Update

This is a simple example of how to use FluxCD to automatically update Kustomize resources in a Kubernetes cluster. It allows for a set-and-forget approach to managing your Kubernetes deployments, such as well-known open source projects like Postgres or WordPress.

Prerequisites

For the auto update to work, FluxCD needs to be allowed to commit to the Git repository from which it is bootstrapped. On GitHub, for example, make sure that the FluxCD deploy key has write access to the repository (check all permissions under repo).

Next, since the image automation components are not yet installed by default, we need to install the image-automation-controller and image-reflector-controller components during the bootstrap. A Kubernetes cluster that has already been bootstrapped with FluxCD can safely be bootstrapped again with the following command:

Make sure to replace the owner, branch, repository and path with your own values.

export GITHUB_TOKEN=<your-token>
export GITHUB_USER=<your-username>

flux bootstrap github \
  --components-extra=image-reflector-controller,image-automation-controller \
  --owner=$GITHUB_USER \
  --repository=flux-image-updates \
  --branch=main \
  --path=clusters/my-cluster \
  --read-write-key \
  --personal

Once bootstrapped, the new FluxCD resources can be defined in the cluster repository.

ImageUpdateAutomation Resource

The ImageUpdateAutomation resource is used to define the update policy for the images in the cluster. It can be used to define the update policy for a single image or multiple images. The following example shows how to define the image update automation for the entire cluster.

Save the file as image-update-automation.yaml in the clusters/my-cluster directory.

apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        email: [email protected]
        name: fluxcdbot
      messageTemplate: '{{range .Changed.Changes}}{{print .OldValue}} -> {{println
        .NewValue}}{{end}}'
    push:
      branch: main
  interval: 30m0s
  sourceRef:
    kind: GitRepository
    name: flux-system

For each image update, the ImageUpdateAutomation resource commits the change to the repository and pushes it to the main branch, using {{range .Changed.Changes}}{{print .OldValue}} -> {{println .NewValue}}{{end}} as the commit message template.

ImageRepository Resource

The ImageRepository resource is used to define the image source for the image to be auto updated. The following example shows how to define the image repository for the keycloak image.

Save the file as keycloak-registry.yaml in the keycloak kustomize directory. Don’t forget to append the keycloak-registry.yaml to the kustomization.yaml file.

apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: keycloak
  namespace: flux-system
spec:
  image: quay.io/keycloak/keycloak
  interval: 5m

The ImageRepository resource will check for updates to the quay.io/keycloak/keycloak image every 5 minutes.

ImageRepository resources can be checked by running the following command:

flux get images repository keycloak

ImagePolicy Resource

The ImagePolicy resource is used to define the update policy for the images in the cluster. The following example shows how to define the image policy for the keycloak image.

Save the file as keycloak-image-policy.yaml in the keycloak kustomize directory. Don’t forget to append the keycloak-image-policy.yaml to the kustomization.yaml file.

apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: keycloak
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: keycloak
  policy:
    semver:
      range: 25.0.x

The ImagePolicy resource will update the keycloak image to the latest version in the 25.0.x range.

ImagePolicy resources can be checked by running the following command:

flux get images policy keycloak

Apply ImagePolicy to Kustomize Resource

The ImagePolicy resource needs to be applied to the Kustomize resource that uses the image. The following example shows how to apply the ImagePolicy resource to the keycloak Deployment.

...
containers:
  - name: keycloak
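    # The marker comment on the image line below is what links it to the ImagePolicy.
    # Keep the marker as the only comment on that line.
    image: quay.io/keycloak/keycloak:25.0.2 # {"$imagepolicy": "flux-system:keycloak"}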
    args: ["start", "--transaction-xa-enabled", "false"]
    resources:
      requests:
        cpu: "100m"
        memory: "128Mi"
      limits:
        cpu: "1000m"
        memory: "512Mi"
    envFrom:
      - configMapRef:
          name: keycloak-config

The {"$imagepolicy": "flux-system:keycloak"} marker comment applies the keycloak ImagePolicy from the flux-system namespace to this image field.
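A pre-merge check for the marker comments described above, as an added example that is not part of the original post or of the Flux project: it flags markers that name no ImagePolicy defined in the repository and markers that do not parse as a standalone JSON object. It assumes a marker followed by other text on the same line is ignored by the controller; the manifests are constructed samples and the function names are hypothetical.

```python
import json
import re

# Constructed sample manifests (not taken from a real repository).
POLICY_YAML = """\
kind: ImagePolicy
metadata:
  name: keycloak
  namespace: flux-system
"""
DEPLOYMENT_YAML = """\
containers:
  - name: keycloak
    image: quay.io/keycloak/keycloak:25.0.2 # {"$imagepolicy": "flux-system:keycloak"}
  - name: proxy
    image: example.test/proxy:1.0.0 # {"$imagepolicy": "flux-system:proxy"}
  - name: sidecar
    image: example.test/sidecar:2.1.0 # {"$imagepolicy": "flux-system:keycloak"} <-- here
"""

def defined_policies(text):
    """Return the set of "namespace:name" for every ImagePolicy document in text."""
    found = set()
    for doc in re.split(r"^---\s*$", text, flags=re.M):
        name = re.search(r"^  name:\s*(\S+)", doc, re.M)
        ns = re.search(r"^  namespace:\s*(\S+)", doc, re.M)
        if re.search(r"^kind:\s*ImagePolicy\s*$", doc, re.M) and name and ns:
            found.add(f"{ns.group(1)}:{name.group(1)}")
    return found

def lint_markers(text, policies):
    """Return [(line_no, problem)] for each $imagepolicy marker that will not resolve."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if "$imagepolicy" not in line:
            continue
        comment = line.partition(" #")[2].strip()
        try:
            ref = json.loads(comment)["$imagepolicy"]
            key = ":".join(ref.split(":")[:2])  # drop an optional :tag / :name suffix
        except (ValueError, KeyError, TypeError, AttributeError):
            problems.append((no, "marker is not a standalone JSON object"))
            continue
        if key not in policies:
            problems.append((no, f"no ImagePolicy named {key}"))
    return problems

if __name__ == "__main__":
    for no, problem in lint_markers(DEPLOYMENT_YAML, defined_policies(POLICY_YAML)):
        print(f"line {no}: {problem}")
```

Run it in CI over the cluster repository so that an image line silently dropped from automation is caught before it falls behind on patch releases.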

Once a new image is available, FluxCD will automatically update the image in the keycloak Deployment.

2024-07-21T11:00:27.120Z info ImagePolicy/keycloak.flux-system - Latest image tag for 'quay.io/keycloak/keycloak' updated from 25.0.1 to 25.0.2
2024-07-21T11:00:27.129Z info ImagePolicy/keycloak.flux-system - Latest image tag for 'quay.io/keycloak/keycloak' updated from 25.0.1 to 25.0.2
2024-07-18T07:14:21.271Z info GitRepository/flux-system.flux-system - stored artifact for commit 'quay.io/keycloak/keycloak:25.0.1 -> quay.io/keyclo...'

Caution

Make sure that the deployment update strategy is set to the preferred value, for example RollingUpdate or Recreate. Since FluxCD will automatically update the image, it is important to have a proper deployment strategy in place to avoid any downtime.
