Customize your Config Sync installation

Console

Install Config Sync

To install Config Sync, all clusters must be registered to a fleet. When you install Config Sync in the Google Cloud console, selecting individual clusters automatically registers those clusters to your fleet.

1. In the Google Cloud console, go to the Config page under the Features section.

   Go to Config

2. Click add Install Config Sync.
3. Select the Config Sync version that you want to use.
4. Under Installation options, select one of the following options:
   • Install Config Sync on entire fleet (recommended): Config Sync will be installed on all clusters in the fleet.
   • Install Config Sync on individual clusters: all selected clusters will be automatically registered to a fleet. Config Sync will be installed on all clusters in the fleet.
5. If you're installing Config Sync on individual clusters, in the Available clusters table, select the clusters on which you want to install Config Sync.
6. Click Install Config Sync. In the Settings tab, after a few minutes, you should see Enabled in the Status column for the clusters in your fleet.

Deploy a package

After you have registered your clusters to a fleet and installed Config Sync, you can configure Config Sync to deploy a package to a cluster from a source of truth. You can deploy the same package to multiple clusters or deploy different packages to different clusters. You can edit a package after deploying it, except for some settings like package name and sync type. For more information, see Manage packages.

To deploy a package, complete the following steps:

1. In the Google Cloud console, go to the Config Sync dashboard.

   Go to Config Sync dashboard

2. Click Deploy Package.

3. In the Select clusters for package deployment table, select the cluster that you want to deploy a package to and then click Continue.

4. Select either Package hosted on Git or Package hosted on OCI as your source type and then click Continue.

5. In the Package details section, enter a Package name, which identifies the RootSync or RepoSync object.

6. In the Sync type field, choose either Cluster scoped sync or Namespace scoped sync as the sync type.

   Cluster scoped sync creates a RootSync object and Namespace scoped sync creates a RepoSync object. For more information about these objects, see Config Sync architecture.

7. In the Source section, complete the following:

   • For sources hosted in a Git repository, enter the following fields:

     1. Enter the URL of the Git repository that you're using as a source of truth as the Repository URL.
     2. Optional: Update the Revision field to check out if you're not using the default HEAD.
     3. Optional: Update the Path field if you don't want to sync from the root repository.
     4. Optional: Update the Branch field if you're not using the default main branch.

   • For sources hosted in an OCI image, enter the following fields:

     1. Enter the URL of the OCI image that you're using as a source of truth as the Image.
     2. Enter the path of the directory to sync from, relative to the root directory, as the Directory.

8. (Optional): Expand the Advanced settings section to complete the following:

   1. Select an Authentication type. Config Sync needs read-only access to your source of truth to read the configuration files in the source and apply them to your clusters. Unless your source requires no authentication, such as a public repository, ensure that you grant Config Sync read-only access to your Git repository, OCI image, or Helm chart (gcloud CLI only). Choose the same authentication type that you configured when you installed Config Sync:

      • None: Use no authentication.
      • SSH: Authenticate by using an SSH key pair.
      • Cookiefile: Authenticate by using a cookiefile.
      • Token: Authenticate by using an access token or password.
      • Google Cloud Repository: Use a Google service account to access a Cloud Source Repositories repository. Only select this option if Workload Identity Federation for GKE is not enabled in your cluster.
      • Workload Identity: Use a Google service account to access a Cloud Source Repositories repository.

   2. Enter a number in seconds to set the Sync wait time, which determines how long Config Sync waits between attempts to pull from the source of truth.

   3. Enter a Git proxy URL for the HTTPS proxy to be used when communicating with the source of truth.

   4. Choose Hierarchy to change the Source format.

      The default value Unstructured is recommended in most cases since it lets you organize your source of truth however you want.

9. Click Deploy Package.

   You are redirected to the Config Sync Packages page. After a few minutes, you should see Synced in the Sync status column for the cluster that you configured.

gcloud

Before you continue, make sure you've registered your clusters to a fleet.

1. Enable the ConfigManagement fleet feature:

   gcloud beta container fleet config-management enable
   

2. Prepare the configuration by either creating a new apply-spec.yaml manifest or by using an existing manifest. Using an existing manifest lets you configure your cluster with the same settings used by another cluster.

   Create new manifest

   To configure Config Sync with new settings for your cluster, create a file named apply-spec.yaml and copy the following YAML file into it.

   You can set all of the optional spec.configSync fields that you need when you create your manifest, and later use kubectl commands for configuration. You can also only set the spec.configSync.enabled field as true and omit the optional fields. You can then later use kubectl commands to create additional RootSync objects or RepoSyncs that you can fully manage using kubectl commands later.

