Adding a GitRepo

Proper namespace

Git repos are added to the Fleet manager using the GitRepo custom resource type. The GitRepo type is namespaced. By default, Rancher will create two Fleet workspaces: fleet-default and fleet-local.

  • Fleet-default will contain all the downstream clusters that are already registered through Rancher.
  • Fleet-local will contain the local cluster by default.

If you are using Fleet in a single cluster style, the namespace will always be fleet-local. Check here for more on the fleet-local namespace.

For a multi-cluster style, ensure you use the correct workspace so that the GitRepo maps to the right target clusters.

Create GitRepo instance

Git repositories are registered by creating a GitRepo following the YAML sample below. Refer to the inline comments for the meaning of each field.

```yaml
kind: GitRepo
apiVersion: fleet.cattle.io/v1alpha1
metadata:
  # Any name can be used here
  name: my-repo
  # For single cluster use fleet-local, otherwise use the namespace of
  # your choosing
  namespace: fleet-local
spec:
  # This can be a HTTPS or git URL. If you are using a git URL then
  # clientSecretName will probably need to be set to supply a credential.
  # repo is the only required parameter for a repo to be monitored.
  #
  repo: https://github.com/rancher/fleet-examples
  # Enforce all resources go to this target namespace. If a cluster scoped
  # resource is found the deployment will fail.
  #
  # targetNamespace: app1
  # Any branch can be watched, this field is optional. If not specified the
  # branch is assumed to be master
  #
  # branch: master
  # A specific commit or tag can also be watched.
  #
  # revision: v0.3.0
  # For a private registry you must supply a clientSecretName. A default
  # secret can be set at the namespace level using the GitRepoRestriction
  # type. Secrets must be of the type "kubernetes.io/ssh-auth" or
  # "kubernetes.io/basic-auth". The secret is assumed to be in the
  # same namespace as the GitRepo
  #
  # clientSecretName: my-ssh-key
  #
  # If fleet.yaml contains a private Helm repo that requires authentication,
  # provide the credentials in a K8s secret and specify them here.
  # Danger: the credentials will be sent to all repositories referenced from
  # this gitrepo. See section below for more information.
  #
  # helmSecretName: my-helm-secret
  #
  # To add an additional ca-bundle for self-signed certs, caBundle can be
  # filled with base64 encoded pem data. For example:
  # `cat /path/to/ca.pem | base64 -w 0`
  #
  # caBundle: my-ca-bundle
  #
  # Disable SSL verification for git repo
  #
  # insecureSkipTLSVerify: true
  #
  # A git repo can read multiple paths in a repo at once.
  # The below field is expected to be an array of paths and
  # supports path globbing (ex: some/*/path)
  #
  # Example:
  # paths:
  # - single-path
  # - multiple-paths/*
  paths:
  - simple
  # PollingInterval configures how often fleet checks the git repo. The default
  # is 15 seconds.
  # Setting this to zero does not disable polling. It results in a 15s
  # interval, too.
  # As checking a git repo incurs a CPU cost, raising this value can help
  # lower fleetcontroller's CPU usage if tens of git repos or more are used.
  #
  # pollingInterval: 15s
  # Paused causes changes in Git to not be propagated down to the clusters but
  # instead marks resources as OutOfSync
  #
  # paused: false
  # Increment this number to force a redeployment of contents from Git
  #
  # forceSyncGeneration: 0
  # The service account that will be used to perform this deployment.
  # This is the name of the service account that exists in the
  # downstream cluster in the cattle-fleet-system namespace. It is assumed
  # this service account already exists, so it should be created beforehand,
  # most likely coming from another git repo registered with
  # the Fleet manager.
  #
  # serviceAccount: moreSecureAccountThanClusterAdmin
  # Target clusters to deploy to if running Fleet in a multi-cluster
  # style. Refer to the "Mapping to Downstream Clusters" docs for
  # more information.
  #
  # targets: ...
```

Adding Private Git Repository

Fleet supports both HTTP and SSH key authentication for private repositories. To use either, you have to create a secret in the same namespace as the GitRepo.

For example, to generate a private SSH key:

```sh
ssh-keygen -t rsa -b 4096 -m pem -C "[email protected]"
```

Note: The private key format has to be EC PRIVATE KEY, RSA PRIVATE KEY or PRIVATE KEY and should not contain a passphrase.

Put your private key into a secret, using the namespace the GitRepo is in:

```sh
kubectl create secret generic ssh-key -n fleet-default --from-file=ssh-privatekey=/file/to/private/key --type=kubernetes.io/ssh-auth
```

Caution: A private key with a passphrase is not supported.

Caution: The key has to be in PEM format.

Fleet supports putting known_hosts into the SSH secret. Here is an example of how to add it.

Fetch the public key hash (taking GitHub as an example):

```sh
ssh-keyscan -H github.com
```

And add it into the secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: <private-key>
  known_hosts: |-
    |1|YJr1VZoi6dM0oE+zkM0do3Z04TQ=|7MclCn1fLROZG+BgR4m1r8TLwWc= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
```

Danger: If you don't add it, any server's public key will be trusted and added (ssh -o stricthostkeychecking=accept-new will be used).

Info: If you are using the OpenSSH format for the private key and you are creating it in the UI, make sure a carriage return is appended at the end of the private key.
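The checks this section spells out (PEM header, no passphrase, trailing newline) and the known_hosts pinning it recommends, as one added script that is not part of the Fleet docs or project; the function names and the output file name are this example's own, and it renders the Secret manifest instead of calling kubectl directly:

```sh
#!/bin/sh
# Validate an SSH private key against the constraints stated above before it
# goes into a kubernetes.io/ssh-auth secret. Returns 0 if usable, 1 otherwise.
check_fleet_ssh_key() {
  key="$1"
  [ -r "$key" ] || { echo "unreadable key file: $key" >&2; return 1; }
  case "$(head -n 1 "$key")" in
    '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----') ;;
    '-----BEGIN OPENSSH PRIVATE KEY-----')
      echo "openssh format; regenerate with 'ssh-keygen -m pem'" >&2; return 1 ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----')
      echo "passphrase-protected PKCS#8 key is not supported" >&2; return 1 ;;
    *) echo "not a PEM private key" >&2; return 1 ;;
  esac
  # Traditional PEM keys mark passphrase protection with a Proc-Type header.
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
    echo "passphrase-protected key is not supported" >&2; return 1
  fi
  # The key must end with a newline (the note above about keys pasted in the UI).
  if [ -n "$(tail -c 1 "$key")" ]; then
    echo "key lacks a trailing newline" >&2; return 1
  fi
  return 0
}

# Print a Secret manifest of the same shape as the one above. $4 is an optional
# known_hosts file (for example the output of `ssh-keyscan -H github.com`); with
# it set, the git server's host key is pinned instead of accepted on first use.
render_ssh_secret() {
  name="$1"; ns="$2"; key="$3"; known_hosts="$4"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
  printf 'type: kubernetes.io/ssh-auth\nstringData:\n  ssh-privatekey: |\n'
  sed 's/^/    /' "$key"
  if [ -n "$known_hosts" ]; then
    printf '  known_hosts: |-\n'
    sed 's/^/    /' "$known_hosts"
  fi
}

# Usage: sh fleet-ssh-secret.sh <key-file> [known_hosts-file] | kubectl apply -f -
if [ "$#" -ge 1 ]; then
  check_fleet_ssh_key "$1" && render_ssh_secret ssh-key fleet-default "$1" "${2:-}"
fi
```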

Using HTTP Auth

Create a secret containing a username and password. You can replace the password with a personal access token if necessary. Also see HTTP secrets in GitHub.

```sh
kubectl create secret generic basic-auth-secret -n fleet-default --type=kubernetes.io/basic-auth --from-literal=username=$user --from-literal=password=$pat
```

Just like with SSH, reference the secret in your GitRepo resource via clientSecretName.

```yaml
spec:
  repo: https://github.com/fleetrepoci/gitjob-private.git
  branch: main
  clientSecretName: basic-auth-secret
```

Using Private Helm Repositories

Danger: The credentials will be used unconditionally for all Helm repositories referenced by the GitRepo resource. Make sure you don't leak credentials by mixing public and private repositories. As a workaround, split them into different GitRepos.

For a private Helm repo, users can reference a secret with the following keys:

  1. username and password for basic HTTP auth, if the Helm HTTP repo is behind basic auth.
  2. cacerts for a custom CA bundle, if the Helm repo is using a custom CA.
  3. ssh-privatekey for an SSH private key, if the repo is using the SSH protocol. A private key with a passphrase is not supported currently.

For example, to add such a secret with kubectl, run:

```sh
kubectl create secret -n $namespace generic helm --from-literal=username=foo --from-literal=password=bar --from-file=cacerts=/path/to/cacerts --from-file=ssh-privatekey=/path/to/privatekey.pem
```

After the secret is created, reference it in gitRepo.spec.helmSecretName. Make sure the secret is created in the same namespace as the GitRepo.

Troubleshooting

See the Fleet Troubleshooting section here.