Engineer • A member of Cloud Native Taiwan User Group (CNTUG)
Blog: https://pohsienshih.github.io/
Github: https://github.com/pohsienshih
Email: [email protected]
The GitOps concept is to use Git as the single source of truth for declarative infrastructure and applications. It means the lifecycle of the program (from development to deployment) can be version controlled in Git, and the automated workflow can also be triggered by Git events (push, PR, etc.).

Benefits:
1. Fast deployment
2. Easier rollback and review of changes
3. Easier compliance and auditing
4. Friendly for developers who are already familiar with Git

Ref:
https://www.weave.works/blog/gitops-operations-by-pull-request
https://www.weave.works/technologies/gitops/
“... makes GitOps happen in your cluster. It ensures that the cluster config matches the one in git and automates your deployments (Continuous Delivery).” - Weaveworks Official Website
Ref: https://www.weave.works/oss/flux/

Features:
• Automated git->cluster synchronisation.
• Automated deployment of new container images.
Flux pod <flux pod name> (namespace flux) clones git@<git server>:<your manifest repository>

Check the state of the Flux workloads:
$ kubectl get all -n flux

Get the SSH public key of Flux:
$ fluxctl identity --k8s-fwd-ns flux
ssh-rsa AAAAB3N...

Add this key to your Git repository. Make sure the Flux daemon has the privilege to clone the repository.
Implementation
git pull && kubectl apply && git tag

Equivalent to the following commands:
1. Get the latest commit from the repo.
2. Apply the new version of the manifest.
3. Push a tag (flux/flux-sync) to the commit, which means it has been processed by Flux.
Git Polling Interval
• How often Flux looks for new commits.
• Five minutes by default.
• Control the interval with the flag --git-poll-interval, e.g. --git-poll-interval=1m30s

Flux Sync Interval
• How often Flux applies what is in the Git repo if there are no new commits.
• This can recover resources affected by unexpected factors (e.g. manual edits in the cluster).
• Five minutes by default.
• Control the interval with the flag --sync-interval, e.g. --sync-interval=1m30s

Ref: https://docs.fluxcd.io/en/1.18.0/faq.html#how-often-does-flux-check-for-new-images
Trigger the synchronization manually:
$ fluxctl sync --k8s-fwd-ns <flux daemon deployment namespace>
Revision of master to apply is 0cff093
Waiting for 0cff093 to be applied ...
Done.
Garbage Collection
Flux will not get rid of resources in the cluster if they have been removed from the repository.
You can enable garbage collection with the flag --sync-garbage-collection. Flux then uses the label fluxcd.io/sync-gc-mark to recognize the resources created by fluxd and destroys those that are no longer in the repository.
Ref: https://docs.fluxcd.io/en/1.18.0/references/garbagecollection.html

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: web-service-deployment
    fluxcd.io/sync-gc-mark: <hashcode>
spec: ...
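To make the garbage-collection rule concrete, here is an added example (not Flux's own code) that models the decision: a cluster resource is deleted only if it carries the fluxcd.io/sync-gc-mark label and has disappeared from the manifests in Git, so resources created by hand are never touched. The cluster state, the repo contents and the mark values are all constructed for the example; the real mark is a hash written by fluxd, represented here by a placeholder.

```python
"""Added example (not Flux's own code): how --sync-garbage-collection decides what to delete.

Flux labels each resource it applies with fluxcd.io/sync-gc-mark. With garbage
collection enabled, a cluster resource is deleted only when it carries that label
and is no longer present in the manifests in Git. Resources created by hand (no
label) are left alone. All data here is constructed; the mark values are
placeholders, not the hash Flux really writes.
"""
from dataclasses import dataclass, field

GC_MARK = "fluxcd.io/sync-gc-mark"


@dataclass
class Resource:
    kind: str
    namespace: str
    name: str
    labels: dict = field(default_factory=dict)

    @property
    def id(self) -> str:
        # namespace:kind/name, the way fluxctl identifies a workload
        return f"{self.namespace}:{self.kind.lower()}/{self.name}"


def stamp(resource: Resource, mark: str) -> Resource:
    """Copy of a manifest resource carrying the gc mark, as fluxd adds it on apply."""
    return Resource(resource.kind, resource.namespace, resource.name,
                    {**resource.labels, GC_MARK: mark})


def plan_garbage_collection(cluster, repo):
    """Ids of cluster resources Flux would delete: marked by Flux and gone from Git."""
    desired = {r.id for r in repo}
    return sorted(r.id for r in cluster
                  if GC_MARK in r.labels and r.id not in desired)


# Constructed manifests currently in the Git repo.
REPO = [
    Resource("Deployment", "default", "web-service", {"app": "web-service-deployment"}),
    Resource("Ingress", "default", "web-ingress"),
]

# Constructed cluster state: the two resources still in Git, a deployment that
# was removed from Git (still marked), and a Pod someone created by hand (no mark).
CLUSTER = [stamp(r, "placeholder-hash") for r in REPO] + [
    stamp(Resource("Deployment", "default", "old-api"), "placeholder-hash"),
    Resource("Pod", "default", "manual-debug", {"owner": "oncall"}),
]

if __name__ == "__main__":
    for rid in plan_garbage_collection(CLUSTER, REPO):
        print("would delete:", rid)
```

Running the block reports only default:deployment/old-api: the hand-made Pod is absent from Git too, but without the mark it is outside Flux's ownership, which is exactly the safety property the label provides.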
Temporarily Ignore the Manifest
Flux has a feature that can temporarily ignore a manifest. This means when Flux detects a new image, it will only update the Git manifest repo, and will not update the resource in the cluster.
Ref: https://docs.fluxcd.io/en/stable/faq.html#can-i-temporarily-make-flux-ignore-a-manifest

Use the following annotation to make Flux ignore the manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-web
  ...
  annotations:
    fluxcd.io/ignore: "true"
spec: ...
Lock the Resource
A feature similar to ignore is lock. Locking a workload will stop manual or automated releases to that workload. Changes made in the file will still be synced.
Ref: https://docs.fluxcd.io/en/stable/references/fluxctl.html#locking-a-workload

Use the following annotation to make Flux lock the workload:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-web
  ...
  annotations:
    fluxcd.io/locked: 'true'
    fluxcd.io/locked_user: "pohsien <[email protected]>"

Or you can simply use the command:
$ fluxctl lock --workload=<workload name> --k8s-fwd-ns <flux daemon namespace>
Unlock the Resource
Ref: https://docs.fluxcd.io/en/stable/references/fluxctl.html#locking-a-workload

Remove the following annotation to make Flux unlock the workload:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-web
  ...
  annotations:
    fluxcd.io/locked: 'true'
    fluxcd.io/locked_user: "pohsien <[email protected]>"

Or you can simply use the command:
$ fluxctl unlock --workload=<workload name> --k8s-fwd-ns <flux daemon namespace>
Ignore / Lock

                                            Ignore   Lock
Scan a new image                              V       V
Auto update the manifest and add a commit     V       X
Sync between manifest and workload            X       V

Workload: the workloads executed on the cluster.
Manifest: the YAML files in the Git repo.
Flux can be used to automate container image updates in the cluster.
Ref: https://docs.fluxcd.io/en/stable/references/automated-image-update.html#

Use the following annotation to enable the auto update mechanism:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-web
  ...
  annotations:
    fluxcd.io/automated: "true"

Or you can simply use the command:
$ fluxctl automate --workload=<workload name> --k8s-fwd-ns <flux daemon namespace>
Remove the following annotation to disable the auto update mechanism:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-web
  ...
  annotations:
    fluxcd.io/automated: "true"

Or you can simply use the command:
$ fluxctl deautomate --workload=<workload name> --k8s-fwd-ns <flux daemon namespace>
Implementation
Enable automatic deployment:
1. Scan the registry to get the metadata of the image.
2. Update the manifest and push a commit to the Git repo.
3. Apply the new version of the manifest to the Kubernetes cluster.
4. Push a tag (flux/flux-sync) to the commit, which means it has been processed by Flux.

*Flux doesn't support the latest tag. Every image tag must be unique.
Registry Scanning Interval
• The rate limit at which Flux scans the registry for image metadata.
• As quickly as it can.
• Control the interval with the flags --registry-rps and --registry-burst.
• To avoid being blacklisted by the registry, increasing the rate limit is not recommended.

Workloads (enable auto-deploy) Update Interval
• How often Flux checks for updates for automated workloads.
• This can recover the workloads affected by unexpected factors.
• Five minutes by default.
• Control the interval with the flag --automation-interval, e.g. --automation-interval=1m30s

Ref: https://docs.fluxcd.io/en/1.18.0/faq.html#how-often-does-flux-check-for-new-images
You can disable image scanning by configuring the following flags:
• Exclude images from a specific registry:
  --registry-disable-scanning=docker.io/*,quay.io/*
• Exclude a specific image:
  --registry-exclude-image=<image name>:<tag>
  e.g. --registry-exclude-image=*test*
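The two flags above are both comma-separated globs, so whether an image is scanned comes down to name expansion plus pattern matching. The following is an added example, not Flux's code: it expands Docker-style short names (nginx becomes docker.io/library/nginx) and then applies the globs. It assumes Flux matches the globs against the fully expanded reference including its tag; the image references and flag values are constructed.

```python
"""Added example (not Flux's own code): deciding whether an image reference will
be scanned, given --registry-disable-scanning and --registry-exclude-image globs.

Assumptions: both flags are comma-separated globs, and they are matched against
the fully expanded image name (docker.io/library/... for short names) with the
tag kept, so a pattern such as *test* can match a tag. Image references below
are constructed.
"""
from fnmatch import fnmatchcase


def parse_glob_flag(value):
    """Split a flag value such as 'docker.io/*,quay.io/*' into a list of globs."""
    return [g.strip() for g in value.split(",") if g.strip()]


def normalize_image(ref):
    """Expand Docker-style short names the way registries resolve them:
    nginx -> docker.io/library/nginx, pohsien/my-nginx:test-1 -> docker.io/pohsien/my-nginx:test-1.
    Any explicit registry (contains '.', ':' or is localhost) is kept as-is."""
    parts = ref.split("/")
    first = parts[0]
    looks_like_registry = "." in first or ":" in first or first == "localhost"
    if len(parts) == 1:
        return f"docker.io/library/{ref}"
    if not looks_like_registry:
        return f"docker.io/{ref}"
    return ref


def should_scan(ref, disabled_registries=(), excluded_images=()):
    """True if neither flag excludes this image from registry scanning."""
    name = normalize_image(ref)
    blocked = list(disabled_registries) + list(excluded_images)
    return not any(fnmatchcase(name, glob) for glob in blocked)


# Constructed flag values, as they would appear on the fluxd command line.
DISABLED = parse_glob_flag("docker.io/*,quay.io/*")
EXCLUDED = parse_glob_flag("*test*")

if __name__ == "__main__":
    for image in ["nginx:1.19", "pohsien/my-nginx:test-1", "ghcr.io/org/app:v1"]:
        print(image, "->", should_scan(image, DISABLED, EXCLUDED))
```

Note that fnmatch's `*` also matches `/`, which is why `docker.io/*` covers every repository on that registry rather than only top-level names.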
Flux can also be limited to a specific subset of tags.

Use the following annotation to restrict the auto update mechanism to matching tags:

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    fluxcd.io/automated: "true"
    # fluxcd.io/tag.<container name>: glob:<tag pattern>
    fluxcd.io/tag.nginx: glob:test-*
...
    containers:
    - name: nginx
      image: docker.io/pohsien/my-nginx:test-1

Or you can simply use the command:
$ fluxctl policy --workload=<workload name> --tag-all='glob:<tag pattern>' --k8s-fwd-ns <flux daemon namespace>
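The ignore/lock table, the fluxcd.io/automated annotation and the glob tag policy together decide what Flux will do with a workload. The block below is an added example, not Flux's code, that puts them in one place: it reads the annotations of a constructed my-web Deployment, applies the table (lock stops the commit, ignore stops the sync), filters a constructed list of registry tags with the glob, and picks the most recently pushed match while skipping the unsupported latest tag. The registry listing and push timestamps are constructed; the rule that a container without a tag policy accepts any tag is an assumption.

```python
"""Added example (not Flux's own code): evaluating the fluxcd.io annotations on
a workload, combining the Ignore/Lock table, the automated annotation and the
fluxcd.io/tag.<container> glob policy. Registry tags and their push timestamps
are constructed sample data; Flux's real registry cache is not modelled.
"""
import copy
from fnmatch import fnmatchcase

GLOB_PREFIX = "glob:"
TAG_PREFIX = "fluxcd.io/tag."


def flux_behaviour(annotations):
    """What Flux does with a workload, following the Ignore/Lock table."""
    ignored = annotations.get("fluxcd.io/ignore") == "true"
    locked = annotations.get("fluxcd.io/locked") == "true"
    automated = annotations.get("fluxcd.io/automated") == "true"
    return {
        # lock stops automated releases (no commit); ignore does not
        "update_manifest": automated and not locked,
        # ignore stops the sync to the cluster; lock does not
        "sync_to_cluster": not ignored,
    }


def tag_policies(annotations):
    """Map container name -> glob pattern from fluxcd.io/tag.<container> annotations."""
    policies = {}
    for key, value in annotations.items():
        if key.startswith(TAG_PREFIX) and value.startswith(GLOB_PREFIX):
            policies[key[len(TAG_PREFIX):]] = value[len(GLOB_PREFIX):]
    return policies


def newest_matching_tag(pattern, tags):
    """Most recently pushed tag matching the glob; tags is a list of
    (tag, ISO-8601 push time). 'latest' is skipped: Flux needs unique tags."""
    candidates = [(pushed, tag) for tag, pushed in tags
                  if tag != "latest" and fnmatchcase(tag, pattern)]
    return max(candidates)[1] if candidates else None


def plan_image_updates(manifest, registry):
    """Return {container name: new image ref} for the containers Flux would bump."""
    annotations = manifest["metadata"].get("annotations", {})
    if not flux_behaviour(annotations)["update_manifest"]:
        return {}
    policies = tag_policies(annotations)
    updates = {}
    for container in manifest["spec"]["template"]["spec"]["containers"]:
        # assumption: a container without a tag policy accepts any tag
        pattern = policies.get(container["name"], "*")
        repo, _, current = container["image"].rpartition(":")
        best = newest_matching_tag(pattern, registry.get(repo, []))
        if best and best != current:
            updates[container["name"]] = f"{repo}:{best}"
    return updates


def with_annotation(manifest, key, value):
    """Copy of the manifest with one more annotation (used to try lock/ignore)."""
    m = copy.deepcopy(manifest)
    m["metadata"].setdefault("annotations", {})[key] = value
    return m


# Constructed Deployment mirroring the slide's my-web example.
MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "my-web", "annotations": {
        "fluxcd.io/automated": "true",
        "fluxcd.io/tag.nginx": "glob:test-*",
    }},
    "spec": {"template": {"spec": {"containers": [
        {"name": "nginx", "image": "docker.io/pohsien/my-nginx:test-1"},
    ]}}},
}

# Constructed registry listing: (tag, push time).
REGISTRY = {"docker.io/pohsien/my-nginx": [
    ("test-1", "2020-03-01T10:00:00Z"),
    ("test-2", "2020-03-05T10:00:00Z"),
    ("prod-9", "2020-03-07T10:00:00Z"),   # newer, but outside glob:test-*
    ("latest", "2020-03-08T10:00:00Z"),   # mutable tag, never chosen
]}

if __name__ == "__main__":
    print("automated:", plan_image_updates(MANIFEST, REGISTRY))
    locked = with_annotation(MANIFEST, "fluxcd.io/locked", "true")
    print("locked:   ", plan_image_updates(locked, REGISTRY))
```

With the glob in place the plan is nginx -> docker.io/pohsien/my-nginx:test-2 even though prod-9 and latest are newer; adding fluxcd.io/locked makes the plan empty while sync_to_cluster stays true, and adding fluxcd.io/ignore leaves the plan intact but turns sync_to_cluster off, matching the two rows of the table.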
2. Only one Git repo can be processed at a time.
3. Only Docker container registries are supported.
4. fluxctl doesn't support all flags of the Flux daemon yet.