Article
How to manage Kubernetes secrets securely in Git
Learn how to use Sealed Secrets to manage your Kubernetes secrets in Git.
Learn how to use the GitOps methodology to simplify your Kubernetes deployments.
Kentaro Wakayama
July 10, 2020
GitOps is a Kubernetes application delivery methodology. It aims to simplify the deployment and operation of Kubernetes applications.
In this article we will use Flux, which can be installed as a Kubernetes operator.
The Flux operator keeps the cluster state and a repository in sync. Any configuration change made in the repository is automatically applied to the Kubernetes cluster.
In this guide we will set up Flux and deploy a demo application via the Git repository.
To get started, we need kubectl
connected to a Kubernetes cluster and a Git repository in Gitlab.
fluxctl
is a command line tool to interact with Flux. On macOS you can install fluxctl
with Homebrew.
brew install fluxctl
You can find installation instructions for other platforms here: https://docs.fluxcd.io/en/1.17.1/references/fluxctl.html
Let’s start by creating a namespace for the Flux operator.
kubectl create namespace flux
We use the fluxctl
tool to generate the Kubernetes manifest files for the Flux operator. You need to specify the repository url, Git user information. You also need to provide the paths to the folders where the Kubernetes manifests are kept and the namespace where the operator should be deployed.
fluxctl install
--git-url=git@gitlab.com:$tom-code/example-gitops-flux
--git-user=flux
--git-email=flux@tomcode.com
--git-path=namespaces,workloads
--namespace=flux > flux.yaml
Let’s apply the Flux operator using kubectl
.
kubectl apply -f flux.yaml
Verify the deployment by checking the status Kubernetes pods in the flux namespace. There should be the Flux operator as well as a Memchached instance, which is used by the operator to keep some internal state.
kubectl get pods -n flux
NAME READY STATUS RESTARTS AGE
flux-5dd6d54f5b-2gbws 1/1 Running 0 67s
memcached-5fd8f56fc5-qlpsc 1/1 Running 0 67s
Flux connects to the Git repository using an SSH key. It generates the key on initial startup. You can retrieve the public SSH key via the fluxctl
cli.
fluxctl identity --k8s-fwd-ns flux
Open Gitlab, navigate to your project, go to Settings -> Repository -> Deploy Keys
and add the SSH key retrieved from fluxctl. Make sure you check Write access allowed.
Use Git to clone the repository to your local machine and cd
into the directory.
git clone https://gitlab.com/tom-code/example-gitops-flux.git
cd example-flux-gitops
Let’s create two folders where our Kubernetes manifest file will be kept.
mkdir namespaces workloads
We start by adding a Kubernetes namespace resource. Copy the snippet below and save it as demo-ns.yaml
in the namespaces directory.
apiVersion: v1
kind: Namespace
metadata:
labels:
name: demo
name: demo
Next, we will add a demo nginx deployment. Copy the snippet below and save it as nginx-deploy.yaml
in the workloads directory.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: demo
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
Use Git to add the new files to the repository. Afterwards commit and push the changes to the Gitlab repository.
git add namespaces workloads
git commit -m 'Add demo resources'
git push
Verify the deployment by checking the status Kubernetes pods in the demo namespace. There should be two nginx pods running.
kubectl get pods -n demo
NAME READY STATUS RESTARTS AGE
nginx-deployment-6b6bc59c57-fd2w5 1/1 Running 0 57s
nginx-deployment-6b6bc59c57-vh8bh 1/1 Running 0 52s
We deployed Flux and configured it to work with a Gitlab repository. Changes to the Git repository are deployed to the cluster automatically.
As you can see, there is no external client which needs access to the Kubernetes cluster which makes the process very secure and makes it perfect for deployments in highly regulated environments such as in the insurance and fintech industries.
Having a central repository to manage the Kubernetes manifest files makes the deployment easier to operate and removes complexity which comes with Kubernetes from the repository and pipelines of the services.
Contact: Kentaro Wakayama
Email: info@tomcode.com
Tel: +49 711 838 823 38