πŸ“šBook Signing at KubeCon EU 2026Meet us at Booking.com HQ (Mon 18:30-21:00) & vCluster booth #521 (Tue 24 Mar, 12:30-1:30pm) β€” free book giveaway!RSVP Booking.com Event
KubernetesRecipes
Deployments intermediate ⏱ 15 minutes K8s 1.28+

ArgoCD ApplicationSets for Multi-Tenant GPUs

Use ArgoCD ApplicationSets to auto-discover and provision GPU tenant overlays from Git directories with per-tenant sync policies.

By Luca Berton β€’ β€’ πŸ“– 5 min read

πŸ’‘ Quick Answer: Use an ApplicationSet with a git generator targeting cluster-config/overlays/prod/tenants/*/ β€” ArgoCD auto-discovers tenant directories and creates an Application per tenant. Adding a tenant = adding a directory to Git.

The Problem

With 10+ GPU tenants, manually creating ArgoCD Applications is tedious and error-prone. When a new tenant overlay is added to Git, someone must also create the corresponding ArgoCD Application. This manual step breaks the GitOps promise.

The Solution

ApplicationSet with Git Generator

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: gpu-tenants
  namespace: openshift-gitops
spec:
  generators:
    - git:
        repoURL: https://git.internal.example.com/platform/gpu-gitops.git
        revision: main
        directories:
          - path: cluster-config/overlays/prod/tenants/*
  template:
    metadata:
      name: 'tenant-{{path.basename}}'
      namespace: openshift-gitops
      labels:
        app.kubernetes.io/part-of: gpu-platform
        tenant: '{{path.basename}}'
    spec:
      project: gpu-tenants
      source:
        repoURL: https://git.internal.example.com/platform/gpu-gitops.git
        targetRevision: main
        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
          - CreateNamespace=true
          - ServerSideApply=true
        retry:
          limit: 3
          backoff:
            duration: 5s
            factor: 2
            maxDuration: 1m

ArgoCD Project for Tenants

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: gpu-tenants
  namespace: openshift-gitops
spec:
  description: GPU tenant configurations
  sourceRepos:
    - https://git.internal.example.com/platform/gpu-gitops.git
  destinations:
    - namespace: 'tenant-*'
      server: https://kubernetes.default.svc
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
  namespaceResourceWhitelist:
    - group: ''
      kind: '*'
    - group: 'networking.k8s.io'
      kind: NetworkPolicy
    - group: 'rbac.authorization.k8s.io'
      kind: Role
    - group: 'rbac.authorization.k8s.io'
      kind: RoleBinding

Add Tenant Workflow

# 1. Create tenant overlay
mkdir -p cluster-config/overlays/prod/tenants/delta

# 2. Add kustomization.yaml with tenant patches
cat > cluster-config/overlays/prod/tenants/delta/kustomization.yaml << 'EOF'
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../base/tenant-template
patches:
  - target:
      kind: Namespace
      name: tenant-PLACEHOLDER
    patch: |
      - op: replace
        path: /metadata/name
        value: tenant-delta
      - op: replace
        path: /metadata/labels/tenant
        value: delta
EOF

# 3. Git commit and push
git add cluster-config/overlays/prod/tenants/delta/
git commit -m "Add GPU tenant: delta"
git push origin main

# 4. ArgoCD auto-discovers and syncs
# No manual Application creation needed!
oc get applications -n openshift-gitops | grep tenant-delta
graph TD
    A[Git: tenants directory] --> B[ApplicationSet generator]
    
    B --> C[Application: tenant-alpha]
    B --> D[Application: tenant-beta]
    B --> E[Application: tenant-gamma]
    B --> F[New directory detected]
    
    F --> G[Auto-create Application: tenant-delta]
    
    C --> H[Sync NS + RBAC + Quotas]
    D --> I[Sync NS + RBAC + Quotas]
    G --> J[Sync NS + RBAC + Quotas]

Common Issues

  • ApplicationSet not detecting new directory β€” check Git generator poll interval; verify repo URL and credentials
  • Sync fails on new tenant β€” ensure tenant template base exists and kustomization.yaml is valid
  • Tenant removal doesn’t delete resources β€” set prune: true in syncPolicy; remove directory from Git to deprovision

Best Practices

  • One ApplicationSet for all tenants β€” auto-discovery eliminates manual Application management
  • Use AppProject to restrict tenant Applications to tenant-* namespaces only
  • Enable prune + selfHeal for automatic cleanup and drift correction
  • Adding a tenant = adding a Git directory; removing = deleting the directory
  • Retry policy handles transient sync failures gracefully

Key Takeaways

  • ApplicationSet with git generator auto-discovers tenant overlay directories
  • No manual ArgoCD Application creation β€” truly GitOps-driven provisioning
  • AppProject restricts tenant applications to authorized namespaces and resource types
  • Adding a tenant is a git commit; removing is deleting the directory
  • Auto-prune ensures removed tenants are fully cleaned up
#argocd #applicationsets #multi-tenant #gitops #gpu
Luca Berton
Written by Luca Berton

Principal Solutions Architect specializing in Kubernetes, AI/GPU infrastructure, and cloud-native platforms. Author of Kubernetes Recipes and creator of CopyPasteLearn courses.

🌐 πŸ’Ό πŸ’»

πŸŽ“ Deepen Your Skills β€” Hands-on Courses

πŸ§ͺ
MLflow on Kubernetes β€” MLOps

Master ML lifecycle management with MLflow on Kubernetes β€” tracking, registry, and deployment.

Start Learning β†’

Courses by CopyPasteLearn.com β€” Learn IT by Doing

Kubernetes Recipes book cover

Want More Kubernetes Recipes?

This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.

Get the Book β†’ ← More Deployments Recipes
← Back to All Recipes
Luca Berton Ansible Pilot Ansible by Example Open Empower K8s Recipes Terraform Pilot CopyPasteLearn ProteinLens