Last active
April 7, 2019 19:13
-
-
Save veggiemonk/496e87970f85faef597c264fbcbd8516 to your computer and use it in GitHub Desktop.
Spinnaker Armory - https://docs.armory.io/spinnaker-install-admin-guides/install-on-gke
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Specify the name of the kubernetes context that has permissions to create the service account in your | |
# target cluster and namespace. To get the list of contexts, you can run "kubectl config get-contexts" | |
export CONTEXT="$(kubectl config current-context)" | |
# Enter the namespace that you want to install Spinnaker in. This can already exist, or can be created. | |
export NAMESPACE="spinnaker" | |
# Enter the name of the service account you want to create. This will be created in the target namespace | |
export SERVICE_ACCOUNT_NAME="spinnaker" | |
# Enter the name of the role you want to create. This will be created in the target namespace | |
export ROLE_NAME="spinnaker-role" | |
# Enter the name you want Spinnaker to use to identify the cloud provider account | |
export ACCOUNT_NAME="spinnaker" | |
#By default, Google IAM users do not have all necessary permissions on GKE clusters. | |
kubectl create clusterrolebinding cluster-admin-binding \ | |
--clusterrole cluster-admin \ | |
--user $(gcloud config get-value account) | |
# create NS | |
kubectl --context ${CONTEXT} create ns ${NAMESPACE} | |
# Create the file | |
tee ${NAMESPACE}-service-account.yml <<-'EOF' | |
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
name: SERVICE_ACCOUNT_NAME | |
namespace: NAMESPACE | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: Role | |
metadata: | |
name: ROLE_NAME | |
namespace: NAMESPACE | |
rules: | |
- apiGroups: [""] | |
resources: ["namespaces", "events", "replicationcontrollers", "serviceaccounts", "pods/log"] | |
verbs: ["get", "list"] | |
- apiGroups: [""] | |
resources: ["pods", "services", "secrets", "configmaps"] | |
verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] | |
- apiGroups: ["autoscaling"] | |
resources: ["horizontalpodautoscalers"] | |
verbs: ["list", "get"] | |
- apiGroups: ["apps"] | |
resources: ["controllerrevisions", "statefulsets"] | |
verbs: ["list"] | |
- apiGroups: ["extensions", "apps"] | |
resources: ["deployments", "replicasets", "ingresses"] | |
verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] | |
# These permissions are necessary for Halyard to operate. We use this role also to deploy Spinnaker itself. | |
- apiGroups: [""] | |
resources: ["services/proxy", "pods/portforward"] | |
verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: RoleBinding | |
metadata: | |
name: ROLE_NAME-binding | |
namespace: NAMESPACE | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: Role | |
name: ROLE_NAME | |
subjects: | |
- namespace: NAMESPACE | |
kind: ServiceAccount | |
name: SERVICE_ACCOUNT_NAME | |
EOF | |
# pdate the manifest with the bash variables (and create the resources) | |
sed -i.bak \ | |
-e "s/NAMESPACE/${NAMESPACE}/g" \ | |
-e "s/SERVICE_ACCOUNT_NAME/${SERVICE_ACCOUNT_NAME}/g" \ | |
-e "s/ROLE_NAME/${ROLE_NAME}/g" \ | |
${NAMESPACE}-service-account.yml | |
# Create the resources | |
kubectl --context ${CONTEXT} apply -f ${NAMESPACE}-service-account.yml | |
#################### Create minified kubeconfig | |
NEW_CONTEXT=${NAMESPACE}-sa | |
KUBECONFIG_FILE="kubeconfig-${NAMESPACE}-sa" | |
# Get the token for the service account | |
SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \ | |
--context ${CONTEXT} \ | |
--namespace ${NAMESPACE} \ | |
-o jsonpath='{.secrets[0].name}') | |
TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \ | |
--context ${CONTEXT} \ | |
--namespace ${NAMESPACE} \ | |
-o jsonpath='{.data.token}') | |
#TOKEN=$(echo ${TOKEN_DATA} | base64 -d) | |
# Use this command if you're on a mac: | |
TOKEN=$(echo ${TOKEN_DATA} | base64 -D) | |
# Use the token to create a minified kubeconfig | |
# Create dedicated kubeconfig | |
# Create a full copy | |
kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp | |
# Switch working context to correct context | |
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT} | |
# Minify | |
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \ | |
config view --flatten --minify > ${KUBECONFIG_FILE}.tmp | |
# Rename context | |
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \ | |
rename-context ${CONTEXT} ${NEW_CONTEXT} | |
# Create token user | |
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \ | |
set-credentials ${CONTEXT}-${NAMESPACE}-token-user \ | |
--token ${TOKEN} | |
# Set context to use token user | |
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \ | |
set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user | |
# Set context to correct namespace | |
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \ | |
set-context ${NEW_CONTEXT} --namespace ${NAMESPACE} | |
# Flatten/minify kubeconfig | |
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \ | |
view --flatten --minify > ${KUBECONFIG_FILE} | |
# Remove tmp | |
rm ${KUBECONFIG_FILE}.full.tmp | |
rm ${KUBECONFIG_FILE}.tmp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Spinnaker uses a GCS bucket to store persistent configuration (such as pipeline definitions). | |
# This section will create a Google IAM service account as well as a Google credential file for use by Halyard and Spinnaker. | |
# By default, this account will have the roles/storage.admin IAM role; if you have an existing GCS bucket to use, | |
# you can specify a different set of permissions. | |
export SERVICE_ACCOUNT_NAME=spinnaker-gcs-account-trial | |
