In security-sensitive or regulated environments — such as banking, healthcare, or industrial control systems — strict network segmentation policies prevent direct communication between development and production infrastructure. As a result, software delivery processes in these contexts often rely on manual workflows, including detecting new Docker images, transferring them across isolated domains, and manually applying deployment updates. This paper presents a self-managed, lightweight CI/CD framework specifically designed for such disconnected environments. Rather than managing containers directly, the system automates a critical subset of the DevOps workflow: the detection, transfer, and deployment of updated Docker images across network-isolated zones. It operates from a bastion host with access to both segments, utilizing open-source tools: Diun for monitoring external Docker registries, Skopeo for transferring images securely between registries, and ‘kubectl‘ for updating the corresponding Kubernetes deployments. Notifications are sent via Postfix to maintain traceability at every stage of the process. The main contribution of this work lies in adapting DevOps automation principles to segmented infrastructures without relying on cloud services or central control, a scenario largely unsupported by existing tools. The proposed solution requires no internet access, cloud platforms, or third-party services, making it suitable for environments with strict connectivity restrictions. It is modular, reproducible, and vendor-neutral. Validation in a simulated enterprise scenario confirms the system’s reliability across both successful and failure cases. By targeting the image propagation stage of the deployment pipeline, this work contributes a practical, focused automation tool for CI/CD under constrained network conditions. Source code and deployment artifacts are publicly available to facilitate reuse in similarly restricted environments.
