Trigger argocd app sync from CI completions, image pushes, or any HTTP signal. Add manual approval gates between staging and prod, retry transient sync failures, poll until Synced and Healthy, and chain Terraform, Ansible, and Argo CD in one execution history.
Argo CD reconciles desired state from Git. Kestra wraps that controller with the orchestration layer above it: when a sync fires, what runs before, who approves the promotion to prod, and where the cross-tool audit trail lives. The Argo CD server, the Application objects, and the cluster reconciliation stay where they are.
Argo CD reconciles when its controller polls Git, which adds reconcile lag on every change. Kestra fires argocd app sync the moment upstream signals arrive: a GitHub Actions completion, a Docker image push to the registry, a Terraform apply finishing, or any HTTP webhook. The flow waits for upstream confirmation, then triggers the sync directly with the matching revision.
The native Pause task suspends the flow after the staging sync confirms Synced and Healthy via apps.Status. A named reviewer reads the staging diff in the Kestra UI and explicitly resumes. Only then does the prod sync fire. The reviewer identity and timestamp are recorded in the execution history alongside the Argo CD revision.
terraform apply provisions the cluster and writes outputs (kubeconfig, ingress IP). ansible-playbook configures the underlying nodes. argocd app sync deploys the app stack. All three share one execution history. If Ansible fails, only the Ansible step retries. The Terraform apply does not re-run.
apps.Status returns syncStatus and healthStatus. Pair it with a retry block to wait until both report green, with a hard timeout. On Degraded or sync timeout, the errors branch sends a Slack alert with the app name, the failing revision, and a direct link to the Argo CD UI.
Trivy scans the candidate image for critical CVEs. Cosign verifies the signature against the keyless attestation from the build. A manifest validator checks the Kustomize or Helm output. Each runs as a flow step before apps.Sync. If any check fails, the sync never fires and on-call gets a structured alert with the scan output.
Pass the Argo CD app name and Git revision as flow inputs. The same flow promotes the same revision through staging, qa, and prod Argo apps in sequence, with a Pause gate before every environment beyond staging. No duplicate YAML per environment, the inputs determine which app gets synced.
Patterns platform teams run in production today. Each one shows the flow end to end, with the real plugin classes in play.
A GitHub Actions webhook fires when the build artifact is signed and pushed. The flow validates the payload, triggers argocd app sync at the new revision, polls apps.Status until Synced and Healthy, then posts to Slack with the revision and the application URL. No more reconcile lag while the Argo CD git poller catches up to the new commit.
The sync runs the moment CI finishes, not when Argo CD's controller next polls Git. Cuts minutes from the deploy lag.
The flow passes the exact commit SHA from the webhook payload to apps.Sync, so the sync hits the verified build.
Slack only posts :white_check_mark: once apps.Status reports both Synced and Healthy.
On Degraded or timeout, the errors branch pages on-call with the application name and a direct link to the Argo CD UI.
terraform apply provisions the EKS cluster and writes the cluster endpoint to a task artifact. ansible-playbook configures the underlying nodes using that endpoint, with per-step retries. argocd app sync deploys the app stack. Slack confirms when all three steps succeed. If Ansible fails, only Ansible retries. The Terraform apply does not re-run.
Terraform outputs flow forward to Ansible. Ansible's host facts flow forward to the Argo CD step. One UI to debug.
If ansible-playbook hits a transient SSH error, Kestra retries only that step. Terraform apply does not re-run.
A Pause task between Terraform and Ansible lets a reviewer inspect the new infra before configuration starts.
Kestra coordinates the chain. Argo CD still owns the cluster reconciliation, the manifests, and the rollback target.
The flow takes a revision SHA as input. apps.Sync deploys it to the staging Argo app. apps.Status waits for Synced and Healthy. An HTTP probe runs smoke tests against the staging endpoint. A Pause task gates the promotion. Once a reviewer resumes, the same revision deploys to the prod Argo app, followed by another status poll and probe.
The flow pins the same Git SHA across staging and prod. No drift between what was tested and what ships.
The Pause task records who approved the prod sync and when. The Argo CD revision links back from the audit log.
