---
name: helm-deploy
description: Safe Helm deployment with image verification, cache busting, and rollback safety. Prevents deploying stale images.
disable-model-invocation: true
---

# Safe Helm Deploy

Deploy via Helm with image verification: $ARGUMENTS

## Pre-Deploy Checklist

1. **Verify the image exists in the registry**

   ```bash
   # ACR: list the five most recently pushed tags
   az acr repository show-tags --name <registry> --repository <repository> --orderby time_desc --top 5

   # Docker Hub: fails if the tag does not exist
   docker manifest inspect <org>/<image>:<tag>
   ```

2. **Check what's currently running**

   ```bash
   helm list -n <namespace>

   # Prints each pod name followed by the image of every container in it
   kubectl get pods -n <namespace> -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'
   ```

3. **Diff the changes before applying**

   ```bash
   # Requires the helm-diff plugin
   helm diff upgrade <release> <chart> -n <namespace> \
     --set image.tag=<tag> \
     --set image.pullPolicy=Always \
     -f values.yaml
   ```

## Deploy Command Template

```bash
helm upgrade --install <release> <chart> \
  --namespace <namespace> \
  --set image.repository=<registry>/<repository> \
  --set image.tag=<tag> \
  --set image.pullPolicy=Always \
  --atomic \
  --wait \
  --timeout 5m \
  -f values.yaml
```

## Post-Deploy Verification

```bash
# Verify new pods are running
kubectl rollout status deployment/<deployment> -n <namespace>

# Verify the correct image is running
kubectl get pods -n <namespace> -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'

# Check pod logs for startup errors
kubectl logs -l app=<app-label> -n <namespace> --tail=50
```

## Rollback (if needed)

```bash
# Roll back to the previous revision
helm rollback <release> -n <namespace>

# Or to a specific revision:
helm history <release> -n <namespace>
helm rollback <release> <revision> -n <namespace>
```

## Critical Rules

- ALWAYS use `--set image.tag=<tag>` with a unique tag (git SHA, semver)
- ALWAYS use `--set image.pullPolicy=Always` to force fresh pulls
- ALWAYS use `--atomic` for automatic rollback on failure
- ALWAYS use `--wait` to confirm pods are healthy
- NEVER deploy with `:latest` as the only tag
- ALWAYS verify the image exists in registry BEFORE deploying
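
The tag rule and the post-deploy image check above can be scripted as a gate around the deploy command. This is an added example, not part of the original skill: the function names, the pattern accepted as a "unique" tag, and the sample pod listing are assumptions constructed for illustration.

```bash
# Hypothetical helpers (not from the original skill). POSIX sh compatible.

# Succeeds only for a pinned tag. Assumption: "unique" means a 7-40 char
# lowercase git SHA, or semver with optional leading "v" and pre-release suffix.
check_tag() {
  case "$1" in
    ""|latest) return 1 ;;
  esac
  printf '%s\n' "$1" |
    grep -Eq '^([0-9a-f]{7,40}|v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?)$'
}

# stdin: output of the kubectl jsonpath command above. Each pod starts a line
# as "name<TAB>image"; extra containers of that pod follow as bare image lines.
# $1: expected reference "<registry>/<repository>:<tag>".
# Prints "pod<TAB>image" for containers from the same repository that run a
# different tag or digest. Sidecars from other repositories are ignored.
stale_containers() {
  sc_expected="$1"
  sc_repo="${sc_expected%:*}"      # strip ":<tag>", keeps any registry port
  sc_tab=$(printf '\t')
  sc_pod=""
  while IFS= read -r sc_line; do
    [ -n "$sc_line" ] || continue
    case "$sc_line" in
      *"$sc_tab"*) sc_pod="${sc_line%%"$sc_tab"*}"
                   sc_image="${sc_line#*"$sc_tab"}" ;;
      *)           sc_image="$sc_line" ;;
    esac
    case "$sc_image" in
      "$sc_expected") ;;                                   # correct image
      "$sc_repo"|"$sc_repo":*|"$sc_repo"@*)                # same repo, stale
        printf '%s\t%s\n' "$sc_pod" "$sc_image" ;;
    esac
  done
  return 0
}

# Constructed sample listing: two pods, each with an app container and a sidecar.
sample_pods() {
  printf 'api-5c8d-aaa\tregistry.example.com/shop/api:3f9c2ab\n'
  printf 'registry.example.com/mesh/proxy:1.2.3\n'
  printf 'api-5c8d-bbb\tregistry.example.com/shop/api:1e07d55\n'
  printf 'registry.example.com/mesh/proxy:1.2.3\n'
}

check_tag latest || echo "refusing to deploy: tag is empty, 'latest' or unpinned" >&2
sample_pods | stale_containers "registry.example.com/shop/api:3f9c2ab"
```

In a pipeline, run `check_tag` before `helm upgrade` and treat any output from `stale_containers` after the rollout as a failed verification.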