Managing Clusters Without Cluster API Enterprise
You do not need Cluster API to add your Kubernetes cluster to Weave GitOps Enterprise. The only thing you need is a secret containing a valid kubeconfig.
- Existing kubeconfig
- How to create a kubeconfig for a ServiceAccount
Adding kubeconfig to Your Management Cluster
If you already have a kubeconfig stored in a secret in your management cluster, continue with the "Create a GitopsCluster" step below.
If you have a kubeconfig, but it is not yet stored in your management cluster, load it into the cluster using this command:
kubectl create secret generic demo-01-kubeconfig \
--from-file=value=./demo-01-kubeconfig
Here's how to create a kubeconfig secret.
Create a new service account on the remote cluster:
apiVersion: v1
kind: ServiceAccount
metadata:
name: demo-01
namespace: defaultAdd RBAC permissions for the service account:
Expand to see role manifests
This will allow WGE to introspect the cluster for available namespaces.
Once we know what namespaces are available we can test whether the logged in user can access them via impersonation.
Retrieve the token from the service account. First, run this command to get the list of secrets of the service accounts:
kubectl get secrets --field-selector type=kubernetes.io/service-account-token
NAME TYPE DATA AGE
default-token-lsjz4 kubernetes.io/service-account-token 3 13d
demo-01-token-gqz7p kubernetes.io/service-account-token 3 99m(
demo-01-token-gqz7pis the secret that holds the token fordemo-01service account.)Then, run the following command to get the service account token:
TOKEN=$(kubectl get secret demo-01-token-gqz7p -o jsonpath={.data.token} | base64 -d)Create a kubeconfig secret. We'll use a helper script to generate the kubeconfig, and then save it into
static-kubeconfig.sh:Expand to see script
Obtain the cluster certificate (CA). How you do this depends on your cluster.
- AKS: Visit the Azure user docs for more information.
- EKS: Visit the EKS docs for more information.
- GKE: You can view the CA on the GCP Console: Cluster->Details->Endpoint->”Show cluster certificate”.
You'll need to copy the contents of the certificate into the ca.crt file used below.
```bash
CLUSTER_NAME=demo-01 \
CA_CERTIFICATE=ca.crt \
ENDPOINT=<control-plane-ip-address> \
TOKEN=<token> ./static-kubeconfig.sh > demo-01-kubeconfig
```
Update the following fields:
- CLUSTER_NAME: insert the name of your cluster—i.e.,
demo-01 - ENDPOINT: add the API server endpoint i.e.
34.218.72.31 - CA_CERTIFICATE: include the path to the CA certificate file of the cluster
- TOKEN: add the token of the service account retrieved in the previous step
- CLUSTER_NAME: insert the name of your cluster—i.e.,
Finally, create a secret for the generated kubeconfig in the WGE management cluster:
kubectl create secret generic demo-01-kubeconfig \
--from-file=value=./demo-01-kubeconfig
Add a Cluster Bootstrap Config
This step ensures that Flux gets installed into your cluster. Create a cluster bootstrap config as follows:
kubectl create secret generic my-pat --from-literal GITHUB_TOKEN=$GITHUB_TOKEN
Download the config with:
curl -o clusters/management/capi/bootstrap/capi-gitops-cluster-bootstrap-config.yaml https://deploy-preview-4116--gitops-io.netlify.app/assets/files/capi-gitops-cluster-bootstrap-config-d9934a1e6872a5b7ee5559d2d97a3d83.yaml
Then update the GITHUB_USER variable to point to your repository
Expand to see full yaml
Connect a Cluster
To connect your cluster, you need to add some common RBAC rules into the clusters/bases folder. When a cluster is provisioned, by default it will reconcile all the manifests in ./clusters/<cluster-namespace>/<cluster-name> and ./clusters/bases.
To display Applications and Sources in the UI, we need to give the logged-in user the permission to inspect the new cluster. Adding common RBAC rules to ./clusters/bases/rbac is an easy way to configure this.
curl -o clusters/bases/rbac/wego-admin.yaml https://deploy-preview-4116--gitops-io.netlify.app/assets/files/wego-admin-c80945c1acf9908fe6e61139ef65c62e.yaml
Expand to see full template yaml
Create a GitopsCluster
When a GitopsCluster appears in the cluster, the Cluster Bootstrap Controller will install Flux on it and by default start reconciling the ./clusters/demo-01 path in your management cluster's Git repository:
apiVersion: gitops.weave.works/v1alpha1
kind: GitopsCluster
metadata:
name: demo-01
namespace: default
# Signals that this cluster should be bootstrapped.
labels:
weave.works/capi: bootstrap
spec:
secretRef:
name: demo-01-kubeconfig
To use the Weave GitOps Enterprise user interface (UI) to inspect the Applications and Sources running on the new cluster, you'll need permissions. We took care of this above when we stored your RBAC rules in ./clusters/bases. In the following step, we'll create a kustomization to add these common resources onto our new cluster:
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
creationTimestamp: null
name: clusters-bases-kustomization
namespace: flux-system
spec:
interval: 10m0s
path: clusters/bases
prune: true
sourceRef:
kind: GitRepository
name: flux-system
Save these two files in your Git repository, then commit and push.
Once Flux has reconciled the cluster, you can inspect your Flux resources via the UI!
Debugging Tip: Checking that Your kubeconfig Secret Is in Your Cluster
To test that your kubeconfig secret is correctly set up, apply the following manifest and check the logs after the job completes:
Expand to see manifest
In the manifest above, demo-01-kubeconfig is the name of the secret that contains the kubeconfig for the remote cluster.
Additional Resources
Other documentation that you might find useful:
- Authentication strategies
- X509 client certificates: can be used across different namespaces
- Service account tokens: limited to a single namespace
- Kubernetes authentication 101 (CNCF blog post)
- Kubernetes authentication (Magalix blog post)