Core Track: guardrails-first chapter in the core learning path.

Estimated Time

  • Reading: 20-25 min
  • Lab: 45-60 min
  • Quiz: 10-15 min

Prerequisites

Source Code References

  • backend-image-repo.yaml
  • develop/
  • gitops-workflow.md
  • production/


What You Will Produce

A reproducible lab result, a passed quiz, and operating evidence (captured image digests and the Git commits that promoted them) showing that a promotion can be audited and rolled back safely during an incident.

Guardrails That Stop It

  • Promotion without rebuild: the tested staging-* image is retagged as production-*, so the production tag points at the same digest. Nothing is rebuilt, which is what keeps the artifact immutable across environments.
  • Immutable tags: Environment/version tags are required (no latest).
  • Git write-back: Flux image automation writes all image updates back to Git for auditability.
  • GitOps-first rollback: Rollback is performed via commit revert, not manual cluster changes.

Immutable Artifact Identity Rule

Promotion must reference the exact artifact identity from the tested environment. Use:

  • Immutable tag pattern: production-vX.Y.Z-<sha>-<ts>
  • Digest-pinned image: image@sha256:<digest>

No rebuild is allowed between the tested and promoted artifact.

Image Automation Pipeline

Flux Image Automation removes manual tag updates. Three resources work together:

  1. ImageRepository: Watches the container registry (e.g., GHCR) for new tags.
  2. ImagePolicy: Filters tags with a regex, extracts a value from the tag, and selects the newest by the numeric order of that value (here a timestamp).
  3. ImageUpdateAutomation: Commits the selected tag back to the Git repository manifests.

Why this logic? The regex pattern ^develop-v.*-(?P<ts>[0-9]+)$ is the critical guardrail here:

  • ^develop-v.*: Ensures we ONLY look at development images, so a production tag can never be selected into a dev environment.
  • (?P<ts>[0-9]+): A named capture group over the trailing digits. The ImagePolicy references it with extract: '$ts' and orders the extracted values with a numerical policy, so the tag with the greatest Unix timestamp (ts) wins regardless of alphabetical order. Plain string sorting would rank develop-v1.9.0 above develop-v1.10.0 and a short digit run above a long one; the numeric policy does not.
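As an added example (not part of the chapter or of Flux itself), the filter-and-select step is reproduced below in shell over a constructed tag list, next to the ImagePolicy manifest it mirrors. The image name backend and the namespace flux-system come from the page's ImageRepository; the policy name backend-develop and every tag value are assumptions.

```shell
#!/bin/sh
# Added example, not from the chapter: mirror the ImagePolicy's
# filterTags + numerical selection in shell, to show why "newest"
# must be decided on the extracted timestamp, not on string order.
set -eu

# The ImagePolicy this script mirrors. Field names are the Flux
# image.toolkit.fluxcd.io API; the policy name is an assumption.
image_policy_manifest() {
  cat <<'EOF'
apiVersion: image.toolkit.fluxcd.io/v1
kind: ImagePolicy
metadata:
  name: backend-develop
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: backend
  filterTags:
    pattern: '^develop-v.*-(?P<ts>[0-9]+)$'
    extract: '$ts'
  policy:
    numerical:
      order: asc
EOF
}

# Constructed tag list, as a registry listing might return it. Two decoys:
# develop-v1.9.0 sorts AFTER develop-v1.10.0 as a string, and the "-999"
# suffix is a non-timestamp digit run that the regex still accepts.
CONSTRUCTED_TAGS='develop-v1.9.0-0a1b2c3-1716999999
develop-v1.10.0-4d5e6f7-1717000200
develop-v1.10.0-4d5e6f7-999
production-v1.9.0-0a1b2c3-1717000100
latest'

# What the policy does: keep only develop-v* tags ending in digits,
# extract the trailing number, order numerically, take the highest.
select_newest_develop_tag() {
  grep -E '^develop-v.*-[0-9]+$' \
    | awk -F- '{ print $NF, $0 }' \
    | sort -k1,1n \
    | tail -n 1 \
    | cut -d' ' -f2-
}

# The wrong way: alphabetical "latest" over the same filtered set.
lexical_latest_tag() {
  grep -E '^develop-v.*-[0-9]+$' | LC_ALL=C sort | tail -n 1
}

printf 'policy picks:  %s\n' "$(printf '%s\n' "$CONSTRUCTED_TAGS" | select_newest_develop_tag)"
printf 'lexical picks: %s\n' "$(printf '%s\n' "$CONSTRUCTED_TAGS" | lexical_latest_tag)"
```

The numeric path selects develop-v1.10.0-4d5e6f7-1717000200; the lexical path selects develop-v1.9.0-0a1b2c3-1716999999, which is the older build. One caveat the decoy exposes: [0-9]+ accepts any digit run, so a stray tag ending in a short number still matches; if your tagging convention guarantees a Unix timestamp, tightening the group to (?P<ts>[0-9]{10}) rejects such tags before the numeric comparison ever sees them.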

Image automation layout

---
apiVersion: image.toolkit.fluxcd.io/v1
kind: ImageRepository
metadata:
  name: backend
  namespace: flux-system
spec:
  # Registry path to scan; ${image_registry} is expected to be substituted
  # at reconcile time (Flux Kustomization postBuild variable substitution)
  image: ${image_registry}/backend
  # How often the registry is scanned for new tags
  interval: 1m0s
  # Pull credentials for GHCR (a docker-registry type Secret)
  secretRef:
    name: ghcr-credentials-docker
  # Which namespaces may reference this repository from their ImagePolicy objects
  accessFrom:
    namespaceSelectors:
      - matchLabels:
          environment: development
      - matchLabels:
          environment: staging
      - matchLabels:
          environment: production

Safe Workflow (Step-by-Step)

  1. Confirm Staging: Verify the tested artifact in staging and capture its digest (the image@sha256:<digest> form, not the tag).
  2. Promote Identity: Add a production-* tag to that same digest (retag only, no rebuild) and confirm the production tag resolves to the captured digest.
  3. Open Promotion PR: Open a PR with the immutable target tag and a review checklist.
  4. Verify Flux: Check the ImagePolicy status, confirm it selected the promoted tag, and confirm the digest running in the cluster matches the one captured in step 1.
  5. Prepare Rollback: Keep the previous commit reference ready so a revert (not a manual cluster change) can be opened immediately if needed.
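The checks behind steps 1, 2 and 4, as an added example that is not part of the chapter or of any project code. Registry access goes through crane (the go-containerregistry CLI); the rule checks themselves are plain functions so they can be exercised offline with constructed values. The image name ghcr.io/example/backend, the tag values, the digest, and the assumption that <sha> is a 7 to 40 character hex commit and <ts> a 10-digit Unix timestamp are all mine, not the page's.

```shell
#!/bin/sh
# Added example, not from the chapter: the promotion guard behind
# steps 1, 2 and 4 of the safe workflow. Registry access goes through
# crane (go-containerregistry); the checks themselves are plain
# functions so they can be exercised offline with constructed values.
set -eu

# Immutable production tag from the chapter: production-vX.Y.Z-<sha>-<ts>.
# Assumed here: <sha> is a 7..40 char hex git commit, <ts> a 10-digit
# Unix timestamp. "latest" and staging-* tags are rejected by construction.
is_immutable_production_tag() {
  printf '%s\n' "$1" | grep -Eq '^production-v[0-9]+\.[0-9]+\.[0-9]+-[0-9a-f]{7,40}-[0-9]{10}$'
}

# Two references are the same artifact only if their sha256 digests match.
same_digest() {
  [ "$1" = "$2" ] && printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Derive the production tag from the staging tag so version, commit and
# timestamp are carried over unchanged; only the environment prefix moves.
# Prints nothing if the staging tag does not carry an immutable identity.
production_tag_for() {
  printf '%s\n' "$1" | sed -n 's/^staging-\(v[0-9][0-9.]*-[0-9a-f]\{7,40\}-[0-9]\{10\}\)$/production-\1/p'
}

# Digest-pinned reference for the promotion PR (stable even if a tag moves).
pinned_ref() {
  printf '%s@%s\n' "$1" "$2"
}

# Live path: resolve the tested digest, add the production tag to the SAME
# manifest (crane tag pushes no layers), and prove the digest did not move.
promote_live() {
  image=$1; src=$2
  dst=$(production_tag_for "$src")
  [ -n "$dst" ] || { echo "staging tag has no immutable identity: $src" >&2; return 1; }
  is_immutable_production_tag "$dst" || { echo "refusing non-immutable target tag: $dst" >&2; return 1; }
  staged=$(crane digest "${image}:${src}")
  crane tag "${image}:${src}" "$dst"
  promoted=$(crane digest "${image}:${dst}")
  same_digest "$staged" "$promoted" || { echo "digest drift after retag: $staged != $promoted" >&2; return 1; }
  pinned_ref "$image" "$promoted"
}

# Offline demonstration with constructed values (no registry needed).
CONSTRUCTED_DIGEST=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
STAGING_TAG=staging-v1.4.2-9f3c2a1-1717000200
echo "promote $STAGING_TAG -> $(production_tag_for "$STAGING_TAG")"
echo "pin as   $(pinned_ref ghcr.io/example/backend "$CONSTRUCTED_DIGEST")"
```

Run promote_live ghcr.io/example/backend staging-v1.4.2-9f3c2a1-1717000200 against a real registry to perform step 2; put the printed image@sha256 reference in the promotion PR for step 3. For step 4, flux get image policy backend -n flux-system shows which tag the policy selected, and kubectl get deploy <name> -o jsonpath='{.spec.template.spec.containers[0].image}' (name assumed) shows what the Kustomization rolled out; both must agree with the captured digest. Step 5 is then git revert <promotion-commit> on the Git repository, never a kubectl edit.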

This builds on: Encrypted secrets (Chapter 03). Git as source of truth requires safe commits.
This enables: CI/CD guardrails (Chapter 05). Automation enforces the GitOps contract.