GitOps - Flux Notes

  • IaC (Infrastructure as Code): all state is managed in git.
    • Every change is atomic and transactional.
    • Production problems are fixed by opening a pull request, not by operating on the cluster directly.
  • No more kubectl.
  • No need to hand cluster credentials to CI.
  • New images are deployed automatically.
    • Watch Docker Registry.

Typical push pipeline with read/write permission outside of the cluster.

Pull pipeline: credentials are kept inside the cluster.


git clone
cd flux

Edit deploy/flux-deployment.yaml (More Config) and point it at your own repo:

# Replace or remove the following URL.
- --git-branch=master

kubectl apply -f deploy

If you want to use helm in the config repo, apply this instead:

kubectl apply -f deploy-helm

Personally, though, I no longer use helm and have switched to Kustomize.

Check flux logs

kubectl -n default logs deployment/flux -f

This is what you see if you did not check Allow write access on the deploy key:

ts=2019-06-14T09:08:15.453604961Z caller=loop.go:85 component=sync-loop err="git repo not ready: attempt to push tag: fatal: Could not read from remote repository., full output:\n ERROR: The key you are authenticating with has been marked as read only.\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n"

Setup GitOps Config Repo

Fork Repo:

brew install fluxctl
fluxctl identity

Repo -> Setting -> Deploy Keys

  • Add deploy key
    • Allow write access

Annotations "true" "true" "true"



Garbage Collection

  • --sync-garbage-collection=true
  • Only resources created by Flux are deleted.
    • Once a resource has been brought under flux ("true" annotation) and is later removed from the manifests, it gets deleted.
  • Changing the source (git repo URL, branch, and paths) relabels the resources.
    • If the git manifest differs, the resource is treated as not created by Flux.

How much permission does Flux need?

kind: ClusterRole
metadata:
  name: flux
  labels:
    name: flux
rules:
- apiGroups: ['*']
  resources: ['*']
  verbs: ['*']
- nonResourceURLs: ['*']
  verbs: ['*']

Basically, that is cluster-admin. Compare with the built-in cluster-admin role in the Kubernetes bootstrap policy source (excerpt):

ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"},
Rules: []rbacv1.PolicyRule{
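To make the "this is cluster-admin" point concrete, here is an added audit helper (not part of the original post or of Flux) that evaluates RBAC rules the way the Kubernetes authorizer does, with "*" matching anything, and runs it over the flux ClusterRole above. The rules are transcribed into Python dicts; NARROW_RULES is a constructed, hypothetical namespace-scoped role used only for contrast.

```python
# Added example: audit what a set of RBAC PolicyRules actually grants.

# Transcribed from the flux ClusterRole shown above (constructed as dicts).
FLUX_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]

# Hypothetical narrower role for comparison (assumption; not shipped by Flux).
NARROW_RULES = [
    {"apiGroups": ["apps", ""],
     "resources": ["deployments", "services", "configmaps"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]

# Capabilities an auditor usually wants to know about.
SENSITIVE = [
    ("get", "", "secrets"),
    ("create", "", "pods"),
    ("bind", "rbac.authorization.k8s.io", "clusterroles"),
    ("escalate", "rbac.authorization.k8s.io", "clusterroles"),
    ("impersonate", "", "users"),
]


def _match(wanted, allowed):
    # Kubernetes RBAC: a literal "*" in a rule matches any value.
    return "*" in allowed or wanted in allowed


def allows(rules, verb, group=None, resource=None, url=None):
    """True if any rule permits `verb` on (group, resource) or on a non-resource URL."""
    for r in rules:
        if not _match(verb, r.get("verbs", [])):
            continue
        if url is not None:
            if _match(url, r.get("nonResourceURLs", [])):
                return True
        elif _match(group, r.get("apiGroups", [])) and _match(resource, r.get("resources", [])):
            return True
    return False


def granted_sensitive(rules):
    """Return the sensitive (verb, group, resource) triples these rules permit."""
    return [t for t in SENSITIVE if allows(rules, *t)]


def is_cluster_admin_equivalent(rules):
    """True when every verb is allowed on every resource of every API group
    and on every non-resource URL, i.e. the same grant as cluster-admin."""
    return allows(rules, "*", "*", "*") and allows(rules, "*", url="*")
```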

Blue Green Deploy

Common Commands

fluxctl sync
fluxctl list-workloads -n demo

fluxctl lock --workload=demo:deployment/echov
fluxctl unlock --workload=demo:deployment/echov

Read More