ArgoCD diffs can be generated as part of CI checks and included in PRs. This will show you the actual changes to rendered manifests.
The issue is your CI agent now needs access to Argo, and that kind of violates GitOps, no?
@@okitsalex I don't think so. ArgoCD has an RBAC system. You just give your CI runners read access needed to do diff. GitOps is concerned with write access to your cluster.
@@Muaahaa do you need access to the cluster as well?
@@okitsalex You need network access to ArgoCD's API. If that isn't something you are able to expose for regulatory reasons then it won't be a feasible option. You do *not* need access to the K8S control plane, though.
That makes sense, thanks!
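An added example, not written by any commenter in this thread and not Argo CD project code: a small audit of an Argo CD `policy.csv` that confirms a CI account is limited to `get` and lists any rule that would let it write. The names `ci-runner`, `release-bot`, `role:ci-diff` and `role:deployer` and the sample policy are constructed; the check assumes `policy.default` is unset and ignores `deny` rules.

```python
import csv
import io

# Constructed sample policy.csv; all subject and role names are hypothetical.
SAMPLE_POLICY = """\
# CI may only read applications and projects
p, role:ci-diff, applications, get, */*, allow
p, role:ci-diff, projects, get, *, allow
p, role:deployer, applications, get, */*, allow
p, role:deployer, applications, sync, */*, allow
g, ci-runner, role:ci-diff
g, release-bot, role:deployer
"""

READ_ONLY_ACTIONS = {"get"}


def parse_policy(text):
    """Split policy.csv text into permission rules and subject -> role grants."""
    rules, grants = [], {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "p" and len(row) >= 6:
            rules.append(tuple(row[1:6]))  # subject, resource, action, object, effect
        elif row[0] == "g" and len(row) >= 3:
            grants.setdefault(row[1], set()).add(row[2])
    return rules, grants


def write_capable_rules(text, subject):
    """Return allow rules reachable by `subject` whose action is not read-only."""
    rules, grants = parse_policy(text)
    reachable, stack = set(), [subject]
    while stack:  # follow g-lines transitively (user -> role -> role)
        name = stack.pop()
        if name not in reachable:
            reachable.add(name)
            stack.extend(grants.get(name, ()))
    findings = [r for r in rules
                if r[0] in reachable and r[4] == "allow"
                and r[2] not in READ_ONLY_ACTIONS]  # '*' and 'sync' both land here
    if "role:admin" in reachable:  # built-in role, has no p-lines in policy.csv
        findings.append(("role:admin", "*", "*", "*", "allow"))
    return findings


if __name__ == "__main__":
    for who in ("ci-runner", "release-bot"):
        print(who, write_capable_rules(SAMPLE_POLICY, who))
```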
@@Muaahaa
Am I right in understanding that you're duplicating a wheel like Terraform, and the second Git repository is the state file of Terraform?
5:01 Store rendered manifests (aka build artifacts) in an OCI registry, along with images and other artifacts. Using git branches is an unnecessary hack.
Manifests in Git branches, Git folders, OCI? It's just "Storage your deployment controller can read from". Use what gives the most benefits (visibility, tracking, etc.). I.e., OCI is probably NOT IT today.