# Chapter 36: GitOps with Flux

While ArgoCD provides a comprehensive platform with a centralized UI and API-driven workflows, Flux takes a fundamentally different approach to GitOps. Developed by Weaveworks and donated to the Cloud Native Computing Foundation (CNCF), Flux treats GitOps operations as standard Kubernetes reconciliations, embedding the control plane directly into the cluster without external dependencies or centralized servers. This architecture aligns with Kubernetes' philosophy of declarative, eventually consistent state management, making Flux particularly suitable for environments prioritizing automation, security through simplicity, and native Kubernetes integration.

This chapter explores Flux's modular architecture, its declarative dependency management capabilities, and its native integration with existing Kubernetes tooling like Kustomize and Helm. We examine how Flux's lightweight, controller-native design enables sophisticated multi-tenant scenarios and progressive delivery patterns while maintaining a minimal operational footprint.

## 36.1 Flux Architecture

Flux operates as a set of specialized controllers that run within the target cluster, continuously reconciling the cluster state with configuration defined in Git repositories, Helm charts, or S3-compatible storage. Unlike ArgoCD's centralized architecture, Flux distributes functionality across focused, composable controllers.

### Core Components

**Source Controller**
The foundation of Flux, managing artifact acquisition and verification. It handles:
- **GitRepository**: Clones Git repositories, monitors branches/tags, and verifies GPG signatures or SSH known hosts
- **HelmRepository**: Indexes Helm chart repositories (HTTP/S or OCI)
- **Bucket**: Synchronizes artifacts from S3-compatible storage (MinIO, AWS S3, GCS, Azure Blob)
- **OCIRepository**: Pulls OCI artifacts (Helm charts packaged as OCI images, plain manifests)

The Source Controller produces artifact tarballs that downstream controllers consume, enabling artifact caching and verification.

**Kustomize Controller**
Specializes in applying Kubernetes manifests using Kustomize. It:
- Downloads artifacts from Source Controller
- Runs `kustomize build` to generate raw manifests
- Applies resources using server-side apply
- Prunes resources no longer in Git
- Health assessment of deployed resources

**Helm Controller**
Manages Helm releases declaratively:
- Sources charts from HelmRepository or GitRepository
- Handles Helm release lifecycle (install, upgrade, rollback, uninstall)
- Supports Helm values from ConfigMaps, Secrets, or inline
- Automated remediation on failed releases

**Notification Controller**
Handles event dispatch and webhook processing:
- Receives events from other controllers
- Dispatches notifications to Slack, Discord, Microsoft Teams, or generic webhooks
- Manages inbound webhooks for GitHub, GitLab, Bitbucket, Harbor, etc.
- Triggers reconciliation based on external events

**Image Automation Controllers** (Optional but critical for CI/CD)
- **ImageReflector Controller**: Scans container registries for new image tags
- **ImageAutomation Controller**: Updates Git repositories with new image references based on policies

### Architectural Philosophy

Flux embraces the **Unix philosophy**: small, focused tools that compose together. Each controller can operate independently—you can use Flux for image automation without using Kustomize, or use Helm Controller without Git sources by pointing to OCI repositories.

**Controller Interactions:**
```
GitRepository (Source) 
    ↓ (produces artifact)
Kustomization (Kustomize Controller)
    ↓ (applies)
Kubernetes API
    ↓ (events)
Notification Controller
    ↓ (alerts)
Slack/Teams/Webhook
```

### GitOps Toolkit

Flux is built on the **GitOps Toolkit**, a set of composable APIs and controllers that can be used to build custom GitOps solutions. The toolkit provides:
- Standardized conditions and status fields for all resources
- Event recording and metrics
- Retry mechanisms with exponential backoff
- Leader election for high availability

## 36.2 Installation and Bootstrap

Flux installation follows a declarative bootstrap pattern where the CLI generates the manifests needed to run Flux, commits them to Git, and then installs them into the cluster. This ensures Flux manages its own lifecycle.

