July 17

fluxcd

Install flux

brew install fluxcd/tap/flux

flux check --pre
► checking prerequisites
✔ Kubernetes 1.30.0 >=1.28.0-0
✔ prerequisites checks passed

Create a Personal Access Token in GitLab with write api permissions

https://fluxcd.io/flux/installation/bootstrap/gitlab/

Install flux into the cluster

export GITLAB_TOKEN="glpat-XXXXXXXXXXXXXX"
export GITLAB_USER="s045724"

flux bootstrap gitlab \
  --deploy-token-auth \
  --owner=$GITLAB_USER \
  --repository=flux-example \
  --branch=main \
  --path=clusters/my-cluster \
  --personal
► connecting to https://gitlab.com
► cloning branch "main" from Git repository "https://gitlab.com/s045724/flux-example.git"
✔ cloned repository
► generating component manifests
✔ generated component manifests
✔ committed component manifests to "main" ("04d61bdec300d8c1a5bba13cdfba2931910530e0")
► pushing component manifests to "https://gitlab.com/s045724/flux-example.git"
► installing components in "flux-system" namespace
✔ installed components
✔ reconciled components
► checking to reconcile deploy token for source secret
✔ configured deploy token "flux-system-main-flux-system-./clusters/my-cluster" for "https://gitlab.com/s045724/flux-example"
► determining if source secret "flux-system/flux-system" exists
► generating source secret
► applying source secret "flux-system/flux-system"
✔ reconciled source secret
► generating sync manifests
✔ generated sync manifests
✔ committed sync manifests to "main" ("df3a29a031b6448907cb7bac5e755b4b47941eb0")
► pushing sync manifests to "https://gitlab.com/s045724/flux-example.git"
► applying sync manifests
✔ reconciled sync configuration
◎ waiting for GitRepository "flux-system/flux-system" to be reconciled
✔ GitRepository reconciled successfully
◎ waiting for Kustomization "flux-system/flux-system" to be reconciled
✔ Kustomization reconciled successfully
► confirming components are healthy
✔ helm-controller: deployment ready
✔ kustomize-controller: deployment ready
✔ notification-controller: deployment ready
✔ source-controller: deployment ready
✔ all components are healthy
flux check
► checking prerequisites
✔ Kubernetes 1.30.0 >=1.28.0-0
► checking version in cluster
✔ distribution: flux-v2.3.0
✔ bootstrapped: true
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v1.0.1
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v1.3.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v1.3.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v1.3.0
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta3
✔ buckets.source.toolkit.fluxcd.io/v1beta2
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1
✔ helmreleases.helm.toolkit.fluxcd.io/v2
✔ helmrepositories.source.toolkit.fluxcd.io/v1
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1beta2
✔ providers.notification.toolkit.fluxcd.io/v1beta3
✔ receivers.notification.toolkit.fluxcd.io/v1
✔ all checks passed

kubectl get gitrepositories.source.toolkit.fluxcd.io -n flux-system
NAME          URL                                           AGE     READY   STATUS
flux-system   https://gitlab.com/s045724/flux-example.git   8m22s   True    stored artifact for revision 'main@sha1:df3a29a031b6448907cb7bac5e755b4b47941eb0'

Install sealed-secrets-controller

https://fluxcd.io/flux/guides/sealed-secrets/

flux create source helm sealed-secrets \
--url="https://bitnami-labs.github.io/sealed-secrets" \
--interval="10m" \
--export > "/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/clusters/my-cluster/helm/repositories/sealed-secrets.yaml"

SEALED_SECRETS_CHART_VERSION="2.16.0"

flux create helmrelease "sealed-secrets-controller" \
  --release-name="sealed-secrets-controller" \
  --source="HelmRepository/sealed-secrets" \
  --chart="sealed-secrets" \
  --chart-version "$SEALED_SECRETS_CHART_VERSION" \
  --values="/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/clusters/my-cluster/helm/sealed-secrets-values.yaml" \
  --target-namespace="flux-system" \
  --crds=CreateReplace \
  --export > "/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/clusters/my-cluster/helm/releases/sealed-secrets-v${SEALED_SECRETS_CHART_VERSION}.yaml"

Push the new files to the repo

flux reconcile source git flux-system
► annotating GitRepository flux-system in flux-system namespace
✔ GitRepository annotated
◎ waiting for GitRepository reconciliation
✔ fetched revision main@sha1:5e751089731598671d03f9e3280a09d74dc66ee7

flux get helmrelease sealed-secrets-controller
NAME                     	REVISION	SUSPENDED	READY	MESSAGE                                                                                                      
sealed-secrets-controller	2.16.0  	False    	True 	Helm install succeeded for release flux-system/sealed-secrets-controller.v1 with chart sealed-secrets@2.16.0

Install the CLI utility for working with the controller

brew install kubeseal

kubeseal --fetch-cert \
--controller-name=sealed-secrets-controller \
--controller-namespace=flux-system \
> pub-sealed-secrets-my-cluster.pem

Install Grafana

flux create source helm grafana \
--url="https://grafana.github.io/helm-charts" \
--interval="10m" \
--export > "/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/clusters/my-cluster/helm/repositories/grafana.yaml"

Create a secret (the password was generated with openssl rand -hex 8)

kubectl create secret generic "grafana-credentials" \
  --namespace flux-system \
  --from-literal=grafana_admin_password="c2827e679edae66a" \
  --dry-run=client -o yaml | kubeseal --cert="/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/pub-sealed-secrets-my-cluster.pem" \
  --format=yaml > "/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/clusters/my-cluster/helm/secrets/grafana-sealed.yaml"
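An added check, not part of the original notes, for the secrets directory the kubeseal pipeline above writes into: it rejects any manifest that is a plain Secret (the unsealed --dry-run output) or that is not a SealedSecret, which is the mistake that would put the plaintext password into the GitOps repo. The directory layout clusters/my-cluster/helm/secrets and the sample manifests are assumed; the fixtures are constructed, not cluster output.

```shell
#!/bin/sh
# Added example, not part of the original notes: guard for the repo directory the
# kubeseal pipeline above writes into (clusters/my-cluster/helm/secrets). A plain
# `kind: Secret` (the unsealed --dry-run output) must never land there.
# Assumes single-document YAML files with a top-level kind: line.
# check_sealed_dir DIR: 0 if every *.yaml in DIR is a SealedSecret without a
# plaintext data/stringData block, 1 otherwise (reasons go to stderr).
check_sealed_dir() {
  rc=0
  for f in "$1"/*.yaml; do
    [ -e "$f" ] || continue
    if grep -q -E '^kind: *Secret *$' "$f"; then
      echo "REJECT $f: plain Secret, pipe it through kubeseal first" >&2
      rc=1
    elif ! grep -q -E '^kind: *SealedSecret *$' "$f"; then
      echo "REJECT $f: not a SealedSecret" >&2
      rc=1
    elif grep -q -E '^ *(data|stringData): *$' "$f"; then
      # spec.template.data inside a SealedSecret is stored unencrypted as well
      echo "REJECT $f: unencrypted data/stringData block" >&2
      rc=1
    fi
  done
  return $rc
}
# make_fixtures: writes constructed sample manifests (not real cluster output)
# into good/ and bad/ under a temp dir and prints that dir's path.
make_fixtures() {
  tmp=$(mktemp -d)
  mkdir "$tmp/good" "$tmp/bad"
  cat > "$tmp/good/grafana-sealed.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: grafana-credentials
spec:
  encryptedData:
    grafana_admin_password: AgBconstructedPlaceholderCiphertext==
EOF
  cat > "$tmp/bad/grafana-plain.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: grafana-credentials
data:
  grafana_admin_password: cGxhY2Vob2xkZXI=
EOF
  printf '%s\n' "$tmp"
}
```

Run it as a pre-commit hook or CI step against the secrets directory; a non-zero exit blocks the commit that would have leaked the plaintext Secret.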

Create the Grafana chart

export GRAFANA_CHART_VERSION="8.0.2"
flux create helmrelease "grafana" \
  --release-name="grafana" \
  --source="HelmRepository/grafana" \
  --chart="grafana" \
  --chart-version "$GRAFANA_CHART_VERSION" \
  --values="/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/grafana-values.yaml" \
  --target-namespace="monitoring" \
  --create-target-namespace=true \
  --export > "/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/clusters/my-cluster/helm/releases/grafana-v${GRAFANA_CHART_VERSION}.yaml"
flux logs --kind=HelmRelease
flux get helmrelease grafana
kubectl describe helmrelease grafana -n flux-system

Create the Prometheus chart

flux create source helm prometheus \
--url="https://prometheus-community.github.io/helm-charts" \
--interval="10m" \
--export > "/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/clusters/my-cluster/helm/repositories/prometheus.yaml"

export PROM_CHART_VERSION="25.21.0"
flux create helmrelease "prometheus" \
  --release-name="prometheus" \
  --source="HelmRepository/prometheus" \
  --chart="prometheus" \
  --chart-version "$PROM_CHART_VERSION" \
  --values="/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/prometheus-values.yaml" \
  --target-namespace="monitoring" \
  --create-target-namespace=true \
  --export > "/Users/3ng1n33r/Library/Mobile Documents/com~apple~CloudDocs/Projects/flux-example/clusters/my-cluster/helm/releases/prometheus-v${PROM_CHART_VERSION}.yaml"

sealed-secrets

Fetch the public key

1) Using kubeseal

kubeseal --controller-namespace=flux-system --fetch-cert > pub-sealed-secrets.pem

2) or, if kubeseal cannot reach the controller

kubectl port-forward service/sealed-secrets-controller 8080:8080 -n flux-system

then

curl --retry 5 --retry-connrefused localhost:8080/v1/cert.pem > pub-sealed-secrets.pem

Backup

Export the private key

kubectl get secret -n flux-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > private.key

Then store the private.key file in a safe place. To restore from the backup after some disaster, simply put this secret back before starting the controller, or, if the controller is already running, replace the newly created secrets and restart the controller:

kubectl apply -f private.key

kubectl delete pod -n flux-system -l name=sealed-secrets-controller

https://www.digitalocean.com/community/developer-center/implementing-gitops-using-flux-cd

https://www.digitalocean.com/community/developer-center/how-to-encrypt-kubernetes-secrets-using-sealed-secrets-in-doks#step-2-encrypting-a-kubernetes-secret