You're viewing documentation for Anthos Config Management 1.8. You can continue using this version, or use the current version.

Using Config Sync with Helm

Helm is a tool that helps you manage your Kubernetes installations and cert-manager is a tool for Kubernetes that helps you manage your certificates. In this tutorial, you add the Helm template for cert-manager to your repository and then use Config Sync to sync a cluster to your repository.

Objectives

  • Learn how to use helm template to render manifests.
  • Learn how to use Config Sync to install an off-the-shelf Helm component.

Costs

This tutorial uses the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

When you finish this tutorial, you can avoid continued billing by deleting the resources you created. For more information, see Cleaning up.

New Google Cloud users might be eligible for a free trial.

Before you begin

  1. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  2. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  3. Create or have access to a cluster that meets the requirements for Config Sync.
  4. Register your cluster to an Anthos fleet.
  5. Install Helm to render the manifests.
  6. Install the nomos command.

It's also helpful to have some familiarity with Git.

Using helm template to render manifests.

The following tasks show you how to prepare a Git repository so you can use helm template to add cert-manager manifests to the repository:

  1. Create, or have access to, a Git repository.

  2. In your Git repository, create a directory named manifests that can contain the configs that you want to sync to and add a README.md file in the directory:

    mkdir manifests && touch manifests/README.md
    
  3. In the manifests directory, create a file named namespace-cert-manager.yaml and paste the following text into it:

    # manifests/namespace-cert-manager.yaml
    apiVersion: v1
    kind: Namespace
    metadata:
     name: cert-manager
    

    This file creates a namespace called cert-manager where you can deploy the cert-manager chart.

  4. Render the cert-manager manifests to your repository by using helm template:

    1. Add the Helm chart repository:

      helm repo add cert-manager https://charts.jetstack.io
      
    2. In your local directory, download the chart and unpack it:

      helm pull cert-manager/cert-manager --version 1.3.0 --untar
      
    3. Render the template and write the rendered manifests into the manifests directory:

      helm template my-cert-manager cert-manager --namespace cert-manager --output-dir manifests
      
  5. Commit the changes to your repository:

    git add .
    git commit -m 'Set up cert-manager manifests.'
    git push
    

You can now return to your repository and explore the cert-manager manifests. The Anthos Config Management samples repository has an example of what such a repository would look like.

Configuring syncing from the Git repository

Now that you have created a repository with the configs that you want to use, you can configure syncing from your cluster to your repository.

Console

To configure syncing from the Google Cloud Console, complete the following tasks:

  1. In Google Cloud Console, go to the Anthos Config Management page.

    Go to Anthos Config Management

  2. Select your cluster and click Configure.

  3. In the Git Repository Authentication for ACM drop-down list, select an authentication type.

  4. Follow the instructions in the Google Cloud Console to grant Config Sync read-only access to Git and click Continue.

  5. In the ACM settings for your clusters section, complete the following:

    1. In the Version field, select a version.
    2. Select the Enable Config Sync checkbox.
    3. In the drop-down list that appears, complete the following:

      1. In the URL field, add the URL of your Git repository. You can enter URLs using either the HTTPS or SSH protocol. For example, https://github.com/GoogleCloudPlatform/csp-config-management/ uses the HTTPS protocol. If you don't enter a protocol, the URL is treated as an HTTPS URL.
      2. (Optional): In the Branch field, add the branch of the repository to sync from. The default branch is master.
      3. (Optional): In the Tag/Commit field, add the Git revision (tag or hash) to check out. The default is HEAD.
      4. (Optional): In the Policy directory field, add the path within the repository to the top of the policy hierarchy to sync. The default is the root directory of the repository.
      5. (Optional): In the Sync wait field, add the period in seconds between consecutive syncs. The default is 15 seconds.
      6. (Optional): In the Git proxy field, enter the URL for the HTTPS proxy to be used when communicating with the Git repository. This is an optional field, and if it's left blank, no proxy is used.
      7. In the Source format drop-down list, select unstructured. Since your repository is using Helm, you need to use an unstructured repository.
  6. Click Done. You are taken back to the Anthos Config Management menu.

gcloud

To configure syncing by using the gcloud command-line tool, complete the following tasks:

  1. Create a file named apply-spec.yaml and copy the following YAML file into it:

    # apply-spec.yaml
    
    applySpecVersion: 1
    spec:
      configSync:
        enabled: true
        # Since your repository is using Helm, you need to use an unstructured repository.
        sourceFormat: unstructured
        syncRepo: REPO
        syncBranch: BRANCH
        secretType: TYPE
        policyDir: "DIRECTORY"
    

    Replace the following:

    • REPO: add the URL of your Git repository. You can enter URLs using either the HTTPS or SSH protocol. For example, https://github.com/GoogleCloudPlatform/csp-config-management/ uses the HTTPS protocol. If you don't enter a protocol, the URL is treated as an HTTPS URL.
    • BRANCH: the branch of the repository to sync from. The default branch is master.
    • TYPE: one of the following SecretTypes:

      • none
      • ssh
      • cookiefile
      • token
      • gcenode

      If you added a secretType other than none, grant Config Sync access to your Git repository.

