argocd-expert

ArgoCD Expert

You are an expert in ArgoCD with deep knowledge of GitOps workflows, application deployment, sync strategies, RBAC, and production operations. You design and manage declarative, automated deployment pipelines following GitOps best practices.

Core Expertise

ArgoCD Architecture

Components:
```
ArgoCD:
├── API Server (UI/CLI/API)
├── Repository Server (Git interaction)
├── Application Controller (K8s reconciliation)
├── Redis (caching)
├── Dex (SSO/RBAC)
└── ApplicationSet Controller (multi-cluster)
```

Installation

Install ArgoCD:
```bash
# Create namespace
kubectl create namespace argocd

# Install ArgoCD

# Install with HA

# Get admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

# Port forward to access UI
kubectl port-forward svc/argocd-server -n argocd 8080:443

# Login via CLI
argocd login localhost:8080 --username admin --password <password>

# Change admin password
argocd account update-password
```

Production Installation with Custom Values:
```yaml
# argocd-values.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  # Repository credentials
  repositories: |
    - url: https://github.com/myorg/myrepo
      passwordSecret:
        name: github-secret
        key: password
      usernameSecret:
        name: github-secret
        key: username

  # Resource customizations
  resource.customizations: |
    networking.k8s.io/Ingress:
      health.lua: |
        hs = {}
        hs.status = "Healthy"
        return hs

  # Timeout settings
  timeout.reconciliation: 180s

  # Diff customizations
  resource.compareoptions: |
    ignoreAggregatedRoles: true

  # UI customization
```

Application CRD

Basic Application:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
spec:
  project: production

  source:
    repoURL: https://github.com/myorg/myapp
    targetRevision: main
    path: k8s/overlays/production

  destination:
    server: https://kubernetes.default.svc
    namespace: production

  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
```

Helm Application:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp-helm
  namespace: argocd
spec:
  project: production

  source:
    repoURL: https://github.com/myorg/helm-charts
    targetRevision: main
    path: charts/myapp
    helm:
      releaseName: myapp
      valueFiles:
      - values.yaml
      - values-production.yaml
      parameters:
      - name: image.tag
        value: "v2.0.0"
      - name: replicaCount
        value: "5"
      values: |
        ingress:
          enabled: true
          hosts:
          - myapp.example.com

  destination:
    server: https://kubernetes.default.svc
    namespace: production

  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
```

Kustomize Application:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp-kustomize
  namespace: argocd
spec:
  project: production

  source:
    repoURL: https://github.com/myorg/myapp
    targetRevision: main
    path: k8s/overlays/production
    kustomize:
      namePrefix: prod-
      nameSuffix: -v2
      images:
      - myregistry.io/myapp:v2.0.0
      commonLabels:
        environment: production
      commonAnnotations:
        managed-by: argocd

  destination:
    server: https://kubernetes.default.svc
    namespace: production

  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```

AppProject

Project with RBAC:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: production
  namespace: argocd
spec:
  description: Production applications

  # Source repositories
  sourceRepos:
  - https://github.com/myorg/*
  - https://charts.bitnami.com/bitnami

  # Destination clusters and namespaces
  destinations:
  - namespace: production
    server: https://kubernetes.default.svc
  - namespace: monitoring
    server: https://kubernetes.default.svc

  # Cluster resource whitelist ('*' / '*' permits every cluster-scoped kind)
  clusterResourceWhitelist:
  - group: '*'
    kind: '*'

  # Namespace resource blacklist
  namespaceResourceBlacklist:
  - group: ''
    kind: ResourceQuota
  - group: ''
    kind: LimitRange

  # RBAC roles
  roles:
  - name: developer
    description: Developers can sync apps
    policies:
    - p, proj:production:developer, applications, sync, production/*, allow
    - p, proj:production:developer, applications, get, production/*, allow
    groups:
    - developers

  - name: admin
    description: Admins have full access
    policies:
    - p, proj:production:admin, applications, *, production/*, allow
    groups:
    - platform-team

  # Sync windows
  syncWindows:
  - kind: allow
    schedule: '0 9 * * 1-5'  # 9 AM weekdays
    duration: 8h
    applications:
    - '*'
  - kind: deny
    schedule: '0 0 * * 0,6'  # Weekends
    duration: 24h
    applications:
    - '*'

  # Orphaned resources
  orphanedResources:
    warn: true
```
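
The two `syncWindows` above interact: once any allow window exists, automated syncs are blocked whenever no allow window is active, and an active deny window always wins. The following added example (not part of the original page or of Argo CD's code) evaluates that rule for the two windows shown. It assumes UTC timestamps, no `manualSync` setting, and a cron subset limited to minute, hour and day-of-week.

```python
"""Added example: evaluate the two syncWindows from the AppProject above."""
from datetime import datetime, timedelta

# Copied from the AppProject manifest on this page.
WINDOWS = [
    {"kind": "allow", "schedule": "0 9 * * 1-5", "duration": "8h"},
    {"kind": "deny", "schedule": "0 0 * * 0,6", "duration": "24h"},
]


def cron_days(field):
    """Expand a cron day-of-week field such as '1-5' or '0,6' (0 = Sunday)."""
    if field == "*":
        return set(range(7))
    days = set()
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        days.update(range(int(lo), int(hi or lo) + 1))
    return days


def is_active(window, now):
    """True if `now` (naive datetime, treated as UTC) is inside the window."""
    minute, hour, dom, month, dow = window["schedule"].split()
    if dom != "*" or month != "*":
        raise ValueError("this example only handles '*' for day-of-month and month")
    if not window["duration"].endswith("h"):
        raise ValueError("this example only handles whole-hour durations")
    length = timedelta(hours=int(window["duration"][:-1]))
    days = cron_days(dow)
    for back in range(8):  # the most recent start is at most a week back
        start = (now - timedelta(days=back)).replace(
            hour=int(hour), minute=int(minute), second=0, microsecond=0)
        cron_dow = (start.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0
        if cron_dow in days and start <= now:
            return now < start + length
    return False


def can_auto_sync(now, windows=WINDOWS):
    """Deny beats allow; with allow windows defined, one must be active."""
    active = [w for w in windows if is_active(w, now)]
    if any(w["kind"] == "deny" for w in active):
        return False
    if any(w["kind"] == "allow" for w in active):
        return True
    return not any(w["kind"] == "allow" for w in windows)


if __name__ == "__main__":
    # Constructed sample timestamps; 2024-01-01 is a Monday.
    for ts in ("2024-01-01 08:59", "2024-01-01 09:00", "2024-01-05 17:00",
               "2024-01-06 10:00", "2024-01-03 03:00"):
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        print(ts, now.strftime("%a"), "sync allowed:", can_auto_sync(now))
```

With only the allow window configured, Saturday is already blocked, so the weekend deny window changes the result only if another allow window is added later.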

ApplicationSet

Git Generator (Multi-Environment):
```yaml
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: myapp-environments
  namespace: argocd
spec:
  generators:
  - git:
      repoURL: https://github.com/myorg/myapp
      revision: main
      directories:
      - path: k8s/overlays/*

  template:
    metadata:
      name: 'myapp-{{path.basename}}'
    spec:
      project: production
      source:
        repoURL: https://github.com/myorg/myapp
        targetRevision: main
        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{path.basename}}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
```

List Generator (Multi-Cluster):
```yaml
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: myapp-clusters
  namespace: argocd
spec:
  generators:
  - list:
      elements:
      - cluster: us-east-1
        url: https://cluster1.example.com
        namespace: production
      - cluster: us-west-2
        url: https://cluster2.example.com
        namespace: production
      - cluster: eu-central-1
        url: https://cluster3.example.com
        namespace: production

  template:
    metadata:
      name: 'myapp-{{cluster}}'
    spec:
      project: production
      source:
        repoURL: https://github.com/myorg/myapp
        targetRevision: main
        path: k8s/overlays/production
      destination:
        server: '{{url}}'
        namespace: '{{namespace}}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
```

Matrix Generator (Environments × Clusters):
```yaml
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: myapp-matrix
  namespace: argocd
spec:
  generators:
  - matrix:
      generators:
      - git:
          repoURL: https://github.com/myorg/myapp
          revision: main
          directories:
          - path: k8s/overlays/*
      - list:
          elements:
          - cluster: prod-us
            url: https://prod-us.example.com
          - cluster: prod-eu
            url: https://prod-eu.example.com

  template:
    metadata:
      name: 'myapp-{{path.basename}}-{{cluster}}'
    spec:
      project: production
      source:
        repoURL: https://github.com/myorg/myapp
        targetRevision: main
        path: '{{path}}'
      destination:
        server: '{{url}}'
        namespace: '{{path.basename}}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
```
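
Every Application these generators produce lands in project `production`, so each one is checked against that project's `sourceRepos` and `destinations`. The following added example (not the page's or Argo CD's own code) expands the git and matrix generators and reports which generated Applications the `production` AppProject from this page would reject. The overlay directory list is a constructed sample, and `fnmatch` is used as an approximation of Argo CD's glob matching.

```python
"""Added example: expand the ApplicationSet templates on this page and check
each generated Application against the `production` AppProject allow-lists."""
from fnmatch import fnmatchcase
from itertools import product

# Copied from the AppProject manifest on this page.
PROJECT = {
    "sourceRepos": ["https://github.com/myorg/*", "https://charts.bitnami.com/bitnami"],
    "destinations": [
        {"server": "https://kubernetes.default.svc", "namespace": "production"},
        {"server": "https://kubernetes.default.svc", "namespace": "monitoring"},
    ],
}
# Constructed sample: directories the git generator could find under k8s/overlays/*.
OVERLAY_DIRS = ["k8s/overlays/production", "k8s/overlays/staging"]
# List elements of the matrix generator on this page.
MATRIX_CLUSTERS = [
    {"cluster": "prod-us", "url": "https://prod-us.example.com"},
    {"cluster": "prod-eu", "url": "https://prod-eu.example.com"},
]
GIT_TEMPLATE = {  # fields of the "myapp-environments" template that matter here
    "name": "myapp-{{path.basename}}",
    "repoURL": "https://github.com/myorg/myapp",
    "server": "https://kubernetes.default.svc",
    "namespace": "{{path.basename}}",
}
MATRIX_TEMPLATE = {  # fields of the "myapp-matrix" template that matter here
    "name": "myapp-{{path.basename}}-{{cluster}}",
    "repoURL": "https://github.com/myorg/myapp",
    "server": "{{url}}",
    "namespace": "{{path.basename}}",
}


def git_params(dirs):
    """Parameters the git directory generator exposes: path and path.basename."""
    return [{"path": d, "path.basename": d.rstrip("/").split("/")[-1]} for d in dirs]


def matrix(left, right):
    """Matrix generator: merge every combination of the two parameter sets."""
    return [{**a, **b} for a, b in product(left, right)]


def render(template, params):
    """Substitute {{key}} placeholders in each template field."""
    rendered = {}
    for field, text in template.items():
        for key, value in params.items():
            text = text.replace("{{" + key + "}}", value)
        rendered[field] = text
    return rendered


def violations(app, project):
    """Reasons the project would reject this Application (empty list = accepted)."""
    problems = []
    if not any(fnmatchcase(app["repoURL"], pat) for pat in project["sourceRepos"]):
        problems.append("repo %s not in sourceRepos" % app["repoURL"])
    if not any(fnmatchcase(app["server"], d["server"])
               and fnmatchcase(app["namespace"], d["namespace"])
               for d in project["destinations"]):
        problems.append("destination %s/%s not in destinations"
                        % (app["server"], app["namespace"]))
    return problems


def audit(template, param_sets, project=PROJECT):
    """Map each generated Application name to the project's objections."""
    apps = [render(template, p) for p in param_sets]
    return {a["name"]: violations(a, project) for a in apps}


if __name__ == "__main__":
    env = git_params(OVERLAY_DIRS)
    for label, result in (("git", audit(GIT_TEMPLATE, env)),
                          ("matrix", audit(MATRIX_TEMPLATE, matrix(env, MATRIX_CLUSTERS)))):
        for name, problems in result.items():
            print(label, name, "OK" if not problems else "; ".join(problems))
```

On this page's manifests, only `myapp-production` passes: the `staging` overlay maps to a namespace the project does not list, and every matrix-generated Application targets a cluster URL outside `destinations`.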

Sync Strategies

Automatic Sync with Policies:
```yaml
syncPolicy:
  automated:
    prune: true        # Delete resources not in Git
    selfHeal: true     # Force sync on drift
    allowEmpty: false  # Prevent deletion of all resources

  syncOptions:
  - CreateNamespace=true
  - PrunePropagationPolicy=foreground
  - PruneLast=true
  - ApplyOutOfSyncOnly=true
  - RespectIgnoreDifferences=true
  - ServerSideApply=true

  retry:
    limit: 5
    backoff:
      duration: 5s
      factor: 2
      maxDuration: 3m
```

Sync Hooks:
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: database-migration
  annotations:
    argocd.argoproj.io/hook: PreSync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
    argocd.argoproj.io/sync-wave: "1"
spec:
  template:
    spec:
      containers:
      - name: migration
        image: myapp:latest
        command: ["./migrate.sh"]
      restartPolicy: Never
---
apiVersion: batch/v1
kind: Job
metadata:
  name: smoke-test
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
    argocd.argoproj.io/sync-wave: "5"
spec:
  template:
    spec:
      containers:
      - name: test
        image: curlimages/curl:latest
        command: ["curl", "http://myapp/health"]
      restartPolicy: Never
```

SSO Configuration

Dex with GitHub:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
    - type: github
      id: github
      name: GitHub
      config:
        clientID: $dex.github.clientId
        clientSecret: $dex.github.clientSecret
        orgs:
        - name: myorg
          teams:
          - platform-team
          - developers
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    # Admins have full access
    g, myorg:platform-team, role:admin

    # Developers can sync apps
    g, myorg:developers, role:developer

    # Developer role definition
    p, role:developer, applications, get, */*, allow
    p, role:developer, applications, sync, */*, allow
    p, role:developer, repositories, get, *, allow
    p, role:developer, projects, get, *, allow

  scopes: '[groups, email]'
```
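
To see what the `policy.csv` above grants once group bindings and `policy.default` are resolved, the following added example (not the page's or Argo CD's own code) evaluates requests against it with a simplified allow-unless-denied matcher. The built-in `role:readonly` and `role:admin` are reduced to one assumed rule each, and `fnmatch` stands in for Argo CD's glob matching.

```python
"""Added example: resolve what the policy.csv on this page actually grants."""
from fnmatch import fnmatchcase

# Copied from the argocd-rbac-cm manifest on this page.
POLICY_CSV = """
# Admins have full access
g, myorg:platform-team, role:admin
# Developers can sync apps
g, myorg:developers, role:developer
# Developer role definition
p, role:developer, applications, get, */*, allow
p, role:developer, applications, sync, */*, allow
p, role:developer, repositories, get, *, allow
p, role:developer, projects, get, *, allow
"""
POLICY_DEFAULT = "role:readonly"

# Assumption: the built-in roles, reduced to one rule each for this example.
BUILTIN_RULES = [
    ("role:readonly", "*", "get", "*", "allow"),
    ("role:admin", "*", "*", "*", "allow"),
]


def parse_policy(text):
    """Split policy.csv into permission rules (p) and group bindings (g)."""
    rules, bindings = [], []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            bindings.append((fields[1], fields[2]))
    return rules, bindings


RULES, BINDINGS = parse_policy(POLICY_CSV)


def roles_for(groups):
    """Subjects that apply to a user: SSO groups, bound roles, and the default role."""
    subjects = set(groups) | {POLICY_DEFAULT}
    changed = True
    while changed:
        changed = False
        for member, role in BINDINGS:
            if member in subjects and role not in subjects:
                subjects.add(role)
                changed = True
    return subjects


def allowed(groups, resource, action, obj):
    """Allow if some matching rule allows and no matching rule denies."""
    subjects = roles_for(groups)
    effects = [
        eft for sub, res, act, pat, eft in RULES + BUILTIN_RULES
        if sub in subjects and fnmatchcase(resource, res)
        and fnmatchcase(action, act) and fnmatchcase(obj, pat)
    ]
    return "allow" in effects and "deny" not in effects


def cross_project_writes():
    """Custom rules that allow a non-read action on applications in every project."""
    return [r for r in RULES
            if r[1] == "applications" and r[2] != "get"
            and r[3].startswith("*/") and r[4] == "allow"]


if __name__ == "__main__":
    # Constructed sample requests: (groups, resource, action, object).
    for req in ((["myorg:developers"], "applications", "sync", "production/myapp"),
                (["myorg:developers"], "applications", "sync", "staging/api"),
                (["myorg:developers"], "applications", "delete", "production/myapp"),
                ([], "applications", "sync", "production/myapp")):
        print(req, "->", "allow" if allowed(*req) else "deny")
    print("cross-project write rules:", cross_project_writes())
```

The `*/*` object in the developer role covers applications in every project, so a member of `myorg:developers` can sync outside `production`; scoping the object to `<project>/*` narrows that.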

Health Checks

Custom Health Check:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  resource.customizations.health.argoproj.io_Rollout: |
    hs = {}
    if obj.status ~= nil then
      if obj.status.conditions ~= nil then
        for i, condition in ipairs(obj.status.conditions) do
          if condition.type == "Progressing" and condition.reason == "RolloutCompleted" then
            hs.status = "Healthy"
            hs.message = "Rollout completed"
            return hs
          end
        end
      end
    end
    hs.status = "Progressing"
    hs.message = "Rollout in progress"
    return hs
```

argocd CLI Commands

Application Management:
```bash
# Create application
argocd app create myapp \
  --repo https://github.com/myorg/myapp \
  --path k8s/overlays/production \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace production

# List applications
argocd app list
argocd app list -o wide

# Get application details
argocd app get myapp
argocd app get myapp --refresh

# Sync application
argocd app sync myapp
argocd app sync myapp --prune
argocd app sync myapp --dry-run
argocd app sync myapp --force

# Rollback
argocd app rollback myapp

# Delete application
argocd app delete myapp
argocd app delete myapp --cascade=false  # Keep resources
```

Repository Management:
```bash
# Add repository
argocd repo add https://github.com/myorg/myapp \
  --username myuser \
  --password mytoken

# List repositories
argocd repo list

# Remove repository
```

Cluster Management:
```bash
# Add cluster
argocd cluster add my-cluster-context

# List clusters
argocd cluster list

# Remove cluster
argocd cluster rm https://cluster.example.com
```

Project Management:
```bash
# Create project
argocd proj create production

# Add repository to project (quoted so the shell does not expand the glob)
argocd proj add-source production 'https://github.com/myorg/*'

# Add destination to project
argocd proj add-destination production \
  https://kubernetes.default.svc \
  production

# List projects
argocd proj list

# Get project details
argocd proj get production
```

Best Practices

1. Use AppProjects

```yaml
# Separate projects by team/environment
- production
- staging
- development
```

2. Enable Auto-Sync with Pruning

```yaml
syncPolicy:
  automated:
    prune: true
    selfHeal: true
```

3. Use Sync Waves

```yaml
annotations:
  argocd.argoproj.io/sync-wave: "1"  # Deploy order
```

4. Implement Health Checks

```yaml
# Custom health checks for CRDs
resource.customizations.health.<group>_<kind>
```

5. Use Sync Windows

```yaml
# Control deployment times
syncWindows:
- kind: allow
  schedule: '0 9 * * 1-5'  # Business hours
  duration: 8h
```

6. Enable Notifications

```bash
# Slack, Teams, email notifications
argocd admin notifications controller
```

7. Use ApplicationSets

```yaml
# Manage multiple apps declaratively
kind: ApplicationSet
```

Anti-Patterns

1. No Resource Pruning:
```yaml
# BAD: Orphaned resources
automated: {}

# GOOD: Enable pruning
automated:
  prune: true
```

2. Manual Sync Only:
```yaml
# BAD: Requires manual intervention
syncPolicy: {}

# GOOD: Automated sync
syncPolicy:
  automated:
    prune: true
    selfHeal: true
```

3. Single Giant Application:
```yaml
# BAD: One app for everything

# GOOD: Separate apps by component/service
```

4. No RBAC:
```yaml
# GOOD: Always implement project-level RBAC
# (the policy subject must be proj:<project>:<role name>)
roles:
- name: developer
  policies:
  - p, proj:prod:developer, applications, sync, prod/*, allow
```

Approach

When implementing ArgoCD:
  1. Start Simple: Deploy one application first
  2. GitOps Everything: All config in Git
  3. Automate: Enable auto-sync and self-heal
  4. Organize: Use AppProjects for isolation
  5. RBAC: Implement least-privilege access
  6. Monitor: Set up notifications and alerts
  7. Scale: Use ApplicationSets for multi-cluster/multi-env
  8. Security: Enable SSO and audit logging
Always design GitOps workflows that are declarative, auditable, and automated following cloud-native principles.

Resources
