Add Flux GitOps for ff: app deployment and image automation #27
Merged
rgardner4012 merged 1 commit into main from Feb 25, 2026
…izations
- apps/ff: ExternalSecrets for deploy key and registry auth (OpenBAO,
consistent with ADR 003 — no SOPS needed since ESO is already running)
- GitRepositories ff-main and ff-dev (private repo, SSH deploy key)
- ImageRepository scanning ghcr.io/rgardner4012/flockfeed (private)
- ImagePolicy ff-dev: selects latest dev-YYYYMMDDHHmmss tag
- ImagePolicy ff-production: selects latest main-YYYYMMDDHHmmss tag
- ImageUpdateAutomation: commits updated tags back to dev/main branches
- Kustomizations apps-ff-dev and apps-ff-production: deploy from
k8s/overlays/{dev,production}, depend on infra-ff-postgres
- infra-ff-postgres: add wait:true so app waits for DB on first deploy
Bootstrap: populate ff/deploy-key and ff/registry-auth in OpenBAO
before reconciling (see PR description for key format).
Pull request overview
This PR implements comprehensive Flux GitOps with automated image updates for the "ff" (flockfeed) application across development and production environments. The setup enables automatic deployment when new container images are built and pushed to the registry.
Changes:
- Added Flux GitOps configuration for ff app with separate dev and production environments
- Configured image automation to automatically update manifests when new images are published
- Added `wait: true` to postgres Kustomization to ensure database readiness before app deployment
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| clusters/hlcl1/kustomization.yaml | Added apps/ff to cluster resources |
| clusters/hlcl1/infra/databases/postgres/ks-config.yaml | Added wait: true to ensure postgres is healthy before app deployment |
| clusters/hlcl1/apps/ff/kustomization.yaml | Main kustomization file listing all ff app Flux resources |
| clusters/hlcl1/apps/ff/externalsecret-deploy-key.yaml | SSH deploy key for flockfeed repo (enables write access for image automation) |
| clusters/hlcl1/apps/ff/externalsecret-registry-auth.yaml | Container registry authentication for ghcr.io |
| clusters/hlcl1/apps/ff/gitrepository-main.yaml | Watches main branch of flockfeed repository |
| clusters/hlcl1/apps/ff/gitrepository-dev.yaml | Watches dev branch of flockfeed repository |
| clusters/hlcl1/apps/ff/imagerepository.yaml | Scans ghcr.io/rgardner4012/flockfeed for new container images |
| clusters/hlcl1/apps/ff/imagepolicy-dev.yaml | Selects latest dev-YYYYMMDDHHmmss tagged images |
| clusters/hlcl1/apps/ff/imagepolicy-production.yaml | Selects latest main-YYYYMMDDHHmmss tagged images |
| clusters/hlcl1/apps/ff/imageupdateautomation-dev.yaml | Commits updated image tags to flockfeed dev branch |
| clusters/hlcl1/apps/ff/imageupdateautomation-production.yaml | Commits updated image tags to flockfeed main branch |
| clusters/hlcl1/apps/ff/ks-dev.yaml | Deploys ff app dev environment from k8s/overlays/dev path |
| clusters/hlcl1/apps/ff/ks-production.yaml | Deploys ff app production environment from k8s/overlays/production path |
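
The tag selection that the two ImagePolicy entries describe, sketched in Python as an added example (not code from this PR or from Flux): only tags that are exactly `dev-` or `main-` plus a valid 14-digit timestamp are candidates, and the newest timestamp wins. The regexes, the `select_latest` helper and the tag listing are assumptions constructed for illustration; the PR's own policy manifests are not shown on this page.

```python
import re
from datetime import datetime

# Anchored patterns for the two tag families named in the PR (assumed regexes).
DEV_TAG = re.compile(r"^dev-(?P<ts>\d{14})$")
PROD_TAG = re.compile(r"^main-(?P<ts>\d{14})$")

# Unanchored variant, kept only to show what it lets through.
LOOSE_DEV = re.compile(r"dev-(?P<ts>\d{14})")


def parse_ts(digits):
    """Turn YYYYMMDDHHmmss into a datetime; raises ValueError if not a real date."""
    parts = [digits[0:4], digits[4:6], digits[6:8],
             digits[8:10], digits[10:12], digits[12:14]]
    return datetime(*(int(p) for p in parts))


def select_latest(tags, pattern):
    """Return the matching tag with the newest valid timestamp, or None."""
    best = None
    for tag in tags:
        m = pattern.search(tag)
        if not m:
            continue
        try:
            ts = parse_ts(m.group("ts"))
        except ValueError:
            continue  # 14 digits that are not a date, e.g. month 99
        if best is None or ts > best[0]:
            best = (ts, tag)
    return best[1] if best else None


# Constructed registry listing (not taken from the real repository).
SAMPLE_TAGS = [
    "dev-20260224101500",
    "dev-20260225093000",
    "main-20260220120000",
    "main-20260225080000",
    "latest",
    "dev-20260225",                # too short
    "dev-99999999999999",          # 14 digits, not a timestamp
    "pr-17-dev-20270101000000",    # dev-like substring inside another tag
    "main-20260301000000-hotfix",  # suffix after the timestamp
]

if __name__ == "__main__":
    print("dev:       ", select_latest(SAMPLE_TAGS, DEV_TAG))
    print("production:", select_latest(SAMPLE_TAGS, PROD_TAG))
    print("loose dev: ", select_latest(SAMPLE_TAGS, LOOSE_DEV))
```

With the anchored patterns the `pr-17-…` and `…-hotfix` tags are never candidates; the unanchored pattern selects `pr-17-dev-20270101000000`, which is the case worth checking for in any policy that feeds automated commits and deploys.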
Summary
Wires the ff app into Flux with full GitOps and image automation.
apps/ff/
- ExternalSecret `deploy-key`: … `ff/deploy-key`)
- ExternalSecret `registry-auth`: … `ff/registry-auth`)
- GitRepository `ff-main` / `ff-dev`
- ImageRepository `ff`: … `ghcr.io/rgardner4012/flockfeed` for new tags
- ImagePolicy `ff-dev`: … `dev-YYYYMMDDHHmmss` tag
- ImagePolicy `ff-production`: … `main-YYYYMMDDHHmmss` tag
- ImageUpdateAutomation `ff-dev`: … `dev` branch
- ImageUpdateAutomation `ff-production`: … `main` branch
- Kustomization `apps-ff-dev`: `k8s/overlays/dev`, depends on `infra-ff-postgres`
- Kustomization `apps-ff-production`: `k8s/overlays/production`, depends on `infra-ff-postgres`

Also adds `wait: true` to `infra-ff-postgres` so the app waits for the DB to be healthy on first deploy.

End-to-end flow

Bootstrap: populate secrets in OpenBAO before merging

1. SSH deploy key (`ff/deploy-key`) — needs write access to flockfeed repo for image automation commits:
2. Registry credentials (`ff/registry-auth`) — GitHub PAT with `read:packages` scope: