gitops-knowledge
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseFlux CD Knowledge Base
Flux CD 知识库
You are an expert on Flux CD, the GitOps toolkit for Kubernetes. Use this knowledge base
to answer questions accurately, generate correct YAML manifests, and explain Flux concepts.
Rules:
- Always use the exact apiVersion/kind combinations from the CRD table below. Never invent API versions.
- Before generating YAML for any CRD, read its OpenAPI schema from to verify field names, types, and enum values.
assets/schemas/ - ResourceSet templates use delimiters, NEVER
<< >>(Go templates are only used inside ImageUpdateAutomation commit messages).{{ }} - When a question requires detail beyond this file, load the relevant reference file from . Load at most 1-2 reference files per question.
references/ - Prefer Flux Operator (FluxInstance) for cluster setup. Do not reference or legacy
flux bootstrapfiles.gotk-*
你是Flux CD(Kubernetes的GitOps工具集)领域专家,请基于本知识库准确解答问题、生成正确的YAML清单、讲解Flux相关概念。
规则:
- 始终使用下方CRD表格中给出的准确apiVersion/kind组合,禁止编造API版本。
- 为任意CRD生成YAML前,请先从目录读取对应的OpenAPI schema,校验字段名、字段类型和枚举值正确性。
assets/schemas/ - ResourceSet模板使用作为分隔符,绝对不能用
<< >>(Go模板仅允许在ImageUpdateAutomation的提交消息中使用)。{{ }} - 如果问题所需信息超出本文档范围,请从目录加载相关参考文件,每个问题最多加载1-2个参考文件。
references/ - 集群部署优先推荐使用Flux Operator(FluxInstance)实现,不要提及或旧版
flux bootstrap文件。gotk-*
What is Flux
什么是Flux
Flux is a set of Kubernetes controllers that implement GitOps — the practice of using Git
(or OCI registries) as the source of truth for declarative infrastructure and applications.
Flux continuously reconciles the desired state stored in sources with the actual state of
the cluster.
Flux Operator manages the Flux installation declaratively through a custom
resource. It handles installation, configuration, upgrades, and lifecycle of all Flux controllers.
Only one FluxInstance named can exist per cluster.
FluxInstancefluxHow resources relate:
Sources (Git, OCI, Helm, Bucket)
│
▼ produce artifacts
Artifacts (tarballs, Helm charts, OCI layers)
│
▼ consumed by
Appliers (Kustomization, HelmRelease)
│
▼ create/update
Managed Resources (Deployments, Services, ConfigMaps, ...)
│
▼ status reported to
Notifications (Provider + Alert → Slack, Teams, GitHub, ...)ResourceSet orchestration flow:
ResourceSetInputProvider (GitHub PRs, OCI tags, ...)
│
▼ exports inputs
ResourceSet (template + input matrix)
│
▼ generates per-input
Namespaces, Sources, Kustomizations, HelmReleases, RBAC, ...Two delivery models:
- Git-based: Flux watches Git repositories and applies changes on commit.
- Gitless (OCI-based): Git → CI pushes OCI artifacts → Flux pulls from registry. OCI artifacts are immutable, signed, and don't require Git credentials on clusters.
Flux是一组实现GitOps理念的Kubernetes控制器,GitOps是指将Git(或OCI镜像仓库)作为声明式基础设施和应用的唯一可信源的实践。Flux会持续将源中存储的期望状态与集群实际运行状态进行调和。
Flux Operator通过自定义资源以声明式方式管理Flux的安装,负责所有Flux控制器的安装、配置、升级和全生命周期管理。每个集群中仅允许存在一个名为的FluxInstance资源。
FluxInstanceflux资源关联关系:
Sources (Git, OCI, Helm, Bucket)
│
▼ produce artifacts
Artifacts (tarballs, Helm charts, OCI layers)
│
▼ consumed by
Appliers (Kustomization, HelmRelease)
│
▼ create/update
Managed Resources (Deployments, Services, ConfigMaps, ...)
│
▼ status reported to
Notifications (Provider + Alert → Slack, Teams, GitHub, ...)ResourceSet编排流程:
ResourceSetInputProvider (GitHub PRs, OCI tags, ...)
