GitOps Kubernetes Cluster for Customer. Infrastructure as Code (IaC) with Flux2.
kubectl or k9s) requires being connected to the STRG VPN first.
Kubernetes configuration best practices

- lower-case characters
- hyphen

Pattern: `[a-z-]+`
The pre-commit framework needs to be initialized:

```shell
task pre-commit:init
```

All changes require a PR and review. Create a new branch and reference a Jira ticket, e.g.:

```shell
git switch -c feature/INPRO-1-configure-resource
```

The cluster has SOPS encryption in place.
To be able to decrypt secrets you need to have the role in Google Cloud assigned.

Addons like @signageos/vscode-sops for VSCode enable the IDE to automatically decrypt and open secrets in the IDE. On the command line, open a secret with:

```shell
sops test.devs.sops.yaml
```

This works without further parameters because the path_regex configured in .sops.yaml matches.
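An added example of a `.sops.yaml` that makes the bare `sops test.devs.sops.yaml` call work; it is not the repository's own file. The KMS resource id (project, location, key ring and key) is a placeholder, and restricting encryption to `data`/`stringData` is an assumption about how the secrets are structured, not something the page states.

```yaml
# Added example .sops.yaml (not the repository's own file).
# creation_rules are evaluated top to bottom; the first path_regex that
# matches the file path decides which key is used, so `sops <file>`
# needs no extra flags for files that follow the naming scheme.
creation_rules:
  # Every *.sops.yaml file in the repo is encrypted with this Google Cloud
  # KMS key. Placeholder resource id: replace PROJECT_ID, LOCATION, KEYRING
  # and KEY. Several keys can be listed comma-separated; after changing
  # this line run `sops updatekeys <file>` for every encrypted file.
  - path_regex: '.*\.sops\.yaml$'
    gcp_kms: projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY
    # Assumption: only the secret payload is encrypted, so apiVersion,
    # kind, metadata (and the file-level `# yamllint disable` comment)
    # stay readable for reviewers and for Flux/kustomize.
    encrypted_regex: '^(data|stringData)$'
```

A file that does not match any rule is refused by `sops -e`, which is the desired behaviour: a secret with a misspelled suffix cannot be encrypted with the wrong (or no) key by accident.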
Be sure to add `# yamllint disable` to the top of the file and keep this comment unencrypted. Encrypt the file in place with:

```shell
sops -e -i test.devs.sops.yaml
```

After updating the encryption key(s) in .sops.yaml (this applies to new versions of existing keys as well), run for each encrypted file:
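The pre-commit setup above and the in-place encryption step can be tied together so that a `*.sops.yaml` file that was edited but never re-encrypted cannot reach a PR. This `.pre-commit-config.yaml` is an added example, not the repository's actual configuration: the yamllint revision is illustrative, and the local hook simply checks that every staged `*.sops.yaml` carries the top-level `sops:` metadata block that SOPS writes on encryption.

```yaml
# Added example .pre-commit-config.yaml (not the repository's own file).
repos:
  # yamllint for all YAML; the `# yamllint disable` comment at the top of
  # an encrypted file keeps the linter away from the ciphertext blobs.
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.35.1   # illustrative pin, bump to the version you actually use
    hooks:
      - id: yamllint

  - repo: local
    hooks:
      # Refuse to commit a secret file that is still plaintext.
      # SOPS adds a top-level `sops:` key with the key metadata when it
      # encrypts a YAML file, so its absence means `sops -e -i` was skipped.
      - id: sops-encrypted
        name: refuse unencrypted *.sops.yaml
        language: system
        files: '\.sops\.yaml$'
        entry: >-
          sh -c 'status=0;
          for f in "$@"; do
            grep -q "^sops:" "$f" || { echo "NOT ENCRYPTED: $f"; status=1; };
          done;
          exit $status' --
```

After `task pre-commit:init` the hook runs on every commit; `pre-commit run --all-files` checks the whole tree, which is useful right after a key rotation with `sops updatekeys`.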
```shell
sops updatekeys test.devs.sops.yaml
```

To keep the Kubernetes resources in sync with the source repository, Flux is in place. Whenever there is a push to mainline, Flux will reconcile the resources with the desired state defined by the repository. Be sure to go through the full QA cycle.

Flux reconciles the cluster resources and has a deploy key added to the repository to be able to read and update the repo items.

Additionally, Flux has a Google Service Account bound to the kustomize-controller Service Account to be able to read the decryption key from Google KMS. This enables Flux to decrypt secrets with SOPS. For more information on how this works, check the Flux SOPS documentation.
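The Flux wiring described above, as an added example that is not taken from the repository: a GitRepository using the deploy key, a Kustomization with SOPS decryption enabled, and the kustomize-controller ServiceAccount patch that binds it to a Google Service Account via GKE Workload Identity. Repository URL, branch, path, project id and the Google Service Account name are placeholders.

```yaml
# Added example (not the repository's own manifests). All names marked
# PLACEHOLDER / EXAMPLE must be replaced.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m
  url: ssh://git@github.com/EXAMPLE-ORG/EXAMPLE-REPO.git   # placeholder
  ref:
    branch: main   # the mainline branch Flux watches
  secretRef:
    # Secret holding the deploy key: keys `identity`, `identity.pub`
    # and `known_hosts`. Read/write access lets Flux also update repo items.
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m
  path: ./clusters/customer   # placeholder
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    # No secretRef: kustomize-controller talks to Google KMS with the
    # identity of the Google Service Account bound below, so no private
    # key material lives in the cluster.
---
# clusters/customer/flux-system/kustomization.yaml (kustomize overlay):
# annotate the kustomize-controller ServiceAccount for Workload Identity.
# The Google Service Account must have the KMS decrypt role on the key
# referenced in .sops.yaml, and its Workload Identity binding must allow
# serviceAccount:PROJECT_ID.svc.id.goog[flux-system/kustomize-controller].
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  - patch: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: kustomize-controller
        namespace: flux-system
        annotations:
          iam.gke.io/gcp-service-account: flux-sops@PROJECT_ID.iam.gserviceaccount.com   # placeholder
    target:
      kind: ServiceAccount
      name: kustomize-controller
```

With this split, the only principal that can decrypt the secrets in the cluster is the kustomize-controller pod; every other workload, and anyone who can read the Git history, sees ciphertext only. A failed decryption shows up as a `Kustomization` whose `Ready` condition is `False`, which is the first thing to check after a key rotation.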