# Installation
This guide walks you through setting up Flux v2 (hereafter: "Flux") to
manage one or more Kubernetes clusters.
## Prerequisites
You will need a Kubernetes cluster version **1.16** or newer
and kubectl version **1.18** or newer.
## Install the Flux CLI
With Homebrew:
brew install fluxcd/tap/flux
With Bash:
curl -s https://fluxcd.io/install.sh | sudo bash
# enable completions in ~/.bash_profile
. <(flux completion bash)
Command-line completion for `zsh`, `fish`, and `powershell`
are also supported with their own sub-commands.
Binaries for macOS, Windows and Linux AMD64/ARM are available for download on the
[release page](https://github.com/fluxcd/flux2/releases).
A container image with `kubectl` and `flux` is available on DockerHub and GitHub:
* `docker.io/fluxcd/flux-cli:<version>`
* `ghcr.io/fluxcd/flux-cli:<version>`
Verify that your cluster satisfies the prerequisites with:
flux check --pre
## Bootstrap
Using the `flux bootstrap` command you can install Flux on a
Kubernetes cluster and configure it to manage itself from a Git
If the Flux components are present on the cluster, the bootstrap
command will perform an upgrade if needed. The bootstrap is
idempotent, it's safe to run the command as many times as you want.
The Flux component images are published to DockerHub and GitHub Container Registry
as [multi-arch container images](https://docs.docker.com/docker-for-mac/multi-arch/)
with support for Linux `amd64`, `arm64` and `armv7` (e.g. 32bit Raspberry Pi)
If your Git provider is **GitHub**, **GitLab** or **Azure DevOps** please follow the specific bootstrap procedure:
* [GitHub.com and GitHub Enterprise](#github-and-github-enterprise)
* [GitLab.com and GitLab Enterprise](#gitlab-and-gitlab-enterprise)
* [Azure DevOps](../use-cases/azure.md#flux-installation-for-azure-devops)
### Generic Git Server
The `bootstrap git` command takes an existing Git repository, clones it and
commits the Flux components manifests to the specified branch. Then it
configures the target cluster to synchronize with that repository.
Run bootstrap for a Git repository and authenticate with your SSH agent:
flux bootstrap git \
--url=ssh://git@<host>/<org>/<repository> \
--branch=<my-branch> \
The above command will generate a SSH key (defaults to RSA 2048 but can be changed with `--ssh-key-algorithm`),
and it will prompt you to add the SSH public key as a deploy key to your repository.
If you want to use your own SSH key, you can provide a **passwordless** private key using
This option can also be used if no SSH agent is available on your machine.
!!! hint "Bootstrap options"
There are many options available when bootstrapping Flux, such as installing a subset of Flux components,
setting the Kubernetes context, changing the Git author name and email, enabling Git submodules, and more.
To list all the available options run `flux bootstrap git --help`.
If your Git server doesn't support SSH, you can run bootstrap for Git over HTTPS:
flux bootstrap git \
--url=https://<host>/<org>/<repository> \
--username=<my-username> \
--password=<my-password> \
--token-auth=true \
If your Git server uses a self-signed TLS certificate, you can specify the CA file with
With `--path` you can configure the directory which will be used to reconcile the target cluster.
To control multiple clusters from the same Git repository, you have to set a unique path per
cluster e.g. `clusters/staging` and `clusters/production`:
├── staging # <- path=clusters/staging
│ └── flux-system # <- namespace dir generated by bootstrap
│ ├── gotk-components.yaml
│ ├── gotk-sync.yaml
│ └── kustomization.yaml
└── production # <- path=clusters/production
└── flux-system
After running bootstrap you can place Kubernetes YAMLs inside a dir under path
e.g. `clusters/staging/my-app`, and Flux will reconcile them on your cluster.
For examples on how you can structure your Git repository see:
* [flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example)
* [flux2-multi-tenancy](https://github.com/fluxcd/flux2-multi-tenancy)
### GitHub and GitHub Enterprise
The `bootstrap github` command creates a GitHub repository if one doesn't exist and
commits the Flux components manifests to specified branch. Then it
configures the target cluster to synchronize with that repository by
setting up a SSH deploy key or by using token-based authentication.
Generate a [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line)
that can create repositories by checking all permissions under `repo`.
Export your GitHub personal access token as an environment variable:
export GITHUB_TOKEN=<your-token>
Run the bootstrap for a repository on your personal GitHub account:
flux bootstrap github \
--owner=my-github-username \
--repository=my-repository \
--path=clusters/my-cluster \
!!! hint "Deploy key"
The bootstrap command creates an SSH key which it stores as a secret in the
Kubernetes cluster. The key is also used to create a deploy key in the GitHub
repository. The new deploy key will be linked to the personal access token used
to authenticate. **Removing the personal access token will also remove the deploy key.**
Run the bootstrap for a repository owned by a GitHub organization:
flux bootstrap github \
--owner=my-github-organization \
--repository=my-repository \
--team=team1-slug \
--team=team2-slug \
When you specify a list of teams, those teams will be granted maintainer access to the repository.
