Architecting Enterprise GitOps: Scaling Argo CD on OKE

May 13, 2026 Pavan Madduri App-of-Apps Pattern, ApplicationSets, Argo CD, automation, Cloud Controller Manager (CCM), Configuration Drift, continuous deployment, Enterprise Cloud-Native., External Secrets Operator (ESO), GitOps, IAM Policies, Infrastructure as Code (IaC), Kubernetes Secret Management, multi-cluster orchestration, OCI Flexible Load Balancer, OCI Vault, OCIR, OIDC, OKE, Oracle Kubernetes Engine, Private VCN, Pull-based CI/CD, workload identity, Zero-Trust Architecture

by Pavan Madduri

Managing state and configuration drift across a fleet of Kubernetes clusters is a well-documented enterprise challenge. As organizations scale their cloud-native footprints across multiple regions, traditional push-based CI/CD pipelines often become brittle, leading to unauthorized out-of-band changes and security blind spots.

The industry standard solution is the shift to pull-based GitOps using Argo CD.

However, deploying Argo CD in an enterprise environment requires more than just applying a Helm chart. It demands robust identity management, secure secret injection and scalable multi-cluster orchestration.

In this deep dive, we will explore how to architect a production-ready GitOps workflow on Oracle Kubernetes Engine (OKE) by leveraging OCI-native services such as OCI Vault and Workload Identity to build a zero-trust deployment pipeline.

The Architectural Blueprint

A resilient GitOps architecture on OCI integrates several managed services to ensure security and high availability:

Compute: OKE deployed within a private OCI virtual cloud network (VCN).

Artifact Registry: Oracle Cloud Infrastructure Registry (OCIR) acting as the immutable repository for container images and Helm charts.

Secrets Management: OCI Vault integrated into the OKE cluster via the External Secrets Operator (ESO).

Identity: OCI IAM Workload Identity for pod-level authentication, eliminating the need to manage static credentials.

Bootstrapping OKE With Workload Identity

Before deploying Argo CD, the underlying OKE cluster must be configured to securely interact with the broader OCI ecosystem. Historically, granting pods access to OCI APIs required mounting static API keys — a significant security anti-pattern.

With OCI IAM Workload Identity, we can grant specific Kubernetes ServiceAccounts direct access to OCI resources. By configuring a dynamic routing gateway (DRG) and mapping OCI IAM policies to the OKE cluster’s OpenID Connect (OIDC) issuer, pods can authenticate dynamically. This is a prerequisite for securely fetching images from private OCIR repositories and secrets from OCI Vault.

Hardening the Argo CD Deployment

Deploying Argo CD on OKE follows standard declarative practices, but exposing it securely requires OCI-specific ingress configurations.

When deploying the Argo CD server, we utilize the OCI cloud controller manager (CCM) to provision an OCI flexible load balancer. By passing specific annotations in our Service or Ingress manifest, we can enforce internal-only routing or attach OCI web application firewall (WAF) policies.

apiVersion: v1 kind: Service metadata:

namespace: argocd

annotations:

oci.oraclecloud.com/load-balancer-type: “lb”

oci.oraclecloud.com/load-balancer-shape: “flexible”

oci.oraclecloud.com/load-balancer-shape-min-bandwidth: “10”

oci.oraclecloud.com/load-balancer-shape-max-bandwidth: “100”

# Ensure this is internal if accessed via VPN/FastConnect

oci.oraclecloud.com/load-balancer-is-internal: “true” spec:

type: LoadBalancer

ports:

– port: 443

targetPort: 8080

selector:

app.kubernetes.io/name: argocd-server

The Secrets Challenge: OCI Vault and ESO

The most critical rule of GitOps is that sensitive data — database passwords, API tokens, TLS certificates — must never be committed to Git in plaintext.

To solve this on OKE, we deploy the ESO. ESO bridges the gap between our Git repository and OCI Vault. Instead of committing a Kubernetes Secret, we commit an ExternalSecret custom resource definition (CRD).

First, we authenticate ESO to OCI Vault using the Workload Identity we established earlier:

apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore

metadata:

provider:

oracle:

vault: “ocid1.vault.oc1.iad.amaaaaaa…” # Your OCI Vault OCID

region: “us-ashburn-1”

auth:

workloadIdentity:

clusterOcid: “ocid1.cluster.oc1.iad.amaaaaaa…” # Your OKE Cluster OCID

serviceAccountRef:

namespace: external-secrets

With the ClusterSecretStore authenticated, Argo CD can safely sync an ExternalSecret manifest from our Git repository. ESO intercepts this, retrieves the encrypted payload from OCI Vault and injects it into a native Kubernetes Secret for the application pod to consume:

apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret

metadata:

namespace: production-app spec:

refreshInterval: “1h”

secretStoreRef:

kind: ClusterSecretStore

target:

data:

– secretKey: password

remoteRef:

key: “prod-db-password-secret-name-in-oci-vault”

Scaling Across Regions: The App-of-Apps Pattern

Once the foundational security is established, managing fleets of OKE clusters becomes a matter of Git repository architecture.

By implementing the ‘App-of-Apps’ pattern or utilizing Argo CD ‘ApplicationSets’, a single ‘control plane’ Argo CD instance on OKE can manage the state of downstream OKE clusters across multiple OCI regions. A commit to a central cluster-config directory can automatically provision baseline infrastructure (Prometheus, Fluentd, ESO) to newly spun-up OKE clusters, achieving true infrastructure as code at scale.

Conclusion

Transitioning to GitOps requires careful architectural planning, particularly regarding identity and secrets management. By deploying Argo CD on OKE and natively integrating with OCI Vault and Workload Identity, engineering teams can build a highly secure, automated and auditable deployment engine capable of handling the most rigorous enterprise workloads.