GitOps - Flux notes

  • IaC (Infrastructure as Code): all state is managed in git.
    • Every change is atomic and transactional.
    • Fix production problems by opening a pull request instead of operating on the cluster directly.
  • No more kubectl.
  • No need to hand cluster credentials to CI.
  • A new image is deployed automatically.
    • Watch the Docker Registry.

Typical push pipeline: read/write cluster credentials live outside the cluster.

Pull pipeline: credentials are kept inside the cluster.

Start

https://github.com/weaveworks/flux/blob/master/site/get-started.md

git clone https://github.com/weaveworks/flux
cd flux

Edit deploy/flux-deployment.yaml (More Config) and point it at your own repo:

# Replace or remove the following URL.
- --git-url=git@github.com:RammusXu/flux-get-started
- --git-branch=master

kubectl apply -f deploy

If you want to use helm inside the config repo, apply this instead:

kubectl apply -f deploy-helm

Personally I no longer use helm and have switched to Kustomize.
https://github.com/weaveworks/flux-kustomize-example

Check flux logs

kubectl -n default logs deployment/flux -f

This is what the log shows if you did not tick Allow write access on the deploy key:

ts=2019-06-14T09:08:15.453604961Z caller=loop.go:85 component=sync-loop err="git repo not ready: attempt to push tag: fatal: Could not read from remote repository., full output:\n ERROR: The key you are authenticating with has been marked as read only.\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n"
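Flux writes its logs in logfmt (space-separated key=value pairs, quoted values with Go-style escapes), which is awkward to grep once the err field contains embedded newlines. The following is an added example, not part of the original post or of Flux itself: a small logfmt parser plus a classifier that flags the read-only deploy-key condition above so it can be alerted on instead of being noticed by hand. The first sample line is the one from the post; the second line is constructed here for contrast and its field values are made up.

```python
import re

# Constructed sample input. Line 1 is the sync-loop error quoted in the post;
# line 2 is a made-up, error-free line (its fields are hypothetical) so the
# classifier has something to report as healthy.
SAMPLE_LOGS = r'''ts=2019-06-14T09:08:15.453604961Z caller=loop.go:85 component=sync-loop err="git repo not ready: attempt to push tag: fatal: Could not read from remote repository., full output:\n ERROR: The key you are authenticating with has been marked as read only.\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n"
ts=2019-06-14T09:10:00.000000000Z caller=loop.go:99 component=sync-loop info="sync completed"'''

# key=value where value is either a double-quoted string (with backslash
# escapes allowed inside) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w[\w./-]*)=("(?:[^"\\]|\\.)*"|\S*)')

# Substrings that identify specific failure modes in the err field.
READ_ONLY_MARKER = "has been marked as read only"
NOT_READY_MARKER = "git repo not ready"


def parse_logfmt(line):
    """Parse one logfmt line into a dict; quoted values get their escapes decoded."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            # Go's %q escaping (\n, \", \\) is a subset of Python's unicode_escape.
            fields[key] = raw[1:-1].encode().decode("unicode_escape")
        else:
            fields[key] = raw
    return fields


def classify(fields):
    """Map a parsed line to a short verdict a monitoring rule can key on."""
    err = fields.get("err")
    if err is None:
        return "ok"
    if READ_ONLY_MARKER in err:
        # Deploy key lacks write access: Flux cannot push its sync tag,
        # so nothing will be deployed until the key is fixed.
        return "deploy-key-read-only"
    if NOT_READY_MARKER in err:
        return "git-not-ready"
    return "error"


def scan(log_text):
    """Return (ts, component, verdict) for every non-empty line in log_text."""
    results = []
    for line in log_text.splitlines():
        fields = parse_logfmt(line)
        if fields:
            results.append((fields.get("ts"), fields.get("component"), classify(fields)))
    return results


if __name__ == "__main__":
    for ts, component, verdict in scan(SAMPLE_LOGS):
        print(f"{ts} {component} {verdict}")
```

Feed it `kubectl -n default logs deployment/flux` output on stdin or from a file; anything classified as `deploy-key-read-only` or `git-not-ready` means the cluster is silently drifting from the repo and is worth paging on.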

Set up the GitOps config repo

Fork Repo: https://github.com/weaveworks/flux-get-started

brew install fluxctl
fluxctl identity

Repo -> Settings -> Deploy Keys

  • Add deploy key
    • Allow write access

Annotations

flux.weave.works/automated: "true"
flux.weave.works/ignore: "true"
flux.weave.works/locked: "true"

Doc:

Behavior

Garbage Collection

https://github.com/weaveworks/flux/blob/master/site/garbagecollection.md

  • --sync-garbage-collection=true
  • Only resources created by Flux are deleted.
    • If a resource has been brought under Flux (flux.weave.works/automated: "true") and is then removed from the repo, it will be deleted.
  • Changing the source (git repo URL, branch, and paths) triggers a relabel.
    • If the git manifest differs, the resource is treated as not having been created by Flux.

How much permission does Flux need?

https://github.com/weaveworks/flux/blob/master/deploy/flux-account.yaml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    name: flux
  name: flux
rules:
  - apiGroups: ['*']
    resources: ['*']
    verbs: ['*']
  - nonResourceURLs: ['*']
    verbs: ['*']

Basically that is cluster-admin.
https://github.com/kubernetes/kubernetes/blob/218a2b078b7289b4ba31664cbfceb917999d01af/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go#L188-L197

ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"},
Rules: []rbacv1.PolicyRule{
    rbacv1helpers.NewRule("*").Groups("*").Resources("*").RuleOrDie(),
    rbacv1helpers.NewRule("*").URLs("*").RuleOrDie(),
},
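Because the Flux service account is effectively cluster-admin, whoever can push to the config repo (anyone holding the write-enabled deploy key, or with write access on the fork) can change anything in the cluster. The check below is an added example, not Flux's own code or the post's: it takes ClusterRole rules in the shape `kubectl get clusterrole <name> -o json` returns and reports whether a role is equivalent to cluster-admin, plus the individual rules a reviewer would flag. The two wildcard roles are copied from the manifests above; the third, narrower role is a hypothetical illustration and is not claimed to be sufficient for running Flux.

```python
# Rule sets in the shape of `kubectl get clusterrole <name> -o json` (.rules).
# FLUX_ROLE and CLUSTER_ADMIN mirror the two manifests quoted above;
# SCOPED_ROLE is a constructed, hypothetical narrow role used for contrast.
FLUX_ROLE = {
    "metadata": {"name": "flux"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
}
CLUSTER_ADMIN = {
    "metadata": {"name": "cluster-admin"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
}
SCOPED_ROLE = {
    "metadata": {"name": "example-scoped-role"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    ],
}

READ_VERBS = {"get", "list", "watch"}


def is_wildcard(values):
    """True if a rule field contains the RBAC wildcard '*'."""
    return "*" in values


def grants_full_resource_access(rule):
    """Wildcard on apiGroups, resources and verbs: every API object, every verb."""
    return (is_wildcard(rule.get("apiGroups", []))
            and is_wildcard(rule.get("resources", []))
            and is_wildcard(rule.get("verbs", [])))


def grants_full_nonresource_access(rule):
    """Wildcard on nonResourceURLs and verbs (e.g. /healthz, /metrics, /api)."""
    return is_wildcard(rule.get("nonResourceURLs", [])) and is_wildcard(rule.get("verbs", []))


def is_effectively_cluster_admin(role):
    """A role matches cluster-admin if it has both wildcard rule kinds."""
    rules = role.get("rules", [])
    return (any(grants_full_resource_access(r) for r in rules)
            and any(grants_full_nonresource_access(r) for r in rules))


def risky_rules(role):
    """Human-readable findings for the rules a reviewer would question."""
    findings = []
    for rule in role.get("rules", []):
        if "nonResourceURLs" in rule:
            if grants_full_nonresource_access(rule):
                findings.append("wildcard nonResourceURLs and verbs")
            continue
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if grants_full_resource_access(rule):
            findings.append("wildcard apiGroups/resources/verbs")
        elif is_wildcard(verbs):
            findings.append(f"wildcard verbs on {groups}/{resources}")
        elif "secrets" in resources and READ_VERBS & set(verbs):
            # Reading secrets is the most common 'quiet' escalation path.
            findings.append("read access to secrets")
    return findings


def audit(role):
    """Return (name, is_cluster_admin_equivalent, findings) for a role."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    return name, is_effectively_cluster_admin(role), risky_rules(role)


if __name__ == "__main__":
    for role in (FLUX_ROLE, CLUSTER_ADMIN, SCOPED_ROLE):
        name, admin, findings = audit(role)
        print(f"{name}: cluster-admin equivalent={admin}; findings={findings}")
```

Run it over real roles by loading `kubectl get clusterrole -o json` and passing each item of `.items` to `audit`; any role other than cluster-admin that comes back as equivalent is one where the bound service account's credentials, and anything that can steer them such as a GitOps repo, deserve the same protection as an admin kubeconfig.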

Blue Green Deploy

https://github.com/weaveworks/flagger

Common commands

fluxctl sync
fluxctl list-workloads -n demo

fluxctl lock --workload=demo:deployment/echov
fluxctl unlock --workload=demo:deployment/echov

Read More