Flux Image Update Automation Design Prompt
Set up Flux image automation (ImageRepository, ImagePolicy, ImageUpdateAutomation) so new image tags are scanned, selected by policy, and committed back to Git safely instead of by hand.
- Target user: Platform engineers running Flux who want automated, auditable image bumps
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a Flux GitOps practitioner who has wired image automation that bumps tags from a registry into Git automatically, with policies tight enough that only tags matching an explicit rule are ever promoted.
I will provide:
- Flux version and whether the image-automation + image-reflector controllers are installed
- Registry (ECR, GHCR, GAR, Harbor) and auth model
- Tagging scheme (semver, timestamped, git-sha, `latest`) and the environments to automate
- Where the image markers live (Kustomize, plain manifests, HelmRelease values)
Your job:
1. **Controllers** — confirm `image-reflector-controller` and `image-automation-controller` are installed (`kubectl -n flux-system get deploy` should list both); explain that a default `flux bootstrap` does not install them and they must be added with `--components-extra=image-reflector-controller,image-automation-controller`.
2. **ImageRepository** — define the scan: registry, `interval`, and registry auth, either a cloud identity (`provider: aws|azure|gcp` backed by IRSA, workload identity or pod identity) or a pull secret via `secretRef`. Note that ECR authorization tokens expire after 12 hours, so a static pull secret goes stale; prefer `provider: aws`, which has the controller fetch and refresh the token itself, or a job that rotates the secret.
3. **ImagePolicy** — the heart of safety: choose a semver range (`>=1.2.0 <2.0.0`), a numerical order, or an alphabetical order, combined with a `filterTags` regex (`pattern` plus `extract`) that picks out the comparable part of each tag. Show a policy that only promotes clean semver: an anchored regex rejects `latest` and `-rc`/`-dev` suffixes outright, and semver ranges additionally ignore pre-release versions unless the range itself names one (for example `>=1.0.0-0`). Show a separate timestamp-based policy for dev (`numerical` with `order: asc`, so the newest timestamp wins).
4. **Image markers** — annotate the field to rewrite with the setter comment `# {"$imagepolicy": "<namespace>:<policy-name>"}` so the controller knows exactly which value to replace. For plain YAML and Kustomize patches the marker sits on the `image:` line and the whole `repo:tag` string is rewritten; for HelmRelease values, where repository and tag are usually separate keys, use the `:name` and `:tag` suffixes (for example `{"$imagepolicy": "flux-system:podinfo:tag"}`) so each key receives only its part.
5. **ImageUpdateAutomation** — configure the commit-back: the `GitRepository` source (whose credentials must be able to push), `git.checkout.ref.branch`, commit author and `messageTemplate`, `update.path` to limit which files may be rewritten, and `git.push.branch`. Pushing to a separate branch lets CI or a bot open a PR from it (recommended for prod); pushing to the checked-out branch commits directly (acceptable for dev). Flux only pushes the branch; opening and merging the PR is the job of the Git host or CI. Use one automation per environment with its own `update.path` so a dev policy can never touch prod manifests.
6. **Promotion flow** — dev auto-commits to `main`; prod writes to a dedicated branch, and branch protection on `main` requires a PR, review and passing checks, so a human or CI gate stays in the loop for production.
7. **Debugging** — `flux get images all` and `flux reconcile image repository <name>` to force a scan; why a policy selects no tags (regex or range mismatch, visible in `kubectl describe imagepolicy`); why the marker didn't rewrite (file outside `update.path`, marker names the wrong namespace or policy, or the policy has not resolved a tag yet); and registry-auth failures (expired token, missing `secretRef`, wrong `provider`).
Output as: (a) ImageRepository + ImagePolicy + ImageUpdateAutomation manifests, (b) a marked-up manifest showing the setter comment, (c) a dev-auto / prod-via-PR promotion design, (d) a debug runbook for "no update happened", (e) the top 3 footguns (loose semver range, `latest` leaking in, registry auth) and fixes.
Bias toward: tight ImagePolicy ranges, PR-gated production promotion, and excluding `latest`/pre-release tags.
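The following is a worked example added here, not taken from the page or from the Flux project's documentation: one complete dev-auto / prod-via-PR layout of the kind the prompt asks for, for a hypothetical `podinfo` image in ECR. The account ID, region, namespaces, paths, branch names and the `fluxcdbot` author are assumptions; the apiVersions are those served by Flux 2.3 and later and should be checked against the installed version.

```yaml
# Added example, not from the page or the Flux docs. Assumed: an ECR repo,
# IRSA on image-reflector-controller, a GitRepository "flux-system" whose
# credentials can push, app manifests under ./apps/dev and ./apps/prod.
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata: {name: podinfo, namespace: flux-system}
spec:
  image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/podinfo   # assumed
  interval: 5m
  provider: aws          # controller mints and refreshes the 12h ECR token
  # or, for static credentials: secretRef: {name: ghcr-pull}
---
# prod policy: anchored regex rejects "latest", "1.2.3-rc.1" and
# "main-<sha>-<ts>" outright; the range then pins the major version.
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata: {name: podinfo-prod, namespace: flux-system}
spec:
  imageRepositoryRef: {name: podinfo}
  filterTags:
    pattern: '^v?(?P<ver>[0-9]+\.[0-9]+\.[0-9]+)$'
    extract: '$ver'
  policy:
    semver:
      range: '>=1.2.0 <2.0.0'
---
# dev policy: newest CI build from main, e.g. main-ab12cd3-20240501120000
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata: {name: podinfo-dev, namespace: flux-system}
spec:
  imageRepositoryRef: {name: podinfo}
  filterTags:
    pattern: '^main-[a-f0-9]{7}-(?P<ts>[0-9]{14})$'
    extract: '$ts'
  policy:
    numerical: {order: asc}   # ascending order: highest timestamp wins
---
# dev automation: commits straight to main, but only files under ./apps/dev
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata: {name: podinfo-dev, namespace: flux-system}
spec:
  interval: 10m
  sourceRef: {kind: GitRepository, name: flux-system}
  git:
    checkout:
      ref: {branch: main}
    commit:
      author: {name: fluxcdbot, email: fluxcdbot@example.com}   # assumed
      messageTemplate: "chore(dev): automated image update"
    push:
      branch: main
  update:
    path: ./apps/dev
    strategy: Setters
---
# prod automation: same checkout, pushes to a separate branch. A CI job or
# bot opens the PR; branch protection on main demands review and checks.
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata: {name: podinfo-prod, namespace: flux-system}
spec:
  interval: 10m
  sourceRef: {kind: GitRepository, name: flux-system}
  git:
    checkout:
      ref: {branch: main}
    commit:
      author: {name: fluxcdbot, email: fluxcdbot@example.com}
      messageTemplate: "chore(prod): automated image update"
    push:
      branch: flux-image-updates/prod   # Flux only pushes; it never merges
  update:
    path: ./apps/prod
    strategy: Setters
---
# marker in a plain Deployment (apps/prod/deployment.yaml): the whole
# repo:tag string is rewritten; "flux-system:podinfo-prod" = <ns>:<policy>
apiVersion: apps/v1
kind: Deployment
metadata: {name: podinfo}
spec:
  template:
    spec:
      containers:
        - name: podinfo
          image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/podinfo:1.2.3 # {"$imagepolicy": "flux-system:podinfo-prod"}
---
# marker in HelmRelease values (fragment): repository and tag are separate
# keys, so the :name and :tag suffixes give each key only its own part.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata: {name: podinfo}
spec:
  values:
    image:
      repository: 123456789012.dkr.ecr.us-east-1.amazonaws.com/podinfo # {"$imagepolicy": "flux-system:podinfo-prod:name"}
      tag: 1.2.3 # {"$imagepolicy": "flux-system:podinfo-prod:tag"}
```

Two design choices carry the safety argument. The prod policy relies on the anchored `filterTags` regex rather than on semver's default pre-release exclusion alone, so a tag such as `latest` or `main-ab12cd3-20240501120000` is rejected before any ordering happens. Each environment gets its own ImageUpdateAutomation with a disjoint `update.path`, so even if the dev policy is loosened later it cannot rewrite a file under `./apps/prod`; a single automation with `path: ./` would silently bump both.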