   # apply-spec.yaml
   
   applySpecVersion: 1
   spec:
     configSync:
       enabled: true
       # If you don't have a source of truth yet, omit the
       # following fields. You can configure them later.
       sourceType: SOURCE_TYPE
       sourceFormat: FORMAT
       syncRepo: REPO
       syncRev: REVISION
       syncBranch: BRANCH
       secretType: SECRET_TYPE
       gcpServiceAccountEmail: EMAIL
       metricsGcpServiceAccountEmail: METRICS_EMAIL
       policyDir: DIRECTORY
       preventDrift: PREVENT_DRIFT
   

   Replace the following:

   • SOURCE_TYPE: add git to sync from a Git repository, oci to sync from an OCI image, or helm to sync from a Helm chart. If no value is specified, the default is git.
   • FORMAT: add unstructured to use an unstructured repository or add hierarchy to use a hierarchical repository. These values are case-sensitive. This field is optional and the default value is hierarchy. We recommend that you add unstructured, because this format lets you organize your configs in the way that is most convenient to you.

   • REPO: add the URL of the source of truth. Git and Helm repository URLs use either the HTTPS or SSH protocol. For example, https://github.com/GoogleCloudPlatform/anthos-config-management-samples. If you plan to use SSH as your secretType, enter your URL with the SSH protocol. This field is required and if you don't enter a protocol, the URL is treated as an HTTPS URL.

     OCI URLs use the following format: LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME. By default, the image is pulled from the latest tag, but you can pull in images by TAG or DIGEST instead. Specify TAG or DIGEST in the PACKAGE_NAME:

     • To pull by TAG: LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME:TAG
     • To pull by DIGEST: LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME@sha256:DIGEST

   • REVISION: the Git revision (tag or hash) or branch name to sync from. When using a hash, it must be a full hash, and not an abbreviated form.

   • SECRET_TYPE: one of the following secretTypes:

     git

     • none: Use no authentication.
     • ssh: Use an SSH key pair.
     • cookiefile: Use a cookiefile.
     • token: Use a token.
     • gcpserviceaccount: Use a Google service account to access a Cloud Source Repositories or Secure Source Manager repository. If you select this authentication type, you need to create an IAM policy binding after you finish configuring Config Sync. For details, see the Google service account tab of the Grant Config Sync access to Git with a Google service account section.
     • gcenode: Use a Google service account to access a Cloud Source Repositories. Only select this option if Workload Identity Federation for GKE is not enabled in your cluster.
     • githubapp: Use a GitHub App to authenticate to a GitHub repository.

     For more information on these authentication types, see Grant Config Sync access to Git.

     oci

     • none: Use no authentication
     • gcenode: Use the Compute Engine default service account to access an image in Artifact Registry. Only select this option if Workload Identity Federation for GKE is not enabled in your cluster.
     • gcpserviceaccount: Use a Google service account to access an image.

     helm

     • token: Use a token.
     • gcenode: Use the Compute Engine default service account to access an image in Artifact Registry. Only select this option if Workload Identity Federation for GKE is not enabled in your cluster.
     • gcpserviceaccount: Use a Google service account to access an image.

   • EMAIL: If you added gcpserviceaccount as your secretType, add your Google service account email address. For example, acm@PROJECT_ID.iam.gserviceaccount.com.

   • METRICS_EMAIL: the email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount default in the namespace config-management-monitoring should be bound to the GSA.

   • DIRECTORY: the path of the directory to sync from, relative to the root of the Git repository. All sub-directories of the directory that you specify are included and synced to the cluster. The default value is the root directory of the repository.

   • PREVENT_DRIFT: If set to true, enables the Config Sync admission webhook to prevent drifts by rejecting conflicting changes from being pushed to live clusters. The default setting is false. Config Sync always remediates drifts no matter the value of this field.

   For a complete list of fields that you can add to the spec field, see gcloud fields.

   Use existing manifest

   To configure your cluster with the same settings used by another cluster, fetch the settings from a registered cluster:

   gcloud alpha container fleet config-management fetch-for-apply \
       --membership=MEMBERSHIP_NAME \
       --project=PROJECT_ID \
       > CONFIG_YAML_PATH
   

   Replace the following:

   • MEMBERSHIP_NAME: the membership name of the registered cluster that has the Config Sync settings you want to use
   • PROJECT_ID: your project ID
   • CONFIG_YAML_PATH: the path to the apply-spec.yaml file which contains the settings fetched from the cluster

3. Apply the apply-spec.yaml file. If you are using an existing manifest, you should apply the file to the cluster that you want to configure with the settings that you fetched in the previous command:

   gcloud beta container fleet config-management apply \
       --membership=MEMBERSHIP_NAME \
       --config=CONFIG_YAML_PATH \
       --project=PROJECT_ID
   

   Replace the following:

   • MEMBERSHIP_NAME: the fleet membership name that you chose when you registered your cluster. You can find the name with gcloud container fleet memberships list.
   • CONFIG_YAML_PATH: the path to your apply-spec.yaml file.
   • PROJECT_ID: your project ID.

