Skip to main content
Version: 0.28.0

Profiles Enterprise

BEFORE YOU START

The following instructions require you to make minor changes to the content of your own hosted Helm repository.

To put it simply, Profiles are Helm charts. To create a Profile, you need to add an annotation to a Helm chart.

A very simple Helm chart marked up as a Profile looks like this:

name: demo-profile
version: 0.0.1
annotations:
weave.works/profile: "A Demo Profile"

The chart can use either subcharts or dependencies to include other charts. These other charts do not need the annotation, and they will not show up as Profiles.

Mark a HelmRepository as Containing Profiles

Alternatively, you can annotate a Flux HelmRepository

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: podinfo
namespace: default
annotations:
weave.works/profiles: "true" # this identifies all charts as profiles
spec:
interval: 5m0s
url: https://stefanprodan.github.io/podinfo

This will ensure that all charts in the HelmRepository are identified as Profiles.

Add Layers to Define Dependencies Between Your Profiles

Profile layers are a mechanism for loosely defining dependencies between Profiles.

To add a layer to a Profile chart:

name: demo-profile
version: 0.0.1
annotations:
weave.works/profile: "A Demo Profile"
weave.works/layer: "demo"

When multiple Profiles are specified in an API call, with layers in the API request then the set of layers is sorted, reversed, and configured as dependencies using Flux's dependsOn mechanism.

┌─────────┐      ┌─────────┐      ┌─────────┐
│ │ │ │ │ │
│ layer-3 ├──────► layer-2 ├──────► layer-1 │
│ │ │ │ │ │
└─────────┘ └─────────┘ └─────────┘
dependsOn dependsOn

The scope of the dependsOn calculation is limited to the set of Profiles in the API call.

If only one chart is being installed, obviously no dependsOn is configured.

If several charts are installed in the same layer, then the preceeding layer charts will be configured to depend on all the charts in the succeeding layer.

┌──────────┐     ┌─────────┐      ┌─────────┐
│ │ │ │ │ │
│ layer-3 ├─────► layer-2 ├──────► layer-1 │
│ │ │ │ │ │
└──────────┤ └─────────┘ └─▲───────┘
dependsOn │ dependsOn │
│ │
│ ┌─────────┐ │
│ │ │ │
└─────► layer-2 ├────────┘
│ │
└─────────┘
dependsOn

If a chart with no layer specified is installed with a chart that has a layer specified, the service will configure the dependsOn for the chart without a layer to depend on the chart with layer.

(Optional) Use a Helm Chart from a Remote Public/Private Repository

You can add your Profiles to a remote repository that can be referenced using a HelmRepository resource. The repository can be either public or private. Using a private repo requires a few extra steps.

In this example, a public repo and branch is referenced directly where the Helm releases are:

HelmRepository.yaml
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: weaveworks-charts
namespace: flux-system
spec:
interval: 1m
url: https://weaveworks.github.io/weave-gitops-profile-examples/

To use private repositories with restricted access, you can use a secret synced to the target leaf cluster. SecretSync references the secret as spec.secretRef. The labels of your target leaf cluster are added for the syncer to match clusters against those labels using spec.clusterSelector.matchLabels.

SecretSync.yaml
apiVersion: capi.weave.works/v1alpha1
kind: SecretSync
metadata:
name: my-dev-secret-syncer
namespace: flux-system
spec:
clusterSelector:
matchLabels:
weave.works/capi: bootstrap
secretRef:
name: weave-gitops-enterprise-credentials
targetNamespace: flux-system

Once the SecretSync and Secret are available, the secret can be directly referenced in the HelmRepository object:

PrivateHelmRepository.yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: weaveworks-charts
namespace: flux-system
spec:
interval: 60m
secretRef:
name: weave-gitops-enterprise-credentials
url: https://charts.dev.wkp.weave.works/releases/charts-v3

Note: The HelmRepoSecret, SecretSync, and the GitopsCluster should all be in the same namespace.

Select the Profiles You Want Installed at Cluster Creation

WGE inspects the namespace in the management cluster where it is deployed, and looks for a HelmRepository object named weaveworks-charts. This Kubernetes object should point to a Helm chart repository that includes the Profiles available for installation.

When creating a cluster from the UI using a CAPI template, these Profiles are available for selection in the Profiles section of the template. For example:

Profiles Selection

As shown above, some Profiles are optional, while others are required. This is determined when the template is authored and allows for operations teams to control which Helm packages should be installed on new clusters by default.

To enable editing of the yaml values for required Profiles, add the editable flag in the annotation and describe the required Profile in the template. For example:

apiVersion: templates.weave.works/v1alpha2
kind: GitOpsTemplate
metadata:
name: connect-a-cluster-with-policies
namespace: default
annotations:
capi.weave.works/profile-0: '{"name": "weave-policy-agent", "editable": true, "version": "0.2.8", "values": "accountId: weaveworks\nclusterId: ${CLUSTER_NAME}" }'