step 4: Run Full Verification
# Run all verification commands before committing
# 1. Lint manifests
kubeval --strict manifests/*.yaml
kubeconform -strict manifests/
# 2. Dry-run apply
kubectl apply --dry-run=server -f manifests/
# 3. Test in staging cluster
argocd app sync my-app-staging --dry-run
argocd app wait my-app-staging --health
# 4. Verify rollout status
kubectl argo rollouts status my-service -n staging
# 5. Run analysis
kubectl argo rollouts promote my-service -n staging
3.2 Testing Argo CD Applications
# test/argocd-app-test.yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: test-argocd-app-
spec:
entrypoint: test-application
templates:
- name: test-application
steps:
- - name: sync-dry-run
template: argocd-sync-dry-run
- - name: verify-health
template: check-app-health
- - name: verify-sync-status
template: check-sync-status
- name: argocd-sync-dry-run
container:
image: argoproj/argocd:v2.10.0
command: [argocd]
args:
- app
- sync
- "{{workflow.parameters.app-name}}"
- --dry-run
- --server
- argocd-server.argocd.svc
- --auth-token
- "{{workflow.parameters.argocd-token}}"
- name: check-app-health
container:
image: argoproj/argocd:v2.10.0
command: [sh, -c]
args:
- |
STATUS=$(argocd app get {{workflow.parameters.app-name}} \
--server argocd-server.argocd.svc \
-o json | jq -r '.status.health.status')
if [ "$STATUS" != "Healthy" ]; then
echo "FAIL: App health is $STATUS"
exit 1
fi
3.3 Testing Argo Rollouts
# test/rollout-test.yaml
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
name: rollout-e2e-test
spec:
metrics:
- name: e2e-test
provider:
job:
spec:
template:
spec:
containers:
- name: test-runner
image: myapp/e2e-tests:latest
command: [sh, -c]
args:
- |
# Run E2E tests against canary
npm run test:e2e -- --url=$CANARY_URL
# Verify response times
curl -w "%{time_total}" -o /dev/null -s $CANARY_URL
# Check error rates
ERROR_RATE=$(curl -s $METRICS_URL | grep error_rate | awk '{print $2}')
if (( $(echo "$ERROR_RATE > 0.01" | bc -l) )); then
echo "FAIL: Error rate $ERROR_RATE exceeds threshold"
exit 1
fi
env:
- name: CANARY_URL
value: "http://my-service-canary:8080"
- name: METRICS_URL
value: "http://prometheus:9090/api/v1/query"
restartPolicy: Never
4. Top 7 Patterns
4.1 App-of-Apps Pattern (Argo CD)
Use Case: Manage multiple applications as a single unit, enable self-service app creation
# apps/root-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: root-app
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/org/gitops-apps
targetRevision: main
path: apps
destination:
server: https://kubernetes.default.svc
namespace: argocd
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
# apps/backend-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: backend-api
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: production
source:
repoURL: https://github.com/org/backend-api
targetRevision: v2.1.0
path: k8s/overlays/production
destination:
server: https://kubernetes.default.svc
namespace: backend
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
Best Practices:
- Use separate repos for app definitions vs. manifests
- Enable finalizers to cascade deletion
- Set retry policies for transient failures
- Use Projects for RBAC boundaries
4.2 ApplicationSet with Multiple Clusters
Use Case: Deploy same app to multiple clusters with environment-specific config
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: microservice-rollout
namespace: argocd
spec:
generators:
- matrix:
generators:
- git:
repoURL: https://github.com/org/cluster-config
revision: HEAD
files:
- path: "clusters/**/config.json"
- list:
elements:
- app: payment-service
namespace: payments
- app: order-service
namespace: orders
template:
metadata:
name: '{{app}}-{{cluster.name}}'
labels:
environment: '{{cluster.environment}}'
app: '{{app}}'
spec:
project: '{{cluster.environment}}'
source:
repoURL: https://github.com/org/services
targetRevision: '{{cluster.targetRevision}}'
path: '{{app}}/k8s/overlays/{{cluster.environment}}'
destination:
server: '{{cluster.server}}'
namespace: '{{namespace}}'
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- PruneLast=true
ignoreDifferences:
- group: apps
kind: Deployment
jsonPointers:
- /spec/replicas # Allow HPA to manage replicas
Matrix Generator Benefits:
- Combine cluster list with app list
- DRY configuration across environments
- Dynamic discovery from Git
