Add cluster connectivity section to docs

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan 2024-04-12 12:09:35 +03:00
parent 45e655f7db
commit d949cc6257
No known key found for this signature in database
GPG key ID: 3299AEB0E4085BAF


@ -235,11 +235,44 @@ To enforce the RBAC restrictions, and to provision the controllers before the cu
4. `apps` (app workloads - depends on `infra-configs`)
> [!TIP]
> When managing a large numbers of tenants and clusters, it is recommended to use run a dedicated
> When managing a large number of tenants and clusters, it is recommended to use run a dedicated
> Flux instance for each group of clusters belonging to the same tenant. For more information
> on how to assign Flux instances to specific clusters, see the
> [Flux sharding and horizontal scaling guide](https://fluxcd.io/flux/installation/configuration/sharding/).
## Cluster connectivity and access control
For the Flux kustomize-controller and helm-controller to be able to
reconcile the remote clusters, the Kubernetes API servers
need to be accessible from the central cluster.
The Flux controllers authenticate with the target clusters using
kubeconfig files stored as Kubernetes secrets in the central cluster.
Both the Flux `Kustomization` and `HelmRelease` objects take a reference to the
Kubernetes secret containing the kubeconfig file:
```yaml
kind: Kustomization | HelmRelease
spec:
kubeConfig:
secretRef:
name: cluster-kubeconfig
```
The secret defined in the `secretRef` must exist in the same namespace as the `Kustomization`
or `HelmRelease` object, and the kubeconfig file must be stored in the `value` data key.
If the target clusters are accessible over a proxy, the proxy address must be set in the kubeconfig file.
If the target API servers use self-signed certificates, both controllers can be configured
to skip the TLS verification by setting the `--insecure-kubeconfig-tls` flag in the controller container args.
> [!IMPORTANT]
> Note that kubeconfigs that rely on exec-based authentication plugins are not supported by default.
> You will need to build custom container images with the necessary binaries and configure
> the controllers with the `--insecure-kubeconfig-exec` flag. Another option is to generate kubeconfigs
> with bearer tokens and refresh them periodically with a CronJob that runs e.g. `aws eks get-token`.
## Monitoring and alerting
To configure Prometheus, Loki and Grafana for monitoring the Flux controllers and the workloads reconciliation,
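Review bot: The corrected tip line still reads "it is recommended to use run a dedicated" (line `> When managing a large number of tenants and clusters, ...`); the change fixes "numbers" to "number" but leaves the "use run" duplication, so it should be "it is recommended to run a dedicated". In the new "Cluster connectivity and access control" section, the sentence recommending `--insecure-kubeconfig-tls` for self-signed API server certificates would benefit from a caveat that this disables TLS verification for every kubeconfig the controller loads; suggest noting that the preferred option is to embed the cluster CA in the kubeconfig (`certificate-authority-data`) and to treat the flag as a last resort. Same for the `--insecure-kubeconfig-exec` paragraph: it would help to state why the flag is off by default (the exec plugin runs arbitrary binaries from the controller pod), so readers understand the trade-off before enabling it.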