Flux bootstrapping succeeds but subsequent syncing using SSH fail.

[vijayansarathy]

Hi,
I am trying to bootstrap two EKS clusters with Flux in two separate AWS Regions and sync their state from the same Git repository, hosted on GitHub enterprise (github.cicd.mycompany.com). Everything works fine with the EKS cluster in US-EAST-1. When doing the same for the cluster in US-WEST-2, the following operations during bootstrapping phase works OK. That is,

1. Flux controllers are successfully deployed to the cluster and are in a running state
2. YAML manifests for the GitOps Toolkit (gotk-*.yaml) files are pushed to the clusters/CLUSTER_NAME/flux-system directory in the Git repo
3. SSH public key is added to the Git repo.

Following that, during the syncing phase. when the Flux source controller tries to checkout the latest revision from the Git repo, it fails with the following error:

failed to checkout and determine revision: unable to clone 'ssh://[email protected]/ratings/spratings-gitops-hub.git': dial tcp 10.164.129.59:22: connect: connection timed out"

Looks like there is some firewall issue, perhaps, that is blocking access to port 22 when Flux tries to clone the Git repo from the cluster in US-WEST-2. But, how is Flux able to push the gotk-*.yaml manifests to the repository in the first place? Is that not done using SSH an by some other means using the PAT that we provide? Can someone please explain this?

Thanks,
Viji

[stefanprodan]

But, how is Flux able to push the gotk-*.yaml manifests to the repository in the first place?

The Flux CLI that commits the manifests to Git runs on your computer, while the Flux source-controller runs on the cluster. So either the firewall allows your computer and denies the cluster, or the cluster has some egress filter that blocks SSH.

[vijayansarathy]

Thanks @stefanprodan
I lost sight of the fact that the Flux installation happens from outside the cluster.
Thanks for the clarification. Let me look into whether there are any firewall rules blocking SSH access to Git.