This is a simple example of how to use FluxCD to automatically update Kustomize resources in a Kubernetes cluster. It allows for a set-and-forget approach to managing Kubernetes deployments of well-known open source projects such as Postgres or WordPress.
Prerequisites
For the auto update to work, FluxCD needs to be allowed to commit to the Git repository from where it is bootstrapped.
On GitHub, for example, make sure that the FluxCD deploy key has write access to the repository (check all permissions under repo).
Next, since the image automation components are not yet installed by default, we need to install the image-automation-controller and image-reflector-controller components during the bootstrap. A Kubernetes cluster that is already bootstrapped with FluxCD can safely be bootstrapped again with the following command:
Make sure to replace the owner, branch, repository and path with your own values.
```bash
export GITHUB_TOKEN=<your-token>
export GITHUB_USER=<your-username>
flux bootstrap github \
  --components-extra=image-reflector-controller,image-automation-controller \
  --owner=$GITHUB_USER \
  --repository=flux-image-updates \
  --branch=main \
  --path=clusters/my-cluster \
  --read-write-key \
  --personal
```
Once bootstrapped, the new FluxCD resources can be defined in the cluster repository.
ImageUpdateAutomation Resource
The ImageUpdateAutomation resource defines how FluxCD writes image updates back to the Git repository: which branch to check out, the commit author and message, and the branch to push to. It can cover a single image or multiple images. The following example shows how to define the image update automation for the entire cluster.
Save the file as image-update-automation.yaml in the clusters/my-cluster directory.
```yaml
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        email: [email protected]
        name: fluxcdbot
      messageTemplate: '{{range .Changed.Changes}}{{print .OldValue}} -> {{println .NewValue}}{{end}}'
    push:
      branch: main
  interval: 30m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
```
For each image update, the ImageUpdateAutomation resource commits the change to the repository and pushes it to the main branch, using {{range .Changed.Changes}}{{print .OldValue}} -> {{println .NewValue}}{{end}} as the commit message template.
ImageRepository Resource
The ImageRepository resource is used to define the image source for the image to be auto updated. The following example shows how to define the image repository for the keycloak image.
Save the file as keycloak-registry.yaml in the keycloak kustomize directory. Don’t forget to append the keycloak-registry.yaml to the kustomization.yaml file.
```yaml
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: keycloak
  namespace: flux-system
spec:
  image: quay.io/keycloak/keycloak
  interval: 5m
```
The ImageRepository resource will check for updates to the quay.io/keycloak/keycloak image every 5 minutes.
ImageRepository resources can be checked by running the following command:
```bash
flux get images repository keycloak
```
ImagePolicy Resource
The ImagePolicy resource is used to define the update policy for the images in the cluster. The following example shows how to define the image policy for the keycloak image.
Save the file as keycloak-image-policy.yaml in the keycloak kustomize directory. Don’t forget to append the keycloak-image-policy.yaml to the kustomization.yaml file.
```yaml
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: keycloak
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: keycloak
  policy:
    semver:
      range: 25.0.x
```
The ImagePolicy resource will update the keycloak image to the latest version in the 25.0.x range.
ImagePolicy resources can be checked by running the following command:
```bash
flux get images policy keycloak
```
Apply ImagePolicy to Kustomize Resource
The ImagePolicy resource needs to be applied to the Kustomize resource that uses the image. The following example shows how to apply the ImagePolicy resource to the keycloak Deployment.
```yaml
# ...
containers:
  - name: keycloak
    image: quay.io/keycloak/keycloak:25.0.2 # {"$imagepolicy": "flux-system:keycloak"}
    args: ["start", "--transaction-xa-enabled", "false"]
    resources:
      requests:
        cpu: "100m"
        memory: "128Mi"
      limits:
        cpu: "1000m"
        memory: "512Mi"
    envFrom:
      - configMapRef:
          name: keycloak-config
```
The # {"$imagepolicy": "flux-system:keycloak"} comment on the image line is the marker that applies the ImagePolicy resource to the keycloak image.
Once a new image is available, FluxCD will automatically update the image in the keycloak Deployment.
```text
2024-07-21T11:00:27.120Z info ImagePolicy/keycloak.flux-system - Latest image tag for 'quay.io/keycloak/keycloak' updated from 25.0.1 to 25.0.2
2024-07-21T11:00:27.129Z info ImagePolicy/keycloak.flux-system - Latest image tag for 'quay.io/keycloak/keycloak' updated from 25.0.1 to 25.0.2
2024-07-18T07:14:21.271Z info GitRepository/flux-system.flux-system - stored artifact for commit 'quay.io/keycloak/keycloak:25.0.1 -> quay.io/keyclo...'
```
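Because the automation pushes straight to main with a write-capable deploy key, its commits are worth checking. The following added example (not from the original post or the Flux project) parses a commit message rendered by the messageTemplate above and flags any change that swaps the image repository, leaves the 25.0.x range, or is not an upgrade. The names ALLOWED, check_commit_message and the sample message are assumptions made for this example, and digest references are out of scope.

```python
import re

# Assumption: allow-list copied by hand from the ImagePolicy on this page.
ALLOWED = {"quay.io/keycloak/keycloak": "25.0.x"}
RELEASE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")  # plain releases, no pre-release tags

# Constructed sample: a message as rendered by the messageTemplate above.
SAMPLE = ("quay.io/keycloak/keycloak:25.0.1 -> quay.io/keycloak/keycloak:25.0.2\n"
          "quay.io/keycloak/keycloak:25.0.2 -> quay.io/keycloak/keycloak:26.0.0\n")

def split_ref(ref):
    """Split 'repo:tag'; a colon that belongs to a registry port is not a tag."""
    repo, sep, tag = ref.rpartition(":")
    return (repo, tag) if sep and "/" not in tag else (ref, None)

def in_range(version, rng):
    """Match a (major, minor, patch) tuple against an x-range such as '25.0.x'."""
    return all(p == "x" or int(p) == v for p, v in zip(rng.split("."), version))

def check_commit_message(message, allowed=ALLOWED):
    """Return findings for an automation commit message; an empty list means OK."""
    lines = [ln.strip() for ln in message.splitlines() if ln.strip()]
    findings = [] if lines else ["no changes listed"]
    for line in lines:
        old, arrow, new = line.partition(" -> ")
        if not arrow:
            findings.append(f"unparseable line: {line!r}")
            continue
        (old_repo, old_tag), (new_repo, new_tag) = split_ref(old), split_ref(new)
        if new_repo != old_repo:
            findings.append(f"repository changed: {old_repo} -> {new_repo}")
        if new_repo not in allowed:
            findings.append(f"repository not under policy: {new_repo}")
            continue
        m_old, m_new = RELEASE.match(old_tag or ""), RELEASE.match(new_tag or "")
        if not m_new:
            findings.append(f"new tag is not a release version: {new_tag}")
            continue
        v_new = tuple(map(int, m_new.groups()))
        if not in_range(v_new, allowed[new_repo]):
            findings.append(f"{new_tag} outside range {allowed[new_repo]}")
        if m_old and v_new <= tuple(map(int, m_old.groups())):
            findings.append(f"not an upgrade: {old_tag} -> {new_tag}")
    return findings

if __name__ == "__main__":
    for finding in check_commit_message(SAMPLE):
        print("FINDING:", finding)
```

A check like this fits a CI job that runs on commits authored by fluxcdbot and alerts when the returned list is not empty.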
Caution
Make sure that the deployment update strategy is set to the preferred value. For example, RollingUpdate or Recreate.
Since FluxCD will automatically update the image, it is important to have a proper deployment strategy in place to avoid any downtime.