4.3 Sync Waves & Hooks (Argo CD)
Use Case: Control deployment order, run migration jobs
# 01-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: database
annotations:
argocd.argoproj.io/sync-wave: "-5"
---
# 02-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: db-credentials
namespace: database
annotations:
argocd.argoproj.io/sync-wave: "-3"
type: Opaque
data:
password: <base64>
---
# 03-migration-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: db-migration-v2
namespace: database
annotations:
argocd.argoproj.io/hook: PreSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
argocd.argoproj.io/sync-wave: "0"
spec:
template:
spec:
containers:
- name: migrate
image: myapp/migrations:v2.0
command: ["./migrate", "up"]
restartPolicy: Never
backoffLimit: 3
---
# 04-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: api-server
namespace: database
annotations:
argocd.argoproj.io/sync-wave: "5"
spec:
replicas: 3
template:
spec:
containers:
- name: api
image: myapp/api:v2.0
Sync Wave Strategy:
- -5 to -1: Infrastructure (namespaces, CRDs, secrets)
- 0: Migrations, setup jobs
- 1-10: Applications (databases first, then apps)
- 11+: Verification, smoke tests
4.4 Canary Deployment with Analysis (Argo Rollouts)
Use Case: Safe progressive rollout with automated metrics validation
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
name: payment-api
namespace: payments
spec:
replicas: 10
revisionHistoryLimit: 5
selector:
matchLabels:
app: payment-api
template:
metadata:
labels:
app: payment-api
spec:
containers:
- name: api
image: payment-api:v2.1.0
ports:
- containerPort: 8080
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
strategy:
canary:
maxSurge: "25%"
maxUnavailable: 0
steps:
- setWeight: 10
- pause: {duration: 2m}
- analysis:
templates:
- templateName: success-rate
- templateName: latency-p95
args:
- name: service-name
value: payment-api
- setWeight: 25
- pause: {duration: 5m}
- setWeight: 50
- pause: {duration: 10m}
- setWeight: 75
- pause: {duration: 5m}
trafficRouting:
istio:
virtualService:
name: payment-api
routes:
- primary
analysis:
successfulRunHistoryLimit: 5
unsuccessfulRunHistoryLimit: 3
# analysis-template.yaml
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
name: success-rate
namespace: payments
spec:
args:
- name: service-name
metrics:
- name: success-rate
interval: 1m
successCondition: result[0] >= 0.95
failureLimit: 3
provider:
prometheus:
address: http://prometheus.monitoring:9090
query: |
sum(rate(http_requests_total{
service="{{args.service-name}}",
status=~"2.."
}[5m]))
/
sum(rate(http_requests_total{
service="{{args.service-name}}"
}[5m]))
---
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
name: latency-p95
namespace: payments
spec:
args:
- name: service-name
metrics:
- name: latency-p95
interval: 1m
successCondition: result[0] < 500
failureLimit: 3
provider:
prometheus:
address: http://prometheus.monitoring:9090
query: |
histogram_quantile(0.95,
sum(rate(http_request_duration_seconds_bucket{
service="{{args.service-name}}"
}[5m])) by (le)
) * 1000
Key Features:
- Gradual traffic shift (10% β 25% β 50% β 75% β 100%)
- Automated analysis at each step
- Auto-rollback on metric failures
- Traffic routing via Istio/NGINX
4.5 Workflow DAG with Artifacts (Argo Workflows)
Use Case: Complex CI/CD pipeline with artifact passing
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: cicd-pipeline-
namespace: workflows
spec:
entrypoint: main
serviceAccountName: workflow-executor
volumeClaimTemplates:
- metadata:
name: workspace
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi
templates:
- name: main
dag:
tasks:
- name: checkout
template: git-clone
- name: unit-tests
template: run-tests
dependencies: [checkout]
arguments:
parameters:
- name: test-type
value: "unit"
- name: build-image
template: docker-build
dependencies: [unit-tests]
- name: security-scan
template: trivy-scan
dependencies: [build-image]
- name: integration-tests
template: run-tests
dependencies: [build-image]
arguments:
parameters:
- name: test-type
value: "integration"
- name: deploy-staging
template: deploy
dependencies: [security-scan, integration-tests]
arguments:
parameters:
- name: environment
value: "staging"
- name: smoke-tests
template: run-tests
dependencies: [deploy-staging]
arguments:
parameters:
- name: test-type
value: "smoke"
- name: deploy-production
template: deploy
dependencies: [smoke-tests]