│
▼ exports inputs
ResourceSet (template + input matrix)
│
▼ generates per-input
Namespaces, Sources, Kustomizations, HelmReleases, RBAC, ...两种交付模式:
- 基于Git: Flux监听Git仓库变动,代码提交后自动应用变更。
- 无Git(基于OCI): Git → CI推送OCI制品 → Flux从镜像仓库拉取制品。OCI制品不可变、可签名,且集群无需配置Git凭证。
Controllers and CRDs
控制器与CRD
| Kind | apiVersion | Controller | Purpose |
|---|---|---|---|
| FluxInstance | fluxcd.controlplane.io/v1 | flux-operator | Manages Flux installation lifecycle |
| FluxReport | fluxcd.controlplane.io/v1 | flux-operator | Read-only observed state of Flux |
| ResourceSet | fluxcd.controlplane.io/v1 | flux-operator | Template resources from input matrix |
| ResourceSetInputProvider | fluxcd.controlplane.io/v1 | flux-operator | Fetch inputs from external services |
| GitRepository | source.toolkit.fluxcd.io/v1 | source-controller | Fetch from Git repositories |
| OCIRepository | source.toolkit.fluxcd.io/v1 | source-controller | Fetch OCI artifacts from registries |
| HelmRepository | source.toolkit.fluxcd.io/v1 | source-controller | Index Helm chart repositories |
| HelmChart | source.toolkit.fluxcd.io/v1 | source-controller | Fetch and package Helm charts |
| Bucket | source.toolkit.fluxcd.io/v1 | source-controller | Fetch from S3-compatible storage |
| ExternalArtifact | source.toolkit.fluxcd.io/v1 | (external) | Generic artifact storage for 3rd-party controllers |
| ArtifactGenerator | source.extensions.fluxcd.io/v1beta1 | source-controller | Compose/decompose artifacts from multiple sources |
| Kustomization | kustomize.toolkit.fluxcd.io/v1 | kustomize-controller | Build and apply Kustomize overlays or plain YAML |
| HelmRelease | helm.toolkit.fluxcd.io/v2 | helm-controller | Install and manage Helm releases |
| Provider | notification.toolkit.fluxcd.io/v1beta3 | notification-controller | External notification provider config |
| Alert | notification.toolkit.fluxcd.io/v1beta3 | notification-controller | Route events to notification providers |
| Receiver | notification.toolkit.fluxcd.io/v1 | notification-controller | Webhook receiver for incoming events |
| ImageRepository | image.toolkit.fluxcd.io/v1 | image-reflector-controller | Scan container image registries |
| ImagePolicy | image.toolkit.fluxcd.io/v1 | image-reflector-controller | Select image by version policy |
| ImageUpdateAutomation | image.toolkit.fluxcd.io/v1 | image-automation-controller | Update YAML in Git with new image tags |
| Kind | apiVersion | Controller | 用途 |
|---|---|---|---|
| FluxInstance | fluxcd.controlplane.io/v1 | flux-operator | 管理Flux安装全生命周期 |
| FluxReport | fluxcd.controlplane.io/v1 | flux-operator | Flux运行状态的只读观测结果 |
| ResourceSet | fluxcd.controlplane.io/v1 | flux-operator | 基于输入矩阵生成模板化资源 |
| ResourceSetInputProvider | fluxcd.controlplane.io/v1 | flux-operator | 从外部服务拉取输入参数 |
| GitRepository | source.toolkit.fluxcd.io/v1 | source-controller | 从Git仓库拉取资源 |
| OCIRepository | source.toolkit.fluxcd.io/v1 | source-controller | 从镜像仓库拉取OCI制品 |
| HelmRepository | source.toolkit.fluxcd.io/v1 | source-controller | 索引Helm Chart仓库 |
| HelmChart | source.toolkit.fluxcd.io/v1 | source-controller | 拉取并打包Helm Chart |
| Bucket | source.toolkit.fluxcd.io/v1 | source-controller | 从S3兼容存储拉取资源 |
| ExternalArtifact | source.toolkit.fluxcd.io/v1 | (external) | 供第三方控制器使用的通用制品存储 |
| ArtifactGenerator | source.extensions.fluxcd.io/v1beta1 | source-controller | 从多个源组合/拆分制品 |
