Argo CD
Purpose
Argo CD is Lumie's GitOps reconciler. It is installed once by Ansible, then immediately hands ownership of its own release and the rest of the cluster back to Git through the applications/argocd app-of-apps subtree.
This page is a reference document for developers changing Argo CD bootstrap, reconciliation settings, app registration, or controller behavior. For the cross-controller flow, see GitOps Overview.
Source Paths
| Path | Role |
|---|---|
| lumie-infra/provision/ansible/roles/argocd-bootstrap/tasks/main.yml | First install of Argo CD with Helm and initial application of root Application CRs |
| lumie-infra/provision/ansible/roles/argocd-bootstrap/files/bootstrap-values.yaml | Minimal bootstrap-only Helm values before GitOps takes over |
| lumie-infra/applications/argocd/argocd.yaml | Self-managed Argo CD Application CR |
| lumie-infra/applications/argocd/common-values.yaml | Common chart wrapper that disables duplicate Service or Deployment resources |
| lumie-infra/applications/argocd/helm-values.yaml | Runtime controller, server, repo-server, Redis, metrics, and ignore-differences behavior |
| lumie-infra/{bootstrap,platform,storage,security,observability,applications}/application.yaml | Root Applications reconciled by Argo CD |
Public Surface
Argo CD is an internal control-plane service, not a public ingress:
| Surface | Source | Notes |
|---|---|---|
| Application CRs in argocd namespace | Root and child app manifests | Argo CD watches desired state and creates or prunes workloads |
| Argo CD API server | applications/argocd/helm-values.yaml | server.ingress.enabled: false; access is expected through Teleport rather than a direct ingress |
| Metrics services | controller.metrics, server.metrics, repoServer.metrics | ServiceMonitors are enabled for Prometheus scraping |
The bootstrap-only Helm install is intentionally weaker than the Git-managed release. The bootstrap values disable ApplicationSet and notifications and use smaller resource settings so the controller can start quickly before its full config is reconciled from Git.
Runtime Flow
Key Configuration
This excerpt shows the active controller contract that matters when reading sync behavior:
```yaml
configs:
  cm:
    users.anonymous.enabled: "true"
    timeout.reconciliation: "60000"
    resource.exclusions: |
      - apiGroups:
          - tekton.dev
        kinds:
          - PipelineRun
          - TaskRun
  params:
    server.insecure: "true"
```
Important runtime choices in applications/argocd/helm-values.yaml:
- Dex and notifications are disabled.
- Ingress is disabled; the server runs in insecure mode behind an external access layer.
- Tekton PipelineRun and TaskRun resources are excluded from pruning so Argo CD does not treat CI runtime objects as drift.
- The self-managed Application ignores diffs for argocd-secret and argocd-initial-admin-secret because those Secret payloads rotate at runtime.
- The repo server is intentionally sized much larger than the API server because it renders many external Helm charts.
Ownership Boundaries
| Responsibility | Owner |
|---|---|
| Initial namespace creation, bootstrap secrets, first Helm install | Ansible role |
| Long-term Argo CD version, resources, controller flags, metrics, and ignore-differences rules | applications/argocd/** |
| App registration | Root and child kustomization.yaml files outside the Argo CD chart |
| Runtime secrets such as argocd-secret and TLS material | Kubernetes or external controllers, not Git |
Failure And Drift Behavior
| Failure point | Behavior |
|---|---|
| Missing child registration in a kustomization.yaml | Argo CD never sees the app; Git changes remain inert |
| Runtime-managed Secret changes | Ignored for the explicitly listed Argo CD Secrets, preventing constant OutOfSync status |
| Tekton PipelineRun or TaskRun churn | Ignored via resource.exclusions, so CI does not pollute GitOps health |
| Repo rendering pressure | repoServer.resources.limits.memory is set to 3Gi because chart rendering for many external apps has historically been the heaviest Argo workload |
Verification
```bash
cd lumie-infra
rg -n "users.anonymous.enabled|resource.exclusions|CreateNamespace|ignoreDifferences" \
  applications/argocd provision/ansible/roles/argocd-bootstrap
kubectl get applications -n argocd
kubectl get application argocd -n argocd -o yaml
```
Success means the repo grep finds anonymous access disabled, Tekton exclusions, namespace creation, and ignore-difference rules; the live cluster shows the argocd Application as Synced/Healthy, and kubectl get application argocd -o yaml contains the repo-managed Helm values source.
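The live-cluster half of that check, as an added example that is not part of lumie-infra: a stdlib-only Python script that reads the JSON from `kubectl get application argocd -n argocd -o json` and `kubectl get cm argocd-cm -n argocd -o json` and reports whether the contract above holds. The inline documents are constructed samples, and the `helm.valueFiles` layout of the Application source is an assumption about how argocd.yaml references helm-values.yaml.

```python
import json

# Constructed sample of `kubectl get application argocd -n argocd -o json`,
# trimmed to the fields the check reads (not real cluster output).
SAMPLE_APP_JSON = json.dumps({
    "metadata": {"name": "argocd", "namespace": "argocd"},
    "spec": {
        "source": {
            "repoURL": "https://git.example.invalid/lumie-infra.git",  # placeholder
            "path": "applications/argocd",
            "helm": {"valueFiles": ["common-values.yaml", "helm-values.yaml"]},  # assumed layout
        },
        "ignoreDifferences": [
            {"kind": "Secret", "name": "argocd-secret", "jsonPointers": ["/data"]},
            {"kind": "Secret", "name": "argocd-initial-admin-secret", "jsonPointers": ["/data"]},
        ],
    },
    "status": {"sync": {"status": "Synced"}, "health": {"status": "Healthy"}},
})

# Constructed sample of `kubectl get cm argocd-cm -n argocd -o json`, data only.
SAMPLE_CM_JSON = json.dumps({"data": {
    "users.anonymous.enabled": "true",
    "timeout.reconciliation": "60000",
    "resource.exclusions": "- apiGroups:\n  - tekton.dev\n  kinds:\n  - PipelineRun\n  - TaskRun\n",
}})

EXPECTED_IGNORED_SECRETS = {"argocd-secret", "argocd-initial-admin-secret"}


def check_argocd_contract(app_json: str, cm_json: str) -> dict:
    """Evaluate each contract item; anonymous access is reported as a value, not judged."""
    app, cm = json.loads(app_json), json.loads(cm_json)
    spec, status, data = app.get("spec", {}), app.get("status", {}), cm.get("data", {})
    ignored = {d.get("name") for d in spec.get("ignoreDifferences", []) if d.get("kind") == "Secret"}
    # resource.exclusions is a YAML string inside the ConfigMap; a substring check keeps this stdlib-only.
    exclusions = data.get("resource.exclusions", "")
    return {
        "helm_values_from_git": "helm-values.yaml" in spec.get("source", {}).get("helm", {}).get("valueFiles", []),
        "secret_diffs_ignored": EXPECTED_IGNORED_SECRETS <= ignored,
        "tekton_runs_excluded": "tekton.dev" in exclusions and all(k in exclusions for k in ("PipelineRun", "TaskRun")),
        "synced_and_healthy": status.get("sync", {}).get("status") == "Synced"
        and status.get("health", {}).get("status") == "Healthy",
        "anonymous_access_enabled": data.get("users.anonymous.enabled") == "true",
    }


def failures(report: dict) -> list:
    """Names of required items that did not hold."""
    return [k for k, v in report.items() if k != "anonymous_access_enabled" and not v]


if __name__ == "__main__":
    report = check_argocd_contract(SAMPLE_APP_JSON, SAMPLE_CM_JSON)
    print(json.dumps(report, indent=2))
    raise SystemExit(1 if failures(report) else 0)
```

Replace the two sample strings with the real `kubectl ... -o json` output to run it against the cluster.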