flux
Flux CD on Kubernetes, including KCL-based config rendering, SOPS secret encryption, Git commit of rendered manifests, Helmfile-driven operator
install, and reconciliation waiting via the Flux CLI.
Installation
```shell
dagger install github.com/stuttgart-things/blueprints/flux@v1.85.0
```
Entrypoint
Return Type
Flux
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call
```
```go
func (m *MyModule) Example() *dagger.Flux {
	return dag.
		Flux()
}
```
```python
@function
def example() -> dagger.Flux:
    return (
        dag.flux()
    )
```
```typescript
@func()
example(): Flux {
  return dag
    .flux()
}
```
Types
Flux
fluxApplyConfig()
FluxApplyConfig applies rendered config (non-secret) manifests to the cluster.
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| configContent | String ! | - | Config YAML content |
| namespace | String | "flux-system" | Target namespace |
| kubeConfig | Secret ! | - | Kubeconfig secret for cluster access |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  flux-apply-config --config-content string --kube-config env:MYSECRET
```
```go
func (m *MyModule) Example(ctx context.Context, configContent string, kubeConfig *dagger.Secret) (string, error) {
	return dag.
		Flux().
		FluxApplyConfig(ctx, configContent, kubeConfig)
}
```
```python
@function
async def example(config_content: str, kube_config: dagger.Secret) -> str:
    return await (
        dag.flux()
        .flux_apply_config(config_content, kube_config)
    )
```
```typescript
@func()
async example(configContent: string, kubeConfig: Secret): Promise<string> {
  return dag
    .flux()
    .fluxApplyConfig(configContent, kubeConfig)
}
```
fluxApplySecrets()
FluxApplySecrets applies secret manifests to the cluster.
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| secretContent | String ! | - | Secret YAML content |
| namespace | String | "flux-system" | Target namespace |
| kubeConfig | Secret ! | - | Kubeconfig secret for cluster access |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  flux-apply-secrets --secret-content string --kube-config env:MYSECRET
```
```go
func (m *MyModule) Example(ctx context.Context, secretContent string, kubeConfig *dagger.Secret) (string, error) {
	return dag.
		Flux().
		FluxApplySecrets(ctx, secretContent, kubeConfig)
}
```
```python
@function
async def example(secret_content: str, kube_config: dagger.Secret) -> str:
    return await (
        dag.flux()
        .flux_apply_secrets(secret_content, kube_config)
    )
```
```typescript
@func()
async example(secretContent: string, kubeConfig: Secret): Promise<string> {
  return dag
    .flux()
    .fluxApplySecrets(secretContent, kubeConfig)
}
```
fluxBootstrap()
FluxBootstrap orchestrates a full Flux bootstrap lifecycle.
Phase order:
0: ValidateAgeKeyPair — fail fast on key mismatch
1: FluxRenderConfig — render all manifests
2: FluxEncryptSecrets — encrypt before committing
3: FluxCommitConfig — push to Git
4: FluxDeployOperator — install operator (Helmfile)
5: FluxApplyConfig — apply FluxInstance CR
6: FluxApplySecrets — apply AFTER operator is running
7: FluxVerifySecrets — confirm secrets exist
8: FluxWaitForReconciliation — wait for Flux to reconcile
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| ociSource | String | "ghcr.io/stuttgart-things/kcl-flux-instance:0.3.3" | OCI KCL module source for rendering Flux instance config |
| configParameters | String | - | Additional comma-separated key=value pairs for KCL parameters |
| fluxVersion | String | "2.8.5" | Flux instance version |
| entrypoint | String | "main.k" | KCL entrypoint file name |
| renderSecrets | Boolean | false | Whether KCL should also render Secret manifests |
| gitUsername | Secret | - | Git username for pull secret |
| gitPassword | Secret | - | GitHub token for git pull secret |
| sopsAgeKey | Secret | - | AGE private key for SOPS decryption (applied to cluster) |
| agePublicKey | Secret | - | AGE public key for encrypting secrets before git commit |
| sopsConfig | File | - | SOPS config file (.sops.yaml) |
| kubeConfig | Secret ! | - | Kubeconfig secret for cluster access |
| namespace | String | "flux-system" | Target namespace for Flux |
| repository | String | - | Repository in "owner/repo" format |
| branchName | String | "main" | Branch name for git operations |
| destinationPath | String | "clusters/" | Destination path within the repository |
| gitRef | String | "refs/heads/main" | Git reference for Flux source (e.g., refs/heads/main) |
| gitToken | Secret | - | GitHub token for git operations |
| helmfileRef | String | "helmfile.yaml" | Helmfile reference |
| src | Directory | - | Directory containing the helmfile |
| applySecrets | Boolean | true | Apply rendered secrets to cluster |
| encryptSecrets | Boolean | false | Encrypt secrets with SOPS before git commit |
| commitToGit | Boolean | false | Commit rendered config to git |
| deployOperator | Boolean | true | Deploy Flux operator via Helmfile |
| waitForReconciliation | Boolean | true | Wait for Flux reconciliation |
| reconciliationTimeout | String | "5m" | Timeout for reconciliation check |
| applyConfig | Boolean | false | Apply rendered config to cluster |
| fluxCliImage | String | "ghcr.io/fluxcd/flux-cli:v2.8.5" | Flux CLI container image |
| operatorVersion | String | "0.47.0" | Flux operator version for Helmfile state values |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  flux-bootstrap --kube-config env:MYSECRET
```
```go
func (m *MyModule) Example(ctx context.Context, kubeConfig *dagger.Secret) (string, error) {
	return dag.
		Flux().
		FluxBootstrap(ctx, kubeConfig)
}
```
```python
@function
async def example(kube_config: dagger.Secret) -> str:
    return await (
        dag.flux()
        .flux_bootstrap(kube_config)
    )
```
```typescript
@func()
async example(kubeConfig: Secret): Promise<string> {
  return dag
    .flux()
    .fluxBootstrap(kubeConfig)
}
```
fluxCommitConfig()
FluxCommitConfig commits rendered config and optional secrets to a Git repository.
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| configContent | String ! | - | Config YAML content to commit |
| repository | String ! | - | Repository in "owner/repo" format |
| branchName | String | "main" | Branch name for git operations |
| destinationPath | String | "clusters/" | Destination path within the repository |
| gitToken | Secret ! | - | GitHub token for git operations |
| secretsContent | String | - | Optional secrets YAML content to include in the commit |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  flux-commit-config --config-content string --repository string --git-token env:MYSECRET
```
```go
func (m *MyModule) Example(ctx context.Context, configContent string, repository string, gitToken *dagger.Secret) (string, error) {
	return dag.
		Flux().
		FluxCommitConfig(ctx, configContent, repository, gitToken)
}
```
```python
@function
async def example(config_content: str, repository: str, git_token: dagger.Secret) -> str:
    return await (
        dag.flux()
        .flux_commit_config(config_content, repository, git_token)
    )
```
```typescript
@func()
async example(configContent: string, repository: string, gitToken: Secret): Promise<string> {
  return dag
    .flux()
    .fluxCommitConfig(configContent, repository, gitToken)
}
```
fluxDeployOperator()
FluxDeployOperator deploys the Flux operator via Helmfile.
Return Type
Void !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| kubeConfig | Secret ! | - | Kubeconfig secret for cluster access |
| helmfileRef | String | "helmfile.yaml" | Helmfile reference |
| src | Directory | - | Directory containing the helmfile |
| stateValues | String | - | Comma-separated key=value pairs for --state-values-set (e.g., "version=0.42.1") |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  flux-deploy-operator --kube-config env:MYSECRET
```
```go
func (m *MyModule) Example(ctx context.Context, kubeConfig *dagger.Secret) error {
	return dag.
		Flux().
		FluxDeployOperator(ctx, kubeConfig)
}
```
```python
@function
async def example(kube_config: dagger.Secret) -> None:
    return await (
        dag.flux()
        .flux_deploy_operator(kube_config)
    )
```
```typescript
@func()
async example(kubeConfig: Secret): Promise<void> {
  return dag
    .flux()
    .fluxDeployOperator(kubeConfig)
}
```
fluxDestroy()
FluxDestroy tears down Flux from a cluster.
Phase order:
0: Delete FluxInstance CR
1: Delete Flux secrets
2: Uninstall Flux operator (Helmfile destroy)
3: Delete flux-system namespace
Usage:
dagger call flux-destroy --kube-config file:///tmp/kubeconfig
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| kubeConfig | Secret ! | - | Kubeconfig secret for cluster access |
| namespace | String | "flux-system" | Target namespace |
| helmfileRef | String | "helmfile.yaml" | Helmfile reference for Flux operator |
| src | Directory | - | Directory containing the helmfile |
| operatorVersion | String | "0.42.1" | Flux operator version for Helmfile state values |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  flux-destroy --kube-config env:MYSECRET
```
```go
func (m *MyModule) Example(ctx context.Context, kubeConfig *dagger.Secret) (string, error) {
	return dag.
		Flux().
		FluxDestroy(ctx, kubeConfig)
}
```
```python
@function
async def example(kube_config: dagger.Secret) -> str:
    return await (
        dag.flux()
        .flux_destroy(kube_config)
    )
```
```typescript
@func()
async example(kubeConfig: Secret): Promise<string> {
  return dag
    .flux()
    .fluxDestroy(kubeConfig)
}
```
fluxEncryptSecrets()
FluxEncryptSecrets encrypts secret YAML content with SOPS using the given AGE public key.
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| secretContent | String ! | - | Plain-text secret YAML content |
| agePublicKey | Secret ! | - | AGE public key for encryption |
| sopsConfig | File | - | SOPS config file (.sops.yaml) |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  flux-encrypt-secrets --secret-content string --age-public-key env:MYSECRET
```
```go
func (m *MyModule) Example(ctx context.Context, secretContent string, agePublicKey *dagger.Secret) (string, error) {
	return dag.
		Flux().
		FluxEncryptSecrets(ctx, secretContent, agePublicKey)
}
```
```python
@function
async def example(secret_content: str, age_public_key: dagger.Secret) -> str:
    return await (
        dag.flux()
        .flux_encrypt_secrets(secret_content, age_public_key)
    )
```
```typescript
@func()
async example(secretContent: string, agePublicKey: Secret): Promise<string> {
  return dag
    .flux()
    .fluxEncryptSecrets(secretContent, agePublicKey)
}
```
fluxRenderConfig()
FluxRenderConfig renders the Flux instance configuration using a KCL module. Returns the full rendered YAML (multi-document).
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| ociSource | String | "ghcr.io/stuttgart-things/kcl-flux-instance:0.3.3" | OCI KCL module source |
| configParameters | String ! | - | Comma-separated key=value pairs for KCL parameters |
| entrypoint | String | "main.k" | KCL entrypoint file name |
| renderSecrets | Boolean | false | Whether KCL should also render Secret manifests |
| gitUsername | Secret | - | Git username for pull secret |
| gitPassword | Secret | - | GitHub token for git pull secret |
| sopsAgeKey | Secret | - | AGE private key for SOPS decryption (applied to cluster) |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  flux-render-config --config-parameters string
```
```go
func (m *MyModule) Example(ctx context.Context, configParameters string) (string, error) {
	return dag.
		Flux().
		FluxRenderConfig(ctx, configParameters)
}
```
```python
@function
async def example(config_parameters: str) -> str:
    return await (
        dag.flux()
        .flux_render_config(config_parameters)
    )
```
```typescript
@func()
async example(configParameters: string): Promise<string> {
  return dag
    .flux()
    .fluxRenderConfig(configParameters)
}
```
fluxVerifySecrets()
FluxVerifySecrets auto-extracts secret names from the YAML and verifies they exist in the cluster.
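The name extraction described here and the encrypt-before-commit ordering of fluxBootstrap phases 2 and 3 both operate on the rendered multi-document YAML. The following Go code is an added example, not the module's own code: it lists each Secret document by name and reports whether it carries a top-level `sops:` block, so a caller can refuse to commit plaintext. The type and function names, the regular-expression parsing, and the sample manifests are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// SecretDoc is one `kind: Secret` document from a multi-document YAML stream.
type SecretDoc struct {
	Name      string
	Encrypted bool // document has a top-level `sops:` metadata block
}

var (
	docSep = regexp.MustCompile(`(?m)^---[ \t]*$`)
	kindRe = regexp.MustCompile(`(?m)^kind:[ \t]*Secret[ \t]*$`)
	sopsRe = regexp.MustCompile(`(?m)^sops:[ \t]*$`)
	// First `name:` key found in the indented block under `metadata:`.
	nameRe = regexp.MustCompile(`(?m)^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*"?([^"\s]+)`)
)

// ScanSecrets reports every Secret document; other kinds are skipped.
func ScanSecrets(stream string) []SecretDoc {
	var out []SecretDoc
	for _, doc := range docSep.Split(stream, -1) {
		if !kindRe.MatchString(doc) {
			continue
		}
		s := SecretDoc{Encrypted: sopsRe.MatchString(doc)}
		if m := nameRe.FindStringSubmatch(doc); m != nil {
			s.Name = m[1]
		}
		out = append(out, s)
	}
	return out
}

// Constructed sample: a FluxInstance, a plaintext Secret, a SOPS-encrypted Secret.
const Sample = "kind: FluxInstance\nmetadata:\n  name: flux\n---\n" +
	"kind: Secret\nmetadata:\n  name: git-auth\nstringData:\n  password: constructed-token\n---\n" +
	"kind: Secret\nmetadata:\n  namespace: flux-system\n  name: sops-age\n" +
	"stringData:\n  age.agekey: ENC[AES256_GCM,data:Y29uc3RydWN0ZWQ=,type:str]\nsops:\n  version: 3.9.0\n"

func main() {
	for _, s := range ScanSecrets(Sample) {
		fmt.Printf("%-10s encrypted=%v\n", s.Name, s.Encrypted)
	}
}
```

The check treats a top-level `sops:` block as the marker of encryption; it does not validate the SOPS MAC or confirm that every value is an `ENC[...]` string.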
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| secretContent | String ! | - | Secret YAML content (multi-document) |
| namespace | String | "flux-system" | Target namespace |
| kubeConfig | Secret ! | - | Kubeconfig secret for cluster access |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  flux-verify-secrets --secret-content string --kube-config env:MYSECRET
```
```go
func (m *MyModule) Example(ctx context.Context, secretContent string, kubeConfig *dagger.Secret) (string, error) {
	return dag.
		Flux().
		FluxVerifySecrets(ctx, secretContent, kubeConfig)
}
```
```python
@function
async def example(secret_content: str, kube_config: dagger.Secret) -> str:
    return await (
        dag.flux()
        .flux_verify_secrets(secret_content, kube_config)
    )
```
```typescript
@func()
async example(secretContent: string, kubeConfig: Secret): Promise<string> {
  return dag
    .flux()
    .fluxVerifySecrets(secretContent, kubeConfig)
}
```
fluxWaitForReconciliation()
FluxWaitForReconciliation runs flux check with retry, reconciles sources, and gets all Flux resources.
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| namespace | String | "flux-system" | Target namespace |
| kubeConfig | Secret ! | - | Kubeconfig secret for cluster access |
| reconciliationTimeout | String | "5m" | Timeout for reconciliation check |
| fluxCliImage | String | "ghcr.io/fluxcd/flux-cli:v2.8.3" | Flux CLI container image |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  flux-wait-for-reconciliation --kube-config env:MYSECRET
```
```go
func (m *MyModule) Example(ctx context.Context, kubeConfig *dagger.Secret) (string, error) {
	return dag.
		Flux().
		FluxWaitForReconciliation(ctx, kubeConfig)
}
```
```python
@function
async def example(kube_config: dagger.Secret) -> str:
    return await (
        dag.flux()
        .flux_wait_for_reconciliation(kube_config)
    )
```
```typescript
@func()
async example(kubeConfig: Secret): Promise<string> {
  return dag
    .flux()
    .fluxWaitForReconciliation(kubeConfig)
}
```
validateAgeKeyPair()
ValidateAgeKeyPair derives the public key from the given AGE private key and verifies it matches the provided public key. Fails fast on mismatch.
Usage:
dagger call validate-age-key-pair --sops-age-key env:SOPS_AGE_KEY --age-public-key env:AGE_PUB
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| sopsAgeKey | Secret ! | - | AGE private key |
| agePublicKey | Secret ! | - | AGE public key to validate against |
Example
```shell
dagger -m github.com/stuttgart-things/blueprints/flux@9f64ba8d3e0c17a0a05750b07b92c54252dd03ae call \
  validate-age-key-pair --sops-age-key env:MYSECRET --age-public-key env:MYSECRET
```
```go
func (m *MyModule) Example(ctx context.Context, sopsAgeKey *dagger.Secret, agePublicKey *dagger.Secret) (string, error) {
	return dag.
		Flux().
		ValidateAgeKeyPair(ctx, sopsAgeKey, agePublicKey)
}
```
```python
@function
async def example(sops_age_key: dagger.Secret, age_public_key: dagger.Secret) -> str:
    return await (
        dag.flux()
        .validate_age_key_pair(sops_age_key, age_public_key)
    )
```
```typescript
@func()
async example(sopsAgeKey: Secret, agePublicKey: Secret): Promise<string> {
  return dag
    .flux()
    .validateAgeKeyPair(sopsAgeKey, agePublicKey)
}
```