export SERVICE_ACCOUNT_FILE=spinnaker-gcs-account.json | |
export PROJECT=$(gcloud info --format='value(config.project)') | |
gcloud --project ${PROJECT} iam service-accounts create \ | |
${SERVICE_ACCOUNT_NAME} \ | |
--display-name ${SERVICE_ACCOUNT_NAME} | |
SA_EMAIL=$(gcloud --project ${PROJECT} iam service-accounts list \ | |
--filter="displayName:${SERVICE_ACCOUNT_NAME}" \ | |
--format='value(email)') | |
gcloud --project ${PROJECT} projects add-iam-policy-binding ${PROJECT} \ | |
--role roles/storage.admin --member serviceAccount:${SA_EMAIL} | |
mkdir -p $(dirname ${SERVICE_ACCOUNT_FILE}) | |
gcloud --project ${PROJECT} iam service-accounts keys create ${SERVICE_ACCOUNT_FILE} \ | |
--iam-account ${SA_EMAIL} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Feel free to use some other directory for this; make sure it is a persistent directory. | |
# Also, make sure this directory doesn't live on an NFS mount, as that can cause issues | |
WORKING_DIRECTORY=~/gke-spinnaker/ | |
mkdir -p ${WORKING_DIRECTORY}/.hal | |
mkdir -p ${WORKING_DIRECTORY}/.secret | |
mkdir -p ${WORKING_DIRECTORY}/resources | |
# You should have two files: | |
# A kubeconfig file (kubeconfig-spinnaker-sa) with the credentials for GKE service account | |
# A JSON key file (spinnaker-gcs-account.json) with credentials for a Google IAM service account with Google storage permissions | |
# Copy the key files over to the docker machine (if it’s a different machine) (use whatever file transfer mechanism works best for you, such as scp) | |
# Put the two files in the .secret directory | |
mv kubeconfig-spinnaker-sa ${WORKING_DIRECTORY}/.secret | |
mv spinnaker-gcs-account.json ${WORKING_DIRECTORY}/.secret |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Start the Halyard container | |
# On the docker machine, start the Halyard container | |
# (see the armory/halyard-armory tag list: https://hub.docker.com/r/armory/halyard-armory/tags) | |
# for the latest Armory Halyard Docker image tag. | |
# If you want to install OSS Spinnaker instead, use gcr.io/spinnaker-marketplace/halyard:stable for the Docker image | |
WORKING_DIRECTORY=~/gke-spinnaker/ | |
docker run --name armory-halyard -it --rm \ | |
-v ${WORKING_DIRECTORY}/.hal:/home/spinnaker/.hal \ | |
-v ${WORKING_DIRECTORY}/.secret:/home/spinnaker/.secret \ | |
-v ${WORKING_DIRECTORY}/resources:/home/spinnaker/resources \ | |
armory/halyard-armory:1.4.3 | |
docker exec -it armory-halyard bash | |
exit 0 | |
# Also, once in the container, you can run these commands for a friendlier environment to: | |
# - prompt with information | |
# - alias for ls | |
# - cd to the home directory | |
export PS1="\h:\w \u\$ " | |
alias ll='ls -alh' | |
cd ~ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
###### Use the same values as in 1-create_halyard_kubeconfig | |
# Enter the namespace that you want to install Spinnaker in. This can already exist, or can be created. | |
export NAMESPACE="spinnaker" | |
# Enter the name of the service account you want to create. This will be created in the target namespace | |
export SERVICE_ACCOUNT_NAME="spinnaker" | |
# Enter the name of the role you want to create. This will be created in the target namespace | |
export ROLE_NAME="spinnaker-role" | |
# Enter the name you want Spinnaker to use to identify the cloud provider account | |
export ACCOUNT_NAME="spinnaker" | |
# Replace with the filename for the kubeconfig, if it's different | |
export KUBECONFIG_FULL=/home/spinnaker/.secret/kubeconfig-spinnaker-sa | |
# Enable the Kubernetes cloud provider | |
hal config provider kubernetes enable | |
# Enable artifacts | |
hal config features edit --artifacts true | |
# Add account | |
hal config provider kubernetes account add ${ACCOUNT_NAME} \ | |
--provider-version v2 \ | |
--kubeconfig-file ${KUBECONFIG_FULL} \ | |
--only-spinnaker-managed true \ | |
--namespaces ${NAMESPACE} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hal config deploy edit \ | |
--type distributed \ | |
--account-name ${ACCOUNT_NAME} \ | |
--location ${NAMESPACE} | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
####### Inside container | |
PROJECT= #GOOGLE_CLOUD_PROJECT_NAME | |
BUCKET_LOCATION=us | |
SERVICE_ACCOUNT_FILE=~/.secret/spinnaker-gcs-account.json | |
ROOT_FOLDER=front-50 | |
hal config storage gcs edit --project ${PROJECT} \ | |
--bucket-location ${BUCKET_LOCATION} \ | |
--root-folder ${ROOT_FOLDER} \ | |
--json-path ${SERVICE_ACCOUNT_FILE} | |
hal config storage edit --type gcs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Replace with version of choice: | |
# see: hal version list | |
#If you are installing Armory Spinnaker, you will get a version that starts with 2.x.x | |
#If you are installing OSS Spinnaker and using gcr.io/spinnaker-marketplace/halyard:stable, you will get a version that starts with 1.x.x | |
export VERSION=2.1.0 | |
hal config version edit --version $VERSION | |
hal deploy apply |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DECK_POD=$(kubectl -n spinnaker get pod -l cluster=spin-deck -ojsonpath='{.items[0].metadata.name}') | |
GATE_POD=$(kubectl -n spinnaker get pod -l cluster=spin-gate -ojsonpath='{.items[0].metadata.name}') | |
kubectl -n spinnaker port-forward ${DECK_POD} 9000 & | |
kubectl -n spinnaker port-forward ${GATE_POD} 8084 & | |
open http://localhost:9000 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment