GitOps Full Loop

Connect Tekton (CI) and ArgoCD (CD) into a complete pipeline: code change triggers a build, build updates a manifest, ArgoCD deploys the update.

Time: ~25 minutes Difficulty: Advanced

Resources: This demo needs ~2GB RAM (Tekton + ArgoCD overhead). Clean up other demos first: task clean:all

What You Will Learn

How Tekton and ArgoCD connect in a GitOps workflow
The two-repo model: source repo (Tekton watches) and config repo (ArgoCD watches)
Writing a Tekton Pipeline with multiple tasks
Defining an ArgoCD Application custom resource
Walking through the full CI/CD loop step by step

Architecture

Git Push  -->  Tekton Pipeline  -->  Push to Registry  -->  ArgoCD detects  -->  Deploys to cluster
               (test + build)       (simulated)             config change        (sync)

The two-repo model:

Source Repo (app code)              Config Repo (K8s manifests)
    |                                       |
    v                                       v
Tekton watches for changes          ArgoCD watches for changes
    |                                       |
    v                                       v
Pipeline: test -> build -> update   ArgoCD: detect diff -> sync -> deploy
    |                                       ^
    +--- updates image tag in config repo --+

In this demo, we simulate both repos within the cluster using ConfigMaps and local resources. The concepts translate directly to real Git repositories.

Prerequisites

This demo requires Tekton and ArgoCD to be installed in your cluster. If you have not set them up yet:

Tekton: Install from Tekton Basics or run:

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml

ArgoCD: Install from ArgoCD or run:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

Verify both are running:

kubectl get pods -n tekton-pipelines
kubectl get pods -n argocd

Deploy

Navigate to the demo directory:

cd demos/gitops-full-loop

Step 1: Create the namespace

kubectl apply -f manifests/namespace.yaml

Step 2: Deploy the application source (simulated source repo)

kubectl apply -f manifests/app-source.yaml

Step 3: Deploy the application that ArgoCD will manage

kubectl apply -f manifests/deployment.yaml

Step 4: Create the Tekton Pipeline

kubectl apply -f manifests/tekton-pipeline.yaml

Step 5: Create the ArgoCD Application

kubectl apply -f manifests/argocd-app.yaml

Verify

# Check the application is running
kubectl get pods -n gitops-demo

# Check the Tekton Pipeline exists
kubectl get pipeline -n gitops-demo

# Check ArgoCD sees the application
kubectl get applications -n argocd

# Access the app
kubectl port-forward svc/gitops-app 8080:80 -n gitops-demo

Open http://localhost:8080 to see the nginx welcome page with custom content.

Walking Through the Full Loop

Here is what happens in a real GitOps workflow, and how each piece maps to this demo:

1. Developer pushes code

In production, a Git webhook triggers Tekton. In this demo, we manually start the pipeline:

kubectl create -f - <<EOF
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  generateName: gitops-pipeline-run-
  namespace: gitops-demo
spec:
  pipelineRef:
    name: gitops-pipeline
  workspaces:
    - name: shared-workspace
      emptyDir: {}
EOF

2. Tekton Pipeline runs

Watch the pipeline execute:

kubectl get pipelinerun -n gitops-demo -w

The pipeline runs three tasks in sequence:

validate-source: Checks that the source files exist and are valid
build-image: Simulates building and pushing a container image
update-manifests: Simulates updating the deployment manifest with a new image tag

3. ArgoCD detects the change

In production, ArgoCD polls the config repo (default every 3 minutes) or receives a webhook. When it detects the manifests have drifted from the live state, it syncs.

Check ArgoCD status:

kubectl get applications -n argocd

4. ArgoCD deploys

ArgoCD applies the updated manifests to the cluster. The Deployment rolls out new pods with the updated image.

kubectl get pods -n gitops-demo -w

What is Happening

manifests/
  namespace.yaml         # gitops-demo namespace
  app-source.yaml        # ConfigMap simulating source repo (index.html + nginx.conf)
  tekton-pipeline.yaml   # Pipeline with 3 tasks: validate, build, update
  argocd-app.yaml        # ArgoCD Application CR pointing to gitops-demo
  deployment.yaml        # nginx Deployment + Service that ArgoCD manages

Tekton handles the CI side: it validates source, builds images, and updates manifests. Each task runs in its own pod. The pipeline defines the order and data flow between tasks.

ArgoCD handles the CD side: it watches for manifest changes and applies them to the cluster. It continuously reconciles the desired state (Git) with the actual state (cluster).

The connection point between CI and CD is the manifest update. Tekton updates the image tag in the deployment manifest, and ArgoCD detects that change and deploys it.

Experiment

Check the Tekton PipelineRun logs:

kubectl get pipelinerun -n gitops-demo
# Use the name from above
kubectl logs -n gitops-demo -l tekton.dev/pipeline=gitops-pipeline --all-containers

Trigger another pipeline run and watch the full flow:

kubectl create -f - <<EOF
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  generateName: gitops-pipeline-run-
  namespace: gitops-demo
spec:
  pipelineRef:
    name: gitops-pipeline
  workspaces:
    - name: shared-workspace
      emptyDir: {}
EOF

Force an ArgoCD sync:

kubectl patch application gitops-app -n argocd \
  --type=merge -p '{"operation":{"sync":{"revision":"HEAD"}}}'

View ArgoCD in the UI:
Terminal window
```
kubectl port-forward svc/argocd-server 8443:443 -n argocd
```
Open https://localhost:8443 (accept the self-signed cert).

Cleanup

kubectl delete namespace gitops-demo
kubectl delete application gitops-app -n argocd

Note: This only removes the demo resources. Tekton and ArgoCD remain installed for other demos.

Next Step

Move on to Multi-Tenant to explore namespace isolation and resource quotas for multi-team clusters.