In this KubeCon Europe 2023 talk, Stefan and Hidde will talk about the latest developments of Flux around the Open Container Initiative (OCI). The focus will be on how OCI can serve as the single source of truth for both application code (container images) and configuration (OCI artifacts). We will start by explaining how Flux can be used as a package manager for distributing Kubernetes configs and Terraform modules as OCI artifacts. Afterwards, we will demonstrate how to build a secure delivery pipeline that leverages Flux integrations with GitHub Actions and keyless signatures from Sigstore Cosign. Lastly, we will touch upon the upcoming plans for 2023 and the significance of OCI in the future of continuous delivery with Flux.
1. Hidde Beydals (Flux core maintainer, Weaveworks)
Stefan Prodan (Flux core maintainer, Weaveworks)
Flux Beyond Git
Harnessing the Power of OCI
2. Flux: Project overview
The Flux project aims to provide a complete Continuous Delivery platform on
top of Kubernetes, supporting all the common practices and tooling in the field.
Flux v2 is powered by the GitOps Toolkit, a set of composable APIs and specialized tools for
keeping Kubernetes clusters in sync with sources of configuration, and automating updates to
configuration when there is new code to deploy.
CLI
- https://github.com/fluxcd/flux2
Controllers
- https://github.com/fluxcd/source-controller
- https://github.com/fluxcd/kustomize-controller
- https://github.com/fluxcd/helm-controller
- https://github.com/fluxcd/image-automation-controller
- https://github.com/fluxcd/image-reflector-controller
- https://github.com/fluxcd/notification-controller
- https://github.com/fluxcd/flagger
Terraform Provider
- https://github.com/fluxcd/terraform-provider-flux
Go SDK
- https://github.com/fluxcd/pkg
3. Flux: Ecosystem News
Adopters & Vendors
GitLab joins Azure, AWS, VMware, D2IQ, Giant Swarm and other vendors that
are relying on Flux to offer GitOps to their users.
Orange joins Deutsche Telekom and other mobile carriers that have adopted
Flux to accelerate the deployment of 5G infrastructure.
Integrations & Extensions
Weaveworks offers a free and open source distribution of Weave GitOps
which includes a Web UI for Flux and a Terraform Controller that extends
Flux’s capabilities beyond Kubernetes.
AWS is developing a Cloud Formation Controller that enables Flux
to manage cloud resources beyond EKS.
4. Open Container Initiative
The Open Container Initiative (OCI) is an open governance structure
under Linux Foundation, that defines the specifications and standards
for container technologies (artifacts, distribution and runtimes).
Unified Artifact Registry
The OCI Distribution Specification is rapidly evolving into a universal solution for
distributing not only container images but any other type of package.
- All major Cloud and SaaS vendors offer support for OCI Artifacts
- Popular package managers such as Homebrew and Helm make use of
OCI artifacts for package distribution
- Various cloud-native projects have adopted OCI for distributing
configuration, policies, addons, WASM, SBOMs, signatures
- Every organization that uses Kubernetes has the infrastructure needed to
store and distribute OCI artifacts (you can’t run Kubernetes without a
container registry).
5. Flux: GitOps Workflow
In the typical GitOps workflow, the Kubernetes clusters must pull the configs from
Git and the container images from a registry.
6. Flux: CI/CD Workflow for OCI artifacts
Using a container registry for both app container images and deploy configs
simplifies the delivery pipeline.
8. Flux: OCI support for Kubernetes configs
# --source and --revision are required by flux push; they are stored as
# annotations on the artifact so it can be traced back to the origin commit.
$ flux push artifact oci://ghcr.io/org/my-app-config:1.0.0 --path ./deploy \
    --source "$(git config --get remote.origin.url)" \
    --revision "$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
# Sign by digest, not by tag, so the signature is bound to immutable content.
$ cosign sign ghcr.io/org/my-app-config@<digest> --key cosign.key
9. Flux: OCI support for Terraform modules
$ flux push artifact oci://docker.io/org/my-app-infra:1.0.0 --path ./infra \
    --source "$(git config --get remote.origin.url)" \
    --revision "$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
$ cosign sign docker.io/org/my-app-infra@<digest> --key cosign.key
10. Flux: Push changes to clusters from CI safely
The Flux CLI can be used to implement a push-based workflow,
where kubectl apply is replaced with flux push.
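The push-based workflow described above, as a GitHub Actions workflow. This is an added example, not code from the talk or from the Flux project; it assumes the deploy manifests live under ./deploy in a repository published to ghcr.io, that the workflow runs on version tags, and that the repository name is lowercase (GHCR rejects uppercase paths). The job requests an OIDC token (id-token: write) so Cosign can sign keyless, and it signs the artifact's digest rather than its tag.

```yaml
name: push-config
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write   # push the artifact to ghcr.io
  id-token: write   # OIDC token that Cosign exchanges for a short-lived Fulcio certificate

jobs:
  push-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install Flux CLI
        uses: fluxcd/flux2/action@main

      - name: Install Cosign
        uses: sigstore/cosign-installer@main

      - name: Log in to GHCR
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push ./deploy as a Flux OCI artifact
        id: push
        # --source and --revision become annotations on the artifact, so a consumer
        # can trace the deployed config back to this exact Git commit.
        # flux push --output json prints the repository and digest; jq joins them
        # into an immutable reference for the signing step.
        run: |
          digest_url=$(flux push artifact \
            oci://ghcr.io/${{ github.repository }}/config:${{ github.ref_name }} \
            --path ./deploy \
            --source "$(git config --get remote.origin.url)" \
            --revision "${{ github.ref_name }}@sha1:$(git rev-parse HEAD)" \
            --output json | jq -r '.repository + "@" + .digest')
          echo "digest_url=${digest_url}" >> "$GITHUB_OUTPUT"

      - name: Sign the artifact by digest (keyless)
        # No --key: Cosign uses the workflow's OIDC identity and records the
        # signature in the public Rekor transparency log.
        run: cosign sign --yes ${{ steps.push.outputs.digest_url }}
```

The signer identity recorded in the certificate is the workflow path plus the triggering ref, which is what a cluster-side verification policy should pin to; no kubectl credentials ever leave the CI job, the registry is the only thing it can write to.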
11. Flux: OCI custom media types
The OCI artifacts produced by flux push are of type vnd.cncf.flux and they
contain information about the origin Git repository and the Git commit SHA.
12. Flux: OCI support for Helm charts
$ helm push my-app-1.0.0.tgz oci://<id>.dkr.ecr.<region>.amazonaws.com/charts
# cosign takes the image reference without the oci:// scheme; with no --key it signs keyless
$ cosign sign <id>.dkr.ecr.<region>.amazonaws.com/charts/my-app@<digest>
13. Flux: Benefits of OCI compared to Git
● Images, configuration and signatures in one place
● Registries have (often) higher availability
● OCI registries are API based, Git not so much
● Regional traffic saves you 💰
● Passwordless authentication
● Keyless integrity verification
14. Flux: (contextual) authentication towards registries
Git
- Secret with an SSH key or basic authentication token
OCI
- Kubernetes Workload Identity attached to controller’s Service Account
- Image pull secrets attached to a referenced Service Account
- Secret reference with a Docker config
Easier to manage, fine-grained access control, better integrated with Kubernetes
and cloud providers.
15. Flux: Integrity verification of (OCI) Sources
Keyless verification, instead of hard to manage identities.
Git
- OpenPGP signatures
- Eventually[1]: SSH signatures
OCI
- Sigstore Cosign (OpenSSF)
- Soon[2]: Notation (CNCF)
[1]: https://github.com/go-git/go-git/pull/705
[2]: https://github.com/fluxcd/source-controller/issues/1072
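The authentication and verification options from the two slides above, as Flux resources. This is an added example, not from the talk or the Flux documentation; the registry path ghcr.io/org/my-app-config, the signing workflow at github.com/org/my-app, the Service Account names and the ECR placeholders are assumed. The first OCIRepository shows the weak configuration (mutable tag, static credential, no signature check); the second shows the hardened one. The matchOIDCIdentity field is assumed to be available (it was added to OCIRepository in a Flux release after this talk); without it, keyless verification accepts any certificate chained to Fulcio.

```yaml
# Weak: mutable tag, long-lived registry credential, no integrity verification.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: my-app-config-unverified
  namespace: flux-system
spec:
  interval: 5m
  url: oci://ghcr.io/org/my-app-config
  ref:
    tag: latest        # whoever can overwrite "latest" decides what the cluster applies
  secretRef:
    name: ghcr-creds   # static docker config JSON that must be rotated by hand
---
# Hardened: immutable selection, contextual auth, keyless verification pinned to one CI identity.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: my-app-config
  namespace: flux-system
spec:
  interval: 5m
  url: oci://ghcr.io/org/my-app-config
  ref:
    semver: ">=1.0.0 <2.0.0"   # or "digest: sha256:<...>" to pin a single artifact
  # On a cloud registry, replace the docker-config Secret with contextual auth, e.g. ECR:
  #   url: oci://<account-id>.dkr.ecr.<region>.amazonaws.com/my-app-config   (placeholders)
  #   provider: aws   # source-controller uses the IAM role bound to its own Service Account
  serviceAccountName: my-app-puller   # image pull secrets on this SA are used instead of secretRef
  verify:
    provider: cosign
    # No verify.secretRef, so verification is keyless: the signature's certificate is
    # checked against the Rekor log, and matchOIDCIdentity restricts accepted signers
    # to the tag-triggered push-config workflow in org/my-app.
    matchOIDCIdentity:
      - issuer: '^https://token\.actions\.githubusercontent\.com$'
        subject: '^https://github\.com/org/my-app/\.github/workflows/push-config\.yaml@refs/tags/v.*$'
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: my-app
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: OCIRepository
    name: my-app-config   # only the verified source is ever applied
  path: ./
  prune: true
  targetNamespace: my-app
  serviceAccountName: my-app-deployer   # apply with a least-privilege SA, not the controller's
```

An artifact whose signature fails verification, or that was signed by a different workflow, is reported in the OCIRepository status and never becomes a new revision for the Kustomization, so the cluster keeps running the last verified version rather than silently picking up the unsigned one.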
16. Flux: Scenarios where OCI may be a better fit than Git
- When the Git repository does not contain the final Kubernetes manifests.
For example, using CUE, Jsonnet or any other tool that generates YAML
resources.
- At the edge, due to reduced resource usage.
- Isolated systems with limited network access, as images are in many cases easier
to mirror than Git repositories.
- Version-based production systems.
- Local development environments.
18. Flux: Demo time 🎉
Spinning up a local dev environment for Flux
using Kubernetes Kind and Docker OSS Registry
https://github.com/stefanprodan/flux-local-dev
19. Closing and final questions
Thank you for your time 🙇
We will be happy to answer any question you may have.