Syncing from multiple repositories
In this tutorial, you create a new Google Kubernetes Engine (GKE) cluster and use Config Sync to sync to configs in the Anthos Config Management samples repository.
Imagine that your compliance team is responsible for making sure that everyone in your organization is following internal rules. To enforce these rules, the compliance team has created configs, which they have added to the samples repository. Each cluster in your organization is required to sync to the repository and you are responsible for creating and syncing clusters.
Before you begin
-
Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
Prepare your environment
In the following sections, you create and configure a cluster that you can use with Config Sync.
Create a cluster
To create a cluster that you can use with Config Sync, complete the following steps:
In the Google Cloud console, go to the Google Kubernetes Engine page.
If you're using GKE for the first time, click Enable to enable the Kubernetes Engine API.
Click add_box Create.
In the Standard section, click Configure.
In the Cluster basics section, add
cs-cluster
in the Name field and leave all other fields with their recommended defaults.In the left-hand menu, under Cluster, select Security.
In the Security page, select the Enable Workload Identity checkbox and leave all other fields with their default values.
Click Create. It can take several minutes for your cluster to be created.
Give yourself admin permissions
After creating your cluster, grant yourself the GKE Hub Admin.
In the Google Cloud console, go to the IAM page.
Click Add.
In the New principals field, enter the email address that you used to register with Google Cloud.
In the Select a role drop-down list, search for and select GKE Hub Admin.
Click Save.
Enable Anthos Config Management
To enable Anthos Config Management, complete the following steps:
In the Google Cloud console, go to the Config Management page.
Click Set up Config Management.
To enable the Config Management API, click Next. After you click Next, you are taken to the Select registered clusters for Config Management page where you can register your cluster.
Register your cluster
After your cluster is created, register your cluster to a fleet:
- In the Select registered clusters for Config Management page, locate
the Unregistered clusters from this project table, and find
cs-cluster
. Next to
cs-cluster
, click Register.Once the cluster is successfully registered, it appears in the Select registered clusters for Config Management table.
Configure your cluster
Now that you have created a cluster, you can configure Config Sync to sync
to the configs in the config-sync-quickstart
directory
of the Anthos Config Management samples repository.
To configure Config Sync on the Google Cloud console, complete the following steps:
- In the Select registered clusters for Config Management table, select
cs-cluster
and click Next. - In the Config Sync page that appears, select an Anthos Config Management Version of 1.7.0 or later. This version enables syncing from multiple repositories by default.
- Leave the Enable Config sync checkbox enabled.
- In the URL field, add
https://github.com/GoogleCloudPlatform/anthos-config-management-samples
- In the Authentication type drop-down list, select None.
- In the Branch field, add
main
- Leave the Tag/Commit field blank since we are using the default
value of
HEAD
. - In the Configuration directory field, add
config-sync-quickstart/multirepo/root
- Leave Sync wait and Git proxy blank since we are using
their default values of 15 seconds and
HTTPS
respectively. - In the Source format drop-down list, select unstructured. We recommend that you use the unstructured format as it lets you organize your configs in the way that is most convenient to you.
- Click Next.
Clear the Enable Policy Controller checkbox and click Complete.
You are taken back to the Config Management menu. After a few minutes, you should see Synced in the Config sync status column next to
cs-cluster
.
Now that Config Sync is synced to a repository, it continuously reconciles the state of your clusters with the configs in the repository.
Explore and test the Config Sync installation
In the following sections, you use Cloud Shell to explore your Config Sync installation and then try to modify a managed objec.
Open Cloud Shell
To launch Cloud Shell, complete the following commands:
Go to Google Cloud console.
From the upper-right corner of the console, click the Activate Cloud Shell button:
A Cloud Shell session opens inside a frame lower on the console. Use this shell to run
gcloud
,nomos
, andkubectl
commands.To use the commands in the following sections, configure
kubectl
command-line access by running the following command:gcloud container clusters get-credentials cs-cluster \ --zone ZONE \ --project PROJECT_ID
Replace the following:
ZONE
: the zone that you created your cluster inPROJECT_ID
: your project ID
Expected output:
Fetching cluster endpoint and auth data. kubeconfig entry generated for cs-cluster.
Examine your cluster and repository
The config-sync-quickstart
directory includes ClusterRole,
CustomResourceDefinition, configurations for Prometheus
Operator for monitoring, Rolebinding, Namespace, and RepoSync.
These configs are applied as soon as the Config Sync is configured to
read from the repo.
All objects managed by Config Sync have the
app.kubernetes.io/managed-by
label set to configmanagement.gke.io
.
To list namespaces managed by Config Sync, run the following command:
kubectl get ns -l app.kubernetes.io/managed-by=configmanagement.gke.io
Expected output:
NAME STATUS AGE
gamestore Active 58s
monitoring Active 58s
You can navigate to the /config-sync-quickstart/multirepo/ folder of the Anthos Config Management repository in GitHub to explore the configs that caused these namespaces to be created.
You can examine other objects, such as ClusterRole, Reposyncs, CRDs, and Rolebindings, in the same way.
Attempt to manually modify a managed object
Config Sync prevents mutation of managed objects through the admission webhook.
If you attempt to make a conflicting change by manually modifying a Config Sync managed Kubernetes object, you receive an error.
To test this behavior, try to delete the gamestore
namespace:
kubectl delete namespace gamestore
Expected output:
error: admission webhook "v1.admission-webhook.configsync.gke.io" denied the request: requester is not authorized to delete managed resources
Clean up
If you want to follow the tutorial for Writing configs for Config Sync, do not clean up yet. This quickstart is a prerequisite for that tutorial, which also includes instructions for cleaning up.
If you do not want to complete that tutorial, you can clean up by deleting the cluster that you used for this tutorial:
Go to the GKE menu in Google Cloud console.
Next to the
cs-cluster
, click more_vert Actions, then click delete Delete.When prompted to confirm, click Delete again.
What's next
- Work through the tutorial about writing, testing, and syncing configs.
- Learn more about configs.
- Learn about validating configs.