Integrations/Argo CD

Ship Kubernetes workloads faster with Argo CD and Cloudsmith

Cloudsmith gives your Argo CD pipelines a secure, fully-managed source of truth for Helm charts and Docker images. Authenticate with Entitlement tokens or OIDC, enforce access policies, and sync the right artifacts to every cluster without managing brittle credentials.

How we support Argo CD

Cloudsmith integrates directly into your Argo CD GitOps workflow, giving you a secure, auditable registry for every artifact your clusters consume.
    Helm chart hosting
    Push Helm charts to Cloudsmith and register the repository directly in Argo CD via CLI or the Web UI. Every chart version is immutable, indexed, and available the moment Argo CD needs to sync.
    Docker image delivery
    Store Docker images in Cloudsmith and create Kubernetes image pull secrets so Argo CD can pull them securely from private repositories during application deployment.
    Entitlement token and OIDC auth
    Use Entitlement tokens for read-only pull access or OIDC for short-lived, keyless authentication. Both approaches eliminate long-lived credentials from your deployment manifests.
    Secrets kept out of manifests
    Cloudsmith authentication integrates with Kubernetes secrets so sensitive credentials are never hardcoded in your Argo CD application manifests or Git repositories.
    Auto-sync ready
    Cloudsmith's registry is always available for Argo CD's auto-sync feature, ensuring your clusters pull the latest verified artifacts on every reconciliation cycle.

Why teams integrate Cloudsmith with Argo CD

Argo CD brings GitOps discipline to Kubernetes deployments, but it depends entirely on the quality and security of the artifact registry behind it. Cloudsmith closes that gap.
Without CloudsmithTeams store Helm charts and Docker images across public registries and ad-hoc storage. Argo CD syncs from sources that have no consistent access control, no audit trail, and no vulnerability scanning.
With CloudsmithEvery Helm chart and Docker image Argo CD consumes comes from a single, governed Cloudsmith registry with full audit logs, policy enforcement, and vulnerability scanning on every artifact.
Without CloudsmithLong-lived API keys and plaintext credentials end up hardcoded in Argo CD application manifests or GitOps repositories, creating a persistent security exposure across every cluster that syncs them.
With CloudsmithCloudsmith's Entitlement token support and OIDC integration mean Argo CD authenticates with short-lived or scoped credentials stored in Kubernetes secrets, not in source control.
Without CloudsmithWhen an Argo CD sync fails due to a missing chart version or a misconfigured image tag, engineers have no central place to verify what was published, when, and by whom, making debugging slow and error-prone.
With CloudsmithCloudsmith's client logs and audit trail give your team instant visibility into every push and pull. Sync failures are diagnosed in seconds because you can see exactly what artifacts are in the registry and when they arrived.

Frequently asked questions

  1. Cloudsmith acts as the artifact registry that Argo CD pulls from during deployments. You push Helm charts and Docker images to Cloudsmith, configure Argo CD to point to those repositories, and Argo CD syncs the correct versions to your Kubernetes clusters automatically.

  2. Cloudsmith supports Entitlement tokens for read-only pull access, API keys for programmatic authentication, and OIDC for short-lived, keyless token-based access. Entitlement tokens are recommended for Argo CD because it only pulls artifacts and does not need write permissions.

  3. Use the Argo CD CLI or Web UI to register the Cloudsmith Helm repository URL. You provide the repository endpoint along with your Cloudsmith credentials, and Argo CD can then reference charts from that repository in any Application manifest. Full setup steps are in the Cloudsmith docs.

  4. Create a Kubernetes image pull secret containing your Cloudsmith credentials in the namespace where your application runs. Reference that secret in your deployment manifest and Argo CD will use it to authenticate with Cloudsmith when pulling the image during sync.

  5. Yes. Cloudsmith's OIDC support lets Argo CD authenticate using short-lived JWT tokens rather than long-lived API keys, removing static credentials from your GitOps workflows and reducing the risk of credential leakage.

  6. Yes. Cloudsmith runs vulnerability scanning on packages stored in your repositories, including Docker images and other artifacts. You can configure policies to block delivery of packages that fail security checks before they ever reach an Argo CD sync.

  7. Argo CD will report a sync error. Cloudsmith's audit and client logs let you quickly verify whether a chart was pushed, when it arrived, and what version is currently in the repository, so you can resolve the mismatch without guessing.

  8. Yes. Cloudsmith is a cloud-native, globally distributed registry accessible from any cluster, regardless of cloud provider or region. All clusters reference the same Cloudsmith repository, so artifact consistency across environments is guaranteed.

  9. Cloudsmith gives you fine-grained access controls at the repository level. You can assign read-only Entitlement tokens to Argo CD service accounts and restrict push access to your CI pipeline, ensuring only verified artifacts reach your GitOps registry.

  10. Yes. The Cloudsmith documentation at docs.cloudsmith.com covers the full setup for both Helm chart and Docker image workflows with Argo CD, including authentication configuration, image pull secrets, and auto-sync setup.

Integrations

Discover more Cloudsmith Integrations