CI/CD for Kubernetes: From Pipeline to Production

A typical CI/CD pipeline for Kubernetes has four stages: build (compile and test), package (build Docker image and push to registry), update (modify the image tag in Kubernetes manifests or Helm values), and deploy (apply to the cluster). Keep the build and deploy concerns separated: the CI pipeline should produce an artifact (a tagged image), and the deployment mechanism should consume it. This separation allows different deployment strategies (push-based, pull-based, manual approval) without changing the build process.

In a push-based model, your GitHub Actions workflow authenticates to the cluster using a kubeconfig stored as a repository secret, then runs `kubectl apply` or `helm upgrade --install`. Use the `docker/build-push-action` to build and push images to ECR, GCR, or Docker Hub. Tag images with the Git SHA for traceability. Add a `--wait` flag to `helm upgrade` so the job fails if pods do not become ready. For multi-environment setups, use GitHub Environments with required reviewers to gate production deployments behind manual approval.

ArgoCD is a pull-based deployment tool that watches a Git repository for changes to Kubernetes manifests or Helm charts. When it detects a drift between the repository and the cluster, it syncs automatically (or waits for manual approval). Install ArgoCD in your cluster and create an Application resource pointing to your Git repo, path, and target cluster. ArgoCD provides a web UI showing sync status, health, and resource tree. It handles rollbacks by reverting to a previous Git commit. The CI pipeline's only job is to update the image tag in the Git repo; ArgoCD handles everything else.

Promote images across environments by updating the image tag in environment-specific branches or directories. A common pattern: CI builds the image and updates `environments/staging/values.yaml` with the new tag, ArgoCD deploys to staging automatically. After QA approval, a PR updates `environments/production/values.yaml`, and ArgoCD deploys to production. This gives you a full audit trail in Git of what was deployed, when, and by whom. Tools like Kustomize overlays also work well for this pattern, using a base manifest with per-environment patches.