Quickstart: Syncing from multiple repositories

In this quickstart, you create a new Google Kubernetes Engine (GKE) cluster and use Config Sync to sync to configs in the Anthos Config Management samples repository.

Imagine that your compliance team is responsible for making sure that everyone in your organization is following internal rules. To enforce these rules, the compliance team has created configs, which they have added to the samples repository. Each cluster in your organization is required to sync to the repository and you are responsible for creating and syncing clusters.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

Preparing your environment

In the following sections you create and configure a cluster that you can use with Config Sync.

Create a cluster

To create a cluster that you can use with Config Sync, complete the following steps:

  1. In the Google Cloud Console, go to the Google Kubernetes Engine page.

  2. Click Create.

  3. In the Standard section, click Configure.

  4. In the Cluster basics section, complete the following:

    1. Enter cs-cluster as the Name for your cluster.
    2. Leave all other fields with their recommended defaults.
  5. In the left-hand menu, click default-pool and in the drop-down list that appears, click Nodes.

  6. In the Nodes section, complete the following:

    1. In the Machine type drop-down list, select e2-standard-4.
    2. Leave all other fields as their default values.
  7. In the left-hand menu, under Cluster, select Security.

  8. In the Security page, select the Enable Workload Identity checkbox.

  9. Click Create. It can take several minutes for your cluster to be created.

Give yourself admin permissions

Once your cluster is created, grant yourself the GKE Hub Admin role, which you need to configure Config Sync in the Google Cloud Console.

  1. In the Cloud Console, go to the IAM page.

  2. Click Add.

  3. In the New members field, enter the email address that you used to register with Google Cloud.

  4. In the Select a role drop-down list, search for and select GKE Hub Admin.

  5. Click Save.

Enable the feature

To enable the feature, complete the following steps:

Anthos

  1. Enable the Anthos API:

    1. In the Google Cloud Console, go to the Anthos API page.

    2. Click Enable.

  2. Enable Anthos Config Management:

    1. In the Google Cloud Console, go to the Anthos Features page.

      1. In the Config Management row, click Enable.
      2. In the confirmation window, click Enable Config Management.

GKE

  1. In the Cloud Console, go to the Config Management page.

  2. Click Set up Config Management.

  3. To enable the Config Management API, click Next. After you click Next, you are taken to the Select registered clusters for Config Management page where you can register your cluster.

Register your cluster

After your cluster is created, register your cluster to a fleet:

Anthos

  1. In the Google Cloud Console, go to the Anthos Clusters page.

  2. Click Register existing cluster.

  3. Next to cs-cluster, click Register.

    Expected output:

    Cluster cs-cluster registered successfully as cs-cluster in project PROJECT_NAME.
    

GKE

  1. In the Select registered clusters for Config Management page, locate the Unregistered clusters from this project table, and find cs-cluster.
  2. Next to cs-cluster, click Register.

    Once the cluster is successfully registered, it appears in the Select registered clusters for Config Management table.

Configuring your cluster

Now that you have created a cluster, you can configure Config Sync to sync to the configs in the quickstart directory of the Anthos Config Management samples repository.

To configure Config Sync on the Google Cloud Console, complete the following steps:

Anthos

  1. In Cloud Console, go to the Anthos Config Management page.

  2. Select cs-cluster and click Configure.

  3. In the Git Repository Authentication for ACM drop-down list, select None and click Continue.

  4. In the ACM settings for your clusters section, complete the following:

    1. In the Version field, select version 1.7.0 or later for Anthos Config Management, which enables syncing from multiple repositories by default.

    2. Select the Enable Config Sync checkbox.

    3. In the drop-down list that appears, complete the following:

      1. In the URL field, add https://github.com/GoogleCloudPlatform/anthos-config-management-samples
      2. In the Branch field, add main
      3. Leave the Tag/Commit field blank since we are using the default value of HEAD.
      4. In the Policy directory field, add quickstart/multirepo/root
      5. Leave Sync wait and Git proxy blank since we are using their default values.
      6. In the Source format drop-down list, select unstructured. We recommend that you use the unstructured format as it lets you organize your configs in the way that is most convenient to you.
  5. Click Done. You are taken back to the Anthos Config Management menu. After a few minutes, you should see Synced in the Config sync status column next to cs-cluster.

GKE

  1. In the Select registered clusters for Config Management table, select cs-cluster and click Next.
  2. In the Config Sync page that appears, select an Anthos Config Management Version of 1.7.0 or later. This version enables syncing from multiple repositories by default.
  3. In the Authentication type drop-down list, select None.
  4. In the URL field, add https://github.com/GoogleCloudPlatform/anthos-config-management-samples
  5. In the Branch field, add main
  6. Leave the Tag/Commit field blank since we are using the default value of HEAD.
  7. In the Policy directory field, add quickstart/multirepo/root
  8. Leave Sync wait and Git proxy blank since we are using their default values.
  9. In the Source format drop-down list, select unstructured. We recommend that you use the unstructured format as it lets you organize your configs in the way that is most convenient to you.
  10. Click Next.
  11. Clear the Enable Policy Controller checkbox and click Complete.

    You are taken back to the Config Management menu. After a few minutes, you should see Synced in the Config sync status column next to cs-cluster.

Now that Config Sync is synced to a repository, it continuously reconciles the state of your clusters with the configs in the repository.

Exploring the Config Sync installation

In the following sections, you use Cloud Shell to explore your Config Sync installation.

Open Cloud Shell

To launch Cloud Shell, complete the following steps:

  1. Go to Google Cloud Console.

  2. From the upper-right corner of the console, click the Activate Cloud Shell button.

    A Cloud Shell session opens inside a frame lower on the console. Use this shell to run gcloud, nomos, and kubectl commands.

  3. To use the commands in the following sections, configure kubectl command line access by running the following command:

    gcloud container clusters get-credentials cs-cluster \
        --zone ZONE \
        --project PROJECT_ID
    

    Replace the following:

    • ZONE: the zone that you created your cluster in
    • PROJECT_ID: your project ID

    Expected output:

    Fetching cluster endpoint and auth data.
    kubeconfig entry generated for cs-cluster.
    

Examine your cluster and repository

The quickstart directory includes configs for a ClusterRole, a CustomResourceDefinition, the Prometheus Operator (for monitoring), a RoleBinding, a Namespace, and a RepoSync. These configs are applied as soon as Config Sync is configured to read from the repository.

All objects managed by Config Sync have the app.kubernetes.io/managed-by label set to configmanagement.gke.io.

To list namespaces managed by Config Sync, run the following command:

kubectl get ns -l app.kubernetes.io/managed-by=configmanagement.gke.io

Expected output:

NAME         STATUS   AGE
gamestore    Active   58s
monitoring   Active   58s

You can navigate to the /quickstart/multirepo/ folder of the Anthos Config Management repository in GitHub to explore the configs that caused these namespaces to be created.

You can examine other objects, such as ClusterRoles, RepoSyncs, CRDs, and RoleBindings, in the same way.

Attempt to manually modify a managed object

Config Sync uses an admission webhook to prevent mutation of managed objects.

If you attempt to make a conflicting change by manually modifying a Config Sync managed Kubernetes object, you receive an error.

To test this, try to delete the gamestore namespace.

kubectl delete namespace gamestore

Expected output:

error: admission webhook "v1.admission-webhook.configsync.gke.io" denied the request: requester is not authorized to delete managed resources
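
The same check, extended to every namespace that Config Sync manages, as an added example that is not part of the original quickstart: it sends a server-side dry-run delete (nothing is removed) and reports whether the denial came from the Config Sync admission webhook rather than from some other control. The function names are illustrative, and the script assumes the API server invokes the webhook on dry-run requests.

```shell
#!/usr/bin/env bash
# Added example: confirm the Config Sync admission webhook guards managed namespaces.
WEBHOOK="v1.admission-webhook.configsync.gke.io"           # name from the error shown above
LABEL="app.kubernetes.io/managed-by=configmanagement.gke.io"

# Succeeds only if the text is a denial issued by the Config Sync webhook.
is_webhook_denial() {
  case "$1" in
    *"admission webhook \"$WEBHOOK\" denied the request"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints "<namespace> PROTECTED|UNPROTECTED|ERROR ..." for each managed namespace.
# Returns 0 if all are protected, 1 if any is not, 2 if no managed namespace exists.
audit_managed_namespaces() {
  local ns out rc found
  rc=0
  found=0
  for ns in $(kubectl get ns -l "$LABEL" -o name); do
    found=1
    ns=${ns#namespace/}
    # --dry-run=server runs admission control but persists nothing.
    if out=$(kubectl delete namespace "$ns" --dry-run=server 2>&1); then
      echo "$ns UNPROTECTED"      # the delete would have been accepted
      rc=1
    elif is_webhook_denial "$out"; then
      echo "$ns PROTECTED"
    else
      # For example an RBAC denial, which says nothing about the webhook itself.
      echo "$ns ERROR $out"
      rc=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "no managed namespaces found"
    return 2
  fi
  return "$rc"
}
```

Source the file in Cloud Shell after running get-credentials, then call `audit_managed_namespaces`; a non-zero exit status means at least one managed namespace was not denied by the webhook.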

Cleaning up

If you want to follow the tutorial for Writing configs for Config Sync, do not clean up yet. This quickstart is a prerequisite for that tutorial, which also includes instructions for cleaning up.

If you do not want to take that tutorial, you can clean up by deleting the cluster that you used for this tutorial:

  1. Go to the GKE menu in Cloud Console.

  2. Next to cs-cluster, click Actions, then click Delete.

  3. When prompted to confirm, click Delete again.

What's next