Tags: kubernetes, deployment, configuration, customization, spinnaker

How to apply custom profiles/settings to Spinnaker to make it deploy with one command?


I'm trying to deploy Spinnaker to a k8s cluster using Halyard running in a Docker container. The thing is, I've configured everything using hal commands, but the official docs say that there is a way to do it using custom profiles.

So, I've tried to create custom profiles and put them into .hal/${DEPLOYMENT}/profiles, but when I use hal deploy apply --deployment ... it only copies my profiles without applying them. This is the first problem.

Secondly, I've tried to configure everything in those profiles and run hal deploy apply --deployment ..., expecting that Halyard will see that those files already exist and can use them, but it always fails, telling me that Persistent storage type is not configured!.

I do not understand how I can prepare only custom files, and where to put them, so that I can just run hal deploy apply, and poof! Everything that was configured gets deployed!

Can you maybe describe where to put those files and how to run the deploy using them? Or maybe I'm doing something wrong?

This one, for example, I've put into .hal/${DEPLOYMENT}/profiles/gate-local.yml:

security:
  basic:
    enabled: true
  apiSecurity:
    overrideBaseUrl: https://<domain-api>
  uiSecurity:
    overrideBaseUrl: https://<domain-ui>
  authn:
    oauth2:
      enabled: true
      client:
        clientId: XXXXXXXXXXXXXXXX
        clientSecret: XXXXXXXXXXXXXXXX
        accessTokenUri: https://XXXXXXXXXXXXXXXX/token
        userAuthorizationUri: https://XXXXXXXXXXXXXXXX/auth
        scope: openid,email,profile,groups
      resource:
        userInfoUri: https://XXXXXXXXXXXXXXXX/userinfo
      userInfoMapping:
        email: email
        firstName: given_name
        lastName: family_name
        username: preferred_username

And here is an example of my front50-local.yml that always fails:

persistentStorage:
  persistentStoreType: s3
  s3:
    bucket: XXXXXXXXXXXXXX
    rootFolder: front50
    pathStyleAccess: true
    endpoint: https://XXXXXXXXXXXXXX
    accessKeyId: XXXXXXXXXXXXXX
    secretAccessKey: XXXXXXXXXXXXXX
    enabled: true

And so on. It works if I use hal commands to configure, but again, I want to:

  1. Start the container with Halyard
  2. Give it the prepared configs
  3. hal deploy apply
  4. Boom. Welcome to Spinnaker.

Any ideas?

Solution

    Now, I found kind of a solution for my issue. I do not use front50-local.yml for my configuration; it's clearly working with the configuration in the main config file. But I met a problem with roles through OpenID. Found a way to override it with gate-local.yml; it can be useful for someone:

    I've passed this part in the main config:

    security:
      apiSecurity:
        overrideBaseUrl: https://domain-api.example
      uiSecurity:
        overrideBaseUrl: https://domain-deck.example
      authn:
        oauth2:
          enabled: true
          client:
            clientId: XXXXXXXX
            clientSecret: XXXXXXXX
            accessTokenUri: XXXXXXXX
            userAuthorizationUri: XXXXXXXX
          resource:
            userInfoUri: XXXXXXXX
          userInfoMapping: {}
          provider: OTHER
    

    And this part in gate-local.yml:

    security:
      oauth2:
        userInfoMapping:
          email: email
          firstName: given_name
          lastName: family_name
          username: username
          roles: groups
        client:
          scope: openid,email,profile,groups,roles
    

    Note that the mapping can be different from the one described above. Finally, this configuration passed successfully, and now I can see my roles passed from Keycloak at https://domain-api.example/auth/user

    About the provider. Part in the main config:

    providers:
       kubernetes:
          enabled: true
    

    And the rest of settings are in clouddriver-local.yml:

    kubernetes:
       accounts:
       - name: XXXXX
         context: XXXX
         providerVersion: V2
         kubeconfigContents: encrypted:k8s!n:secret_name!k:secret_value
         namespaces: [] #Access to ALL namespaces
         permissions:
            READ:
            - everyone
            WRITE:
            - group1
            - group2
            - group3
            EXECUTE:
            - the-same-way
            CREATE:
            - the-same-way
         requiredGroupMembership: # Member of what group you have to be to 
         - group1                 #have access to this account
         configureImagePullSecrets: true
         cacheThreads: 1
         dockerRegistries: []
       primaryAccount: XXXXXX
    

    Although, I do use Spinnaker-operator for deployment in k8s. It's a little easier to deploy with it, without facing hal commands themselves. Seems like a solution for my question! Hope it will help someone!

    UPDATE:

    Now, when we have provided roles, we can use them to set up an RBAC system for our applications, etc.:

    1. Enable authz in the main config, in the security section after the authn section above, like this:

       ......
       ......
           provider: OTHER
       authz:
         enabled: true
    

    2. The next setup must be configured in fiat-local.yml.

    fiat.restrictApplicationCreation: true #Allows to restrict permissions
    auth.permissions.provider.application: aggregate
    auth.permissions.source.application.prefix: #Allows to work with
      enabled: true                          # applications prefixes
      prefixes:
      - prefix: "*" # All applications
        permissions:
          READ:
          - "group1"
          WRITE:
          - "group1"
          EXECUTE:
          - "group1"
          CREATE:
          - "group1"
    

    Now, if you log in with a user that is a member of group1, it will be allowed to see the available applications, and to create and manage them. If it is a user without membership in this group, it won't access anything, and won't be able to create applications!
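Added example, not part of the original post or of Spinnaker/Fiat itself: a small Python model of the two pieces of the answer above. It applies the userInfoMapping from gate-local.yml (roles taken from the groups claim) to a constructed Keycloak userinfo payload, then checks what a user with those roles may do against the account permissions from clouddriver-local.yml and the application prefix permissions from fiat-local.yml. The matching rules are this example's assumptions about Fiat (any matching role grants an authorization; a trailing * on a prefix matches any application name; a resource with no permissions block is unrestricted), and every group name, user and claim value is a constructed placeholder. It is meant as a pre-deployment check that the configured groups really do give, and withhold, the access you intend.

```python
"""Model of Spinnaker userInfoMapping + Fiat-style permission checks.

Added example, not project code. Matching rules below are assumptions:
- a user holds an authorization if ANY of their roles is listed for it
- a prefix rule with a trailing '*' matches any application name
- a resource with no permissions block at all is unrestricted
All group names, users and claim values are constructed placeholders.
"""
from fnmatch import fnmatch

# userInfoMapping from gate-local.yml in the post (attribute -> OIDC claim).
USER_INFO_MAPPING = {
    "email": "email",
    "firstName": "given_name",
    "lastName": "family_name",
    "username": "username",
    "roles": "groups",
}

# Account permissions from clouddriver-local.yml (group names are placeholders).
ACCOUNT_PERMISSIONS = {
    "READ": ["everyone"],
    "WRITE": ["group1", "group2", "group3"],
    "EXECUTE": ["group1", "group2", "group3"],
    "CREATE": ["group1", "group2", "group3"],
}

# Application prefix rules from fiat-local.yml ("*" = all applications).
APP_PREFIXES = [
    {"prefix": "*",
     "permissions": {"READ": ["group1"], "WRITE": ["group1"],
                     "EXECUTE": ["group1"], "CREATE": ["group1"]}},
]

AUTHORIZATIONS = ("READ", "WRITE", "EXECUTE", "CREATE")


def map_user_info(userinfo, mapping=USER_INFO_MAPPING):
    """Apply the userInfoMapping to a userinfo payload.

    Returns Spinnaker user attributes; roles are normalised to a sorted,
    de-duplicated list (the claim may arrive as a list or as a
    comma-separated string, so both are accepted)."""
    user = {}
    for attr, claim in mapping.items():
        value = userinfo.get(claim)
        if attr == "roles":
            if isinstance(value, str):
                value = [v.strip() for v in value.split(",") if v.strip()]
            user["roles"] = sorted(set(value or []))
        else:
            user[attr] = value
    return user


def granted(permissions, roles):
    """Authorizations a user holding `roles` has on one resource."""
    if not permissions:           # assumption: no block => unrestricted
        return set(AUTHORIZATIONS)
    held = set(roles)
    return {auth for auth in AUTHORIZATIONS
            if held & set(permissions.get(auth, []))}


def application_permissions(app_name, prefixes=APP_PREFIXES):
    """Union of the permission blocks of every prefix rule matching app_name.

    Returns {} when no rule matches, which granted() treats as unrestricted."""
    merged = {auth: set() for auth in AUTHORIZATIONS}
    matched = False
    for rule in prefixes:
        if fnmatch(app_name, rule["prefix"]):
            matched = True
            for auth, groups in rule.get("permissions", {}).items():
                merged[auth].update(groups)
    return merged if matched else {}


def effective_access(userinfo, app_name):
    """Roles derived from the token plus the access they yield."""
    user = map_user_info(userinfo)
    return {
        "username": user["username"],
        "roles": user["roles"],
        "account": sorted(granted(ACCOUNT_PERMISSIONS, user["roles"])),
        "application": sorted(granted(application_permissions(app_name),
                                      user["roles"])),
    }


# Constructed userinfo payloads (placeholder users and groups).
ADMIN_USERINFO = {"email": "alice@example.test", "given_name": "Alice",
                  "family_name": "Ops", "username": "alice",
                  "groups": ["everyone", "group1"]}
GUEST_USERINFO = {"email": "bob@example.test", "given_name": "Bob",
                  "family_name": "Guest", "username": "bob",
                  "groups": ["everyone"]}
NOGROUP_USERINFO = {"email": "eve@example.test", "given_name": "Eve",
                    "family_name": "None", "username": "eve"}

if __name__ == "__main__":
    for info in (ADMIN_USERINFO, GUEST_USERINFO, NOGROUP_USERINFO):
        print(effective_access(info, "myapp"))
```

The three constructed users show the three outcomes the answer describes: a group1 member gets every authorization on both the account and the application, a user who is only in everyone can read the account but touch no application, and a user with no groups claim at all gets nothing. Swap in your own account and prefix blocks to review them the same way before running hal deploy apply.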