mirror of https://github.com/fluxcd/flux2.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
553 lines
16 KiB
Markdown
553 lines
16 KiB
Markdown
# Installation
|
|
|
|
This guide walks you through setting up Flux v2 (hereafter: "Flux") to
|
|
manage one or more Kubernetes clusters.
|
|
|
|
## Prerequisites
|
|
|
|
You will need a Kubernetes cluster version **1.16** or newer
|
|
and kubectl version **1.18** or newer.
|
|
|
|
## Install the Flux CLI
|
|
|
|
With Homebrew:
|
|
|
|
```sh
|
|
brew install fluxcd/tap/flux
|
|
```
|
|
|
|
With Bash:
|
|
|
|
```sh
|
|
curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
|
|
|
|
# enable completions in ~/.bash_profile
|
|
. <(flux completion bash)
|
|
```
|
|
|
|
Command-line completion for `zsh`, `fish`, and `powershell`
|
|
are also supported with their own sub-commands.
|
|
|
|
Binaries for macOS, Windows and Linux AMD64/ARM are available for download on the
|
|
[release page](https://github.com/fluxcd/flux2/releases).
|
|
|
|
A container image with `kubectl` and `flux` is available on DockerHub and GitHub:
|
|
|
|
* `docker.io/fluxcd/flux-cli:<version>`
|
|
* `ghcr.io/fluxcd/flux-cli:<version>`
|
|
|
|
Verify that your cluster satisfies the prerequisites with:
|
|
|
|
```sh
|
|
flux check --pre
|
|
```
|
|
|
|
## Bootstrap
|
|
|
|
Using the `flux bootstrap` command you can install Flux on a
|
|
Kubernetes cluster and configure it to manage itself from a Git
|
|
repository.
|
|
If the Flux components are present on the cluster, the bootstrap
|
|
command will perform an upgrade if needed. The bootstrap is
|
|
idempotent, it's safe to run the command as many times as you want.
|
|
|
|
The Flux component images are published to DockerHub and GitHub Container Registry
|
|
as [multi-arch container images](https://docs.docker.com/docker-for-mac/multi-arch/)
|
|
with support for Linux `amd64`, `arm64` and `armv7` (e.g. 32bit Raspberry Pi)
|
|
architectures.
|
|
|
|
If your Git provider is **GitHub**, **GitLab** or **Azure DevOps** please follow the specific bootstrap procedure:
|
|
|
|
* [GitHub.com and GitHub Enterprise](#github-and-github-enterprise)
|
|
* [GitLab.com and GitLab Enterprise](#gitlab-and-gitlab-enterprise)
|
|
* [Azure DevOps](../use-cases/azure.md#flux-installation-for-azure-devops)
|
|
|
|
### Generic Git Server
|
|
|
|
The `bootstrap git` command takes an existing Git repository, clones it and
|
|
commits the Flux components manifests to the specified branch. Then it
|
|
configures the target cluster to synchronize with that repository.
|
|
|
|
Run bootstrap for a Git repository and authenticate with your SSH agent:
|
|
|
|
```sh
|
|
flux bootstrap git \
|
|
--url=ssh://git@<host>/<org>/<repository> \
|
|
--branch=<my-branch> \
|
|
--path=clusters/my-cluster
|
|
```
|
|
|
|
The above command will generate a SSH key (defaults to RSA 2048 but can be changed with `--ssh-key-algorithm`),
|
|
and it will prompt you to add the SSH public key as a deploy key to your repository.
|
|
|
|
If you want to use your own SSH key, you can provide a **passwordless** private key using
|
|
`--private-key-file=<path/to/private.key>`.
|
|
This option can also be used if no SSH agent is available on your machine.
|
|
|
|
!!! hint "Bootstrap options"
|
|
There are many options available when bootstrapping Flux, such as installing a subset of Flux components,
|
|
setting the Kubernetes context, changing the Git author name and email, enabling Git submodules, and more.
|
|
To list all the available options run `flux bootstrap git --help`.
