Decision (2026)
Application delivery: Argo CD [7] ⭐ 23.1k if you need a visual dashboard and native multi-cluster ApplicationSets; Flux CD [8] ⭐ 8.2k for CLI-first, lightweight, or edge deployments — Flux uses the native Helm SDK (hooks preserved), ArgoCD renders via helm template (hooks skipped).[3]
Infrastructure-as-code: Crossplane [12] ⭐ 11.7k is the only IaC tool with native GitOps fit — K8s CRDs, continuous drift correction in seconds, no bridge needed.[5] Terraform and OpenTofu require Atlantis or tf-controller; Pulumi needs its Kubernetes Operator; Ansible is push-only and requires a CI pipeline.[4]
Config Format → GitOps Operator Compatibility
| Config format | Argo CD 3.3 [7] ⭐ 23.1k | Flux CD 2.8 [8] ⭐ 8.2k | Notes |
|---|---|---|---|
| Plain YAML / JSON | ✓ Native | ✓ Native | |
| Helm charts [16] ⭐ 29.8k | ⚠ helm template (hooks skipped) | ✓ Native SDK — Helm v4, hooks preserved[2] | ArgoCD renders charts as static YAML; lifecycle hooks (pre-install, post-upgrade) are not executed.[2] |
| Kustomize | ✓ Native | ✓ Native + post-render | Flux uniquely supports Kustomize post-rendering of Helm output — patch Helm release output before applying.[3] |
| Jsonnet / Tanka | ⚠ Via Config Management Plugin | ✗ Pre-render to YAML required | ArgoCD's Config Management Plugin (CMP) framework supports Jsonnet; Flux has no built-in Jsonnet support. |
| CDK8s (TS / Python → YAML) | ⚠ Via CMP plugin | ⚠ CI pre-render pipeline | Both require a CI step to run cdk8s synth and commit output YAML to Git before the operator syncs. |
| OCI registry artifacts | ✓ v2.4+ | ✓ Native | Both support OCI-stored Helm charts and plain manifests.[3] |
| HCL (Terraform / OpenTofu) | ✗ | ⚠ via tf-controller | Flux tf-controller ⭐ 1.6k bridges Terraform/OpenTofu into the Flux reconciliation loop.[15] |
| Pulumi programs (TS, Python, Go…) | ⚠ via PKO Stack CRD | ⚠ via PKO + Flux Source | Pulumi Kubernetes Operator (PKO) exposes a Stack CRD; ArgoCD manages its lifecycle, Flux can supply source via spec.fluxSource.[18] |
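
The Kustomize row above notes that Flux can post-render Helm output. As an added example (not from the original page or the Flux project), the HelmRelease below patches a chart's rendered Deployment with a stricter pod security context before it is applied. The chart, repository, namespace and Deployment names are hypothetical placeholders.

```yaml
# Added example: Flux HelmRelease with a Kustomize post-renderer.
# All object names are hypothetical; the Deployment name assumes the chart
# names its Deployment after the release.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: example-app            # hypothetical release name
  namespace: apps              # hypothetical namespace
spec:
  interval: 10m
  chart:
    spec:
      chart: example-app       # hypothetical chart name
      version: "1.x"
      sourceRef:
        kind: HelmRepository
        name: example-charts   # hypothetical HelmRepository object
        namespace: flux-system
  values:
    replicaCount: 2
  # Runs after Helm has rendered the chart and before Flux applies the result.
  postRenderers:
    - kustomize:
        patches:
          - target:
              kind: Deployment
              name: example-app
            # Strategic merge patch: hardens the pod spec without forking the chart.
            patch: |
              apiVersion: apps/v1
              kind: Deployment
              metadata:
                name: example-app
              spec:
                template:
                  spec:
                    automountServiceAccountToken: false
                    securityContext:
                      runAsNonRoot: true
                      seccompProfile:
                        type: RuntimeDefault
```

Because the patch lives in Git next to the release definition, the hardening is reviewed and reconciled like any other change instead of being applied by hand after install.
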
IaC Tool GitOps Fitness
| Tool | Config format | Pull-based | Drift detection | Continuous reconcile | K8s-native | Argo CD | Flux CD | Bridge / caveat |
|---|---|---|---|---|---|---|---|---|
| Terraform [9] ⭐ 48.6k | HCL | ✗ push | ⚠ Manual (plan) | ✗ | ✗ | ✗ direct | ⚠ tf-controller | Atlantis, Terraform Cloud, or Spacelift needed for PR-driven GitOps[1] |
| OpenTofu [10] ⭐ 29k | HCL (Terraform-compatible) | ✗ push | ⚠ Manual (plan) | ✗ | ✗ | ✗ direct | ⚠ tf-controller | Same bridge ecosystem as Terraform; adds built-in state encryption |
| Pulumi [11] ⭐ 25.3k | TS / Python / Go / C# / Java | ⚠ via PKO (periodic poll) | ⚠ via PKO (continueResyncOnCommitMatch) | ⚠ Configurable interval | ⚠ via PKO | ⚠ PKO Stack CRD | ⚠ PKO + Flux Source | PKO ⭐ 287 required; adds in-cluster GitOps semantics[18] |
| Crossplane [12] ⭐ 11.7k | YAML (K8s CRDs) | ✓ pull | ✓ Automatic (seconds) | ✓ | ✓ | ✓ native | ✓ native | No bridge needed — CRDs are standard K8s objects[4] |
| Ansible [13] ⭐ 68.8k | YAML playbooks | ✗ push | ⚠ Scheduled --check mode | ✗ | ✗ | ✗ | ✗ | CI/CD pipeline required; best for VM/bare-metal config outside K8s[6] |
Crossplane v2 (Aug 2025): composite resources now namespaced by default; composition functions replace patch-and-transform; compositions can include any Kubernetes resource — not just Crossplane-managed infra.[5]
Argo CD 3.3 vs Flux CD 2.8
| Feature | Argo CD 3.3 [7] ⭐ 23.1k | Flux CD 2.8 [8] ⭐ 8.2k |
|---|---|---|
| CNCF status | Graduated | Graduated |
| Architecture | Centralized hub-and-spoke | Distributed — per-cluster agents |
| Web UI | ✓ Native rich dashboard (SSO, diff viewer, health) | ⚠ New Flux Operator web UI (added 2.8) |
| Helm rendering | helm template — hooks not executed[2] | Native SDK (Helm v4) — hooks preserved[2] |
| Kustomize post-render of Helm | ✗ | ✓ Patch Helm output via Kustomize[3] |
| Multi-cluster | ✓ Native ApplicationSets — single control plane | ✓ Via Git repo structure; no single point of failure |
| RBAC | Custom application-level RBAC + SSO support | Kubernetes-native RBAC only (no custom layer) |
| Resource footprint | 1–4 GB baseline | <500 MB |
| Security model | Central credentials → ⚠ blast-radius risk | Per-cluster credential isolation; no inbound API exposure |
| Drift reconciliation latency | 10–60 s sync cycle | Sub-second interruptible reconcile (v2.8 — cancels health check on fix detection)[3] |
| Image automation | ⚠ Separate add-on (ArgoCD Image Updater) | ✓ Native image-automation-controller |
| OCI artifacts | ✓ v2.4+ | ✓ Native |
| Notable 2026 additions | PreDelete hooks, OIDC background token refresh, shallow clone for monorepos[3] | Helm v4 + Server-Side Apply, interruptible reconcile, new Flux Web UI[3] |
| Best fit | UI-first teams, enterprise multi-cluster, large fleet management, developers who want deployment visibility without CLI | CLI-first teams, edge computing, lightweight footprint, tight multi-tenancy, hook-dependent Helm charts |
Bridge Tools for Non-Native GitOps IaC
| Tool | Bridges | Model | Stars |
|---|---|---|---|
| Atlantis [14] | Terraform / OpenTofu → PR-driven GitOps | PR comments trigger plan; merges trigger apply; self-hosted | ⭐ 9.1k |
| Flux tf-controller [15] | Terraform / OpenTofu → Flux CD | In-cluster Flux controller runs TF; periodic reconciliation against Git source | ⭐ 1.6k |
| Pulumi Kubernetes Operator [19] | Pulumi programs → K8s GitOps | Polls Git or Flux Source; runs pulumi up in-cluster; ArgoCD manages Stack CRD lifecycle | ⭐ 287 |
| Terraform Cloud / Spacelift | Terraform / OpenTofu → SaaS GitOps | VCS-integrated: plan on PR, apply on merge; policy-as-code; commercial | Commercial |
Recommended Combinations
| Use case | Stack | Why |
|---|---|---|
| K8s apps — team wants UI | Argo CD + Kustomize (or Helm) | Visual diff, ApplicationSets for multi-env, SSO, broad plugin ecosystem[1] |
| K8s apps — lightweight / edge | Flux + Kustomize | <500 MB footprint, per-cluster isolation, native image automation, Helm hooks preserved[3] |
| K8s infra + apps, pure GitOps | Crossplane + (Argo CD or Flux) | Crossplane provisions cloud resources as K8s CRDs; the GitOps operator syncs everything from Git — no bridge tooling needed[4] |
| Existing Terraform codebase | Terraform + Atlantis + Argo CD for apps | Atlantis adds PR-driven plan/apply to Terraform; Argo CD handles the application delivery layer independently[1] |
| VM / bare-metal + K8s hybrid | Ansible (CI-triggered) + Flux for K8s | Ansible covers what GitOps operators can't (VMs, network switches, bare metal); Flux owns the K8s side[6] |
| Enterprise full-stack | Terraform + Spacelift + Crossplane + Argo CD | Terraform for legacy / non-K8s infra (4,000+ providers); Crossplane for K8s-adjacent cloud resources; Argo CD for app delivery and observability across clusters[17] |