Guardrails That Stop It
- Promotion without rebuild: `staging-*` is retagged to `production-*`, so the promoted artifact is byte-for-byte the tested one.
- Immutable tags: environment/version tags are required (no `latest`).
- Git write-back: Flux image automation writes every image update back to Git for auditability.
- GitOps-first rollback: rollback is performed via commit revert, not manual cluster changes.
Immutable Artifact Identity Rule
Promotion must reference the exact artifact identity from the tested environment. Use one of:
- Immutable tag pattern: `production-vX.Y.Z-<sha>-<ts>`
- Digest-pinned image: `image@sha256:<digest>`
No rebuild is allowed between the tested and promoted artifact: the production tag is applied to the existing image, never produced by running the build again. Of the two forms, only the digest is content-addressed; a tag can be re-pushed, a digest cannot.
Image Automation Pipeline
Flux Image Automation removes manual tag updates. Three resources work together:
- ImageRepository: watches the container registry (e.g., GHCR) for new tags.
- ImagePolicy: filters tags using a regex and selects the newest by timestamp.
- ImageUpdateAutomation: commits the selected tag back to the manifests in the Git repository.
Why this logic?
The regex pattern `^develop-v.*-(?P<ts>[0-9]+)$` is the critical guardrail here:
- `^develop-v.*`: ensures we only look at development images, preventing a production tag from accidentally landing in a dev environment.
- `(?P<ts>[0-9]+)`: a named capture group. It tells Flux to treat the last dash-separated part of the tag as a Unix timestamp (`ts`), so the policy can order tags numerically and pick the image that is truly newest regardless of alphabetical order.
The pattern only inspects tag names, so it cannot tell whether a tag was re-pushed with different content; that is what the digest pin is for.
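To check a filter pattern against a real tag list before wiring it into an ImagePolicy, the selection logic can be modelled locally. The script below is an added example, not code from the page or from Flux: it reproduces what `filterTags.pattern` plus `filterTags.extract: $ts` do, and compares a numerical ordering with an alphabetical one on the same extracted value. The tag list is constructed sample data; a real run would feed it from `crane ls` or the registry API.

```bash
#!/usr/bin/env sh
# Added example: local model of the ImagePolicy tag filter/extract step.
# Constructed sample tags (not real registry output). Note the 9-digit
# timestamp on the v1.10.0 tag: it is OLDER than the 10-digit ones.
SAMPLE_TAGS='develop-v1.2.0-abc1234-1700000000
develop-v1.10.0-def5678-999999999
production-v1.2.0-abc1234-1700000500
develop-v1.3.0-0badf00-1700000100
latest'

# Filter + extract: print "<ts> <tag>" for every tag the pattern accepts.
# sed has no named groups, so (?P<ts>[0-9]+) becomes plain group \2.
filter_and_extract() {
  printf '%s\n' "$1" | sed -nE 's/^(develop-v.*-([0-9]+))$/\2 \1/p'
}

# Number of tags that survive the filter (production-* and latest must not).
count_candidates() {
  filter_and_extract "$1" | wc -l | tr -d ' '
}

# policy.numerical.order: asc -> the highest extracted number wins.
select_numerical() {
  filter_and_extract "$1" | LC_ALL=C sort -k1,1n | tail -n 1 | cut -d' ' -f2
}

# policy.alphabetical on the same extracted value -> string compare, where
# "999999999" sorts above "1700000100". This is the wrong pick that the
# numerical policy exists to avoid.
select_alphabetical() {
  filter_and_extract "$1" | LC_ALL=C sort -k1,1 | tail -n 1 | cut -d' ' -f2
}

echo "candidates  : $(count_candidates "$SAMPLE_TAGS")"
echo "numerical   : $(select_numerical "$SAMPLE_TAGS")"
echo "alphabetical: $(select_alphabetical "$SAMPLE_TAGS")"
```

Swap `SAMPLE_TAGS` for the real tag list and confirm that `count_candidates` excludes every non-development tag and that `select_numerical` returns the image you expect before committing the pattern.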
Image automation layout
The ImageRepository object (the ImagePolicy and ImageUpdateAutomation objects are not reproduced here):

```yaml
---
apiVersion: image.toolkit.fluxcd.io/v1
kind: ImageRepository
metadata:
  name: backend
  namespace: flux-system
spec:
  image: ${image_registry}/backend   # substituted at apply time
  interval: 1m0s                     # registry scan frequency
  secretRef:
    name: ghcr-credentials-docker    # pull credentials for GHCR
  accessFrom:                        # ImagePolicies in these namespaces may reference this repository
    namespaceSelectors:
      - matchLabels:
          environment: development
      - matchLabels:
          environment: staging
      - matchLabels:
          environment: production
```
Safe Workflow (Step-by-Step)
- Confirm staging: verify the tested artifact in `staging` and capture its digest.
- Promote identity: retag the staging image to a production tag (no rebuild).
- Open promotion PR: open a PR with the immutable target tag and a review checklist.
- Verify Flux: check the `ImagePolicy` status and confirm the new digest is live.
- Prepare rollback: keep the previous commit reference ready for an immediate revert if needed.
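The five steps as shell functions, as an added example that is not part of the original page and not a script shipped with Flux. It wraps the `crane`, `flux`, `kubectl` and `git` CLIs; the registry path `REPO`, the `production` namespace, the `app=backend` pod label and an ImagePolicy named `backend` in `flux-system` are assumptions for illustration. Only the offline checks run at the top level; `promote_no_rebuild`, `verify_flux` and `rollback` touch the registry, cluster and Git and are meant to be called one step at a time.

```bash
#!/usr/bin/env bash
# Added example: promotion workflow with a "no rebuild" guard.
set -eu

REPO="${REPO:-ghcr.io/example/backend}"   # assumed registry path

# Gate: the target tag must follow production-vX.Y.Z-<sha>-<ts>.
# Returns 0 for a valid immutable tag, 1 otherwise, so "latest" and a bare
# "production-v1.2.0" are rejected before anything is retagged.
# (sha assumed to be 7-40 lowercase hex characters.)
promotion_tag_ok() {
  printf '%s\n' "$1" | grep -Eq '^production-v[0-9]+\.[0-9]+\.[0-9]+-[0-9a-f]{7,40}-[0-9]+$'
}

# The reference to write into the manifest: tag for humans, digest for the
# kubelet. When both are present, the digest is what gets pulled.
pinned_ref() {   # pinned_ref REPO TAG DIGEST
  printf '%s:%s@%s\n' "$1" "$2" "$3"
}

# The guardrail itself: no rebuild between tested and promoted artifact.
# Returns 0 only when both digests are present and identical.
same_artifact() {  # same_artifact STAGING_DIGEST PRODUCTION_DIGEST
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Steps 1-2: capture the staging digest, retag that exact digest, re-read it.
promote_no_rebuild() {  # promote_no_rebuild STAGING_TAG PRODUCTION_TAG
  local staging_tag=$1 prod_tag=$2 staging_digest prod_digest
  promotion_tag_ok "$prod_tag" || { echo "refusing non-immutable tag: $prod_tag" >&2; return 1; }
  staging_digest=$(crane digest "$REPO:$staging_tag")
  crane tag "$REPO@$staging_digest" "$prod_tag"      # new tag on the existing blobs; nothing is built
  prod_digest=$(crane digest "$REPO:$prod_tag")
  same_artifact "$staging_digest" "$prod_digest" || { echo "digest changed during promotion" >&2; return 1; }
  pinned_ref "$REPO" "$prod_tag" "$prod_digest"       # step 3: paste this into the promotion PR
}

# Step 4: after the PR merges, force a scan and confirm what the cluster runs.
verify_flux() {  # verify_flux EXPECTED_DIGEST
  flux reconcile image repository backend -n flux-system
  flux get image policy backend -n flux-system
  # imageID on the running pods carries the digest that was actually pulled
  kubectl get pods -n production -l app=backend \
    -o jsonpath='{.items[*].status.containerStatuses[*].imageID}' | grep -q "$1"
}

# Step 5: rollback is a revert of the promotion commit, never a kubectl edit.
# Record $(git rev-parse HEAD) before merging so the argument is at hand.
rollback() {  # rollback PROMOTION_COMMIT
  git revert --no-edit "$1" && git push
}

# Offline demonstration of the gate and the pin format (constructed values).
promotion_tag_ok "production-v1.2.0-abc1234-1700000500" && echo "tag accepted"
if promotion_tag_ok "latest"; then echo "BUG: latest accepted"; else echo "latest rejected"; fi
pinned_ref "$REPO" "production-v1.2.0-abc1234-1700000500" \
  "sha256:0000000000000000000000000000000000000000000000000000000000000000"
```

Run `promote_no_rebuild develop-v1.2.0-abc1234-1700000000 production-v1.2.0-abc1234-1700000500` from a shell with registry credentials; the printed pinned reference is the value for the PR, and `verify_flux <digest>` after the merge is the check that the cluster is running the tested bytes.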
This builds on: Encrypted secrets (Chapter 03), since Git as source of truth requires safe commits.
This enables: CI/CD guardrails (Chapter 05), where automation enforces the GitOps contract.