In this tutorial, you add Kustomize configurations that reference Helm charts to your repository and then use Config Sync to sync your cluster to your repository.
Objectives
- Configure your repository with Kustomize configurations that reference an off-the-shelf Helm chart for cert-manager. cert-manager is a tool for Kubernetes that helps you manage your certificates.
- Preview and validate the configs that you create.
- Use Config Sync to automatically render your chart and sync your cluster to your repository.
- Verify that your installation succeeded.
Costs
This tutorial uses the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage,
use the pricing calculator.
When you finish this tutorial, you can avoid continued billing by deleting the resources you created. For more information, see Clean up.
Before you begin
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
- Create, or ensure that you have access to, a cluster that meets the requirements for Config Sync and has a version of 1.9.0 or later.
- Register your cluster to a fleet.
- Install the
nomos
command-line tool. If you've already installed thenomos
tool, make sure you upgrade it to version 1.9.0 or later. - Install Helm.
It's also helpful to have some familiarity with Git, Kustomize, and Helm.
Configure your repository
The following tasks show you how to prepare a Git repository with configs that combine Kustomize configurations with Helm charts:
Create, or make sure you have access to, a Git repository. Since your repository uses Kustomize and Helm, this should be an unstructured repository.
In the root of your Git repository, create a file named
kustomization.yaml
and paste the following code into it:# ./kustomization.yaml resources: - base patches: - path: ignore-deployment-mutation-patch.yaml target: kind: Deployment
This file is a Kustomize overlay that points to the Kustomize base. This overlay includes a patch for the Helm chart base that adds the
client.lifecycle.config.k8s.io/mutation: ignore
annotation to all Deployment objects. The annotation causes Config Sync to ignore any conflicting changes to this object in the cluster after you have created it.In your Git repository, create a directory named
base
:mkdir base
In the
base
directory, create another file namedkustomization.yaml
and paste the following code into it:# ./base/kustomization.yaml helmCharts: - name: cert-manager repo: https://charts.jetstack.io version: v1.5.3 releaseName: my-cert-manager namespace: cert-manager
This file is the Kustomize base, which renders the remote Helm chart.
Navigate back to the root of your Git repository, create a file named
ignore-deployment-mutation-patch.yaml
and paste the following code into it:# ./ignore-deployment-mutation-patch.yaml apiVersion: apps/v1 kind: Deployment metadata: name: any annotations: client.lifecycle.config.k8s.io/mutation: ignore
This file is a patch that is applied to the base Helm chart. It adds the
client.lifecycle.config.k8s.io/mutation: ignore
annotation to all Deployments in the base directory.Commit the changes to your repository:
git add . git commit -m 'Set up manifests.' git push
The Anthos Config Management samples repository has an example of what such a repository would look like.
Preview and validate rendered configs
Before Config Sync renders the configs and syncs them to the cluster, ensure
that the configs are accurate by running nomos hydrate
to preview the rendered
configuration and running nomos vet
to validate that the format is correct.
Run the following
nomos hydrate
with the following flags:nomos hydrate \ --source-format=unstructured \ --output=OUTPUT_DIRECTORY
In this command:
--source-format=unstructured
letsnomos hydrate
work on an unstructured repository. Since you are using Kustomize configurations and Helm charts, you need to use an unstructured repository and add this flag.--output=OUTPUT_DIRECTORY
lets you define a path to the rendered configs. ReplaceOUTPUT_DIRECTORY
with the location that you want the output to be saved in.
Check the syntax and validity of your configs by running
nomos vet
with the following flags:nomos vet \ --source-format=unstructured \ --keep-output=true \ --output=OUTPUT_DIRECTORY
In this command:
--source-format=unstructured
letsnomos vet
work on an unstructured repository.--keep-output=true
saves the rendered configs.--output=OUTPUT_DIRECTORY
is the path to the rendered configs.
Configure syncing from the Git repository
Now that you have created a repository with the configs that you want to use, you can configure syncing from your cluster to your repository.
Console
To configure syncing from the Google Cloud console, complete the following tasks:
In Google Cloud console, go to the Anthos Config Management page.
Select your cluster and click Configure.
In the Git Repository Authentication for ACM drop-down list, select an authentication type.
Follow the instructions in the Google Cloud console to grant Config Sync read-only access to Git and click Continue.
In the ACM settings for your clusters section, complete the following:
- In the Version field, select a version.
- Select the Enable Config Sync checkbox.
In the drop-down list that appears, complete the following:
- In the URL field, add the URL of your Git repository.
You can enter URLs using either the HTTPS or SSH protocol. For
example,
https://github.com/GoogleCloudPlatform/anthos-config-management-samples/
uses the HTTPS protocol. If you don't enter a protocol, the URL is treated as an HTTPS URL. - Optional: In the Branch field, add the branch of the
repository to sync from. The default branch is
master
. - Optional: In the Tag/Commit field, add the Git revision (tag or
hash) to check out. The default is
HEAD
. - Optional: In the Configuration directory field, add the path of the directory to sync from, relative to the root of the Git repository. All sub-directories of the directory that you specify are included and synced to the cluster. The default value is the root directory of the repository.
- Optional: In the Sync wait field, add the period in seconds between consecutive syncs. The default is 15 seconds.
- Optional: In the Git proxy field, enter the URL for the HTTPS proxy to be used when communicating with the Git repository. This is an optional field, and if it's left blank, no proxy is used.
- In the Source format drop-down list, select unstructured. Since your repository is using Helm, you need to use an unstructured repository.
- In the URL field, add the URL of your Git repository.
You can enter URLs using either the HTTPS or SSH protocol. For
example,
Click Done. You are taken back to the Anthos Config Management menu.
gcloud
To configure syncing by using the Google Cloud CLI, complete the following tasks:
Create a file named
apply-spec.yaml
and copy the following YAML file into it:# apply-spec.yaml applySpecVersion: 1 spec: configSync: enabled: true # Since your repository is using Helm, you need to use an unstructured repository. sourceFormat: unstructured syncRepo: REPO syncBranch: BRANCH secretType: TYPE policyDir: "DIRECTORY"
Replace the following:
REPO
: add the URL of your Git repository. You can enter URLs using either the HTTPS or SSH protocol. For example,https://github.com/GoogleCloudPlatform/anthos-config-management-samples/
uses the HTTPS protocol. If you don't enter a protocol, the URL is treated as an HTTPS URL.BRANCH
: the branch of the repository to sync from. The default branch ismaster
.TYPE
: one of the followingSecretTypes
:none
ssh
cookiefile
token
gcenode
If you added a
secretType
other thannone
, grant Config Sync access to your Git repository.DIRECTORY
: the path of the directory to sync from, relative to the root of the Git repository. All sub-directories of the directory that you specify are included and synced to the cluster. The default value is the root directory of the repository.
For example, the following
apply-spec.yaml
file, syncs to the configs in thehelm-component/manifests
directory of the Anthos Config Management samples repository:# apply-spec.yaml applySpecVersion: 1 spec: configSync: enabled: true sourceFormat: unstructured syncRepo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples syncBranch: main secretType: none policyDir: helm-component/manifests
Apply the
apply-spec.yaml
file:gcloud alpha container fleet config-management apply \ --membership=MEMBERSHIP_NAME \ --config=CONFIG_YAML_PATH \ --project=PROJECT_ID
Replace the following:
MEMBERSHIP_NAME
: the membership name that you chose when you registered your cluster. If you registered your cluster using the Google Cloud console, the membership name is the same as the name of your cluster.CONFIG_YAML_PATH
: the path to yourapply-spec.yaml
filePROJECT_ID
: your project ID
Verify the installation
After you have installed and configured Config Sync, you can verify that the installation completed successfully.
Verify that your installation is synced:
Console
In the Google Cloud console, go to the Anthos Config Management page.
View the Status column. A successful installation has a status of Synced.
gcloud
Run the following command:
gcloud alpha container fleet config-management status \ --project=PROJECT_ID
Replace
PROJECT_ID
with your project's ID.A successful installation has a status of
SYNCED
.Verify that there no other errors by using
nomos status
:nomos status
Example output:
*CLUSTER_NAME -------------------- <root> https:/github.com/GoogleCloudPlatform/anthos-config-management-samples.git/helm-component/manifests@init SYNCED fd17dd5a
Verify if the Helm component is successfully installed:
kubectl get all -n cert-manager
Example output:
NAME READY STATUS RESTARTS AGE pod/my-cert-manager-54f5ccf74-wfzs4 1/1 Running 0 10m pod/my-cert-manager-cainjector-574bc8678c-rh7mq 1/1 Running 0 10m pod/my-cert-manager-webhook-7454f4c77d-rkct8 1/1 Running 0 10m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/my-cert-manager ClusterIP 10.76.9.35 <none> 9402/TCP 10m service/my-cert-manager-webhook ClusterIP 10.76.11.205 <none> 443/TCP 10m NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/my-cert-manager 1/1 1 1 10m deployment.apps/my-cert-manager-cainjector 1/1 1 1 10m deployment.apps/my-cert-manager-webhook 1/1 1 1 10m NAME DESIRED CURRENT READY AGE replicaset.apps/my-cert-manager-54f5ccf74 1 1 1 10m replicaset.apps/my-cert-manager-cainjector-574bc8678c 1 1 1 10m replicaset.apps/my-cert-manager-webhook-7454f4c77d 1 1 1 10m
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
Delete the project
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Delete individual resources
Delete the manifests in your repository
In order to help prevent accidental deletion, Config Sync does not let you remove all namespaces or cluster-scoped resources in a single commit. Follow these instructions to gracefully uninstall the component and remove the namespace in separate commits:
Remove the cert-manager component from your repository:
git rm -rf manifests/cert-manager \ && git commit -m "uninstall cert-manager" \ && git push origin BRANCH
Replace
BRANCH
with the branch that you created your repository in.Delete the cert-manager namespace:
git rm manifests/namespace-cert-manager.yaml \ && git commit -m "remove the cert-manager namespace" \ && git push origin BRANCH
Verify that the cert-manager namespace does not exist:
kubectl get namespace cert-namespace
Example output:
Error from server (NotFound): namespaces "cert-namespace" not found
Delete the cluster
To delete the cluster, complete the following commands:
Console
To delete a cluster using the Google Cloud console, complete the following tasks:
In the Google Cloud console, go to the GKE page.
Next to the cluster you want to delete, click more_vert Actions, then click delete Delete.
When prompted to confirm, click Delete again.
gcloud
To delete a cluster using the Google Cloud CLI, run the following command:
gcloud container clusters delete CLUSTER_NAME
For more information, refer to the
gcloud container clusters delete
documentation.
What's next
- See more examples of using a repo with Kustomize configurations and Helm charts.
- Learn more about working with unstructured repositories.
- Explore reference architectures, diagrams, tutorials, and best practices about Google Cloud. Take a look at our Cloud Architecture Center.