---
title: "Integrate Cloudsmith with Argo CD"
description: "Use Cloudsmith as the artifact registry behind your Argo CD GitOps workflows. Securely store Helm charts and Docker images, authenticate with OIDC or Entitlement tokens, and automate Kubernetes deployments with confidence."
canonical_url: "https://cloudsmith.com/product/integrations/argocd"
last_updated: "2026-05-07T10:36:29Z"
---
# Integrate Cloudsmith with Argo CD

## Ship Kubernetes workloads faster with **Argo CD** and Cloudsmith

Cloudsmith gives your Argo CD pipelines a secure, fully-managed source of truth for Helm charts and Docker images. Authenticate with Entitlement tokens or OIDC, enforce access policies, and sync the right artifacts to every cluster without managing brittle credentials.

## How we support **Argo CD**

Cloudsmith integrates directly into your Argo CD GitOps workflow, giving you a secure, auditable registry for every artifact your clusters consume.

[Read our Argo CD documentation](https://docs.cloudsmith.com/integrations/integrating-with-argocd)

### Helm chart hosting

Push Helm charts to Cloudsmith and register the repository directly in Argo CD via CLI or the Web UI. Every chart version is immutable, indexed, and available the moment Argo CD needs to sync.

### Docker image delivery

Store Docker images in Cloudsmith and create Kubernetes image pull secrets so Argo CD can pull them securely from private repositories during application deployment.

### Entitlement token and OIDC auth

Use Entitlement tokens for read-only pull access or OIDC for short-lived, keyless authentication. Both approaches eliminate long-lived credentials from your deployment manifests.

### Secrets kept out of manifests

Cloudsmith authentication integrates with Kubernetes secrets so sensitive credentials are never hardcoded in your Argo CD application manifests or Git repositories.

### Auto-sync ready

Cloudsmith's registry is always available for Argo CD's auto-sync feature, ensuring your clusters pull the latest verified artifacts on every reconciliation cycle.

## Why teams integrate Cloudsmith with **Argo CD**

Argo CD brings GitOps discipline to Kubernetes deployments, but it depends entirely on the quality and security of the artifact registry behind it. Cloudsmith closes that gap.

| Without Cloudsmith | With Cloudsmith |

| --- | --- |

| Teams store Helm charts and Docker images across public registries and ad-hoc storage. Argo CD syncs from sources that have no consistent access control, no audit trail, and no vulnerability scanning. | Every Helm chart and Docker image Argo CD consumes comes from a single, governed Cloudsmith registry with full audit logs, policy enforcement, and vulnerability scanning on every artifact. |

| Long-lived API keys and plaintext credentials end up hardcoded in Argo CD application manifests or GitOps repositories, creating a persistent security exposure across every cluster that syncs them. | Cloudsmith's Entitlement token support and OIDC integration mean Argo CD authenticates with short-lived or scoped credentials stored in Kubernetes secrets, not in source control. |

| When an Argo CD sync fails due to a missing chart version or a misconfigured image tag, engineers have no central place to verify what was published, when, and by whom, making debugging slow and error-prone. | Cloudsmith's client logs and audit trail give your team instant visibility into every push and pull. Sync failures are diagnosed in seconds because you can see exactly what artifacts are in the registry and when they arrived. |

## Frequently asked questions

### How does Cloudsmith work with Argo CD?

Cloudsmith acts as the artifact registry that Argo CD pulls from during deployments. You push Helm charts and Docker images to Cloudsmith, configure Argo CD to point to those repositories, and Argo CD syncs the correct versions to your Kubernetes clusters automatically.

### What authentication methods does Cloudsmith support for Argo CD?

Cloudsmith supports Entitlement tokens for read-only pull access, API keys for programmatic authentication, and OIDC for short-lived, keyless token-based access. Entitlement tokens are recommended for Argo CD because it only pulls artifacts and does not need write permissions.

### How do I add a Cloudsmith Helm repository to Argo CD?

Use the Argo CD CLI or Web UI to register the Cloudsmith Helm repository URL. You provide the repository endpoint along with your Cloudsmith credentials, and Argo CD can then reference charts from that repository in any Application manifest. Full setup steps are in the Cloudsmith docs.

### How do I pull private Docker images from Cloudsmith in Argo CD?

Create a Kubernetes image pull secret containing your Cloudsmith credentials in the namespace where your application runs. Reference that secret in your deployment manifest and Argo CD will use it to authenticate with Cloudsmith when pulling the image during sync.

### Can I use OIDC instead of API keys for Argo CD authentication?

Yes. Cloudsmith's OIDC support lets Argo CD authenticate using short-lived JWT tokens rather than long-lived API keys, removing static credentials from your GitOps workflows and reducing the risk of credential leakage.

### Does Cloudsmith scan Helm charts and Docker images for vulnerabilities?

Yes. Cloudsmith runs vulnerability scanning on packages stored in your repositories, including Docker images and other artifacts. You can configure policies to block delivery of packages that fail security checks before they ever reach an Argo CD sync.

### What happens if Argo CD tries to sync a chart version that does not exist in Cloudsmith?

Argo CD will report a sync error. Cloudsmith's audit and client logs let you quickly verify whether a chart was pushed, when it arrived, and what version is currently in the repository, so you can resolve the mismatch without guessing.

### Can I use Cloudsmith with Argo CD across multiple Kubernetes clusters?

Yes. Cloudsmith is a cloud-native, globally distributed registry accessible from any cluster, regardless of cloud provider or region. All clusters reference the same Cloudsmith repository, so artifact consistency across environments is guaranteed.

### How do I control which teams can push or pull artifacts used by Argo CD?

Cloudsmith gives you fine-grained access controls at the repository level. You can assign read-only Entitlement tokens to Argo CD service accounts and restrict push access to your CI pipeline, ensuring only verified artifacts reach your GitOps registry.

### Is there a guide to getting started with Cloudsmith and Argo CD?

Yes. The Cloudsmith documentation at docs.cloudsmith.com covers the full setup for both Helm chart and Docker image workflows with Argo CD, including authentication configuration, image pull secrets, and auto-sync setup.
