
Iconicto Kubernetes Config

GitOps Implementation for Iconicto's Kubernetes Cluster Using Weaveworks' FluxCD

Disclaimer: This repo only contains configs for open source projects maintained by Iconicto. All the configs and Helm charts for private/client projects are stored in a private repository for security and privacy reasons.

How it works

Prerequisites

Important Links

Install Flux

The first step in automating Helm releases with Flux is to create a Git repository holding your charts' source code.

Add FluxCD repository to Helm repos:

helm repo add fluxcd https://charts.fluxcd.io

Create the fluxcd namespace:

kubectl create ns fluxcd

Install Flux:

helm upgrade -i flux fluxcd/flux --wait \
  --namespace fluxcd \
  --set registry.pollInterval=1m \
  --set git.pollInterval=1m \
  --set git.url=git@github.com:Iconicto/Kubernetes-Config.git \
  --set syncGarbageCollection.enabled=true

Install Flux Helm Operator with Helm v3 support:

helm upgrade -i helm-operator fluxcd/helm-operator --wait \
  --namespace fluxcd \
  --set git.ssh.secretName=flux-git-deploy \
  --set git.pollInterval=1m \
  --set chartsSyncInterval=1m \
  --set helm.versions=v3 \
  --set createCRD=true

The Flux Helm Operator extends Flux to automate Helm chart releases. A chart release is described through a Kubernetes custom resource named HelmRelease. The Flux daemon synchronizes these resources from Git to the cluster, and the Helm Operator makes sure the Helm charts are released as specified in the resources.

Note that Flux Helm Operator works with Kubernetes 1.11 or newer.

At startup, Flux generates an SSH key and logs the public key. Find the public key with:

fluxctl identity --k8s-fwd-ns fluxcd

In order to sync your cluster state with Git you need to copy the public key and create a deploy key with write access on your GitHub repository.

Open GitHub, navigate to your fork, go to Settings > Deploy keys, click Add deploy key, check Allow write access, paste the Flux public key and click Add key.

Sealed secrets

A Kubernetes controller and tool for one-way encrypted Secrets

At startup, the sealed-secrets controller generates an RSA key pair and logs the public key. Using kubeseal you can save the public key as kubeseal-cert.pem. The public key can be safely stored in Git and used to encrypt secrets without direct access to the Kubernetes cluster; the private key never leaves the cluster:

kubeseal --fetch-cert \
--controller-namespace=fluxcd \
--controller-name=sealed-secrets \
> kubeseal-cert.pem

Set the FILE variable to the path (relative to decrypted/) of the Kubernetes Secret manifest you want to encrypt:

FILE=everything-flutter/secrets.yaml; mkdir -p "secrets/$(dirname "$FILE")" && kubeseal --format=yaml --cert=kubeseal-cert.pem < "decrypted/$FILE" > "secrets/$FILE"

Then commit the sealed file under secrets/ (never the plaintext under decrypted/) and push to origin; Flux will pull it and the sealed-secrets controller will decrypt and deploy it:

git add "secrets/$FILE"
git commit -m "Added $FILE Secret"
git push "$ENV"
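The workflow above only stays safe if plaintext Secret manifests never reach the repository: a SealedSecret is harmless in Git, but a single committed decrypted/ file leaks the credential. The script below is an added example (not part of the Iconicto/Kubernetes-Config repo) of a pre-commit guard for that layout. It assumes the directory names used on this page (decrypted/<app>/ for plaintext input, secrets/<app>/ for kubeseal output) and builds a constructed sample tree so it runs offline; the ciphertext and base64 values in the sample manifests are placeholders, not real data.

```shell
#!/bin/sh
# Added example (not part of the Iconicto/Kubernetes-Config repo): a pre-commit
# guard for the secrets/ tree. Assumed layout from the README: plaintext
# manifests live in decrypted/<app>/ (never committed), kubeseal output lives
# in secrets/<app>/ (committed).
set -eu

# Print "plain", "sealed" or "other" for one manifest. Any top-level
# "kind: Secret" makes the file plaintext, even if a SealedSecret follows it
# in the same multi-document file, so that case is checked first.
classify_manifest() {
    if grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$1"; then
        echo plain
    elif grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$1"; then
        echo sealed
    else
        echo other
    fi
}

# Walk DIR, list every plaintext Secret on stdout, return 1 if any was found.
check_secrets_dir() {
    dir="$1"
    list=$(mktemp)
    find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' \) > "$list"
    bad=0
    while IFS= read -r f; do
        if [ "$(classify_manifest "$f")" = plain ]; then
            echo "plaintext Secret under secrets/: $f"
            bad=1
        fi
    done < "$list"
    rm -f "$list"
    return "$bad"
}

# Return 0 if REPO/.gitignore excludes the decrypted/ tree, non-zero otherwise
# (including when .gitignore is missing).
check_gitignore() {
    grep -Eq '^/?decrypted/?$' "$1/.gitignore" 2>/dev/null
}

# Build a constructed sample repo: one correctly sealed manifest, one plaintext
# Secret that must never reach Git, and a .gitignore covering decrypted/.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/secrets/good-app" "$root/secrets/bad-app" "$root/decrypted/good-app"
    cat > "$root/secrets/good-app/secrets.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: good-app
  namespace: default
spec:
  encryptedData:
    api-key: AgExampleCiphertextConstructedPlaceholder
  template:
    metadata:
      name: good-app
      namespace: default
EOF
    cat > "$root/secrets/bad-app/secrets.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: bad-app
  namespace: default
type: Opaque
data:
  api-key: c2VjcmV0LXZhbHVl
EOF
    printf 'decrypted/\n' > "$root/.gitignore"
}

# Demo run over the constructed tree; a real hook would run from the repo root.
demo=$(mktemp -d)
make_sample_tree "$demo"
check_gitignore "$demo" && echo "decrypted/ is ignored by git"
if check_secrets_dir "$demo/secrets"; then
    echo "secrets/ is clean"
else
    echo "refusing commit: plaintext Secret found"
fi
rm -rf "$demo"
```

Wired in as .git/hooks/pre-commit (with the demo section replaced by `check_gitignore . && check_secrets_dir secrets`), the hook blocks the commit whenever a `kind: Secret` manifest lands under secrets/ or decrypted/ stops being ignored. The kind-based check is deliberately simple; it catches the mistake this page's workflow makes easiest (sealing into the wrong directory or copying the plaintext file by hand), not every way a credential can end up in Git.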