|
|
|
|
If your Git server doesn't support SSH, you can run bootstrap for Git over HTTPS:
|
|
|
|
```sh
|
|
flux bootstrap git \
|
|
--url=https://<host>/<org>/<repository> \
|
|
--username=<my-username> \
|
|
--password=<my-password> \
|
|
--token-auth=true \
|
|
--path=clusters/my-cluster
|
|
```
|
|
|
|
If your Git server uses a self-signed TLS certificate, you can specify the CA file with
|
|
`--ca-file=<path/to/ca.crt>`.
|
|
|
|
With `--path` you can configure the directory which will be used to reconcile the target cluster.
|
|
To control multiple clusters from the same Git repository, you have to set a unique path per
|
|
cluster e.g. `clusters/staging` and `clusters/production`:
|
|
|
|
```sh
|
|
./clusters/
|
|
├── staging # <- path=clusters/staging
|
|
│ └── flux-system # <- namespace dir generated by bootstrap
|
|
│ ├── gotk-components.yaml
|
|
│ ├── gotk-sync.yaml
|
|
│ └── kustomization.yaml
|
|
└── production # <- path=clusters/production
|
|
└── flux-system
|
|
```
|
|
|
|
After running bootstrap you can place Kubernetes YAMLs inside a dir under path
|
|
e.g. `clusters/staging/my-app`, and Flux will reconcile them on your cluster.
|
|
|
|
For examples on how you can structure your Git repository see:
|
|
|
|
* [flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example)
|
|
* [flux2-multi-tenancy](https://github.com/fluxcd/flux2-multi-tenancy)
|
|
|
|
### GitHub and GitHub Enterprise
|
|
|
|
The `bootstrap github` command creates a GitHub repository if one doesn't exist and
|
|
commits the Flux components manifests to specified branch. Then it
|
|
configures the target cluster to synchronize with that repository by
|
|
setting up a SSH deploy key or by using token-based authentication.
|
|
|
|
Generate a [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line)
|
|
that can create repositories by checking all permissions under `repo`.
|
|
|
|
Export your GitHub personal access token as an environment variable:
|
|
|
|
```sh
|
|
export GITHUB_TOKEN=<your-token>
|
|
```
|
|
|
|
Run the bootstrap for a repository on your personal GitHub account:
|
|
|
|
```sh
|
|
flux bootstrap github \
|
|
--owner=my-github-username \
|
|
--repository=my-repository \
|
|
--path=clusters/my-cluster \
|
|
--personal
|
|
```
|
|
|
|
!!! hint "Deploy key"
|
|
The bootstrap command creates an SSH key which it stores as a secret in the
|
|
Kubernetes cluster. The key is also used to create a deploy key in the GitHub
|
|
repository. The new deploy key will be linked to the personal access token used
|
|
to authenticate. **Removing the personal access token will also remove the deploy key.**
|
|
|
|
Run the bootstrap for a repository owned by a GitHub organization:
|
|
|
|
```sh
|
|
flux bootstrap github \
|
|
--owner=my-github-organization \
|
|
--repository=my-repository \
|
|
--team=team1-slug \
|
|
--team=team2-slug \
|
|
--path=clusters/my-cluster
|
|
```
|
|
|
|
When you specify a list of teams, those teams will be granted maintainer access to the repository.
|
|
|
|
To run the bootstrap for a repository hosted on GitHub Enterprise, you have to specify your GitHub hostname:
|
|
|
|
```sh
|
|
flux bootstrap github \
|
|
--hostname=my-github-enterprise.com \
|
|
--ssh-hostname=my-github-enterprise.com \
|
|
--owner=my-github-organization \
|
|
--repository=my-repository \
|
|
--branch=main \
|
|
--path=clusters/my-cluster
|
|
```
|
|
|
|
If your GitHub Enterprise has SSH access disabled, you can use HTTPS and token authentication with:
|
|
|
|
```sh
|
|
flux bootstrap github \
|
|
--token-auth \
|
|
--hostname=my-github-enterprise.com \
|
|
--owner=my-github-organization \
|
|
--repository=my-repository \
|
|
--branch=main \
|
|
--path=clusters/my-cluster
|
|
```
|
|
|
|
### GitLab and GitLab Enterprise
|
|
|
|
The `bootstrap gitlab` command creates a GitLab repository if one doesn't exist and
|
|
commits the Flux components manifests to specified branch. Then it
|
|
configures the target cluster to synchronize with that repository by
|
|
setting up a SSH deploy key or by using token-based authentication.
