= FluxCD

== Install FluxCD into a cluster

Here I install it connected to a repository on Codeberg:

* the `--path` is the directory in the repository that is used just for this cluster
* the `--url` is the repository into which FluxCD installs itself (under the given path) and which it monitors afterwards
* with `--components` I install just the components I need (I skip the notification-controller, as I prefer Prometheus and its alerting)

[source,bash]
----
flux bootstrap git --components source-controller,kustomize-controller,helm-controller --path=<path> --url ssh://git@codeberg.org/wrenix/<repo>.git
----

=== Secure with verify

Afterwards we need to set up GPG signature verification, so that nobody else can commit workloads into your cluster.
This matters because I chose a public Git hosting service (here Codeberg); I trust them, but it might get compromised one day.

In your repository the flux CLI has created `<path>/flux-system/kustomization.yaml`; we will edit that file.

[source,patch]
----
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml

+patches:
+  - target:
+      kind: GitRepository
+      name: flux-system
+    patch: |-
+      apiVersion: source.toolkit.fluxcd.io/v1
+      kind: GitRepository
+      metadata:
+        name: flux-system
+      spec:
+        verify: <1>
+          mode: HEAD
+          secretRef:
+            name: gpg-publickey
+
+generatorOptions:
+  disableNameSuffixHash: true <2>
+
+secretGenerator:
+  - name: gpg-publickey <3>
+    namespace: flux-system
+    files:
+      - gpg-publickey/wrenix.gpg <4>
----

<1> Add `verify`, so that the HEAD commit is only used if it carries a valid GPG signature
<2> Do not append a hash suffix to the name of the generated Secret
<3> Generate a Kubernetes Secret named `gpg-publickey`, which the patched GitRepository references, see <1>
<4> The list of files holding the valid (trusted) GPG public keys
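
Before you commit this patch, make sure the current HEAD is actually signed with one of the keys in `gpg-publickey/`: once `verify` is active, source-controller rejects any HEAD whose signature does not check out against those keys and stops delivering new commits to the cluster. The following pre-flight script is an added example (it is not part of this page or of Flux); `KEYDIR` and the `check` argument are its own assumptions, and it relies on the output of `git log --format='%H %G? %GF'` and `gpg --with-colons`.

```sh
#!/bin/sh
# Added pre-flight check, not part of the original page: confirm that HEAD is
# signed by a key contained in the files under KEYDIR before the verify patch
# is committed. KEYDIR and the "check" argument are assumptions of this example.
set -eu
KEYDIR="${KEYDIR:-flux-system/gpg-publickey}"

# Fingerprints from `gpg --with-colons` output: field 10 of every "fpr" record.
# Subkey fingerprints are included, because commits are usually signed with
# a signing subkey rather than the primary key.
fingerprints_from_colons() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Fingerprints of all keys in one armored public key file, without importing it.
key_fingerprints() {
  gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
    | fingerprints_from_colons
}

# $1: one line of `git log -1 --format='%H %G? %GF'` (sha, status, fingerprint)
# $2: whitespace-separated trusted fingerprints
# Succeeds only for a good signature (G, or U = good signature from a key with
# no trust level in the local trust db, the normal case for an imported key)
# made by a trusted fingerprint; anything else will make Flux reject HEAD.
head_is_trusted() {
  _trusted=$2
  set -- $1
  _sha=${1:-?}; _status=${2:-N}; _fpr=${3:-}
  case "$_status" in
    G|U) ;;
    *) echo "HEAD $_sha: signature status '$_status' is not a good signature" >&2; return 1 ;;
  esac
  for _t in $_trusted; do
    [ "$_fpr" = "$_t" ] && return 0
  done
  echo "HEAD $_sha: signed by '${_fpr:-<none>}', not among the keys in $KEYDIR" >&2
  return 1
}

main() {
  _all=$(for f in "$KEYDIR"/*.gpg; do key_fingerprints "$f"; done)
  head_is_trusted "$(git log -1 --format='%H %G? %GF')" "$_all" \
    && echo "HEAD is signed by a trusted key; safe to commit the verify patch"
}

# Only run the real check when asked: KEYDIR=<path>/flux-system/gpg-publickey sh precheck.sh check
if [ "${1:-}" = "check" ]; then main; fi
```

Run it from the repository root after the key files exist but before the patched `kustomization.yaml` is committed; a non-zero exit tells you what Flux would complain about.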