FluxCD
Here I install it with a connection to codeberg:
- the path is just the directory in the repo for this cluster
- the url is the repo where fluxcd (in the given path) installs itself and which it then monitors
- I only install the components I need (I skip the notification-controller, I prefer prometheus and alerting)
flux bootstrap git --components source-controller,kustomize-controller,helm-controller --path=<path> --url ssh://git@codeberg.org/wrenix/<repo>.git
Secure with verify
Afterwards we need to set up verification with GPG, so that nobody else can commit any workload into your cluster. That is because I selected a public git hosting (here codeberg); I trust them, but it might get compromised one day.
In your repository the flux cli has created <path>/flux-system/kustomization.yaml, which we will edit (lines marked with + are the additions):
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
+patches:
+  - target:
+      kind: GitRepository
+      name: flux-system
+    patch: |-
+      apiVersion: source.toolkit.fluxcd.io/v1
+      kind: GitRepository
+      metadata:
+        name: flux-system
+      spec:
+        verify: <1>
+          mode: HEAD
+          secretRef:
+            name: gpg-publickey
+
+generatorOptions:
+  disableNameSuffixHash: true <2>
+
+secretGenerator:
+  - name: gpg-publickey <3>
+    namespace: flux-system
+    files:
+      - gpg-publickey/wrenix.gpg <4>
<1> add verify, so that only a HEAD git commit with a valid gpg signature is used
<2> on the next generate, do not append a hash to the secret name
<3> generate a kubernetes Secret with the name gpg-publickey, which is referenced by the patched GitRepository, see <1>
<4> add the list of valid gpg public key files
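As an added example (not code from this post or from Flux), a small Python check that the patch above really landed in the live GitRepository object and that source-controller's SourceVerified condition is true, suitable for a cron job or CI step feeding your alerting. The JSON objects are constructed samples shaped like `kubectl get gitrepository flux-system -n flux-system -o json`; the reason and message strings are assumptions, not copied from Flux.

```python
# Added example (not from the original post or from Flux): check that the
# flux-system GitRepository really enforces commit signature verification.
# Input is the JSON from:
#   kubectl get gitrepository flux-system -n flux-system -o json
# The sample objects below are constructed; reason/message strings are
# assumptions shaped like source-controller output, not copied from Flux.
import json

def check_verify(obj: dict, expected_secret: str = "gpg-publickey") -> list:
    """Return a list of findings; an empty list means verification is
    configured as on this page and the current HEAD passed it."""
    findings = []
    verify = obj.get("spec", {}).get("verify")
    if not verify:
        # Without spec.verify any commit that reaches the repo is applied.
        findings.append("spec.verify missing: commit signatures are not checked")
        return findings
    if verify.get("mode") != "HEAD":
        findings.append(f"spec.verify.mode is {verify.get('mode')!r}, expected 'HEAD'")
    secret = verify.get("secretRef", {}).get("name")
    if secret != expected_secret:
        findings.append(f"secretRef.name is {secret!r}, expected {expected_secret!r}")
    conditions = {c["type"]: c for c in obj.get("status", {}).get("conditions", [])}
    sv = conditions.get("SourceVerified")
    if sv is None:
        findings.append("no SourceVerified condition: not reconciled with verification yet")
    elif sv.get("status") != "True":
        findings.append(f"SourceVerified=False ({sv.get('reason')}): {sv.get('message')}")
    return findings

# Constructed sample: the patched object after a signed commit was reconciled.
SAMPLE_OK = json.loads("""{
  "spec": {"verify": {"mode": "HEAD", "secretRef": {"name": "gpg-publickey"}}},
  "status": {"conditions": [
    {"type": "Ready", "status": "True", "reason": "Succeeded"},
    {"type": "SourceVerified", "status": "True", "reason": "Succeeded",
     "message": "verified signature of commit <placeholder-sha>"}]}}""")

# Constructed sample: same spec, but HEAD is an unsigned commit.
SAMPLE_UNSIGNED = json.loads("""{
  "spec": {"verify": {"mode": "HEAD", "secretRef": {"name": "gpg-publickey"}}},
  "status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "InvalidCommitSignature"},
    {"type": "SourceVerified", "status": "False", "reason": "InvalidCommitSignature",
     "message": "unable to verify commit: no signature found"}]}}""")

if __name__ == "__main__":
    for name, obj in (("ok", SAMPLE_OK), ("unsigned", SAMPLE_UNSIGNED)):
        print(name, check_verify(obj) or ["verification enforced and passing"])
```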