|
|
|
|
Generate a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html)
|
|
that grants complete read/write access to the GitLab API.
|
|
|
|
Export your GitLab personal access token as an environment variable:
|
|
|
|
```sh
|
|
export GITLAB_TOKEN=<your-token>
|
|
```
|
|
|
|
Run the bootstrap for a repository on your personal GitLab account:
|
|
|
|
```sh
|
|
flux bootstrap gitlab \
|
|
--owner=my-gitlab-username \
|
|
--repository=my-repository \
|
|
--branch=master \
|
|
--path=clusters/my-cluster \
|
|
--token-auth \
|
|
--personal
|
|
```
|
|
|
|
To run the bootstrap for a repository using deploy keys for authentication, you have to specify the SSH hostname:
|
|
|
|
```sh
|
|
flux bootstrap gitlab \
|
|
--ssh-hostname=gitlab.com \
|
|
--owner=my-gitlab-username \
|
|
--repository=my-repository \
|
|
--branch=master \
|
|
--path=clusters/my-cluster
|
|
```
|
|
|
|
!!! hint "Authentication"
|
|
When providing the `--ssh-hostname`, a read-only (SSH) deploy key will be added
|
|
to your repository, otherwise your GitLab personal token will be used to
|
|
authenticate against the HTTPS endpoint instead.
|
|
|
|
Run the bootstrap for a repository owned by a GitLab (sub)group:
|
|
|
|
```sh
|
|
flux bootstrap gitlab \
|
|
--owner=my-gitlab-group/my-gitlab-subgroup \
|
|
--repository=my-repository \
|
|
--branch=master \
|
|
--path=clusters/my-cluster
|
|
```
|
|
|
|
To run the bootstrap for a repository hosted on GitLab on-prem or enterprise, you have to specify your GitLab hostname:
|
|
|
|
```sh
|
|
flux bootstrap gitlab \
|
|
--hostname=my-gitlab.com \
|
|
--token-auth \
|
|
--owner=my-gitlab-group \
|
|
--repository=my-repository \
|
|
--branch=master \
|
|
--path=clusters/my-cluster
|
|
```
|
|
|
|
### Air-gapped Environments
|
|
|
|
To bootstrap Flux on air-gapped environments without access to github.com and ghcr.io, first you'll need
|
|
to download the `flux` binary, and the container images from a computer with access to internet.
|
|
|
|
List all container images:
|
|
|
|
```console
|
|
$ flux install --export | grep ghcr.io
|
|
|
|
image: ghcr.io/fluxcd/helm-controller:v0.8.0
|
|
image: ghcr.io/fluxcd/kustomize-controller:v0.9.0
|
|
image: ghcr.io/fluxcd/notification-controller:v0.9.0
|
|
image: ghcr.io/fluxcd/source-controller:v0.9.0
|
|
```
|
|
|
|
Pull the images locally and push them to your container registry:
|
|
|
|
```sh
|
|
docker pull ghcr.io/fluxcd/source-controller:v0.9.0
|
|
docker tag ghcr.io/fluxcd/source-controller:v0.9.0 registry.internal/fluxcd/source-controller:v0.9.0
|
|
docker push registry.internal/fluxcd/source-controller:v0.9.0
|
|
```
|
|
|
|
Copy `flux` binary to a computer with access to your air-gapped cluster,
|
|
and create the pull secret in the `flux-system` namespace:
|
|
|
|
```sh
|
|
kubectl create ns flux-system
|
|
|
|
kubectl -n flux-system create secret generic regcred \
|
|
--from-file=.dockerconfigjson=/.docker/config.json \
|
|
--type=kubernetes.io/dockerconfigjson
|
|
```
|
|
|
|
Finally, bootstrap Flux using the images from your private registry:
|
|
|
|
```sh
|
|
flux bootstrap <GIT-PROVIDER> \
|
|
--registry=registry.internal/fluxcd \
|
|
--image-pull-secret=regcred \
|
|
--hostname=my-git-server.internal
|
|
```
|
|
|
|
Note that when running `flux bootstrap` without specifying a `--version`,
|
|
the CLI will use the manifests embedded in its binary instead of downloading
|
|
them from GitHub. You can determine which version you'll be installing,
|
|
with `flux --version`.