### Prerequisites

- Kubernetes cluster (1.24+)
- kubectl configured to communicate with the cluster
- Git repository initialized (GitHub, GitLab, or generic Git)
- Flux CLI installed

```bash
# macOS/Linux
curl -s https://fluxcd.io/install.sh | sudo bash

# Verify
flux --version
```

### Bootstrap Process

The bootstrap creates a symbiotic relationship where Flux manages itself:

```bash
# Export GitHub token (or GitLab token)
export GITHUB_TOKEN=<your-token>

# Bootstrap Flux
flux bootstrap github \
  --owner=$GITHUB_USER \
  --repository=fleet-infra \
  --branch=main \
  --path=./clusters/production \
  --personal \
  --components-extra=image-reflector-controller,image-automation-controller
```

**What Bootstrap Does:**
1. Creates the Git repository `fleet-infra` if it doesn't exist
2. Generates Flux manifests (CRDs, controllers, RBAC)
3. Commits manifests to `./clusters/production/flux-system/`
4. Installs Flux controllers into the `flux-system` namespace
5. Configures Flux to synchronize with the repository at the specified path

### Bootstrap Manifest Structure

After bootstrap, your repository contains:

```
fleet-infra/
└── clusters/
    └── production/
        └── flux-system/
            ├── gotk-components.yaml    # Controller deployments
            ├── gotk-sync.yaml          # GitRepository and Kustomization for self-management
            └── kustomization.yaml      # Kustomize configuration
```

**gotk-sync.yaml** (Auto-generated):
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m0s
  ref:
    branch: main
  secretRef:
    name: flux-system
  url: https://github.com/$GITHUB_USER/fleet-infra
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./clusters/production
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
```

### Multi-Cluster Bootstrap

For managing multiple clusters from a single repository:

```bash
# Production cluster
flux bootstrap github \
  --owner=company \
  --repository=infrastructure \
  --path=clusters/production \
  --context=production

# Staging cluster  
flux bootstrap github \
  --owner=company \
  --repository=infrastructure \
  --path=clusters/staging \
  --context=staging
```

Repository structure:
```
infrastructure/
├── clusters/
│   ├── production/
│   │   └── flux-system/
│   └── staging/
│       └── flux-system/
└── infrastructure/
    ├── base/
    └── overlays/
```

## 36.3 Source Management

Sources define the origin of configuration and application code. Flux supports multiple source types to accommodate different workflows.

### GitRepository

The most common source type, monitoring Git repositories:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: podinfo
  namespace: flux-system
spec:
  interval: 1m  # How often to check for changes
  url: https://github.com/stefanprodan/podinfo
  ref:
    branch: master
    # Alternative: tag semver filtering
    # semver: ">=6.0.0 <7.0.0"
    # commit: "sha:abc123"
  # Verification (highly recommended)
  verify:
    mode: head  # Verify HEAD commit
    secretRef:
      name: pgp-public-keys  # ConfigMap containing public keys
  
  # Include/exclude paths
  ignore: |
    # Exclude all except kustomize
    /*
    !/kustomize/
  
  # Suspend reconciliation (maintenance mode)
  suspend: false
```

**Authentication Methods:**

**HTTPS with Token (GitHub/GitLab):**
```yaml
spec:
  url: https://github.com/org/repo
  secretRef:
    name: https-credentials
---
apiVersion: v1
kind: Secret
metadata:
  name: https-credentials
  namespace: flux-system
stringData:
  username: flux
  password: ghp_xxxxxxxxxxxxxxxxxxxx  # Personal access token
```

**SSH with Private Key:**
```yaml
spec:
  url: ssh://git@github.com/org/repo
  secretRef:
    name: ssh-credentials
---
apiVersion: v1
kind: Secret
metadata:
  name: ssh-credentials
  namespace: flux-system
stringData:
  identity: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----
  known_hosts: |
    github.com ssh-ed25519 AAAAC3NzaC...
```

### HelmRepository

Indexes Helm chart repositories:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: bitnami
  namespace: flux-system
spec:
  interval: 1h
  url: https://charts.bitnami.com/bitnami
  # OCI-based repositories (recommended for Helm 3.8+)
  type: oci
  url: oci://registry-1.docker.io/bitnamicharts
  secretRef:
    name: registry-credentials
```

### OCIRepository (Modern Artifact Source)

For OCI artifacts (Helm charts as OCI images, plain manifests):

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: podinfo
  namespace: flux-system
spec:
  interval: 5m
  url: oci://ghcr.io/stefanprodan/manifests/podinfo
  ref:
    semver: ">=6.0.0"
  verify:
    provider: cosign  # Verify signatures with Cosign
    secretRef:
      name: cosign-public-key
```

