GitOps Kubernetes Cluster for Customer. Infrastructure as Code (IaC) with Flux2.
Kubernetes configuration best practices
Use only the following characters in names:
- lower-case characters
- hyphen
Pattern: [a-z-]+
The pre-commit framework needs to be initialised once in your clone so that the hooks run before every commit:
task pre-commit:init
All changes require a PR and review. Create a new branch whose name references a Jira ticket, e.g.
git switch -c feature/INPRO-1-configure-resource
Secrets in this repository are encrypted with SOPS, and the cluster is set up to decrypt them.
To decrypt secrets locally you need the Google Cloud IAM role that grants decrypt access on the KMS key (roles/cloudkms.cryptoKeyDecrypter or a broader role) assigned to your account.
Extensions such as @signageos/vscode-sops for VS Code let the IDE decrypt a secret transparently when you open it and re-encrypt it on save. Never commit decrypted output.
sops test.devs.sops.yaml
This opens the decrypted file in your editor and re-encrypts it on save. No further parameters are needed because the path_regex configured in .sops.yaml matches the file name and selects the key.
For a new file, put # yamllint disable on the first line and keep that comment unencrypted (SOPS encrypts YAML comments too unless the rule in .sops.yaml exempts them), then encrypt in place:
sops -e -i test.devs.sops.yaml
After changing the encryption key(s) in .sops.yaml (this includes new versions of an existing key), run the following for each encrypted file; it re-wraps the file's data key with the current keys without touching the encrypted content:
sops updatekeys test.devs.sops.yaml
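As an added example (not code from this repository or its Taskfile), the following POSIX shell script implements the checks that the pre-commit hooks described above should enforce before a secret can reach the remote: the [a-z-]+ naming rule, and that every *.sops.yaml file is actually encrypted, keeps the # yamllint disable marker in clear, and contains no plaintext value (a file that was never encrypted, or was hand-edited after encryption, is rejected). It assumes the Kubernetes Secret layout with values under data:/stringData:, which is the encrypted_regex the Flux SOPS documentation recommends, and constructs its own sample files; the ciphertexts in them are dummies, not real SOPS output.

```shell
#!/usr/bin/env sh
# Added example for this README, not part of the repository or its tooling.
# Assumptions: secret files end in .sops.yaml, their first line is the yamllint
# marker, and the encrypted values sit under data:/stringData: (the
# encrypted_regex recommended in the Flux SOPS docs for Kubernetes Secrets).
set -eu

# Naming convention from this README: lower-case characters and hyphens only.
valid_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z-]+$'
}

# A committed *.sops.yaml must (1) start with the unencrypted yamllint marker,
# (2) carry the sops metadata block with its MAC, and (3) hold only ENC[...]
# ciphertexts under data:/stringData:. Anything else is plaintext and fails.
check_sops_file() {
  f="$1"
  [ "$(head -n 1 "$f")" = "# yamllint disable" ] || return 1
  grep -Eq '^ +mac: ENC\[' "$f" || return 1
  awk '
    /^sops:/               { insec = 0; next }   # sops metadata block: skip
    /^(data|stringData):/  { insec = 1; next }   # secret payload starts here
    /^[^ ]/                { insec = 0 }         # any other top-level key
    insec && /^ +[^ #][^:]*: *[^ ]/ {
      val = $0; sub(/^[^:]*: */, "", val)
      if (val !~ /^ENC\[/) bad = 1              # plaintext value found
    }
    END { exit (bad ? 1 : 0) }
  ' "$f"
}

# Run the check over every staged *.sops.yaml, as a pre-commit hook would
# (file names with whitespace are not expected in this repository).
check_staged() {
  rc=0
  for f in $(git diff --cached --name-only --diff-filter=AM -- '*.sops.yaml'); do
    check_sops_file "$f" || { echo "plaintext or malformed secret: $f" >&2; rc=1; }
  done
  return $rc
}

# Constructed sample files (ciphertexts are dummies, not real sops output).
make_samples() {
  dir="$1"
  cat > "$dir/good.sops.yaml" <<'EOF'
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: devs
stringData:
  username: ENC[AES256_GCM,data:dXNlcg==,iv:AAAA,tag:BBBB,type:str]
  password: ENC[AES256_GCM,data:cGFzcw==,iv:AAAA,tag:BBBB,type:str]
sops:
  gcp_kms:
    - resource_id: projects/example/locations/europe-west3/keyRings/sops/cryptoKeys/flux
      created_at: "2024-01-01T00:00:00Z"
      enc: CiQAexample
  mac: ENC[AES256_GCM,data:bWFj,iv:AAAA,tag:BBBB,type:str]
  version: 3.8.1
EOF
  # Same file after someone pasted a plaintext value into the encrypted file.
  cat > "$dir/tampered.sops.yaml" <<'EOF'
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: devs
stringData:
  username: ENC[AES256_GCM,data:dXNlcg==,iv:AAAA,tag:BBBB,type:str]
  password: hunter2
sops:
  gcp_kms:
    - resource_id: projects/example/locations/europe-west3/keyRings/sops/cryptoKeys/flux
      created_at: "2024-01-01T00:00:00Z"
      enc: CiQAexample
  mac: ENC[AES256_GCM,data:bWFj,iv:AAAA,tag:BBBB,type:str]
  version: 3.8.1
EOF
  # Never encrypted at all: no sops metadata, plaintext payload.
  cat > "$dir/plain.sops.yaml" <<'EOF'
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
stringData:
  password: hunter2
EOF
}

# Demo: good is accepted, tampered and plain are rejected.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in good tampered plain; do
  if check_sops_file "$tmp/$f.sops.yaml"; then echo "$f: ok"; else echo "$f: REJECT"; fi
done
for n in customer-api Customer_API; do
  if valid_name "$n"; then echo "$n: valid"; else echo "$n: invalid"; fi
done
rm -r "$tmp"
```

Wire check_staged into the pre-commit configuration as a local hook; the awk pass is deliberately strict so that a value that is not an ENC[...] ciphertext, including a multi-line block scalar, is treated as plaintext.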
To keep the Kubernetes resources in sync with the source repository, Flux is in place.
Whenever there is a push to mainline, Flux reconciles the cluster with the desired state defined in the repository, so every merge must have gone through the full QA cycle first.
Flux reconciles the cluster resources and has a deploy key added to the repository so it can read and update the repository contents.
Additionally, a Google service account is bound via Workload Identity to the kustomize-controller Kubernetes service account so that Flux can use the Google KMS key for decryption (the key material never leaves KMS; KMS only unwraps each file's SOPS data key). This is what lets Flux decrypt secrets with SOPS. Grant that account decrypt permission only, since the controller never needs to encrypt. For details on how this works, check the Flux SOPS documentation.