Create a Tenant GSL Project
  • 21 Mar 2024


Tenants interact with the Greymatter GitOps pipeline through projects. Tenant projects are created with the Greymatter CLI’s init command.

This guide will show you how to create a tenant project using the Greymatter CLI. At the end of the guide, you will have a newly generated project with its application edge node and sync service running inside the mesh.

Walkthrough

Prerequisites

  • A Greymatter v1.8.x installation.

  • The Greymatter CLI.

  • A Git repository.

  • Git credentials in the form of an SSH key or an HTTP API token.

You must reach out to your mesh administrator to coordinate tenant project creation so that they can include your assigned namespace in the operator’s watch list.

Tenant Initialization

Navigate to the directory where you want to store the project configurations and run:

greymatter init --git-remote <git repo URL> <project name>

The Greymatter project name and the Kubernetes namespace must match.

The --git-remote flag (or the shorter -r) injects the Git repository URL into the sync manifests. The URL should be in either SSH or HTTP format.

Greymatter uses SSH for cloning operations by default but also accommodates HTTPS.

The flag is optional, but if you omit it, Sync will crash on startup. For guidance on modifying or adding the repository later, please refer to this article.

After running the command, the contents of your project directory will look like:

├── .greymatter
├── README.md
├── TUTORIAL.md
├── cue.mod
├── greymatter
│   ├── policies
│   ├── core
│   │   └── edge.cue
│   ├── globals.cue
│   └── <project name>
└── k8s
    ├── manifests.yaml
    └── sync.yaml

At this point, you should commit and push your changes to finish initialization.

Deploy Project Resources

To ready the environment for deployment, you must configure certificates (optional for TLS or mTLS deployments) and provide your sync git credentials (required).

Create Git Credential Secret

For the sync service to clone and watch the tenant Git repository, it requires credentials. The type of credentials depends on whether your repository is configured for SSH or HTTPS. By default, this guide assumes your Git provider is set up for SSH.

If you want to use HTTPS authentication, skip this section and follow this guide.

Before creating the secret, you must acquire SSH credentials with read permissions for the tenant repository. SSH also requires a known hosts file containing your Git provider’s public key.

Create the greymatter-sync-secret secret:

kubectl create secret generic greymatter-sync-secret \
    --from-file=ssh-private-key=</path/to/key/file> \
    --from-file=known_hosts=</path/to/known/hosts> \
    -n <project namespace>
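Before running the command above, the three inputs it depends on (matching project and namespace, a private key readable only by its owner, and a known hosts entry for the Git host) can be checked locally. The following is an added example, not part of the Greymatter documentation or tooling; the function names, host names and sample files are assumptions, and it covers SSH remotes only.

```shell
#!/bin/sh
# Added example: preflight checks to run before `kubectl create secret`.
# Function names, paths and sample data are assumptions, not Greymatter tooling.

# Host part of an SSH remote: git@host:org/repo.git or ssh://git@host[:port]/path
remote_host() {
  rh=${1#ssh://}; rh=${rh#*@}; rh=${rh%%[:/]*}
  printf '%s\n' "$rh"
}

# Pass only if the file is a private key with no group/other permissions.
check_key() {
  [ -f "$1" ] || { echo "missing key file: $1" >&2; return 1; }
  head -n 1 "$1" | grep -q 'PRIVATE KEY-----' ||
    { echo "$1 is not a private key (public key passed?)" >&2; return 1; }
  # Characters 5-10 of the ls mode string are the group and other bits.
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
    { echo "$1 is accessible beyond its owner; chmod 600" >&2; return 1; }
}

# Pass if known_hosts has a plain (unhashed) entry for the remote's host.
check_known_hosts() {
  awk -v h="$(remote_host "$1")" '
    /^[#|@]/ || NF < 3 { next }   # comments, hashed entries, markers, junk
    { n = split($1, names, ",")   # field 1 is a comma-separated host list
      for (i = 1; i <= n; i++) {
        name = names[i]; sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)
        if (name == h) found = 1 } }
    END { exit !found }' "$2"
}

# usage: preflight <project> <namespace> <remote> <key> <known_hosts>
preflight() {
  [ "$1" = "$2" ] || { echo "project $1 and namespace $2 differ" >&2; return 1; }
  check_key "$4" || return 1
  check_known_hosts "$3" "$5" ||
    { echo "known_hosts has no entry for $(remote_host "$3")" >&2; return 1; }
  echo "preflight ok for namespace $2"
}

# Constructed sample input: placeholder key text and host key, not real material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder' \
  '-----END OPENSSH PRIVATE KEY-----' > "$demo/id_ed25519"
chmod 600 "$demo/id_ed25519"
echo '[git.example.com]:2222 ssh-ed25519 AAAAconstructedplaceholder' > "$demo/known_hosts"
preflight tenant-a tenant-a ssh://git@git.example.com:2222/org/repo.git \
  "$demo/id_ed25519" "$demo/known_hosts"
```

A known hosts file that contains only hashed entries fails the host check, because hashed names cannot be compared without the host's salt.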

If the SSH key is password-protected, you need to provide Sync with the password. Create another secret with the SSH key's password:

kubectl create secret generic sync-ssh-passphrase --from-literal=passphrase=<password> -n <project namespace>

Open Sync's manifest file found at k8s/sync.yaml and add this YAML block to the env array:

env:
- name: GREYMATTER_SSH_PASSPHRASE
  valueFrom:
    secretKeyRef:
      # Secret created in the previous step
      name: sync-ssh-passphrase
      key: passphrase
      optional: true

This allows Kubernetes to write the value in the Secret into the Pod's environment.

Apply the manifests

You are now ready to deploy the manifests for the edge proxy and sync.

kubectl apply -f ./k8s