|
|
|
|
## Bootstrap with Terraform
|
|
|
|
The bootstrap procedure can be implemented with Terraform using the Flux provider published on
|
|
[registry.terraform.io](https://registry.terraform.io/providers/fluxcd/flux).
|
|
|
|
The provider consists of two data sources (`flux_install` and `flux_sync`) for generating the
|
|
Kubernetes manifests that can be used to install or upgrade Flux:
|
|
|
|
```hcl
|
|
data "flux_install" "main" {
|
|
target_path = "clusters/my-cluster"
|
|
network_policy = false
|
|
version = "latest"
|
|
}
|
|
|
|
data "flux_sync" "main" {
|
|
target_path = "clusters/my-cluster"
|
|
url = "https://github.com/${var.github_owner}/${var.repository_name}"
|
|
branch = "main"
|
|
}
|
|
```
|
|
|
|
For more details on how to use the Terraform provider
|
|
please see [fluxcd/terraform-provider-flux](https://github.com/fluxcd/terraform-provider-flux).
|
|
|
|
## Customize Flux manifests
|
|
|
|
You can customize the Flux components in the Git repository where you've run bootstrap with Kustomize patches.
|
|
|
|
First clone the repository locally and generate a `kustomization.yaml` file with:
|
|
|
|
```sh
|
|
cd ./clusters/production && kustomize create --autodetect
|
|
```
|
|
|
|
Assuming you want to add custom annotations and labels to the Flux controllers in `clusters/production`.
|
|
Create a Kustomize patch and set the metadata for source-controller and kustomize-controller pods:
|
|
|
|
```yaml
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: source-controller
|
|
namespace: flux-system
|
|
spec:
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
custom: annotation
|
|
labels:
|
|
custom: label
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: kustomize-controller
|
|
namespace: flux-system
|
|
spec:
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
custom: annotation
|
|
labels:
|
|
custom: label
|
|
```
|
|
|
|
Save the above file as `flux-system-patch.yaml` inside the `clusters/production` dir.
|
|
|
|
Edit `clusters/production/kustomization.yaml` and add the patch:
|
|
|
|
```yaml
|
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
kind: Kustomization
|
|
resources:
|
|
- flux-system
|
|
patchesStrategicMerge:
|
|
- flux-system-patch.yaml
|
|
```
|
|
|
|
Push the changes to main branch:
|
|
|
|
```sh
|
|
git add -A && git commit -m "add production metadata" && git push
|
|
```
|
|
|
|
Flux will detect the change and will update itself on the production cluster.
|
|
|
|
## Dev install
|
|
|
|
For testing purposes you can install Flux without storing its manifests in a Git repository:
|
|
|
|
```sh
|
|
flux install
|
|
```
|
|
|
|
Or using kubectl:
|
|
|
|
```sh
|
|
kubectl apply -f https://github.com/fluxcd/flux2/releases/latest/download/install.yaml
|
|
```
|
|
|
|
Then you can register Git repositories and reconcile them on your cluster:
|
|
|
|
```sh
|
|
flux create source git podinfo \
|
|
--url=https://github.com/stefanprodan/podinfo \
|
|
--tag-semver=">=4.0.0" \
|
|
--interval=1m
|
|
|
|
flux create kustomization podinfo-default \
|
|
--source=podinfo \
|
|
--path="./kustomize" \
|
|
--prune=true \
|
|
--validation=client \
|
|
--interval=10m \
|
|
--health-check="Deployment/podinfo.default" \
|
|
--health-check-timeout=2m
|
|
```
|
|
|
|
You can register Helm repositories and create Helm releases:
|
|
|
|
```sh
|
|
flux create source helm bitnami \
|
|
--interval=1h \
|
|
--url=https://charts.bitnami.com/bitnami
|
|
|
|
flux create helmrelease nginx \
|
|
--interval=1h \
|
|
--release-name=nginx-ingress-controller \
|
|
--target-namespace=kube-system \
|
|
--source=HelmRepository/bitnami \
|
|
--chart=nginx-ingress-controller \
|
|
--chart-version="5.x.x"
|
|
```
|
|
|
|
## Upgrade
|
|
|
|
!!! note "Patch versions"
|
|
It is safe and advised to use the latest PATCH version when upgrading to a
|
|
new MINOR version.
