Quickstart: Syncing from multiple repositories

In this quickstart, you create a new Google Kubernetes Engine (GKE) cluster and use Config Sync to sync to configs in the Anthos Config Management samples repository.

Imagine that your compliance team is responsible for making sure that everyone in your organization is following internal rules. To enforce these rules, the compliance team has created configs, which they have added to the samples repository. Each cluster in your organization is required to sync to the repository and you are responsible for creating and syncing clusters.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

Prepare your environment

In the following sections, you create and configure a cluster that you can use with Config Sync.

Create a cluster

To create a cluster that you can use with Config Sync, complete the following steps:

  1. In the Google Cloud Console, go to the Google Kubernetes Engine page.

    Go to Google Kubernetes Engine

  2. Click Create.

  3. In the Standard section, click Configure.

  4. In the Cluster basics section, complete the following:

    1. Enter cs-cluster as the Name for your cluster.
    2. Leave all other fields with their recommended defaults.
  5. In the left-hand menu, click default-pool and in the drop-down list that appears, click Nodes.

  6. In the Nodes section, complete the following:

    1. In the Machine type drop-down list, select e2-standard-4.
    2. Leave all other fields as their default values.
  7. In the left-hand menu, under Cluster, select Security.

  8. In the Security page, select the Enable Workload Identity checkbox.

  9. Click Create. It can take several minutes for your cluster to be created.

Give yourself admin permissions

After creating your cluster, grant yourself the GKE Hub Admin role that you need to use Config Sync in the Google Cloud Console.

  1. In the Cloud Console, go to the IAM page.

    Go to IAM

  2. Click Add.

  3. In the New principals field, enter the email address that you used to register with Google Cloud.

  4. In the Select a role drop-down list, search for and select GKE Hub Admin.

  5. Click Save.

Enable Anthos Config Management

To enable Anthos Config Management, complete the following steps:

  1. In the Cloud Console, go to the Config Management page.

    Go to Config Management

  2. Click Set up Config Management.

  3. To enable the Config Management API, click Next. After you click Next, you are taken to the Select registered clusters for Config Management page where you can register your cluster.

Register your cluster

After your cluster is created, register your cluster to a fleet:

  1. In the Select registered clusters for Config Management page, locate the Unregistered clusters from this project table, and find cs-cluster.
  2. Next to cs-cluster, click Register.

    Once the cluster is successfully registered, it appears in the Select registered clusters for Config Management table.

Configure your cluster

Now that you have created a cluster, you can configure Config Sync to sync to the configs in the quickstart directory of the Anthos Config Management samples repository.

To configure Config Sync on the Google Cloud Console, complete the following steps:

  1. In the Select registered clusters for Config Management table, select cs-cluster and click Next.
  2. In the Config Sync page that appears, select an Anthos Config Management Version of 1.7.0 or later. This version enables syncing from multiple repositories by default.
  3. Leave the Enable Config sync checkbox enabled.
  4. In the URL field, add https://github.com/GoogleCloudPlatform/anthos-config-management-samples
  5. In the Authentication type drop-down list, select None.
  6. In the Branch field, add main
  7. Leave the Tag/Commit field blank since we are using the default value of HEAD.
  8. In the Policy directory field, add quickstart/multirepo/root
  9. Leave Sync wait and Git proxy blank since we are using their default values of 15 seconds and HTTPS respectively.
  10. In the Source format drop-down list, select unstructured. We recommend that you use the unstructured format as it lets you organize your configs in the way that is most convenient to you.
  11. Click Next.
  12. Clear the Enable Policy Controller checkbox and click Complete.

    You are taken back to the Config Management menu. After a few minutes, you should see Synced in the Config sync status column next to cs-cluster.

Now that Config Sync is synced to a repository, it continuously reconciles the state of your clusters with the configs in the repository.
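The console form above maps directly onto a RootSync object, which is how the same settings are expressed when Config Sync is managed declaratively rather than through the console. The following Python script is an added example, not code from this page or from the Anthos Config Management samples project. It builds that object from the quickstart's repository, branch and policy directory and prints it for `kubectl apply -f -`, and it includes a check that classifies a RootSync fetched from the cluster as synced, pending or in error, run here against a constructed status. The RootSync schema (`configsync.gke.io/v1beta1`, `spec.sourceFormat`, `spec.git.repo/branch/dir/auth/period`), the `root-sync` name in `config-management-system`, and the `status.source.commit`, `status.sync.commit` and `status.sync.errors` field names are assumptions drawn from the Config Sync API, not from this page.

```python
import json
import sys

# Values taken from the quickstart's console form above.
REPO = "https://github.com/GoogleCloudPlatform/anthos-config-management-samples"
BRANCH = "main"
POLICY_DIR = "quickstart/multirepo/root"


def rootsync_manifest(repo=REPO, branch=BRANCH, policy_dir=POLICY_DIR,
                      period_seconds=15, source_format="unstructured"):
    """Return the RootSync object equivalent to the console settings.

    Assumption: the RootSync schema (configsync.gke.io/v1beta1 with
    spec.sourceFormat and spec.git.{repo,branch,dir,auth,period}) and the
    conventional root-sync name in the config-management-system namespace.
    """
    if source_format not in ("unstructured", "hierarchy"):
        raise ValueError("sourceFormat must be 'unstructured' or 'hierarchy'")
    if period_seconds <= 0:
        raise ValueError("period must be a positive number of seconds")
    return {
        "apiVersion": "configsync.gke.io/v1beta1",
        "kind": "RootSync",
        "metadata": {"name": "root-sync", "namespace": "config-management-system"},
        "spec": {
            "sourceFormat": source_format,
            "git": {
                "repo": repo,
                "branch": branch,                # Tag/Commit left at the default HEAD
                "dir": policy_dir,               # "Policy directory"
                "auth": "none",                  # public repository, no credentials
                "period": f"{period_seconds}s",  # "Sync wait"
            },
        },
    }


def sync_state(rootsync):
    """Classify a RootSync object as returned by `kubectl get ... -o json`.

    Returns "synced" when the last fetched commit equals the last applied
    commit and no sync errors are reported, "error" when errors are present,
    and "pending" otherwise. Assumption: the status.source.commit,
    status.sync.commit and status.sync.errors field names.
    """
    status = rootsync.get("status") or {}
    source_commit = (status.get("source") or {}).get("commit")
    sync = status.get("sync") or {}
    if sync.get("errors"):
        return "error"
    if source_commit and sync.get("commit") == source_commit:
        return "synced"
    return "pending"


# Constructed sample: a RootSync whose fetched and applied commits agree.
SAMPLE_SYNCED = {
    "kind": "RootSync",
    "status": {
        "source": {"commit": "0123456789abcdef0123456789abcdef01234567"},
        "sync": {"commit": "0123456789abcdef0123456789abcdef01234567", "errors": []},
    },
}

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "status":
        # kubectl get rootsync root-sync -n config-management-system -o json \
        #     | python3 rootsync.py status
        print(sync_state(json.load(sys.stdin)))
    else:
        # python3 rootsync.py | kubectl apply -f -   (kubectl accepts JSON input)
        print(json.dumps(rootsync_manifest(), indent=2))
```

Apply the RootSync yourself only on a cluster where you manage the root repository declaratively; when the console (the ConfigManagement operator) owns the RootSync, as in this quickstart, edit the settings there instead, and use the `status` mode only to read the state the operator reports.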

Explore and test the Config Sync installation

In the following sections, you use Cloud Shell to explore your Config Sync installation and then try to modify a managed object.

Open Cloud Shell

To launch Cloud Shell, complete the following steps:

  1. Go to Google Cloud Console.

    Go to Google Cloud Console

  2. From the upper-right corner of the console, click the Activate Cloud Shell button:

    A Cloud Shell session opens inside a frame lower on the console. Use this shell to run gcloud, nomos, and kubectl commands.

  3. To use the commands in the following sections, configure kubectl command-line access by running the following command:

    gcloud container clusters get-credentials cs-cluster \
        --zone ZONE \
        --project PROJECT_ID

    Replace the following:

    • ZONE: the zone that you created your cluster in
    • PROJECT_ID: your project ID

    Expected output:

    Fetching cluster endpoint and auth data.
    kubeconfig entry generated for cs-cluster.

Examine your cluster and repository

The quickstart directory includes ClusterRole, CustomResourceDefinition, Prometheus Operator configurations for monitoring, RoleBinding, Namespace, and RepoSync configs. These configs are applied as soon as Config Sync is configured to read from the repository.

All objects managed by Config Sync have the app.kubernetes.io/managed-by label set to configmanagement.gke.io.

To list namespaces managed by Config Sync, run the following command:

kubectl get ns -l app.kubernetes.io/managed-by=configmanagement.gke.io

Expected output:

gamestore    Active   58s
monitoring   Active   58s

You can navigate to the /quickstart/multirepo/ folder of the Anthos Config Management repository in GitHub to explore the configs that caused these namespaces to be created.

You can examine other objects, such as ClusterRoles, RepoSyncs, CRDs, and RoleBindings, in the same way.

Attempt to manually modify a managed object

Config Sync prevents mutation of managed objects through the admission webhook.

If you attempt to make a conflicting change by manually modifying a Config Sync managed Kubernetes object, you receive an error.

To test this behaviour, try to delete the gamestore namespace.

kubectl delete namespace gamestore

Expected output:

error: admission webhook "v1.admission-webhook.configsync.gke.io" denied the request: requester is not authorized to delete managed resources
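The denial above is the control working; from a defender's point of view the two things worth watching in the cluster's audit log are how often that denial fires and, more importantly, whether any write to a Config Sync managed object ever gets through from someone other than the reconciler (for example while the webhook is unavailable), since such an object has then drifted from the repository. The following Python script is an added example, not code from this page or from the Config Sync project: it builds an inventory of managed objects from `kubectl get <resource> -o json` output using the managed-by label described above, then scans Kubernetes audit events (one JSON object per line) and reports denied attempts at "info" and successful writes to managed objects at "high". The audit events and namespace listing are constructed samples; the reconciler service account name (`system:serviceaccount:config-management-system:root-reconciler`) is an assumption, not something this page states.

```python
import json

WEBHOOK = "admission-webhook.configsync.gke.io"
MANAGED_BY_LABEL = "app.kubernetes.io/managed-by"
MANAGED_BY_VALUE = "configmanagement.gke.io"
WRITE_VERBS = {"create", "update", "patch", "delete"}

# Assumption: Config Sync's root reconciler writes as this service account;
# its own reconciliation writes are expected and are not reported.
RECONCILER_USERS = {"system:serviceaccount:config-management-system:root-reconciler"}


def managed_objects(resource, kubectl_list):
    """Return {(resource, name)} for the items of a `kubectl get <resource> -o json`
    list that carry the Config Sync managed-by label."""
    managed = set()
    for item in kubectl_list.get("items", []):
        meta = item.get("metadata", {})
        if meta.get("labels", {}).get(MANAGED_BY_LABEL) == MANAGED_BY_VALUE:
            managed.add((resource, meta["name"]))
    return managed


def classify_events(audit_lines, managed):
    """Scan JSON audit events (one per line) for writes touching managed objects.

    A write denied by the Config Sync webhook is reported at "info". A write to
    a managed object that succeeded from anyone other than the reconciler is
    reported at "high": the object now differs from the repository."""
    findings = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Only the final stage carries the response; skip RequestReceived duplicates.
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS:
            continue
        user = ev.get("user", {}).get("username", "")
        if user in RECONCILER_USERS:
            continue
        ref = ev.get("objectRef", {})
        key = (ref.get("resource"), ref.get("name"))
        resp = ev.get("responseStatus", {})
        code = resp.get("code")
        if code == 403 and WEBHOOK in resp.get("message", ""):
            findings.append({"severity": "info", "user": user, "verb": ev["verb"],
                             "object": key, "reason": "denied by Config Sync webhook"})
        elif key in managed and code is not None and 200 <= code < 300:
            findings.append({"severity": "high", "user": user, "verb": ev["verb"],
                             "object": key,
                             "reason": "write to managed object succeeded outside Config Sync"})
    return findings


# Constructed inventory shaped like `kubectl get ns -o json`: the two namespaces
# the quickstart creates, plus one that Config Sync does not manage.
SAMPLE_NAMESPACES = {"items": [
    {"kind": "Namespace", "metadata": {"name": "gamestore", "labels": {MANAGED_BY_LABEL: MANAGED_BY_VALUE}}},
    {"kind": "Namespace", "metadata": {"name": "monitoring", "labels": {MANAGED_BY_LABEL: MANAGED_BY_VALUE}}},
    {"kind": "Namespace", "metadata": {"name": "scratch", "labels": {}}},
]}

# Constructed audit events: the denied delete from the test above, the same
# request's RequestReceived stage, a reconciler update, a patch that got
# through to a managed namespace, and a patch to an unmanaged one.
DENIAL = ('admission webhook "v1.admission-webhook.configsync.gke.io" denied the request: '
          'requester is not authorized to delete managed resources')
SAMPLE_AUDIT = [
    json.dumps({"stage": "RequestReceived", "verb": "delete", "user": {"username": "alice@example.com"},
                "objectRef": {"resource": "namespaces", "name": "gamestore"}}),
    json.dumps({"stage": "ResponseComplete", "verb": "delete", "user": {"username": "alice@example.com"},
                "objectRef": {"resource": "namespaces", "name": "gamestore"},
                "responseStatus": {"code": 403, "message": DENIAL}}),
    json.dumps({"stage": "ResponseComplete", "verb": "update",
                "user": {"username": "system:serviceaccount:config-management-system:root-reconciler"},
                "objectRef": {"resource": "namespaces", "name": "gamestore"},
                "responseStatus": {"code": 200}}),
    json.dumps({"stage": "ResponseComplete", "verb": "patch", "user": {"username": "bob@example.com"},
                "objectRef": {"resource": "namespaces", "name": "monitoring"},
                "responseStatus": {"code": 200}}),
    json.dumps({"stage": "ResponseComplete", "verb": "patch", "user": {"username": "bob@example.com"},
                "objectRef": {"resource": "namespaces", "name": "scratch"},
                "responseStatus": {"code": 200}}),
]


def run_sample():
    """Run the classifier over the constructed samples."""
    return classify_events(SAMPLE_AUDIT, managed_objects("namespaces", SAMPLE_NAMESPACES))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['user']} {f['verb']} {f['object'][0]}/{f['object'][1]}: {f['reason']}")
```

On a real cluster, feed the script the audit log exported for the cluster and an inventory built per resource type (namespaces, clusterroles, rolebindings, and so on), and treat any "high" finding as drift to reconcile rather than a one-off event.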

Clean up

If you want to follow the tutorial for Writing configs for Config Sync, do not clean up yet. This quickstart is a prerequisite for that tutorial, which also includes instructions for cleaning up.

If you do not want to complete that tutorial, you can clean up by deleting the cluster that you used for this tutorial:

  1. Go to the GKE menu in Cloud Console.

    Go to GKE

  2. Next to the cs-cluster, click Actions, then click Delete.

  3. When prompted to confirm, click Delete again.

What's next