DEV Community: Szymon Matuszewski The latest articles on DEV Community by Szymon Matuszewski (@szymon_4). https://dev.to/szymon_4 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3895969%2F7ad9e496-02b9-4e08-9849-684cb5b87b29.png DEV Community: Szymon Matuszewski https://dev.to/szymon_4 en Kargo: The Missing Piece Between CI and ArgoCD Szymon Matuszewski Fri, 24 Apr 2026 11:50:08 +0000 https://dev.to/szymon_4/kargo-the-missing-piece-between-ci-and-argocd-5g7h https://dev.to/szymon_4/kargo-the-missing-piece-between-ci-and-argocd-5g7h <p>ArgoCD deploys what's in Git. That's the whole point. It watches a repository, diffs the desired state against the cluster, and reconciles.</p> <p>The question nobody answers cleanly: who updates Git?</p> <h2> The Problem </h2> <p>In a typical GitOps setup you have two repositories. The application repo where developers write code, and the GitOps repo where Kubernetes manifests live. CI builds a container image, pushes it to a registry, and then... someone or something needs to update the image tag in the GitOps repo so ArgoCD picks it up.</p> <p>The common approach is to have the CI pipeline commit directly to the GitOps repo. GitLab CI finishes building your Docker image, pushes it to ECR, then runs a job that clones the GitOps repo, updates a YAML file, commits, and pushes. It works.</p> <p>It also couples your application pipeline to the structure of your GitOps repository. If you reorganize your Kustomize overlays, you're updating CI pipelines in every service repo. If a team wants to change how deployments flow through environments, they're editing <code>.gitlab-ci.yml</code> files. The CI pipeline knows too much about things that aren't its concern.</p> <p>I hit this exact scenario on a greenfield project. We had GitLab CI for builds, AWS ECR as the registry, and ArgoCD managing deployments. The CI-commits-to-GitOps approach felt too tightly coupled. I wanted something that owned the space between "artifact exists in a registry" and "manifest is updated in Git."</p> <p>That's where <a href="https://kargo.io" rel="noopener noreferrer">Kargo</a> comes.</p> <h2> What Kargo Does </h2> <p>Kargo is a continuous promotion platform built by <a href="https://akuity.io" rel="noopener noreferrer">Akuity</a>, the company behind ArgoCD. It doesn't replace ArgoCD - it complements it. ArgoCD handles deployment (cluster state matches Git). Kargo handles promotion (Git state gets updated when new artifacts appear).</p> <p>The core concepts map cleanly to what you'd build yourself if you had the time:</p> <ul> <li> <strong>Warehouses</strong> monitor registries for new artifacts (container images, Helm charts, Git commits). When something new appears, a Warehouse packages the references into a piece of <strong>Freight</strong>.</li> <li> <strong>Freight</strong> is a meta-artifact - a box containing references to specific versions of your images and charts. It travels through your pipeline as a unit.</li> <li> <strong>Stages</strong> are promotion targets, roughly equivalent to environments. They form a pipeline: dev, staging, prod. Freight moves from one Stage to the next.</li> <li> <strong>PromotionTasks</strong> define the actual steps to execute when promoting Freight to a Stage. Clone a repo, update a YAML value, commit, push.</li> <li> <strong>Projects</strong> provide tenancy and policy. Each project gets its own namespace and RBAC.</li> </ul> <p>For the full picture, the <a href="https://docs.kargo.io/user-guide/core-concepts" rel="noopener noreferrer">Kargo documentation</a> covers these concepts well.</p> <h2> The Architecture </h2> <p>Here's the flow we ended up with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer commits code | v GitLab CI: test, build, push | v Container image + Helm chart land in AWS ECR | v Kargo Warehouse detects new artifact | v Freight is created | v Stage "dev" promotes automatically (or manually) - ClusterPromotionTask clones GitOps repo - Updates image tag / chart version in overlay YAML - Commits and pushes | v ArgoCD detects Git change, syncs to cluster | v Stage "prod" promotes manually from Kargo UI - Same ClusterPromotionTask, different overlay path | v ArgoCD syncs prod </code></pre> </div> <p>The CI pipeline stops caring after the artifact hits the registry. It doesn't know about Kustomize overlays, environment structures, or ArgoCD. Kargo handles all of that.</p> <h2> ClusterPromotionTasks: Standardized and Reusable </h2> <p>One of the things I appreciated most about Kargo is the separation between <strong>ClusterPromotionTasks</strong> and <strong>PromotionTasks</strong>.</p> <p>A <strong>ClusterPromotionTask</strong> is cluster-wide. You define it once, and every Kargo project can reference it. This is where you standardize your promotion logic. In our case, we have two:</p> <p><strong>Image promotion</strong> - clones the GitOps repo, updates the image tag in a specific YAML file, commits, and pushes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPromotionTask</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-promote-image-git</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">vars</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">branch</span> <span class="na">value</span><span class="pi">:</span> <span class="s">master</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">repoURL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">git@gitlab.com:my-org/gitops-repo.git</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">yamlFilename</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">envPath</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">image</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">git-clone</span> <span class="na">config</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">${{ vars.repoURL }}</span> <span class="na">checkout</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">branch</span><span class="pi">:</span> <span class="s">${{ vars.branch }}</span> <span class="na">create</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./out-image</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">yaml-update</span> <span class="na">as</span><span class="pi">:</span> <span class="s">update-image</span> <span class="na">config</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./out-image/${{ vars.envPath }}/${{ vars.yamlFilename }}</span> <span class="na">updates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">spec.source.helm.valuesObject.image.tag</span> <span class="na">value</span><span class="pi">:</span> <span class="s">${{ quote(imageFrom( vars.image ).Tag) }}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">git-commit</span> <span class="na">as</span><span class="pi">:</span> <span class="s">commit</span> <span class="na">config</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./out-image</span> <span class="na">message</span><span class="pi">:</span> <span class="s">${{ task.outputs['update-image'].commitMessage }}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">git-push</span> <span class="na">config</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./out-image</span> </code></pre> </div> <p><strong>Chart promotion</strong> - same pattern, but updates the Helm chart version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPromotionTask</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-promote-helm-git</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">vars</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">branch</span> <span class="na">value</span><span class="pi">:</span> <span class="s">master</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">repoURL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">git@gitlab.com:my-org/gitops-repo.git</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">chart</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">envPath</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">yamlFilename</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">git-clone</span> <span class="na">config</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">${{ vars.repoURL }}</span> <span class="na">checkout</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">branch</span><span class="pi">:</span> <span class="s">${{ vars.branch }}</span> <span class="na">create</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./out-chart</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">yaml-update</span> <span class="na">as</span><span class="pi">:</span> <span class="s">update-chart</span> <span class="na">config</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./out-chart/${{ vars.envPath }}/${{ vars.yamlFilename }}</span> <span class="na">updates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">spec.source.targetRevision</span> <span class="na">value</span><span class="pi">:</span> <span class="s">${{ quote(chartFrom( vars.chart ).Version) }}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">git-commit</span> <span class="na">as</span><span class="pi">:</span> <span class="s">commit</span> <span class="na">config</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./out-chart</span> <span class="na">message</span><span class="pi">:</span> <span class="s">${{ task.outputs['update-chart'].commitMessage }}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">git-push</span> <span class="na">config</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./out-chart</span> </code></pre> </div> <p>Both tasks use variables for the environment path and filename, making them work across any application and any environment overlay. The defaults (repo URL, branch) are set once at the cluster level. Individual Stages only provide what's unique to them.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpmryyya9aygvc9k2sxdl.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpmryyya9aygvc9k2sxdl.jpeg" alt="Kargo UI showing a completed promotion with step-by-step execution of two ClusterPromotionTasks"></a></p> <p>A <strong>PromotionTask</strong> (without the "Cluster" prefix) is namespaced - scoped to a single Kargo project. If a specific application needs custom promotion logic (maybe it requires a database migration step, or a Slack notification, or a different Git update strategy), you define a PromotionTask in that project's namespace. It overrides or extends the cluster-wide standard without affecting anything else.</p> <p>This gives you standardized pipelines across the cluster, with per-project escape hatches when needed. Check the <a href="https://docs.kargo.io/user-guide/reference-docs/promotion-steps" rel="noopener noreferrer">promotion steps reference</a> for the full list of built-in steps.</p> <h2> Per-Application Pipelines </h2> <p>Each application gets its own Kargo Project with Warehouses, Stages, and promotion policies. Here's what a typical backend service looks like.</p> <p><strong>Project and policies</strong> - auto-promote to dev, manual gate for prod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Project</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-backend</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ProjectConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-backend</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">my-backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">promotionPolicies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">autoPromotionEnabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">prod</span> <span class="na">autoPromotionEnabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p><strong>Warehouses</strong> - watching ECR for new images and Helm charts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Warehouse</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ecr-images</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">my-backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">freightCreationPolicy</span><span class="pi">:</span> <span class="s">Automatic</span> <span class="na">subscriptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">123456789.dkr.ecr.eu-south-1.amazonaws.com/my-org/backend</span> <span class="na">allowTagsRegexes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">^[a-f0-9]{8}$</span> <span class="na">ignoreTagsRegexes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">^latest$</span> <span class="na">imageSelectionStrategy</span><span class="pi">:</span> <span class="s">NewestBuild</span> <span class="na">discoveryLimit</span><span class="pi">:</span> <span class="m">20</span> <span class="na">cacheByTag</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Warehouse</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ecr-charts</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">my-backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">freightCreationPolicy</span><span class="pi">:</span> <span class="s">Automatic</span> <span class="na">subscriptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">chart</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">oci://123456789.dkr.ecr.eu-south-1.amazonaws.com/my-org/backend</span> <span class="na">discoveryLimit</span><span class="pi">:</span> <span class="m">5</span> </code></pre> </div> <p>In a trunk-based workflow, every merge to main produces an image tagged with the commit SHA. A single Warehouse watches for those tags and creates Freight. The same Freight then travels through the pipeline - dev first, prod after. The <code>NewestBuild</code> strategy picks the most recently built image, not just the lexicographically newest tag.</p> <p><strong>Stages</strong> - dev gets Freight directly from the Warehouse, prod requires Freight that passed through dev first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">Stage</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">my-backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">requestedFreight</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">origin</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Warehouse</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ecr-images</span> <span class="na">sources</span><span class="pi">:</span> <span class="na">direct</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">origin</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Warehouse</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ecr-charts</span> <span class="na">sources</span><span class="pi">:</span> <span class="na">direct</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">promotionTemplate</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-promote-image-git</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPromotionTask</span> <span class="na">vars</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">image</span> <span class="na">value</span><span class="pi">:</span> <span class="s">123456789.dkr.ecr.eu-south-1.amazonaws.com/my-org/backend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">envPath</span> <span class="na">value</span><span class="pi">:</span> <span class="s">applications/overlays/dev/my-backend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">yamlFilename</span> <span class="na">value</span><span class="pi">:</span> <span class="s">patches.yaml</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-promote-helm-git</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPromotionTask</span> <span class="na">vars</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">chart</span> <span class="na">value</span><span class="pi">:</span> <span class="s">oci://123456789.dkr.ecr.eu-south-1.amazonaws.com/my-org/backend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">envPath</span> <span class="na">value</span><span class="pi">:</span> <span class="s">applications/overlays/dev/my-backend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">yamlFilename</span> <span class="na">value</span><span class="pi">:</span> <span class="s">patches.yaml</span> <span class="nn">---</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Stage</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prod</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">my-backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">requestedFreight</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">origin</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Warehouse</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ecr-images</span> <span class="na">sources</span><span class="pi">:</span> <span class="na">availabilityStrategy</span><span class="pi">:</span> <span class="s">All</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">dev</span> <span class="pi">-</span> <span class="na">origin</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Warehouse</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ecr-charts</span> <span