An HTTP probe runs against staging before the gate opens. A 5xx from staging stops the promotion automatically.
application is a flow input, so staging-app, qa-app, and prod-app are three Argo Application objects driven from one flow definition.
The flow runs on every image push to the registry. Trivy scans the new image for critical CVEs. Cosign verifies the keyless signature against the build provenance. If both pass, apps.Sync fires at the matching revision. If either fails, the sync never runs and on-call gets the scan output as a structured Slack message.
An If task evaluates Trivy and Cosign exit codes. If either is non-zero, the sync step never runs.
Trivy's JSON output is captured as a task artifact and attached to the Slack alert, so on-call sees exactly which CVE blocked the deploy.
The image digest from the webhook is the same one passed to Argo CD's revision. No room for a swapped artifact between scan and sync.
Terraform provisions the VM, Ansible configures the application, ArgoCD handles the deployment. All orchestrated through Kestra.
One blueprint per use case above. Copy the YAML, point it at your Argo CD server, ship it.
A GitHub Actions webhook triggers the flow with the new revision. Kestra calls apps.Sync, polls apps.Status until both syncStatus and healthStatus report green, then posts to Slack with the revision and application URL.
terraform apply provisions an EKS cluster. A Pause task gates before configuration. ansible-playbook configures the nodes. argocd app sync deploys the app. apps.Status waits for Healthy. Slack confirms or alerts. Per-step retries keep the chain moving on transient errors.
The flow takes a revision SHA as input. Syncs the staging Argo app, polls until Healthy, runs a smoke test against the staging endpoint, pauses for a named reviewer, then syncs the prod Argo app at the same revision. Slack notifies at each stage.
| Capability | | | | |
|---|---|---|---|---|
| Trigger argocd app sync from non-Git events | Webhook, S3, Kafka, image push, schedule, any HTTP signal | Webhook + custom Action steps | Webhook + custom workflow templates | Git-only by design |
| Approval gate (Pause/resume) between syncs | Native Pause + resume, named reviewer logged | GitHub Environments approval (Action-specific) | Suspend node, no first-class reviewer log | Not native |
| Sync status polling until Synced + Healthy | apps.Status + retry block in one task | Custom polling script in Bash | Workflow loop with delay step | Native, no external polling needed |
| Chain Terraform + Ansible + Argo CD | Native plugin tasks, outputs flow forward | Each tool as a separate Action, manual handoff | Workflow templates per tool, no native chaining | Argo CD-centric, no Terraform or Ansible |
| Pre-sync image scan / signature verify as flow step | Trivy + Cosign as upstream tasks, sync blocked on fail | Action steps, manual conditional skip | Workflow steps, custom conditional | Argo CD does not run scans |
| Multi-environment promotion in one flow | Single flow, app and revision as inputs | One Action per environment, repeated YAML | Workflow per environment | ApplicationSet generates apps, no flow logic |
| Cross-stack execution history | One execution ID across Terraform, Ansible, Argo CD | Action run log, Argo CD events separately | Workflow events, Argo CD events separately | Argo CD events only |
| Self-hosted, air-gapped, OSS edition | Self-hosted by default, OSS edition free | Self-hosted GHE Actions or hosted | Self-hosted Kubernetes | Self-hosted Kubernetes |
| Beyond Argo CD: orchestrate the rest of the stack | 1300+ plugins, cross-stack | Action marketplace, CI-centric | Kubernetes-centric workflow engine | Argo CD app delivery only |
Find answers to your questions right here, and don't hesitate to Contact Us if you couldn't find what you're looking for.
Automate infrastructure workflows in Kestra
How Kestra orchestrates Argo CD, Terraform, Ansible, Docker, Proxmox, and Kubernetes in one declarative flow.
Provision with Terraform, deploy with Argo CD
Why platform teams chain Terraform and Argo CD through Kestra rather than passing artifacts manually between CI and the GitOps controller.
Argo CD plugin reference
Every Argo CD task (apps.Sync, apps.Status) with copy-ready YAML examples and full property reference.
Trigger argocd app sync on CI completions or image pushes, gate promotion to prod with a named reviewer, chain Terraform and Ansible upstream, and verify supply chain checks before every deploy. Open source, self-hosted, event-driven.
