In this tutorial, you add Kustomize configurations that reference Helm charts to your repository and then use Config Sync to sync your cluster to your repository.
When you use Config Sync, the Kustomize configurations and Helm charts you place in your Git repository are automatically rendered. Automated rendering provides you with the following benefits:
- You no longer need an external hydration pipeline. Without automated rendering, you have to manually render the configurations using Kustomize and Helm on your workstation, or set up a step to trigger the hydration process in your CI systems. With automated rendering, Config Sync handles the execution. 
- Your maintenance costs are reduced. Without automated rendering, you have to maintain one Git repository with the original Kustomize configurations and Helm charts and another Git repository with the output generated by the external hydration. You then have to configure Config Sync to sync from the Git repository with the rendered output. With automated rendering, you only need to maintain one repository with the original configs. 
- Your development workflow is simplified. Without automated rendering, changes made to your original configs need to be reviewed twice before being merged; once in the original repository and again in the rendered repository. With automated rendering, the rendered configs are generated by Config Sync, and you only need to review the changes to the original configs. 
Objectives
- Configure your repository with Kustomize configurations that reference an off-the-shelf Helm chart for cert-manager. cert-manager is a tool for Kubernetes that helps you manage your certificates.
- Preview and validate the configs that you create.
- Use Config Sync to automatically render your chart and sync your cluster to your repository.
- Verify that your installation succeeded.
Costs
In this document, you use the following billable components of Google Cloud:
  
  
  
  To generate a cost estimate based on your projected usage,
      use the pricing calculator.
  
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
Before you begin
- 
  
    
    
      
    
  
    
    
      
    
  
  
  
    
    
      In the Google Cloud console, on the project selector page, select or create a Google Cloud project. Roles required to select or create a project - Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- 
      Create a project: To create a project, you need the Project Creator
      (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
 
- 
  
    
    
  
    
    
  
  
    Verify that billing is enabled for your Google Cloud project. 
- Create, or ensure that you have access to, a cluster that meets the
requirements for Config Sync
and uses the following Config Sync settings:
- Uses an unstructured repository.
- RootSyncand- RepoSyncAPIs are enabled.
- spec.override.enableShellInRenderingis set to- trueto let Config Sync support pulling remote bases from public repositories in the rendering process.
 
- Register your cluster to a fleet.
- Install the nomoscommand-line tool. If you've already installed thenomostool, make sure you upgrade it to version 1.9.0 or later.
- Install Helm.
It's also helpful to have some familiarity with Git, Kustomize, and Helm.
Configure your repository
The following tasks show you how to prepare a Git repository with configs that combine Kustomize configurations with Helm charts:
- Create, or make sure you have access to, a Git repository. Since your repository uses Kustomize and Helm, this should be an unstructured repository. 
- In the root of your Git repository, create a file named - kustomization.yamland paste the following code into it:- # ./kustomization.yaml resources: - base patches: - path: ignore-deployment-mutation-patch.yaml target: kind: Deployment- This file is a Kustomize overlay that points to the Kustomize base. This overlay includes a patch for the Helm chart base that adds the - client.lifecycle.config.k8s.io/mutation: ignoreannotation to all Deployment objects. The annotation causes Config Sync to ignore any conflicting changes to this object in the cluster after you have created it.
- In your Git repository, create a directory named - base:- mkdir base
- In the - basedirectory, create another file named- kustomization.yamland paste the following code into it:- # ./base/kustomization.yaml helmCharts: - name: cert-manager repo: https://charts.jetstack.io version: v1.5.3 releaseName: my-cert-manager namespace: cert-manager- This file is the Kustomize base, which renders the remote Helm chart. 
- Navigate back to the root of your Git repository, create a file named - ignore-deployment-mutation-patch.yamland paste the following code into it:- # ./ignore-deployment-mutation-patch.yaml apiVersion: apps/v1 kind: Deployment metadata: name: any annotations: client.lifecycle.config.k8s.io/mutation: ignore- This file is a patch that is applied to the base Helm chart. It adds the - client.lifecycle.config.k8s.io/mutation: ignoreannotation to all Deployments in the base directory.
- Commit the changes to your repository: - git add . git commit -m 'Set up manifests.' git push
The samples repository has an example of what such a repository would look like.
Preview and validate rendered configs
Before Config Sync renders the configs and syncs them to the cluster, ensure
that the configs are accurate by running nomos hydrate to preview the rendered
configuration and running nomos vet to validate that the format is correct.
- Run the following - nomos hydratewith the following flags:- nomos hydrate \ --source-format=unstructured \ --output=OUTPUT_DIRECTORY- In this command: - --source-format=unstructuredlets- nomos hydratework on an unstructured repository. Since you are using Kustomize configurations and Helm charts, you need to use an unstructured repository and add this flag.
- --output=OUTPUT_DIRECTORYlets you define a path to the rendered configs. Replace- OUTPUT_DIRECTORYwith the location that you want the output to be saved in.
 