To run the bootstrap for a repository hosted on GitHub Enterprise, you have to specify your GitHub hostname:
flux bootstrap github \
--hostname=my-github-enterprise.com \
--ssh-hostname=my-github-enterprise.com \
--owner=my-github-organization \
--repository=my-repository \
--branch=main \
If your GitHub Enterprise has SSH access disabled, you can use HTTPS and token authentication with:
flux bootstrap github \
--token-auth \
--hostname=my-github-enterprise.com \
--owner=my-github-organization \
--repository=my-repository \
--branch=main \
### GitLab and GitLab Enterprise
The `bootstrap gitlab` command creates a GitLab repository if one doesn't exist and
commits the Flux components manifests to specified branch. Then it
configures the target cluster to synchronize with that repository by
setting up a SSH deploy key or by using token-based authentication.
Generate a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html)
that grants complete read/write access to the GitLab API.
Export your GitLab personal access token as an environment variable:
export GITLAB_TOKEN=<your-token>
Run the bootstrap for a repository on your personal GitLab account:
flux bootstrap gitlab \
--owner=my-gitlab-username \
--repository=my-repository \
--branch=master \
--path=clusters/my-cluster \
--token-auth \
To run the bootstrap for a repository using deploy keys for authentication, you have to specify the SSH hostname:
flux bootstrap gitlab \
--ssh-hostname=gitlab.com \
--owner=my-gitlab-username \
--repository=my-repository \
--branch=master \
!!! hint "Authentication"
When providing the `--ssh-hostname`, a read-only (SSH) deploy key will be added
to your repository, otherwise your GitLab personal token will be used to
authenticate against the HTTPS endpoint instead.
Run the bootstrap for a repository owned by a GitLab (sub)group:
flux bootstrap gitlab \
--owner=my-gitlab-group/my-gitlab-subgroup \
--repository=my-repository \
--branch=master \
To run the bootstrap for a repository hosted on GitLab on-prem or enterprise, you have to specify your GitLab hostname:
flux bootstrap gitlab \
--hostname=my-gitlab.com \
--token-auth \
--owner=my-gitlab-group \
--repository=my-repository \
--branch=master \
### Air-gapped Environments
To bootstrap Flux on air-gapped environments without access to github.com and ghcr.io, first you'll need
to download the `flux` binary, and the container images from a computer with access to internet.
List all container images:
$ flux install --export | grep ghcr.io
image: ghcr.io/fluxcd/helm-controller:v0.8.0
image: ghcr.io/fluxcd/kustomize-controller:v0.9.0
image: ghcr.io/fluxcd/notification-controller:v0.9.0
image: ghcr.io/fluxcd/source-controller:v0.9.0
Pull the images locally and push them to your container registry:
docker pull ghcr.io/fluxcd/source-controller:v0.9.0
docker tag ghcr.io/fluxcd/source-controller:v0.9.0 registry.internal/fluxcd/source-controller:v0.9.0
docker push registry.internal/fluxcd/source-controller:v0.9.0
Copy `flux` binary to a computer with access to your air-gapped cluster,
and create the pull secret in the `flux-system` namespace:
kubectl create ns flux-system
kubectl -n flux-system create secret generic regcred \
--from-file=.dockerconfigjson=/.docker/config.json \
Finally, bootstrap Flux using the images from your private registry:
flux bootstrap <GIT-PROVIDER> \
--registry=registry.internal/fluxcd \
--image-pull-secret=regcred \
Note that when running `flux bootstrap` without specifying a `--version`,
the CLI will use the manifests embedded in its binary instead of downloading
them from GitHub. You can determine which version you'll be installing,
with `flux --version`.
## Bootstrap with Terraform
The bootstrap procedure can be implemented with Terraform using the Flux provider published on
The provider consists of two data sources (`flux_install` and `flux_sync`) for generating the
Kubernetes manifests that can be used to install or upgrade Flux:
data "flux_install" "main" {
target_path = "clusters/my-cluster"
network_policy = false
version = "latest"
data "flux_sync" "main" {
target_path = "clusters/my-cluster"
url = "https://github.com/${var.github_owner}/${var.repository_name}"
branch = "main"
For more details on how to use the Terraform provider
please see [fluxcd/terraform-provider-flux](https://github.com/fluxcd/terraform-provider-flux).
## Customize Flux manifests
You can customize the Flux components before or after running bootstrap.
Assuming you want to customise the Flux controllers before they get deployed on the cluster,
first you'll need to create a Git repository and clone it locally.
