You are viewing documentation for Flux version: 2.0

Version 2.0 of the documentation is no longer actively maintained. The site that you are currently viewing is an archived snapshot. For up-to-date documentation, see the latest version.

Using Flux on GCP With Source Repository

How to bootstrap Flux on GCP GKE with Cloud Source repositories.

Cluster Creation

To create a cluster with Google Cloud you can use the gcloud cli or the Google Cloud Console.

The following command creates a cluster with the default configuration.

gcloud containers create sample-cluster

For more details on how to create a GKE cluster with gcloud, please see the Cloud SDK Documentation

Source Repository Creation

Create a Cloud Source Repository that will hold your Flux installation manifests and other Kubernetes resources. Like the cluster, it can be created with the CLI or the console.

Flux Installation

Download the Flux CLI and bootstrap Flux with:

flux bootstrap git \
--url=ssh://<user><project-name>/r/<repo-name> \
--branch=master \

The above command will prompt you to add a deploy key to your repository, but Cloud Source Repository does not support repository or org-specific deploy keys. You may add the deploy key to a user’s personal SSH keys, but take note that revoking the user’s access to the repository will also revoke Flux’s access. The better alternative is to create a dedicated user for Flux.

You can also use a SSH key that was already added to Cloud Source Repository by adding the --private-key-file and --password flags.

Flux Upgrade

To upgrade Flux, first you need to download the new CLI binary from GitHub release.

Flux components can be upgraded by running the bootstrap command again with the same arguments as before:

flux bootstrap git \
--url=ssh://<user><project-name>/r/<repo-name> \
--branch=master \

To upgrade Flux in a GitOps manner, you can generate the components manifests with the install command and commit the changes to your Git repository:

flux install --export > clusters/my-cluster/flux-system/gotk-components.yaml
git add -A
git commit -m "Update $(flux -v)"
git push

Once Flux detects the changes in Git, it will upgrade itself.

Secrets Management with SOPS and GCP KMS

You would need to create GCP KMS key and have workload identity enabled on the GKE cluster. Create an IAM service account that has Cloud KMS CryptoKey Decrypter role and allow the kustomize-controller service account to impersonate this service account by adding an IAM policy binding between it and the IAM service account.

gcloud iam service-accounts add-iam-policy-binding <iam-service-account>@<project-name> \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:<project-name>[flux-system/kustomize-controller]"

Patch the kustomize-controller with the<iam-service-account>@<project-name> annotation so that it can access GCP KMS. You can start committing your encrypted files to Git with the proper GCP KMS configuration.

See the Mozilla SOPS AWS Guide for further detail.

Image Updates with Google Container Registry

You will need to create an GCR registry. Most new GKE cluster by default have access to Google Container Registry in the same project. But if you have enabled Workload Identity on your cluster, you would need to create an IAM service account that has access to GCR.

You may need to update your Flux install to include additional components:

flux bootstrap git \
--url=ssh://<user><project-name>/r/<repo-name> \
--branch=master \

Follow the Image Update Automation Guide and see the GCP specific Image Automation Contollers documentation for more details on how to configure image update automation for GKE.