Implement the cluster sync feature #20

Merged: stefanprodan merged 8 commits into main from sync-cluster-state on Jun 12, 2024

Conversation

@stefanprodan stefanprodan (Member) commented Jun 10, 2024

This PR implements the cluster sync feature as defined in RFC-0001. This feature completes the operator goal to offer a viable alternative to Flux Git bootstrap. In addition, the operator can now deploy Flux in sync with an OCI-compliant Container Registry.

Sync configuration

The .spec.sync field is optional and specifies the Flux sync configuration.
When set, a Flux source and a Flux Kustomization are generated to sync
the cluster state with the source repository.

The Flux objects are created in the same namespace where the FluxInstance is deployed
using the namespace name as the Flux source and Kustomization name. The naming convention
matches the one used by flux bootstrap to ensure compatibility with upstream, and
to allow transitioning a bootstrapped cluster to a FluxInstance managed one.

Sync fields:

  • kind: The source kind, supported values are GitRepository, OCIRepository and Bucket.
  • url: The URL of the source repository, can be a Git repository HTTP/S or SSH address, an OCI repository address or a Bucket endpoint.
  • ref: The source reference, can be a Git ref name e.g. refs/heads/main, an OCI tag e.g. latest or a Bucket name.
  • path: The path to the source directory containing the kustomize overlay or plain Kubernetes manifests to sync from.
  • pullSecret: The name of the Kubernetes secret that contains the credentials to pull the source repository. This field is optional.
  • interval: The sync interval. This field is optional, when not set the default is 1m.

Sync from Git over HTTP/S

Example:

spec:
  sync:
    kind: GitRepository
    url: "https://gitlab.com/my-group/my-fleet.git"
    ref: "refs/heads/main"
    path: "clusters/my-cluster"
    pullSecret: "git-token-auth"

If the source repository is private, the Kubernetes secret must be created
in the same namespace where the FluxInstance is deployed, and have the following format:

apiVersion: v1
kind: Secret
metadata:
  name: git-token-auth
  namespace: flux-system
type: Opaque
stringData:
  username: "git-username"
  password: "git-token"

To generate the secret with the Flux CLI:

flux create secret git git-token-auth \
  --namespace flux-system \
  --url=https://gitlab.com/my-group/my-fleet.git \
  --username=git-username \
  --password=git-token

Sync from Git over SSH

Example:

spec:
  sync:
    kind: GitRepository
    url: "ssh://[email protected]/my-org/my-fleet.git"
    ref: "refs/heads/main"
    path: "clusters/my-cluster"
    pullSecret: "git-ssh-auth"

If the source repository is private, the Kubernetes secret must be created
in the same namespace where the FluxInstance is deployed, and have the following format:

apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-auth
  namespace: flux-system
type: Opaque
stringData:
  identity: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----
  known_hosts: |
    github.com ecdsa-sha2-nistp256 AAAA...

To generate the secret with the Flux CLI:

flux create secret git git-ssh-auth \
  --namespace flux-system \
  --url=ssh://[email protected]/my-org/my-fleet.git \
  --private-key-file=my-private.key

Sync from OCI over HTTP/S

Example:

spec:
  sync:
    kind: OCIRepository
    url: "oci://ghcr.io/my-org/my-fleet-manifests"
    ref: "latest"
    path: "clusters/my-cluster"
    pullSecret: "oci-token-auth"

If the container registry is private, the Kubernetes secret must be created
in the same namespace where the FluxInstance is deployed, and be of type kubernetes.io/dockerconfigjson:

apiVersion: v1
kind: Secret
metadata:
  name: oci-token-auth
  namespace: flux-system
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: "base64-encoded-docker-config"

To generate the secret with the Flux CLI:

flux create secret oci oci-token-auth \
  --namespace flux-system \
  --url=ghcr.io \
  --username=ghcr-username \
  --password=ghcr-token

Sync from S3-compatible storage over HTTP/S

Example:

spec:
  sync:
    kind: Bucket
    url: "minio.my-org.com"
    ref: "my-bucket-fleet"
    path: "clusters/my-cluster"
    pullSecret: "bucket-auth"

If the Bucket is private, the Kubernetes secret must be created
in the same namespace where the FluxInstance is deployed, and have the following format:

apiVersion: v1
kind: Secret
metadata:
  name: bucket-auth
  namespace: flux-system
type: Opaque
stringData:
  accesskey: "my-accesskey"
  secretkey: "my-secretkey"

@stefanprodan stefanprodan added the enhancement (New feature or request) label Jun 10, 2024
@stefanprodan stefanprodan requested a review from souleb June 10, 2024 12:28
@stefanprodan stefanprodan force-pushed the sync-cluster-state branch 3 times, most recently from 334407c to d36c194 June 10, 2024 12:58
@stefanprodan stefanprodan force-pushed the sync-cluster-state branch 2 times, most recently from 2157969 to 292dc33 June 10, 2024 15:11
@stefanprodan stefanprodan changed the title from "Implement cluster sync feature" to "Implement the cluster sync feature" Jun 10, 2024
@souleb souleb (Contributor) left a comment

LGTM!

@stefanprodan stefanprodan merged commit c6323ca into main Jun 12, 2024
1 check passed
@stefanprodan stefanprodan deleted the sync-cluster-state branch June 12, 2024 12:08