Terraform

For each cluster that you want to configure Config Sync, apply a google_gkehub_feature_membership resource block that contains a configmanagement and config_sync block, such as in the following example:

data "google_project" "default" {}

resource "google_container_cluster" "default" {
  name     = "gke-autopilot-basic"
  location = "us-central1"

  fleet {
    project = data.google_project.default.project_id
  }

  enable_autopilot = true
}

resource "google_gke_hub_feature" "configmanagement_feature" {
  name     = "configmanagement"
  location = "global"
}

resource "google_gke_hub_feature_membership" "configmanagement_feature_member" {
  location = "global"

  feature             = google_gke_hub_feature.configmanagement_feature.name
  membership          = google_container_cluster.default.fleet[0].membership_id
  membership_location = google_container_cluster.default.fleet[0].membership_location

  configmanagement {
    config_sync {
      # The field `enabled` was introduced in Terraform version 5.41.0, and
      # needs to be set to `true` explicitly to install Config Sync.
      enabled = true
      git {
        sync_repo   = "REPO"
        sync_branch = "BRANCH"
        policy_dir  = "DIRECTORY"
        secret_type = "SECRET"
      }
    }
  }
}

data "google_project" "default" {}

resource "google_container_cluster" "default" {
  name     = "gke-autopilot-basic"
  location = "us-central1"

  fleet {
    project = data.google_project.default.project_id
  }

  enable_autopilot = true
}

resource "google_gke_hub_feature" "configmanagement_feature" {
  name     = "configmanagement"
  location = "global"
}

resource "google_gke_hub_feature_membership" "configmanagement_feature_member" {
  location = "global"

  feature             = google_gke_hub_feature.configmanagement_feature.name
  membership          = google_container_cluster.default.fleet[0].membership_id
  membership_location = google_container_cluster.default.fleet[0].membership_location

  configmanagement {
    config_sync {
      # The field `enabled` was introduced in Terraform version 5.41.0, and
      # needs to be set to `true` explicitly to install Config Sync.
      enabled = true
      oci {
        sync_repo   = "REPO"
        policy_dir  = "DIRECTORY"
        secret_type = "SECRET"
      }
    }
  }
}

Repeat this process for each cluster that you want to sync.

To learn more about using Terraform, see Terraform support for Config Sync.

gcloud

Run the enable command for the feature, passing the apply-spec.yaml configuration file that you created when you installed Config Sync in the previous section:

gcloud beta container fleet config-management enable \
    --fleet-default-member-config=apply-spec.yaml

You can use this command to update your fleet default settings at any time. If you update your fleet default settings, you must re-sync your existing clusters to the default settings.

Console

1. In the Google Cloud console, go to the Feature Manager page.

   Go to Feature Manager

2. In the Config Sync pane, click Configure.

3. Review your fleet-level settings. All new clusters you create in the fleet inherit these settings.

4. Optional: To change the default settings, click Customize fleet settings. In the dialog that appears, do the following:

   1. Select the Config Sync version that you want to use.
   2. Click Save changes.

5. Click Configure.

6. In the Configuring fleet settings confirmation dialog, click Confirm. If you haven't previously enabled Config Sync, clicking Confirm also enables the anthosconfigmanagement.googleapis.com API.

Terraform

To enable Config Sync across a fleet, refer to the following example:

resource "google_gke_hub_feature" "default" {
  name     = "configmanagement"
  location = "global"

  fleet_default_member_config {
    configmanagement {
      config_sync {
        # The field `enabled` was introduced in Terraform version 5.41.0, and
        # needs to be set to `true` explicitly to install Config Sync.
        enabled = true
        git {
          sync_repo   = "REPO"
          sync_branch = "BRANCH"
          policy_dir  = "DIRECTORY"
          secret_type = "SECRET"
        }
      }
    }
  }
}

resource "google_gke_hub_feature" "configmanagement_feature_member" {
  name     = "configmanagement"
  location = "global"

  fleet_default_member_config {
    configmanagement {
      config_sync {
        # The field `enabled` was introduced in Terraform version 5.41.0, and
        # needs to be set to `true` explicitly to install Config Sync.
        enabled = true
        oci {
          sync_repo   = "REPO"
          policy_dir  = "DIRECTORY"
          secret_type = "SECRET"
        }
      }
    }
  }
}

To learn more about using Terraform, see Terraform support for Config Sync.

gcloud

1. Sync an existing membership to the fleet default configuration:

   gcloud beta container fleet config-management apply \
       --origin=FLEET \
       --membership=MEMBERSHIP_NAME
   

   Replace MEMBERSHIP_NAME with the fleet membership name of the cluster that you want to sync with the fleet default configuration.

2. Confirm that your membership configurations are synced with the fleet default:

   gcloud beta container fleet config-management status
   

   The output of this command should display as Yes for the Synced_to_Fleet_Default status for the membership that you synced.

console

1. Go to Feature Manager:

   Go to Feature Manager: Config Sync

2. In the cluster table, select the clusters that you want to sync to fleet settings.

3. Click Sync to fleet settings.

Console

Complete the following steps:

1. In the Google Cloud console, go to the Config page under the Features section.

   Go to Config

2. On the Packages tab, check the Sync status column in the cluster table. A successful installation of Config Sync has a status of Installed. A successfully configured source of truth has a status of Synced.

gcloud

Run the following command:

gcloud beta container fleet config-management status \
    --project=PROJECT_ID

Replace PROJECT_ID with your project's ID.

A successful installation has a status of SYNCED with the Config Sync version installed.

If you see an error after running the preceding command, make sure that you created the git-creds Secret. If you have created the Secret, try rerunning the following command:

gcloud beta container fleet config-management apply