| Kustomization | kustomize.toolkit.fluxcd.io/v1 | kustomize-controller | 构建并应用Kustomize覆盖层或纯YAML |
| HelmRelease | helm.toolkit.fluxcd.io/v2 | helm-controller | 安装并管理Helm发布 |
| Provider | notification.toolkit.fluxcd.io/v1beta3 | notification-controller | 外部通知提供方配置 |
| Alert | notification.toolkit.fluxcd.io/v1beta3 | notification-controller | 将事件路由到通知提供方 |
| Receiver | notification.toolkit.fluxcd.io/v1 | notification-controller | 接收外部事件的Webhook |
| ImageRepository | image.toolkit.fluxcd.io/v1 | image-reflector-controller | 扫描容器镜像仓库 |
| ImagePolicy | image.toolkit.fluxcd.io/v1 | image-reflector-controller | 基于版本策略选择镜像 |
| ImageUpdateAutomation | image.toolkit.fluxcd.io/v1 | image-automation-controller | 用新镜像标签更新Git中的YAML |
How Flux Works
Flux工作原理
Reconciliation Loop
调和循环
Flux controllers run a continuous reconciliation loop:
- Sources poll for changes — source-controller checks Git repos, OCI registries, Helm repos, or S3 buckets at configured intervals and produces versioned artifacts.
- Appliers consume artifacts — kustomize-controller and helm-controller detect new artifact revisions, build manifests (Kustomize overlays or Helm templates), and apply them to the cluster using server-side apply.
- Drift detection and self-healing — Flux compares the desired state from the source with the live state in the cluster. When drift is detected, Flux corrects it automatically (if enabled).
- Notifications report status — notification-controller sends events to external systems (Slack, Teams, GitHub commit status, etc.) based on Alert rules.
Flux控制器会持续运行调和循环:
- 源轮询变更 — source-controller按照配置的间隔检查Git仓库、OCI仓库、Helm仓库或S3存储桶,生成带版本的制品。
- 应用器消费制品 — kustomize-controller和helm-controller检测到新的制品版本后,构建清单(Kustomize覆盖层或Helm模板),并通过服务端应用的方式部署到集群。
- 漂移检测与自愈 — Flux将源中定义的期望状态与集群实际运行状态对比,检测到漂移后会自动修正(如果开启了该功能)。
- 状态通知上报 — notification-controller根据Alert规则将事件发送到外部系统(Slack、Teams、GitHub提交状态等)。
Dependency Ordering
依赖顺序控制
Use to control reconciliation order. For example, install CRDs before CRs,
or infrastructure before applications:
dependsOnyaml
spec:
dependsOn:
- name: infra-controllers # wait for this Kustomization to be ReadyResourceSets support richer dependencies with (CEL expressions):
readyExpryaml
spec:
dependsOn:
- apiVersion: fluxcd.controlplane.io/v1
kind: ResourceSet
name: policies
ready: true
readyExpr: "status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')"使用控制调和顺序,例如先安装CRD再安装CR,或是先部署基础设施再部署应用:
dependsOnyaml
spec:
dependsOn:
- name: infra-controllers # 等待该Kustomization状态变为ReadyResourceSet支持通过(CEL表达式)实现更灵活的依赖配置:
readyExpryaml
spec:
dependsOn:
- apiVersion: fluxcd.controlplane.io/v1
kind: ResourceSet
name: policies
ready: true
readyExpr: "status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')"Reactivity with Watch Labels
监听标签实现即时响应
By default, Flux controllers poll sources at the configured interval. To react immediately
when a dependency changes, add the watch label to the upstream resource:
yaml
metadata:
labels:
reconcile.fluxcd.io/watch: EnabledWhen a ConfigMap or Secret with this label changes, any Kustomization or HelmRelease that
references it via or will reconcile immediately.
postBuild.substituteFromvaluesFrom默认情况下Flux控制器按照配置的间隔轮询源,若要在依赖变更时立即触发调和,请给上游资源添加监听标签:
yaml
metadata:
labels:
reconcile.fluxcd.io/watch: Enabled当带有该标签的ConfigMap或Secret发生变更时,所有通过或引用它的Kustomization或HelmRelease都会立即触发调和。
postBuild.substituteFromvaluesFromDecision Trees
决策树
Which Source Type?
选择哪种源类型?
- Git repo with Kustomize overlays or plain YAML →
GitRepository - OCI artifact (container image with manifests) →
OCIRepository - Helm chart from OCI registry → with
OCIRepositoryfor Helm media typelayerSelector - Helm chart from HTTPS Helm repo → (default type)
HelmRepository - S3/GCS/MinIO bucket →
Bucket - Monorepo that needs splitting → (creates
ArtifactGeneratorper path)ExternalArtifact - Helm chart + env-specific values from Git → (composes chart with values overlay)
ArtifactGenerator
- 包含Kustomize覆盖层或纯YAML的Git仓库 →
GitRepository - OCI制品(包含清单的容器镜像) →
OCIRepository - 来自OCI仓库的Helm Chart → 配置了Helm媒体类型的
layerSelectorOCIRepository - 来自HTTPS Helm仓库的Helm Chart → (默认类型)
HelmRepository - S3/GCS/MinIO存储桶 →
Bucket - 需要拆分的单体仓库 → (为每个路径生成
ArtifactGenerator)ExternalArtifact - Helm Chart + 存储在Git中的环境专属值 → (将Chart与值覆盖层组合)
ArtifactGenerator
Kustomization vs HelmRelease?
Kustomization还是HelmRelease?
- Plain YAML or Kustomize overlays →
Kustomization - Helm chart →
HelmRelease - Both can deploy to remote clusters via and support
kubeConfig.dependsOn
- 纯YAML或Kustomize覆盖层 →
Kustomization - Helm Chart →
HelmRelease - 两者都支持通过部署到远程集群,也都支持
kubeConfig依赖配置。dependsOn
How to Reference Helm Charts (3 Patterns)
引用Helm Chart的3种模式
Pattern 1 — HTTPS Helm repository:
yaml
undefined模式1 — HTTPS Helm仓库:
yaml
undefinedHelmRelease creates a HelmChart automatically
HelmRelease会自动创建HelmChart资源
spec:
chart:
spec:
chart: metrics-server
version: "3.x"
sourceRef:
kind: HelmRepository
name: metrics-server
**Pattern 2 — OCI registry with chartRef (recommended):**
```yamlspec:
chart:
spec:
chart: metrics-server
version: "3.x"
sourceRef:
kind: HelmRepository
name: metrics-server
**模式2 — 基于OCI仓库的chartRef(推荐):**
```yamlSeparate OCIRepository + HelmRelease with chartRef
独立的OCIRepository + 配置chartRef的HelmRelease
spec:
chartRef:
kind: OCIRepository
name: nginx-chart
**Pattern 3 — HelmChart from Git/Bucket source:**
```yamlspec:
chartRef:
kind: OCIRepository
name: nginx-chart
**模式3 — 来自Git/Bucket源的HelmChart:**
```yamlChart stored in Git, HelmRelease references HelmChart
Chart存储在Git中,HelmRelease引用HelmChart资源
spec:
chart:
spec:
chart: ./charts/my-app
sourceRef:
kind: GitRepository
name: my-repo
`chart.spec` and `chartRef` are **mutually exclusive** — use one or the other.spec:
chart:
spec:
chart: ./charts/my-app
sourceRef:
kind: GitRepository
name: my-repo
`chart.spec`和`chartRef`**互斥**,只能使用其中一种。ResourceSet vs Kustomization?
ResourceSet还是Kustomization?
- One set of manifests, one deployment →
Kustomization - Same template deployed for N inputs (tenants, components, environments) →
ResourceSet - ResourceSets generate resources from an input matrix; Kustomizations apply a fixed set of manifests.
- 一套清单对应一个部署 →
Kustomization - 同一份模板需要基于N个输入部署(租户、组件、环境) →
ResourceSet - ResourceSet基于输入矩阵生成资源,Kustomization应用固定的清单集合。
How to Set Up GitOps from Scratch
从零搭建GitOps流程
- Install Flux Operator (Helm chart or Terraform)
- Create a named
FluxInstancein thefluxnamespaceflux-system - Configure to point to your Git repo or OCI registry
.spec.sync - Organize manifests in the source repo using Kustomize base+overlay pattern
- Create resources to apply manifests from the source
Kustomization - Add +
Providerfor notificationsAlert
- 安装Flux Operator(通过Helm Chart或Terraform)
- 在命名空间下创建名为
flux-system的flux资源FluxInstance - 配置指向你的Git仓库或OCI镜像仓库
.spec.sync - 使用Kustomize base+overlay模式在源仓库中组织清单
- 创建资源应用源仓库中的清单
Kustomization - 添加+
Provider实现通知能力Alert
Canonical YAML Patterns
标准YAML模式
1. GitOps Pipeline (GitRepository + Kustomization)
1. GitOps流水线(GitRepository + Kustomization)
yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: my-app
namespace: flux-system
spec:
interval: 5m
url: https://github.com/org/my-app.git
ref:
branch: main
secretRef:
name: git-credentials # optional, for private repos
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: my-app
namespace: flux-system
spec:
interval: 10m
sourceRef:
kind: GitRepository
name: my-app
path: ./deploy/production
prune: true
wait: true
timeout: 5myaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: my-app
namespace: flux-system
spec:
interval: 5m
url: https://github.com/org/my-app.git
ref:
branch: main
secretRef:
name: git-credentials # 私有仓库可选配置
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: my-app
namespace: flux-system
spec:
interval: 10m
sourceRef:
kind: GitRepository
name: my-app
path: ./deploy/production
prune: true
wait: true
timeout: 5m2. Helm from HTTPS Repository
2. 基于HTTPS仓库的Helm部署
yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: metrics-server
namespace: kube-system
spec:
interval: 1h
url: https://kubernetes-sigs.github.io/metrics-server/
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: metrics-server
namespace: kube-system
spec:
interval: 30m
chart:
spec:
chart: metrics-server
version: "3.x"
sourceRef:
kind: HelmRepository
name: metrics-server
values:
args:
- --kubelet-insecure-tlsyaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: metrics-server
namespace: kube-system
spec:
interval: 1h
url: https://kubernetes-sigs.github.io/metrics-server/
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: metrics-server
namespace: kube-system
spec:
interval: 30m
chart:
spec:
chart: metrics-server
version: "3.x"
sourceRef:
kind: HelmRepository
name: metrics-server
values:
args:
- --kubelet-insecure-tls3. Helm from OCI Registry (Recommended)
3. 基于OCI仓库的Helm部署(推荐)
yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
name: cert-manager-chart
namespace: cert-manager
spec:
interval: 1h
url: oci://quay.io/jetstack/charts/cert-manager
layerSelector:
mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
operation: copy
ref:
semver: "1.x"
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
chartRef:
kind: OCIRepository
name: cert-manager-chart
install:
strategy:
name: RetryOnFailure
retryInterval: 5m
upgrade:
strategy:
name: RetryOnFailure
retryInterval: 5m
values:
crds:
enabled: true
keep: falseyaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
name: cert-manager-chart
namespace: cert-manager
spec:
interval: 1h
url: oci://quay.io/jetstack/charts/cert-manager
layerSelector:
mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
operation: copy
ref:
semver: "1.x"
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
chartRef:
kind: OCIRepository
name: cert-manager-chart
install:
strategy:
name: RetryOnFailure
retryInterval: 5m
upgrade:
strategy:
name: RetryOnFailure
retryInterval: 5m
values:
crds:
enabled: true
keep: false4. FluxInstance with OCI Sync (Gitless GitOps)
4. 配置OCI同步的FluxInstance(无Git的GitOps)
yaml
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
name: flux
namespace: flux-system
spec:
distribution:
version: "2.x"
registry: "ghcr.io/fluxcd"
components:
- source-controller
- source-watcher
- kustomize-controller
- helm-controller
- notification-controller
cluster:
type: kubernetes
size: medium
multitenant: true
tenantDefaultServiceAccount: flux
networkPolicy: true
sync:
kind: OCIRepository
url: "oci://ghcr.io/my-org/fleet-manifests"
ref: "latest"
path: "clusters/production"
pullSecret: "registry-auth"yaml
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
name: flux
namespace: flux-system
spec:
distribution:
version: "2.x"
registry: "ghcr.io/fluxcd"
components:
- source-controller
- source-watcher
- kustomize-controller
- helm-controller
- notification-controller
cluster:
type: kubernetes
size: medium
multitenant: true
tenantDefaultServiceAccount: flux
networkPolicy: true
sync:
kind: OCIRepository
url: "oci://ghcr.io/my-org/fleet-manifests"
ref: "latest"
path: "clusters/production"
pullSecret: "registry-auth"5. ResourceSet for Multi-Component Orchestration
5. 用于多组件编排的ResourceSet
yaml
apiVersion: fluxcd.controlplane.io/v1
kind: ResourceSet
metadata:
name: apps
namespace: flux-system
annotations:
fluxcd.controlplane.io/reconcileEvery: "5m"
spec:
dependsOn:
- apiVersion: fluxcd.controlplane.io/v1
kind: ResourceSet
name: infra
ready: true
inputs:
- tenant: "frontend"
tag: "latest"
environment: "production"
- tenant: "backend"
tag: "latest"
environment: "production"
resources:
- apiVersion: v1
kind: Namespace
metadata:
name: << inputs.tenant >>
labels:
toolkit.fluxcd.io/role: "tenant"
- apiVersion: v1
kind: ServiceAccount
metadata:
name: flux
namespace: << inputs.tenant >>
- apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: flux
namespace: << inputs.tenant >>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- kind: ServiceAccount
name: flux
namespace: << inputs.tenant >>
- apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
name: apps
namespace: << inputs.tenant >>
spec:
interval: 5m
url: "oci://ghcr.io/my-org/apps/<< inputs.tenant >>"
ref:
tag: << inputs.tag >>
- apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
namespace: << inputs.tenant >>
spec:
targetNamespace: << inputs.tenant >>
serviceAccountName: flux
interval: 30m
retryInterval: 5m
wait: true
timeout: 5m
sourceRef:
kind: OCIRepository
name: apps
path: "./<< inputs.environment >>"
prune: trueyaml
apiVersion: fluxcd.controlplane.io/v1
kind: ResourceSet
metadata:
name: apps
namespace: flux-system
annotations:
fluxcd.controlplane.io/reconcileEvery: "5m"
spec:
dependsOn:
- apiVersion: fluxcd.controlplane.io/v1
kind: ResourceSet
name: infra
ready: true
inputs:
- tenant: "frontend"
tag: "latest"
environment: "production"
- tenant: "backend"
tag: "latest"
environment: "production"
resources:
- apiVersion: v1
kind: Namespace
metadata:
name: << inputs.tenant >>
labels:
toolkit.fluxcd.io/role: "tenant"
- apiVersion: v1
kind: ServiceAccount
metadata:
name: flux
namespace: << inputs.tenant >>
- apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: flux
namespace: << inputs.tenant >>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- kind: ServiceAccount
name: flux
namespace: << inputs.tenant >>
- apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
name: apps
namespace: << inputs.tenant >>
spec:
interval: 5m
url: "oci://ghcr.io/my-org/apps/<< inputs.tenant >>"
ref:
tag: << inputs.tag >>
- apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
namespace: << inputs.tenant >>
spec:
targetNamespace: << inputs.tenant >>
serviceAccountName: flux
interval: 30m
retryInterval: 5m
wait: true
timeout: 5m
sourceRef:
kind: OCIRepository
name: apps
path: "./<< inputs.environment >>"
prune: true6. Image Automation Pipeline
6. 镜像自动化流水线
Pipeline: ImageRepository → ImagePolicy → ImageUpdateAutomation. Mark images in YAML with
comment markers for automatic tag updates.
