Re-architecting Argocd Monorepos for Golden Applications in 2026


JR


Adopt a layered monorepo structure with Kyverno for policy enforcement, ServerSideApply, and clear separation of infrastructure and application workloads to maintain golden state integrity.

Golden applications require operational discipline, not just tooling. A monorepo for ArgoCD must balance flexibility for diverse workloads (infra, web apps, custom services) while preventing drift through policy-as-code and declarative automation.

Actionable Workflow

  1. Define Boundaries

    • Split manifests into infra/ and apps/ directories.
    • Use Kustomize overlays for environment-specific tweaks (e.g., dev/, prod/).
    • Enforce naming conventions: cluster-addons/argocd, apps/django-service.
  2. Policy-Driven Governance

    • Deploy Kyverno with Enforce (fail) and Audit (warn) policies for critical requirements (e.g., image updates, resource limits).
    • Set syncOptions: ServerSideApply=true on each Application and use argocd.argoproj.io/sync-wave annotations (not labels) to manage dependency order.
  3. Automate Drift Detection

    • Use ArgoCD Image Updater with imageGenerations to track base image changes.
    • Integrate with External Secrets Operator for secure secret management.
  4. Validate Sync Order

    • Annotate critical applications with argocd.argoproj.io/sync-wave: "1" to ensure infra deploys first.
    • Test policy conflicts in staging before prod.
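As an added example (not from the original post or any project it names), here is how the four steps map onto Argo CD manifests: an infra Application in sync wave 1, an app Application in wave 2, both with server-side apply and self-heal, plus the prod Kustomize overlay for the app. The repository URL, AppProject names, image and paths are placeholders.

```yaml
# Added example, not from the original post. Repo URL, project names and
# paths are placeholders; adjust to your monorepo.
#
# Assumed layout:
#   infra/cluster-addons/cert-manager/{base,overlays/dev,overlays/prod}
#   apps/django-service/{base,overlays/dev,overlays/prod}

# --- file: argocd/cluster-addons-cert-manager.yaml (assumed path) ---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cluster-addons-cert-manager
  namespace: argocd
  annotations:
    # Waves are annotations, not labels. Lower waves sync, and must become
    # healthy, before higher ones, so infra lands ahead of app workloads.
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: infra                                              # placeholder AppProject
  source:
    repoURL: https://git.example.com/platform/monorepo.git    # placeholder
    targetRevision: main
    path: infra/cluster-addons/cert-manager/overlays/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: cert-manager
  syncPolicy:
    automated:
      prune: true            # remove resources that were deleted from Git
      selfHeal: true         # revert out-of-band cluster edits to the golden state
    syncOptions:
    - ServerSideApply=true   # field ownership tracked by the API server;
                             # no last-applied-configuration annotation
    - CreateNamespace=true
---
# --- file: argocd/apps-django-service.yaml (assumed path) ---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: apps-django-service
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "2"   # after infra (wave 1)
spec:
  project: apps                                               # placeholder AppProject
  source:
    repoURL: https://git.example.com/platform/monorepo.git    # placeholder
    targetRevision: main
    path: apps/django-service/overlays/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: django-service
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - ServerSideApply=true
    - CreateNamespace=true
---
# --- file: apps/django-service/overlays/prod/kustomization.yaml ---
# The overlay only patches what differs from base, so manifests are not
# duplicated per environment.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: django-service
resources:
- ../../base
patches:
- path: replicas.yaml      # e.g. replicas: 3 in prod, 1 in dev
  target:
    kind: Deployment
    name: django-service
```

Sync waves order resources within a single sync operation, so the wave 1 before wave 2 guarantee holds when both Applications are children of the same parent (app-of-apps) Application; two standalone Applications sync independently of each other.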

Policy Example: Enforce POD_ID for Observability

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-pod-id-env
spec:
  # Valid values are Enforce (reject the request) and Audit (report only);
  # "fail" is not accepted by the Kyverno API.
  validationFailureAction: Enforce
  rules:
  - name: check-pod-id
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "POD_ID environment variable is required on every container"
      # A plain pattern on the env list would require every env entry to be
      # named POD_ID and to carry a literal value, so any container with a
      # second variable, or one set via valueFrom, would be rejected.
      # Iterate the containers instead and deny when POD_ID is absent.
      foreach:
      - list: "request.object.spec.containers"
        deny:
          conditions:
            all:
            - key: "POD_ID"
              operator: AnyNotIn
              value: "{{ element.env[].name || `[]` }}"
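As an added example (not from the original post), two constructed Pods for dry-running the policy with the Kyverno CLI: one compliant, one missing the variable. The compliant Pod injects POD_ID from the downward API (fieldRef to metadata.name), the usual way to give each pod its own identifier; note that a pattern-based rule requiring a literal value would reject exactly this Pod, which is one reason to check for the variable's presence rather than its value. The image reference is a placeholder.

```yaml
# Added example, not from the original post: constructed Pods for a policy
# dry-run. Save as pod-samples.yaml and run
#
#   kyverno apply enforce-pod-id-env.yaml --resource pod-samples.yaml
#
# With a rule that checks for the presence of POD_ID on every container,
# pod-id-ok passes and pod-id-missing fails.
apiVersion: v1
kind: Pod
metadata:
  name: pod-id-ok
  namespace: default
spec:
  containers:
  - name: app
    image: registry.example.com/django-service:1.2.3   # placeholder image
    env:
    - name: LOG_LEVEL
      value: info
    # Injected from the pod's own metadata: unique per pod, nothing baked
    # into the image, and the same value appears in logs and in kubectl.
    - name: POD_ID
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-id-missing
  namespace: default
spec:
  containers:
  - name: app
    image: registry.example.com/django-service:1.2.3   # placeholder image
    env:
    - name: LOG_LEVEL
      value: info
```

Running the same dry-run in CI against every Pod-producing manifest in apps/ catches violations before Argo CD ever tries to sync them, which is cheaper than discovering them as a blocked sync in staging.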

Tooling Stack

  • ArgoCD: 2.5 or later for server-side apply, which is enabled per Application with syncOptions: ServerSideApply=true; sync waves are resource annotations, so neither requires an argocd-server flag.
  • Kyverno: 1.7+ for SSA compatibility and policy dry-run.
  • External Secrets Operator: Sync secrets from AWS Secrets Manager or Vault.
  • Kustomize: Manage overlays without duplicating manifests.

Tradeoffs & Caveats

  • Complexity: Kyverno policies add evaluation latency; test in non-prod first.
  • False Positives: Overly strict policies can block valid workloads (e.g., debug containers).
  • Sync Conflicts: Misordered sync-wave annotations may cause transient failures.

Troubleshooting Common Issues

  • Stuck Syncs: Check ArgoCD logs for pre-sync-wave failures. Ensure infra apps (e.g., cert-manager) are in wave 1.
  • Policy Violations: Use kyverno get generatingpolicies to debug conflicting rules.
  • Image Updater Conflicts: Disable for apps with custom image promotion workflows.

In 2026, the goal isn’t a “perfect” monorepo—it’s one that enforces guardrails without stifling teams. Start with policy-as-code for non-negotiables (security, observability), automate the rest, and accept that edge cases will require manual exceptions.

Source thread: It’s 2026. Golden Applications and if you could re-write the argocd monorepo what pattern would you use?