|
|
|
|
Update Flux CLI to the latest release with `brew upgrade fluxcd/tap/flux` or by
|
|
downloading the binary from [GitHub](https://github.com/fluxcd/flux2/releases).
|
|
|
|
Verify that you are running the latest version with:
|
|
|
|
```sh
|
|
flux --version
|
|
```
|
|
|
|
### Bootstrap upgrade
|
|
|
|
If you've used the [bootstrap](#bootstrap) procedure to deploy Flux,
|
|
then rerun the bootstrap command for each cluster using the same arguments as before:
|
|
|
|
```sh
|
|
flux bootstrap github \
|
|
--owner=my-github-username \
|
|
--repository=my-repository \
|
|
--branch=main \
|
|
--path=clusters/my-cluster \
|
|
--personal
|
|
```
|
|
|
|
The above command will clone the repository, it will update the components manifest in
|
|
`<path>/flux-system/gotk-components.yaml` and it will push the changes to the remote branch.
|
|
|
|
Tell Flux to pull the manifests from Git and upgrade itself with:
|
|
|
|
```sh
|
|
flux reconcile source git flux-system
|
|
```
|
|
|
|
Verify that the controllers have been upgrade with:
|
|
|
|
```sh
|
|
flux check
|
|
```
|
|
|
|
!!! hint "Automated upgrades"
|
|
You can automate the components manifest update with GitHub Actions
|
|
and open a PR when there is a new Flux version available.
|
|
For more details please see [Flux GitHub Action docs](https://github.com/fluxcd/flux2/tree/main/action).
|
|
|
|
### Terraform upgrade
|
|
|
|
Update the Flux provider to the [latest release](https://github.com/fluxcd/terraform-provider-flux/releases)
|
|
and run `terraform apply`.
|
|
|
|
Tell Flux to upgrade itself in-cluster or wait for it to pull the latest commit from Git:
|
|
|
|
```sh
|
|
kubectl annotate --overwrite gitrepository/flux-system reconcile.fluxcd.io/requestedAt="$(date +%s)"
|
|
```
|
|
|
|
### In-cluster upgrade
|
|
|
|
If you've installed Flux directly on the cluster, then rerun the install command:
|
|
|
|
```sh
|
|
flux install
|
|
```
|
|
|
|
The above command will apply the new manifests on your cluster.
|
|
You can verify that the controllers have been upgraded to the latest version with `flux check`.
|
|
|
|
If you've installed Flux directly on the cluster with kubectl,
|
|
then rerun the command using the latest manifests from the `main` branch:
|
|
|
|
```sh
|
|
kustomize build https://github.com/fluxcd/flux2/manifests/install?ref=main | kubectl apply -f-
|
|
```
|
|
|
|
## Uninstall
|
|
|
|
You can uninstall Flux with:
|
|
|
|
```sh
|
|
flux uninstall --namespace=flux-system
|
|
```
|
|
|
|
The above command performs the following operations:
|
|
|
|
- deletes Flux components (deployments and services)
|
|
- deletes Flux network policies
|
|
- deletes Flux RBAC (service accounts, cluster roles and cluster role bindings)
|
|
- removes the Kubernetes finalizers from Flux custom resources
|
|
- deletes Flux custom resource definitions and custom resources
|
|
- deletes the namespace where Flux was installed
|
|
|
|
If you've installed Flux in a namespace that you wish to preserve, you
|
|
can skip the namespace deletion with:
|
|
|
|
```sh
|
|
flux uninstall --namespace=infra --keep-namespace
|
|
```
|
|
|
|
!!! hint
|
|
Note that the `uninstall` command will not remove any Kubernetes objects
|
|
or Helm releases that were reconciled on the cluster by Flux.
|