Create the file structure required by bootstrap with:
mkdir -p clusters/my-cluster/flux-system
touch clusters/my-cluster/flux-system/gotk-components.yaml \
clusters/my-cluster/flux-system/gotk-patches.yaml \
clusters/my-cluster/flux-system/gotk-sync.yaml \
Assuming you want to add custom annotations and labels to the Flux controllers,
edit `clusters/my-cluster/gotk-patches.yaml` and set the metadata for source-controller and kustomize-controller pods:
apiVersion: apps/v1
kind: Deployment
name: source-controller
namespace: flux-system
custom: annotation
custom: label
apiVersion: apps/v1
kind: Deployment
name: kustomize-controller
namespace: flux-system
custom: annotation
custom: label
Edit `clusters/my-cluster/kustomization.yaml` and set the resources and patches:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
- gotk-components.yaml
- gotk-sync.yaml
- gotk-patches.yaml
Push the changes to main branch:
git add -A && git commit -m "add flux customisations" && git push
Now run the bootstrap for `clusters/my-cluster`:
flux bootstrap git \
--url=ssh://git@<host>/<org>/<repository> \
--branch=main \
When the controllers are deployed for the first time on your cluster, they will contain all
the customisations from `gotk-patches.yaml`.
You can make changes to the patches after bootstrap and Flux will apply them in-cluster on its own.
## Dev install
For testing purposes you can install Flux without storing its manifests in a Git repository:
flux install
Or using kubectl:
kubectl apply -f https://github.com/fluxcd/flux2/releases/latest/download/install.yaml
Then you can register Git repositories and reconcile them on your cluster:
flux create source git podinfo \
--url=https://github.com/stefanprodan/podinfo \
--tag-semver=">=4.0.0" \
flux create kustomization podinfo-default \
--source=podinfo \
--path="./kustomize" \
--prune=true \
--validation=client \
--interval=10m \
--health-check="Deployment/podinfo.default" \
You can register Helm repositories and create Helm releases:
flux create source helm bitnami \
--interval=1h \
flux create helmrelease nginx \
--interval=1h \
--release-name=nginx-ingress-controller \
--target-namespace=kube-system \
--source=HelmRepository/bitnami \
--chart=nginx-ingress-controller \
## Upgrade
!!! note "Patch versions"
It is safe and advised to use the latest PATCH version when upgrading to a
new MINOR version.
Update Flux CLI to the latest release with `brew upgrade fluxcd/tap/flux` or by
downloading the binary from [GitHub](https://github.com/fluxcd/flux2/releases).
Verify that you are running the latest version with:
flux --version
### Bootstrap upgrade
If you've used the [bootstrap](#bootstrap) procedure to deploy Flux,
then rerun the bootstrap command for each cluster using the same arguments as before:
flux bootstrap github \
--owner=my-github-username \
--repository=my-repository \
--branch=main \
--path=clusters/my-cluster \
The above command will clone the repository, it will update the components manifest in
`<path>/flux-system/gotk-components.yaml` and it will push the changes to the remote branch.
Tell Flux to pull the manifests from Git and upgrade itself with:
flux reconcile source git flux-system
Verify that the controllers have been upgrade with:
flux check
!!! hint "Automated upgrades"
You can automate the components manifest update with GitHub Actions
and open a PR when there is a new Flux version available.
For more details please see [Flux GitHub Action docs](https://github.com/fluxcd/flux2/tree/main/action).
### Terraform upgrade
Update the Flux provider to the [latest release](https://github.com/fluxcd/terraform-provider-flux/releases)
and run `terraform apply`.
Tell Flux to upgrade itself in-cluster or wait for it to pull the latest commit from Git:
kubectl annotate --overwrite gitrepository/flux-system reconcile.fluxcd.io/requestedAt="$(date +%s)"
### In-cluster upgrade
If you've installed Flux directly on the cluster, then rerun the install command:
flux install
The above command will apply the new manifests on your cluster.
You can verify that the controllers have been upgraded to the latest version with `flux check`.
If you've installed Flux directly on the cluster with kubectl,
then rerun the command using the latest manifests from the `main` branch:
kustomize build https://github.com/fluxcd/flux2/manifests/install?ref=main | kubectl apply -f-
## Uninstall
You can uninstall Flux with:
flux uninstall --namespace=flux-system
The above command performs the following operations:
- deletes Flux components (deployments and services)
- deletes Flux network policies
- deletes Flux RBAC (service accounts, cluster roles and cluster role bindings)
- removes the Kubernetes finalizers from Flux custom resources
- deletes Flux custom resource definitions and custom resources
- deletes the namespace where Flux was installed
If you've installed Flux in a namespace that you wish to preserve, you
can skip the namespace deletion with:
flux uninstall --namespace=infra --keep-namespace
!!! hint
Note that the `uninstall` command will not remove any Kubernetes objects
or Helm releases that were reconciled on the cluster by Flux.