Installing Anthos Config Management

This page is for platform administrators.

This page describes how to install Anthos Config Management.

Anthos Config Management lets you apply policies and configuration to your Anthos clusters declaratively by automatically deploying your new configuration from a central Git repository. See the Anthos Config Management documentation to learn more.

You can install Anthos Config Management using the management center or using kubectl. You need to have a Git repository before you install Anthos Config Management.

Installing from the management center

Set up Anthos Config Management on your user cluster by navigating to the Config Management tab and clicking Setup. Then follow the instructions on the page to finish the setup.

You can also update or upgrade an existing Anthos Config Management installation. Click the link under the Version column to modify the existing configuration.

Installing with kubectl

Installing Anthos Config Management with kubectl is a two-step process. First, you set up SSH keys that Config Sync uses to authenticate with your Git repository. Then you install the Anthos Config Management resources, ConfigManagementFeatureSpec and ConfigManagementBinding, in the cluster.

You can also use kubectl to update or upgrade an existing Anthos Config Management installation.

Set up SSH keys

An SSH key pair consists of two files: a public key and a private key. The public key typically has a .pub extension.

  1. Create an SSH key pair to allow Config Sync to authenticate to your Git repository. You can use a single key pair for all clusters or a key pair per cluster, depending on your security and compliance requirements.

    The following command creates a 4096-bit RSA key. Lower values are not recommended:

    ssh-keygen -t rsa -b 4096 \
      -C GIT_REPOSITORY_USERNAME \
      -N '' \
      -f /path/to/KEYPAIR_FILENAME
    

    Replace the following:

    • GIT_REPOSITORY_USERNAME: the username that you want Config Sync to use to authenticate to the repository.
    • /path/to/KEYPAIR_FILENAME: a path to output the key pair to.
  2. Configure your repository to recognize the newly created public key. Refer to the documentation for your Git hosting provider.

  3. Add the private key to a new Secret object in the user cluster:

    kubectl create ns config-management-system --kubeconfig=USER_CLUSTER_KUBECONFIG && \
    kubectl create secret generic git-creds --kubeconfig=USER_CLUSTER_KUBECONFIG \
     --namespace=config-management-system \
     --from-file=ssh=/path/to/KEYPAIR_PRIVATE_KEY_FILENAME
    

    Replace the following:

    • USER_CLUSTER_KUBECONFIG: The configuration file for the user cluster. You can obtain this from the management center.
    • /path/to/KEYPAIR_PRIVATE_KEY_FILENAME: The name of the private key (the file without the .pub suffix).
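  4. Delete the private key from the local disk or otherwise protect it. The key pair was created with an empty passphrase (-N ''), so the private key file is stored unencrypted.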
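
A pre-flight check for step 3, added here as an example (it is not part of the original page or of Anthos Config Management): it rejects an RSA key shorter than the 4096 bits recommended above and a private key file that group or other users can access. The function names and the sample fingerprint lines are constructed for illustration; the line format is the one `ssh-keygen -l -f` prints.

```shell
#!/bin/sh
# Added example: pre-flight checks on a private key before it is loaded
# into the git-creds Secret. Function names are illustrative.

MIN_RSA_BITS=4096   # per the page: lower values are not recommended

# rsa_bits_ok LINE
# LINE is one line as printed by `ssh-keygen -l -f KEYFILE`:
#   <bits> <hash>:<digest> <comment> (<TYPE>)
# 0 = RSA with at least MIN_RSA_BITS, 1 = shorter RSA key,
# 2 = another key type or an unparsable line (outside the page's guidance).
rsa_bits_ok() {
  bits=${1%% *}                        # first field
  ktype=${1##*\(}; ktype=${ktype%\)}   # text inside the trailing parentheses
  case $bits in ''|*[!0-9]*) return 2 ;; esac
  [ "$ktype" = "RSA" ] || return 2
  [ "$bits" -ge "$MIN_RSA_BITS" ]
}

# key_file_private KEYFILE
# 0 only for a regular file with no group/other permission bits.
key_file_private() {
  mode=$(ls -ld -- "$1" 2>/dev/null) || return 2
  case $mode in
    -???------*) return 0 ;;           # e.g. -rw-------
    *)           return 1 ;;
  esac
}

# preflight KEYFILE: both checks on a real key file (needs ssh-keygen).
preflight() {
  key_file_private "$1" || { echo "refuse: $1 is not a private regular file" >&2; return 1; }
  line=$(ssh-keygen -l -f "$1") || return 1
  rc=0; rsa_bits_ok "$line" || rc=$?
  case $rc in
    0) echo "ok: $line" ;;
    1) echo "refuse: RSA key shorter than $MIN_RSA_BITS bits" >&2; return 1 ;;
    *) echo "note: not RSA, bit-length check skipped: $line" ;;
  esac
}

# Constructed fingerprint lines (placeholder digests, not real keys).
GOOD_LINE='4096 SHA256:PLACEHOLDER config-sync@example (RSA)'
WEAK_LINE='2048 SHA256:PLACEHOLDER config-sync@example (RSA)'
rsa_bits_ok "$GOOD_LINE" && echo "GOOD_LINE accepted"
rsa_bits_ok "$WEAK_LINE" || echo "WEAK_LINE rejected"
```

Run `preflight /path/to/KEYPAIR_PRIVATE_KEY_FILENAME` before the `kubectl create secret` command when you reuse an existing key pair across clusters.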

Configure ConfigManagementFeatureSpec and ConfigManagementBinding

Next, create the ConfigManagementFeatureSpec and ConfigManagementBinding resources in your cluster:

kubectl apply -f CONFIG_MANAGEMENT_YAML --kubeconfig=ADMIN_OIDC_KUBECONFIG

Replace CONFIG_MANAGEMENT_YAML with the path to a YAML file that defines both resources, for example:

apiVersion: managementcenter.anthos.cloud.google.com/v1
kind: ConfigManagementFeatureSpec
metadata:
  name: config-management-spec-sample
  namespace: anthos-management-center
spec:
  version: "1.7.2"
  git:
    syncRepo: "git@GIT_HOST_ADDRESS:REPO_NAME.git"
    policyDir: "."
    secretType: "ssh"
    syncBranch: "master"
    syncRev: "HEAD"
    syncWait: 15
  policyController:
    enabled: true
---
apiVersion: managementcenter.anthos.cloud.google.com/v1
kind: ConfigManagementBinding
metadata:
  name: config-management-binding-sample
  namespace: anthos-management-center
spec:
  configs:
  - configRef:
      name: config-management-spec-sample
      namespace: anthos-management-center
    placement:
      clusterIDs:
      - "CLUSTER-NAME"

Replace the following:

  • GIT_HOST_ADDRESS: The host address of the Git repository.
  • REPO_NAME: The name of the Git repository.
  • CLUSTER-NAME: The name of the cluster.

Updating and upgrading

You can update or upgrade Anthos Config Management by modifying the corresponding ConfigManagementFeatureSpec.

For example, to enable the Unstructured Repo feature, update the ConfigManagementFeatureSpec:

apiVersion: managementcenter.anthos.cloud.google.com/v1
kind: ConfigManagementFeatureSpec
metadata:
  name: config-management-spec-sample
  namespace: anthos-management-center
spec:
  version: "1.7.2"
  sourceFormat: "unstructured"
  git:
    syncRepo: "git@<YOUR_GIT_HOST_ADDRESS>:<YOUR_UNSTRUCTURED_REPO>.git"
    policyDir: "."
    secretType: "ssh"
    syncBranch: "master"
    syncRev: "HEAD"
    syncWait: 15
  policyController:
    enabled: true

View Anthos Config Management status

You can view the Anthos Config Management status by querying the ConfigManagementBinding resource.

kubectl get ConfigManagementBinding -o \
jsonpath="{range .items[*].status.bindingItemStatuses[*]}{'\n'}{['clusterID', 'configRef', 'conditions']}" \
--namespace=anthos-management-center \
--kubeconfig=ADMIN_OIDC_KUBECONFIG \
| grep CLUSTER-NAME

Replace CLUSTER-NAME with the name of the cluster.

Here's example output with Anthos Config Management in a healthy state:

target-user-cluster-1 {"name":"new-spec-f75y8","namespace":"anthos-management-center"} [{"lastTransitionTime":"2021-05-27T18:06:27Z","message":"","observedGeneration":1,"reason":"Healthy","status":"True","type":"Ready"}]
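
A scripted health gate over that output, added here as an example (not part of the original page): `grep CLUSTER-NAME` is a substring match, so a query for target-user-cluster-1 would also return a line for target-user-cluster-10, whereas this check matches the cluster ID field exactly and succeeds only when the Ready condition is True. The function names and the second sample line are constructed, and the parser assumes the compact one-line format shown above.

```shell
#!/bin/sh
# Added example: health gate over the output of the status query above.
# Assumes the compact one-line-per-binding format of the sample output.

# acm_status KUBECONFIG: the page's query without the substring grep.
acm_status() {
  kubectl get ConfigManagementBinding -o \
    jsonpath="{range .items[*].status.bindingItemStatuses[*]}{'\n'}{['clusterID', 'configRef', 'conditions']}" \
    --namespace=anthos-management-center \
    --kubeconfig="$1"
}

# binding_ready CLUSTER (status lines on stdin)
# 0 = every line whose first field is exactly CLUSTER has a condition with
#     type Ready and status True; 1 = some line is not Ready; 2 = no line.
binding_ready() {
  awk -v cluster="$1" '
    $1 == cluster {
      found++
      p = index($0, " [")                # start of the conditions array
      if (!p) next                       # no conditions: counts as not Ready
      n = split(substr($0, p + 2), obj, /[}],[{]/)   # one element per condition
      for (i = 1; i <= n; i++)
        if (index(obj[i], "\"type\":\"Ready\"") &&
            index(obj[i], "\"status\":\"True\"")) { ready++; break }
    }
    END { exit (!found ? 2 : (ready == found ? 0 : 1)) }
  '
}

# Constructed sample: line 1 is the healthy output shown on the page; line 2
# is a made-up unhealthy cluster whose name contains the first as a substring.
SAMPLE_STATUS='target-user-cluster-1 {"name":"new-spec-f75y8","namespace":"anthos-management-center"} [{"lastTransitionTime":"2021-05-27T18:06:27Z","message":"","observedGeneration":1,"reason":"Healthy","status":"True","type":"Ready"}]
target-user-cluster-10 {"name":"new-spec-f75y8","namespace":"anthos-management-center"} [{"lastTransitionTime":"2021-05-27T18:06:27Z","message":"constructed","observedGeneration":1,"reason":"Constructed","status":"False","type":"Ready"}]'

# Against a live cluster (placeholders from the page):
#   acm_status ADMIN_OIDC_KUBECONFIG | binding_ready CLUSTER-NAME
printf '%s\n' "$SAMPLE_STATUS" | binding_ready target-user-cluster-1 \
  && echo "target-user-cluster-1: Ready"
```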