Delivery Generator and Targets
Complete guide to manifest generation, cluster targeting, delivery profiles, artifact resolution, and ArgoCD integration.
The Delivery Generator is the core engine that transforms your project configuration — workload bindings, Helm values, Kustomize overlays, and manifest patches — into ArgoCD Application and ApplicationSet YAML files ready for deployment. It resolves all dependencies, merges values across the hierarchy, and commits the output to the .argocd/ directory in the project's Git repository where ArgoCD picks it up.
Key Concept
Delivery is the bridge between intent (what you configured in GitOpsHQ) and execution (what runs on your clusters). Every delivery operation is a Git commit — fully auditable and reversible.
Delivery Page Overview
The Delivery page is accessible at /projects/:slug/delivery and provides a unified workspace for managing how your project reaches its target clusters.
Agent Bindings link your project's delivery pipeline to specific cluster agents. Each binding declares that a particular agent is responsible for deploying manifests to its cluster.
- View all bound agents with connection status
- Bind or unbind agents with single-click actions
- See agent health, last sync time, and version
- Multi-select agents for bulk bind/unbind operations
Cluster Targets designate which clusters receive the generated manifests. Each target maps a tenant/environment combination to a specific cluster endpoint and optional namespace.
- Configure
serverURL andnamespaceper target - Assign targets to tenant/environment pairs
- Visual indicators for missing or incomplete targets
- Override default namespace at the target level
Workload Matrix is a visual grid showing workloads across tenants and environments, mapped to their cluster targets.
- Rows represent workload bindings (Helm chart, Kustomize base, or manifest bundle)
- Columns represent tenant/environment combinations
- Each cell shows the target cluster assignment and status
- Empty cells indicate missing bindings that need attention
Preview performs a dry-run delivery generation. Generate commits the results to Git.
- Preview shows exactly what manifests would be generated
- Generate writes the output to the project's Git repository
- Both actions respect the current binding and target configuration
- Generation creates an atomic Git commit with all output files
Delivery Architecture
The following diagram illustrates how the delivery generator processes your configuration into deployable manifests:
Cluster Targets
Cluster targets define where your generated manifests will be deployed. Each target is a combination of:
| Field | Description | Example |
|---|---|---|
| Tenant | The tenant this target serves | acme-corp |
| Environment | The deployment environment | production |
| Server | Kubernetes API server URL | https://k8s.prod.example.com |
| Namespace | Target namespace (optional) | acme-production |
| Agent | The cluster agent responsible for deployment | prod-agent-01 |
Target Resolution
The delivery generator builds its target map using tenantSlug/environment as the lookup key. Resolution follows a two-step approach:
- Explicit binding — If a target is bound to the exact
tenantSlug/environmentcombination, use the configuredserverURL andnamespace. - Default fallback — If no explicit binding exists, the generator falls back to
https://kubernetes.default.svcwith namespacedefault.
Missing Target Warning
If no explicit target is configured for a tenant/environment combination, the generator uses the in-cluster default. Always configure explicit targets for production environments to avoid unintended routing.
Agent Bindings
Agent bindings connect your project to the cluster agents that will execute deployments.
Select Agents
Navigate to the Delivery page and open the Agent Bindings panel. Select one or more agents from the available agent list.
Configure Binding Scope
For each binding, specify which tenant/environment combinations this agent should handle. An agent can serve multiple environments.
Verify Connectivity
Confirm the agent status shows Connected and the agent version is compatible with your cluster's Kubernetes version.
Save Bindings
Commit the binding configuration. The delivery generator will now include this agent's clusters in target resolution.
Workload Matrix
The workload matrix provides a bird's-eye view of your entire delivery topology:
│ acme/dev │ acme/staging │ acme/prod │ beta/dev │
────────────────┼───────────┼──────────────┼────────────┼───────────┤
api-server │ ✅ dev-01 │ ✅ stg-01 │ ✅ prod-01 │ ✅ dev-02 │
worker │ ✅ dev-01 │ ✅ stg-01 │ ⚠️ — │ ✅ dev-02 │
redis │ ✅ dev-01 │ ✅ stg-01 │ ✅ prod-01 │ ❌ — │- Green checkmark: Binding and target are complete
- Warning icon: Binding exists but target is missing or incomplete
- Red X: No binding configured for this cell
Artifact Resolution
The delivery generator resolves artifact versions using a hierarchical lookup:
Tenant-Level Override
Check if the tenant has a pinned artifact version for this workload. If yes, use it.
