Using Flux on OpenShift
OpenShift Setup
Steps described in this document have been tested on OpenShift 4.6, 4.7 and 4.8. You require cluster-admin privileges to install Flux on OpenShift. This means that it currently is not possible to install Flux on the OpenShift Developer Sandbox.
CodeReady Containers
An easy way to provision OpenShift is to use CodeReady Containers (CRC) for OpenShift, which could be obtained from here. With this setup, you require a physical Linux box. An OpenShift cluster will run inside a VM installed by CRC.
Resource Usage
Please note that your desktop / laptop should have at least 8 CPU cores with 32 GB of RAM as it is recommended to allocate at least 4 CPU cores and 18 GB of RAM for the cluster to have a good experience.# Setup the OpenShift configuration
# You need to paste a pull secret here
crc setup
# Start the cluster with 18 GB of RAM
crc start -c 4 -m 18432
After the cluster is up and running, there will be a message tell us how to login.
Please make sure that you use kubeadmin
user to login before installing Flux.
# Prepare environment setup for the OC command
eval $(crc oc-env)
# Login
oc login -u kubeadmin -p <your password> https://api.crc.testing:6443
Flux Installation with CLI
The best way to install Flux on OpenShift currently is to use the flux bootstrap
command.
This command works with GitHub, GitLab as well as generic Git provider.
Before installing Flux with CLI, you need to set the nonroot SCC for all controllers in the flux-system
namespace, like this:
NS="flux-system"
oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:kustomize-controller
oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:helm-controller
oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:source-controller
oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:notification-controller
oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:image-automation-controller
oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:image-reflector-controller
Also, you have to patch your Kustomization to remove the SecComp Profile and enforce runUserAs
to the same UID provided by the images to prevent OpenShift to alter the user expected by our controllers, before bootstrapping by.
You’ll need to create a Git repository and clone it locally.
Create the file structure required by bootstrap using the following command:
mkdir -p clusters/my-cluster/flux-system
touch clusters/my-cluster/flux-system/gotk-components.yaml \
clusters/my-cluster/flux-system/gotk-sync.yaml \
clusters/my-cluster/flux-system/kustomization.yaml
- Add the following YAML snippet and its patches section to kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
patches:
- patch: |
apiVersion: apps/v1
kind: Deployment
metadata:
name: all
spec:
template:
spec:
containers:
- name: manager
securityContext:
runAsUser: 65534
seccompProfile:
$patch: delete
target:
kind: Deployment
labelSelector: app.kubernetes.io/part-of=flux
- Commit and push the changes to main branch:
git add -A && git commit -m "init flux for openshift" && git push
Then you can continue with the Flux bootstrap process. Assuming that you are a GitHub user, you could start by preparing your GitHub credentials.
export GITHUB_TOKEN=<your-token>
export GITHUB_USER=<your-username>
And run the Flux bootstrap command.
flux bootstrap github \
--owner=$GITHUB_USER \
--repository=openshift-gitops \
--branch=main \
--path=./clusters/my-cluster \
--personal
Please refer to the command’s documentations here in details.
Flux Upgrade
Upgrading Flux on OpenShift is very simple and straightforward.
Please just make sure that you are already logged in as kubeadmin
user.
Assuming you are a Homebrew user, you could upgrade Flux CLI using the following command.
# Upgrade Flux
brew upgrade fluxcd/tap/flux
# Check Flux version
flux -v
# Login as kubeadmin
oc login -u kubeadmin -p <your password> https://api.crc.testing:6443
After you obtained the Flux version you wanted, simply re-run the above flux bootstrap
command from the previous section, and all of your Flux component will be upgraded.
# Re-running the bootstrap command to upgrade
flux bootstrap github \
--owner=$GITHUB_USER \
--repository=openshift-gitops \
--branch=main \
--path=./clusters/my-cluster \
--personal
Please see also the upgrade and the bootstrap upgrade documentations for details.
Flux Installation via OperatorHub
Flux is available on OperatorHub and Red Hat OpenShift Community Operators, which means that you can install Flux directly from the Red Hat OperatorHub user interface.
On the OpenShift UI, you go to “Operators -> OperatorHub” menu, search for “Flux”, click the Flux Operator, then click the “Install” button.
Here’s the link to Flux on OperatorHub.