Why We Left Jenkins
Our Jenkins setup had grown organically over three years. We had 40+ pipelines, a shared Jenkins master that crashed monthly under load, Groovy scripts that nobody fully understood, and a deployment process that required SSH-ing into production servers. Deployments averaged 45 minutes and required a dedicated engineer. The breaking point came when a misconfigured Jenkinsfile deployed a staging build to production, causing a 4-hour outage. We needed a system where the desired state was declarative, version-controlled, and self-healing.
Why Argo CD?
Argo CD is a declarative GitOps continuous delivery tool for Kubernetes. The principle is simple: your Git repository is the single source of truth for your cluster state. Argo CD continuously monitors your repo and automatically syncs the live cluster state to match. If someone manually changes a deployment, Argo CD detects the drift and either alerts or auto-corrects. This eliminates an entire class of "works on my machine" and "who changed production?" issues.
Migration Strategy
We migrated in three phases over six weeks. Phase 1: containerized all applications and created Helm charts for each service. Phase 2: stood up Argo CD in a dedicated namespace, onboarded non-critical services first, and ran Jenkins and Argo CD in parallel. Phase 3: migrated critical services, set up ApplicationSets for multi-environment management, and decommissioned Jenkins. The parallel-running phase was critical — it gave us confidence that Argo CD was correctly syncing before we cut over.
ApplicationSets for Multi-Environment
One of Argo CD's most powerful features is ApplicationSets, which let you template applications across multiple environments (dev, staging, production) from a single definition. We use a Git Generator that reads environment-specific values files from our repo. Promoting a change from staging to production is now a pull request that updates the production values file — reviewable, auditable, and reversible.
Handling Secrets
The biggest challenge in GitOps is secrets management — you can't commit plain-text secrets to Git. We evaluated Sealed Secrets, SOPS, and HashiCorp Vault, and chose the External Secrets Operator backed by AWS Secrets Manager. Application manifests reference ExternalSecret resources, and the operator syncs the actual secret values from AWS at runtime. This keeps secrets out of Git while maintaining the declarative model.
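What ends up in Git under this model, as an added example rather than manifests from our repo: a SecretStore and an ExternalSecret that hold only references to AWS Secrets Manager. The namespace, resource names, region, and remote key path are hypothetical, and the `v1beta1` API version is an assumption (newer operator releases serve `v1`).

```yaml
# Namespaced SecretStore: only workloads in "payments" can use it.
# A ClusterSecretStore would be shared cluster-wide, which widens blast radius.
apiVersion: external-secrets.io/v1beta1   # assumption: adjust to your operator version
kind: SecretStore
metadata:
  name: aws-secrets-manager               # hypothetical name
  namespace: payments                     # hypothetical namespace
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1                   # hypothetical region
      auth:
        jwt:
          # The operator assumes the IAM role bound to this service account,
          # so no long-lived AWS access keys are stored in the cluster or in Git.
          serviceAccountRef:
            name: external-secrets-reader # hypothetical service account
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
spec:
  # How often the operator re-reads AWS; rotation in Secrets Manager
  # reaches the cluster within this interval.
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: payments-db          # Kubernetes Secret the operator creates
    creationPolicy: Owner      # Secret is deleted when the ExternalSecret is removed
  data:
    - secretKey: DB_PASSWORD   # key inside the Kubernetes Secret
      remoteRef:
        key: prod/payments/db  # hypothetical Secrets Manager secret name
        property: password     # JSON field within that secret
```

The IAM role behind the service account should be scoped to `secretsmanager:GetSecretValue` on the specific secret paths that namespace needs, so a compromised namespace cannot read other teams' secrets.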
Results
After the migration, deployment time dropped from 45 minutes to under 5 minutes. We eliminated manual SSH deployments entirely. The team saved approximately 15 hours per month in deployment-related effort. Most importantly, we've had zero deployment-related incidents since the switch — drift detection catches configuration mismatches automatically, and the pull request workflow ensures every change is reviewed.