Creating a flux sync configuration that refers to a config map for substitution

If you configure your k8s cluster with terraform, one of the final steps is to install the fluxcd operator. The operator is responsible for managing the resources inside the cluster. This makes a fully automatic creation process possible.

To install flux, a terraform provider is available. It prepares an install and a sync configuration, which can be installed in k8s using the kubernetes/kubectl providers.

fluxcd itself supports substitution. This means you can use variables in the k8s yaml files. This is useful for content that varies, such as the cluster names and domain names of the different stages or, more specialised, the ARN ids of resources created while creating the cluster in AWS. To use substitution, fluxcd offers to link the configuration to a config map. The map defines a set of key/value pairs that replace the variables.

The map can also be created with terraform and the kubectl provider. Do not store secrets in the config map; use secrets instead.

Applying the config map to the sync configuration of the fluxcd terraform source turned out to be the biggest challenge, since the provider does not support setting the substituteFrom parameter. The configuration must therefore be manipulated before it is applied to k8s.

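locals {
  # postBuild section to add to the generated Kustomization
  postBuildParameters = {
    substituteFrom = [
      {
        kind = "ConfigMap"
        name = "cluster-vars"
      }
    ]
  }

  # Decode each generated YAML document into a terraform object
  decoded_documents = [for v in data.kubectl_file_documents.sync.documents : yamldecode(v)]
  # Merge postBuild into the spec of the Kustomization, leave all other documents unchanged
  documents = [for v in local.decoded_documents :
    merge(v, v.kind == "Kustomization" ? { spec = merge(v.spec, { postBuild = local.postBuildParameters }) } : {})
  ]
}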

In this way, a config map named kube-system/cluster-vars is used to substitute the variables.
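
The remaining two steps, creating the config map and applying the patched documents with the kubectl provider, could look like the following. This is an added example, not code from the original post; it assumes `local.documents` from the snippet above, that the target namespace already exists from the install step, and the variables, resource names and config map keys are illustrative.

```hcl
# Added example: variable names, resource names and ConfigMap keys are assumptions.
variable "cluster_name" { type = string }
variable "domain_name" { type = string }

locals {
  # Flux resolves substituteFrom references in the Kustomization's own
  # namespace, so the ConfigMap is created next to the patched Kustomization.
  sync_namespace = one([
    for d in local.documents : d.metadata.namespace if d.kind == "Kustomization"
  ])
}

# Non-secret values only: everyone who may read ConfigMaps in this namespace,
# and everyone with access to the terraform state, can read these values.
resource "kubectl_manifest" "cluster_vars" {
  yaml_body = yamlencode({
    apiVersion = "v1"
    kind       = "ConfigMap"
    metadata = {
      name      = "cluster-vars"
      namespace = local.sync_namespace
    }
    data = {
      cluster_name = var.cluster_name
      domain_name  = var.domain_name
    }
  })
}

# Apply the patched documents instead of the provider's unmodified sync output.
# The map key only has to be unique and stable per document.
resource "kubectl_manifest" "sync" {
  for_each = {
    for d in local.documents :
    lower(join("/", compact([d.apiVersion, d.kind, lookup(d.metadata, "namespace", ""), d.metadata.name]))) => yamlencode(d)
  }
  # Create the ConfigMap first so the first reconciliation can already substitute.
  depends_on = [kubectl_manifest.cluster_vars]
  yaml_body  = each.value
}
```

Manifests in the synced repository then reference the values as `${cluster_name}` and `${domain_name}`. For sensitive values, a `substituteFrom` entry can use `kind = "Secret"` in place of `"ConfigMap"`.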
