nitinjain999/platform-skills

Production-grade platform engineering handbook — Kubernetes, Terraform, Flux CD, GitHub Actions, AWS, and more.

examples/fluxcd/image-automation/README.md

Image Automation with Flux

Status: Beta

Two side-by-side models for automating container image updates with Flux CD:

| Model | How it works | Best for |
|---|---|---|
| Git-based | Flux commits the updated image tag to Git; normal reconciliation follows | PR-gated promotion, Git as the canonical record of what version is deployed |
| Gitless | CI pushes an OCI artifact with the new tag; a ResourceSetInputProvider picks it up; no Git commit | Flux Operator deployments, fleet management, no Git bot credentials (registry read credentials are still required) |

Git-based image automation

Components

  • ImageRepository — polls a container registry for available tags
  • ImagePolicy — selects the tag to deploy (semver, alphabetical, numerical)
  • ImageUpdateAutomation — commits the selected tag back to the GitOps branch

Files

image-automation/
└── git-based/
    ├── imagerepository.yaml
    ├── imagepolicy.yaml
    └── imageupdateautomation.yaml

Setup

  1. Apply the resources:

    kubectl apply -f git-based/
  2. Mark the image field in your Deployment:

    containers:
      - name: my-app
        image: ghcr.io/my-org/my-app:1.0.0  # {"$imagepolicy": "flux-system:my-app"}
  3. Verify the policy selected a tag:

    kubectl -n flux-system get imagepolicy my-app \
      -o jsonpath='{.status.latestImage}'

Safety rules

  • Set push.branch to a staging branch, not main, for staging clusters; promote to main through a reviewed pull request
  • Use a dedicated deploy key (or bot account) for image automation that nothing else shares. A GitHub deploy key grants read or read/write to the whole repository, never to a path, so pair the key with branch protection on main and rely on update.path to confine which files the automation rewrites
  • Use semver ranges, not :latest. ImagePolicy compares tag names, so a mutable tag that is repointed in the registry produces no new selection and no commit, and what actually runs drifts from what Git records
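The three resources from the Setup steps and the safety rules above, as one complete set. This is an added example written for this README, not the contents of the repo's git-based/ directory. It assumes the bootstrap GitRepository is named flux-system and that its secretRef holds an SSH key with write access, that the staging manifests (including the Deployment carrying the marker from step 2) live under ./clusters/staging, and that the registry pull secret is named registry-credentials; my-org, my-app and the branch names are placeholders.

```yaml
# Added example: a minimal Git-based image automation set for a staging cluster.
# my-app, my-org, flux-system, registry-credentials and ./clusters/staging are
# placeholders, not the files shipped in git-based/.
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: my-app
  namespace: flux-system
spec:
  image: ghcr.io/my-org/my-app
  interval: 5m
  # Pull credentials only: this Secret never needs push rights on the registry.
  secretRef:
    name: registry-credentials
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: my-app
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: my-app
  # A semver range, not :latest. Non-semver tags such as "latest" or
  # "main-abc123" are ignored, and pre-release tags (1.5.0-rc.1) are excluded
  # because the range itself names no pre-release.
  policy:
    semver:
      range: ">=1.0.0 <2.0.0"
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: my-app
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: flux-system   # assumed: its secretRef holds a key with write access
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        name: fluxcdbot
        email: fluxcdbot@example.com
      messageTemplate: "chore(staging): automated image update"
    push:
      # Commits land on "staging", never directly on main; promotion to main
      # goes through a pull request on a protected branch.
      branch: staging
  update:
    # Only files under this path are rewritten. The Deployment with the
    # {"$imagepolicy": "flux-system:my-app"} marker must live here, otherwise
    # the policy selects a tag but no commit is ever made.
    path: ./clusters/staging
    strategy: Setters
```

Apply it with kubectl apply -f and confirm the selection with the jsonpath query from step 3. Because push.branch differs from the checkout branch, Flux creates or fast-forwards the staging branch from main on each update, so main itself is only ever changed by a human-reviewed merge.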

Gitless image automation (recommended for Flux Operator)

Components

  • ResourceSetInputProvider (type: OCIArtifactTag) — polls OCI registry for new tags
  • ResourceSet — generates Kustomizations with << inputs.tag >> substituted

Files

image-automation/
└── gitless/
    ├── resourcesetinputprovider.yaml
    └── resourceset.yaml

How it works

  1. CI builds and pushes a new image tag: ghcr.io/my-org/my-app:1.4.2
  2. ResourceSetInputProvider detects the new tag (polls every 5m or via webhook)
  3. ResourceSet regenerates the Kustomization with APP_IMAGE_TAG: 1.4.2
  4. kustomize-controller applies the updated manifest — no Git commit required
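The two Flux Operator resources behind the four steps above, as an added example for this README rather than the files in gitless/. It assumes the provider, ResourceSet and generated Kustomization carry the names used in the Verify commands (app-image-tag, my-app, flux-system), that the app manifests under ./apps/my-app reference the image as ghcr.io/my-org/my-app:${APP_IMAGE_TAG}, that a dockerconfigjson Secret named registry-credentials exists, and that the OCIArtifactTag provider exports a tag input as documented by Flux Operator; all of those names are placeholders.

```yaml
# Added example: Gitless image automation with Flux Operator. app-image-tag,
# my-app, my-org, flux-system, registry-credentials and ./apps/my-app are
# placeholders, not the files shipped in gitless/.
apiVersion: fluxcd.controlplane.io/v1
kind: ResourceSetInputProvider
metadata:
  name: app-image-tag
  namespace: flux-system
  annotations:
    # Poll the registry every 5 minutes (step 2 above).
    fluxcd.controlplane.io/reconcileEvery: "5m"
spec:
  type: OCIArtifactTag
  url: oci://ghcr.io/my-org/my-app
  # Read-only registry credentials; no Git credentials exist in this model.
  secretRef:
    name: registry-credentials
  filter:
    # Same semver discipline as the Git-based ImagePolicy. limit: 1 keeps only
    # the newest matching tag, so exactly one Kustomization is generated.
    semver: ">=1.0.0 <2.0.0"
    limit: 1
---
apiVersion: fluxcd.controlplane.io/v1
kind: ResourceSet
metadata:
  name: my-app
  namespace: flux-system
spec:
  inputsFrom:
    - kind: ResourceSetInputProvider
      name: app-image-tag
  resources:
    - apiVersion: kustomize.toolkit.fluxcd.io/v1
      kind: Kustomization
      metadata:
        name: my-app
        namespace: flux-system
      spec:
        interval: 10m
        prune: true
        # The manifests still come from Git; only the tag does not.
        sourceRef:
          kind: GitRepository
          name: flux-system
        path: ./apps/my-app
        # ./apps/my-app references image: ghcr.io/my-org/my-app:${APP_IMAGE_TAG}
        # and the generator fills the variable from the provider's tag input
        # (quoted so a tag like 1.4 is not parsed as a YAML number).
        postBuild:
          substitute:
            APP_IMAGE_TAG: "<< inputs.tag >>"
```

Two consequences worth checking before adopting this model: pushing to the registry is now the deploy action, so anyone who can push a tag that matches the semver filter deploys to every cluster running this provider, and registry push rights deserve the same review as merge rights on main; and the record of which tag is running lives in the ResourceSet and Kustomization status and controller events rather than in Git history, so export those if you need an audit trail.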

Verify

# Check the input provider is polling
kubectl describe resourcesetinputprovider app-image-tag -n flux-system

# Check the ResourceSet generated the Kustomization
kubectl get kustomization -l resourceset.fluxcd.io/name=my-app -A

# Check the generated Kustomization status
flux get kustomization my-app -n flux-system

Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| ImageRepository not ready, auth error | Registry credentials wrong or expired | Recreate the registry-credentials Secret |
| ImagePolicy shows no latestImage | No tags match the semver range | Verify the pushed tags with crane ls <repository> |
| No Git commit despite the policy selecting a tag | Missing # {"$imagepolicy": ...} marker, or the marked file is outside update.path | Add the marker comment on the same line as image:, and confirm the file sits under update.path |
| ImageUpdateAutomation failing to push | Deploy key lacks write access | Rotate to a deploy key with write permission |
| ResourceSetInputProvider not detecting a new tag | Wrong semver filter or auth issue | Check the provider status and the registry credentials |
