Deploys the FluxCD toolkit on Kubernetes and stores the manifests in an existing GitHub repository.
Note: If using the default settings, this module will generate an SSH key pair and the public key will be added to the existing GitHub repository. This key pair will be stored unencrypted in the Terraform state. Make sure that only authorized users have direct access to the Terraform state.
It is highly recommended to use a remote state backend supporting encryption at rest. See References for more information.
See the examples to use an externally generated key instead.
Example:
provider "github" {
token = var.github_token
owner = var.github_owner
}
provider "kubernetes" {
config_path = "~/.kube/config"
config_context = "my-context"
}
module "fluxcd" {
source = "github.com/andreswebs/terraform-github-fluxcd-bootstrap"
git_repository_name = "k8s-fleet"
git_branch = "main"
git_target_path = "clusters/your-cluster"
github_owner = "your-github-name"
github_deploy_key_title = "flux-your-cluster"
}If using an externally generated deploy key, first add the deploy public key to the GitHub repository (see instructions). Then create a Kubernetes secret with the contents below:
kubectl create secret generic \
flux-system \
--namespace flux-system \
--from-file=identity \
--from-file=identity.pub \
--from-literal=known_hosts="$(ssh-keyscan github.com)"The key files must be named identity (private key) and identity.pub (public key).
After creating the secret, pass its name to the module:
module "fluxcd" {
source = "github.com/andreswebs/terraform-github-fluxcd-bootstrap"
git_repository_name = "k8s-fleet"
git_branch = "main"
git_target_path = "clusters/your-cluster"
github_owner = "your-github-name"
github_deploy_key_title = "flux-your-cluster"
create_deploy_key = false
flux_sync_secret_name = "flux-system" ## --> name of the Kubernetes secret containing your deploy key
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| create_deploy_key | Create the GitHub deploy key? | bool |
true |
no |
| create_namespace | Create the Kubernetes namespace? | bool |
true |
no |
| flux_image_pull_secrets | Kubernetes secret name used for pulling the toolkit images from a private registry | string |
"" |
no |
| flux_install_components | Toolkit components to include in the install manifests | list(string) |
[ |
no |
| flux_install_components_extra | List of extra components to include in the install manifests | list(string) |
[] |
no |
| flux_install_network_policy | Deny ingress access to the toolkit controllers from other namespaces using network policies? | bool |
true |
no |
| flux_install_toleration_keys | List of toleration keys used to schedule the components pods onto nodes with matching tailist | list(string) |
[] |
no |
| flux_log_level | Log level for Flux toolkit components | string |
"info" |
no |
| flux_registry | Container registry from where the Flux toolkit images are pulled | string |
"ghcr.io/fluxcd" |
no |
| flux_resources_name | The name of generated Kubernetes resources | string |
"flux-system" |
no |
| flux_secret_name | The name of the secret that is referenced by GitRepository, used by flux to deploy to the git repository |
string |
"flux-system" |
no |
| flux_sync_interval_minutes | Sync interval in minutes | number |
1 |
no |
| flux_version | FluxCD version; defaults to the latest available | string |
null |
no |
| flux_watch_all_namespaces | Watch for custom resources in all namespaces? | bool |
true |
no |
| git_branch | Git branch | string |
"main" |
no |
| git_repository_name | Name of the Git repository to store the FluxCD manifests | string |
n/a | yes |
| git_target_path | Target path for storing FluxCD manifests in the Git repository | string |
"." |
no |
| github_deploy_key_readonly | Set the GitHub deploy key as read-only? | bool |
true |
no |
| github_deploy_key_title | GitHub deploy key title | string |
"flux" |
no |
| github_owner | GitHub owner | string |
n/a | yes |
| github_ssh_domain | Domain to use for SSH to GitHub | string |
"github.com" |
no |
| github_ssh_known_hosts_file | Path to a temporary file used to store GitHub's known hosts during the deployment | string |
"/tmp/github_known_hosts" |
no |
| k8s_cluster_domain | The internal cluster domain | string |
"cluster.local" |
no |
| k8s_namespace | Name of the Kubernetes namespace where the resources will be deployed | string |
"flux-system" |
no |
| k8s_namespace_annotations | Annotations to apply to the Kubernetes namespace when it is created | map(string) |
{} |
no |
| k8s_namespace_labels | Labels to apply to the Kubernetes namespace when it is created | map(string) |
{} |
no |
No modules.
| Name | Description |
|---|---|
| deploy_key | SSH key added to the GitHub repository |
| github_repository | GitHub repository used by flux |
| known_hosts | Known hosts for GitHub's SSH domain |
| namespace | The name (metadata.name) of the namespace |
| Name | Version |
|---|---|
| flux | 1.0.0-rc.1 |
| github | ~> 5.0 |
| kubectl | ~> 1.14 |
| kubernetes | ~> 2.16 |
| local | ~> 2.2 |
| null | ~> 3.2 |
| tls | ~> 4.0 |
| Name | Version |
|---|---|
| terraform | ~> 1.3 |
| flux | 1.0.0-rc.1 |
| github | ~> 5.0 |
| kubectl | ~> 1.14 |
| kubernetes | ~> 2.16 |
| local | ~> 2.2 |
| null | ~> 3.2 |
| tls | ~> 4.0 |
| Name | Type |
|---|---|
| github_repository_deploy_key.this | resource |
| github_repository_file.install | resource |
| github_repository_file.kustomize | resource |
| github_repository_file.sync | resource |
| kubectl_manifest.install | resource |
| kubectl_manifest.sync | resource |
| kubernetes_namespace.flux | resource |
| kubernetes_secret.flux_ssh | resource |
| null_resource.k8s_namespace | resource |
| null_resource.ssh_scan | resource |
| tls_private_key.this | resource |
| flux_install.this | data source |
| flux_sync.this | data source |
| github_repository.this | data source |
| kubectl_file_documents.install | data source |
| kubectl_file_documents.sync | data source |
| local_file.known_hosts | data source |
Andre Silva - @andreswebs
This project is licensed under the Unlicense.
https://www.terraform.io/docs/language/state/sensitive-data.html
https://github.com/kube-champ/terraform-k8s-flux-bootstrap