-
-
Save darrencraig/e0d4404205accaf44d34592e7f1ad86d to your computer and use it in GitHub Desktop.
Halyard configuration for GKE plus Spinnaker deployment
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# execute from remote path | |
cd $(cd -P -- "$(dirname -- "$0")" && pwd -P) | |
BACKUP_ID=$(date '+%d-%M-%Y-%s') | |
mv ~/.hal ~/hal$BACKUP_ID | |
source config_vars | |
if [! "$CLSID" = "" ]; then | |
$QUIET = "-q" | |
fi | |
#kubectl config current-context | |
hal $QUIET config version edit --version ${SPINNAKER_VERSION} | |
wget --quiet https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${GCLOUD_VERSION}-linux-x86_64.tar.gz | |
tar xf google-cloud-sdk-${GCLOUD_VERSION}-linux-x86_64.tar.gz | |
google-cloud-sdk/bin/gcloud auth activate-service-account --key-file=/tmp/account.json | |
google-cloud-sdk/bin/gcloud container clusters get-credentials ${cluster_name} --zone ${zone} --project ${project} | |
secret=$(kubectl get sa ${SPINNAKER_SERVICE_ACCOUNT} -o jsonpath={..secrets..name}) | |
kubectl get secret ${secret} -o jsonpath={..token} > /tmp/LOCAL_TOKEN | |
SPINNAKER_PROFILE=$(kubectl config current-context) | |
kubectl config set-credentials ${SPINNAKER_PROFILE} --token=$(cat /tmp/LOCAL_TOKEN | base64 -d) | |
# let's build the contexts for all other clusters and register pubsub queues while we're at it | |
hal config pubsub google enable | |
cat managed_clusters | while IFS=: read -r MANAGED_CLUSTER MPROJECT MZONE; do | |
echo "Adding kubectl context for cluster ${MANAGED_CLUSTER} in project ${MPROJECT} with spinnaker" | |
google-cloud-sdk/bin/gcloud container clusters get-credentials ${MANAGED_CLUSTER} --zone ${MZONE} --project ${MPROJECT} | |
secret=$(kubectl get sa ${SPINNAKER_SERVICE_ACCOUNT} -o jsonpath={..secrets..name}) | |
kubectl get secret ${secret} -o jsonpath={..token} > /tmp/${MANAGED_CLUSTER}_TOKEN | |
USER_PROFILE=$(kubectl config current-context) | |
kubectl config set-credentials ${USER_PROFILE} --token $(cat /tmp/${MANAGED_CLUSTER}_TOKEN | base64 -d) | |
echo "Creating subscription ${SUBSCRIPTION} for GCR pubsub topics" | |
SUBSCRIPTION=spinnaker-${project}-${MPROJECT}-gcr | |
{ | |
google-cloud-sdk/bin/gcloud -q beta pubsub subscriptions create $SUBSCRIPTION --topic projects/${MPROJECT}/topics/gcr --topic-project ${MPROJECT} | |
} || { | |
echo "${SUBSCRIPTION} already exists" | |
} | |
hal config pubsub google subscription add $SUBSCRIPTION \ | |
--subscription-name $SUBSCRIPTION \ | |
--json-path /tmp/account.json \ | |
--project $MPROJECT \ | |
--message-format GCR | |
done | |
kubectl config use-context ${SPINNAKER_PROFILE} | |
kubectl get secret deployment -o jsonpath="{..SPINNAKER_GH_TOKEN}" | base64 -d > /tmp/GH_TOKEN | |
# enable the kubernetes account | |
hal $QUIET config provider kubernetes enable | |
# add gcs bucket | |
hal $QUIET config storage gcs edit --project ${project} \ | |
--bucket-location ${SPINNAKER_BUCKET_LOCATION} \ | |
--bucket ${SPINNAKER_BUCKET} \ | |
--json-path=/tmp/account.json | |
hal $QUIET config storage edit --type gcs | |
# setup docker registries for config | |
hal $QUIET config provider docker-registry account add spinnaker-usgcr-account --address=https://us.gcr.io --username=_json_key --password-file=/tmp/account.json | |
hal $QUIET config provider docker-registry account edit spinnaker-usgcr-account --cache-interval-seconds 300 | |
hal $QUIET config provider docker-registry enable | |
hal $QUIET config features edit --artifacts true | |
hal $QUIET config artifact github enable | |
# uses personal github access toke | |
hal $QUIET config artifact github account add github-artifact-account \ | |
--token-file /tmp/GH_TOKEN | |
hal $QUIET config provider kubernetes account add ${cluster_name} \ | |
--docker-registries spinnaker-usgcr-account \ | |
--context ${SPINNAKER_PROFILE} | |
hal config security ui edit \ | |
--override-base-url ${SPINNAKER_UI_URL} | |
hal config security api edit \ | |
--override-base-url ${SPINNAKER_API_URL} | |
hal $QUIET config deploy edit --account-name ${cluster_name} --type distributed #--location spinnaker | |
kubectl get pods | |
read -ra CONTEXTS <<<$(kubectl config view -o jsonpath='{.contexts[*].name}') | |
for CONTEXT in "${CONTEXTS[@]}"; do | |
echo $CONTEXT | |
if [ "$CONTEXT" != "$SPINNAKER_PROFILE" ]; then | |
echo "Registering context ${CONTEXT} with Spinnaker" | |
hal $QUIET config provider kubernetes account add ${CONTEXT}v2 \ | |
--provider-version v2 \ | |
--context ${CONTEXT} | |
hal $QUIET config provider kubernetes account add ${CONTEXT##*_} \ | |
--provider-version v2 \ | |
--context ${CONTEXT} | |
fi | |
done | |
echo "Deploying Spinnaker" | |
# setup authorization | |
export CREDENTIALS=/tmp/spinnaker_gsuite.json | |
hal config security authz google edit \ | |
--admin-username $ADMIN \ | |
--credential-path $CREDENTIALS \ | |
--domain $DOMAIN | |
hal config security authz edit --type google | |
# hal config security authz enable | |
# setup authentication | |
SPINNAKER_CLIENT_ID=$(kubectl get secret deployment -o jsonpath="{..SPINNAKER_CLIENT_ID}" | base64 -d) | |
SPINNAKER_CLIENT_SECRET=$(kubectl get secret deployment -o jsonpath="{..SPINNAKER_CLIENT_SECRET}" | base64 -d) | |
hal config security authn oauth2 edit \ | |
--client-id $SPINNAKER_CLIENT_ID \ | |
--client-secret $SPINNAKER_CLIENT_SECRET \ | |
--provider google \ | |
--pre-established-redirect-uri ${SPINNAKER_API_URL}/login \ | |
--user-info-requirements hd=$DOMAIN | |
hal config security authn oauth2 enable | |
# setup logging/monitoring | |
hal config metric-stores stackdriver edit \ | |
--credentials-path /tmp/account.json | |
#modify X-Forwarded- behaviour using custom conf: | |
mkdir ~/.hal/default/profiles | |
cp /tmp/patched_gate-local.yml ~/.hal/default/profiles/gate-local.yml | |
SPINNAKER_SLACK_TOKEN=$(kubectl get secret deployment -o jsonpath="{..SPINNAKER_SLACK_TOKEN}" | base64 -d) | |
echo $SPINNAKER_SLACK_TOKEN | hal config notification slack edit --bot-name dl_spinnaker --token | |
hal deploy apply |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment