Skip to content

Deployment Repository Standard

Deployment repositories do not build application images. They validate the desired state that Argo CD will consume.

Required CI: YAML lint, Helm dependency/lint/template where present, Kustomize build where present, kubeconform against rendered manifests, Trivy Config against source and rendered output, Gitleaks, and optional Nexa policy checks.

All environment overlays are renderable in CI without cluster credentials. Repository documentation identifies applications, clusters/environments, image update policy, owners, and rollback method.

A deployment repository separates shared application definitions from environment-specific values or overlays. It avoids copying complete manifests between AWS and Azure when only registry, ingress, storage class, identity, or resource sizing differs. Environment folders include a short README explaining purpose and any approved deviation from the base.

Changes to image policy, RBAC, ingress, network exposure, persistence, secrets integration, and production resources require Platform Engineering review. Application teams may propose configuration changes, but ownership remains explicit through CODEOWNERS. CI produces rendered artifacts as downloadable evidence when diagnosis requires seeing the final Kubernetes objects.