├── README.md
├── deploy
    └── podinfo.yaml
└── install.sh


/README.md:
--------------------------------------------------------------------------------
 1 | # Deliverybot GitOps example
 2 | 
 3 | This example sets up a GitHub repository as a source of truth for [Flux][flux]
 4 | to read and to apply manifests into your Kubernetes cluster. It also has a
 5 | corresponding GitHub action which can push manifests to this repository to
 6 | deploy your code.
 7 | 
 8 | This brings the benefits of GitOps together with the ease of managing deployment
 9 | automation with Deliverybot. Click a button and watch manifests be updated and
10 | deployed to your Kubernetes cluster!
11 | 
12 | ![Flux diagram](https://deliverybot.dev/assets/images/integrations/flux.svg)
13 | 
14 | **This is currently in beta and the API around this may change.**
15 | 
16 | ## Getting started
17 | 
18 | Requires `cfssl` to be installed along with `helm` and `kubectl`.
19 | 
20 | 1. Copy this repository to your organization.
21 | 
22 | 2. Run the [`./install.sh`](install.sh) script to setup FluxCD or follow this
23 |    guide [here][flux-guide].
24 | 
25 | ```bash
26 | GIT_REPO=git@github.com:myrepo/example-gitops.git GIT_PATH=deploy NAMESPACE=kube-system ./install.sh
27 | ```
28 | 
29 | 3. Create a new repository to emulate an application that you want to deploy to
30 |    Kubernetes and install the GitOps action https://github.com/deliverybot/gitops
31 | 
32 | 4. [Install the repository][deliverybot] on Deliverybot.
33 | 
34 | 4. Trigger a deployment and watch the action push a change to your flux repo!
35 | 
36 | [flux]: https://fluxcd.io
37 | [flux-guide]: https://docs.fluxcd.io/projects/helm-operator/en/latest/tutorials/get-started.html
38 | [deliverybot]: https://github.com/apps/deliverybot/installations/new
39 | 


--------------------------------------------------------------------------------
/deploy/podinfo.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: flux.weave.works/v1beta1
 2 | kind: HelmRelease
 3 | metadata:
 4 |   name: podinfo-dev
 5 |   namespace: kubernetes-guide
 6 | spec:
 7 |   releaseName: podinfo-dev
 8 |   chart:
 9 |     git: git@github.com:fluxcd/helm-operator-get-started
10 |     path: charts/podinfo
11 |     ref: master
12 |   values:
13 |     image: stefanprodan/podinfo:dev-kb9lm91e
14 |     replicaCount: 1
15 | 


--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # Call with GIT_REPO GIT_PATH NAMESPACE
  3 | 
  4 | set -e
  5 | cd $(mktemp -d)
  6 | 
  7 | export TILLER_HOSTNAME=tiller-deploy.${NAMESPACE}
  8 | export TILLER_SERVER=server
  9 | export USER_NAME=flux-helm-operator
 10 | 
 11 | 
 12 | ## Create tls using cfssl:
 13 | # Provides a secure helm installation.
 14 | 
 15 | mkdir tls
 16 | pushd tls
 17 | 
 18 | # Prep the configuration
 19 | echo '{"CN":"CA","key":{"algo":"rsa","size":4096}}' | cfssl gencert -initca - | cfssljson -bare ca -
 20 | echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json
 21 | 
 22 | # Create the tiller certificate
 23 | echo '{"CN":"'$TILLER_SERVER'","hosts":[""],"key":{"algo":"rsa","size":4096}}' | cfssl gencert \
 24 |   -config=ca-config.json -ca=ca.pem \
 25 |   -ca-key=ca-key.pem \
 26 |   -hostname="$TILLER_HOSTNAME" - | cfssljson -bare $TILLER_SERVER
 27 | 
 28 | # Create a client certificate
 29 | echo '{"CN":"'$USER_NAME'","hosts":[""],"key":{"algo":"rsa","size":4096}}' | cfssl gencert \
 30 |   -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem \
 31 |   -hostname="$TILLER_HOSTNAME" - | cfssljson -bare $USER_NAME
 32 | 
 33 | popd
 34 | 
 35 | 
 36 | ## Create the RBAC configuration for Tiller:
 37 | # Includes rbac for a client service-account.
 38 | 
 39 | cat > rbac-config.yaml <<EOF
 40 | apiVersion: v1
 41 | kind: ServiceAccount
 42 | metadata:
 43 |   name: flux-tiller
 44 |   namespace: $NAMESPACE
 45 | ---
 46 | apiVersion: rbac.authorization.k8s.io/v1beta1
 47 | kind: ClusterRoleBinding
 48 | metadata:
 49 |   name: flux-tiller
 50 | roleRef:
 51 |   apiGroup: rbac.authorization.k8s.io
 52 |   kind: ClusterRole
 53 |   name: cluster-admin
 54 | subjects:
 55 |   - kind: ServiceAccount
 56 |     name: flux-tiller
 57 |     namespace: $NAMESPACE
 58 | 
 59 | ---
 60 | # Helm client serviceaccount
 61 | apiVersion: v1
 62 | kind: ServiceAccount
 63 | metadata:
 64 |   name: helm
 65 |   namespace: $NAMESPACE
 66 | ---
 67 | apiVersion: rbac.authorization.k8s.io/v1beta1
 68 | kind: Role
 69 | metadata:
 70 |   name: tiller-user
 71 |   namespace: $NAMESPACE
 72 | rules:
 73 | - apiGroups:
 74 |   - ""
 75 |   resources:
 76 |   - pods/portforward
 77 |   verbs:
 78 |   - create
 79 | - apiGroups:
 80 |   - ""
 81 |   resources:
 82 |   - pods
 83 |   verbs:
 84 |   - list
 85 | ---
 86 | apiVersion: rbac.authorization.k8s.io/v1beta1
 87 | kind: RoleBinding
 88 | metadata:
 89 |   name: tiller-user-binding
 90 |   namespace: $NAMESPACE
 91 | roleRef:
 92 |   apiGroup: rbac.authorization.k8s.io
 93 |   kind: Role
 94 |   name: tiller-user
 95 | subjects:
 96 | - kind: ServiceAccount
 97 |   name: helm
 98 |   namespace: $NAMESPACE
 99 | EOF
100 | kubectl create -f rbac-config.yaml
101 | 
102 | 
103 | ## Deploy helm with mutual TLS enabled.
104 | # --history-max limits the maximum number of revisions Tiller stores;
105 | # leaving it to the default (0) may result in request timeouts after N
106 | # releases, due to the excessive amount of ConfigMaps Tiller will
107 | # attempt to retrieve.
108 | 
109 | helm init --upgrade \
110 |   --wait \
111 |   --tiller-namespace $NAMESPACE \
112 |   --service-account flux-tiller \
113 |   --history-max 10 \
114 |   --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' \
115 |   --tiller-tls \
116 |   --tiller-tls-cert ./tls/server.pem \
117 |   --tiller-tls-key ./tls/server-key.pem \
118 |   --tiller-tls-verify \
119 |   --tls-ca-cert ./tls/ca.pem
120 | 
121 | 
122 | ## Deploy the Helm Operator
123 | # Creates a K8s tls secret.
124 | 
125 | kubectl create secret \
126 |   --namespace $NAMESPACE \
127 |   tls helm-client \
128 |   --cert=tls/flux-helm-operator.pem \
129 |   --key=./tls/flux-helm-operator-key.pem
130 | 
131 | helm repo add fluxcd https://fluxcd.github.io/flux
132 | helm upgrade --install \
133 |   --tls \
134 |   --tls-verify \
135 |   --tls-ca-cert ./tls/ca.pem \
136 |   --tls-cert ./tls/flux-helm-operator.pem \
137 |   --tls-key ././tls/flux-helm-operator-key.pem \
138 |   --tls-hostname $TILLER_HOSTNAME \
139 |   --tiller-namespace $NAMESPACE \
140 |   --namespace $NAMESPACE \
141 |   --set helmOperator.create=true \
142 |   --set helmOperator.createCRD=true \
143 |   --set git.url=$GIT_REPO \
144 |   --set git.path=$GIT_PATH \
145 |   --set helmOperator.tls.enable=true \
146 |   --set helmOperator.tls.verify=true \
147 |   --set helmOperator.tls.secretName=helm-client \
148 |   --set helmOperator.tls.caContent="$(cat ./tls/ca.pem)" \
149 |   --set helmOperator.tillerNamespace=$NAMESPACE \
150 |   flux \
151 |   fluxcd/flux
152 | 


--------------------------------------------------------------------------------