Install Argo CD and Deploy Your First Application

Argo CD watches a Git repository and reconciles your cluster against it continuously. When someone pushes a change, Argo CD applies it. When someone applies a change directly to the cluster without going through Git, Argo CD reverts it. The Git repository becomes the source of truth — not whoever last ran kubectl apply.

This tutorial installs Argo CD, connects a Git repo, and creates an Application with automated sync and self-healing enabled.

Step 1: Create the argocd namespace

kubectl create namespace argocd

Step 2: Apply the install manifest

The stable manifest installs the Argo CD API server, repo server, application controller, dex SSO provider, and Redis:

kubectl apply -n argocd -f \
  https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

stable is a floating branch alias. For production installs, pin to a specific version — replace stable with a tag like v2.13.0. Check the Argo CD releases page for the current stable tag.

Step 3: Wait for the server to be ready

kubectl wait --for=condition=available --timeout=300s \
  deployment/argocd-server -n argocd

Expected output:

deployment.apps/argocd-server condition met

Step 4: Get the initial admin password

Argo CD generates a random initial password stored in a Secret:

kubectl get secret argocd-initial-admin-secret \
  -n argocd \
  -o jsonpath="{.data.password}" | base64 -d && echo

Copy this password — you'll need it in the next step.

Step 5: Port-forward the UI

kubectl port-forward svc/argocd-server -n argocd 8080:443

Open https://localhost:8080. Your browser will show a TLS warning — this is expected for the local port-forward. Accept and continue.

Log in with username admin and the password from step 4.

Step 6: Install the Argo CD CLI

# macOS
brew install argocd

# Linux
curl -sSL -o argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
chmod +x argocd && sudo mv argocd /usr/local/bin/

Step 7: Log in via CLI

argocd login localhost:8080 \
  --username admin \
  --password <initial-password> \
  --insecure

--insecure skips TLS verification and is only appropriate for a localhost port-forward. Never use --insecure when connecting to a real Argo CD server — use a trusted certificate instead.

Step 8: Change the admin password

The initial password is auto-generated and stored in plaintext. Change it immediately:

argocd account update-password \
  --current-password <initial-password> \
  --new-password <your-secure-password>

After changing the password, delete the initial admin secret — it is no longer needed and leaving it in place is a security risk:

kubectl delete secret argocd-initial-admin-secret -n argocd

Step 9: Connect your Git repository

For public repositories, credentials are optional. For private repositories, use a GitHub personal access token:

argocd repo add https://github.com/your-org/your-repo \
  --username git \
  --password <github-personal-access-token>

Verify it was added successfully:

argocd repo list

Step 10: Create your first Application

An Argo CD Application points at a path in your Git repo and a destination namespace in your cluster:

1argocd app create my-app \
2  --repo https://github.com/your-org/your-repo \
3  --path k8s/my-app \
4  --dest-server https://kubernetes.default.svc \
5  --dest-namespace default \
6  --sync-policy automated \
7  --auto-prune \
8  --self-heal

The three flags that matter:

• --sync-policy automated — syncs automatically when Git changes
• --auto-prune — deletes Kubernetes resources that are removed from Git
• --self-heal — reverts manual kubectl changes back to what's in Git

--auto-prune and --self-heal are silently inert without --sync-policy automated. All three flags are needed together to get the full automated GitOps behaviour.

Step 11: Trigger the first sync

argocd app sync my-app
argocd app get my-app

Expected output:

Name:               argocd/my-app
Project:            default
Server:             https://kubernetes.default.svc
Namespace:          default
URL:                https://localhost:8080/applications/my-app
Repo:               https://github.com/your-org/your-repo
Target:
Path:               k8s/my-app
Sync Status:        Synced to HEAD (abc1234)
Health Status:      Healthy

Step 12: Test self-healing

Delete a resource that Argo CD manages to confirm self-heal works:

# Delete a deployment managed by Argo CD
kubectl delete deployment my-app -n default

# Watch Argo CD recreate it (typically within seconds)
kubectl get deployment my-app -n default --watch

Argo CD detects the drift almost immediately via Kubernetes watch events and re-applies the resource from Git. The 3-minute interval is a hard resync fallback — self-healing typically fires within seconds of the manual change.

What you built

Argo CD is watching your Git repository. Every push to the tracked path triggers an automatic sync — no CI pipeline kubectl step needed. Any out-of-band change to the cluster gets reverted. Resources deleted from Git get pruned from the cluster. You now have a complete GitOps loop where Git is the only way to change cluster state.

For adding Helm-based applications, use --helm-set and --values flags on argocd app create, or manage ApplicationSets for fleet-wide deployments across multiple clusters.