
Managing ConfigMaps and Secrets with FluxCD

Scenario: A developer wants to manage ConfigMaps and Secrets using FluxCD. In this example, we will demonstrate how to use FluxCD’s GitOps workflow to manage ConfigMaps and Secrets by syncing desired state from a Git repository.

Background: FluxCD is an open-source GitOps tool for Kubernetes that enables continuous delivery of application configurations. It provides a GitOps workflow for managing Kubernetes resources, including ConfigMaps and Secrets. FluxCD supports various methods for managing secrets, such as Kubernetes Secrets, Encrypted Secrets using Decryption Operators, and external secret management systems.

Prerequisites:

  • Familiarity with Kubernetes and Git
  • A Git repository containing Kubernetes manifests
  • FluxCD installed and configured

Steps:

  1. Create a ConfigMap using a Kubernetes manifest in your Git repository. For example, create a file named configmap.yaml in the manifests directory:

apiVersion: v1
kind: ConfigMap
metadata:
  name: example-configmap
data:
  example: |
    This is an example ConfigMap.

  2. Commit and push the configmap.yaml file to your Git repository.

  3. Configure FluxCD to sync the ConfigMap from your Git repository. Create a file named configmap-sync.yaml in the manifests/install directory:

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: example-repo
  namespace: flux-system
spec:
  interval: 5m
  url: https://github.com/<username>/<repository>.git
  ref:
    branch: <branch>
    commit: <commit-hash>

---

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: example-configmap-sync
  namespace: flux-system
spec:
  interval: 5m
  sourceRef:
    kind: GitRepository
    name: example-repo
  path: ./manifests
  prune: true   # remove cluster objects whose manifests are deleted from Git

Replace <username>, <repository>, <branch>, and <commit-hash> with the appropriate values for your Git repository. Pinning ref.commit makes Flux stop following the branch, so include that line only if you want a fixed revision; otherwise omit it. A Kustomization points at a directory rather than a single file, so path: ./manifests applies configmap.yaml together with every other manifest under that directory.

  4. Commit and push the configmap-sync.yaml file to your Git repository.

  5. Verify that FluxCD syncs the ConfigMap from your Git repository. Run the following commands to check the status of the source and of the sync:

$ flux get sources git
$ flux get kustomizations
  6. Create a Secret using a Kubernetes manifest in your Git repository. For example, create a file named secret.yaml in the manifests directory:

apiVersion: v1
kind: Secret
metadata:
  name: example-secret
type: Opaque
data:
  example: <base64-encoded-secret>

Replace <base64-encoded-secret> with the base64-encoded value of your secret. Note that base64 is an encoding, not encryption: anyone with read access to the repository or its history can recover the value. Encrypt the manifest before it is committed (for example with SOPS, encrypting only the data and stringData fields) so that only the encrypted form ever enters the repository.

  7. Commit and push the secret.yaml file to your Git repository.

  8. Configure FluxCD to sync the Secret from your Git repository using a Decryption Operator (in Flux this is the kustomize-controller's built-in SOPS decryption, enabled on the Kustomization). Create a file named secret-sync.yaml in the manifests/install directory; it reuses the GitRepository example-repo from step 3:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: example-secret-sync
  namespace: flux-system
spec:
  interval: 5m
  sourceRef:
    kind: GitRepository
    name: example-repo
  path: ./manifests
  prune: true
  decryption:
    provider: sops
    secretRef:
      name: example-decryption-key-secret

The Kustomization expects the decryption key in a Secret of this shape in the flux-system namespace:

apiVersion: v1
kind: Secret
metadata:
  name: example-decryption-key-secret
  namespace: flux-system
type: Opaque
data:
  example-decryption-key.agekey: <base64-encoded-decryption-key>

Replace <base64-encoded-decryption-key> with the base64-encoded private key. The suffix of the data key tells Flux the key type: .agekey for an age key, .asc for a PGP key. This decryption key is the one object that must not be committed to the repository in plaintext, since that would hand the key to anyone who can read the repository: apply the Secret directly to the cluster instead (for example with kubectl apply from a local file that is excluded from Git) and keep it out of the directory the Kustomization syncs. Because a Kustomization applies every manifest under its path, one Kustomization with a decryption block can serve both the ConfigMap and the Secret; if you keep example-configmap-sync from step 3 as well, point the two at different directories so they do not both try to own the same objects.

  9. Commit and push the secret-sync.yaml file to your Git repository.

  10. Verify that FluxCD syncs the Secret from your Git repository using the Decryption Operator. Run the following commands to check the status of the sync and confirm the decrypted Secret exists in the cluster:

$ flux get kustomizations
$ kubectl get secret example-secret

Tests:

To verify the answer, you can perform the following tests:

  1. Check that the ConfigMap is synced from the Git repository by running:

$ kubectl get configmap example-configmap

  2. Check that the Secret is synced from the Git repository using the Decryption Operator by running:

$ kubectl get secret example-secret -o yaml

  3. Update the ConfigMap or Secret in the Git repository and verify that FluxCD syncs the changes.

  4. Delete the ConfigMap or Secret from the Git repository and verify that FluxCD deletes the corresponding resources in the cluster.

  5. Test the security of the Secret by attempting to access it without the Decryption Operator key.

  6. Test the scalability of the solution by adding more ConfigMaps and Secrets to the Git repository and verifying that FluxCD syncs them correctly.
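The security test above only works if no plaintext Secret ever reaches the repository in the first place. As an added example (not code from this page or from the Flux project), the following pre-commit/CI check scans a multi-document manifest file and flags every kind: Secret document that lacks a top-level sops: metadata block or carries a non-ENC[...] value under data or stringData; it assumes the SOPS output format and uses a constructed sample instead of a real repository.

```python
import re

# Shape of a SOPS-encrypted scalar, e.g. ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_VALUE = re.compile(r"^ENC\[[A-Z0-9_]+,data:.*\]$")

def split_documents(text):
    """Split a multi-document YAML string on '---' separator lines (no YAML library needed)."""
    return [d for d in re.split(r"^---\s*$", text, flags=re.M) if d.strip()]

def find_plaintext_secrets(text):
    """Return (doc index, reason) for each kind: Secret that is not SOPS-encrypted:
    it must carry a top-level 'sops:' block and only ENC[...] values under data/stringData."""
    findings = []
    for index, doc in enumerate(split_documents(text)):
        lines = doc.splitlines()
        if not any(re.fullmatch(r"kind:\s*Secret\s*", line) for line in lines):
            continue  # ConfigMaps and other kinds may be stored in plaintext
        if not any(re.fullmatch(r"sops:\s*", line) for line in lines):
            findings.append((index, "missing sops metadata block"))
        in_data = False
        for line in lines:
            if re.fullmatch(r"(data|stringData):\s*", line):
                in_data = True
                continue
            if in_data and line and not line[0].isspace():
                in_data = False  # back at top level: left the data mapping
            match = re.fullmatch(r"\s+([^:\s]+):\s*(\S.*)", line) if in_data else None
            if match and not ENC_VALUE.match(match.group(2).strip()):
                findings.append((index, f"plaintext value for key {match.group(1)!r}"))
    return findings

# Constructed sample: the page's plaintext Secret, then the same Secret after `sops --encrypt`.
SAMPLE = """\
kind: Secret
metadata:
  name: example-secret
data:
  example: cGFzc3dvcmQ=
---
kind: Secret
metadata:
  name: example-secret
data:
  example: ENC[AES256_GCM,data:AbCd,iv:EfGh,tag:IjKl,type:str]
sops:
  version: 3.8.1
"""
```

Run find_plaintext_secrets over each manifest file in the commit and fail the hook when it returns anything; the first document of SAMPLE is reported twice (no sops block, plaintext value for key example), the second passes.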