@armory-gists
Last active December 4, 2020 20:06
Files for configuring mTLS in the Armory Agent for Kubernetes
---
# SpinnakerService patch for the Armory Operator: load the Armory Agent
# (kubesvc) plugin into Clouddriver, expose Clouddriver's gRPC port and mount
# the server-side TLS material that the kubesvc profile references.
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:
    profiles:
      clouddriver:
        spinnaker:
          extensibility:
            # Directory Clouddriver scans for plugins; the deployment patch
            # below mounts the plugin volume at this same path.
            pluginsRootPath: /opt/clouddriver/lib/plugins
            plugins:
              Armory.Kubesvc:
                enabled: true
  kustomize:
    clouddriver:
      service:
        patchesStrategicMerge:
          - |
            spec:
              ports:
                - name: http
                  port: 7002
                # gRPC port the agents dial; it is the one secured with mTLS.
                - name: grpc
                  port: 9091
      deployment:
        patchesStrategicMerge:
          - |
            spec:
              template:
                spec:
                  initContainers:
                    # Presumably populates /opt/plugin/target (the shared
                    # emptyDir) with the plugin jar before Clouddriver starts.
                    # NOTE(review): replace <release> with a specific version —
                    # pinning a digest is preferable for supply-chain integrity.
                    - name: kubesvc-plugin
                      image: docker.io/armory/kubesvc-plugin:<release>
                      volumeMounts:
                        - name: kubesvc-plugin-vol
                          mountPath: /opt/plugin/target
                  containers:
                    - name: clouddriver
                      volumeMounts:
                        - name: kubesvc-plugin-vol
                          mountPath: /opt/clouddriver/lib/plugins
                        # Server cert/key for the kubesvc gRPC listener. The
                        # Secret must carry tls.crt and tls.key — those are
                        # the paths the clouddriver kubesvc profile points at.
                        - name: cert
                          mountPath: /opt/clouddriver/cert
                  volumes:
                    - name: kubesvc-plugin-vol
                      emptyDir: {}
                    - name: cert
                      secret:
                        secretName: <your-secret-name>
---
# SpinnakerService profile: enable TLS on the kubesvc gRPC server inside
# Clouddriver and require every agent to present a trusted client
# certificate (mTLS).
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:
    profiles:
      clouddriver:
        # Option reference: https://docs.armory.io/docs/installation/armory-agent/agent-options/
        kubesvc:
          cluster: redis
          grpc:
            server:
              security:
                enabled: true
                # PEM file with the server certificate chain (one or more certs).
                certificateChain: file:///opt/clouddriver/cert/tls.crt
                # Trust store used to verify agent client certificates. Here it
                # is the same file as the server chain, so it only works if
                # tls.crt also contains the CA that signed the agent certs.
                # NOTE(review): if tls.crt holds just the server leaf, every
                # agent will be rejected under clientAuth REQUIRE — mount the
                # signing CA on its own and reference it here instead.
                trustCertCollection: file:///opt/clouddriver/cert/tls.crt
                privateKey: file:///opt/clouddriver/cert/tls.key
                # REQUIRE rejects any connection without a trusted client cert;
                # keep it, otherwise the server side of mTLS is optional.
                clientAuth: REQUIRE
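---
# Armory Agent (kubesvc) Deployment that talks to Clouddriver over mTLS.
# The agent's client cert/key are mounted from a Secret under /opt/kubesvc/cert;
# the kubesvc config that references them (agent.crt / agent.key) is mounted
# from the kubesvc-config ConfigMap at /opt/spinnaker/config.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spin-kubesvc
  labels:
    app: spin
    cluster: spin-kubesvc
    app.kubernetes.io/name: kubesvc
    app.kubernetes.io/part-of: spinnaker
spec:
  replicas: 1
  selector:
    matchLabels:
      app: spin
      cluster: spin-kubesvc
  template:
    metadata:
      labels:
        app: spin
        cluster: spin-kubesvc
        app.kubernetes.io/name: kubesvc
        app.kubernetes.io/part-of: spinnaker
    spec:
      # Uncomment when the image is pulled from a private registry.
      # imagePullSecrets:
      #   - name: regcred
      #
      # `serviceAccountName` is the current field; `serviceAccount` (used
      # previously here) is deprecated in the PodSpec. This is presumably the
      # identity used by accounts that set `serviceAccount: true`.
      serviceAccountName: kubesvc
      restartPolicy: Always
      containers:
        - name: kubesvc
          # NOTE(review): an untagged image resolves to `latest`, and with
          # IfNotPresent the node keeps whatever was cached — pin a release tag
          # or digest so the deployed agent version is reproducible.
          image: armory/kubesvc
          imagePullPolicy: IfNotPresent
          env:
            # Very verbose gRPC logging is useful while debugging the TLS
            # handshake; lower it in production — the output is noisy and may
            # carry connection details you don't want in shared logs.
            - name: GRPC_GO_LOG_SEVERITY_LEVEL
              value: INFO
            - name: GRPC_GO_LOG_VERBOSITY_LEVEL
              value: "9999"
          ports:
            - name: health
              containerPort: 8082
              protocol: TCP
            - name: metrics
              containerPort: 8008
              protocol: TCP
          readinessProbe:
            httpGet:
              port: health
              path: /health
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          resources:
            requests:
              cpu: 200m
              memory: 500Mi
            limits:
              cpu: 1000m
              memory: 1Gi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - name: volume-kubesvc-config
              mountPath: /opt/spinnaker/config
            # Agent client certificate and key (agent.crt / agent.key in the
            # kubesvc config).
            - name: armoryagentcert
              mountPath: /opt/kubesvc/cert
            # Intended location for the Clouddriver CA (`cacertFile`); the
            # gist author recorded that this was not honored as of Nov 2020.
            - name: clouddrivercacert
              mountPath: /opt/kubesvc/cacert
            # Workaround for the above: overlay the container's /etc/ssl with a
            # Secret so the CA is picked up as a system root instead.
            # NOTE(review): this hides everything the image shipped under
            # /etc/ssl, so any other outbound TLS the agent makes will
            # presumably trust only what this Secret contains — and if the same
            # Secret also holds agent.key, the private key lands under /etc/ssl
            # too. Use a dedicated CA-only Secret here, or a subPath mount of
            # a single bundle file, rather than the agent cert Secret.
            - name: certpem
              mountPath: /etc/ssl
      volumes:
        - name: volume-kubesvc-config
          configMap:
            name: kubesvc-config
        - name: armoryagentcert
          secret:
            secretName: <your-secret-name>
        # Not honored as of Nov 2020 (see the cacert mount note above).
        - name: clouddrivercacert
          secret:
            secretName: <your-secret-name>
        - name: certpem
          secret:
            secretName: <your-secret-name>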
---
# Armory Agent (kubesvc) Deployment for clusters that reach Clouddriver
# through an HTTP(S) proxy. Target accounts come from kubeconfig files in the
# kubeconfigs-secret Secret mounted at /kubeconfigfiles.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spin-kubesvc
  labels:
    app: spin
    cluster: spin-kubesvc
    app.kubernetes.io/name: kubesvc
    app.kubernetes.io/part-of: spinnaker
spec:
  replicas: 1
  selector:
    matchLabels:
      app: spin
      cluster: spin-kubesvc
  template:
    metadata:
      labels:
        app: spin
        cluster: spin-kubesvc
        app.kubernetes.io/name: kubesvc
        app.kubernetes.io/part-of: spinnaker
    spec:
      restartPolicy: Always
      containers:
        - name: kubesvc
          # NOTE(review): untagged image resolves to `latest`; pin a release
          # tag or digest so the running agent version is reproducible.
          image: armory/kubesvc
          imagePullPolicy: IfNotPresent
          env:
            # Proxy for the agent's outbound connections. NOTE(review): with
            # HTTPS_PROXY set, the gRPC dial to Clouddriver and the calls to each
            # kubeconfig's API server presumably also go through the proxy unless
            # NO_PROXY excludes them — confirm that is intended for in-cluster
            # targets.
            - name: HTTP_PROXY
              value: <proxyaddress:proxyport>
            - name: HTTPS_PROXY
              value: <proxyaddress:proxyport>
          ports:
            - name: health
              containerPort: 8082
              protocol: TCP
            - name: metrics
              containerPort: 8008
              protocol: TCP
          readinessProbe:
            httpGet:
              port: health
              path: /health
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - name: volume-kubesvc-config
              mountPath: /opt/spinnaker/config
            # Kubeconfig files referenced by `kubeconfigFile:` account entries.
            - name: volume-kubesvc-kubeconfigs
              mountPath: /kubeconfigfiles
      volumes:
        - name: volume-kubesvc-config
          configMap:
            name: kubesvc-config
        - name: volume-kubesvc-kubeconfigs
          secret:
            secretName: kubeconfigs-secret
            # 420 decimal == 0644. These files carry cluster credentials;
            # NOTE(review): consider a tighter mode (e.g. 0440 plus an fsGroup
            # matching the container user) if the image runs as non-root.
            defaultMode: 420
---
# Service exposing the agent's Prometheus metrics port (8008).
# NOTE(review): nothing in this manifest adds authentication in front of the
# metrics endpoint; restrict reachability (e.g. NetworkPolicy) on shared
# clusters.
apiVersion: v1
kind: Service
metadata:
  name: kubesvc-metrics
  labels:
    app: spin
    cluster: spin-kubesvc
spec:
  selector:
    app: spin
    cluster: spin-kubesvc
  ports:
    - name: metrics
      port: 8008
      targetPort: metrics
      protocol: TCP
# kubesvc.yml — Armory Agent configuration, mTLS variant.
# Delivered to the agent pod via the kubesvc-config ConfigMap mounted at
# /opt/spinnaker/config.
kubernetes:
  accounts:
    # serviceAccount: true presumably makes the agent use the pod's own
    # ServiceAccount for the cluster it runs in (no kubeconfig needed).
    - name: armory-sales-dev
      serviceAccount: true
      # Per-account permissions (commented out, so defaults apply).
      # permissions:
      #   WRITE:
      #     - APPDEV_TEAMA
      #   READ:
    # Add further accounts here; /kubeconfigfiles is the path where kubeconfig
    # files added to kustomization.yaml are mounted.
    # - name: account1
    #   kubeconfigFile: /kubeconfigfiles/kubecfg-test.yml
    #   metrics: false
    #   kinds: []
    #   omitKinds: []

clouddriver:
  # Clouddriver gRPC endpoint (host:port) the agent dials.
  grpc: vincent-clouddriver.se.armory.io:443
  # Presumably false = TLS on the wire; the tls block supplies the client identity.
  insecure: false
  tls:
    # Override the server name verified against the server cert
    # (e.g. my-ca vs the dialed vincent-... host).
    # serverName: my-ca
    # Keep false: true skips verification of Clouddriver's certificate
    # entirely, which removes the server-authentication half of mTLS.
    insecureSkipVerify: false
    # Agent private key and client certificate presented for mTLS.
    clientKeyFile: /opt/kubesvc/cert/agent.key
    # clientKeyPassword:   # set if the key file is password protected
    clientCertFile: /opt/kubesvc/cert/agent.crt
    # CA used to validate Clouddriver's certificate. Left unset here — the
    # author found the option was not honored as of Nov 2020 — so validation
    # presumably falls back to the container's system roots, which is why the
    # mTLS Deployment overlays /etc/ssl with the CA.
    # cacertFile: /opt/kubesvc/cacert/ca.crt
    # certFile:   # deprecated

# OPTIONAL
# server:
#   port: 8082

prometheus:
  enabled: true
  # port: 8008
# kubesvc.yml — Armory Agent configuration, minimal in-cluster variant
# (no accounts, no TLS settings).
kubernetes:
  accounts: []
  # Add your accounts here; /kubeconfigfiles is the path where kubeconfig
  # files added to kustomization.yaml are mounted.
  # - name: account1
  #   kubeconfigFile: /kubeconfigfiles/kubecfg-test.yml
  #   metrics: false
  #   kinds: []
  #   omitKinds: []
  # You can add all the other fields from clouddriver settings, they'll be ignored.
  #
  # NOTE(review): indentation was lost in the gist; `noProxy` is placed under
  # `kubernetes` here — confirm the key's level against the agent-options doc.
  noProxy: true

clouddriver:
  # In-cluster Clouddriver gRPC Service. NOTE(review): no `insecure` / `tls`
  # keys are set, so whether this dials TLS or plaintext depends on the
  # agent's default; if Clouddriver runs with grpc.server.security.enabled and
  # clientAuth REQUIRE (as in the profile in this gist), this config needs the
  # tls block as well or the agent will not be admitted.
  grpc: spin-clouddriver-grpc:9091

server:
  port: 8082

prometheus:
  enabled: true