Files for configuring mTLS in the Armory Agent for Kubernetes (https://docs.armory.io/docs/armory-agent/).
Files for configuring mTLS in the Armory Agent for Kubernetes
# SpinnakerService patch that enables the Armory Kubesvc (Agent) plugin in
# Clouddriver and mounts the TLS material its gRPC server reads.
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:
    profiles:
      clouddriver:
        spinnaker:
          extensibility:
            # Same path as the kubesvc-plugin-vol mount on the Clouddriver
            # container below.
            pluginsRootPath: /opt/clouddriver/lib/plugins
            plugins:
              Armory.Kubesvc:
                enabled: true
  kustomize:
    clouddriver:
      service:
        # Exposes the plugin's gRPC port (9091) next to Clouddriver's HTTP port.
        patchesStrategicMerge:
          - |
            spec:
              ports:
                - name: http
                  port: 7002
                - name: grpc
                  port: 9091
      deployment:
        # kubesvc-plugin-vol is an emptyDir shared by the init container
        # (/opt/plugin/target) and Clouddriver (its plugin root).
        # The `cert` secret is mounted at /opt/clouddriver/cert, which is where
        # the clouddriver profile's kubesvc.grpc.server.security settings read
        # tls.crt and tls.key — the secret must contain those two keys.
        # Replace <release> with a pinned plugin version and <your-secret-name>
        # with the name of the TLS secret.
        patchesStrategicMerge:
          - |
            spec:
              template:
                spec:
                  initContainers:
                    - name: kubesvc-plugin
                      image: docker.io/armory/kubesvc-plugin:<release>
                      volumeMounts:
                        - mountPath: /opt/plugin/target
                          name: kubesvc-plugin-vol
                  containers:
                    - name: clouddriver
                      volumeMounts:
                        - mountPath: /opt/clouddriver/lib/plugins
                          name: kubesvc-plugin-vol
                        - mountPath: /opt/clouddriver/cert
                          name: cert
                  volumes:
                    - name: kubesvc-plugin-vol
                      emptyDir: {}
                    - name: cert
                      secret:
                        secretName: <your-secret-name>
# Clouddriver profile that turns on mTLS for the Kubesvc plugin's gRPC server.
# Pairs with the SpinnakerService patch that mounts the TLS secret at
# /opt/clouddriver/cert.
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:
    profiles:
      clouddriver:
        # See https://docs.armory.io/docs/installation/armory-agent/agent-options/
        kubesvc:
          cluster: redis
          grpc:
            server:
              security:
                enabled: true
                # Certificate chain (list of certs) the server presents to agents.
                certificateChain: file:///opt/clouddriver/cert/tls.crt
                # CA bundle used to verify agent client certificates. It points
                # at the same tls.crt as the chain above, so agents are only
                # accepted if that file also contains the CA that issued their
                # certs — NOTE(review): confirm; otherwise point this at the CA
                # certificate itself.
                trustCertCollection: file:///opt/clouddriver/cert/tls.crt
                privateKey: file:///opt/clouddriver/cert/tls.key
                # REQUIRE: agents that do not present a valid client certificate
                # are rejected (as opposed to OPTIONAL / NONE).
                clientAuth: REQUIRE
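# Armory Agent (kubesvc) Deployment for the mTLS setup: the agent's client
# certificate/key and the CA bundle used to verify Clouddriver are mounted
# from secrets. Replace every <your-secret-name> with the real secret name.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: spin
    app.kubernetes.io/name: kubesvc
    app.kubernetes.io/part-of: spinnaker
    cluster: spin-kubesvc
  name: spin-kubesvc
spec:
  replicas: 1
  selector:
    matchLabels:
      app: spin
      cluster: spin-kubesvc
  template:
    metadata:
      labels:
        app: spin
        app.kubernetes.io/name: kubesvc
        app.kubernetes.io/part-of: spinnaker
        cluster: spin-kubesvc
    spec:
      # imagePullSecrets:
      #   - name: regcred
      containers:
        - env:
            - name: GRPC_GO_LOG_SEVERITY_LEVEL
              value: INFO
            # Quoted so it stays a string; very verbose gRPC logging, useful
            # while debugging the TLS handshake.
            - name: GRPC_GO_LOG_VERBOSITY_LEVEL
              value: "9999"
          # No tag means :latest, and IfNotPresent will not refresh an image a
          # node already has. Pin a release tag (or digest) for reproducible,
          # auditable rollouts.
          image: armory/kubesvc
          imagePullPolicy: IfNotPresent
          name: kubesvc
          ports:
            - name: health
              containerPort: 8082
              protocol: TCP
            - name: metrics
              containerPort: 8008
              protocol: TCP
          readinessProbe:
            httpGet:
              port: health
              path: /health
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            # Agent client cert/key. kubesvc.yml references
            # /opt/kubesvc/cert/agent.crt and agent.key, so the secret needs
            # exactly those two keys.
            - mountPath: /opt/kubesvc/cert
              name: armoryagentcert
            - mountPath: /opt/spinnaker/config
              name: volume-kubesvc-config
            - mountPath: /opt/kubesvc/cacert # this didn't work as of Nov 2020
              name: clouddrivercacert # this didn't work as of Nov 2020
            # Mounting a secret at /etc/ssl shadows the image's entire /etc/ssl
            # tree, which is typically where the system CA bundle lives: the
            # agent then trusts only what this secret contains. This is the
            # workaround for the cacert mount above; revisit once
            # clouddriver.tls.cacertFile works.
            - mountPath: /etc/ssl
              name: certpem
          resources:
            limits:
              cpu: 1000m
              memory: 1Gi
            requests:
              cpu: 200m
              memory: 500Mi
      # serviceAccount is the deprecated alias of serviceAccountName.
      serviceAccountName: kubesvc
      restartPolicy: Always
      volumes:
        - name: volume-kubesvc-config
          configMap:
            name: kubesvc-config
        - name: armoryagentcert
          secret:
            secretName: <your-secret-name>
        - name: clouddrivercacert # this didn't work as of Nov 2020
          secret: # this didn't work as of Nov 2020
            secretName: <your-secret-name> # this didn't work as of Nov 2020
        - name: certpem
          secret:
            secretName: <your-secret-name>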
# Armory Agent (kubesvc) Deployment for the plain (no mTLS) setup behind an
# egress proxy, plus a Service exposing the metrics port.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: spin
    app.kubernetes.io/name: kubesvc
    app.kubernetes.io/part-of: spinnaker
    cluster: spin-kubesvc
  name: spin-kubesvc
spec:
  replicas: 1
  selector:
    matchLabels:
      app: spin
      cluster: spin-kubesvc
  template:
    metadata:
      labels:
        app: spin
        app.kubernetes.io/name: kubesvc
        app.kubernetes.io/part-of: spinnaker
        cluster: spin-kubesvc
    spec:
      containers:
        # No tag means :latest, and IfNotPresent will not refresh an image a
        # node already has. Pin a release tag (or digest) for reproducible
        # rollouts.
        - image: armory/kubesvc
          env:
            # Replace <proxyaddress:proxyport>. NOTE(review): there is no
            # NO_PROXY here; confirm that in-cluster destinations (the
            # Kubernetes API, spin-clouddriver-grpc) are not meant to go
            # through the proxy, or add one.
            - name: HTTP_PROXY
              value: <proxyaddress:proxyport>
            - name: HTTPS_PROXY
              value: <proxyaddress:proxyport>
          imagePullPolicy: IfNotPresent
          name: kubesvc
          ports:
            - name: health
              containerPort: 8082
              protocol: TCP
            - name: metrics
              containerPort: 8008
              protocol: TCP
          readinessProbe:
            httpGet:
              port: health
              path: /health
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /opt/spinnaker/config
              name: volume-kubesvc-config
            # Kubeconfig files for the accounts listed in kubesvc.yml.
            - mountPath: /kubeconfigfiles
              name: volume-kubesvc-kubeconfigs
      restartPolicy: Always
      volumes:
        - name: volume-kubesvc-config
          configMap:
            name: kubesvc-config
        - name: volume-kubesvc-kubeconfigs
          secret:
            # 420 decimal == 0644 octal (owner rw, others read-only).
            defaultMode: 420
            secretName: kubeconfigs-secret
---
# Service in front of the agent's Prometheus metrics port.
apiVersion: v1
kind: Service
metadata:
  name: kubesvc-metrics
  labels:
    app: spin
    cluster: spin-kubesvc
spec:
  ports:
    - name: metrics
      port: 8008
      targetPort: metrics
      protocol: TCP
  selector:
    app: spin
    cluster: spin-kubesvc
# kubesvc.yml for the mTLS setup: the agent authenticates to Clouddriver's
# gRPC endpoint with the client cert/key mounted at /opt/kubesvc/cert.
kubernetes:
  accounts:
    - name: armory-sales-dev
      # presumably: connect to the cluster the agent runs in using the pod's
      # service account — verify against the agent-options docs.
      serviceAccount: true
      # permissions:
      #   WRITE:
      #     - APPDEV_TEAMA
      #   READ:
  # Add your accounts here, /kubeconfigfiles is the path where kubeconfig files added
  # to kustomization.yaml are mounted.
  # - kubeconfigFile: /kubeconfigfiles/kubecfg-test.yml
  #   name: account1
  #   metrics: false
  #   kinds: []
  #   omitKinds: []
clouddriver:
  grpc: vincent-clouddriver.se.armory.io:443
  insecure: false
  tls:
    # serverName: my-ca  # override the server name to verify (my-ca vs vincent...)
    # Keep false: if true the server's certificate is not verified at all.
    insecureSkipVerify: false
    # Private key for mTLS; the Deployment mounts the secret at /opt/kubesvc/cert,
    # so the secret needs an `agent.key` entry.
    clientKeyFile: /opt/kubesvc/cert/agent.key
    # clientKeyPassword:  # only if the key file is encrypted; keep the
    #                     # passphrase out of committed config.
    # CA bundle to validate the server's cert. Commented out because that mount
    # did not work as of Nov 2020; verification then falls back to the system
    # trust store (the /etc/ssl secret mount in the Deployment).
    # cacertFile: /opt/kubesvc/cacert/ca.crt
    # Client certificate for mTLS (secret entry `agent.crt`).
    clientCertFile: /opt/kubesvc/cert/agent.crt
    # certFile:  # deprecated
# OPTIONAL
# server:
#   port: 8082
prometheus:
  enabled: true
  # port: 8008
# kubesvc.yml for the in-cluster, proxy-aware setup (pairs with the Deployment
# that sets HTTP_PROXY/HTTPS_PROXY and mounts /kubeconfigfiles).
kubernetes:
  accounts: []
  # Add your accounts here, /kubeconfigfiles is the path where kubeconfig files added
  # to kustomization.yaml are mounted.
  # - kubeconfigFile: /kubeconfigfiles/kubecfg-test.yml
  #   name: account1
  #   metrics: false
  #   kinds: []
  #   omitKinds: []
  # You can add all the other fields from clouddriver settings, they'll be ignored.
  # Bypass the HTTP(S)_PROXY env vars for Kubernetes API traffic.
  noProxy: true
clouddriver:
  # In-cluster Clouddriver gRPC service. No `tls` block here — NOTE(review):
  # confirm the plugin's gRPC server security is disabled on that side, or
  # add the tls settings from the mTLS variant of this file.
  grpc: spin-clouddriver-grpc:9091
server:
  port: 8082
prometheus:
  enabled: true