flux 和 GitOps
眾所周知,weaveworks 公司在 2017 年提出了 GitOps 這個概念,而 flux 是 weaveworks 開源的一款對 Kubernetes 上的應用實現持續交付的工具,2019 年 7 月 15日 被 CNCF 接受,現在處於孵化階段。
關於 GitOps 的更多詳細內容可以查看本公眾號過往的文章:
- 雲原生時代,你還不懂GitOps?
- 讓 KAS 給 GitOps 插上騰飛的翅膀
- 極狐GitLab 和 ArgoCD 的集成實踐
簡而言之:flux 是實現 GitOps 的一款開源工具。
極狐GitLab 與 flux 的集成
flux 的使用是通過 flux 命令行來實現的。先進行 flux 命令行的安裝。
flux 命令行安裝
flux CLI 的安裝可以參考官方文檔。本文以 macOS 為例,使用下面的命令即可安裝成功:
$ brew install fluxcd/tap/flux查看 flux 的版本,確認安裝是否成功:
$ flux -v
flux version 0.17.2極狐GitLab + flux = GitOps
極狐GitLab 與 flux 能夠很好的集成,從而實現 GitOps workflow。其核心原理是:極狐GitLab 作為單一可信源,當 極狐GitLab 倉庫有變更時,變更會自動同步至 Kubernetes 集羣側。示意圖如下。
可以用 flux bootstrap 命令來創建一個 GitOps workflow。flux bootstrap 命令有很多參數,詳細的使用可以用 flux bootstrap -h 來查看。在執行 bootstrap 命令之前,可以先用 flux check --pre 來做一個安裝前的檢查,確保目標 Kubernetes 集羣的版本能夠滿足 flux 的要求。
$ flux check --pre
► checking prerequisites
✔ kubectl 1.21.2 >=1.18.0-0
✔ Kubernetes 1.20.6-tke.3 >=1.16.0-0
✔ prerequisites checks passed可以看到目標集羣以及 kubectl 符合要求。
下面用 flux bootstrap 來創建一個基於極狐GitLab 的 GitOps workflow。使用命令如下:
$ flux bootstrap gitlab \
--hostname gitlab.cn \
--interval 30s \
--owner xiaomage \
--private \
--repository flux-gitops \
--path jihu其中參數的具體含義為:
- bootstrap gitlab:表明是基於 GitLab 倉庫來進行 bootstrap 操作
- hostname:指定 GitLab 的 hostname,默認是 gitlab.com,對於極狐GitLab Saas 服務來講是 gitlab.cn
- interval:倉庫的同步時間,默認是 1min
- owner:極狐GitLab 的用户名或者某個 Group
- private:如果設置為 true 則 bootstrap 過程中創建的倉庫是私有倉庫(默認是 true)
- repository:極狐GitLab 的倉庫名稱
- path:相對於極狐GitLab 倉庫根路徑的相對路徑
然後將獲取的 token 注入為環境變量:
$ export GITLAB_TOKEN=YOUR-JiHu-GitLab-Token然後執行上述的 flux bootstrap 命令。可以看到整個 bootstrap 過程:
► connecting to https://gitlab.cn
► cloning branch "main" from Git repository "https://gitlab.cn/xiaomage/flux-gitops.git"
✔ cloned repository
► generating component manifests
✔ generated component manifests
✔ committed sync manifests to "main" ("53f2232c92ad8769dc796d2e38995ee156fcf33b")
► pushing component manifests to "https://gitlab.cn/xiaomage/flux-gitops.git"
► installing components in "flux-system" namespace
✔ installed components
✔ reconciled components
► determining if source secret "flux-system/flux-system" exists
► generating source secret
✔ public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyDKHJ3QDk+UVJS8zYe0cFIqz3KNUDAFlKXf0NaGH/gwYW1L2XxFKfzJAQydc+DGBGnrEGFB3d21mUpaXkxrFsCEYOxPuh277jvVZsgBOCsWwXkbUCAAsogUJyNfUWvEdUZYYrZ//84o0QbPylnnoUw9Y5lvC8BcArZ13kGeRvxwDbcweGho3nBPa1JP+nq0+X+/2QT+5gor9uQsa8x4c8eOYApOlefGQ9nbhZdM/kfzLVU9yCTjkKPcu6iaAzWIE1JXt+90lMmL4CzqwNjN231hu6H1ZOpdW/mtTYY8Zp9Qx/0duSjtfTQsJUqDNS5CA/nQ2Y9VfaLeTI06cI44kb
✔ configured deploy key "flux-system-main-flux-system-./jihu" for "https://gitlab.cn/xiaomage/flux-gitops"
► applying source secret "flux-system/flux-system"
✔ reconciled source secret
► generating sync manifests
✔ generated sync manifests
✔ committed sync manifests to "main" ("28df0fae5bc6327cbcaf2884a775110cb937f78b")
► pushing sync manifests to "https://gitlab.cn/xiaomage/flux-gitops.git"
► applying sync manifests
✔ reconciled sync configuration
◎ waiting for Kustomization "flux-system/flux-system" to be reconciled
✗ context deadline exceeded
► confirming components are healthy
✔ helm-controller: deployment ready
✔ kustomize-controller: deployment ready
✔ notification-controller: deployment ready
✔ source-controller: deployment ready
✔ all components are healthy整個過程,大概有如下幾個操作:
- 在極狐GitLab 上創建名為 flux-gitops 的倉庫(由 bootstrap 時的 repository 參數指定);
- 自動創建包含 GitOps toolkit components 的 manifest 文件(gotk-components.yaml);
- 根據上述生成的 manifest 文件創建 GitOps toolkit components;
- 生成並添加 Deploy key;
- 自動創建包含 GitOps toolkit sync 信息的 manifest 文件(gotk-sync.yaml);
- 檢查 GitOps toolkit 相關 components 的健康狀態
可以在極狐GitLab 上面查看 bootstrap 過程中創建的倉庫,其目錄結構為:
.
└── jihu
└── flux-system
├── gotk-components.yaml
├── gotk-sync.yaml
└── kustomization.yaml
2 directories, 3 filesjihu 為 bootstrap 時由 path 指定的參數。
添加的 Deploy key 可以在 flux-gitops 倉庫的 Settings --> Repository --> Deploy keys 查看:
查看 GitOps toolkit components 的狀態:
$ kubectl -n flux-system get pods
NAME READY STATUS RESTARTS AGE
helm-controller-5dfb499dfb-fpjgh 1/1 Running 0 7h45m
kustomize-controller-5458d94d5c-x4cjs 1/1 Running 0 7h45m
notification-controller-5b5dd6d7d9-z96xc 1/1 Running 0 7h45m
source-controller-cbcbbc677-r2ptp 1/1 Running 0 7h45m而且可以查看 source-controller 組件的 log:
$ kubectl -n flux-system logs -f source-controller-cbcbbc677-r2ptp
{"level":"info","ts":"2021-09-26T13:37:59.418Z","logger":"controller.gitrepository","msg":"Reconciliation finished in 730.754068ms, next run in 30s","reconciler group":"source.toolkit.fluxcd.io","reconciler kind":"GitRepository","name":"flux-system","namespace":"flux-system"}可以看到通過 Reconciliation 進行 sync 的同步間隔為 bootstrap 時指定的 30s。此時,説明 GitOps workflow 機制已經運行起來了:flux 已經在監聽 flux-gitops 倉庫的狀態了,一旦有變更就會自動進行同步。
接下來做一個 GitOps workflow 的 Demo。
GitOps Demo
此時 flux 的組件已經在監聽極狐GitLab 倉庫 flux-gitops 了,一旦這個倉庫下面有任何變更,就會把變更自動同步至 Kubernetes 集羣側。為了觸發 GitOps workflow 並進行驗證,在 flux-gitops 倉庫中添加一個 manifest 文件,此時倉庫的目錄結構變為:
.