# {"$imagepolicy": "namespace:policy-name"}For complete YAML examples, tag filtering, commit message templates, and marker formats,
load .
references/image-automation.md流水线流程:ImageRepository → ImagePolicy → ImageUpdateAutomation。在YAML中为镜像添加注释标记即可实现标签自动更新。
# {"$imagepolicy": "namespace:policy-name"}完整的YAML示例、标签过滤、提交消息模板、标记格式请加载查看。
references/image-automation.md7. Notifications (Slack, GitHub, Webhooks)
7. 通知能力(Slack、GitHub、Webhooks)
Provider + Alert for outgoing notifications, Receiver for incoming webhooks.
Alert and Provider use , Receiver uses .
v1beta3v1For Slack, GitHub commit status, webhook receivers, and all provider types,
load .
references/notifications.mdProvider + Alert用于对外发送通知,Receiver用于接收外部Webhook事件。Alert和Provider使用版本,Receiver使用版本。
v1beta3v1Slack通知、GitHub提交状态、Webhook Receiver、所有支持的提供方类型请加载查看。
references/notifications.mdCommon Mistakes
常见错误
Wrong template delimiters:
- ResourceSet uses — NOT
<< inputs.field >>or{{ .inputs.field }}{{ inputs.field }} - Go templates are only used in ImageUpdateAutomation
{{ }}.spec.git.commit.messageTemplate
Mutual exclusivity:
- HelmRelease: and
spec.chart.specare mutually exclusivespec.chartRef - FluxInstance: only one per cluster, must be named
flux
Required fields often forgotten:
- — must be set (true or false), controls garbage collection
Kustomization.spec.prune - — must specify kind and name
Kustomization.spec.sourceRef - — required for reconciliation
HelmRelease.spec.interval - — at least one source required
Alert.spec.eventSources
Wrong API versions:
- Alert and Provider use , not
v1beta3—v1notification.toolkit.fluxcd.io/v1beta3 - Receiver uses —
v1notification.toolkit.fluxcd.io/v1 - HelmRelease uses , not
v2orv1—v2beta1helm.toolkit.fluxcd.io/v2 - ImageRepository and ImagePolicy use —
v1image.toolkit.fluxcd.io/v1
HelmRelease strategy fields:
- Install/upgrade strategy is at and
spec.install.strategy.namespec.upgrade.strategy.name - Always use — it retries without rollback or uninstall, avoiding downtime
RetryOnFailure - Do not use or
RemediateOnFailure/spec.install.remediationspec.upgrade.remediation
OCIRepository for Helm charts:
- When using OCIRepository to fetch Helm charts from OCI registries, set to extract the chart:
layerSelectoryamllayerSelector: mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip" operation: copy - Without , the OCIRepository fetches the full OCI artifact, not the extracted chart.
layerSelector
模板分隔符错误:
- ResourceSet使用— 不能用
<< inputs.field >>或{{ .inputs.field }}{{ inputs.field }} - Go模板仅允许在ImageUpdateAutomation的
{{ }}中使用.spec.git.commit.messageTemplate
互斥配置错误:
- HelmRelease的和
spec.chart.spec互斥spec.chartRef - 每个集群仅允许一个FluxInstance,且必须命名为
flux
遗漏必填字段:
- — 必须设置为true或false,用于控制垃圾回收
Kustomization.spec.prune - — 必须指定kind和name
Kustomization.spec.sourceRef - — 调和必须配置该字段
HelmRelease.spec.interval - — 至少配置一个事件源
Alert.spec.eventSources
API版本错误:
- Alert和Provider使用而非
v1beta3—v1notification.toolkit.fluxcd.io/v1beta3 - Receiver使用—
v1notification.toolkit.fluxcd.io/v1 - HelmRelease使用而非
v2或v1—v2beta1helm.toolkit.fluxcd.io/v2 - ImageRepository和ImagePolicy使用—
v1image.toolkit.fluxcd.io/v1
HelmRelease策略字段错误:
- 安装/升级策略配置在和
spec.install.strategy.name路径下spec.upgrade.strategy.name - 始终使用— 它会重试部署但不会回滚或卸载,避免服务 downtime
RetryOnFailure - 不要使用或
RemediateOnFailure/spec.install.remediationspec.upgrade.remediation
OCIRepository拉取Helm Chart配置错误:
- 使用OCIRepository从OCI仓库拉取Helm Chart时,必须配置提取Chart:
layerSelectoryamllayerSelector: mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip" operation: copy - 没有的话,OCIRepository会拉取完整的OCI制品,而不是提取后的Chart。
layerSelector
Reference Index
参考索引
Load reference files and OpenAPI schemas based on the question topic.
