CoursesArgo CDIntermediate

Helm & Kustomize sources

Render tools inside Argo.

Advanced12 min · lesson 8 of 12

Argo CD does not require plain manifests — it renders Helm charts and Kustomize overlays itself as part of reconciliation, so your Git source can be a chart or a kustomization and Argo CD produces the manifests before diffing. For Helm, you point at a chart (in Git or a repo) and supply values; for Kustomize, you point at an overlay directory. This means the Helm and Kustomize skills from those courses apply directly inside GitOps.

application.yaml (Helm source)
spec:
source:
repoURL: https://git.acme.internal/apps/payments.git
path: chart
targetRevision: v1.4.0
helm:
valueFiles: [values-prod.yaml]
parameters:
- { name: image.tag, value: "2.1.0" }

Values, and keeping secrets out

You supply Helm values or Kustomize patches from Git, per environment, exactly as in those tools — Argo CD just runs the render for you. The same rule carries over: keep secrets out of values and manifests in Git. Use SOPS (with a decryption plugin), the External Secrets Operator, or a sealed-secrets approach so what is in Git is ciphertext or a reference, never a plaintext credential. Argo CD renders and applies whatever is in Git, so a plaintext secret there is a plaintext secret deployed.

Rendering runs tools — mind plugins and their trust
Argo CD rendering Helm/Kustomize (and especially custom config-management plugins) executes those tools on its repo-server with access to your Git content; a malicious chart or plugin is code running in the Argo CD control plane. Pin chart and overlay sources to trusted, versioned references, be cautious with third-party config-management plugins, and keep the repo-server’s permissions minimal. The convenience of in-cluster rendering is also an execution surface.