Environment-Level Override
Check if the environment has a pinned version. This is common for production environments that pin specific versions.
Project Default
Fall back to the project-level default version configured in the workload binding.
| Resolution Level | Example | Use Case |
|---|---|---|
| Tenant override | acme-corp pins api-chart:2.1.0 | Tenant-specific version lock |
| Environment override | production pins api-chart:2.0.5 | Stable production version |
| Project default | api-chart:latest | Development convenience |
Values Resolution
Helm values are resolved through a layered merge hierarchy. Each layer overrides the previous:
| Layer | Source | Priority |
|---|---|---|
| Chart Defaults | values.yaml from the Helm chart | Lowest |
| Project Values | Project-level value overrides | ↑ |
| Tenant Values | Tenant-specific overrides | ↑ |
| Environment Values | Environment-specific overrides | ↑ |
| Service Values | Service-level fine-tuning | ↑ |
| HQ Variables | Dynamic variables resolved at generation time | Highest |
HQ Variables use {{hq.var.KEY}} interpolation syntax (or explicit scope variants like {{hq.var.env.KEY}}):
image:
repository: "{{hq.var.registry}}/api-server"
tag: "{{hq.var.version}}"
resources:
limits:
cpu: "{{hq.var.cpuLimit}}"
memory: "{{hq.var.memoryLimit}}"Runtime Adapters
The delivery generator currently supports ArgoCD as the runtime adapter. All generated output is written to the .argocd/ directory in the project's Git repository.
ArgoCD Adapter
Generates Application and ApplicationSet resources for ArgoCD.
| Output Resource | When Used |
|---|---|
Application | Single workload bound to a single cluster target |
ApplicationSet | Single workload bound to multiple cluster targets (via generators) |
Configuration options:
- ArgoCD Project: Which ArgoCD project to assign applications to
- Sync Policy: Auto-sync, prune, self-heal toggles
- Retry Policy: Backoff and retry configuration
- Ignore Differences: Fields to ignore during sync comparison
- Include Repo Secret: Whether to generate a repo secret for Git access
Example generated Application:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: acme-prod-api-server
namespace: argocd
spec:
project: acme
source:
repoURL: https://gitopshq.example.com/git/r/acme-project/repo.git
targetRevision: HEAD
path: .argocd
destination:
server: https://k8s.prod.example.com
namespace: acme-production
syncPolicy:
automated:
prune: true
selfHeal: trueFlux Support
Flux CD is recognized as a delivery runtime constant (DeliveryRuntimeFlux) in the domain model, but the generator does not yet emit Flux manifests. Flux support is planned for a future release.
Delivery Output Structure
The delivery generator writes ArgoCD Application and ApplicationSet YAML files to the .argocd/ directory in the project's Git repository:
.argocd/
├── acme-production-api-gateway.yaml # ArgoCD Application
├── acme-production-web-frontend.yaml # ArgoCD Application
├── acme-staging-api-gateway.yaml # ArgoCD Application
├── acme-staging-web-frontend.yaml # ArgoCD Application
├── beta-corp-production-api-gateway.yaml # ArgoCD Application
└── beta-corp-production-web-frontend.yamlDelivery Preview vs. Generate
| Aspect | Preview | Generate |
|---|---|---|
| Action | Dry-run rendering | Full rendering + Git commit |
| Git Impact | None — read-only | Creates a new commit |
| Output | In-memory manifest list | Files written to .argocd/ in repository |
| Warnings | Displayed in UI | Displayed + persisted in commit message |
| Use Case | Verify before committing | Execute delivery |
Configure Delivery Settings
Set the runtime adapter, ArgoCD project, sync policy, and other generation parameters.
Run Preview
Click Preview Delivery Artifacts to see what would be generated. Review the manifest list, check for warnings, and verify the target routing.
Review Warnings
Address any warnings: missing targets, unresolved variables, pinned environment conflicts, or incomplete bindings.
Generate and Commit
Click Generate and Commit Delivery Files to write the output to the .argocd/ directory in Git. The commit includes all generated ArgoCD Application and ApplicationSet manifests.
Verify Output
Open the generated files panel to inspect the commit, review individual manifests, and confirm the delivery output matches expectations.
Delivery Profiles
Delivery profiles are named configurations that encapsulate a set of delivery settings for different deployment strategies.
| Profile | Typical Settings | Use Case |
|---|---|---|
| Development | Auto-sync on, prune on, self-heal on | Fast iteration in dev |
| Staging | Auto-sync on, prune on, self-heal off | Pre-production validation |
| Production | Auto-sync off, prune off, manual approval | Controlled production deploys |
| Canary | Auto-sync on, subset targets only | Progressive rollout |
Profiles can be switched per delivery operation, allowing teams to reuse standardized configurations across projects.
Sync Controls
Each agent binding supports granular sync controls:
| Control | Description | Default |
|---|---|---|
| Auto Sync | Automatically sync when Git changes are detected | Off |
| Prune | Remove resources not present in Git | Off |
| Self Heal | Revert manual cluster changes to match Git state | Off |
| Retry | Automatically retry failed syncs | On |
| Replace | Use kubectl replace instead of kubectl apply | Off |
Production Sync Warning
Enabling auto-sync with prune in production environments means resources deleted from Git will be automatically removed from the cluster. Use this with caution and always pair it with approval policies.
Warning States
The delivery generator surfaces warnings when the configuration is incomplete or ambiguous:
| Warning | Cause | Resolution |
|---|---|---|
| Missing Target | No cluster target for a tenant/environment pair | Configure a target in the Cluster Targets panel |
| Unresolved Variable | An HQ variable reference has no value | Set the variable in project or environment settings |
| Pinned Version Conflict | Wildcard chart version in a pinned environment | Pin a specific version for the environment |
| Agent Disconnected | Bound agent is offline | Check agent connectivity and restart if needed |
| Deprecated API | Generated manifest uses a deprecated Kubernetes API | Update the source chart or Kustomize overlay |
| Validation Error | Generated manifest fails schema validation | Fix the source configuration |
RBAC and Access Control
| Action | Required Permission |
|---|---|
| View delivery page | project.delivery.read |
| Run preview | project.delivery.preview |
| Run generate | project.delivery.generate |
| Manage bindings | project.bindings.manage |
| Manage targets | project.targets.manage |
| Bulk operations | project.bindings.manage + confirmation |
Approval Integration
Production-scoped delivery generation may require approval if an approval policy is bound to the project or environment. The UI displays downstream approval requirements before you execute the generation.
API Reference
| Method | Endpoint | Description |
|---|---|---|
GET | /api/v2/projects/{slug}/delivery/preview | Dry-run delivery generation and return the manifest list |
POST | /api/v2/projects/{slug}/delivery/generate | Generate and commit delivery files to Git |
GET | /api/v2/projects/{slug}/delivery/files | List generated delivery files from the last generation |
Troubleshooting
| Error | Meaning | Resolution |
|---|---|---|
404 project not found | Invalid project context or slug | Verify the project exists and you have access |
400 invalid request body | Malformed delivery settings | Check the delivery form for missing required fields |
500 failed to write delivery manifests | Git commit failure during generation | Check repository health, retry the operation |
400 action must be 'assign' or 'unassign' | Invalid bulk action type | Use the correct action parameter |
409 conflict | Concurrent delivery generation | Wait for the current generation to complete |
Best Practices
- Always preview before generating — Catch issues before they hit Git
- Pin versions in production — Never use
latestor wildcard versions for production environments - Complete the target matrix — Ensure every tenant/environment cell has a target before generating
- Use profiles — Standardize delivery settings across projects with named profiles
- Review warnings — Treat warnings as action items, not noise
- Pair with approval policies — Gate production delivery generation behind approvals
- Monitor sync status — After generation, verify that ArgoCD successfully syncs the new manifests