### Bucket (S3-Compatible)

For storing manifests in object storage:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: Bucket
metadata:
  name: my-app-manifests
  namespace: flux-system
spec:
  interval: 5m
  endpoint: s3.amazonaws.com
  bucketName: my-company-manifests
  region: us-east-1
  secretRef:
    name: aws-credentials
  # Prefix/path within bucket
  prefix: production/apps/
```

## 36.4 Kustomization and Configuration Management

The Kustomization CRD extends Kustomize with health checking, dependency management, and automated reconciliation.

### Basic Kustomization

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps/production
  prune: true  # Remove resources not in Git
  sourceRef:
    kind: GitRepository
    name: fleet-infra
  # Target namespace for all resources
  targetNamespace: production
  # Wait for all resources to become ready
  wait: true
  # Timeout for health checks
  timeout: 2m
```

### Advanced Configuration

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure
  namespace: flux-system
spec:
  interval: 1h
  path: ./infrastructure/overlays/production
  sourceRef:
    kind: GitRepository
    name: fleet-infra
  
  # Post-build variable substitution (similar to Kustomize configMapGenerator)
  postBuild:
    substitute:
      cluster_name: "production-us-east"
      region: "us-east-1"
    substituteFrom:
      - kind: ConfigMap
        name: cluster-vars
  
  # Health checks for specific resources
  healthChecks:
    - apiVersion: apps/v1
      kind: Deployment
      name: cert-manager
      namespace: cert-manager
    - apiVersion: apps/v1
      kind: Deployment
      name: ingress-nginx
      namespace: ingress-nginx
  
  # Service account to use for applying (RBAC)
  serviceAccountName: flux-admin
  
  # Retry configuration
  retryInterval: 2m
  
  # Decryption (SOPS integration)
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
```

### Dependency Management

Kustomizations can depend on others, ensuring ordering (e.g., install CRDs before applications):

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  dependsOn:
    - name: infrastructure  # Must be Ready before this applies
    - name: crds
  # ... other spec
```

**Health Check Propagation:**
If `infrastructure` fails health checks (e.g., cert-manager deployment not ready), `apps` will not reconcile until the dependency is healthy.

### SOPS Integration for Secrets

Flux natively supports Mozilla SOPS for encrypting secrets in Git:

```yaml
# .sops.yaml (in repo root)
creation_rules:
  - path_regex: infrastructure/.*\.yaml
    encrypted_regex: ^(data|stringData)$
    pgp: 'FINGERPRINT'
```

Kustomization automatically decrypts:
```yaml
spec:
  decryption:
    provider: sops
```

Encrypted secret in Git:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: api-keys
stringData:
  api-key: ENC[AES256_GCM,data:...,iv:...,type:str]
sops:
  pgp:
    - fp: FINGERPRINT
      created_at: '2024-01-01T00:00:00Z'
      enc: ...
```

## 36.5 Helm Releases with Flux

The HelmRelease CRD provides declarative Helm release management with automated remediation.

### Basic Helm Release

```yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: redis
  namespace: database
spec:
  interval: 5m
  chart:
    spec:
      chart: redis
      version: "18.x"
      sourceRef:
        kind: HelmRepository
        name: bitnami
        namespace: flux-system
      interval: 1m
  # Values (inline)
  values:
    architecture: standalone
    auth:
      enabled: true
      existingSecret: redis-password
    master:
      persistence:
        size: 10Gi
```

### Advanced Helm Configuration

```yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: my-app
  namespace: production
spec:
  interval: 10m
  chart:
    spec:
      chart: my-app
      sourceRef:
        kind: GitRepository
        name: charts
      reconcileStrategy: Revision  # Upgrade on new Git revision
  
  # Values from multiple sources
  valuesFrom:
    - kind: ConfigMap
      name: my-app-defaults
      valuesKey: defaults.yaml
    - kind: Secret
      name: my-app-secrets
      valuesKey: secrets.yaml
      optional: true
  
  # Post-renderers (Kustomize patches to Helm output)
  postRenderers:
    - kustomize:
        patches:
          - target:
              kind: Deployment
              name: my-app
            patch: |
              - op: add
                path: /spec/template/spec/securityContext
                value:
                  runAsNonRoot: true
  
