Provide Namespace-as-a-Service to tenants, the GitOps way.
This repository introduces the Tenant concept into the GitOps multi-tenancy scenario with Flux v2.
It is a fork of fluxcd/flux2-multi-tenancy.
The setup gives each tenant an unprivileged space that the tenant declares and Flux reconciles securely.
Reconciliation stays unprivileged because Flux impersonates an unprivileged Kubernetes user (the tenant's GitOps reconciler ServiceAccount) and reaches the cluster through Capsule, which enforces the boundaries between tenants.
For more details please see the architecture.
Fork this repository and point the following fields at your fork:

- `GitRepository.spec.url` in `clusters/staging/flux-system/gotk-sync.yaml`
- `GitRepository.spec.url` in `tenants/base/dev-team/sync.yaml`
A GitHub personal access token, exported as `GITHUB_TOKEN`, is needed so that `flux bootstrap` can push the Flux configuration to the forked repository and add a deploy key for reading from it.
The token is used only during bootstrap; afterwards it can be discarded and revoked.

```sh
# local cluster that the clusters/staging path will be reconciled into
kind create cluster

# personal access token with repo access; only needed while bootstrapping
export GITHUB_TOKEN=<your-token>
export GITHUB_USER=<your-username>
export GITHUB_REPO=<repository-name>

# installs the Flux controllers and commits their manifests to the fork
flux bootstrap github \
    --owner=${GITHUB_USER} \
    --repository=${GITHUB_REPO} \
    --branch=main \
    --personal \
    --path=clusters/staging

# note: a force push overwrites the commits bootstrap just made to main
# unless you have pulled them into your local branch first
git push origin main -f
```
You need to create a Secret containing a kubeconfig that specifies:

- `server`: the Capsule Proxy Service URL
- `token`: the token of the Tenant GitOps reconciler ServiceAccount

To ease the task, use the proxy-kubeconfig-generator utility:
```sh
go install github.com/maxgio92/proxy-kubeconfig-generator@latest

proxy-kubeconfig-generator \
    --kubeconfig-secret-key kubeconfig \
    --namespace dev-team \
    --server 'https://capsule-proxy.flux-system.svc:9001' \
    --server-tls-secret-namespace flux-system \
    --server-tls-secret-name capsule-proxy \
    --serviceaccount gitops-reconciler
```
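The generator above writes that Secret for you. As an added example, not code from this repository or from proxy-kubeconfig-generator, the following shell script builds the same kind of Secret by hand so that the two required fields, and the checks worth running before applying it, are visible. It assumes the Capsule Proxy URL used in the command above and the Secret key `kubeconfig`; the Secret name `gitops-reconciler-kubeconfig`, the CA blob and the token are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the repository: hand-build the kubeconfig Secret that
# a tenant's Flux reconciler uses to reach the cluster through Capsule Proxy.
set -eu

# Render a kubeconfig whose only cluster is the Capsule Proxy (never the API
# server itself) and whose only user authenticates with a bearer token, i.e.
# the tenant reconciler ServiceAccount's token.
render_kubeconfig() {
  local server="$1" ca_b64="$2" token="$3" namespace="$4"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: capsule-proxy
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: gitops-reconciler
  user:
    token: ${token}
contexts:
- name: gitops-reconciler@capsule-proxy
  context:
    cluster: capsule-proxy
    user: gitops-reconciler
    namespace: ${namespace}
current-context: gitops-reconciler@capsule-proxy
EOF
}

# Wrap the kubeconfig in an Opaque Secret under the key "kubeconfig", the same
# key passed to proxy-kubeconfig-generator with --kubeconfig-secret-key.
render_secret() {
  local name="$1" namespace="$2" kubeconfig="$3" data
  data=$(printf '%s' "$kubeconfig" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: Opaque
data:
  kubeconfig: ${data}
EOF
}

# Checks worth running before applying: the server must be the proxy, the user
# must be token-based (no client certificate), and the context namespace must
# be the tenant's own namespace. Returns 0 when all checks pass.
check_kubeconfig() {
  local kubeconfig="$1" namespace="$2"
  printf '%s\n' "$kubeconfig" | grep -q 'server: https://capsule-proxy\.' || return 1
  printf '%s\n' "$kubeconfig" | grep -q '^    token: .' || return 1
  if printf '%s\n' "$kubeconfig" | grep -q 'client-certificate'; then return 1; fi
  printf '%s\n' "$kubeconfig" | grep -q "namespace: ${namespace}\$" || return 1
  return 0
}

# Demonstration with constructed inputs (the CA blob and token are placeholders,
# not real credentials).
SERVER='https://capsule-proxy.flux-system.svc:9001'
CA_B64=$(printf 'constructed-ca-cert' | base64 | tr -d '\n')
TOKEN='constructed-sa-token'
KUBECONFIG_YAML=$(render_kubeconfig "$SERVER" "$CA_B64" "$TOKEN" dev-team)
check_kubeconfig "$KUBECONFIG_YAML" dev-team
render_secret gitops-reconciler-kubeconfig dev-team "$KUBECONFIG_YAML"
```

Against a real cluster the CA comes from the `capsule-proxy` TLS Secret in `flux-system` (the one named by `--server-tls-secret-name`) and the token from `kubectl create token gitops-reconciler -n dev-team`; the rendered manifest is then piped to `kubectl apply -f -` and referenced from the tenant's Flux Kustomization through `spec.kubeConfig.secretRef` (name plus the `kubeconfig` key). The checks matter because a kubeconfig that points at the API server directly, or that carries an admin client certificate, would let the tenant reconciler step outside the boundary Capsule is meant to enforce.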