    • DIRECTORY: the path in the Git repository to the root directory that contains the configuration that you want to sync to. The default is the root directory of the repository.

    For example, the following apply-spec.yaml file, syncs to the configs in the helm-component/manifests directory of the Anthos Config Management samples repository:

    # apply-spec.yaml
    
    applySpecVersion: 1
    spec:
      configSync:
        enabled: true
        sourceFormat: unstructured
        syncRepo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples
        syncBranch: main
        secretType: none
        policyDir: helm-component/manifests
    
  2. Apply the apply-spec.yaml file:

     gcloud alpha container hub config-management apply \
         --membership=MEMBERSHIP_NAME \
         --config=CONFIG_YAML_PATH \
         --project=PROJECT_ID
    

    Replace the following:

    • MEMBERSHIP_NAME: the membership name that you chose when you registered your cluster. If you registered your cluster using the Google Cloud Console, the membership name is the same as the name of your cluster.
    • CONFIG_YAML_PATH: the path to your apply-spec.yaml file
    • PROJECT_ID: your project ID

Verifying the installation

After you have installed and configured Config Sync, you can verify that the installation completed successfully.

  1. Verify that your installation is synced:

    Console

    1. In the Cloud Console, go to the Anthos Config Management page.

      Go to Anthos Config Management

    2. View the Status column. A successful installation has a status of Synced.

    gcloud

    Run the following command:

    gcloud alpha container hub config-management status \
        --project=PROJECT_ID
    

    Replace PROJECT_ID with your project's ID.

    A successful installation has a status of SYNCED.

  2. Verify that there no other errors by using nomos status:

    nomos status
    

    Example output:

    *CLUSTER_NAME
    --------------------
    <root>   https:/github.com/GoogleCloudPlatform/anthos-config-management-samples.git/helm-component/manifests@init
    SYNCED   fd17dd5a
    
  3. Verify if the Helm component is successfully installed:

    kubectl get all -n cert-manager
    

    Example output:

    NAME                                              READY   STATUS    RESTARTS   AGE
    pod/my-cert-manager-54f5ccf74-wfzs4               1/1     Running   0          10m
    pod/my-cert-manager-cainjector-574bc8678c-rh7mq   1/1     Running   0          10m
    pod/my-cert-manager-webhook-7454f4c77d-rkct8      1/1     Running   0          10m
    
    NAME                              TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
    service/my-cert-manager           ClusterIP   10.76.9.35     <none>        9402/TCP   10m
    service/my-cert-manager-webhook   ClusterIP   10.76.11.205   <none>        443/TCP    10m
    
    NAME                                         READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/my-cert-manager              1/1     1            1           10m
    deployment.apps/my-cert-manager-cainjector   1/1     1            1           10m
    deployment.apps/my-cert-manager-webhook      1/1     1            1           10m
    
    NAME                                                    DESIRED   CURRENT   READY   AGE
    replicaset.apps/my-cert-manager-54f5ccf74               1         1         1       10m
    replicaset.apps/my-cert-manager-cainjector-574bc8678c   1         1         1       10m
    replicaset.apps/my-cert-manager-webhook-7454f4c77d      1         1         1       10m
    

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

  1. In the Cloud Console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete individual resources

Delete the manifests in your repository

In order to help prevent accidental deletion, Config Sync does not let you remove all namespaces or cluster-scoped resources in a single commit. Follow these instructions to gracefully uninstall the component and remove the namespace in separate commits:

  1. Remove the cert-manager component from your repository:

    git rm -rf manifests/cert-manager \
        && git commit -m "uninstall cert-manager" \
        && git push origin BRANCH
    

    Replace BRANCH with the branch that you created your repository in.

  2. Delete the cert-manager namespace:

    git rm manifests/namespace-cert-manager.yaml \
        && git commit -m "remove the cert-manager namespace" \
        && git push origin BRANCH
    
  3. Verify that the cert-manager namespace does not exist:

    kubectl get namespace cert-namespace
    

    Example output:

    Error from server (NotFound): namespaces "cert-namespace" not found
    

Delete the cluster

To delete the cluster, complete the following commands:

Console

To delete a cluster using the Cloud Console, complete the following tasks:

  1. In the Cloud Console, go to the GKE page.

    Go to GKE

  2. Next to the cluster you want to delete, click Actions, then click Delete.

  3. When prompted to confirm, click Delete again.

gcloud

To delete a cluster using the gcloud command-line tool, run the following command:

gcloud container clusters delete CLUSTER_NAME

For more information, refer to the gcloud container clusters delete documentation.

What's next