Vucense
Dev Corner kubernetes GitOps & Continuous Delivery

GitOps with Argo CD on K3s 2026: Sovereign Continuous Delivery

🟡Intermediate

Deploy Argo CD on K3s for sovereign GitOps continuous delivery, secure cluster state from Git, automated sync, and progressive rollout policies.

Divya Prakash

Author

Divya Prakash

AI Systems Architect & Founder

Published

Duration

Reading

19 min

GitOps with Argo CD on K3s 2026: Sovereign Continuous Delivery
Article Roadmap

Key Takeaways

  • Install Argo CD on K3s and use Git as the source of truth for self-hosted cluster state.
  • Secure GitOps with SSH repo access, RBAC, TLS ingress, and deploy-key best practices.
  • Use Argo Rollouts for safe progressive delivery and let the GitOps pipeline self-heal drift.
  • Includes actionable commands to install K3s, define application manifests, and validate sync status.

Direct Answer: Deploy Argo CD on K3s to implement sovereign GitOps with declarative Git-backed cluster state, automated application sync, and progressive delivery using Argo Rollouts. The following steps include Ubuntu installation, Git repository structure, secure access, and validation commands.

Why GitOps on K3s?

GitOps is an operational pattern that treats Git as the source of truth for cluster configuration and application deployment. For self-hosted infrastructure, this delivers two important benefits:

  • every change is captured in version control, so the cluster becomes auditable and traceable
  • the deployment process is declarative, so the live state is continuously reconciled against the Git source

K3s is a lightweight Kubernetes distribution that works well for sovereign clusters and edge nodes. Argo CD is the reconciliation engine that watches the repo and applies changes automatically.

Prerequisites

  • Ubuntu 24.04 host
  • curl, kubectl, and git
  • A Git repository for manifests
  • DNS or SSH access to the K3s node

Install K3s

curl -sfL https://get.k3s.io | sh -
sudo kubectl get nodes

Expected output:

NAME      STATUS   ROLES    AGE   VERSION
node-01   Ready    <none>   1m    v1.32.0+k3s1

If the node remains in NotReady, check sudo journalctl -u k3s -n 50 for missing container runtime permissions or CNI errors.

Install Argo CD

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
kubectl rollout status -n argocd deployment/argocd-server

Expose the Argo CD server securely:

kubectl port-forward svc/argocd-server -n argocd 8080:443 &

Retrieve the initial admin password:

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

Secure Argo CD access

Enable HTTPS and RBAC

For production, use a LoadBalancer or ingress with TLS. A quick secure ingress example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
spec:
  tls:
  - hosts:
    - argocd.example.local
    secretName: argocd-tls
  rules:
  - host: argocd.example.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              number: 443

### Create a GitOps repository structure

A secure GitOps repo should separate environment overlays and base manifests.

Example tree:

```text
gitops/
  apps/
    staging/
      app.yaml
    production/
      app.yaml
  clusters/
    k3s/
      argocd-app.yaml

Create an Argo CD application manifest

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: edge-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'https://git.example.local/gitops.git'
    targetRevision: main
    path: 'apps/production'
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: edge-app
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

Apply the application manifest:

```bash
kubectl apply -f clusters/k3s/argocd-app.yaml

Verify sync state

kubectl -n argocd get applications

Expected output:

NAME      SYNCED   HEALTHY   STATUS
edge-app  Synced   Healthy   Synced to main

A live edge-app in this state means the Git manifest and cluster state are aligned. If the status remains OutOfSync, argocd app diff edge-app is the first command to run.

Progressive delivery with Argo Rollouts

Install Argo Rollouts:

kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-rollouts/stable/manifests/install.yaml

Example rollout manifest:

apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: edge-app-rollout
  namespace: edge-app
spec:
  replicas: 3
  strategy:
    canary:
      steps:
        - setWeight: 20
        - pause: {duration: 30s}
        - setWeight: 50
        - pause: {duration: 60s}
  selector:
    matchLabels:
      app: edge-app
  template:
    metadata:
      labels:
        app: edge-app
    spec:
      containers:
      - name: web
        image: harbor.example.local/project/edge-app:stable
        ports:
        - containerPort: 8080

Argo CD can manage the rollout manifest as part of the same Git repository, giving you automated Git-controlled progressive delivery.

## Secure GitOps workflow

- Store Git repo in an on-premise Git server or private Git service
- Use deploy keys and SSH secrets for Argo CD access to repo
- Configure Argo CD `RepositoryCredentials` with read-only access
- Use separate branches or folders for staging and production

Example `RepositoryCredentials` with SSH key:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-repo-creds
  namespace: argocd
stringData:
  sshPrivateKey: |-
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----

## Day 2 operations

- Audit application sync and drift using `argocd app diff`
- Review Argo CD logs: `kubectl -n argocd logs deployment/argocd-server`
- Rotate access tokens and secrets regularly

## Real deployment notes

- Keep the Git repo private and use deploy keys or SSH credentials scoped to the specific manifest repository.
- Store Argo CD secrets in sealed secrets or a secret management system rather than plain Kubernetes secrets.
- Use separate branches or folders for staging and production, and keep automated sync disabled for production until the deployment policy is verified.

## Troubleshooting

### Argo CD application stuck in `OutOfSync`

Inspect the resource difference:

```bash
argocd app diff edge-app

If Git has the desired manifest, ensure the destination namespace exists or use CreateNamespace=true.

K3s cluster reports unhealthy nodes

Check kubectl get nodes and verify the K3s agent and server logs:

sudo journalctl -u k3s -n 100

Rollout pause or failed step

Use the argo rollouts CLI:

kubectl argo rollouts get rollout edge-app-rollout -n edge-app

People Also Ask

Why use Argo CD instead of kubectl apply?

Argo CD stores desired state in Git, compares live state against Git, and automatically heals drift. It provides auditability, team collaboration, and rollback support that manual kubectl apply cannot deliver at scale.

Can Argo CD run on a single-node K3s cluster?

Yes. Argo CD is lightweight enough for single-node K3s clusters used in sovereign labs and edge deployments. For production, use at least one dedicated control-plane node plus worker nodes for higher availability.

How do I secure Argo CD credentials?

Use a secret management strategy, restrict access with Argo CD RBAC, and avoid storing long-lived tokens in plain text. Prefer SSH deploy keys and scoped repo access.

Further Reading

Tested on: Ubuntu 24.04 LTS (Hetzner CX22). Last verified: May 2, 2026.

Previous Log Google Labs Stitch DESIGN.md Goes Open Source: A Deep Dev Corner Review Next Log Best Local Embedding Models 2026: nomic-embed-text, BGE-M3 & sentence-transformers

Further Reading

All Dev Corner
#k8s #gitops #argocd #k3s #ubuntu #dev-corner #2026

Comments