n3tuk/infra-flux

n3t.uk Flux Artifact Repository

Bootstrapping

In order for Flux to manage the Talos Kubernetes clusters it must be pre-installed using Helm. This configures the Custom Resource Definitions (CRDs) which Flux will manage, and the resources which Terraform will create and update.

The first step is to prepare the Kubernetes cluster. The commands following this block assume that the configuration context and namespace have already been selected within your local environment:

$ kubectx admin@{environment}
✔ Switched to context "admin@{environment}".
$ kubectl config set-context --current --namespace=flux-system

Next, add (or update) the fluxcd-community Helm repository so that Flux can be bootstrapped by installing it via Helm (and hence managed via HelmRelease resources in the future) rather than manually using the flux CLI tool:

$ helm repo add fluxcd-community https://fluxcd-community.github.io/helm-charts
"fluxcd-community" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "fluxcd-community" chart repository
Update Complete. ⎈Happy Helming!⎈

From here, Flux can be deployed, but with some minor overrides, specifically:

  1. The CRDs for Prometheus will be installed by Flux, so for the time being we temporarily disable the creation of PodMonitor resources through this Helm Chart, else Kubernetes will reject it.
  2. The Flux webhook receiver for the Notification Controller requires both cert-manager installed and LetsEncrypt configured as a ClusterIssuer in order for the Certificate resource to be created and issued. Again, we therefore must disable this set of resources or Kubernetes will reject it.

$ kubectl create namespace flux-system
$ helm install fluxcd fluxcd-community/flux2 \
    --values flux/flux/flux-values.yaml \
    --set prometheus.podMonitor.create=false \
    --set notificationController.webhookReceiver.ingress.create=false
NAME: fluxcd
LAST DEPLOYED: Thu Nov 21 14:17:19 2024
NAMESPACE: flux-system
STATUS: deployed
REVISION: 1
TEST SUITE: None

Finally, we need to set up the credentials to allow Flux to access the GitHub Container Registry where the baseline (and other) OCI images are stored for Flux to retrieve. This requires a Classic Personal Access Token configured with the read:packages scope:

  1. Log into GitHub and navigate to Settings > Developer Settings > Tokens (Classic), then either:
    1. Select the token named source-controller@{environment} and then click Regenerate token, select No expiration for Expiration, and click Regenerate token again to get a new token if the cluster is being rebuilt; or
    2. Click Generate new token > Generate new token (classic) and enter the Note as source-controller@{environment}, the Expiration date as No expiration (this will only be allowed to access packages), and select only the read:packages scope, then click Generate token.
  2. Copy the personal access token from GitHub and run the following command:

$ kubectl create secret docker-registry ghcr-login \
    --docker-server=ghcr.io \
    --docker-username={github_username} \
    --docker-password={github_pat}
secret/ghcr-login created

Flux is now bootstrapped. As such, all the necessary resources are deployed so that Terraform can plan and apply against the Kubernetes cluster, and create the OCIRepository and Kustomization resources necessary for Flux to build and run.
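The whole bootstrap above, wrapped as a single script with the checks an operator would want before handing over to Terraform. This is an added example and not part of n3tuk/infra-flux: the script name, the FLUX_ENV, GHCR_USER and GHCR_PAT variables and the 180s wait timeout are assumptions. It refuses to run against the wrong kubectl context, renders the ghcr-login Secret from environment variables (so the token never appears on a command line, in shell history or in ps output, unlike --docker-password={github_pat}), and waits for the Flux controllers to become Available.

```shell
#!/usr/bin/env sh
# bootstrap-flux.sh (added example, not part of n3tuk/infra-flux)
# Assumes: kubectl, helm and base64 on PATH; FLUX_ENV names the environment
# (so the expected context is admin@$FLUX_ENV); GHCR_USER and GHCR_PAT hold
# the GitHub username and read:packages token. All of these names are assumptions.
set -eu

FLUX_NS="flux-system"
VALUES_FILE="flux/flux/flux-values.yaml"

# Fail early unless the active kubectl context is the one we intend to bootstrap.
require_context() {
  expected="admin@${1:?environment name required}"
  current="$(kubectl config current-context)"
  [ "$current" = "$expected" ] || {
    echo "refusing to continue: context is '$current', expected '$expected'" >&2
    return 1
  }
}

# Build the .dockerconfigjson document that `kubectl create secret docker-registry`
# would produce. The auth field is base64(user:token): the token is only encoded,
# not encrypted, inside the Secret, so access to Secrets in flux-system is access
# to the PAT.
ghcr_dockerconfig() {
  user="$1" token="$2"
  auth="$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')"
  printf '{"auths":{"ghcr.io":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$user" "$token" "$auth"
}

# Render the Secret manifest on stdout. Credentials come from the caller's
# variables and are never placed on a command line.
render_ghcr_secret() {
  data="$(ghcr_dockerconfig "$1" "$2" | base64 | tr -d '\n')"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ghcr-login
  namespace: ${FLUX_NS}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${data}
EOF
}

bootstrap() {
  require_context "${FLUX_ENV:?set FLUX_ENV}"
  kubectl get namespace "$FLUX_NS" >/dev/null 2>&1 || kubectl create namespace "$FLUX_NS"
  helm repo add --force-update fluxcd-community https://fluxcd-community.github.io/helm-charts
  helm repo update
  # Same overrides as the README: the PodMonitor and the webhook Ingress stay
  # disabled until the Prometheus CRDs and cert-manager exist in the cluster.
  helm upgrade --install fluxcd fluxcd-community/flux2 \
    --namespace "$FLUX_NS" \
    --values "$VALUES_FILE" \
    --set prometheus.podMonitor.create=false \
    --set notificationController.webhookReceiver.ingress.create=false
  render_ghcr_secret "${GHCR_USER:?set GHCR_USER}" "${GHCR_PAT:?set GHCR_PAT}" \
    | kubectl apply -f -
  # Confirm the controllers actually came up before handing over to Terraform.
  kubectl -n "$FLUX_NS" wait deployment --all --for=condition=Available --timeout=180s
}

# Only run the bootstrap when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
  bootstrap
fi
```

Run it as `FLUX_ENV=prod GHCR_USER=... GHCR_PAT=... sh bootstrap-flux.sh run`. `helm upgrade --install` is used instead of `helm install` so the script is safe to re-run on a partially bootstrapped cluster; the values file and both `--set` overrides are exactly those from the README.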

Upgrading

TODO

Updating

To avoid a dependency loop between (at a minimum) the prometheus-operator and cert-manager services, where each requires the other to be installed before it can itself be installed, it is necessary to install the Custom Resource Definitions for these services independently. That allows the creation of the relevant resources without installing the additional services they depend on.

prometheus-operator CRDs

For the prometheus-operator CRDs, download the latest release of bundle.yaml and store it in the prometheus-operator.yaml file under flux/custom-resources:

wget https://github.com/prometheus-operator/prometheus-operator/releases/download/{release}/bundle.yaml \
  -O flux/custom-resources/prometheus-operator.yaml

cert-manager CRDs

For the cert-manager CRDs, download the latest release of cert-manager.crds.yaml and store it in the cert-manager.yaml file under flux/custom-resources:

wget https://github.com/cert-manager/cert-manager/releases/download/{release}/cert-manager.crds.yaml \
  -O flux/custom-resources/cert-manager.yaml
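Both downloads above, as one added script that is not part of n3tuk/infra-flux. It pins each release through an environment variable (PROM_RELEASE and CM_RELEASE, both assumed names) instead of tracking "latest", uses wget's capital -O so the document rather than the log lands in the file, and prints an inventory of the manifest kinds in each file so the reviewer of the resulting commit can see exactly what will be handed to Flux (CRDs only, or also RBAC and Deployments).

```shell
#!/usr/bin/env sh
# fetch-crds.sh (added example, not part of n3tuk/infra-flux)
# Assumes: wget on PATH and a checked-out repository containing
# flux/custom-resources/. PROM_RELEASE and CM_RELEASE are assumed names for
# the pinned release tags.
set -eu

CRD_DIR="flux/custom-resources"

# One line per manifest kind with the number of documents of that kind,
# most frequent first (e.g. "  12 CustomResourceDefinition").
kind_inventory() {
  grep -E '^kind:[[:space:]]*' "$1" | sed -E 's/^kind:[[:space:]]*//' | sort | uniq -c | sort -rn
}

# Number of CustomResourceDefinition documents in a manifest file (0 if none).
crd_count() {
  grep -cE '^kind:[[:space:]]*CustomResourceDefinition[[:space:]]*$' "$1" || true
}

# Download a pinned release asset into flux/custom-resources/<name>.yaml and
# refuse to keep a file that contains no CRDs at all.
# Note: wget -O (capital) writes the document; lowercase -o is the log file.
fetch_crds() {
  name="$1" url="$2"
  dest="${CRD_DIR}/${name}.yaml"
  wget -q "$url" -O "$dest"
  [ "$(crd_count "$dest")" -gt 0 ] || { echo "$dest: no CRDs found, refusing to keep it" >&2; return 1; }
  echo "== $dest"
  kind_inventory "$dest"
}

if [ "${1:-}" = "run" ]; then
  PROM_RELEASE="${PROM_RELEASE:?set PROM_RELEASE to the prometheus-operator release tag}"
  CM_RELEASE="${CM_RELEASE:?set CM_RELEASE to the cert-manager release tag}"
  fetch_crds prometheus-operator \
    "https://github.com/prometheus-operator/prometheus-operator/releases/download/${PROM_RELEASE}/bundle.yaml"
  fetch_crds cert-manager \
    "https://github.com/cert-manager/cert-manager/releases/download/${CM_RELEASE}/cert-manager.crds.yaml"
fi
```

Run it as `PROM_RELEASE=<tag> CM_RELEASE=<tag> sh fetch-crds.sh run` from the repository root, then review the inventory alongside `git diff flux/custom-resources` before committing.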