- Check the syntax and validity of your configs by running - nomos vetwith the following flags:- nomos vet \ --source-format=unstructured \ --keep-output=true \ --output=OUTPUT_DIRECTORY- In this command: - --source-format=unstructuredlets- nomos vetwork on an unstructured repository.
- --keep-output=truesaves the rendered configs.
- --output=OUTPUT_DIRECTORYis the path to the rendered configs.
 
Configure syncing from the Git repository
Now that you have created a repository with the configs that you want to use, you can configure syncing from your cluster to your repository.
- To configure your - RootSyncobject, create a- root-sync.yamlfile:- # root-sync.yaml apiVersion: configsync.gke.io/v1beta1 kind: RootSync metadata: name: root-sync namespace: config-management-system spec: sourceFormat: unstructured git: repo: YOUR_GIT_REPOSITORY branch: main auth: none override: enableShellInRendering: true- Replace - YOUR_GIT_REPOSITORYwith the URL of your Git repository.
- Apply the - root-sync.yamlfile to your cluster:- kubectl apply -f root-sync.yaml
Verify the installation
After you have installed and configured Config Sync, you can verify that the installation completed successfully.
- Verify that there no other errors by using - nomos status:- nomos status- Example output: - *CLUSTER_NAME -------------------- <root> https:/github.com/GoogleCloudPlatform/anthos-config-management-samples.git/helm-component/manifests@init SYNCED fd17dd5a
- Verify if the Helm component is successfully installed: - kubectl get all -n cert-manager- Example output: - NAME READY STATUS RESTARTS AGE pod/my-cert-manager-54f5ccf74-wfzs4 1/1 Running 0 10m pod/my-cert-manager-cainjector-574bc8678c-rh7mq 1/1 Running 0 10m pod/my-cert-manager-webhook-7454f4c77d-rkct8 1/1 Running 0 10m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/my-cert-manager ClusterIP 10.76.9.35 <none> 9402/TCP 10m service/my-cert-manager-webhook ClusterIP 10.76.11.205 <none> 443/TCP 10m NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/my-cert-manager 1/1 1 1 10m deployment.apps/my-cert-manager-cainjector 1/1 1 1 10m deployment.apps/my-cert-manager-webhook 1/1 1 1 10m NAME DESIRED CURRENT READY AGE replicaset.apps/my-cert-manager-54f5ccf74 1 1 1 10m replicaset.apps/my-cert-manager-cainjector-574bc8678c 1 1 1 10m replicaset.apps/my-cert-manager-webhook-7454f4c77d 1 1 1 10m
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
Delete the project
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Delete individual resources
Delete the manifests in your repository
In order to help prevent accidental deletion, Config Sync does not let you remove all namespaces or cluster-scoped resources in a single commit. Follow these instructions to gracefully uninstall the component and remove the namespace in separate commits:
- Remove the cert-manager component from your repository: - git rm -rf manifests/cert-manager \ && git commit -m "uninstall cert-manager" \ && git push origin BRANCH- Replace - BRANCHwith the branch that you created your repository in.
- Delete the cert-manager namespace: - git rm manifests/namespace-cert-manager.yaml \ && git commit -m "remove the cert-manager namespace" \ && git push origin BRANCH
- Verify that the cert-manager namespace does not exist: - kubectl get namespace cert-namespace- Example output: - Error from server (NotFound): namespaces "cert-namespace" not found
Delete the cluster
To delete the cluster, complete the following commands:
Console
To delete a cluster using the Google Cloud console, complete the following tasks:
- In the Google Cloud console, go to the GKE page. 
- Next to the cluster you want to delete, click more_vert Actions, then click delete Delete. 
- When prompted to confirm, click Delete again. 
gcloud
To delete a cluster using the Google Cloud CLI, run the following command:
gcloud container clusters delete CLUSTER_NAME
For more information, refer to the
gcloud container clusters delete
documentation.
What's next
- Learn more about working with unstructured repositories.