| 1 | +--- |
| 2 | +title: Flux bootstrap for AWS CodeCommit |
| 3 | +linkTitle: AWS CodeCommit |
| 4 | +description: "How to bootstrap Flux with AWS CodeCommit" |
| 5 | +weight: 50 |
| 6 | +--- |
| 7 | + |
| 8 | +To install Flux on an EKS cluster using a CodeCommit repository as the source of truth, |
| 9 | +you can use the [`flux bootstrap git`](generic-git-server.md) command. |
| 10 | + |
| 11 | +{{% alert color="danger" title="Required permissions" %}} |
| 12 | +To bootstrap Flux, the person running the command must have **cluster admin rights** for the target Kubernetes cluster. |
| 13 | +It is also required that the person running the command has **pull and push rights** for the CodeCommit repository. |
| 14 | +{{% /alert %}} |
| 15 | + |
| 16 | +## Bootstrap over SSH |
| 17 | + |
| 18 | +{{% alert color="info" title="Private VPC" %}} |
| 19 | +If your VPC is configured without internet access, or if you prefer that the access is over a private connection, |
| 20 | +you need to set up a VPC endpoint to access CodeCommit by following the |
| 21 | +guide [Using AWS CodeCommit with interface VPC endpoints](https://docs.aws.amazon.com/codecommit/latest/userguide/codecommit-and-interface-VPC.html). |
| 22 | +{{% /alert %}} |
| 23 | + |
| 24 | +Create a CodeCommit repository and generate a PEM-encoded RSA SSH private key |
| 25 | +with a passphrase: |
| 26 | + |
| 27 | +```sh |
| 28 | +ssh-keygen -t rsa -b 4096 -m PEM -f ./codecommit_rsa |
| 29 | +``` |
| 30 | + |
| 31 | +Upload the SSH public key to the IAM user that Flux will use to access |
| 32 | +CodeCommit: |
| 33 | + |
| 34 | +```sh |
| 35 | +aws iam upload-ssh-public-key \ |
| 36 | + --user-name codecommit-user \ |
| 37 | + --ssh-public-key-body file://codecommit_rsa.pub |
| 38 | +``` |
| 39 | + |
| 40 | +The output will contain a field called `SSHPublicKeyID`: |
| 41 | + |
| 42 | +```json |
| 43 | +{ |
| 44 | + "SSHPublicKey": { |
| 45 | + "SSHPublicKeyId": "<SSH-Key-ID>", |
| 46 | + "Fingerprint": "<fingerprint>", |
| 47 | + "SSHPublicKeyBody": "<public-key>", |
| 48 | + "Status": "Active", |
| 49 | + "UploadDate": "<timestamp>" |
| 50 | + } |
| 51 | +} |
| 52 | +``` |
| 53 | + |
| 54 | +Run bootstrap using the `SSHPublicKeyId` as the SSH username: |
| 55 | + |
| 56 | +```sh |
| 57 | +flux bootstrap git \ |
| 58 | + --url=ssh://<SSHPublicKeyId>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> \ |
| 59 | + --branch=<my-branch> \ |
| 60 | + --private-key-file=./codecommit_rsa \ |
| 61 | + --password=<key-passphrase> \ |
| 62 | + --path=clusters/my-cluster |
| 63 | +``` |
| 64 | + |
| 65 | +Do not use the IAM user name as the SSH username in the repository URL. |
| 66 | +CodeCommit expects the SSH key ID assigned to the uploaded public key. |
| 67 | + |
| 68 | +You can also pipe the passphrase e.g. `echo key-passphrase | flux bootstrap git`. |
| 69 | + |
| 70 | +The SSH private key and the known hosts keys are stored in the cluster as a Kubernetes |
| 71 | +secret named `flux-system` inside the `flux-system` namespace. |
| 72 | + |
| 73 | +For the full CodeCommit SSH setup, including where to find the SSH Key ID, see |
| 74 | +the AWS CodeCommit SSH documentation for |
| 75 | +[Linux, macOS, or Unix](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-unixes.html) |
| 76 | +and [Windows](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-windows.html). |
| 77 | + |
| 78 | +{{% alert color="info" title="SSH Key rotation" %}} |
| 79 | +To rotate the SSH key, delete the `flux-system` secret from the cluster and re-run |
| 80 | +the bootstrap command using a new PEM-encoded RSA SSH private key. |
| 81 | +{{% /alert %}} |
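Review bot: the "SSH Key rotation" alert at the end of this hunk ("delete the `flux-system` secret from the cluster and re-run the bootstrap command using a new PEM-encoded RSA SSH private key") only replaces the cluster-side secret; the previously uploaded public key stays active on the IAM user and keeps granting pull and push access to the repository until it is removed, so the alert should add a step to deactivate or delete the old key on the IAM user, for example `aws iam delete-ssh-public-key --user-name codecommit-user --ssh-public-key-id <old-SSHPublicKeyId>`, once the new key has been uploaded and bootstrap has succeeded. Two smaller points: the prose says "The output will contain a field called `SSHPublicKeyID`" while the JSON sample and the bootstrap step use `SSHPublicKeyId`, so the prose should use the same spelling; and because the passphrase is supplied as `--password=<key-passphrase>` on the command line (and the suggested `echo key-passphrase | flux bootstrap git` form puts it in the shell history just the same), a sentence pointing readers to a file or secret store as the passphrase source would help.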