Flux2 Install and Usage
In this post I will show you how to install and use the GitOps tool Flux2.
Parts of the K8S Gitops series
- Part1: GitOps solutions for Kubernetes
- Part2: ArgoCD and kubeseal to encrypt secrets
- Part3: Argo CD Image Updater for automated image updates
- Part4: Flux2 Install and Usage
- Part5: Flux2 and kubeseal to encrypt secrets
- Part6: Flux2 and Mozilla SOPS to encrypt secrets
- Part7: Flagger NGINX Canary Deployments
Install Flux2 cli
The install script needs root to put the flux binary on the system path. Download and review it first instead of piping it straight into a root shell:
curl -s https://fluxcd.io/install.sh -o install.sh
less install.sh
sudo bash install.sh
Bootstrap Flux2 Server components
Flux is installed in a GitOps way: the bootstrap command commits its own manifests to the repository, so you also need a GitHub account and a personal access token that can create repositories (check all permissions under repo) to let Flux do this. The token is used only by the CLI during bootstrap; the in-cluster controllers authenticate to the repository with a deploy key that bootstrap generates and stores as a secret in the flux-system namespace, so the token does not need to stay on the machine afterwards.
export GITHUB_TOKEN=<token>
export GITHUB_USER=devopstales
flux check --pre
flux bootstrap github \
  --owner=$GITHUB_USER \
  --repository=gitops-repo \
  --branch=main \
  --path=./01_flux2/ \
  --personal
If you try to install it on a hardened Kubernetes cluster with a PodSecurityPolicy that enforces runAsNonRoot, the notification-controller and the source-controller cannot start, because they run as root. The workaround below binds an existing ClusterRole that allows use of an unrestricted policy (system-unrestricted-psp-role here; the name depends on your cluster) to the system:serviceaccounts group, which means every service account in the cluster gets to use that policy for pods in the flux-system namespace. That is wider than needed: a tighter binding lists only the source-controller and notification-controller ServiceAccounts as subjects.
nano rb.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-rolebinding-flux-system
  namespace: flux-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system-unrestricted-psp-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
kubectl apply -f rb.yaml
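As an added example (not from this post and not part of Flux), the following Python narrows that RoleBinding: it flags subjects that cover every service account and rewrites them as explicit ServiceAccount subjects. The manifest is embedded as a dict mirroring rb.yaml so no YAML library is needed; the two controller names are an assumption about which pods need the permissive policy, and the output is JSON, which kubectl apply -f accepts as a manifest.

```python
import copy
import json

# Group subjects that make a binding reach far more identities than the two pods that need it.
BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}

# Constructed input: the rb.yaml from above, expressed as a dict with the same fields.
RB_YAML = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "psp-rolebinding-flux-system", "namespace": "flux-system"},
    "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "system-unrestricted-psp-role",
    },
    "subjects": [
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:serviceaccounts"},
    ],
}

# Assumption: the controllers the post says fail under the runAsNonRoot policy.
FLUX_CONTROLLERS = [("flux-system", "source-controller"), ("flux-system", "notification-controller")]


def is_broad(subject):
    """True for Group subjects matching every service account (cluster-wide or per namespace) or every user."""
    if subject.get("kind") != "Group":
        return False
    name = subject.get("name", "")
    return name in BROAD_GROUPS or name.startswith("system:serviceaccounts:")


def broad_subjects(binding):
    """Return the subjects of a binding that should be replaced by explicit identities."""
    return [s for s in binding.get("subjects", []) if is_broad(s)]


def narrow_binding(binding, service_accounts):
    """Return a copy of binding whose broad Group subjects are replaced by the given ServiceAccounts.

    service_accounts is a list of (namespace, name). Subjects that are not broad are kept.
    ServiceAccount subjects carry no apiGroup (it must be empty for the core API group).
    """
    narrowed = copy.deepcopy(binding)
    subjects = [s for s in narrowed.get("subjects", []) if not is_broad(s)]
    for namespace, name in service_accounts:
        subjects.append({"kind": "ServiceAccount", "name": name, "namespace": namespace})
    narrowed["subjects"] = subjects
    return narrowed


def render(binding):
    """Serialise the binding as JSON; kubectl apply -f reads JSON manifests like YAML."""
    return json.dumps(binding, indent=2)


if __name__ == "__main__":
    for subject in broad_subjects(RB_YAML):
        print(f"broad subject: {subject['kind']} {subject['name']}")
    print(render(narrow_binding(RB_YAML, FLUX_CONTROLLERS)))
```

Write the printed JSON to a file and apply it in place of rb.yaml; the roleRef is unchanged, only the set of identities that may use the policy shrinks to the two controllers.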
With --path you configure the directory in the repository that will be reconciled into the target cluster. Note that the generated flux-system/kustomization.yaml lists only gotk-components.yaml and gotk-sync.yaml under resources, so a file you add to that directory, such as rb.yaml, is only applied by Flux if you also add it to that list.
./01_flux2/
└── flux-system                   # <- namespace dir generated by bootstrap
    ├── gotk-components.yaml
    ├── gotk-sync.yaml
    ├── rb.yaml                   # <- RoleBinding for psp created by me
    └── kustomization.yaml
Deploy application
Add an application to the cluster and upload to the git repository:
./01_flux2/
├── 00_guestbook                  # <- guestbook application
│   ├── 00_ns.yaml
│   ├── 01_rb.yaml
│   ├── 02_guestbook-ui-svc.yaml
│   └── 03_guestbook-ui-deployment.yaml
└── flux-system                   # <- namespace dir generated by bootstrap
    ├── gotk-components.yaml
    ├── gotk-sync.yaml
    ├── rb.yaml                   # <- RoleBinding for psp created by me
    └── kustomization.yaml
Add another Git repository
We will be using the public repository github.com/stefanprodan/podinfo; podinfo is a tiny web application written in Go. Create a GitRepository manifest pointing to the master branch of the podinfo repository. Keep in mind that reconciling a branch of a third-party repository means whoever can push to that branch can change what runs in your cluster; for anything beyond a demo, pin the source to a tag (--tag) or a commit (--commit) instead of a moving branch.
mkdir ./01_flux2/01_podinfo
flux create source git podinfo \
  --url=https://github.com/stefanprodan/podinfo \
  --branch=master \
  --interval=30s \
  --export > ./01_flux2/01_podinfo/podinfo-source.yaml
cat 01_flux2/01_podinfo/podinfo-source.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: podinfo
  namespace: flux-system
spec:
  interval: 30s
  ref:
    branch: master
  url: https://github.com/stefanprodan/podinfo
./01_flux2/
├── 00_guestbook                  # <- guestbook application
│   ├── 00_ns.yaml
│   ├── 01_rb.yaml
│   ├── 02_guestbook-ui-svc.yaml
│   └── 03_guestbook-ui-deployment.yaml
├── 01_podinfo
│   └── podinfo-source.yaml
└── flux-system                   # <- namespace dir generated by bootstrap
    ├── gotk-components.yaml
    ├── gotk-sync.yaml
    ├── rb.yaml                   # <- RoleBinding for psp created by me
    └── kustomization.yaml
Kustomization
We will create a Flux Kustomization manifest for podinfo. This configures Flux to apply the kustomize directory located in the podinfo repository.
flux create kustomization podinfo \
  --source=podinfo \
  --path="./kustomize" \
  --prune=true \
  --validation=client \
  --interval=5m \
  --export > ./01_flux2/01_podinfo/podinfo-kustomization.yaml
cat ./01_flux2/01_podinfo/podinfo-kustomization.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: podinfo
  namespace: flux-system
spec:
  interval: 5m0s
  path: ./kustomize
  prune: true
  sourceRef:
    kind: GitRepository
    name: podinfo
  validation: client
prune: true means Flux deletes objects from the cluster when they disappear from the source, so a removed file in the upstream repository removes the resource. validation: client runs a client-side dry run before applying; the validation field and the --validation flag were dropped in later Flux releases, where server-side apply validates the manifests on the API server.
./01_flux2/
├── 00_guestbook                  # <- guestbook application
│   ├── 00_ns.yaml
│   ├── 01_rb.yaml
│   ├── 02_guestbook-ui-svc.yaml
│   └── 03_guestbook-ui-deployment.yaml
├── 01_podinfo
│   ├── podinfo-kustomization.yaml
│   └── podinfo-source.yaml
└── flux-system                   # <- namespace dir generated by bootstrap
    ├── gotk-components.yaml
    ├── gotk-sync.yaml
    ├── rb.yaml                   # <- RoleBinding for psp created by me
    └── kustomization.yaml
Manage Helm Releases
I usually use Rancher's helm operator, but Flux has its own. It has two parts, the HelmRepository and the HelmRelease:
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
  name: chartmuseum
  namespace: flux-system
spec:
  url: https://chartmuseum.github.io/charts
  interval: 10m
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: chartmuseum
  namespace: flux-system
spec:
  interval: 5m
  chart:
    spec:
      chart: chartmuseum
      version: "2.14.2"
      sourceRef:
        kind: HelmRepository
        name: chartmuseum
        namespace: flux-system
      interval: 1m
  values:
    env:
      open:
        AWS_SDK_LOAD_CONFIG: true
        STORAGE: amazon
        STORAGE_AMAZON_BUCKET: "bucket-name"
        STORAGE_AMAZON_PREFIX: ""
        STORAGE_AMAZON_REGION: "region-name"
    serviceAccount:
      create: true
      annotations:
        eks.amazonaws.com/role-arn: "role-arn"
    securityContext:
      enabled: true
      fsGroup: 65534
The chart version is pinned, which is what you want for a reproducible release. Because this HelmRelease lives in flux-system and sets no spec.targetNamespace, the chart is installed into flux-system next to the Flux controllers; set spec.targetNamespace to install it into its own namespace.
It is possible to define a list of ConfigMap and Secret resources from which to take values. The entries are merged in the order listed, and the inline spec.values are merged last, so they override anything coming from valuesFrom. valuesKey selects the key in the resource (default values.yaml) whose content is a complete values document; with targetPath the key's content is instead placed as a single value at that path inside the values, which is how the certificate stored in the Secret ends up at tls.crt here.
spec:
  valuesFrom:
    - kind: ConfigMap
      name: prod-env-values
      valuesKey: values-prod.yaml
    - kind: Secret
      name: prod-tls-values
      valuesKey: crt
      targetPath: tls.crt
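To make the merge order concrete, here is an added Python model of how helm-controller assembles the values for a HelmRelease (example code, not Flux's own implementation): valuesFrom entries are merged in list order, then spec.values last, with valuesKey, targetPath and the optional flag handled as described above. The ConfigMap and Secret contents are constructed inline, the values documents are written as JSON (which is valid YAML) so no YAML library is needed, and Secret data is kept base64-encoded as the API server stores it. The dotted targetPath handling is simplified to map keys.

```python
import base64
import copy
import json

# Constructed objects standing in for what helm-controller reads from the API server.
OBJECTS = {
    ("ConfigMap", "prod-env-values"): {
        "data": {
            "values-prod.yaml": json.dumps({
                "replicaCount": 2,
                "env": {"open": {"STORAGE": "amazon", "STORAGE_AMAZON_REGION": "eu-west-1"}},
            })
        }
    },
    ("Secret", "prod-tls-values"): {
        "data": {
            "crt": base64.b64encode(
                b"-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n"
            ).decode()
        }
    },
}

# Constructed HelmRelease spec: the valuesFrom list from above plus a few inline values.
HELM_RELEASE_SPEC = {
    "values": {
        "replicaCount": 3,
        "env": {"open": {"STORAGE_AMAZON_BUCKET": "bucket-name"}},
    },
    "valuesFrom": [
        {"kind": "ConfigMap", "name": "prod-env-values", "valuesKey": "values-prod.yaml"},
        {"kind": "Secret", "name": "prod-tls-values", "valuesKey": "crt", "targetPath": "tls.crt"},
    ],
}


def deep_merge(base, override):
    """Recursively merge override into a copy of base; override wins where both have a scalar."""
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def set_path(values, dotted_path, value):
    """Set a nested key such as 'tls.crt', creating intermediate maps (index syntax not modelled)."""
    node = values
    keys = dotted_path.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value
    return values


def load_values_ref(ref, objects):
    """Resolve one valuesFrom entry and return the partial values map it contributes."""
    obj = objects.get((ref["kind"], ref["name"]))
    if obj is None:
        if ref.get("optional"):
            return {}  # optional: true lets a missing resource be skipped
        raise LookupError(f"{ref['kind']}/{ref['name']} not found")
    key = ref.get("valuesKey", "values.yaml")
    raw = obj["data"][key]
    if ref["kind"] == "Secret":
        raw = base64.b64decode(raw).decode()  # Secret data is base64 at rest
    if "targetPath" in ref:
        # The raw string becomes a single value at the given path, e.g. a certificate at tls.crt
        return set_path({}, ref["targetPath"], raw)
    return json.loads(raw)  # the key holds a whole values document


def compose_values(spec, objects):
    """Merge valuesFrom entries in order, then spec.values last so inline values take precedence."""
    merged = {}
    for ref in spec.get("valuesFrom", []):
        merged = deep_merge(merged, load_values_ref(ref, objects))
    return deep_merge(merged, spec.get("values", {}))


if __name__ == "__main__":
    print(json.dumps(compose_values(HELM_RELEASE_SPEC, OBJECTS), indent=2))
```

Running it shows replicaCount ending up as 3 (the inline value beats the ConfigMap's 2), the ConfigMap's storage keys and the inline bucket name sitting side by side under env.open, and the certificate text at tls.crt. A Secret that carries a whole values document gets decoded the same way but without targetPath, so leave targetPath off unless the key holds a single scalar.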