Configure Config Sync with kubectl commands

This page explains how to configure Config Sync using kubectl commands after you've installed Config Sync using the Google Cloud console or Google Cloud CLI.

While you can make many configuration changes using the console or CLI, you need to use kubectl commands to override some Config Sync defaults, to control SSL certificate verification, and to use a certificate authority.

Create and edit the RootSync configuration file

To configure Config Sync using kubectl commands, you edit a RootSync object by creating a YAML file.

When you install Config Sync using the Google Cloud console or Google Cloud CLI, Config Sync automatically creates a RootSync object named root-sync. This object contains the most recent configuration information for Config Sync. Whenever you make a change in the Google Cloud console or Google Cloud CLI, root-sync is updated.

Learn about the fields you can edit using `kubectl`

You can make advanced changes to root-sync using kubectl commands for the fields not supported in the Google Cloud console or Google Cloud CLI. If you want to create and then update RootSync or RepoSync objects directly using kubectl commands, see RootSync and RepoSync fields.

Before you make any changes to the YAML file that you create in the following section, familiarize yourself with the following table. This table lists the fields that you can edit and add. If you edit fields not listed in this table, Config Sync automatically reverts changes back to the values you set when you last configured Config Sync in the Google Cloud console or Google Cloud CLI.

Key	Description
`spec.git.noSSLVerify`	`noSSLVerify` specifies whether to enable or disable the SSL certificate verification. Default: `false`. If `noSSLVerify` is set to `true`, it tells Git to skip the SSL certificate verification.
`spec.git.caCertSecretRef.name`	The name of the Secret containing the certificate authority (CA) certificate. If this field is provided, the Git server must be using a certificate issued by this CA. The CA certificate must be stored in the Secret under a key named `cert`.
`spec.override.resources`	The list of container resource requests and limit overrides. Optional. Each item in the list contains three fields: `containerName`: this field can be either `git-sync`, `oci-sync`, `hydration-controller`, or `reconciler`. `cpuRequest` (optional) `cpuLimit` (optional) `memoryRequest` (optional) `memoryLimit` (optional) When an override value for a resource request or limit isn't provided, the default resource value for the request or limit is used.
`spec.override.gitSyncDepth`	`gitSyncDepth` lets you override the number of Git commits to fetch. Must be no less than 0. Config Sync does a full clone if this field is 0, and a shallow clone if this field is greater than 0. If this field is not provided, Config Sync configures it automatically.
`spec.override.statusMode`	`statusMode` lets you enable or disable capturing the resource level status. The default is `enabled`. To disable capturing the resource level status, set this field to `disabled`.
`spec.override.reconcileTimeout`	`reconcileTimeout` lets you override the threshold for how long to wait for resources in an apply group to reconcile before giving up. All the resources in a commit can be in multiple apply groups based on the dependencies. The default timeout is `5m`. Use string to specify this field value, for example `30s`, `5m`.
`spec.override.enableShellInRendering`	`enableShellInRendering` specifies whether to enable or disable the shell access in the rendering process. Kustomize remote bases require shell access. Setting this field to `true` enables shell access in the rendering process and supports pulling remote bases from public repositories. The default is `false`.

Create the file

To create and edit a configuration file for root-sync, complete the following steps:

To make sure that you're retrieving the configuration information for the correct cluster, configure kubectl command-line access:
```
gcloud container clusters get-credentials CLUSTER_NAME \
    --zone ZONE \
    --project PROJECT_ID
```
Replace the following:
- CLUSTER_NAME: the name of the cluster that has the Config Sync configuration that you want to change
- ZONE: the zone that you created your cluster in
- PROJECT_ID: your project ID
Copy the configuration information from the RootSync object that Config Sync created into a YAML file:
```
kubectl get rootsync root-sync -n config-management-system -o yaml >
FILE_NAME.yaml
```
Replace FILE_NAME with a name for your configuration file.

Open the YAML file that you created and make the required configuration changes. For example, to override the memory limit of the git-sync container, add the following fields in bold:

apiVersion: v1
items:
- apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
annotations:
  configmanagement.gke.io/managed-by-hub: "true"
  configmanagement.gke.io/update-time: "1644945169"
creationTimestamp: "2022-02-15T17:12:52Z"
generation: 1
name: root-sync
namespace: config-management-system
resourceVersion: "211980457"
uid: aa30a94b-2825-4590-ad30-5af848403502
spec:
git:
  auth: none
  branch: main
  dir: /quickstart/config-sync
  period: 15s
  repo: https://github.com/GoogleCloudPlatform/anthos-config-management-samples
  revision: HEAD
  secretRef: {}
override:
  resources:
  - containerName: "git-sync"
    memoryLimit: "400Mi"
sourceFormat: unstructured
# Remainder of RootSync omitted

Apply the changes to the YAML file:
```
kubectl apply -f FILE_NAME.yaml
```
To verify that Config Sync has applied your changes, view the RootSync object:
```
kubectl describe rootsync root-sync -n config-management-system
```
To verify that your changes haven't introduced any errors, use the nomos status command:
```
nomos status
```

Configure Certificate Authority

For servers configured with certificates from a Certificate Authority (CA) that is not already trusted, Config Sync can be configured to use a CA certificate to verify HTTPS connections to the server. This is supported for Git, Helm, or OCI servers. The CA certificate must include full SSL certificates (Root/Intermediate/Leaf). If your server is already using a trusted CA or you are not connecting over HTTPS, you can skip this step and leave caCertSecretRef unset.

`RootSync`

Fetch the CA certificate which was used to issue the certificate for your Git server and save it to a file.

For RootSync objects, the Secret must be created in the config-management-system namespace. For example:

kubectl create secret generic ROOT_CA_CERT_SECRET_NAME 

 --namespace=config-management-system 

 --from-file=cert=/path/to/CA_CERT_FILE

When you configure the RootSync object, set the value of the caCertSecretRef.name field in the RootSync object to ROOT_CA_CERT_SECRET_NAME.

`RepoSync`

Fetch the CA certificate which was used to issue the certificate for your Git server and save it to a file.

For RepoSync objects, the Secret must be created in the same namespace as the RepoSync. For example:

kubectl create secret generic NAMESPACE_CA_CERT_SECRET_NAME 

 --namespace=REPO_SYNC_NAMESPACE 

 --from-file=cert=/path/to/CA_CERT_FILE

When you configure the RepoSync, set the value of the caCertSecretRef.name field in the RepoSync object to NAMESPACE_CA_CERT_SECRET_NAME.

Remove the RootSync object

To delete root-sync, run the following command:

kubectl delete -f FILE_NAME

Replace FILE_NAME with the name of your RootSync configuration file. For example, root-sync.yaml.

Deleting a RootSync or RepoSync object does not clean up Config Sync annotations and labels. To clean up any managed resources, sync from an empty Git directory.

What's next

Learn more about the RootSync and RepoSync fields.
Discover how to Monitor RootSync and RepoSync objects.