
Unattended Flux installation for GitHub repos (automatic add of deploy key) #2274

Status: Merged (6 commits, Jun 4, 2020)

Conversation

mumoshu (Contributor) commented May 30, 2020

You don't need to manually add GitHub deploy keys anymore.

This feature enables you to install Flux via eksctl in an unattended way, by automatically creating a GitHub deploy key on cluster creation and on eksctl enable repo, and by automatically deleting the deploy key on cluster deletion.

All you need to use this feature is providing GITHUB_TOKEN that has access to your repository's deploy keys, and a standard cluster.yaml that contains a git configuration for installing Flux.

Usage

eksctl create cluster

eksctl automatically creates a deploy key named eksctl-REGION-NAME from the public SSH key generated by Flux:

```
$ eksctl create cluster -f cluster.yaml
*snip*

[ℹ]  created "flux:Deployment.apps/memcached"
[ℹ]  created "flux:Service/memcached"
[ℹ]  created "flux:Secret/flux-git-deploy"
[ℹ]  created "flux:ServiceAccount/helm-operator"
[ℹ]  created "ClusterRole.rbac.authorization.k8s.io/helm-operator"
[ℹ]  created "ClusterRoleBinding.rbac.authorization.k8s.io/helm-operator"
[ℹ]  Waiting for Helm Operator to start
[ℹ]  Helm Operator started successfully
[ℹ]  see https://docs.fluxcd.io/projects/helm-operator for details on how to use the Helm Operator
[ℹ]  Waiting for Flux to start
[ℹ]  fetching public SSH key from Flux
[ℹ]  Flux started successfully
[ℹ]  see https://docs.fluxcd.io/projects/flux for details on how to use Flux
[ℹ]  Flux will only operate properly once it has write-access to the Git repository
[ℹ]  Creating GitHub deploy key from Flux SSH public key
[ℹ]  eksctl-flux-us-east-2-gitops1-br8qufsllhcifvnfv0k0 configured with Flux SSH public key
2020-05-30T10:12:45.276+0900 [DEBUG] plugin.terraform-provider-eksctl: ssh-rsa AAAAB3NzaC1yc2EAAAADAQA*OMITTED*
```

eksctl delete cluster

eksctl automatically deletes the deploy key named eksctl-REGION-NAME by calling the GitHub API:

```
$ eksctl delete cluster -f cluster.yaml
[ℹ]  using region us-east-2
[ℹ]  deleting EKS cluster "gitops1-br8qufsllhcifvnfv0k0"
[ℹ]  deleted 0 Fargate profile(s)
[✔]  kubeconfig has been updated
[ℹ]  cleaning up LoadBalancer services
[ℹ]  3 sequential tasks: { delete nodegroup "ng1", delete IAM OIDC provider, delete cluster control plane "gitops1-br8qufsllhcifvnfv0k0" }
[ℹ]  will delete stack "eksctl-gitops1-br8qufsllhcifvnfv0k0-nodegroup-ng1"
[ℹ]  waiting for stack "eksctl-gitops1-br8qufsllhcifvnfv0k0-nodegroup-ng1" to get deleted
[ℹ]  will delete stack "eksctl-gitops1-br8qufsllhcifvnfv0k0-cluster"
[ℹ]  waiting for stack "eksctl-gitops1-br8qufsllhcifvnfv0k0-cluster" to get deleted
[✔]  all cluster resources were deleted
[ℹ]  Deleting GitHub deploy key
[ℹ]  Deleted GitHub deploy key eksctl-flux-us-east-2-gitops1-br8qufsllhcifvnfv0k0
```

eksctl enable repo

eksctl automatically creates a deploy key named eksctl-REGION-NAME from the public SSH key generated by Flux:

```
$ eksctl enable repo -f cluster.yaml
```

Please also note that this feature has an option to make the deploy key "read-only". With the read-only deploy key, you can effectively block Flux from ever pushing commits to the repository.

This can be enabled by setting git.readOnly to true or passing --readonly to eksctl enable repo.

This can be enabled by setting git.operator.readOnly to true or passing --read-only to eksctl enable repo.

git.operator.readOnly affects Flux only and doesn't prevent eksctl from writing to the git repo for Flux manifests. Use git.commitOperatorManifests: false for that.

Resolves #2273

Description

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Added labels for change area (e.g. area/nodegroup), target version (e.g. version/0.12.0) and kind (e.g. kind/improvement)
  • Make sure the title of the PR is a good description that can go into the release notes
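Added example (not eksctl's code and not part of this PR): a minimal Go client that performs the deploy-key lifecycle the description outlines, namely look up existing keys, add one built from Flux's SSH public key with GitHub's `read_only` flag, and remove it again by title on teardown. The `Client`, `DeployKey`, `EnsureDeployKey` and `DeleteDeployKeyByTitle` names are assumptions of this example, the title format `eksctl-flux-REGION-NAME` is taken from the log output above, `OWNER`, `REPO` and the `ssh-rsa AAAA...` string are placeholders, and the endpoints are GitHub's public `/repos/{owner}/{repo}/keys` REST API with the token sent as `Authorization: token ...`.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
)

// DeployKey carries the subset of GitHub's deploy-key object used here.
type DeployKey struct {
	ID       int64  `json:"id"`
	Title    string `json:"title"`
	Key      string `json:"key"`
	ReadOnly bool   `json:"read_only"`
}

// Client is a minimal GitHub REST client (hypothetical, not eksctl's own code).
type Client struct {
	BaseURL string // https://api.github.com, or a test server
	Token   string // GITHUB_TOKEN with access to the repository's deploy keys
	HTTP    *http.Client
}

// DeployKeyTitle builds the name shown in the PR's log output: eksctl-flux-REGION-NAME.
func DeployKeyTitle(region, cluster string) string {
	return "eksctl-flux-" + region + "-" + cluster
}

// do sends one authenticated request; a non-2xx status is an error, and the
// JSON response is decoded into out when out is non-nil.
func (c *Client) do(method, path string, body []byte, out interface{}) error {
	req, err := http.NewRequest(method, c.BaseURL+path, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "token "+c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	if out != nil {
		return json.NewDecoder(resp.Body).Decode(out)
	}
	return nil
}

// EnsureDeployKey is idempotent: a key with the same title and public key is
// reused (created=false); otherwise one is added with the requested read_only flag.
func (c *Client) EnsureDeployKey(owner, repo, title, pubKey string, readOnly bool) (DeployKey, bool, error) {
	path := fmt.Sprintf("/repos/%s/%s/keys", owner, repo)
	var existing []DeployKey
	if err := c.do("GET", path, nil, &existing); err != nil {
		return DeployKey{}, false, err
	}
	for _, k := range existing {
		if k.Title == title && k.Key == pubKey {
			return k, false, nil
		}
	}
	body, _ := json.Marshal(map[string]interface{}{"title": title, "key": pubKey, "read_only": readOnly})
	var created DeployKey
	if err := c.do("POST", path, body, &created); err != nil {
		return DeployKey{}, false, err
	}
	return created, true, nil
}

// DeleteDeployKeyByTitle removes only the key eksctl created, matched by title,
// and reports whether one was found (a missing key is not an error on teardown).
func (c *Client) DeleteDeployKeyByTitle(owner, repo, title string) (bool, error) {
	path := fmt.Sprintf("/repos/%s/%s/keys", owner, repo)
	var keys []DeployKey
	if err := c.do("GET", path, nil, &keys); err != nil {
		return false, err
	}
	for _, k := range keys {
		if k.Title == title {
			return true, c.do("DELETE", fmt.Sprintf("%s/%d", path, k.ID), nil, nil)
		}
	}
	return false, nil
}

func main() {
	c := &Client{BaseURL: "https://api.github.com", Token: os.Getenv("GITHUB_TOKEN"), HTTP: http.DefaultClient}
	if c.Token == "" { // offline: no request is made without a token
		fmt.Println("GITHUB_TOKEN is unset; nothing to do")
		return
	}
	// Read-only key: Flux can pull manifests but can never push to the repository.
	k, created, err := c.EnsureDeployKey("OWNER", "REPO", DeployKeyTitle("us-east-2", "gitops1"), "ssh-rsa AAAA... flux", true)
	fmt.Println(k.ID, created, err)
}
```

Matching on both title and public key makes a second run of `eksctl enable repo` a no-op instead of a duplicate key, deleting only by the eksctl-owned title leaves keys added by other tooling alone, and a non-2xx answer from GitHub surfaces as an error rather than silently leaving Flux without repository access. Passing `read_only: true` is the API-level counterpart of the `--read-only` option discussed below: the key lets Flux clone the repository but cannot be used to push.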

@mumoshu mumoshu force-pushed the unattended-flux-setup branch 4 times, most recently from a8a330a to da56041 Compare May 30, 2020 02:59
Review threads: pkg/gitops/deploykey/deploykey.go (3 threads, outdated, resolved)
@stefanprodan stefanprodan changed the title feat: Unattended Flux installation feat: Unattended Flux installation for GitHub repos May 30, 2020
mumoshu (Contributor, Author) commented May 30, 2020

@stefanprodan Hey! Thanks for reviewing. Just added e212ee1 to hopefully address every point.

Review threads: pkg/gitops/deploykey/deploykey.go (outdated, resolved), pkg/gitops/deploykey/github.go (resolved)
Contributor review comment on this diff excerpt:

```
logger.Info("Committing and pushing manifests to %s", fi.opts.Repo.URL)
if err = fi.addFilesToRepo(); err != nil {
return "", err
if !fi.opts.ReadOnly {
```

Why is this conditioned by readonly?

mumoshu (Contributor, Author) replied May 31, 2020:

I thought the intention of the user would be that they won't like eksctl to write to the repo as well if they want Flux to be read-only. Is that the right assumption?

If not, maybe we'd better split this into two configuration fields, one for eksctl as e.g. git.commitManifestsOnStart or git.commitOperatorManifestsOnInstall, and one for Flux as e.g. git.operator.readOnly.

WDYT?

mumoshu (Contributor, Author) added:

Anyway, I've added an additional commit to implement what I think best now based on your review: 18f7d76

It's now:

```
git:
  # NEW: Commit and push Flux manifests to the Git Repo on install
  # The default value is true for backward-compatibility, so explicitly set to `false` to disable
  #commitOperatorManifests: false
  repo:
    url: "git@github.com:mumoshu/gitops-demo.git"
    branch: master
    fluxPath: "flux/"
    user: "gitops"
    email: "gitops@myorg.com"
    privateSSHKeyPath: /Users/c-ykuoka/.ssh/id_rsa
  operator:
    namespace: "flux"
    # NEW: Instruct Flux to read-only mode and create the deploy key as read-only
    readOnly: true
```

And commands like eksctl enable repo have been given the respective common Flux flags:

```
      --read-only                         Instruct Flux to read-only mode and create the deploy key as read-only
      --commit-operator-manifests         Commit and push Flux manifests to the Git Repo on install (default true)
```

Review thread: pkg/gitops/gitops.go (outdated, resolved)
@martina-if martina-if changed the title feat: Unattended Flux installation for GitHub repos WIP Unattended Flux installation for GitHub repos Jun 2, 2020
martina-if (Contributor) commented:

@mumoshu Thank you so much for taking the time to build this. We need to discuss in the team if we want to keep this functionality here or somewhere else. I will mark this PR as "changes requested" so we don't accidentally merge it before we have decided.

martina-if (Contributor) left a review:

Blocked so we don't accidentally merge it

martina-if (Contributor) left a review:

Hi @mumoshu I took a quick look but didn't have time to look at the tests. I will do that tomorrow.

Review threads: pkg/apis/eksctl.io/v1alpha5/types.go (outdated, resolved), pkg/apis/eksctl.io/v1alpha5/types.go (resolved), pkg/ctl/enable/repo.go (outdated, resolved)
mumoshu added 2 commits June 4, 2020 20:56
You don't need to manually add GitHub deploy keys anymore.

This feature enables you to install Flux via eksctl in an unattended way, by automatically creating a GitHub deploy key on cluster creation and on `eksctl enable repo`, and by automatically deleting the deploy key on cluster deletion.

All you need to use this feature is providing `GITHUB_TOKEN` that has access to your repository's deploy keys, and a standard cluster.yaml that contains a `git` configuration for installing Flux.

Usage:

```
$ eksctl create cluster -f cluster.yaml

eksctl automatically creates a deploy key named  `eksctl-REGION-NAME` from the public ssh key generated by Flux
```

```
$ eksctl delete cluster -f cluster.yaml

eksctl automatically deletes the deploy key named `eksctl-REGION-NAME` by calling GitHub API
```

```
$ eksctl enable repo -f cluster.yaml

eksctl automatically creates a deploy key named  `eksctl-REGION-NAME` from the public ssh key generated by Flux
```

Please also note that this feature has an extra ability to make the deploy key "read-only". With the read-only deploy key, if you prefer that, you can effectively block Flux from ever pushing commits to the repository.

This can be enabled by setting `git.readOnly` to `true` or passing `--readonly` to `eksctl enable repo`.

Resolves eksctl-io#2273
@mumoshu mumoshu force-pushed the unattended-flux-setup branch from 8b8d55b to 8e6afca Compare June 4, 2020 11:57
martina-if (Contributor) left a review:

Thanks @mumoshu!

stefanprodan (Contributor) left a review:

LGTM

We need to update the docs but this can come later. Thanks @mumoshu 🏅

@martina-if martina-if changed the title WIP Unattended Flux installation for GitHub repos Unattended Flux installation for GitHub repos (automatic add of deploy key) Jun 4, 2020
@martina-if martina-if added the kind/feature New feature or request label Jun 4, 2020
@martina-if martina-if merged commit 0d14857 into eksctl-io:master Jun 4, 2020
@mumoshu mumoshu deleted the unattended-flux-setup branch June 5, 2020 02:03
Labels: kind/feature (New feature or request)

Linked issue: Unattended Flux installation by automated deploy key management

3 participants