![Flux: Integrity verification of (OCI) Sources
Keyless verification, instead of hard to manage identities.
Git
- OpenPGP signatures
- Eventually[1]
: SSH signatures
OCI
- Sigstore Cosign (OpenSSF)
- Soon[2]
: Notation (CNCF)
[1]: https://github.com/go-git/go-git/pull/705
[2]: https://github.com/fluxcd/source-controller/issues/1072](https://image.slidesharecdn.com/fluxocikubeconeu23-230502125353-f845f05f/85/Flux-Beyond-Git-Harnessing-the-Power-of-OCI-15-320.jpg)
Flux Beyond Git Harnessing the Power of OCI
- 1. Hidde Beydals (Flux core maintainer, Weaveworks) Stefan Prodan (Flux core maintainer, Weaveworks) Flux Beyond Git Harnessing the Power of OCI
- 2. Flux: Project overview The Flux project aims to provide a complete Continuous Delivery platform on top of Kubernetes, supporting all the common practices and tooling in the field. Flux v2 is powered by the GitOps Toolkit, a set of composable APIs and specialized tools for keeping Kubernetes clusters in sync with sources of configuration, and automating updates to configuration when there is new code to deploy. CLI - https://github.com/fluxcd/flux2 Controllers - https://github.com/fluxcd/source-controller - https://github.com/fluxcd/kustomize-controller - https://github.com/fluxcd/helm-controller - https://github.com/fluxcd/image-automation-controller - https://github.com/fluxcd/image-reflector-controller - https://github.com/fluxcd/notification-controller - https://github.com/fluxcd/flagger Terraform Provider - https://github.com/fluxcd/terraform- provider-flux Go SDK - https://github.com/fluxcd/pkg
- 3. Flux: Ecosystem News Adopters & Vendors GitLab joins Azure, AWS, VMware, D2IQ, Giant Swarm and other vendors that are relying on Flux to offer GitOps to their users. Orange joins Deutsche Telekom and other mobile carriers that have adopted Flux to accelerate the deployment of 5G infrastructure. Integrations & Extensions Weaveworks offers a free and open source distribution of Weave GitOps which includes a Web UI for Flux and a Terraform Controller that extends Flux’s capabiles beyond Kubernetes. AWS is developing a Cloud Formation Controller that enables Flux to manage cloud resources beyond EKS.
- 4. Open Container Initiative The Open Container Initiative (OCI) is an open governance structure under Linux Foundation, that defines the specifications and standards for container technologies (artifacts, distribution and runtimes). Unified Artifact Registry The OCI distribution is rapidly evolving into an universal solution for distributing not only container images but any other type of package. - All major Cloud and SaaS vendors offer support for OCI Artifacts - Popular package managers such as Homebrew and Helm make use of OCI artifacts for package distribution - Various cloud-native projects have adopted OCI for distributing configuration, policies, addons, WASM, SBOMs, signatures - Every organization that uses Kubernetes has the infrastructure needed to store and distribute OCI artifacts (you can’t run Kubernetes without a container registry).
- 5. Flux: GitOps Workflow In the typical GitOps workflow, the Kubernetes clusters must pull the configs from Git and the container images from a registry.
- 6. Flux: CI/CD Workflow for OCI artifacts Using a container registry for both app container images and deploy configs, simplifies the delivery pipeline.
- 7. Flux: Source APIs Flux offers interchangeable APIs for defining Git and OCI sources.
- 8. Flux: OCI support for Kubernetes configs $ flux push artifact oci://ghcr.io/org/my-app-config:1.0.0 --path ./deploy $ cosign sign ghcr.io/org/my-app-config@<digest> --key cosign.key
- 9. Flux: OCI support for Terraform modules $ flux push artifact oci://docker.io/org/my-app-infra:1.0.0 --path ./infra $ cosign sign docker.io/org/my-app-infra@<digest> --key cosign.key
- 10. Flux: Push changes to clusters from CI safely The Flux CLI can be used to implement a push-based workflow, where kubectl apply is replaced with flux push.
- 11. Flux: OCI custom media types The OCI artifacts produced by flux push are of type vnd.cncf.flux and they contain information about the origin Git repository and the Git commit SHA.
- 12. Flux: OCI support for Helm charts $ helm push my-app-1.0.0.tgz oci://<id>.dkr.ecr.amazonws.com/charts $ cosign sign oci://<id>.dkr.ecr.amazonws.com/charts/my-app@<digest>
- 13. Flux: Benefits of OCI compared to Git ● Images, configuration and signatures in one place ● Registries have (often) higher availability ● OCI registries are API based, Git not so much ● Regional traffic saves you 💰 ● Passwordless authentication ● Keyless integrity verification
- 14. Flux: (contextual) authentication towards registries Git - Secret with a SSH key or basic authentication token OCI - Kubernetes Workload Identity attached to controller’s Service Account - Image pull secrets attached to a referenced Service Account - Secret reference with a Docker config Easier to manage, fine-grain access control, better integrated with Kubernetes and cloud providers.
- 15. Flux: Integrity verification of (OCI) Sources Keyless verification, instead of hard to manage identities. Git - OpenPGP signatures - Eventually[1] : SSH signatures OCI - Sigstore Cosign (OpenSSF) - Soon[2] : Notation (CNCF) [1]: https://github.com/go-git/go-git/pull/705 [2]: https://github.com/fluxcd/source-controller/issues/1072
- 16. Flux: Scenarios where OCI may be a better fit than Git - When the Git repository does not contain the final Kubernetes manifests. For example, using CUE, Jsonnet or any other tool that generates YAML resources. - At the edge, due to reduced resource usage. - Isolated systems with limited network access. As images are in many cases easier to mirror than Git repositories. - Version based production systems. - Local development environments.
- 17. Flux: OCI resources - OCIRepository specification: https://fluxcd.io/flux/components/source/ocirepositories/ - HelmRepository OCI specification: https://fluxcd.io/flux/components/source/helmrepositories/#helm-oci-repository - OCI cheatsheet: https://fluxcd.io/flux/cheatsheets/oci-artifacts/ - flux-local-dev: https://github.com/stefanprodan/flux-local-dev - flux-aio: https://github.com/stefanprodan/flux-aio
- 18. Flux: Demo time 🎉 Spinning up a local dev environment for Flux using Kubernetes Kind and Docker OSS Registry https://github.com/stefanprodan/flux-local-dev
- 19. Closing and final questions Thank you for your time 🙇 We will be happy to answer any question you may have.