Syncing from a Git repository

This quickstart shows you how to get started with Anthos Config Management on a new cluster, using the Anthos Config Management samples repository to bootstrap a cluster with a set of configs. In this quickstart, you do not need write access to the repository. Imagine that a compliance team in your organization is responsible for creating the configs, and that each cluster is required to sync to the repository.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the Anthos API.

    Enable the API

  5. Install and initialize the Cloud SDK.

Cluster setup

GKE users

  1. Create a cluster.

  2. Set up the kubectl command to authenticate to the cluster and create a RoleBinding to make yourself a cluster administrator, using the following commands. Use your cluster name where you see [MY-CLUSTER], and use your Cloud Billing account's email address where you see [USER-ACCOUNT]. Depending on how you configured the gcloud command on your local system, you might need to add the --project and --zone fields.

    gcloud container clusters get-credentials [MY-CLUSTER]
    
    kubectl create clusterrolebinding cluster-admin-binding \
        --clusterrole cluster-admin --user [USER_ACCOUNT]
    

Anthos clusters on VMware users

Anthos Config Management preparation

Complete the following steps, to prepare the tools you need for this quickstart:

  1. If you are using Anthos Config Management for the first time, enable the feature through the Google Cloud Console or using the gcloud command-line tool.

    Console

    To enable Anthos Config Management:

    1. Visit the Anthos Feature page in the Google Cloud Console.

      Visit Anthos Features

    2. In the Config Management row, click Enable.

    3. In the confirmation window, click Enable Config Management.

    gcloud

    To enable Anthos Config Management, run the following command:

     gcloud alpha container hub config-management enable
    
  2. Install the nomos command onto your local system.

  3. If you want to install Config Sync with kubectl, deploy the Config Management Operator onto the cluster you just created.

  4. Register your cluster to an Anthos environ using Connect.

Configure your cluster

You can configure your cluster using the Google Cloud Console, gcloud command-line tool or kubectl.

Console

To configure Anthos Config Management on the Google Cloud Console, complete the following steps:

  1. Visit the Anthos Config Management menu in Google Cloud Console.

    Visit Anthos Config Management menu

  2. Select your registered cluster and click Configure.

  3. In the Git Repository Authentication for ACM section, select None, as the repository in this example is world-readable.

  4. Click Continue.

  5. In the ACM settings for your clusters section, complete the following:

    1. In the Version field, select version 1.7.0 or later for Anthos Config Management, which enables syncing from multiple repositories by default.

    2. Select the Enable Config Sync checkbox.

    3. In the dropdown menu that appears, complete the following:

      1. In the URL field, add https://github.com/GoogleCloudPlatform/anthos-config-management-samples
      2. In the Branch field, add init
      3. Leave the Tag/Commit field blank since we are using the default value of HEAD.
      4. In the Policy directory field, add quickstart/multirepo/root.
      5. In the Source format field, select unstructured. We recommend that you use unstructured format as it lets you organize your configs in the way that is most convenient to you.
      6. Leave all other fields as their default values.
  6. Click Done. You are taken back to the Anthos Config Management menu. After a few minutes, you should see Synced in the status column next to the cluster you configured.

gcloud

Create a file named config-management.yaml and copy the below YAML file into it. We recommend that you enable the ability to sync from multiple repositories for additional functionality. To learn more, see Syncing from multiple repositories. We also recommend that you use unstructured format as it lets you organize your configs in the way that is most convenient to you. Because the repository is world-readable, secretType is set to none. For an explanation of the fields, see Configuration for the Git repository.

  1. Create a file config-management.yaml and copy the following YAML file into it:

    # config-management.yaml
    
    apiVersion: configmanagement.gke.io/v1
    kind: ConfigManagement
    metadata:
      name: config-management
      namespace: config-management-system
    spec:
      # Enable multi-repo mode to use new features
      enableMultiRepo: true
      # Use spec.git for generating a RootSync resource in multi-repo mode
      enableLegacyFields: true
      # Use unstructured format
      sourceFormat: unstructured
      git:
        syncRepo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples
        syncBranch: init
        secretType: none
        policyDir: quickstart/multirepo/root
    
  2. Set a variable:

    export CONFIG_YAML=PATH_TO_CONFIG_YAML

  3. Apply the config-management.yaml file:

     gcloud alpha container hub config-management apply \
         --membership=CLUSTER_NAME \
         --config=$CONFIG_YAML \
         --project=PROJECT_ID
    

    Replace the following:

    • CLUSTER_NAME: add the registered cluster that you want to apply this configuration to.
    • PROJECT_ID: add your project ID.

kubectl

Create a file named config-management.yaml and copy the below YAML file into it. We recommend that you enable the ability to sync to multiple repositories for additional functionality. To learn more, see Syncing from multiple repositories.