class="na">sources</span><span class="pi">:</span> <span class="na">availabilityStrategy</span><span class="pi">:</span> <span class="s">All</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">dev</span> <span class="na">promotionTemplate</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-promote-image-git</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPromotionTask</span> <span class="na">vars</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">image</span> <span class="na">value</span><span class="pi">:</span> <span class="s">123456789.dkr.ecr.eu-south-1.amazonaws.com/my-org/backend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">envPath</span> <span class="na">value</span><span class="pi">:</span> <span class="s">applications/overlays/prod/my-backend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">yamlFilename</span> <span class="na">value</span><span class="pi">:</span> <span class="s">patches.yaml</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-promote-helm-git</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterPromotionTask</span> <span class="na">vars</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">chart</span> <span class="na">value</span><span class="pi">:</span> <span class="s">oci://123456789.dkr.ecr.eu-south-1.amazonaws.com/my-org/backend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">envPath</span> <span class="na">value</span><span class="pi">:</span> <span class="s">applications/overlays/prod/my-backend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">yamlFilename</span> <span class="na">value</span><span class="pi">:</span> <span class="s">patches.yaml</span> </code></pre> </div> <p>The key detail in the prod Stage: <code>stages: [dev]</code> under sources. Freight isn't available for promotion to prod until it has been successfully promoted to dev. This is the natural flow - the same artifact proves itself in dev before it can move forward.</p> <h3> Adapting to Branch-Based Workflows </h3> <p>Not every team uses trunk-based development, and Kargo adapts to that. If your CI produces branch-prefixed tags (e.g., <code>dev-abc1234</code> from the dev branch, <code>master-abc1234</code> from master), you can split the image Warehouses per branch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Warehouse</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ecr-images-dev</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">my-backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">subscriptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">123456789.dkr.ecr.eu-south-1.amazonaws.com/my-org/backend</span> <span class="na">allowTagsRegexes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">^dev-.*</span> <span class="na">imageSelectionStrategy</span><span class="pi">:</span> <span class="s">NewestBuild</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Warehouse</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ecr-images-master</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">my-backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">subscriptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">123456789.dkr.ecr.eu-south-1.amazonaws.com/my-org/backend</span> <span class="na">allowTagsRegexes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">^master-.*</span> <span class="na">imageSelectionStrategy</span><span class="pi">:</span> <span class="s">NewestBuild</span> </code></pre> </div> <p>In this setup, the dev Stage pulls from <code>ecr-images-dev</code> and the prod Stage pulls from <code>ecr-images-master</code> directly, rather than requiring Freight to flow through dev first. The Warehouses, tag filters, and Stage wiring change - the ClusterPromotionTasks stay exactly the same. That's the flexibility: Kargo's promotion logic is decoupled from how your team manages branches and tagging.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsyd010emi29xufgeqafp.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsyd010emi29xufgeqafp.jpeg" alt="Kargo UI pipeline view showing Warehouses, Freight, and Stages for a backend service"></a></p> <p>Notice how the Stages just reference the ClusterPromotionTasks and pass environment-specific variables. The promotion logic itself is defined once. Adding a new application means creating a new set of Warehouses, Stages, and a Project - not writing new promotion logic.</p> <h2> Kargo for Infrastructure Too </h2> <p>This is where Kargo surprised me. I initially set it up for application deployments, but quickly realized it works just as well for tracking infrastructure component versions.</p> <p>We have Traefik deployed via Helm from the upstream chart. Keeping Helm charts up to date across environments is one of those tasks that's easy to forget. You check the release page every few weeks, maybe.</p> <p>With Kargo, a Warehouse watches the upstream Helm chart repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kargo.akuity.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Warehouse</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ghcr-charts</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kargo-traefik</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">freightCreationPolicy</span><span class="pi">:</span> <span class="s">Automatic</span> <span class="na">subscriptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">chart</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">oci://ghcr.io/traefik/helm/traefik</span> <span class="na">discoveryLimit</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <p>When a new Traefik chart version is published, Freight appears in the Kargo UI. I can see what version I'm running, what's available, and promote with a click. It's effectively a dependency dashboard that also handles the update.