Flux

Flux is a tool that automatically ensures that the state of a cluster matches the config in git. It uses an operator in the cluster to trigger deployments inside Kubernetes, which means you don't need a separate CD tool. It monitors all relevant image repositories, detects new images, triggers deployments and updates the desired running configuration based on that (and a configurable policy).

Introduction

This chart bootstraps a Flux deployment on a Kubernetes cluster using the Helm package manager.

Prerequisites

Kubernetes

Kubernetes >= v1.10 is recommended. Kubernetes v1.8 (an early release of the CustomResourceDefinition API) appears to have problems with repeated application of custom resources (see kubernetes/kubernetes#53379), which means fluxd can fail to apply changes to HelmRelease resources.

Helm

Tiller should be running in the cluster; helm-operator waits until it can find one. Note that a default Tiller installation listens on an unauthenticated gRPC port and typically runs with cluster-admin, so anything that can reach it inside the cluster can install arbitrary releases. Run Tiller with TLS client authentication and point the operator at it with the helmOperator.tls.* parameters listed under Configuration.

Git repo

  • One repo containing cluster config (i.e., Kubernetes YAMLs) and zero or more git repos containing the charts themselves.
  • Charts can be co-located with config in the git repo, or come from Helm repositories.
  • The namespace of a HelmRelease custom resource determines where the release is installed: the Helm release and its custom resource live in the same namespace.
  • Example of a test repo: https://github.com/weaveworks/flux-get-started

Installation

We put together a simple Get Started guide which takes about 5-10 minutes to follow. You will have a fully working Flux installation deploying workloads to your cluster.

Installing Flux using Helm

Installing the Chart

Add the weaveworks repo:

helm repo add weaveworks https://weaveworks.github.io/flux

To install the chart with the release name flux, replace weaveworks/flux-get-started with your own git repository and run helm install:

$ helm install --name flux \
--set git.url=git@github.com:weaveworks/flux-get-started \
--namespace flux \
weaveworks/flux

To connect Flux to a Weave Cloud instance:

helm install --name flux \
--set git.url=git@github.com:weaveworks/flux-get-started \
--set token=YOUR_WEAVE_CLOUD_SERVICE_TOKEN \
--namespace flux \
weaveworks/flux

To install Flux with the Helm operator:

Apply the Helm Release CRD:

kubectl apply -f https://raw.githubusercontent.com/weaveworks/flux/master/deploy-helm/flux-helm-release-crd.yaml

Install Flux with Helm:

$ helm install --name flux \
--set git.url=git@github.com:weaveworks/flux-get-started \
--set helmOperator.create=true \
--set helmOperator.createCRD=false \
--namespace flux \
weaveworks/flux

To install Flux with a private git host:

When using a private git host, you must set the ssh.known_hosts variable: Flux runs its git operations with StrictHostKeyChecking enabled, so a host whose key is not in known_hosts is refused rather than trusted on first use.

Setting ssh.known_hosts creates a ConfigMap named flux-ssh-config, which is mounted through the volume named sshdir at /root/.ssh/known_hosts.

  • Get the host keys for ssh.known_hosts by running the following command:
ssh-keyscan <your_git_host_domain>

ssh-keyscan records whatever answers on the wire, so by itself it cannot detect a man-in-the-middle. Before using its output, confirm the keys (or their fingerprints, which ssh-keygen -lf prints for a scanned file) against a reference obtained through an independent channel, such as the fingerprints your git host publishes in its documentation or a confirmation from the host's administrators.

  • Start flux and flux helm operator:

    • Using a string for setting known_hosts

      YOUR_GIT_HOST=your_git_host.example.com
      YOUR_GIT_USER=your_git_user
      KNOWN_HOSTS='domain ssh-rsa line1
      domain ecdsa-sha2-line2
      domain ssh-ed25519 line3'
      
      helm install \
      --name flux \
      --set helmOperator.create=true \
      --set helmOperator.createCRD=false \
      --set git.url="git@${YOUR_GIT_HOST}:${YOUR_GIT_USER}/flux-get-started" \
      --set-string ssh.known_hosts="${KNOWN_HOSTS}" \
      --namespace flux \
      chart/flux
    • Using a file for setting known_hosts

      Copy known_hosts keys into a temporary file /tmp/flux_known_hosts

      YOUR_GIT_HOST=your_git_host.example.com
      YOUR_GIT_USER=your_git_user
      
      helm install \
      --name flux \
      --set helmOperator.create=true \
      --set helmOperator.createCRD=false \
      --set git.url="git@${YOUR_GIT_HOST}:${YOUR_GIT_USER}/flux-get-started" \
      --set-file ssh.known_hosts=/tmp/flux_known_hosts \
      --namespace flux \
      chart/flux
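
Putting the verification step into practice: the script below is an added example and is not part of the Flux chart or the flux-get-started repository. It takes ssh-keyscan output and accepts it only if the set of (host, key type, key) triples matches a reference list you obtained independently, then shows how the verified file feeds --set-file ssh.known_hosts. The host name git.example.com, the key blobs and the ORG/REPO argument are constructed placeholders, not real host keys.

```shell
#!/usr/bin/env bash
# Added example, not part of the Flux chart: verify ssh-keyscan output against
# host keys obtained out-of-band before handing it to --set-file ssh.known_hosts.
set -eu

# Constructed reference data standing in for what your git host's operators
# publish (documentation page, API, or a fingerprint sheet). The key blobs are
# placeholders, not real host keys.
GIT_HOST="git.example.com"
EXPECTED_KEYS='git.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLEexampleEXAMPL
git.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEexample'

# Constructed scan results. The first is what an honest ssh-keyscan returns;
# the second carries a different ed25519 blob, as an on-path attacker would present.
SCANNED_GOOD="$EXPECTED_KEYS"
SCANNED_BAD='git.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIATTACKERattackerATTACKERattackerATTACKERatta
git.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEexample'

# normalize FILE: drop comments and blank lines, keep "host type blob", sorted.
normalize() {
  grep -v '^#' "$1" | awk 'NF >= 3 { print $1, $2, $3 }' | sort -u
}

# verify_known_hosts SCANNED EXPECTED
# Succeeds only when the scanned set of (host, type, blob) equals the expected
# set exactly: a substituted blob, a missing key type, or an extra type the
# operators never published all fail.
verify_known_hosts() {
  scanned=$(normalize "$1")
  expected=$(normalize "$2")
  if [ -z "$expected" ]; then
    echo "verify_known_hosts: no expected keys in $2" >&2
    return 1
  fi
  if [ "$scanned" = "$expected" ]; then
    return 0
  fi
  printf 'host key mismatch in %s\n--- scanned ---\n%s\n--- expected ---\n%s\n' \
    "$1" "$scanned" "$expected" >&2
  return 1
}

# scan_and_install ORG/REPO: the real procedure (needs network, helm, a cluster).
# Defined for reference; the demo below does not call it.
scan_and_install() {
  ssh-keyscan -t rsa,ecdsa,ed25519 "$GIT_HOST" > "$WORKDIR/scan" 2>/dev/null
  verify_known_hosts "$WORKDIR/scan" "$WORKDIR/expected"
  # Fingerprints for a human to compare against the host's published list.
  if command -v ssh-keygen >/dev/null; then ssh-keygen -lf "$WORKDIR/scan"; fi
  helm install --name flux --namespace flux \
    --set helmOperator.create=true --set helmOperator.createCRD=false \
    --set git.url="git@${GIT_HOST}:$1" \
    --set-file ssh.known_hosts="$WORKDIR/scan" \
    weaveworks/flux
}

# Offline demo on the constructed files.
WORKDIR=$(mktemp -d)
printf '%s\n' "$EXPECTED_KEYS" > "$WORKDIR/expected"
printf '%s\n' "$SCANNED_GOOD"  > "$WORKDIR/scan_good"
printf '%s\n' "$SCANNED_BAD"   > "$WORKDIR/scan_bad"

verify_known_hosts "$WORKDIR/scan_good" "$WORKDIR/expected" && echo "scan_good: accepted"
if verify_known_hosts "$WORKDIR/scan_bad" "$WORKDIR/expected" 2>/dev/null; then
  echo "scan_bad: accepted (BUG)"
else
  echo "scan_bad: rejected, do not install with this known_hosts"
fi
```

The comparison is on the full key blobs rather than fingerprints so that it needs nothing beyond awk and sort; if your host only publishes fingerprints, run ssh-keygen -lf on the scanned file and compare those by eye before installing.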

The configuration section lists all the parameters that can be configured during installation.

Setup Git deploy

At startup Flux generates an SSH key pair and logs the public key. Find the public key by installing fluxctl and running:

fluxctl identity

To let Flux sync your cluster state with GitHub, add this public key as a deploy key with write access on your GitHub repository: go to Settings > Deploy keys, click Add deploy key, check Allow write access, paste the Flux public key and click Add key. Write access is needed because Flux pushes the sync tag (git.label) and, when automated image updates are enabled, commits manifest changes. A deploy key is scoped to a single repository, so do not reuse it elsewhere; the private key stays in a Kubernetes secret in the cluster, which means anyone who can read secrets in the flux namespace can read it.

Uninstalling the Chart

To uninstall/delete the flux deployment:

helm delete --purge flux

The command removes all the Kubernetes components associated with the chart and deletes the release. It does not remove a HelmRelease CRD that you applied with kubectl, nor any HelmRelease resources; delete those separately if they are no longer needed. You should also remove the deploy key from your GitHub repository, since the private key it belonged to is gone with the release.

Configuration

The following table lists the configurable parameters of the Weave Flux chart and their default values.

| Parameter | Description | Default |
| --- | --- | --- |
| image.repository | Image repository | quay.io/weaveworks/flux |
| image.tag | Image tag | <VERSION> |
| replicaCount | Number of flux pods to deploy; more than one is not desirable. | 1 |
| image.pullPolicy | Image pull policy | IfNotPresent |
| image.pullSecret | Image pull secret | None |
| resources.requests.cpu | CPU resource requests for the flux deployment | 50m |
| resources.requests.memory | Memory resource requests for the flux deployment | 64Mi |
| resources.limits | CPU/memory resource limits for the flux deployment | None |
| nodeSelector | Node Selector properties for the flux deployment | {} |
| tolerations | Tolerations properties for the flux deployment | [] |
| affinity | Affinity properties for the flux deployment | {} |
| token | Weave Cloud service token | None |
| extraEnvs | Extra environment variables for the flux pod(s) | [] |
| rbac.create | If true, create and use RBAC resources | true |
| serviceAccount.create | If true, create a new service account | true |
| serviceAccount.name | Service account to be used | flux |
| service.type | Service type to be used (exposing the Flux API outside of the cluster is not advised) | ClusterIP |
| service.port | Service port to be used | 3030 |
| git.url | URL of git repo with Kubernetes manifests | None |
| git.branch | Branch of git repo to use for Kubernetes manifests | master |
| git.path | Path within git repo to locate Kubernetes manifests (relative path) | None |
| git.user | Username to use as git committer | Weave Flux |
| git.email | Email to use as git committer | support@weave.works |
| git.setAuthor | If set, the author of git commits will reflect the user who initiated the commit and will differ from the git committer. | false |
| git.label | Label to keep track of sync progress, used to tag the Git branch | flux-sync |
| git.ciSkip | Append "[ci skip]" to commit messages so that CI will skip builds | false |
| git.pollInterval | Period at which to poll git repo for new commits | 5m |
| git.timeout | Duration after which git operations time out | 20s |
| git.secretName | Kubernetes secret with the SSH private key. Superseded by helmOperator.git.secretName if set. | None |
| ssh.known_hosts | The contents of an SSH known_hosts file, if you need to supply host key(s) | None |
| registry.pollInterval | Period at which to check for updated images | 5m |
| registry.rps | Maximum registry requests per second per host | 200 |
| registry.burst | Maximum number of warmer connections to remote and memcache | 125 |
| registry.trace | Output trace of image registry requests to log | false |
| registry.insecureHosts | Use HTTP rather than HTTPS for the image registry domains | None |
| registry.cacheExpiry | Duration to keep cached image info (deprecated) | None |
| registry.excludeImage | Do not scan images that match these glob expressions; if empty, 'k8s.gcr.io/*' images are excluded | None |
| registry.ecr.region | Restrict ECR scanning to these AWS regions; if empty, only the cluster's region will be scanned | None |
| registry.ecr.includeId | Restrict ECR scanning to these AWS account IDs; if empty, all account IDs that aren't excluded may be scanned | None |
| registry.ecr.excludeId | Do not scan ECR for images in these AWS account IDs; the default is to exclude the EKS system account | 602401143452 |
| registry.acr.enabled | Mount azure.json via HostPath into the Flux Pod, enabling Flux to use AKS's service principal for ACR authentication | false |
| registry.acr.hostPath | Alternative location of azure.json on the host | /etc/kubernetes/azure.json |
| memcached.verbose | Enable request logging in memcached | false |
| memcached.maxItemSize | Maximum size for one item | 1m |
| memcached.maxMemory | Maximum memory to use, in megabytes | 64 |
| memcached.pullSecret | Image pull secret | None |
| memcached.repository | Image repository | memcached |
| memcached.resources | CPU/memory resource requests/limits for memcached | None |
| helmOperator.create | If true, install the Helm operator | false |
| helmOperator.createCRD | Create the v1beta1 and v1alpha2 flux CRDs. Dependent on helmOperator.create=true | true |
| helmOperator.repository | Helm operator image repository | quay.io/weaveworks/helm-operator |
| helmOperator.tag | Helm operator image tag | <VERSION> |
| helmOperator.replicaCount | Number of helm operator pods to deploy; more than one is not desirable. | 1 |
| helmOperator.pullPolicy | Helm operator image pull policy | IfNotPresent |
| helmOperator.pullSecret | Image pull secret | None |
| helmOperator.updateChartDeps | Update dependencies for charts | true |
| helmOperator.git.pollInterval | Period at which to poll git repo for new commits | git.pollInterval |
| helmOperator.git.timeout | Duration after which git operations time out | git.timeout |
| helmOperator.git.secretName | The name of the Kubernetes secret with the SSH private key; supersedes git.secretName | None |
| helmOperator.chartsSyncInterval | Interval at which to check for changed charts | 3m |
| helmOperator.extraEnvs | Extra environment variables for the Helm operator pod | [] |
| helmOperator.logReleaseDiffs | Helm operator should log the diff when a chart release diverges (the diff can include secret values from the release manifests, so treat the logs as sensitive) | false |
| helmOperator.allowNamespace | If set, this limits the scope to a single namespace. If not specified, all namespaces will be watched | None |
| helmOperator.tillerNamespace | Namespace in which the Tiller server can be found | kube-system |
| helmOperator.tls.enable | Enable TLS for communicating with Tiller | false |
| helmOperator.tls.verify | Verify the Tiller certificate; also enables TLS when set to true | false |
| helmOperator.tls.secretName | Name of the secret containing the TLS client certificates for communicating with Tiller | helm-client-certs |
| helmOperator.tls.keyFile | Name of the key file within the k8s secret | tls.key |
| helmOperator.tls.certFile | Name of the certificate file within the k8s secret | tls.crt |
| helmOperator.tls.caContent | Certificate Authority content used to validate the Tiller server certificate | None |
| helmOperator.tls.hostname | The server name used to verify the hostname on the returned certificates from the Tiller server | None |
| helmOperator.configureRepositories.enable | Enable volume mount for a repositories.yaml configuration file and repository cache | false |
| helmOperator.configureRepositories.volumeName | Name of the volume for the repositories.yaml file | repositories-yaml |
| helmOperator.configureRepositories.secretName | Name of the secret containing the contents of the repositories.yaml file | flux-helm-repositories |
| helmOperator.configureRepositories.cacheName | Name for the repository cache volume | repositories-cache |
| helmOperator.resources.requests.cpu | CPU resource requests for the helmOperator deployment | 50m |
| helmOperator.resources.requests.memory | Memory resource requests for the helmOperator deployment | 64Mi |
| helmOperator.resources.limits | CPU/memory resource limits for the helmOperator deployment | None |
| helmOperator.nodeSelector | Node Selector properties for the helmOperator deployment | {} |
| helmOperator.tolerations | Tolerations properties for the helmOperator deployment | [] |
| helmOperator.affinity | Affinity properties for the helmOperator deployment | {} |
| kube.config | Override for kubectl default config in the flux pod(s). | See values.yaml |
| prometheus.enabled | If enabled, adds prometheus annotations to flux and helmOperator pod(s) | false |

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example:

$ helm upgrade --install --wait flux \
--set git.url=git@github.com:stefanprodan/k8s-podinfo \
--set git.path="deploy/auto-scaling\,deploy/local-storage" \
--namespace flux \
weaveworks/flux

Upgrade

Update Weave Flux version with:

helm upgrade --reuse-values flux \
--set image.tag=1.8.1 \
weaveworks/flux