This is a simple example of how to use FluxCD to automatically update Kustomize resources in a Kubernetes cluster. It allows for a set-and-forget approach to managing Kubernetes deployments of well-known open source projects such as Postgres or WordPress.
Prerequisites
For the auto update to work, FluxCD needs to be allowed to commit to the Git repository from where it is bootstrapped.
For GitHub, for example, make sure that the FluxCD deploy key has write access to the repository (check all permissions under repo).
Next, since the image automation components are not yet installed by default, we need to install the image-automation-controller and image-reflector-controller components during the bootstrap. A Kubernetes cluster that is already bootstrapped with FluxCD can safely be bootstrapped again with the following command.
Make sure to replace the owner, branch, repository and path with your own values.
```bash
export GITHUB_TOKEN=<your-token>
export GITHUB_USER=<your-username>
flux bootstrap github \
  --components-extra=image-reflector-controller,image-automation-controller \
  --owner="$GITHUB_USER" \
  --repository=flux-image-updates \
  --branch=main \
  --path=clusters/my-cluster \
  --read-write-key \
  --personal
```
Once bootstrapped, the new FluxCD resources can be defined in the cluster repository.
ImageUpdateAutomation Resource
The ImageUpdateAutomation resource is used to define the update policy for the images in the cluster. It can be used to define the update policy for a single image or multiple images. The following example shows how to define the image update automation for the entire cluster.
Save the file as image-update-automation.yaml in the clusters/my-cluster directory.
```yaml
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        # address obfuscated on the source page; set your bot's commit e-mail
        email: [email protected]
        name: fluxcdbot
      messageTemplate: '{{range .Changed.Changes}}{{print .OldValue}} -> {{println .NewValue}}{{end}}'
    push:
      branch: main
  interval: 30m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
```
For each image update, the ImageUpdateAutomation resource will commit the changes to the repository and push them to the main branch, using {{range .Changed.Changes}}{{print .OldValue}} -> {{println .NewValue}}{{end}} as the commit message template.
ImageRepository Resource
The ImageRepository resource is used to define the image source for the image to be auto updated. The following example shows how to define the image repository for the keycloak image.
Save the file as keycloak-registry.yaml in the keycloak kustomize directory. Don’t forget to append the keycloak-registry.yaml to the kustomization.yaml file.
```yaml
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: keycloak
  namespace: flux-system
spec:
  image: quay.io/keycloak/keycloak
  interval: 5m
```
The ImageRepository resource will check for updates to the quay.io/keycloak/keycloak image every 5 minutes.
ImageRepository resources can be checked by running the following command:
```bash
flux get images repository keycloak
```
ImagePolicy Resource
The ImagePolicy resource is used to define the update policy for the images in the cluster. The following example shows how to define the image policy for the keycloak image.
Save the file as keycloak-image-policy.yaml in the keycloak kustomize directory. Don’t forget to append the keycloak-image-policy.yaml to the kustomization.yaml file.
```yaml
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: keycloak
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: keycloak
  policy:
    semver:
      range: 25.0.x
```
The ImagePolicy resource will update the keycloak image to the latest version in the 25.0.x range.
ImagePolicy resources can be checked by running the following command:
```bash
flux get images policy keycloak
```
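
What "latest version in the 25.0.x range" selects can be modelled in a few lines. The following Python is an added illustration, not code from the original page or from Flux; it is a simplified model that accepts only plain MAJOR.MINOR.PATCH tags, and the function names and the tag list are constructed.

```python
import re

# Strict MAJOR.MINOR.PATCH (optional leading "v"). Tags with a pre-release
# or build suffix, and non-version tags such as "latest", are ignored.
# This is an assumption of the sketch, not Flux's own parser.
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag):
    """Return (major, minor, patch) for a plain semver tag, else None."""
    m = _SEMVER.match(tag)
    return tuple(int(p) for p in m.groups()) if m else None


def in_x_range(version, x_range):
    """True if version matches an x-range such as '25.0.x' or '25.x'."""
    parts = x_range.split(".")
    parts += ["x"] * (3 - len(parts))  # '25.x' is treated as '25.x.x'
    for have, want in zip(version, parts):
        if want.lower() in ("x", "*"):
            continue
        if int(want) != have:
            return False
    return True


def select_latest(tags, x_range):
    """Pick the highest tag inside x_range, compared numerically."""
    candidates = [(parse_version(t), t) for t in tags]
    matching = [(v, t) for v, t in candidates if v and in_x_range(v, x_range)]
    return max(matching)[1] if matching else None


# Constructed tag list, not real registry output.
SAMPLE_TAGS = ["latest", "nightly", "24.0.5", "25.0.1", "25.0.2", "25.0.10",
               "25.0.11-rc1", "25.1.0", "26.0.0"]

if __name__ == "__main__":
    # Numeric comparison: 25.0.10 outranks 25.0.2; 25.1.0 and 26.0.0 are out of range.
    print(select_latest(SAMPLE_TAGS, "25.0.x"))
```

Pinning the range to a patch series keeps minor and major upgrades, pre-release tags and floating tags such as latest out of the automated commits.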
Apply ImagePolicy to Kustomize Resource
The ImagePolicy resource needs to be applied to the Kustomize resource that uses the image. The following example shows how to apply the ImagePolicy resource to the keycloak Deployment.
```yaml
# ...
      containers:
        - name: keycloak
          # The marker comment on the image line below links it to the ImagePolicy.
          image: quay.io/keycloak/keycloak:25.0.2 # {"$imagepolicy": "flux-system:keycloak"}
          args: ["start", "--transaction-xa-enabled", "false"]
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "1000m"
              memory: "512Mi"
          envFrom:
            - configMapRef:
                name: keycloak-config
```
The {"$imagepolicy": "flux-system:keycloak"} marker comment will apply the ImagePolicy resource to the keycloak image.
Once a new image is available, FluxCD will automatically update the image in the keycloak Deployment.
```text
2024-07-21T11:00:27.120Z info ImagePolicy/keycloak.flux-system - Latest image tag for 'quay.io/keycloak/keycloak' updated from 25.0.1 to 25.0.2
2024-07-21T11:00:27.129Z info ImagePolicy/keycloak.flux-system - Latest image tag for 'quay.io/keycloak/keycloak' updated from 25.0.1 to 25.0.2
2024-07-18T07:14:21.271Z info GitRepository/flux-system.flux-system - stored artifact for commit 'quay.io/keycloak/keycloak:25.0.1 -> quay.io/keyclo...'
```
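
Because the automation pushes its commits directly to the main branch with a read-write key, a CI or review step can confirm that a bot commit changed nothing but the tag on marked image lines. This Python check is an added example, not part of the original page or of Flux; audit_diff, the file path and the sample diffs are constructed, and it assumes git diff output.

```python
import re

# Image line with a Flux setter marker, e.g.
#   image: repo/name:tag # {"$imagepolicy": "namespace:policy"}
MARKED = re.compile(
    r'^\s*(?:-\s+)?image:\s*(?P<repo>\S+):(?P<tag>[^\s:/]+)\s+'
    r'#\s*\{"\$imagepolicy":\s*"(?P<policy>[^"]+)"\}\s*$')


def audit_diff(diff_text):
    """Return findings for a `git diff`; an empty list means only the tag
    changed, and only on image lines that carry a marker."""
    removed, added, findings, in_hunk = [], [], [], False
    for line in diff_text.splitlines():
        if line.startswith("@@"):
            in_hunk = True
        elif line.startswith("diff "):
            in_hunk = False  # file headers follow until the next hunk
        elif in_hunk and line.startswith("-"):
            removed.append(line[1:])
        elif in_hunk and line.startswith("+"):
            added.append(line[1:])
    if len(removed) != len(added):
        findings.append("added and removed lines do not pair up")
    for old, new in zip(removed, added):
        o, n = MARKED.match(old), MARKED.match(new)
        if not (o and n):
            findings.append("change outside a marked image line: " + new.strip())
        elif (o["repo"], o["policy"]) != (n["repo"], n["policy"]):
            findings.append("repository or policy changed: " + new.strip())
    return findings


# Constructed diffs (hypothetical file path), not taken from a real repository.
HEADER = ("diff --git a/keycloak/deployment.yaml b/keycloak/deployment.yaml\n"
          "--- a/keycloak/deployment.yaml\n+++ b/keycloak/deployment.yaml\n"
          "@@ -20,3 +20,3 @@\n         - name: keycloak\n")
MARK = ' # {"$imagepolicy": "flux-system:keycloak"}\n'
TAG_ONLY = (HEADER
            + "-          image: quay.io/keycloak/keycloak:25.0.1" + MARK
            + "+          image: quay.io/keycloak/keycloak:25.0.2" + MARK)
WITH_EXTRA = (TAG_ONLY
              + '-          args: ["start"]\n'
              + '+          args: ["start-dev"]\n')

if __name__ == "__main__":
    print(audit_diff(TAG_ONLY))    # tag bump only: no findings
    print(audit_diff(WITH_EXTRA))  # the args change is reported
```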
Caution
Make sure that the deployment update strategy is set to the preferred value, for example RollingUpdate or Recreate.
Since FluxCD will automatically update the image, it is important to have a proper deployment strategy in place to avoid any downtime.