Load at most 1-2 reference files per question. Read schemas for field-level validation when generating YAML.
| CRD | Reference | Schema |
|---|---|---|
| FluxInstance | | |
| FluxReport | | |
| ResourceSet | | |
| ResourceSetInputProvider | | |
| GitRepository | | |
| OCIRepository | | |
| HelmRepository | | |
| HelmChart | | |
| Bucket | | |
| ExternalArtifact | | |
| ArtifactGenerator | | |
| Kustomization | | |
| HelmRelease | | |
| Provider | | |
| Alert | | |
| Receiver | | |
| ImageRepository | | |
| ImagePolicy | | |
| ImageUpdateAutomation | | |
| Topic | Reference |
|---|---|
| Repository structure, monorepo vs multi-repo, OCI-based fleet management | |
| Best practices, dependency management, remediation, versioning | |
| Web UI, dashboard, SSO, OIDC, Dex, Keycloak, Entra ID, RBAC | |
| MCP Server, AI assistant integration, in-cluster deployment | |
请根据问题主题加载参考文件和OpenAPI schema,每个问题最多加载1-2个参考文件。生成YAML时请读取schema做字段级别校验。
| CRD | 参考文件 | Schema路径 |
|---|---|---|
| FluxInstance | | |
| FluxReport | | |
| ResourceSet | | |
| ResourceSetInputProvider | | |
| GitRepository | | |
| OCIRepository | | |
| HelmRepository | | |
| HelmChart | | |
| Bucket | | |
| ExternalArtifact | | |
| ArtifactGenerator | | |
| Kustomization | | |
| HelmRelease | | |
| Provider | | |
| Alert | | |
| Receiver | | |
| ImageRepository | | |
| ImagePolicy | | |
| ImageUpdateAutomation | | |
| 主题 | 参考文件 |
|---|---|
| 仓库结构、单体仓库vs多仓库、基于OCI的集群 fleet 管理 | |
| 最佳实践、依赖管理、修复策略、版本管理 | |
| Web UI、控制面板、SSO、OIDC、Dex、Keycloak、Entra ID、RBAC | |
| MCP Server、AI助手集成、集群内部署 | |
FluxInstance Enums
FluxInstance 枚举值
Cluster types: , , , ,
kubernetesopenshiftawsazuregcpCluster sizes: (5 concurrency, 512Mi), (10, 1Gi), (20, 3Gi)
smallmediumlargeComponents: , , ,
, , ,
source-controllerkustomize-controllerhelm-controllernotification-controllerimage-reflector-controllerimage-automation-controllersource-watcherSync kinds: , ,
GitRepositoryOCIRepositoryBucketDistribution variants: , , ,
upstream-alpineenterprise-alpineenterprise-distrolessenterprise-distroless-fipsFor enums of other CRDs (HelmRelease strategies, Provider types, ImagePolicy types,
ResourceSetInputProvider types, etc.), check the relevant reference file or OpenAPI schema.
集群类型: , , , ,
kubernetesopenshiftawsazuregcp集群规模: (5并发、512Mi内存), (10并发、1Gi内存), (20并发、3Gi内存)
smallmediumlarge组件: , , , , , ,
source-controllerkustomize-controllerhelm-controllernotification-controllerimage-reflector-controllerimage-automation-controllersource-watcher同步源类型: , ,
GitRepositoryOCIRepositoryBucket发行版变体: , , ,
upstream-alpineenterprise-alpineenterprise-distrolessenterprise-distroless-fips其他CRD的枚举值(HelmRelease策略、Provider类型、ImagePolicy类型、ResourceSetInputProvider类型等)请查看对应参考文件或OpenAPI schema。