Sync your resources on Kubernetes with GitOps

How to synchronise your Secrets and ConfigMaps hosted on Git with your Kubernetes cluster using modern tools.

  • Apply it on the cluster.
  • Back it up somewhere safe (or use a tool like Velero).
  • Schedule this process with a cron job.
  • Save it on Git safely.
  • Wait for it to land in each namespace you want.
  • Something to encrypt your passwords: we could use SealedSecrets or Vault.
  • A Git repository (in this case we will use Git, but you can host it wherever you want).
  • A tool to sync your secrets across multiple namespaces: in this case we will use Kubed, which is perfect for our use case.

The installation / configuration process

First of all, you need Flux on your computer.

Install Flux:

$ brew install fluxcd/tap/flux
$ kind create cluster --name local-demo
$ export GITHUB_TOKEN=YOUR_TOKEN
# Then install flux on your local cluster:
$ flux bootstrap github \
--owner=YOUR_USERNAME \
--repository=flux-infra \
--path=clusters/my-cluster \
--personal

Create two namespaces:

# Create Kubed / Flux sync namespace:
$ kubectl create namespace flux-resources
$ kubectl label --overwrite namespace flux-resources app=kubed
# Create Apps namespace:
$ kubectl create namespace apps
$ kubectl label --overwrite namespace apps app=kubed

Install Kubed and SealedSecrets:

Then we install the two components we need: Kubed and SealedSecrets.

# The helm sources:
$ flux create source helm appscode \
--interval=1h \
--url=https://charts.appscode.com/stable/
$ flux create source helm sealed-secrets \
--interval=1h \
--url=https://bitnami-labs.github.io/sealed-secrets
# First helmrelease, sealed-secrets:
$ flux create helmrelease sealed-secrets \
--interval=1h \
--release-name=sealed-secrets \
--target-namespace=flux-system \
--source=HelmRepository/sealed-secrets \
--chart=sealed-secrets \
--chart-version="1.13.x"
# Create values file with kubed config.
# configSourceNamespace is the namespace created above that holds the
# source secrets Kubed will copy to every namespace labelled app=kubed:
$ cat << EOF > ./values-kubed.yaml
config:
  configSourceNamespace: flux-resources
EOF
# Then create kubed helmrelease:
$ flux create helmrelease kubed \
--interval=1h \
--release-name=kubed \
--target-namespace=flux-system \
--source=HelmRepository/appscode \
--chart=kubed \
--values=./values-kubed.yaml
# Fetch the controller's public certificate so secrets can be sealed offline:
$ kubeseal \
--controller-name=sealed-secrets \
--controller-namespace=flux-system \
--fetch-cert > ./sealed-secrets.pem

Create secrets

Now we want the secrets to be encrypted by SealedSecrets.

# Generate the secret manifest locally, in the Kubed source namespace, without applying it:
$ kubectl create secret docker-registry regcred \
--namespace=flux-resources \
--docker-server=<your-registry-server> \
--docker-username=<your-name> \
--docker-password=<your-password> \
--docker-email=<your-email> \
--dry-run=client \
-oyaml > ./regcred.yaml
# Add this annotation under metadata in regcred.yaml so Kubed copies the
# secret to every namespace labelled app=kubed:
annotations:
  kubed.appscode.com/sync: app=kubed
# Seal it with the certificate fetched earlier:
$ kubeseal --format=yaml --cert=sealed-secrets.pem \
< regcred.yaml > regcred-sealed.yaml
# Remove this good old secret:
$ rm regcred.yaml
$ kubectl apply -f ./regcred-sealed.yaml
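The last two steps matter most: the plaintext regcred.yaml is deleted so that only the SealedSecret is ever committed. As an added example (not part of the original post, nor of the Flux, Kubed or SealedSecrets projects), here is a small POSIX shell pre-commit guard that refuses any manifest containing a plain `kind: Secret`, so a forgotten plaintext secret never reaches Git. The function names, the hook wiring and the two sample manifests are constructed for this demo; the sample "ciphertext" is a placeholder, not real kubeseal output.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-commit guard that rejects
# plain Kubernetes Secrets so that only SealedSecrets are committed to Git.

# check_manifest FILE
# Returns 0 when FILE holds no document with `kind: Secret`, 1 otherwise.
# SealedSecret documents have `kind: SealedSecret`, so the anchored match
# below only fires on plaintext Secrets (quoted or unquoted value).
check_manifest() {
  if awk '
    /^kind:[[:space:]]*"?Secret"?[[:space:]]*$/ { found = 1 }
    END { exit found + 0 }
  ' "$1"; then
    return 0
  fi
  echo "refusing to commit plain Secret in $1 (seal it with kubeseal first)" >&2
  return 1
}

# check_files FILE...
# Checks every file given; returns 1 if any of them contains a plain Secret.
# Intended to be called from .git/hooks/pre-commit with the staged YAML files.
check_files() {
  status=0
  for f in "$@"; do
    check_manifest "$f" || status=1
  done
  return $status
}

# make_samples
# Writes two constructed sample manifests (no real credentials) into a temp
# directory and prints its path: plain.yaml has the shape produced by
# `kubectl create secret --dry-run=client -o yaml`, sealed.yaml the shape
# kubeseal emits (annotations moved under spec.template.metadata).
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/plain.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: regcred
  namespace: flux-resources
  annotations:
    kubed.appscode.com/sync: app=kubed
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: eyJleGFtcGxlIjogdHJ1ZX0=
EOF
  cat > "$dir/sealed.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: regcred
  namespace: flux-resources
spec:
  encryptedData:
    .dockerconfigjson: AgBConstructedCiphertextPlaceholder
  template:
    metadata:
      annotations:
        kubed.appscode.com/sync: app=kubed
      name: regcred
      namespace: flux-resources
    type: kubernetes.io/dockerconfigjson
EOF
  echo "$dir"
}
```

To wire it in, save the file as a script, source it from `.git/hooks/pre-commit` and call `check_files $(git diff --cached --name-only -- '*.yaml' '*.yml')`; a non-zero exit aborts the commit. The check is deliberately narrow (top-level `kind: Secret` only) so it never blocks a SealedSecret, and it complements rather than replaces the `rm regcred.yaml` step above.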

That’s “almost” it

French DevOps/Infrastructure engineer who loves automation and container orchestration.
