T02- creating ⚗️TEST env on our ☁️CLOUDY cluster
Let's take a look at our ☁️CLOUDY cluster!
☁️CLOUDY is a Kubernetes cluster created with Scaleway Kapsule managed service
This managed cluster comes preinstalled with specific features:
- Kubernetes dashboard
- specific Storage Classes based on Scaleway IaaS block storage offerings
- a Cilium CNI stack already set up
Accessing the managed Kubernetes cluster
To access our cluster, we'll connect via shpod
.lab[
- If you already have a kubectl on your desktop computer
kubectl -n shpod run shpod --image=jpetazzo/shpod
kubectl -n shpod exec -it shpod -- bash
- or directly via ssh
ssh -p myPort k8s@mySHPODSvcIpAddress
]
Flux installation
Once Flux is installed, the ⚙️OPS team exclusively operates its clusters by updating a code base in a Github repository
GitOps and Flux let the ⚙️OPS team rely on the first-class pattern of the Kubernetes world:
- describe the desired target state
- and let the automated convergence happen
Checking prerequisites
The Flux CLI is available in our shpod pod
Before installation, we need to check that:
- Flux CLI is correctly installed
- it can connect to the API server
- our versions of Flux and Kubernetes are compatible
.lab[
k8s@shpod:~$ flux --version
flux version 2.5.1
k8s@shpod:~$ flux check --pre
► checking prerequisites
✔ Kubernetes 1.32.3 >=1.30.0-0
✔ prerequisites checks passed
]
Git repository for Flux configuration
The ⚙️OPS team uses Flux CLI
- to create a git repository named fleet-config-using-flux-XXXXX (⚠ replace XXXXX by a personal suffix)
- in our Github organization named container-training-fleet
Prerequisites are:
- Flux CLI needs a Github personal access token (PAT)
  - to create and/or access the Github repository
  - to give permissions to existing teams in our Github organization
- The PAT needs CRUD permissions on our Github organization repositories
- ⚠ scope the PAT to those repository permissions only: it is a bootstrap-time secret, used by the CLI from the shpod pod and (without --token-auth) never stored in the cluster
As ⚙️OPS team, let's create a Github personal access token…
class: pic
Creating dedicated Github repo to host Flux config
.lab[
- let's replace the GITHUB_TOKEN value by our Personal Access Token
- and the GITHUB_REPO value by our specific repository name
- ⚠ a token typed literally into an export lands in the shell history of the shpod pod; prefer reading it from a prompt or a file, and revoke it once bootstrap is done
k8s@shpod:~$ export GITHUB_TOKEN="my-token" && \
export GITHUB_USER="container-training-fleet" && \
export GITHUB_REPO="fleet-config-using-flux-XXXXX"
k8s@shpod:~$ flux bootstrap github \
--owner=${GITHUB_USER} \
--repository=${GITHUB_REPO} \
--team=OPS \
--team=ROCKY --team=MOVY \
--path=clusters/CLOUDY
]
class: extra-details
Here is the result
✔ repository "https://github.com/container-training-fleet/fleet-config-using-flux-XXXXX" created
► reconciling repository permissions
✔ granted "maintain" permissions to "OPS"
✔ granted "maintain" permissions to "ROCKY"
✔ granted "maintain" permissions to "MOVY"
► reconciling repository permissions
✔ reconciled repository permissions
► cloning branch "main" from Git repository "https://github.com/container-training-fleet/fleet-config-using-flux-XXXXX.git"
✔ cloned repository
► generating component manifests
✔ generated component manifests
✔ committed component manifests to "main" ("7c97bdeb5b932040fd8d8a65fe1dc84c66664cbf")
► pushing component manifests to "https://github.com/container-training-fleet/fleet-config-using-flux-XXXXX.git"
✔ component manifests are up to date
► installing components in "flux-system" namespace
✔ installed components
✔ reconciled components
► determining if source secret "flux-system/flux-system" exists
► generating source secret
✔ public key: ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFqaT8B8SezU92qoE+bhnv9xONv9oIGuy7yVAznAZfyoWWEVkgP2dYDye5lMbgl6MorG/yjfkyo75ETieAE49/m9D2xvL4esnSx9zsOLdnfS9W99XSfFpC2n6soL+Exodw==
✔ configured deploy key "flux-system-main-flux-system-./clusters/CLOUDY" for "https://github.com/container-training-fleet/fleet-config-using-flux-XXXXX"
► applying source secret "flux-system/flux-system"
✔ reconciled source secret
► generating sync manifests
✔ generated sync manifests
✔ committed sync manifests to "main" ("11035e19cabd9fd2c7c94f6e93707f22d69a5ff2")
► pushing sync manifests to "https://github.com/container-training-fleet/fleet-config-using-flux-XXXXX.git"
► applying sync manifests
✔ reconciled sync configuration
◎ waiting for GitRepository "flux-system/flux-system" to be reconciled
✔ GitRepository reconciled successfully
◎ waiting for Kustomization "flux-system/flux-system" to be reconciled
✔ Kustomization reconciled successfully
► confirming components are healthy
✔ helm-controller: deployment ready
✔ kustomize-controller: deployment ready
✔ notification-controller: deployment ready
✔ source-controller: deployment ready
✔ all components are healthy
Flux configures Github repository access for teams
- Flux sets up permissions that allow teams within our organization to access the Github repository as maintainers
- Teams need to exist before Flux proceeds to this configuration
⚠️ Disclaimer
- In this lab, adding these teams as maintainers was merely a demonstration of how Flux CLI sets up permissions in Github
- But there is no need for dev teams to have access to this Github repository
- One advantage of GitOps lies in its ability to easily set up 💪🏼 Separation of concerns by using multiple Flux sources
The PAT is not needed anymore!
- During the install process, Flux creates an ssh key pair and registers its public half as a deploy key on the Github repository, so that the source-controller can pull from it.
- By default this deploy key is read-only (a read/write key is only configured when bootstrapping with --read-write-key); the private half lives in the Secret flux-system/flux-system, so whoever can read secrets in the flux-system namespace can clone the fleet repository.
► generating source secret
✔ public key: ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFqaT8B8SezU92qoE+bhnv9xONv9oIGuy7yVAznAZfyoWWEVkgP2dYDye5lMbgl6MorG/yjfkyo75ETieAE49/m9D2xvL4esnSx9zsOLdnfS9W99XSfFpC2n6soL+Exodw==
✔ configured deploy key "flux-system-main-flux-system-./clusters/CLOUDY" for "https://github.com/container-training-fleet/fleet-config-using-flux-XXXXX"
► applying source secret "flux-system/flux-system"
✔ reconciled source secret
- You can now delete the formerly created Personal Access Token: Flux won't use it anymore.
📂 Flux config files
Flux has been successfully installed onto our ☁️CLOUDY Kubernetes cluster!
Its configuration is managed through a GitOps workflow sourced directly from our Github repository
Let's review the Flux configuration files we've created and pushed into the Github repository…
… as well as the corresponding components running in our Kubernetes cluster
class: pic
class: extra-details
Flux resources 1/2
.lab[
k8s@shpod:~$ kubectl get all --namespace flux-system
NAME READY STATUS RESTARTS AGE
pod/helm-controller-b6767d66-h6qhk 1/1 Running 0 5m
pod/kustomize-controller-57c7ff5596-94rnd 1/1 Running 0 5m
pod/notification-controller-58ffd586f7-zxfvk 1/1 Running 0 5m
pod/source-controller-6ff87cb475-g6gn6 1/1 Running 0 5m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/notification-controller ClusterIP 10.104.139.156 <none> 80/TCP 5m1s
service/source-controller ClusterIP 10.106.120.137 <none> 80/TCP 5m
service/webhook-receiver ClusterIP 10.96.28.236 <none> 80/TCP 5m
(…)
]
class: extra-details
Flux resources 2/2
.lab[
k8s@shpod:~$ kubectl get all --namespace flux-system
(…)
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/helm-controller 1/1 1 1 5m
deployment.apps/kustomize-controller 1/1 1 1 5m
deployment.apps/notification-controller 1/1 1 1 5m
deployment.apps/source-controller 1/1 1 1 5m
NAME DESIRED CURRENT READY AGE
replicaset.apps/helm-controller-b6767d66 1 1 1 5m
replicaset.apps/kustomize-controller-57c7ff5596 1 1 1 5m
replicaset.apps/notification-controller-58ffd586f7 1 1 1 5m
replicaset.apps/source-controller-6ff87cb475 1 1 1 5m
]
Flux components
- the source controller fetches Git repositories (and Helm repositories) and exposes their content as artifacts to the other controllers
- the kustomize controller applies the Kubernetes resources found in those artifacts on the cluster
- the Helm controller checks for new Helm chart releases in Helm repositories and installs updates as needed
- the notification controller handles inbound webhooks and outbound alerts
- CRDs store Flux configuration within the Kubernetes control plane
class: extra-details
Flux resources that have been created
.lab[
k8s@shpod:~$ flux get all --all-namespaces
NAMESPACE    NAME                       REVISION            SUSPENDED  READY  MESSAGE
flux-system  gitrepository/flux-system  main@sha1:d48291a8  False      True   stored artifact for revision 'main@sha1:d48291a8'

NAMESPACE    NAME                       REVISION            SUSPENDED  READY  MESSAGE
flux-system  kustomization/flux-system  main@sha1:d48291a8  False      True   Applied revision: main@sha1:d48291a8
]
Flux CLI
Flux Command-Line Interface fulfills 3 primary functions:
- It installs and configures the first mandatory Flux resources in a GitOps git repository, ensuring proper access and permissions
- It locally generates YAML files for desired Flux resources so that we just need to git push them
  - tenants
  - sources
  - …
- It requests the API server to manage Flux-related resources
  - operators
  - CRDs
  - logs
class: extra-details
Flux -- for more info
Please, refer to the Flux chapter in the High Five M3 module
Flux relies on Kustomize
The Flux component named kustomize controller looks for Kustomize resources in Flux code-based sources
- Kustomize looks for the YAML manifests listed in the kustomization.yaml file
- and aggregates, hydrates and patches them following the kustomization configuration
class: extra-details
2 different Kustomization resources
⚠️ Flux uses 2 distinct resources with kind: Kustomization
- apiVersion: kustomize.config.k8s.io/v1beta1, kind: Kustomization
  describes how Kustomize (the CLI tool) assembles and transforms YAML manifests into a single set of resources; it is a file read at build time, never an object stored in the cluster
- apiVersion: kustomize.toolkit.fluxcd.io/v1, kind: Kustomization
  is a Kubernetes object reconciled by the Flux kustomize-controller; it describes where (which path, in which Flux code-based source) the controller looks for a kustomization.yaml file, and applies the result to the cluster
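To make the two kinds concrete, and to show the files the "📂 Flux config files" slide refers to, here is an added illustration of what `flux bootstrap github … --path=clusters/CLOUDY` typically leaves under clusters/CLOUDY/flux-system/. It is not copied from the lab repository: the intervals, the ssh URL form and the file comments are assumptions based on the standard bootstrap layout, and XXXXX is the page's own placeholder.

```yaml
# Added illustration (not the lab's own files): the bootstrap layout under
# clusters/CLOUDY/flux-system/. Intervals and URL form are assumptions.

# --- clusters/CLOUDY/flux-system/kustomization.yaml ---
# Kind 1: Kustomize's own Kustomization (kustomize.config.k8s.io).
# A build-time file that only lists which manifests to assemble;
# it is never applied to the cluster as an object.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml   # the 4 controllers, their CRDs and RBAC (generated by the CLI)
  - gotk-sync.yaml         # the two Flux objects below
---
# --- clusters/CLOUDY/flux-system/gotk-sync.yaml ---
# The source: where to pull from, authenticated with the deploy key whose
# private half sits in Secret flux-system/flux-system.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m0s
  ref:
    branch: main
  secretRef:
    name: flux-system
  url: ssh://git@github.com/container-training-fleet/fleet-config-using-flux-XXXXX
---
# Kind 2: Flux's Kustomization (kustomize.toolkit.fluxcd.io).
# A cluster object reconciled by kustomize-controller: "build the kustomization
# found at `path` inside `sourceRef`, then apply it to this cluster".
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./clusters/CLOUDY
  prune: true              # delete cluster objects that disappear from Git
  sourceRef:
    kind: GitRepository
    name: flux-system
```

Note the consequence of `prune: true` on the root Kustomization: anything pushed to the main branch under clusters/CLOUDY is applied, and anything removed there is deleted from the cluster. The repository's branch protection and its maintainer list (the teams granted "maintain" above) are therefore part of the cluster's security boundary, which is why the disclaimer recommends keeping dev teams out of this repository and giving them their own Flux sources.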
class: extra-details
Kustomize -- for more info
Please, refer to the Kustomize chapter in the High Five M3 module
class: extra-details
Group / Version / Kind -- for more info
For more info about how Kubernetes resource natures are identified by their Group / Version / Kind triplet…
… please, refer to the Kubernetes API chapter in the High Five M5 module
🗺️ Where are we in our scenario?
%%{init:
{
"theme": "default",
"gitGraph": {
"mainBranchName": "OPS",
"mainBranchOrder": 0
}
}
}%%
gitGraph
commit id:"0" tag:"start"
branch ROCKY order:3
branch MOVY order:4
branch YouRHere order:5
checkout OPS
commit id:'Flux install on CLOUDY cluster' tag:'T01'
branch TEST-env order:1
commit id:'FLUX install on TEST' tag:'T02' type: HIGHLIGHT
checkout YouRHere
commit id:'x'
checkout OPS
merge YouRHere id:'YOU ARE HERE'
checkout OPS
commit id:'Flux config. for TEST tenant' tag:'T03'
commit id:'namespace isolation by RBAC'
checkout TEST-env
merge OPS id:'ROCKY tenant creation' tag:'T04'
checkout OPS
commit id:'ROCKY deploy. config.' tag:'R01'
checkout TEST-env
merge OPS id:'TEST ready to deploy ROCKY' type: HIGHLIGHT tag:'R02'
checkout ROCKY
commit id:'ROCKY' tag:'v1.0.0'
checkout TEST-env
merge ROCKY tag:'ROCKY v1.0.0'



