Flux Playbooks
Mission control enhances a flux deployment with:
- An Argo style graph between Flux resources and the objects they create
- A playbook library that includes a GUI for both day 2 operations with
fluxcli and a GitOps Approach - Health checks on all flux resources based on
status.conditions - Alert silencing based on Flux hierarchy - that is, silence all alerts for objects created by a
KustomizationorHelmRlease
The following playbooks work by calling the flux CLI directly
| Playbook | Kustomization | HelmRelease |
|---|---|---|
Suspend | ||
Resume | ||
Reconcile |
ClickOps
The following playbooks enable a ClickOps style of working, but with all changes implemented using standard pull request workflows, giving developers self-service, guardrail driven access to make changes without direct git access or expertise.
| Playbook | Kustomization | HelmRelease | Namespace | Deployment |
|---|---|---|---|---|
Edit | ||||
Create Kustomization | ||||
Create Namespace | ||||
Create Deployment | ||||
Create Helm Chart | ||||
Update Values | ||||
Update Chart Version | ||||
Scale | ||||
Update Resources | ||||
Update Image |
Just In Time (JIT) Access
Just In Time playbooks provide a mechanism to grant users access to a namespace for a short space of time, this works by creating a new Rolebinding resource and inserting it into the kustomization resources, and then after the expiry window deleting the resources from git.
This approach provides a single audit trail of who has received access, and limits the need for the control plane to have direct access to update permissions.
| Playbook | Namespace |
|---|---|
Request Access |
Getting Started
-
Create a github connection
OptionalThis step is optional if you do not plan to use the ClickOps playbooks.
- Github
- Gitlab
- Azure Devops
- Git
apiVersion: mission-control.flanksource.com/v1
kind: Connection
metadata:
name: github
spec:
github:
organization: flanksoure
personalAccessToken:
valueFrom:
secretKeyRef:
name: secret-name
key: patClassic PATTo create pull requests it is recommended to use a classic token with the
repoOAuth scope.apiVersion: mission-control.flanksource.com/v1
kind: Connection
metadata:
name: gitlab
spec:
gitlab:
url: https://gitlab.com
personalAccessToken:
valueFrom:
secretKeyRef:
name: secret-name
key: patapiVersion: mission-control.flanksource.com/v1
kind: Connection
metadata:
name: azure
spec:
azureDevops:
url: https://dev.azure.com/YOUR_ORGANIZATION-OMA/YOUR_PROJECT/_git/repo
organization: YOUR_ORGANIZATION
personalAccessToken:
valueFrom:
secretKeyRef:
name: secret-name
key: patHTTP Basic Auth
apiVersion: mission-control.flanksource.com/v1
kind: Connection
metadata:
name: git
spec:
git:
username:
valueFrom:
secretKeyRef:
name: secret-name
key: username
password:
valueFrom:
secretKeyRef:
name: secret-name
key: passwordSSH Keys
apiVersion: mission-control.flanksource.com/v1
kind: Connection
metadata:
name: git
spec:
git:
certificate:
value: |
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----warningThe
gitconnection type does not support opening pull requests, use agithub,gitlaborazureDevopsconnection type instead. -
Install the mission-control-playbooks-flux chart
- Helm
- Flux
helm install mission-control-flux flanksource/mission-control-flux \
--set git.type=github \
--set git.connection=connection://mission-control/github \
-n mission-control --waitapiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: mission-control-flux
namespace: mission-control
spec:
chart:
spec:
chart: mission-control-flux
sourceRef:
kind: HelmRepository
name: flanksource
namespace: mission-control
interval: 1m
values:
git.type: github
git.connection: connection://mission-control/githubvalues.yaml
- createPullRequest: boolean (default: true) - yaml-language-server: $schema=values.schema.json
- git:
- connection: - Git connection to use when opening Pull Requests and pushing changes
- type: string (default: "github")
- url: - URL for the default git repository to use
- global: - Global values are values that can be accessed from any chart or subchart by exactly the same name.
Global values are values that can be accessed from any chart or subchart by exactly the same name.
- playbooks:
- createDeployment: boolean (default: true)
- createHelmRelease: boolean (default: true)
- debug: boolean
- edit: boolean (default: true)
- enabled: boolean (default: true)
- reconcile: boolean (default: true)
- requestNamespaceAccess: boolean (default: true)
- resume: boolean (default: true)
- scale: boolean (default: true)
- suspend: boolean (default: true)
- updateHelmChartVersion: boolean (default: true)
- updateHelmValues: boolean (default: true)
- updateImage: boolean (default: true)
- updateResources: boolean (default: true)
-
Annotate resources with
config.kubernetes.io/originThe annotation is added by kustomize when the
originAnnotationsbuild flag is set:kustomization.yamlapiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
buildMetadata: [originAnnotations]
Best Practises
- Don't provide the service account user who is submitting Pull Requests direct access to commit to
main. - Use branch protection policies to require pull requests, passing tests and selective approval
- Implement PR based integration tests that ensure changes:
- Compile using
kustomization build - Are compatible with your kubernetes API versions and CRD's with:
kustomization build | kubectl apply -f - --dry-run=service - Passes all compliance and governance rule
- Compile using
- Auto Merge PR's that are safe
Learn More
- Playbook exec and gitops actions
Auto Merging PRs by @jhale, has a run-down of using Github Actions to automerge, with some gotchas trivy - A mis-configuration, secrets and compliance scanner with good support for Kubernetes bulldozer and policy-bot for auto-merging PR's using customizable rules and policies