# config-management.yaml
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: my-cluster
  # Enable multi-repo mode to use new features
  enableMultiRepo: true

Apply the configuration to your cluster:

kubectl apply -f config-management.yaml

If the command succeeds, Kubernetes updates Anthos Config Management on your cluster to create controllers and CustomResourceDefinitions (CRDs). To verify that the Anthos Config Management is running, wait for the RootSync and RepoSync CRDs to be available:

until kubectl get customresourcedefinitions rootsyncs.configsync.gke.io reposyncs.configsync.gke.io; \
do date; sleep 1; echo ""; done

Output:

NAME                          CREATED AT
rootsyncs.configsync.gke.io   YYYY-MM-DDThh:mm:ssZ
reposyncs.configsync.gke.io   YYYY-MM-DDThh:mm:ssZ

Then create a file with a RootSync custom resource. We recommend that you use unstructured format as it lets you organize your configs in the way that is most convenient to you. Because the repo is world-readable, auth is set to none. For an explanation of the fields, see ConfigManagement fields.

# root-sync.yaml
# If you are using a Config Sync version earlier than 1.7,
# use: apiVersion: configsync.gke.io/v1alpha1
apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
  name: root-sync
  namespace: config-management-system
spec:
  sourceFormat: unstructured
  git:
    repo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples
    branch: init
    dir: quickstart/multirepo/root
    auth: none

Apply the RootSync to your cluster:

kubectl apply -f root-sync.yaml

If the command succeeds, Kubernetes updates Anthos Config Management on your cluster to create the reconcilers and to begin syncing your cluster's configuration from the repository. To verify that the Anthos Config Management is running, list all Pods running in the config-management-system namespace:

kubectl get pods -n config-management-system

Output:

NAME                                       READY   STATUS    RESTARTS   AGE
admission-webhook-7dbc55cbf5-thlnl         1/1     Running   1          89m
admission-webhook-7dbc55cbf5-x54n9         1/1     Running   0          89m
ns-reconciler-gamestore-7478cb7b87-hf6zn   3/3     Running   0          2m37s
reconciler-manager-7cdb699bf8-fns5r        2/2     Running   0          5m29s
root-reconciler-6c7c87b7b7-txptf           3/3     Running   0          4m51s

Check the sync status

You can check if Anthos Config Management successfully syncs all configs to your cluster using the nomos status command.

 nomos status

Output:

*my-cluster
  --------------------
  <root>  https://github.com/GoogleCloudPlatform/anthos-config-management-samples/quickstart/multirepo/root@init
  SYNCED   282a2023
  --------------------
  gamestore   https://github.com/GoogleCloudPlatform/anthos-config-management-samples/quickstart/multirepo/namespaces/gamestore@init
  SYNCED      282a2023

Examine your cluster and repository

The init directory includes ClusterRole, CustomResourceDefinition, configurations for Prometheus Operator for monitoring, Rolebinding, Namespace, and RepoSync. These configs are applied as soon as the Anthos Config Management is configured to read from the repo.

All objects managed by Anthos Config Management have the app.kubernetes.io/managed-by label set to configmanagement.gke.io.

  • List namespaces managed by Anthos Config Management:

    kubectl get ns -l app.kubernetes.io/managed-by=configmanagement.gke.io
    

    Output:

    NAME         STATUS   AGE
    gamestore    Active   58s
    monitoring   Active   58s
    

    Examine the configs that caused these namespaces to be created, such as namespace-gamestore.yaml and acm-monitor/namespace-monitoring.yaml.

  • List ClusterRoles managed by Anthos Config Management:

    kubectl get clusterroles -l app.kubernetes.io/managed-by=configmanagement.gke.io
    

    Output:

    NAME                  CREATED AT
    namespace-reader      YYYY-MM-DDThh:mm:ssZ
    prometheus-acm        YYYY-MM-DDThh:mm:ssZ
    prometheus-operator   YYYY-MM-DDThh:mm:ssZ
    webstore-admin        YYYY-MM-DDThh:mm:ssZ
    

    Examine the ClusterRole configs declaring:

    • clusterrole-namespace-reader.yaml
    • clusterrole-webstore-admin.yaml
  • List RepoSyncs managed by Anthos Config Management:

    kubectl get reposyncs.configsync.gke.io -A -l app.kubernetes.io/managed-by=configmanagement.gke.io
    

    Output:

    NAMESPACE   NAME        SOURCECOMMIT                               SYNCCOMMIT
    gamestore   repo-sync   282a2023cf73ac94e8a85b464ac9f76d209067b0   282a2023cf73ac94e8a85b464ac9f76d209067b0
    

    Examine the RepoSync configs declaring:

    • reposync-gamestore.yaml

You can examine other objects, such as CRDs and Rolebindings, in the same way.

Attempt to manually modify a managed object

Anthos Config Management prevents mutation of managed objects through the admission webhook.

If you attempt to make a conflicting change by manually modifying an Anthos Config Management managed Kubernetes object, you receive an error.

To test this, try to delete the gamestore namespace.

kubectl delete namespace gamestore

Output:

error: admission webhook "v1.admission-webhook.configsync.gke.io" denied the request: requester is not authorized to delete managed resources

Cleaning up

If you want to follow the quickstart for Writing configs for Config Sync, do not clean up yet. This quickstart is a prerequisite for that topic, which also includes instructions for cleaning up.

If you do not want to take the advanced quickstart, you can clean up by deleting the cluster you used for testing.

What's next