Flask Full CI/CD GitOps Pipeline Diagram

GitHub Actions builds and scans the image, pushes it to Docker Hub, updates the GitOps deploy repository, and Argo CD syncs the application into Kubernetes.

This architecture separates CI and CD clearly. The application repository handles testing, Docker build, Trivy security scan, and Docker Hub push. The deploy repository stores Helm configuration and Argo CD watches that repository as the source of truth for Kubernetes deployment.
1. Source Code
2. CI with GitHub Actions
3. Security Scan & Image Push
4. GitOps Repo Update
5. Argo CD Sync to Kubernetes
🐙

App Repository

Source code for the Flask application, tests, Dockerfile, and GitHub Actions workflow.

flask-trivy-actions

Main Files

app/
tests/
requirements.txt
Dockerfile
.github/workflows/ci.yml
⚙️
GitHub Actions CI
1. Checkout CodePull the latest Flask app source
2. Install Dependenciesrequirements-dev.txt for testing
3. Run PytestValidate Flask routes and app logic
4. Build Docker ImageCreate runtime image for Flask app
5. Trivy ScanFail on HIGH / CRITICAL vulnerabilities
6. Push to Docker HubPublish version tag and latest tag
7. Update Deploy RepoWrite new image tag into Helm values
🐳

Docker Hub

Container registry storing the application image built by GitHub Actions.

ahmad09x/python-flask-app:20f2ab9
ahmad09x/python-flask-app:latest
Only scanned images are pushed
Image registry used by Kubernetes during deployment
📦

GitOps Deploy Repository

Separate repository that stores deployment configuration and acts as the single source of truth for CD.

flask-argocd-deploy
Helm chart in helm/python-app/
Argo CD Application in argocd/python-app.yaml
values.yaml updated with new image tag

What GitHub Actions changes

It updates image.repository and image.tag inside Helm values, commits the change, and pushes it to this repository.
🚀

Argo CD + Kubernetes

Argo CD watches the deploy repository, detects the updated image tag, and syncs Kubernetes using Helm.

Argo CD Application Sync
Helm Upgrade / GitOps Reconciliation
LoadBalancer Service
🐍Flask Pod
🐍Flask Pod
🐍Flask Pod

Automated Sync

prune: true removes old resources and selfHeal: true corrects drift automatically.
End-to-end pipeline: A developer pushes code to the Flask application repository. GitHub Actions runs tests, builds the Docker image, scans it with Trivy, and pushes the approved image to Docker Hub. The workflow then updates the deployment repository with the new image tag. Argo CD watches that GitOps repository and automatically syncs the change into Kubernetes using Helm, updating the running Flask application behind a LoadBalancer service.