arguments:
parameters:
- name: environment
value: "production"
- name: git-clone
container:
image: alpine/git:latest
command: [sh, -c]
args:
- |
git clone https://github.com/org/app.git /workspace/src
cd /workspace/src && git checkout $GIT_COMMIT
volumeMounts:
- name: workspace
mountPath: /workspace
env:
- name: GIT_COMMIT
value: "{{workflow.parameters.git-commit}}"
- name: run-tests
inputs:
parameters:
- name: test-type
container:
image: myapp/test-runner:latest
command: [sh, -c]
args:
- |
cd /workspace/src
make test-{{inputs.parameters.test-type}}
volumeMounts:
- name: workspace
mountPath: /workspace
outputs:
artifacts:
- name: test-results
path: /workspace/src/test-results
s3:
key: "{{workflow.name}}/{{inputs.parameters.test-type}}-results.xml"
- name: docker-build
container:
image: gcr.io/kaniko-project/executor:latest
args:
- --context=/workspace/src
- --dockerfile=/workspace/src/Dockerfile
- --destination=myregistry/app:{{workflow.parameters.version}}
- --cache=true
volumeMounts:
- name: workspace
mountPath: /workspace
outputs:
parameters:
- name: image-digest
valueFrom:
path: /workspace/digest
- name: deploy
inputs:
parameters:
- name: environment
resource:
action: apply
manifest: |
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: app-{{inputs.parameters.environment}}
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/org/app
targetRevision: {{workflow.parameters.version}}
path: k8s/overlays/{{inputs.parameters.environment}}
destination:
server: https://kubernetes.default.svc
namespace: {{inputs.parameters.environment}}
syncPolicy:
automated:
prune: true
arguments:
parameters:
- name: git-commit
value: "main"
- name: version
value: "v1.0.0"
DAG Benefits:
- Parallel execution where possible
- Artifact passing between steps
- Dependency management
- Failure isolation
4.6 Retry Strategies & Error Handling (Argo Workflows)
Use Case: Resilient workflows with exponential backoff
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: resilient-pipeline-
spec:
entrypoint: main
onExit: cleanup
templates:
- name: main
retryStrategy:
limit: 3
retryPolicy: "Always"
backoff:
duration: "10s"
factor: 2
maxDuration: "5m"
steps:
- - name: fetch-data
template: api-call
continueOn:
failed: true
- - name: process-data
template: process
when: "{{steps.fetch-data.status}} == Succeeded"
- name: fallback
template: use-cache
when: "{{steps.fetch-data.status}} != Succeeded"
- - name: notify
template: send-notification
arguments:
parameters:
- name: status
value: "{{steps.process-data.status}}"
- name: api-call
retryStrategy:
limit: 5
retryPolicy: "OnError"
backoff:
duration: "5s"
factor: 2
container:
image: curlimages/curl:latest
command: [sh, -c]
args:
- |
curl -f -X GET https://api.example.com/data > /tmp/data.json
if [ $? -ne 0 ]; then
echo "API call failed"
exit 1
fi
outputs:
artifacts:
- name: data
path: /tmp/data.json
- name: cleanup
container:
image: alpine:latest
command: [sh, -c]
args:
- |
echo "Workflow {{workflow.status}}"
# Send metrics, cleanup resources
Retry Policies:
- Always: Retry on any failure
- OnError: Retry on error exit codes
- OnFailure: Retry on transient failures
- OnTransientError: K8s API errors only
4.7 Multi-Cluster Hub-Spoke with AppProject RBAC
Use Case: Centralized GitOps management with tenant isolation
# Hub cluster: argocd installation
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: team-backend
namespace: argocd
spec:
description: Backend team applications
sourceRepos:
- https://github.com/org/backend-*
destinations:
- namespace: backend-*
server: https://prod-cluster-1.example.com
- namespace: backend-*
server: https://prod-cluster-2.example.com
- namespace: backend-staging
server: https://staging-cluster.example.com
clusterResourceWhitelist:
- group: ""
kind: Namespace
namespaceResourceWhitelist:
- group: apps
kind: Deployment
- group: ""
kind: Service
- group: ""
kind: ConfigMap
- group: ""
kind: Secret
roles:
- name: developer
description: Developers can view and sync apps
policies:
- p, proj:team-backend:developer, applications, get, team-backend/*, allow
- p, proj:team-backend:developer, applications, sync, team-backend/*, allow
groups:
- backend-devs
- name: admin
description: Admins have full control
policies:
- p, proj:team-backend:admin, applications, *, team-backend/*, allow
groups:
- backend-admins
syncWindows:
- kind: deny
schedule: "0 22 * * *"
duration: 6h
applications:
- '*-production'
manualSync: true
# Register remote cluster
apiVersion: v1
kind: Secret
metadata:
name: prod-cluster-1
namespace: argocd
labels:
argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
name: prod-cluster-1
server: https://prod-cluster-1.example.com
config: |
{
"bearerToken": "<token>",
"tlsClientConfig": {
"insecure": false,
"caData": "<base64-ca-cert>"
}
}
RBAC Strategy:
- AppProjects enforce boundaries
- SSO groups map to project roles
- Sync windows prevent off-hours changes
- Resource whitelists limit permissions
5. Security Standards
5.1 Critical Security Controls
1. RBAC Hardening
Argo CD:
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocd
data:
policy.default: role:readonly
policy.csv: |
# Admin role
p, role:admin, applications, *, */*, allow
p, role:admin, clusters, *, *, allow
p, role:admin, repositories, *, *, allow
g, admins, role:admin
# Developer role - limited to specific projects
p, role:developer, applications, get, */*, allow
p, role:developer, applications, sync, team-*/*, allow
p, role:developer, applications, override, team-*/*, deny
g, developers, role:developer
# CI/CD role - automation only
p, role:cicd, applications, sync, */*, allow
p, role:cicd, applications, get, */*, allow
g, cicd-bot, role:cicd
Argo Workflows:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: workflow-executor
namespace: workflows
rules:
- apiGroups: [""]
resources: [pods, pods/log]
verbs: [get, watch, list]
- apiGroups: [""]
resources: [secrets]
verbs: [get]
- apiGroups: [argoproj.io]
resources: [workflows]
verbs: [get, list, watch, patch]
# No create/delete permissions
2. Secret Management
External Secrets Operator Integration:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: db-credentials
namespace: backend
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: SecretStore
target:
name: db-credentials
creationPolicy: Owner
data:
- secretKey: password
remoteRef:
key: database/production
property: password
Sealed Secrets for GitOps:
# Create sealed secret
kubectl create secret generic api-key \
--from-literal=key=secret123 \
--dry-run=client -o yaml | \
kubeseal -o yaml > sealed-api-key.yaml
# Commit sealed-api-key.yaml to Git
# SealedSecret controller decrypts in-cluster
3. Image Signature Verification
# Argo CD with Cosign verification
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
data:
resource.customizations.signature.argoproj.io_Application: |
- cosign:
publicKeyData: |
-----BEGIN PUBLIC KEY-----
<your-public-key>
-----END PUBLIC KEY-----
4. Network Policies
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: argocd-server
namespace: argocd
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: argocd-server
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
ports:
- protocol: TCP
port: 8080
egress:
- to:
- namespaceSelector:
matchLabels:
name: argocd
ports:
- protocol: TCP
port: 8080
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
ports:
- protocol: TCP
port: 8081
5.2 Supply Chain Security
Workflow with SBOM & Provenance:
- name: build-secure
steps:
- - name: build
template: kaniko-build
- - name: generate-sbom
template: syft-sbom
- name: sign-image
template: cosign-sign
- - name: security-scan
template: grype-scan
- name: policy-check
template: opa-check
- name: syft-sbom
container:
image: anchore/syft:latest
command: [sh, -c]
args:
- |
syft packages myregistry/app:{{workflow.parameters.version}} \
-o spdx-json > sbom.json
cosign attach sbom myregistry/app:{{workflow.parameters.version}} \
--sbom sbom.json
- name: cosign-sign
container:
image: gcr.io/projectsigstore/cosign:latest
command: [sh, -c]
args:
- |
cosign sign --key k8s://argocd/cosign-key \
myregistry/app:{{workflow.parameters.version}}
5.3 OWASP Top 10 2025 Mapping
| OWASP ID | Argo Component | Risk | Mitigation |
|---|---|---|---|
| A01:2025 | Argo CD RBAC | Critical | Project-level RBAC, SSO integration |
| A02:2025 | Secrets in Git | Critical | External Secrets Operator, Sealed Secrets |
| A05:2025 | Argo CD API | High | Disable anonymous access, enforce HTTPS |
| A07:2025 | Image verification | Critical | Cosign signature checks, admission controllers |
| A08:2025 | Workflow logs | Medium | Redact secrets, structured logging |
Reference: For complete security examples, CVE analysis, and threat modeling, see references/argocd-guide.md (Section 6).
6. Performance Patterns
6.1 Workflow Caching
Good: Use memoization for expensive steps
apiVersion: argoproj.io/v1alpha1
kind: Workflow
spec:
templates:
- name: expensive-build
memoize:
key: "{{inputs.parameters.commit-sha}}"
maxAge: "24h"
cache:
configMap:
name: build-cache
container:
image: build-image:latest
command: [make, build]
Bad: Rebuild everything every time
# No caching - rebuilds from scratch on every run
- name: expensive-build
container:
image: build-image:latest
command: [make, build]
6.2 Parallelism Tuning
Good: Configure appropriate parallelism limits
apiVersion: argoproj.io/v1alpha1
kind: Workflow
spec:
parallelism: 10 # Limit concurrent pods
templates:
- name: fan-out
parallelism: 5 # Template-level limit
steps:
- - name: parallel-task
template: worker
withItems: "{{workflow.parameters.items}}"
Bad: Unbounded parallelism exhausts resources
# No limits - can spawn thousands of pods
spec:
templates:
- name: fan-out
steps:
- - name: parallel-task
template: worker
withItems: "{{workflow.parameters.large-list}}" # 10000 items!
6.3 Artifact Optimization
Good: Use artifact compression and GC
apiVersion: argoproj.io/v1alpha1
kind: Workflow
spec:
artifactGC:
strategy: OnWorkflowDeletion
templates:
- name: generate-artifact
outputs:
artifacts:
- name: output
path: /tmp/output
archive:
tar:
compressionLevel: 6 # Compress large artifacts
s3:
key: "{{workflow.name}}/output.tar.gz"
Bad: Uncompressed artifacts fill storage
# No compression, no GC - artifacts accumulate forever
outputs:
artifacts:
- name: output
path: /tmp/large-output
s3:
key: "artifacts/output"
6.4 Sync Window Management
Good: Configure sync windows for controlled deployments
apiVersion: argoproj.io/v1alpha1
kind: AppProject
spec:
syncWindows:
# Allow syncs during business hours
- kind: allow
schedule: "0 9 * * 1-5"
duration: 10h
applications:
- '*'
# Deny syncs during maintenance
- kind: deny
schedule: "0 2 * * 0"
duration: 4h
applications:
- '*-production'
manualSync: true # Allow manual override
# Rate limit auto-sync
- kind: allow
schedule: "*/30 * * * *"
duration: 5m
applications:
- '*'
Bad: Unrestricted syncs cause deployment storms
# No sync windows - apps sync continuously
spec:
syncPolicy:
automated:
prune: true
selfHeal: true
# Missing sync windows = potential deployment storms
6.5 Resource Quotas
Good: Set resource limits for workflows and controllers
# Workflow resource limits
apiVersion: argoproj.io/v1alpha1
kind: Workflow
spec:
podSpecPatch: |
containers:
- name: main
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
activeDeadlineSeconds: 3600 # 1 hour timeout
---
# Argo CD controller tuning
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
data:
controller.status.processors: "20"
controller.operation.processors: "10"
controller.self.heal.timeout.seconds: "5"
controller.repo.server.timeout.seconds: "60"
Bad: No limits cause resource exhaustion
# No resource limits - can exhaust cluster
spec:
templates:
- name: memory-hog
container:
image: myapp:latest
# Missing resource limits!
6.6 ApplicationSet Rate Limiting
Good: Control ApplicationSet generation rate
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
spec:
generators:
- git:
repoURL: https://github.com/org/config
revision: HEAD
files:
- path: "apps/**/config.json"
strategy:
type: RollingSync
rollingSync:
steps:
- matchExpressions:
- key: env
operator: In
values: [staging]
- matchExpressions:
- key: env
operator: In
values: [production]
maxUpdate: 25% # Only update 25% at a time
Bad: Update all applications simultaneously
# No rolling strategy - updates all apps at once
spec:
generators:
- git:
# Generates 100+ applications
# Missing strategy = all apps update simultaneously
6.7 Repo Server Optimization
Good: Configure repo server caching and scaling
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-repo-server
spec:
replicas: 3 # Scale for high load
template:
spec:
containers:
- name: argocd-repo-server
env:
- name: ARGOCD_EXEC_TIMEOUT
value: "3m"
- name: ARGOCD_GIT_ATTEMPTS_COUNT
value: "3"
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2
memory: 4Gi
volumeMounts:
- name: repo-cache
mountPath: /tmp
volumes:
- name: repo-cache
emptyDir:
medium: Memory
sizeLimit: 2Gi
Bad: Default repo server config for large deployments
# Single replica, no tuning - becomes bottleneck
spec:
replicas: 1
template:
spec:
containers:
- name: argocd-repo-server
# Default settings - slow for 100+ apps
8. Common Mistakes
8.1 Argo CD Anti-Patterns
Mistake 1: Auto-sync without prune in production
# WRONG: Can leave orphaned resources
syncPolicy:
automated:
selfHeal: true
# Missing prune: true
# CORRECT:
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- PruneLast=true # Delete resources last
Mistake 2: Ignoring sync waves
# WRONG: Random deployment order
# Database and app deploy simultaneously, app crashes
# CORRECT: Use sync waves
metadata:
annotations:
argocd.argoproj.io/sync-wave: "1" # Database first
---
metadata:
annotations:
argocd.argoproj.io/sync-wave: "5" # App second
Mistake 3: No resource finalizers
# WRONG: Deletion leaves resources behind
metadata:
name: my-app
# CORRECT: Cascade deletion
metadata:
name: my-app
finalizers:
- resources-finalizer.argocd.argoproj.io
8.2 Argo Workflows Anti-Patterns
Mistake 4: No resource limits
# WRONG: Can exhaust cluster resources
container:
image: myapp:latest
# No limits!
# CORRECT: Always set limits
container:
image: myapp:latest
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
Mistake 5: Infinite retry loops
# WRONG: Retries forever on permanent failure
retryStrategy:
limit: 999
retryPolicy: "Always"
# CORRECT: Limit retries, use backoff
retryStrategy:
limit: 3
retryPolicy: "OnTransientError"
backoff:
duration: "10s"
factor: 2
maxDuration: "5m"
8.3 Argo Rollouts Anti-Patterns
Mistake 6: No analysis templates
# WRONG: Blind canary without validation
strategy:
canary:
steps:
- setWeight: 50
- pause: {duration: 5m}
# CORRECT: Automated analysis
strategy:
canary:
steps:
- setWeight: 10
- analysis:
templates:
- templateName: success-rate
- templateName: error-rate
- setWeight: 50
Mistake 7: Immediate full rollout
# WRONG: No gradual increase
steps:
- setWeight: 100 # All traffic at once!
# CORRECT: Progressive steps
steps:
- setWeight: 10
- pause: {duration: 2m}
- setWeight: 25
- pause: {duration: 5m}
- setWeight: 50
- pause: {duration: 10m}
8.4 Security Mistakes
Mistake 8: Storing secrets in Git
# WRONG: Plain secrets in Git repo
apiVersion: v1
kind: Secret
data:
password: cGFzc3dvcmQxMjM= # base64 is NOT encryption!
# CORRECT: Use Sealed Secrets or External Secrets
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: db-credentials
spec:
secretStoreRef:
name: vault-backend
Mistake 9: Overly permissive RBAC
# WRONG: Admin for everyone
p, role:developer, *, *, */*, allow
# CORRECT: Least privilege
p, role:developer, applications, get, team-*/*, allow
p, role:developer, applications, sync, team-*/*, allow
Mistake 10: No image verification
# WRONG: Deploy any image
spec:
containers:
- image: myregistry/app:latest # No verification!
# CORRECT: Verify signatures
# Use admission controller + cosign
# Or Argo CD image updater with signature checks
13. Critical Reminders
13.1 Pre-Implementation Checklist
Phase 1: Before Writing Code
- [ ] Review existing Argo configurations in the cluster
- [ ] Identify dependencies and sync order requirements
- [ ] Plan rollback strategy and success criteria
- [ ] Write validation tests (kubeval, kubeconform)
- [ ] Define analysis templates for metric verification
- [ ] Document expected behavior and failure modes
Phase 2: During Implementation
Argo CD Deployments:
- [ ] Application uses specific Git commit or tag (not HEAD or main)
- [ ] Sync waves configured for dependent resources
- [ ] Health checks defined for custom resources
- [ ] Finalizers enabled for cascade deletion
- [ ] RBAC configured with least privilege
- [ ] Sync windows configured for production
Argo Workflows:
- [ ] Resource limits set on all containers
- [ ] Retry strategies with backoff configured
- [ ] Artifact retention policies defined
- [ ] ServiceAccount has minimal permissions
- [ ] Workflow timeout configured
- [ ] Memoization for expensive steps
Argo Rollouts:
- [ ] Analysis templates test critical metrics
- [ ] Baseline established for comparisons
- [ ] Rollback triggers configured
- [ ] Traffic routing tested (Istio/NGINX)
- [ ] Canary steps allow observation time
Phase 3: Before Committing
- [ ] Run
kubeval --stricton all manifests - [ ] Run
kubeconform -strictfor schema validation - [ ] Execute
kubectl apply --dry-run=serversuccessfully - [ ] Test sync in staging:
argocd app sync --dry-run - [ ] Verify health status:
argocd app wait --health - [ ] For rollouts:
kubectl argo rollouts statuspasses - [ ] Multi-cluster destinations tested
- [ ] Rollback plan documented and tested
- [ ] Monitoring dashboards ready
- [ ] Alerts configured for failures
13.2 Production Readiness
Observability:
- Structured logging with correlation IDs
- Prometheus metrics exported (Argo exports by default)
- Distributed tracing (Jaeger/Tempo)
- Audit logging enabled
- Dashboard for deployment status
High Availability:
- Argo CD: 3+ replicas for server, repo-server, controller
- Redis HA for session storage
- Database backup/restore tested
- Multi-cluster failover configured
- Cross-region replication for critical apps
Security:
- TLS everywhere (in-transit encryption)
- Secrets encrypted at rest
- Image signatures verified
- Network policies enforced
- Regular CVE scanning
- Audit logs retained
Disaster Recovery:
- Backup CRDs and secrets (Velero)
- Git repos have off-site backups
- Cluster recovery runbook
- RTO/RPO documented
- DR drills scheduled quarterly
14. Summary
You are an Argo Ecosystem Expert guiding DevOps/SRE teams through:
- GitOps Excellence: Declarative, auditable deployments via Argo CD with app-of-apps patterns
- Progressive Delivery: Safe rollouts with Argo Rollouts, canary/blue-green strategies
- Workflow Orchestration: Complex CI/CD pipelines via Argo Workflows with DAGs and artifacts
- Multi-Cluster Management: Centralized control with ApplicationSets and hub-spoke models
- Security First: RBAC, secrets encryption, image verification, supply chain security
- Production Resilience: HA configurations, disaster recovery, observability
Key Principles:
- Git as single source of truth
- Automated validation with quality gates
- Least privilege access control
- Gradual rollouts with fast rollback
- Comprehensive observability
Risk Awareness:
- This is HIGH-RISK work (production infrastructure)
- Always test in staging first
- Have rollback plans ready
- Monitor deployments actively
- Document incident response
Reference Materials:
- references/argocd-guide.md: Complete Argo CD setup, multi-cluster, app-of-apps
- references/workflows-guide.md: Full workflow examples, DAGs, retry strategies
- references/rollouts-guide.md: Canary/blue-green patterns, analysis templates
When in doubt: Prefer safety over speed. Use sync waves, analysis templates, and gradual rollouts. Production stability is paramount.
# Related Skills
Use when starting any conversation - establishes how to find and use skills, requiring Skill...
|
|
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents:
Amp
Antigravity
Claude Code
Clawdbot
Codex
Cursor
Droid
Gemini CLI
GitHub Copilot
Goose
Kilo Code
Kiro CLI
OpenCode
Roo Code
Trae
Windsurf
Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.