Flux bootstrap for Azure DevOps
To install Flux on an AKS cluster using an Azure DevOps Git repository as the source of truth, you can use the flux bootstrap git command.
Required permissions
To bootstrap Flux, the person running the command must have cluster admin rights for the target Kubernetes cluster. It is also required that the person running the command to have pull and push rights for the Azure DevOps Git repository.Azure DevOps PAT
For accessing the Azure API, the bootstrap command requires an Azure DevOps personal access token (PAT) with pull and push permissions for Git repositories.
Generate an Azure DevOps PAT and create a new repository to hold your Flux install and other Kubernetes resources.
The Azure DevOps PAT can be exported as an environment variable:
export GIT_PASSWORD=<az-token> If the GIT_PASSWORD env var is not set, the bootstrap command will prompt you to type it the token.
You can also supply the token using a pipe e.g. echo "<az-token>" | flux bootstrap git.
Bootstrap using a DevOps PAT
Run the bootstrap for a repository using token-based authentication:
flux bootstrap git \ --token-auth=true \ --url=https://dev.azure.com/<org>/<project>/_git/<repository> \ --branch=main \ --path=clusters/my-cluster When using --token-auth, the CLI and the Flux controllers running on the cluster will use the Azure DevOps PAT to access the Git repository over HTTPS.
Note that the Azure DevOps PAT is stored in the cluster as a Kubernetes Secret named flux-system inside the flux-system namespace.
Token rotation
Note that Azure DevOps PAT have an expiry date. To rotate the token before it expires, delete the flux-system secret from the cluster and create a new one with the new PAT:
flux create secret git flux-system \ --url=https://dev.azure.com/<org>/<project>/_git/<repository> \ --username=git \ --password=<az-token> Bootstrap using SSH keys
Azure DevOps SSH works only with RSA SHA-2 keys.
To configure Flux with RSA SHA-2 keys, you need to clone the DevOps locally, then create the file structure required by bootstrap with:
mkdir -p clusters/my-cluster/flux-system touch clusters/my-cluster/flux-system/gotk-components.yaml \ clusters/my-cluster/flux-system/gotk-sync.yaml \ clusters/my-cluster/flux-system/kustomization.yaml Edit the kustomization.yaml file to include the following patches:
apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - gotk-components.yaml - gotk-sync.yaml patches: - patch: | - op: add path: /spec/template/spec/containers/0/args/- value: --ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256 target: kind: Deployment name: (source-controller|image-automation-controller) Commit and push the changes to upstream with:
git add -A && git commit -m "init flux" && git push To generate an SSH key pair compatible with Azure DevOps, you’ll need to use ssh-keygen with the rsa-sha2-512 algorithm:
ssh-keygen -t rsa-sha2-512 Upload the SSH public key to Azure DevOps. For more information, see the Azure DevOps documentation.
Run bootstrap using the SSH URL of the Azure DevOps repository and the RSA SHA-2 private key:
flux bootstrap git \ --url=ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repository> --branch=<my-branch> \ --ssh-hostkey-algos=rsa-sha2-512,rsa-sha2-256 \ --private-key-file=<path/to/ssh/private.key> \ --password=<key-passphrase> \ --path=clusters/my-cluster For more information on how to use the flux bootstrap git command, please see the generic Git server documentation.