FluxCD GitOps Toolkit components

Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy.

Install

Install CLI

Flux CLI installation documentation

Check your Kubernetes cluster

flux check --pre

Dev install

For testing purposes you can install Flux without storing its manifests in a Git repository:

flux install

Or using kubectl:

kubectl apply -f https://github.com/fluxcd/flux2/releases/latest/download/install.yaml

QuickStart

.
├── apps                    # application-related files
│   └── exmaple
├── clusters                # cluster-related configuration
│   ├── gitrepo.yaml        # gitrepository (CR)
│   ├── terraform.yaml      # terraform (CR)
│   ├── helm.yaml           # helmrelease (CR)
│   └── notification.yaml   # alert & provider (CR)
└── infrastructure          # IaC configuration (mainly Terraform HCL)
    ├── main.tf
    ├── provider.tf
    └── variable.tf

Source Controller

The main role of the source management component is to provide a common interface for artifact acquisition. The source API defines a set of Kubernetes objects that cluster admins and various automated operators can interact with to offload Git and Helm repository operations to a dedicated controller.

gitrepo.yaml

apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: gitrepo
  namespace: flux-system
spec:
  secretRef:
    name: https-credentials
  interval: 1m
  url: https://github.com/blazehu/gitops_example.git
  ref:
    branch: master

---
apiVersion: v1
kind: Secret
metadata:
  name: https-credentials
  namespace: flux-system
type: Opaque
data:
  username: xxx
  password: xxx

  • The Secret is mainly for authenticating to the Git repository.
  • interval is the interval for pulling Git commits: every minute the controller checks whether the Git repository has new commits.

TF Controller

TF-controller is an experimental controller for Flux to reconcile Terraform resources in the GitOps way. With the power of Flux together with Terraform, TF-controller allows you to GitOps-ify infrastructure, and application resources, in the Kubernetes and Terraform universe, at your own pace.

tf config

infrastructure
├── main.tf
├── provider.tf
└── variable.tf

provider.tf

terraform {
  required_providers {
    tencentcloud = {
      source  = "tencentcloudstack/tencentcloud"
      version = "1.60.5"
    }
  }
}

provider "tencentcloud" {
}

main.tf

resource "tencentcloud_clb_instance" "example" {
  target_region_info_region    = var.region
  target_region_info_vpc_id    = var.vpc
  vpc_id                       = var.vpc
  clb_name                     = var.clb_name
  network_type                 = "OPEN"
  project_id                   = 0
  security_groups              = [tencentcloud_security_group.sg1.id]
  internet_bandwidth_max_out   = "10"
  internet_charge_type         = "TRAFFIC_POSTPAID_BY_HOUR"
  load_balancer_pass_to_target = "true"

  lifecycle {
    ignore_changes = [
      tags,
    ]
  }
}

resource "tencentcloud_security_group" "sg1" {
  description = "默认安全组"
  name        = "example-sg1"
  project_id  = "0"
}

resource "tencentcloud_security_group_lite_rule" "sglr1" {
  egress            = ["ACCEPT#0.0.0.0/0#ALL#ALL"]
  ingress           = ["ACCEPT#0.0.0.0/0#80,443#TCP", "DROP#0.0.0.0/0#ALL#ALL"]
  security_group_id = tencentcloud_security_group.sg1.id
}

output "clb_vip" {
  value = tencentcloud_clb_instance.example.clb_vips[0]
}

terraform.yaml

apiVersion: infra.contrib.fluxcd.io/v1alpha1
kind: Terraform
metadata:
  name: tf-example
  namespace: flux-system
spec:
  interval: 1m
  approvePlan: "auto"
  destroyResourcesOnDeletion: true
  path: ./infrastructure
  sourceRef:
    kind: GitRepository
    name: gitrepo
    namespace: flux-system
  varsFrom:
    - kind: Secret
      name: tf-secret
  writeOutputsToSecret:
    name: tf-output

---
apiVersion: v1
kind: Secret
metadata:
  name: tf-secret
  namespace: flux-system
type: Opaque
data:
  secret_id: xxx
  secret_key: xxx
  region: xxx

  • writeOutputsToSecret writes the Terraform outputs to a Secret so that other resources can reference them.
  • varsFrom: sensitive values are passed into Terraform through this mechanism.

Helm Controller

The Helm Controller is a Kubernetes operator, allowing one to declaratively manage Helm chart releases with Kubernetes manifests.

helm.yaml

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: example
  namespace: flux-system
spec:
  interval: 1m
  targetNamespace: blazehu
  releaseName: example
  chart:
    spec:
      chart: apps/exmaple
      version: ">=0.0.1"
      valuesFile: ./apps/exmaple/values.yaml
      interval: 1m
      sourceRef:
        kind: GitRepository
        name: gitrepo
        namespace: flux-system
  upgrade:
    remediation:
      remediateLastFailure: true
  valuesFrom:
    - kind: Secret
      name: tf-output
      valuesKey: clb_vip
      targetPath: clb.serviceVIP

  • version: a SemVer range (e.g. >=4.0.0 <5.0.0) to automatically upgrade your releases when a new chart version is available in the release's referenced HelmRepository.
  • chart: the name or path at which the Helm chart is available in the sourceRef.
  • valuesFile: alternative list of values files to use as the chart values.
  • releaseName: defaults to a composition of '[TargetNamespace-]Name'.
  • targetNamespace: the namespace to target when performing operations for the HelmRelease. Defaults to the namespace of the HelmRelease.
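The valuesFrom entry is the seam between the TF Controller and the Helm Controller: tf-output is the Secret that writeOutputsToSecret produces, and its clb_vip key lands at clb.serviceVIP in the chart values. As an added illustration (not helm-controller's code), the following Python models that step with a constructed tf-output Secret and constructed chart defaults, decoding the base64 Secret data and failing on a missing Secret or key.

```python
import base64

# Constructed stand-ins for the objects the two controllers exchange: the Secret
# that the Terraform object's writeOutputsToSecret produces (data is base64, as in
# any Kubernetes Secret) and the valuesFrom list from the page's HelmRelease.
TF_OUTPUT_SECRET = {
    "metadata": {"name": "tf-output", "namespace": "flux-system"},
    "data": {"clb_vip": base64.b64encode(b"10.0.0.8").decode()},  # constructed VIP
}
VALUES_FROM = [{"kind": "Secret", "name": "tf-output",
                "valuesKey": "clb_vip", "targetPath": "clb.serviceVIP"}]


def set_path(values, dotted, value):
    """Create the nested keys of a dotted targetPath and set the leaf value."""
    node = values
    *parents, leaf = dotted.split(".")
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value


def merge_values_from(values, entries, secrets):
    """Simplified model of HelmRelease.spec.valuesFrom (not helm-controller's code):
    each entry reads one key of a Secret and places it at targetPath in the values.
    A missing Secret or key raises, mirroring a release that Flux would mark failed."""
    for e in entries:
        secret = secrets.get(e["name"])
        if secret is None:
            raise KeyError(f"Secret {e['name']} not found")
        data = secret["data"]
        if e["valuesKey"] not in data:
            raise KeyError(f"key {e['valuesKey']} missing from Secret {e['name']}")
        value = base64.b64decode(data[e["valuesKey"]]).decode()
        set_path(values, e["targetPath"], value)
    return values


def chart_values():
    """Values the chart renders with after valuesFrom is applied to its defaults."""
    chart_defaults = {"clb": {"serviceVIP": ""}, "replicas": 2}  # constructed values.yaml
    return merge_values_from(chart_defaults, VALUES_FROM, {"tf-output": TF_OUTPUT_SECRET})
```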

Notification Controller

The Notification Controller is a Kubernetes operator, specialized in handling inbound and outbound events.

notification.yaml

apiVersion: notification.toolkit.fluxcd.io/v1beta1
kind: Alert
metadata:
  name: example-alert
  namespace: flux-system
spec:
  providerRef:
    name: generic
  eventSeverity: info
  eventSources:
    - kind: GitRepository
      name: gitrepo
      namespace: flux-system
    - kind: HelmRelease
      name: example
      namespace: blazehu

---
apiVersion: notification.toolkit.fluxcd.io/v1beta1
kind: Provider
metadata:
  name: generic
  namespace: flux-system
spec:
  type: generic
  address: https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK
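The Secret placeholders, the Terraform approvePlan setting, the HelmRelease version range, the Alert eventSources and the Provider address above are the points a reviewer checks before merging these manifests into the GitOps repository. The following added example (not part of the original post or of Flux) runs those checks over the manifests as parsed dicts; that Secret.data must be base64 (stringData takes plain text) and that a Provider can take its address from the Secret named by spec.secretRef are Kubernetes/Flux facts, the remaining thresholds are this checker's own policy.

```python
import base64
import binascii

# The page's manifests as parsed (what yaml.safe_load_all would return), reduced to the
# fields the checks read; kept as literals so this runs with the standard library only.
MANIFESTS = [
    {"kind": "GitRepository", "metadata": {"name": "gitrepo", "namespace": "flux-system"}},
    {"kind": "Secret", "metadata": {"name": "https-credentials", "namespace": "flux-system"},
     "data": {"username": "xxx", "password": "xxx"}},
    {"kind": "Terraform", "metadata": {"name": "tf-example", "namespace": "flux-system"},
     "spec": {"approvePlan": "auto", "destroyResourcesOnDeletion": True}},
    {"kind": "HelmRelease", "metadata": {"name": "example", "namespace": "flux-system"},
     "spec": {"chart": {"spec": {"version": ">=0.0.1"}}}},
    {"kind": "Alert", "metadata": {"name": "example-alert", "namespace": "flux-system"},
     "spec": {"eventSources": [{"kind": "GitRepository", "name": "gitrepo", "namespace": "flux-system"},
                               {"kind": "HelmRelease", "name": "example", "namespace": "blazehu"}]}},
    {"kind": "Provider", "metadata": {"name": "generic", "namespace": "flux-system"},
     "spec": {"type": "generic", "address": "https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK"}},
]


def valid_base64(value):
    """Secret.data values must be base64 text; 'xxx' is rejected (length not a multiple of 4)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def findings(manifests):
    """Return 'Kind/name: message' strings for every manifest that fails a check."""
    known = {(m["kind"], m["metadata"]["name"], m["metadata"]["namespace"]) for m in manifests}
    out = []
    for m in manifests:
        kind, name, spec = m["kind"], m["metadata"]["name"], m.get("spec", {})
        if kind == "Secret":
            bad = [k for k, v in m.get("data", {}).items() if not valid_base64(v)]
            if bad:
                out.append(f"{kind}/{name}: data keys {bad} are not base64 (use stringData for plain text)")
        elif kind == "Terraform" and spec.get("approvePlan") == "auto":
            out.append(f"{kind}/{name}: approvePlan=auto applies every plan without review")
        elif kind == "HelmRelease":
            ver = spec.get("chart", {}).get("spec", {}).get("version", "")
            if ver.startswith(">=") and "<" not in ver:  # heuristic, not a full SemVer parser
                out.append(f"{kind}/{name}: chart version range {ver!r} has no upper bound")
        elif kind == "Alert":
            for s in spec.get("eventSources", []):
                if (s["kind"], s["name"], s["namespace"]) not in known:
                    out.append(f"{kind}/{name}: eventSource {s['kind']}/{s['name']} not found in namespace {s['namespace']}")
        elif kind == "Provider" and "address" in spec:
            out.append(f"{kind}/{name}: webhook URL inline in spec.address; move it to the Secret named by spec.secretRef")
    return out
```

Running it over the page's own manifests yields five findings, including the HelmRelease eventSource that points at namespace blazehu while the HelmRelease object itself lives in flux-system.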

Reference documentation