Flux Daemon


Flux daemon (fluxd, aka flux agent) automates application deployments and version-controls cluster configuration. Keeping cluster manifests under version control provides reproducibility and a historical trail of events.

Flux daemon responsibilities

A) Continuous Deployment
    Flux daemon monitors the user's git repo of Kubernetes manifests for changes,
    which it then deploys to the cluster.

    Flux daemon monitors the container registry for updates to running container
    images. Detection of an image change (running container image tag vs container
    registry image tag) triggers a k8s manifest update, which is committed to the
    user git repository, then deployed to the Kubernetes cluster.

B) Deployment approaches
    Automate vs Deautomate
        Deployment happens automatically when a new image tag is detected.
        A deautomated deployment will not proceed until it is manually released
        (through the UI or the CLI tool fluxctl).

    Lock vs Unlock
        A locked deployment is pinned to a particular image tag. A new deployment
        will not proceed even when a release is triggered.

More information

Setting up and configuring fluxd is discussed in our standalone setup document.


fluxd requires setup and offers customization through a multitude of flags.

| flag | default | purpose |
|---|---|---|
| --listen, -l | :3030 | listen address where /metrics and API will be served |
| --listen-metrics | | listen address for /metrics endpoint |
| --kubernetes-kubectl | | optional, explicit path to kubectl tool |
| --version | false | output the version number and exit |
| **Git repo & key etc.** | | |
| --git-url | | URL of git repo with Kubernetes manifests; e.g., |
| --git-branch | master | branch of git repo to use for Kubernetes manifests |
| --git-ci-skip | false | when set, fluxd will append `\n\n[ci skip]` to its commit messages |
| --git-ci-skip-message | "" | if provided, fluxd will append this to commit messages (overrides --git-ci-skip) |
| --git-path | | path within git repo to locate Kubernetes manifests (relative path) |
| --git-user | Weave Flux | username to use as git committer |
| --git-email | | email to use as git committer |
| --git-set-author | false | if set, the author of git commits will reflect the user who initiated the commit and will differ from the git committer |
| --git-label | | label to keep track of sync progress; overrides both --git-sync-tag and --git-notes-ref |
| --git-sync-tag | flux-sync | tag to use to mark sync progress for this cluster (old config, still used if --git-label is not supplied) |
| --git-notes-ref | flux | ref to use for keeping commit annotations in git notes |
| --git-poll-interval | 5m | period at which to fetch any new commits from the git repo |
| --git-timeout | 20s | duration after which git operations time out |
| **syncing** | | control over how config is applied to the cluster |
| --sync-interval | 5m | apply the git config to the cluster at least this often. New commits may provoke more frequent syncs |
| **registry cache** | | none of these need overriding, usually |
| --memcached-hostname | memcached | hostname for memcached service to use for caching image metadata |
| --memcached-timeout | 1s | maximum time to wait before giving up on memcached requests |
| --memcached-service | memcached | SRV service used to discover memcache servers |
| --registry-cache-expiry | 1h | duration to keep cached registry tag info. Must be < 1 month. |
| --registry-poll-interval | 5m | period at which to poll registry for new images |
| --registry-rps | 200 | maximum registry requests per second per host |
| --registry-burst | 125 | maximum number of warmer connections to remote and memcache |
| --registry-insecure-host | [] | registry hosts to use HTTP for (instead of HTTPS) |
| --docker-config | "" | path to a Docker config file with default image registry credentials |
| --registry-ecr-region | [] | allow these AWS regions when scanning images from ECR (multiple values allowed); defaults to the detected cluster region |
| --registry-ecr-include-id | [] | include these AWS account ID(s) when scanning images in ECR (multiple values allowed); empty means allow all, unless excluded |
| --registry-ecr-exclude-id | `[<EKS SYSTEM ACCOUNT>]` | exclude these AWS account ID(s) when scanning ECR (multiple values allowed); defaults to the EKS system account, so system images will not be scanned |
| **k8s-secret backed ssh keyring configuration** | | |
| --k8s-secret-name | flux-git-deploy | name of the k8s secret used to store the private SSH key |
| --k8s-secret-volume-mount-path | /etc/fluxd/ssh | mount location of the k8s secret storing the private SSH key |
| --k8s-secret-data-key | identity | data key holding the private SSH key within the k8s secret |
| **k8s configuration** | | |
| --k8s-namespace-whitelist | | experimental, optional: restrict the view of the cluster to the namespaces listed. All namespaces are included if this is not set. |
| **upstream service** | | |
| --connect | | connect to an upstream service, e.g., Weave Cloud, at this base address |
| --token | | authentication token for upstream service |
| **SSH key generation** | | |
| --ssh-keygen-bits | | -b argument to ssh-keygen (default unspecified) |
| --ssh-keygen-type | | -t argument to ssh-keygen (default unspecified) |
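As an added example (not part of the Flux project's own documentation), the Deployment below wires the flags above together with the k8s secret that holds the deploy key; the namespace, service account, image tag, repository URL, manifest path and memcached address are constructed placeholders.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flux
  namespace: flux            # assumed: a dedicated namespace for the agent
spec:
  replicas: 1
  selector:
    matchLabels:
      name: flux
  template:
    metadata:
      labels:
        name: flux
    spec:
      serviceAccountName: flux   # assumed: RBAC-bound service account for fluxd
      volumes:
        - name: git-key
          secret:
            secretName: flux-git-deploy   # page default for --k8s-secret-name
            defaultMode: 0400             # key readable only by the fluxd process
      containers:
        - name: flux
          image: docker.io/weaveworks/flux:VERSION_PLACEHOLDER   # placeholder tag
          ports:
            - containerPort: 3030         # --listen default :3030 (/metrics and API)
          volumeMounts:
            - name: git-key
              mountPath: /etc/fluxd/ssh   # must equal --k8s-secret-volume-mount-path
              readOnly: true
          args:
            - --git-url=git@github.com:example-org/cluster-config.git   # constructed
            - --git-branch=master
            - --git-path=clusters/prod    # constructed: manifests live in this subdirectory
            - --git-label=flux-sync-prod  # one label replaces --git-sync-tag and --git-notes-ref
            - "--git-user=Weave Flux"
            - --git-email=flux@example.com
            - --git-set-author=true       # commit author = user who initiated the release
            - --git-ci-skip=true          # keep fluxd's own commits from re-triggering CI
            - --git-poll-interval=5m
            - --sync-interval=5m
            - --registry-poll-interval=5m
            - --registry-cache-expiry=1h  # must stay below one month
            - --memcached-hostname=memcached.flux.svc.cluster.local   # assumed Service name
            - --k8s-namespace-whitelist=prod   # restrict the agent's view to one namespace
            - --k8s-secret-name=flux-git-deploy
            - --k8s-secret-volume-mount-path=/etc/fluxd/ssh
            - --k8s-secret-data-key=identity
            # no --registry-insecure-host entry: registries are reached over HTTPS only
```

The secret's data key (`identity`) and the mount path must agree with the corresponding flags, otherwise fluxd cannot find the private key and every git operation times out after --git-timeout.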