Flux

This section explains the details of the relevant Flux resource configurations. Only the content of the required manifests is shown. You can pass them to the RAIL cluster either by committing them as files in your GitOps repository or by applying them directly with kubectl apply -f filename.yaml.

Flux Kustomizations

Flux Kustomizations are resource objects placed in the top-level team namespace to manage resources in a sub-namespace.

The sub-namespace itself must first be created by setting up the SubnamespaceAnchor object:

apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
  name: adm-it-xxx-subname

It is good practice to prefix the name of the sub-namespace with the name of the team namespace. Kubernetes itself does not enforce this, as namespace names on that level are only required to be unique.

After we have a namespace we can enable GitOps for it by creating the Kustomization configuration that connects the namespace with a location in the team’s GitOps repo. This object looks like this:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: adm-it-xxx-subname
spec:
  sourceRef:
    kind: GitRepository
    name: adm-it-xxx
  path: clustername/subname
  targetNamespace: adm-it-xxx-subname
  prune: true
  wait: true
  interval: 30m0s
  retryInterval: 2m0s
  timeout: 3m0s
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg

Details on the meaning of each of these settings can be found at fluxcd.io.

Flux ImageRepository

You can set up automatic updates of the image tag referenced in a GitOps repository whenever a new release of your container image becomes available. To do this with Flux you need to create three resource configurations of the types ImageRepository, ImagePolicy and ImageUpdateAutomation. Each is responsible for its own small task. We suggest you name all three after the app.

The first one is the ImageRepository. It causes Flux to repeatedly fetch the list of the most recent tags available from the given container registry/image path. You can inspect the list of tags found by running kubectl get imagerepository app-name -o yaml.

apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: app-name
spec:
  image: itgit.app.uib.no:4567/it/xx/xxx/app-repo/app-image
  interval: 1m3s
  provider: generic
  secretRef:
    name: pull-secret

Note that GitLab’s container registry implementation, which is the one we use, does not implement listing of container tags correctly. Instead of listing them by most recent date it lists them in reverse ASCII order. This matters if you have many tags: the tag you expect might then not show up in the list presented to Flux at all. Pruning old tags on the GitLab side might be a cure.

Flux ImagePolicy

The next configuration to set up is the ImagePolicy. Its task is to determine which of the tags listed in the referenced ImageRepository to select. You can inspect what it came up with by running kubectl get imagepolicy app-name -o yaml.

apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: app-name
spec:
  imageRepositoryRef:
    name: app-name
  filterTags:
    pattern: '^prod-\d{4}-\d{2}-\d{2}'
  policy:
    alphabetical:
      order: asc

This kind of spec is useful when tags can be ordered as ISO dates. The example selects the most recent tag that matches the prod-YYYY-MM-DD pattern.

An alternative policy is something like semver: { range: 1.0.x }. This can be used if the image tags are traditional version numbers.
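To see why the filter pattern and the ordering policy matter, here is an added Python model of the tag selection (not Flux's own code, which is written in Go): filterTags.pattern is applied to every tag, the survivors are ordered as plain strings and the alphabetical policy picks the greatest (asc) or smallest (desc). The semver function models only ranges of the form MAJOR.MINOR.x, and the tag lists and the truncated reverse-ASCII listing are constructed samples standing in for what a registry would return.

```python
import re

# Constructed sample tag list, standing in for what an ImageRepository would
# scan from the registry. Not a real registry listing.
SAMPLE_TAGS = [
    "prod-2024-02-28",
    "prod-2024-03-02",
    "prod-2024-03-02-hotfix",
    "dev-2024-03-05",
    "latest",
    "sha-0b7e4d2",
    "sha-9f2a1c3",
]

# Constructed sample for the semver alternative.
SEMVER_TAGS = ["1.0.9", "1.0.10", "1.1.0", "2.0.0", "latest"]


def select_alphabetical(tags, pattern, order="asc"):
    """Model of filterTags.pattern + policy.alphabetical.

    The regex is applied like Go's MatchString (anywhere in the tag unless
    anchored), the survivors are sorted as plain strings, and 'asc' picks the
    last one (the greatest), 'desc' the first.
    """
    rx = re.compile(pattern)
    candidates = sorted(t for t in tags if rx.search(t))
    if not candidates:
        return None
    return candidates[-1] if order == "asc" else candidates[0]


def select_semver(tags, range_spec):
    """Model of policy.semver for ranges of the form 'MAJOR.MINOR.x' only.

    Versions are compared numerically, so 1.0.10 beats 1.0.9; an alphabetical
    policy on the same tags would pick 1.0.9 instead.
    """
    major, minor, wildcard = range_spec.split(".")
    if wildcard != "x":
        raise ValueError("only MAJOR.MINOR.x ranges are modelled here")
    best = None
    for tag in tags:
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", tag)
        if not m:
            continue
        version = tuple(int(p) for p in m.groups())
        if version[:2] != (int(major), int(minor)):
            continue
        if best is None or version > best:
            best = version
    return ".".join(str(p) for p in best) if best else None


def reverse_ascii_listing(tags, limit):
    """Model of the GitLab behaviour described above: tags come back in
    reverse ASCII order and only the first `limit` entries are seen."""
    return sorted(tags, reverse=True)[:limit]


if __name__ == "__main__":
    loose = r"^prod-\d{4}-\d{2}-\d{2}"    # the pattern from the manifest above
    strict = r"^prod-\d{4}-\d{2}-\d{2}$"  # same pattern, end-anchored
    print("loose :", select_alphabetical(SAMPLE_TAGS, loose))
    print("strict:", select_alphabetical(SAMPLE_TAGS, strict))
    print("semver 1.0.x      :", select_semver(SEMVER_TAGS, "1.0.x"))
    print("alphabetical 1.0.*:", select_alphabetical(SEMVER_TAGS, r"^1\.0\.\d+$"))
    short = reverse_ascii_listing(SAMPLE_TAGS, 2)
    print("short listing:", short, "->", select_alphabetical(short, strict))
```

Two things fall out of running it. The pattern from the manifest is not end-anchored, so a tag such as prod-2024-03-02-hotfix also matches and, sorting after the plain date, gets promoted; adding a trailing $ keeps the policy to exactly the tags you intend to deploy. And once sha-* tags outnumber the window a registry returns in reverse ASCII order, no prod-* tag is visible at all and the policy selects nothing, which is the failure mode the GitLab note above describes.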

Flux ImageUpdateAutomation

The last configuration to set up is the ImageUpdateAutomation. Its task is to listen for new tags selected by the referenced ImagePolicy, then check out the GitOps repository, look for occurrences of this image reference in files under the spec.update.path directory, edit them and commit the change. It only considers lines that are annotated with this comment:

image: ... # {"$imagepolicy": "adm-it-xxx-subname:app-name"}

Replace the two colon-separated values in the comment above with your sub-namespace name and the name you used for your ImagePolicy object. You can further suffix the value with :tag or :name if you want only the bare tag name, or only the image name without tag, replaced.

apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: app-name
spec:
  git:
    checkout:
      ref:
        branch: main
    push:
      branch: main
    commit:
      author:
        name: fluxcdbot
        email: fluxcdbot@noreply.uib.no
      messageTemplate: '{{ .AutomationObject }}: {{range .Changed.Changes}}{{print .OldValue}} -> {{println .NewValue}}{{end}}'
  interval: 1m0s
  sourceRef:
    kind: GitRepository
    name: adm-it-xxx
    namespace: adm-it-xxx
  update:
    strategy: Setters
    path: base/app-name
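How the Setters strategy rewrites the marked lines, as an added Python model (not Flux's own code): each line ending in a # {"$imagepolicy": ...} comment is parsed, the referenced ImagePolicy's current image is looked up, and the :tag and :name suffixes select which part of the reference is written back. Lines with no marker, with a marker naming a policy the automation does not know, or with an unsupported suffix are left untouched. The commit message is rendered the way the messageTemplate above would. The policy result, the manifest fragments and the image references are constructed samples.

```python
import json
import re

# Constructed sample: the image each ImagePolicy currently points at,
# keyed "namespace:policy-name" the way the marker refers to it.
POLICY_RESULTS = {
    "adm-it-xxx-subname:app-name":
        "itgit.app.uib.no:4567/it/xx/xxx/app-repo/app-image:prod-2024-03-02",
}

# Constructed sample manifest as it might sit under spec.update.path.
# Only the first container carries the marker; the sidecar must stay untouched.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: app
          image: itgit.app.uib.no:4567/it/xx/xxx/app-repo/app-image:prod-2024-02-28 # {"$imagepolicy": "adm-it-xxx-subname:app-name"}
        - name: sidecar
          image: itgit.app.uib.no:4567/it/xx/xxx/app-repo/app-image:prod-2024-02-28
"""

# Constructed sample showing the :name and :tag suffixes on separate keys.
SAMPLE_VALUES = """\
image:
  repository: itgit.app.uib.no:4567/it/xx/xxx/app-repo/app-image # {"$imagepolicy": "adm-it-xxx-subname:app-name:name"}
  tag: prod-2024-02-28 # {"$imagepolicy": "adm-it-xxx-subname:app-name:tag"}
"""

# key: value # {...}   (the value may contain ':' and '/', but never '#')
MARKER_RE = re.compile(
    r"^(?P<indent>\s*)(?P<key>[^:#]+):\s*(?P<value>[^#]*?)\s*#\s*(?P<marker>\{.*\})\s*$"
)


def split_ref(ref):
    """Split 'registry:port/path/name:tag' into (name, tag); tag is None if absent."""
    head, _, last = ref.rpartition("/")
    if ":" in last:
        name, tag = last.split(":", 1)
        return (f"{head}/{name}" if head else name), tag
    return ref, None


def apply_setters(manifest, policy_results):
    """Rewrite every marked line to the referenced policy's current value.

    Returns (new_manifest, changes); changes is the list of (old, new) pairs
    that the commit messageTemplate iterates over.
    """
    out, changes = [], []
    for line in manifest.splitlines():
        m = MARKER_RE.match(line)
        if not m:
            out.append(line)
            continue
        try:
            marker = json.loads(m.group("marker"))
        except json.JSONDecodeError:
            out.append(line)  # trailing comment is not a setter marker
            continue
        parts = marker.get("$imagepolicy", "").split(":")
        if len(parts) not in (2, 3):
            out.append(line)  # malformed "namespace:name[:field]" reference
            continue
        policy = ":".join(parts[:2])
        field = parts[2] if len(parts) == 3 else None
        current = policy_results.get(policy)
        if current is None:
            out.append(line)  # unknown policy: never guess a value
            continue
        name, tag = split_ref(current)
        if field is None:
            new_value = current          # whole image:tag reference
        elif field == "tag" and tag is not None:
            new_value = tag              # bare tag only
        elif field == "name":
            new_value = name             # image name without tag
        else:
            out.append(line)  # unsupported suffix (or no tag to extract)
            continue
        old_value = m.group("value")
        if old_value != new_value:
            changes.append((old_value, new_value))
        out.append(f"{m.group('indent')}{m.group('key')}: {new_value} # {m.group('marker')}")
    return "\n".join(out) + "\n", changes


def commit_message(automation_object, changes):
    """Render the messageTemplate from the manifest above:
    '{{ .AutomationObject }}: {{range .Changed.Changes}}{{print .OldValue}} -> {{println .NewValue}}{{end}}'
    """
    body = "".join(f"{old} -> {new}\n" for old, new in changes)
    return f"{automation_object}: {body}"
```

Running apply_setters over SAMPLE_MANIFEST changes only the marked container and leaves the unmarked sidecar on the old tag, which is exactly why the marker has to be present on every line you want automated. Over SAMPLE_VALUES the :name line is already current and produces no change, while the :tag line is bumped to the new tag; only real changes end up in the commit message.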