DevSecOps18 min readFlowNexa Team

Practical DevSecOps for Business Websites: CI/CD, GitOps, Kubernetes, and Monitoring

How FlowNexa deploys a Next.js website and Strapi CMS on Kubernetes with CI/CD, security scanning, a GitOps deployment branch, monitoring, backup, and restore drills.

Jun 29, 2026

Facebook Zalo LinkedIn

Practical DevSecOps for Business Websites: CI/CD, GitOps, Kubernetes, and Monitoring

When a business website moves into production, the question is no longer simply “how do we deploy?”. The more important question is: how do we deploy safely, with control, rollback capability, testing, security gates, and long-term operational stability?

That is why FlowNexa built its website around DevSecOps and GitOps from the start. Instead of manual deploys from a laptop or direct edits on a server, every change flows through testing pipelines, image builds, security scans, manifest updates, and controlled Kubernetes rollouts.

FlowNexa currently runs its public website on Next.js, its CMS on Strapi, and deploys both to Kubernetes for staging and production. Beyond CI/CD, the platform includes monitoring, backup, restore drills, and production resource dashboards.

GitHub Actions pipeline tổng quan cho FlowNexa web và CMS — GitHub Actions pipeline kiểm tra web, CMS và build image trước khi release

Production readiness

Why production websites need more than one deploy command

Once a website has a CMS, multiple environments, SEO, backups, monitoring, and real production traffic, risk grows quickly if deployment stays manual.

Practical DevSecOps for Business Websites: CI/CD, GitOps, Kubernetes, and Monitoring

Why production websites need more than one deploy command

Related insights

What is an AI-ready PMS, and why should hospitality teams prepare now?

Hotel AI assistants are not just chatbots: they need data, context, and workflows

Unknown running version

No security scan

Staging/production drift

Hard rollback

Operator dependency

No post-deploy verify

High-level architecture

CI on main: verify before building images

Checkout repository

Setup Node.js

Install dependencies

Verify web application

SonarQube Cloud scan

Security and quality belong in the pipeline

Operating principle

Build images with immutable tags

Exact traceability

Commit linkage

Fast rollback

Less confusion

Release transparency

GitOps deployment branch: separate source code from deployment state

Staging is production rehearsal

Deploy the new image

Verify web and CMS

Validate CMS media

Backup and restore drill

Capture UI/UX

Check runtime errors

Production readiness on Kubernetes

Web HPA

Single CMS replica

PostgreSQL PVC

Uploads PVC

Dual backup

Verify and monitoring

Operable architecture

Post-deploy monitoring: the part CI/CD often forgets

CPU and memory

Workloads and pods

Post-deploy trends

Resource configuration

Monitoring storage: database, uploads, and backups

Mount mapping

Requested capacity

StorageClass

Usage percentage

Backup volume

Backup principle

DevSecOps is a lifecycle

GitOps manages state

Monitoring answers operations

Production readiness is continuous

Business websites need production readiness, not just deployability