Giant Swarm offers a flux Managed App which can be installed in tenant clusters. Here we define the flux chart with its templates and default configuration.
It can be used to install flux2 toolkit.
If you want to install the Flux CRDs - crds.install
value, enabled by default - and your Flux CRs as well,
then you need to install the App in 2 steps. First install without the CRs so Helm can create the Flux CRDs
for you. Then in a following apply of the App add your Flux CRs - sources
and kustomizations
values.
The reason for this is how Helm manages CRDs and validation of manifests before it applies them to the cluster. You cannot install CRDs and CRs using those CRDs in the same run as Helm will fail to validate the manifests against the API. It is possible with the Helm 3 native way of installing CRDs but that does not support updating them in the future. Therefore, we install the CRDs using a Job which solves upgrading the CRDs but does not solve installing them at the same time with CRs using those CRDs. In theory the CRs could be installed with a separate Job as well but then those resources are not managed by Helm and would require and another Job upon uninstallation to get cleaned up but this adds a lot a complexity and the risk of deleting resources that were not intended to be deleted by the post install hook of the CR clean-up.
This chart allows to add flux GitRepository
and Kustomization
CRs through values.yaml
You need to create a GitHub token.
Example yaml:
sources:
- kind: GitRepository
name: my-git-source
url: https://github.com/my-org/my-repo.git
provider: github
credentials:
username: my-username
password: github-token
interval: 1m0s
branch: the-branch
kustomizations:
- name: my-kustomization
source_name: my-git-source
path: ./the-path
postBuild:
substitute:
environment: "my-env"
substituteFrom:
- kind: ConfigMap
name: my-env-vars
prune: false
interval: 10m0s
Since your configuration will sometimes contain sensitive data, flux provides several mechanisms to store and handle that data securely. This chart is able to install a gpg secret key for usage with sops. The public key from that same secret can then be used to encrypt the sensitive parts of your configuration, while flux will be able to decrypt it when pulling the configuration.
For this to work, export your secret key using gpg --export-secret-keys --armor <your-gpg-key-id>
.
sopsEncryption:
enabled: true
encryptionKeys:
- |
<output of gpg --export-secret-keys --armor <your-gpg-key-id>>
- |
<output of gpg --export-secret-keys --armor <your-other-gpg-key-id>>
This is the SOPS configuration part for flux-app
. Now we need to set it up as a user secret for App Platform.
Take the above piece of configuration and base64 encode it and save it in a file called let's say user-secret.yaml
.
apiVersion: v1
kind: Secret
metadata:
name: sops-gpg
namespace: my-namespace
data:
values: "<<BASE64_ENCODED_CONFIGURATION_WITH_SECRETS>>"
Then encrypt your secrets using SOPS.
sops --encrypt \
--pgp=<your-gpg-key-id> \
--encrypted-regex '^(data|stringData)$' \
--in-place user-secret.yaml
Finally, you should reference the secret in your App CR:
apiVersion: application.giantswarm.io/v1alpha1
kind: App
metadata:
labels:
app.kubernetes.io/name: flux-app
name: flux-app
namespace: my-namespace
spec:
# ...
userConfig:
secret:
name: sops-gpg
namespace: my-namespace
The App configuration layers will be merged together by the App Platform. You can read more about layer, merging order and example here.
You can read more about managing secrets with Flux here.
This example shows how to import a gpg key into your local keychain and add it to a secret.
- Import public key
gpg --import file-with-public-key
(Exported usinggpg --export --armor KEYID
) sops updatekeys filename
. This requires a.sops.yaml
file which contains all pgp key ids.
To change the encrypted file, one must have all public keys in their keychain. Then its possible to use sops filename
to change the contents of the file.
- When encrypting secrets with SOPS, it's possible to use a 'common' gpg key which is only used for decryption on the cluster. Just add the key id to the
.sops.yaml
file and update the keys used as described in the section above. Now only the private key of the 'common' key needs to be present on the cluster.
Please refer to the contributing guide.