├── flux-system
│ ├── gotk-components.yaml
│ ├── gotk-sync.yaml
│ └── kustomization.yaml
└── jihu-gitlab
└── manifest.yaml
2 directories, 4 filesmanifest.yaml 文件中包含創建 namespace、deployment、service、secret等資源所需的內容。
然後提交代碼至極狐GitLab 倉庫。然後可以看到多了一個名為 flux-gitops 的 namespace:
$ kubectl get ns
flux-gitops Active 1s查看此 namespace 下面的 pod:
$ kubectl -n flux-gitops get pods
NAME READY STATUS RESTARTS AGE
deploy-796886df9b-62jmd 1/1 Running 0 13s再進一步,將 manifest.yaml 中 deployment 的 replicas 設置為 2,觀察 flux-gitops namespace 下面的pod 變化:
$ kubectl -n flux-gitops get pods -w
NAME READY STATUS RESTARTS AGE
deploy-796886df9b-62jmd 1/1 Running 0 11h
deploy-796886df9b-s9v87 0/1 Pending 0 0s
deploy-796886df9b-s9v87 0/1 Pending 0 0s
deploy-796886df9b-s9v87 0/1 Pending 0 0s
deploy-796886df9b-s9v87 0/1 Pending 0 0s
deploy-796886df9b-s9v87 0/1 ContainerCreating 0 0s
deploy-796886df9b-s9v87 0/1 ContainerCreating 0 1s
deploy-796886df9b-s9v87 1/1 Running 0 3s
$ kubectl -n flux-gitops get pods
NAME READY STATUS RESTARTS AGE
deploy-796886df9b-62jmd 1/1 Running 0 11h
deploy-796886df9b-s9v87 1/1 Running 0 7s可以看到 pod 的副本數變成了兩個。整個過程可以查看 kustomize-controller 的 log,能夠看到如下關於 sync 的內容:
$ kubectl -n flux-system logs -f kustomize-controller-5458d94d5c-x4cjs
{"level":"info","ts":"2021-09-27T01:11:08.155Z","logger":"controller.kustomization","msg":"Kustomization applied in 1.829340287s","reconciler group":"kustomize.toolkit.fluxcd.io","reconciler kind":"Kustomization","name":"flux-system","namespace":"flux-system","output":{"clusterrole.rbac.authorization.k8s.io/crd-controller-flux-system":"configured","clusterrolebinding.rbac.authorization.k8s.io/cluster-reconciler-flux-system":"configured","clusterrolebinding.rbac.authorization.k8s.io/crd-controller-flux-system":"configured","customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io":"configured","customresourcedefinition.apiextensions.k8s.io/buckets.source.toolkit.fluxcd.io":"configured","customresourcedefinition.apiextensions.k8s.io/gitrepositories.source.toolkit.fluxcd.io":"configured","customresourcedefinition.apiextensions.k8s.io/helmcharts.source.toolkit.fluxcd.io":"configured","customresourcedefinition.apiextensions.k8s.io/helmreleases.helm.toolkit.fluxcd.io":"configured","customresourcedefinition.apiextensions.k8s.io/helmrepositories.source.toolkit.fluxcd.io":"configured","customresourcedefinition.apiextensions.k8s.io/kustomizations.kustomize.toolkit.fluxcd.io":"configured","customresourcedefinition.apiextensions.k8s.io/providers.notification.toolkit.fluxcd.io":"configured","customresourcedefinition.apiextensions.k8s.io/receivers.notification.toolkit.fluxcd.io":"configured","deployment.apps/deploy":"configured","deployment.apps/helm-controller":"configured","deployment.apps/kustomize-controller":"configured","deployment.apps/notification-controller":"configured","deployment.apps/source-controller":"configured","gitrepository.source.toolkit.fluxcd.io/flux-system":"configured","kustomization.kustomize.toolkit.fluxcd.io/flux-system":"configured","namespace/flux-gitops":"configured","namespace/flux-system":"configured","networkpolicy.networking.k8s.io/allow-egress":"configured","networkpolicy.networking.k8s.io/allow-scraping":"configured","networkpolicy.networking.k8s.io/allow-webhooks":"configured","secret/jihu-gitlab-cr":"configured","secret/secret-env":"configured","service/notification-controller":"configured","service/source-controller":"configured","service/svc":"configured","service/webhook-receiver":"configured","serviceaccount/helm-controller":"configured","serviceaccount/kustomize-controller":"configured","serviceaccount/notification-controller":"configured","serviceaccount/source-controller":"configured"}}
{"level":"info","ts":"2021-09-27T01:11:08.436Z","logger":"controller.kustomization","msg":"Reconciliation finished in 3.900295254s, next run in 10m0s","reconciler group":"kustomize.toolkit.fluxcd.io","reconciler kind":"Kustomization","name":"flux-system","namespace":"flux-system","revision":"main/9f09f2a078c7f13287df1ed694df7deb45cfb5ed"}可以看到變更被捕獲且進行了同步。也即意味着實現了 GitOps workflow。
寫在最後
GitOps 被認為是雲原生應用程序和基礎設施部署與管理的新模式。極狐GitLab 在 13.x 版本中陸續引入了 Kubernetes Agent 來支持 GitOps workflow。而且每個版本都在不斷的迭代和完善。不同於使用 ArgoCD 和 Flux 的是:極狐GitLab 的 GitOps 能力是原生的,不需要額外去安裝和管理類似 ArgoCD 和 Flux 這樣的第三方軟件,減少了維護成本。
關於極狐GitLab 對於 GitOps workflow 的支持,可以查看公眾號文章讓 KAS 給 GitOps 插上騰飛的翅膀。