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fypr91vg49eg34cz2ocgk.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fypr91vg49eg34cz2ocgk.jpeg" alt="Kargo UI showing available Traefik Helm chart versions ready to promote"></a></p> <p>For infrastructure components, we keep auto-promotion disabled for both dev and prod. These updates should be intentional. Kargo just makes sure you know there's something new and gives you a one-click path to deploy it.</p> <h2> What I Liked </h2> <p><strong>Rollbacks are git commits.</strong> When you roll back in Kargo, it doesn't manipulate ArgoCD's internal state. It makes a new commit to your Git repo with the previous version. Your Git history stays the single source of truth. No hidden state, no "ArgoCD thinks it's running X but Git says Y" confusion.</p> <p><strong>Developers can self-serve.</strong> The Kargo UI is clean and intuitive for daily use. A developer can see what version is in dev, what's available, and promote to prod - all without touching Git or CI. For teams where you want to expose deployment controls without giving everyone access to ArgoCD or the GitOps repo, this is valuable.</p> <p><strong>Clean separation of concerns.</strong> CI builds artifacts and pushes them to a registry. Full stop. It doesn't know about environments, Kustomize overlays, or ArgoCD. Kargo owns the promotion logic. ArgoCD owns the deployment. Each tool does one thing.</p> <p><strong>The abstraction layer works for everyone.</strong> CI/CD pipelines just build and forget. Developers get a visual pipeline with drag-and-drop (or one-click) promotions. DevOps can define and enforce promotion policies per project. Platform teams get a standardized, reusable promotion framework. Different stakeholders interact with the same system at different levels.</p> <h2> The Rough Edges </h2> <p><strong>Namespace proliferation.</strong> Every Kargo Project creates its own namespace. If you have ten services, you get ten Kargo namespaces on top of your existing ones. This was mostly an aesthetic annoyance - it works fine, but <code>kubectl get ns</code> gets busy. This might have been my own design choice rather than a Kargo requirement, but I wanted to separate Kargo resources from application workloads.</p> <p><strong>ArgoCD annotation limitation.</strong> Kargo can trigger an ArgoCD Application refresh after pushing a commit, saving you from waiting for ArgoCD's polling interval. It uses the <code>kargo.akuity.io/authorized-stage</code> annotation on the ArgoCD Application resource to authorize this. The problem: this annotation only supports a single Kargo project and stage. If you use the app-of-apps pattern (which is common), you'd want multiple Kargo projects to be able to refresh your root Application. That's currently not possible - <a href="https://github.com/akuity/kargo/discussions/3232" rel="noopener noreferrer">no comma-delimited or glob support</a>. We fell back to ArgoCD's default polling, which means there's a small delay between Kargo's git push and ArgoCD picking it up. Functional, not ideal.</p> <p><strong>Polling vs webhooks.</strong> Kargo Warehouses poll registries at intervals by default. If the interval is too long, you get delayed Freight creation on top of ArgoCD's polling delay. Too short, and you're hammering your registry. For AWS ECR, there's no official webhook receiver yet. A generic webhook triggered by CI after a successful push would solve this, though it slightly re-couples CI with Kargo (even if it's just a notification). The <a href="https://docs.kargo.io" rel="noopener noreferrer">Kargo docs acknowledge this trade-off</a>.</p> <p><strong>Active development means change.</strong> Kargo is still maturing. The product itself has been rock-solid in our experience - zero failures or downtime. The concern is more about API surface evolution and potential breaking changes between versions. The Akuity team is responsive and the project moves fast, which is both a strength and something to plan for.</p> <h2> Would I Use It Again? </h2> <p>Yes. Without hesitation for a project of similar scope - a small-to-medium team with some tolerance for adopting relatively new tooling.</p> <p>Kargo filled a real gap in our GitOps workflow. The CI pipeline is simpler because it doesn't manage deployment concerns. The GitOps repo stays clean because updates come through a structured, auditable process rather than arbitrary CI commits. Developers have visibility and control over promotions without needing to understand the underlying Git structure.</p> <p>For larger organizations or risk-averse environments, I'd wait until the API surface stabilizes more and the annotation limitation gets resolved. The product is stable. The ecosystem around it is still catching up.</p> <p>One thing I'd do differently: set up webhook notifications from CI to Kargo from day one, rather than relying purely on polling. The extra latency from double-polling (Kargo polls registry + ArgoCD polls Git) is noticeable when you're used to instant feedback.</p> <p>Kargo is built by the ArgoCD creators and feels like a natural part of the ecosystem. If you're running ArgoCD and have solved the "who updates Git?" question differently, I'd be curious how. Are you committing from CI? Using image-updater? Something custom? And if you've tried Kargo - what's been your experience with it at scale?</p> argocd kargo kubernetes gitops