  # Automated remediation
  install:
    remediation:
      retries: 3
      remediateLastFailure: true  # Rollback on failure
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
      strategy: rollback  # Rollback to previous version on failure
    # Automated rollback on deadline exceeded
    timeout: 5m
  
  # Test hooks (Helm tests)
  test:
    enable: true
    ignoreFailures: false
```

### OCI-Based Helm Charts

Modern Helm supports OCI registries:

```yaml
spec:
  chart:
    spec:
      chart: oci://ghcr.io/company/charts/my-app
      version: "1.2.3"
      sourceRef:
        kind: OCIRepository
        name: company-charts
```

## 36.6 Dependencies and Health Checks

Flux provides sophisticated dependency management ensuring resources deploy in correct order and remain healthy.

### Health Assessment

The Kustomize controller performs health assessment for built-in resources:

- **Deployments**: Available replicas >= desired replicas
- **StatefulSets**: Ready replicas >= desired replicas  
- **DaemonSets**: Number ready >= desired number scheduled
- **Services**: Endpoints exist (for ClusterIP)
- **Jobs**: Completed successfully
- **Custom Resources**: If a `CustomHealthCheck` is defined

### Cross-Namespace Dependencies

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: backend-api
  namespace: apps
spec:
  dependsOn:
    - name: database
      namespace: infrastructure  # Cross-namespace reference
```

### Ready State Propagation

A Kustomization is `Ready: True` only when:
1. Source artifact is successfully retrieved
2. All manifests are applied without errors
3. All health checks pass (if specified)
4. No dependency is blocking

### Gates and Approvals

For manual approval workflows, suspend Kustomizations:

```yaml
spec:
  suspend: true  # Pause reconciliation
```

Resume via CLI:
```bash
flux resume kustomization backend-api
```

Or use the Notification Controller to automate approvals based on external signals.

## 36.7 Image Automation

Flux's Image Automation controllers enable automated updates of container images in Git, creating a bridge between CI (building images) and CD (deploying them).

### ImageRepository

Scans container registries for available tags:

```yaml
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: my-app
  namespace: flux-system
spec:
  image: ghcr.io/company/my-app
  interval: 1m
  # Authentication
  secretRef:
    name: registry-credentials
  # Certificate verification
  certSecretRef:
    name: ca-cert
```

### ImagePolicy

Defines update strategies:

```yaml
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: my-app
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: my-app
  policy:
    # Semantic versioning
    semver:
      range: ">=1.0.0 <2.0.0"
    # Alternative: Regex filtering
    # alphabetical:
    #   order: asc
    #   filter: "^staging-[a-f0-9]+$"
  # Filter tags
  filterTags:
    pattern: '^v(?P<version>.*)$'
    extract: '$version'
```

### ImageUpdateAutomation

Commits image tag updates back to Git:

```yaml
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m
  sourceRef:
    kind: GitRepository
    name: flux-system
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        name: Flux Bot
        email: flux@company.com
      messageTemplate: |
        Automated image update
        
        Images:
        {{ range .Updated.Images -}}
        - {{.}}
        {{ end }}
      signingKey:
        secretRef:
          name: flux-gpg-signing-key
    push:
      branch: main
  policy:
    # How to update markers in files
```

### Markers in Git

Flux looks for specific markers in YAML files to update:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
      - name: app
        image: ghcr.io/company/my-app:v1.2.3 # {"$imagepolicy": "flux-system:my-app"}
```

The comment marker `{"$imagepolicy": ...}` tells Flux which ImagePolicy to use for this field.

## 36.8 Notifications and Alerting

The Notification Controller bridges Flux events with external systems.

### Provider Configuration

Define notification endpoints:

```yaml
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
  name: slack
  namespace: flux-system
spec:
  type: slack
  secretRef:
    name: slack-webhook-url
  channel: deployments
  username: Flux
---
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
  name: github-status
  namespace: flux-system
spec:
  type: github
  address: https://github.com/company/repo
  secretRef:
    name: github-token
```

### Alert Resources

Route events to providers:

