- IaC (Infrastructure as Code): all state is version-controlled in git.
- Every change is atomic and transactional.
- Fix production problems by opening a pull request, not by operating on the cluster directly.
 
- No more kubectl.
- No need to hand cluster credentials to CI.
- A new image is deployed automatically.
- Watches the Docker registry.
 
 
Typical push pipeline with read/write permission outside of the cluster.
 
Pull pipeline: credentials are kept inside the cluster.
 
Start
https://github.com/weaveworks/flux/blob/master/site/get-started.md
| git clone https://github.com/weaveworks/flux | 
Edit deploy/flux-deployment.yaml (see More Config) and point it at your own repo:
| # Replace or remove the following URL. | 
| kubectl apply -f deploy | 
 
If you want to use helm in the config repo, apply this instead:
| kubectl apply -f deploy-helm | 
 
Personally I no longer use helm; I switched to Kustomize.
https://github.com/weaveworks/flux-kustomize-example
Check flux logs
| kubectl -n default logs deployment/flux -f | 
It shows this error if you did not check Allow write access on the deploy key:
| ts=2019-06-14T09:08:15.453604961Z caller=loop.go:85 component=sync-loop err="git repo not ready: attempt to push tag: fatal: Could not read from remote repository., full output:\n ERROR: The key you are authenticating with has been marked as read only.\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n" | 
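The line above is logfmt output from the Flux sync loop, and a read-only deploy key is the kind of failure worth alerting on rather than discovering by tailing logs. The following is an added example (not Flux code and not from the original notes): a small parser for logfmt lines and a classifier that maps known error text to a short reason. The classification names, the second sample line and the assumption that Flux uses the `err=` key for failures are this example's own.

```python
"""Parse Flux sync-loop log lines and classify known failures.

Added example, not part of Flux: the log format is logfmt-style key=value
pairs, as in the line quoted above. Classification strings are this example's
own names, not Flux error codes.
"""
import re

# Constructed sample input. The first line is the read-only deploy key error
# shown in the notes; the second is a healthy-looking line in the same shape.
SAMPLE_LOG = r'''ts=2019-06-14T09:08:15.453604961Z caller=loop.go:85 component=sync-loop err="git repo not ready: attempt to push tag: fatal: Could not read from remote repository., full output:\n ERROR: The key you are authenticating with has been marked as read only.\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n"
ts=2019-06-14T09:13:15.000000000Z caller=loop.go:85 component=sync-loop tag=flux-sync revision=0123abcd applied=2'''

# key=value, where value is either a double-quoted string with backslash
# escapes or a run of non-whitespace characters (possibly empty).
_PAIR = re.compile(r'([A-Za-z_][\w.\-/]*)=("(?:[^"\\]|\\.)*"|\S*)')

# Substrings of err= that identify a known condition; first match wins, so the
# more specific read-only message is listed before the generic git failure.
KNOWN_FAILURES = [
    ("has been marked as read only", "deploy-key-read-only"),
    ("Could not read from remote repository", "git-unreachable"),
]


def _unquote(value: str) -> str:
    """Strip surrounding quotes and resolve backslash escapes (n, t, quote, backslash)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        body = value[1:-1]
        return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), body)
    return value


def parse_logfmt(line: str) -> dict:
    """Return the key=value pairs of one logfmt line as a dict."""
    return {k: _unquote(v) for k, v in _PAIR.findall(line)}


def classify(fields: dict) -> str:
    """Map a parsed line to 'ok', a known failure name, or 'unknown-error'."""
    err = fields.get("err")
    if err is None:
        return "ok"
    for needle, reason in KNOWN_FAILURES:
        if needle in err:
            return reason
    return "unknown-error"


def scan(log_text: str) -> list:
    """Classify every non-empty line; returns (timestamp, component, reason) tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_logfmt(line)
        results.append((fields.get("ts", "?"), fields.get("component", "?"), classify(fields)))
    return results


if __name__ == "__main__":
    for ts, component, reason in scan(SAMPLE_LOG):
        print(f"{ts} {component}: {reason}")
```

Feed it `kubectl -n default logs deployment/flux` output; a `deploy-key-read-only` result means the repo's deploy key exists but was added without write access, which is the fix the note above points at.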
Setup GitOps Config Repo
Fork Repo: https://github.com/weaveworks/flux-get-started
| brew install fluxctl | 
 
Repo -> Settings -> Deploy Keys
- Add deploy key
- Allow write access
 
Annotations
| flux.weave.works/automated: "true" | 
Doc:
Behavior
- Default sync interval (pulling the Git config repo): 5m
- https://github.com/weaveworks/flux/blob/master/site/faq.md#how-often-does-flux-check-for-new-git-commits-and-can-i-make-it-sync-faster
- --git-poll-interval, which controls how often it looks for new commits
- --sync-interval, which controls how often it will apply what's in git to the cluster, absent new commits.
 
- Manually deploying a resource that is already managed by flux (flux.weave.works/automated: "true"), e.g. kubectl apply -f workloads:
- it gets synced back to what is in git.
 
- Disable registry scanning
Garbage Collection
https://github.com/weaveworks/flux/blob/master/site/garbagecollection.md
- --sync-garbage-collection=true
- Only deletes resources created by Flux.
- If a resource was added to flux (flux.weave.works/automated: "true") and is then removed from the repo, it gets deleted.
 
- Changing the source (git repo URL, branch, and paths) relabels the resources.
- If the git manifest differs, the resource is treated as not created by Flux.
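The garbage-collection rules above are easy to get wrong in practice (a resource applied by hand survives, a resource dropped from git together with a source change survives too). The following is an added example, not Flux code, that simulates those rules on a toy in-memory cluster: each applied resource is stamped with a mark derived from the sync source, and GC only deletes resources carrying the current mark that are absent from git. The label name `fluxcd.io/sync-gc-mark` and the hash used to build the mark are assumptions for illustration; the notes do not describe Flux's exact construction.

```python
"""Simulate Flux's sync garbage collection on a toy in-memory cluster.

Added example, not Flux code. It models the behaviour described in the notes:
every resource Flux applies is labelled with a mark derived from the sync
source (git URL, branch, paths); on sync, resources carrying the current mark
that are no longer in git are deleted; anything without that mark is left
alone, and changing the source changes the mark. The label name and the hash
used to build the mark are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass, field

GC_LABEL = "fluxcd.io/sync-gc-mark"  # assumed label name


@dataclass
class Resource:
    kind: str
    namespace: str
    name: str
    labels: dict = field(default_factory=dict)

    def id(self) -> str:
        return f"{self.namespace}:{self.kind}/{self.name}"


def sync_mark(git_url: str, branch: str, paths: list) -> str:
    """Derive the GC mark from the sync source (assumed construction)."""
    h = hashlib.sha256()
    for part in [git_url, branch, *paths]:
        h.update(part.encode())
        h.update(b"\0")
    return "sha256." + h.hexdigest()[:16]


def sync(cluster: dict, git_manifests: list, mark: str, gc: bool = True):
    """One sync loop iteration.

    Applies every manifest from git (creating or updating it and stamping the
    current mark), then, if gc is enabled, deletes cluster resources that carry
    this mark but are absent from git. Returns (new_cluster, deleted_ids).
    """
    desired = {}
    for r in git_manifests:
        stamped = Resource(r.kind, r.namespace, r.name, {**r.labels, GC_LABEL: mark})
        desired[stamped.id()] = stamped
    new_cluster = dict(cluster)
    new_cluster.update(desired)  # kubectl apply equivalent; relabels with the current mark
    deleted = []
    if gc:
        for rid, r in list(new_cluster.items()):
            if rid not in desired and r.labels.get(GC_LABEL) == mark:
                deleted.append(rid)
                del new_cluster[rid]
    return new_cluster, sorted(deleted)


def run_scenario() -> dict:
    """Walk through the three cases from the notes; returns the observations."""
    mark_a = sync_mark("git@github.com:example/flux-get-started.git", "master", ["workloads"])
    podinfo_deploy = Resource("Deployment", "demo", "podinfo")
    podinfo_svc = Resource("Service", "demo", "podinfo")
    old_cm = Resource("ConfigMap", "demo", "old")

    # 1. First sync creates everything from git; nothing to collect.
    cluster, deleted_first = sync({}, [podinfo_deploy, podinfo_svc, old_cm], mark_a)

    # Someone runs kubectl apply by hand: no mark, so Flux never owns it.
    hand_made = Resource("Deployment", "demo", "hand-made")
    cluster[hand_made.id()] = hand_made

    # 2. Service removed from git: it carries mark_a, so GC deletes it.
    cluster, deleted_after_removal = sync(cluster, [podinfo_deploy, old_cm], mark_a)

    # 3. Source changed (new branch) and the old ConfigMap dropped from git at
    #    the same time: its mark no longer matches, so it is NOT treated as
    #    Flux-created and survives; podinfo is relabelled with mark_b.
    mark_b = sync_mark("git@github.com:example/flux-get-started.git", "release", ["workloads"])
    cluster, deleted_after_source_change = sync(cluster, [podinfo_deploy], mark_b)

    return {
        "deleted_first": deleted_first,
        "deleted_after_removal": deleted_after_removal,
        "deleted_after_source_change": deleted_after_source_change,
        "hand_made_survives": hand_made.id() in cluster,
        "old_cm_mark": cluster[old_cm.id()].labels.get(GC_LABEL),
        "podinfo_mark": cluster[podinfo_deploy.id()].labels.get(GC_LABEL),
        "mark_a": mark_a,
        "mark_b": mark_b,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The third case is the one to remember when migrating branches or paths: resources you expect to disappear will stay behind until they have been synced once under the new source and then removed.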
 
How much permission does Flux need?
https://github.com/weaveworks/flux/blob/master/deploy/flux-account.yaml
| apiVersion: rbac.authorization.k8s.io/v1beta1 | 
Basically it is cluster-admin.
https://github.com/kubernetes/kubernetes/blob/218a2b078b7289b4ba31664cbfceb917999d01af/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go#L188-L197
| ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"}, | 
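Because the stock flux-account.yaml grants wildcards on everything, the service account is worth auditing before it goes into a shared cluster. The following is an added example, not from the Flux project: a checker that takes RBAC rules as plain dicts (same keys as the YAML: apiGroups, resources, verbs, nonResourceURLs) and reports whether a role is cluster-admin in all but name, plus a few other patterns worth a second look. `FLUX_ACCOUNT_RULES` is constructed from the notes' description of that file (wildcards everywhere), and `SCOPED_RULES` is a constructed narrower role for comparison, not a tested replacement.

```python
"""Flag RBAC rules that make a ClusterRole equivalent to cluster-admin.

Added example, not from the Flux project. Rules are plain dicts with the same
keys as the RBAC YAML (apiGroups, resources, verbs, nonResourceURLs), so it runs
without a YAML library or a cluster. FLUX_ACCOUNT_RULES is constructed from the
notes' description of deploy/flux-account.yaml (wildcards everywhere); the
scoped role is a constructed comparison, not a tested replacement.
"""

WILDCARD = "*"
# Verbs that let a subject grant itself more than it has (assumed list for the check).
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}

# Constructed: the shape the notes describe for deploy/flux-account.yaml.
FLUX_ACCOUNT_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]

# Constructed: a narrower role limited to the kinds a GitOps agent typically manages.
SCOPED_RULES = [
    {"apiGroups": ["", "apps"],
     "resources": ["deployments", "services", "configmaps"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
]


def rule_is_full_wildcard(rule: dict) -> bool:
    """True when a rule allows every verb on every resource of every API group."""
    return (WILDCARD in rule.get("apiGroups", []) and
            WILDCARD in rule.get("resources", []) and
            WILDCARD in rule.get("verbs", []))


def grants_cluster_admin(rules: list) -> bool:
    """A ClusterRole containing a full wildcard rule is cluster-admin in all but name."""
    return any(rule_is_full_wildcard(r) for r in rules)


def risky_rules(rules: list) -> list:
    """Return (rule_index, reason) pairs for rules worth a second look."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if rule_is_full_wildcard(rule):
            findings.append((i, "full wildcard: every verb on every resource"))
            continue
        if WILDCARD in verbs:
            findings.append((i, "wildcard verbs"))
        if WILDCARD in resources:
            findings.append((i, "wildcard resources (includes secrets)"))
        if verbs & ESCALATION_VERBS:
            findings.append((i, "privilege-escalation verbs: " + ", ".join(sorted(verbs & ESCALATION_VERBS))))
        if "secrets" in resources and verbs & {"get", "list", "watch", WILDCARD}:
            findings.append((i, "can read secrets"))
        if WILDCARD in rule.get("nonResourceURLs", []):
            findings.append((i, "wildcard non-resource URLs"))
    return findings


def report(name: str, rules: list) -> str:
    """Human-readable summary for one role."""
    lines = [f"{name}: cluster-admin equivalent = {grants_cluster_admin(rules)}"]
    for idx, reason in risky_rules(rules):
        lines.append(f"  rule[{idx}]: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("flux-account", FLUX_ACCOUNT_RULES))
    print(report("scoped-gitops", SCOPED_RULES))
```

To run it against a live cluster, dump the role with `kubectl get clusterrole <name> -o json`, load the `rules` array, and pass it to `risky_rules`; the dict keys match the API object, so no translation is needed.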
Blue Green Deploy
https://github.com/weaveworks/flagger
Common Commands
| fluxctl sync |