Promoting Changes from Dev to Staging to Prod with Argo CD

Walk me through how a change moves from dev to staging to prod in an Argo CD setup. How do you stop something from slipping into prod that should not be there?

Promotion in GitOps is a Git operation, not a kubectl operation. A pull request into the manifests repo updates the prod overlay. The Argo CD controller picks up the new commit and reconciles. The three things to get right: what triggers each environment, how image tags move between environments, and how prod is gated. A flow that works: 1. Developer merges code into the application repo. CI builds an image and pushes it with an immutable tag, the Git SHA or a semver. 2. CI commits the new tag to apps/web/overlays/dev/kustomization.yaml on main of the manifests repo. Argo CD dev Application has auto-sync on and self-heal on. It picks up the change and ships to dev within a couple of minutes. 3. Promotion to staging is a pull request bumping apps/web/overlays/staging/kustomization.yaml to the same tag. Merge after a smoke test or an automated check. Argo CD syncs staging. 4. Promotion to prod is another pull request, this time bumping the prod overlay. Branch protection requires code owners, a passing CI check, and a manual reviewer. After merge, Argo CD syncs prod, or a human clicks sync if prod is set to manual. Non-negotiables I enforce: - Same image artifact through every environment. Do not rebuild between staging and prod. The binary that passed staging is the one that ships. - Immutable tags. No latest, no main. Use the Git SHA or a release version. - Prod sync policy is different from dev. Either manual sync, or auto-sync with sync windows so it can only run during business hours. - selfHeal is fine for dev but think hard about it on prod. It reverts any manual change, which can cause grief during an incident if the on-call engineer needs a quick patch. If you keep selfHeal off on prod, you also need a clear policy that the only way to change prod is through Git. Gotcha that bites teams: auto-sync off does not mean self-heal off. They are separate. If self-heal is on, Argo CD will still revert manual edits, even though it will not pull new commits automatically. Configure both knobs deliberately. Hotfixes: have a documented bypass that still goes through Git. Commit straight to the prod overlay path with senior approval. Never apply manifests with kubectl from a laptop just because the PR flow feels slow.

• A change works in staging and breaks in prod because of a config that differed. How do you stop that next time?
• How do database migrations fit into this flow? They are not idempotent the way manifests are.
• What is your rollback story? A bad change went out, the Argo CD UI is open, what do you do?
• How does this change if you are running progressive delivery with Argo Rollouts in front of the Deployment?