```yaml
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: on-call
  namespace: flux-system
spec:
  summary: "Production cluster"
  providerRef:
    name: slack
  eventSeverity: error  # info, error
  eventSources:
    - kind: Kustomization
      name: '*'
      namespace: flux-system
    - kind: HelmRelease
      name: '*'
      namespace: production
  # Rate limiting
  throttling: true
  # Inclusion/exclusion filters
  inclusionList:
    - "error.*"
  exclusionList:
    - ".*progressing"
```

### Webhook Receivers

Trigger reconciliation from external events:

```yaml
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
  name: github-webhook
  namespace: flux-system
spec:
  type: github
  events:
    - ping
    - push
  secretRef:
    name: webhook-token
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1
      kind: GitRepository
      name: flux-system
```

## 36.9 Progressive Delivery with Flagger

Flagger is a progressive delivery operator that works with Flux to automate canary, A/B testing, and blue/green deployments.

### Flagger Architecture

Flagger works alongside Flux:
1. Flux deploys the baseline deployment
2. Flagger creates canary deployment and analyzes metrics
3. If metrics pass, Flagger promotes canary to primary
4. If metrics fail, Flagger rolls back

### Canary Deployment

```yaml
apiVersion: flagger.app/v1beta1
kind: Canary
metadata:
  name: my-app
  namespace: production
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: my-app
  service:
    port: 80
    targetPort: 8080
    gateways:
      - istio-gateway
    hosts:
      - my-app.company.com
  analysis:
    interval: 1m
    threshold: 5  # Max failed checks before rollback
    maxWeight: 50
    stepWeight: 10
    metrics:
      - name: request-success-rate
        thresholdRange:
          min: 99
        interval: 1m
      - name: request-duration
        thresholdRange:
          max: 500
        interval: 1m
    webhooks:
      - name: load-test
        url: http://flagger-loadtester.test/
        timeout: 5s
        metadata:
          cmd: "hey -z 1m -q 10 -c 2 http://my-app.company.com/"
  # Reference to Flux HelmRelease or Kustomization
  autoscalerRef:
    apiVersion: autoscaling/v2
    kind: HorizontalPodAutoscaler
    name: my-app
```

### Integration with Flux

Flagger can trigger new analysis on Flux Kustomization changes:

```yaml
spec:
  analysis:
    webhooks:
      - name: flux-helm-release
        type: pre-rollout
        url: http://flagger-loadtester.test/
        timeout: 30s
        metadata:
          type: helmrelease
          name: my-app
          namespace: production
```

## 36.10 Multi-tenancy and RBAC

Flux supports soft multi-tenancy where teams control their namespaces without cluster-admin rights.

### RBAC Impersonation

Each Kustomization or HelmRelease can impersonate a specific service account:

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: team-a-apps
  namespace: team-a
spec:
  serviceAccountName: team-a-reconciler
  sourceRef:
    kind: GitRepository
    name: team-a-repo
  path: ./apps
```

**Service Account Setup:**

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: team-a-reconciler
  namespace: team-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-manager
  namespace: team-a
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-binding
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: team-a-reconciler
    namespace: team-a
roleRef:
  kind: Role
  name: team-a-manager
  apiGroup: rbac.authorization.k8s.io
```

### Cross-Namespace Restrictions

Prevent teams from accessing other namespaces:

```yaml
# Deny cross-namespace refs without proper RBAC
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: bad-example
  namespace: team-a
spec:
  sourceRef:
    kind: GitRepository
    name: other-team-repo
    namespace: team-b  # Blocked unless SA has access to team-b
```

## 36.11 Flux vs. ArgoCD

While both implement GitOps, they serve different operational models:

| Feature | Flux | ArgoCD |
|---------|------|---------|
| **Architecture** | Controllers in cluster | Centralized server + agents |
| **UI** | None native (use Weave GitOps or kubectl) | Rich web UI |
| **Multi-cluster** | Each cluster manages itself (federated) | Centralized control plane |
| **Kustomize/Helm** | Native integration | Supported via repo server |
| **Image Updates** | Built-in automation | Requires Argo Image Updater |
| **Progressive Delivery** | Flagger integration | Argo Rollouts |
| **RBAC** | Kubernetes native RBAC | Internal RBAC + SSO |
| **Bootstrapping** | Self-managing (bootstraps into Git) | Install then configure apps |
| **Resource Usage** | Lightweight (can run on edge) | Heavier, requires Redis |

**Choose Flux when:**
- You prefer Kubernetes-native workflows (kubectl, GitOps without UI)
- Running edge or resource-constrained clusters
- You want controllers to manage themselves without external dependencies
- You need tight integration with existing Kustomize/Helm workflows
- You prefer distributed multi-tenancy (teams own their flux in namespaces)

**Choose ArgoCD when:**
- You need a centralized control plane for multiple clusters
- Teams require a UI for visualization and manual operations
- You want ApplicationSets for complex multi-cluster templating
- You need fine-grained project-based access control
- You want a platform experience with SSO integration

## 36.12 Best Practices

### Security

**1. Verify Sources**
Always enable signature verification:
```yaml
spec:
  verify:
    mode: head
    secretRef:
      name: cosign-public-key
```

**2. Least Privilege**
Use service account impersonation instead of cluster-admin for Flux.

**3. Network Policies**
Restrict egress from flux-system namespace to only necessary endpoints (Git, registries).

**4. Secrets Management**
Use SOPS or External Secrets Operator; never commit plaintext secrets.

### Operations

**1. Health Checks**
Always specify health checks for critical infrastructure:
```yaml
healthChecks:
  - apiVersion: apps/v1
    kind: Deployment
    name: critical-app
```

**2. Resource Limits**
Set resource limits on Flux controllers to prevent starvation:
```yaml
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 1000m
    memory: 1Gi
```

**3. Monitoring**
Monitor controller metrics:
```bash
kubectl port-forward -n flux-system svc/source-controller 8080:80
# Scrape /metrics for Prometheus
```

**4. Drift Detection**
Enable notification alerts for drift (resources modified outside Git).

### Troubleshooting

**Check Status:**
```bash
flux get all --all-namespaces
flux logs --level=error --all-namespaces
```

**Debug Reconciliation:**
```bash
flux suspend kustomization <name>
flux resume kustomization <name> --debug
```

**Force Reconcile:**
```bash
flux reconcile source git <name>
flux reconcile kustomization <name>
```

---

## Chapter Summary and Preview

This chapter explored Flux as a Kubernetes-native GitOps implementation, contrasting its decentralized, controller-based architecture with ArgoCD's centralized platform approach. We examined Flux's modular component system comprising the Source Controller for artifact acquisition, Kustomize Controller for configuration management, Helm Controller for package management, and Notification Controller for event handling. The bootstrap process establishes a self-managing GitOps system where Flux manages its own lifecycle through Git.

We detailed Flux's declarative dependency management through `dependsOn` relationships and health checks, ensuring infrastructure components deploy in correct order and applications only roll out when dependencies are ready. The Image Automation controllers bridge the gap between CI systems building container images and CD systems deploying them, automatically updating Git repositories with new image references based on configurable policies.

Progressive delivery capabilities through Flagger integration provide automated canary analysis and rollback mechanisms, while multi-tenancy support via RBAC impersonation allows teams to manage their own applications without cluster-wide permissions. The comparison with ArgoCD highlighted Flux's strengths in resource-constrained environments, edge computing scenarios, and organizations preferring pure Kubernetes-native workflows over centralized platforms.

**Key Takeaways:**
- Flux's controller-native architecture eliminates single points of failure and reduces operational overhead by treating GitOps as standard Kubernetes reconciliation loops.
- Always verify Git commits using GPG or SSH signatures, and container images using Cosign, to prevent supply chain attacks.
- Use Kustomization health checks and dependencies to enforce deployment ordering and ensure infrastructure readiness before application deployment.
- Leverage SOPS integration for encrypting secrets at rest in Git, maintaining security while preserving GitOps benefits.
- For multi-tenant scenarios, use service account impersonation to restrict Flux's permissions to specific namespaces, preventing privilege escalation.

**Next Chapter Preview:**
Chapter 37: Microservices CI/CD addresses the unique challenges of continuous integration and deployment in distributed microservices architectures. We will explore strategies for managing independent service lifecycles, handling inter-service dependencies, implementing contract testing to ensure API compatibility, and coordinating deployments across service boundaries. The chapter covers monorepo versus polyrepo strategies for microservices, database per-service patterns with schema migration strategies, and techniques for maintaining system integrity during partial deployments, building upon the GitOps foundations established in the preceding chapters to create resilient, scalable delivery pipelines for complex distributed systems.