Skip to content


Proper namespace

Git repos are added to the Fleet manager using the GitRepo custom resource type. The GitRepo type is namespaced. If you are using Fleet in a single cluster style the namespace will always be fleet-local. For a multi-cluster style please ensure you use the correct repo that will map to the right target clusters.

Create GitRepo instance

Git repositories are register by creating a GitRepo following the below YAML sample. Refer to the inline comments as the means of each field

kind: GitRepo
  # Any name can be used here
  name: my-repo
  # For single cluster use fleet-local, otherwise use the namespace of
  # your choosing
  namespace: fleet-local
  # This can be a HTTPS or git URL.  If you are using a git URL then
  # clientSecretName will probably need to be set to supply a credential.
  # repo is the only required parameter for a repo to be monitored.

  # Enforce all resources go to this target namespace. If a cluster scoped
  # resource is found the deployment will fail.
  # targetNamespace: app1

  # Any branch can be watched, this field is optional. If not specified the
  # branch is assumed to be master
  # branch: master

  # A specific commit or tag can also be watched.
  # revision: v0.3.0

  # For a private registry you must supply a clientSecretName. A default
  # secret can be set at the namespace level using the BundleRestriction
  # type. Secrets must be of the type "" or
  # "". The secret is assumed to be in the
  # same namespace as the GitRepo
  # clientSecretName: my-ssh-key
  # If fleet.yaml contains a private Helm repo that requires authentication,
  # provide the credentials in a K8s secret and specify them here. Details are provided
  # in the fleet.yaml documentation.
  # helmSecretName: my-helm-secret
  # To add additional ca-bundle for self-signed certs, caBundle can be 
  # filled with base64 encoded pem data. For example: 
  # `cat /path/to/ca.pem | base64 -w 0` 
  # caBundle: my-ca-bundle
  # Disable SSL verification for git repo
  # insecureSkipTLSVerify: true
  # A git repo can read multiple paths in a repo at once.
  # The below field is expected to be an array of paths and
  # supports path globbing (ex: some/*/path)
  # Example:
  # paths:
  # - single-path
  # - multiple-paths/*
  - simple

  # The service account that will be used to perform this deployment.
  # This is the name of the service account that exists in the
  # downstream cluster in the fleet-system namespace. It is assumed
  # this service account already exists so it should be create before
  # hand, most likely coming from another git repo registered with
  # the Fleet manager.
  # serviceAccount: moreSecureAccountThanClusterAdmin

  # Target clusters to deploy to if running Fleet in a multi-cluster
  # style. Refer to the "Mapping to Downstream Clusters" docs for
  # more information.
  # targets: ...

Adding private repository

Fleet supports both http and ssh auth key for private repository. To use this you have to create a secret in the same namespace.

For example, to generate a private ssh key

ssh-keygen -t rsa -b 4096 -m pem -C "[email protected]"

Note: The private key format has to be in EC PRIVATE KEY, RSA PRIVATE KEY or PRIVATE KEY and should not contain a passphase.

Put your private key into secret:

kubectl create secret generic $name -n $namespace --from-file=ssh-privatekey=/file/to/private/key 


Private key with passphrase is not supported.

Fleet supports putting known_hosts into ssh secret. Here is an example of how to add it:

Fetch the public key hash(take github as an example)

ssh-keyscan -H

And add it into secret:

apiVersion: v1
kind: Secret
  name: ssh-key
  ssh-privatekey: <private-key>
  known_hosts: |-
    |1|YJr1VZoi6dM0oE+zkM0do3Z04TQ=|7MclCn1fLROZG+BgR4m1r8TLwWc= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==


If you don't add it any server's public key will be trusted and added. (ssh -o stricthostkeychecking=accept-new will be used)


If you are using openssh format for the private key and you are creating it in the UI, make sure a carriage return is appended in the end of the private key.


Fleet deployment stuck in modified state

When you deploy bundles to Fleet, some of the components are modified, and this causes the "modified" flag in the Fleet environment.

To ignore the modified flag for the differences between the Helm install generated by fleet.yaml and the resource in your cluster, add a diff.comparePatches to the fleet.yaml for your Deployment, as shown in this example:

defaultNamespace: <namespace name> 
  releaseName: <release name>  
  repo: <repo name> 
  chart: <chart name>
  - apiVersion: apps/v1
    kind: Deployment
    - {"op":"remove", "path":"/spec/template/spec/hostNetwork"}
    - {"op":"remove", "path":"/spec/template/spec/nodeSelector"}
    jsonPointers: # jsonPointers allows to ignore diffs at certain json path
    - "/spec/template/spec/priorityClassName"
    - "/spec/template/spec/tolerations" 

To determine which operations should be removed, observe the logs from fleet-agent on the target cluster. You should see entries similar to the following:

level=error msg="bundle monitoring-monitoring: deployment.apps monitoring/monitoring-monitoring-kube-state-metrics modified {\"spec\":{\"template\":{\"spec\":{\"hostNetwork\":false}}}}"

Based on the above log, you can add the following entry to remove the operation:

{"op":"remove", "path":"/spec/template/spec/hostNetwork"}