- Overview
- Features
- Usage
- Variables
- Spinnaker RPMs
- Baking with Rosco
- Environment variables
- Using secrets during Bake
- Supported Platforms
- Known missing features
- Support
Installs Spinnaker and all of its dependencies for a fully functional deployment, using Puppet, on virtual or physical machines.
The module installs and configures all Spinnaker microservices (others may be added in the future).
For now the module can configure Spinnaker to deploy to AWS and Kubernetes; more providers can be added.
Uses a single Redis endpoint (ElastiCache).
Uses LDAP for authentication; this can be expanded to include Okta and others.
Uses Rosco for baking AMIs; the currently supported operating systems for bake are:
- CentOS6
- CentOS7
- Amazon Linux 2014
- Amazon Linux 2017
- Amazon Linux 2
The aws-ebs.json Packer file is used to bake all operating systems; the baked platform is dictated by the source AMI ID selected in Spinnaker when baking.
The install_packages.sh script drives the baking process: it handles installation and configuration of packages on the Packer instance. Note that this is likely the most site-specific part of the module, since it currently covers only our scenarios. You can extend this script and add new features.
The Puppet module can be invoked as seen in the following example:

```puppet
class { 'spinnaker':
  deck_baseurl               => 'my_deck_url',
  deck_gateurl               => 'my_gate_url',
  aws_default_region         => 'region',
  aws_default_storage_bucket => 's3_bucket_name',
  redis_server               => 'endpoint_of_redis',
  gate_ldap_url              => 'ldap_url',
  fiat_ldap_url              => 'ldap_url',
}
```
Below you will find all variables of this module that have been used and tested; note that others may be defined but are not currently used.
The Spinnaker timezone, defaults to UTC
The Spinnaker app version, defaults to installed
The Clouddriver app version, defaults to installed
The Deck app version, defaults to installed
The Echo app version, defaults to installed
The Fiat app version, defaults to installed
The Front50 app version, defaults to installed
The Igor app version, defaults to installed
The Orca app version, defaults to installed
The Rosco app version, defaults to installed
The Monitoring_daemon app version, defaults to installed
AWS accounts used by Clouddriver; you can have one or more accounts listed as follows:

```yaml
- name: default
  accountId: account_id
  regions:
    - us-east-1   # region_1
    - us-west-2   # region_2
  lifecycleHooks:   # only if lifecycle hooks are used
    - defaultResult: 'CONTINUE'
      heartbeatTimeout: 7200
      lifecycleTransition: 'autoscaling:EC2_INSTANCE_TERMINATING'   # during the EC2 terminating phase
      notificationTargetARN: 'sns_arn'   # SNS topic used for ASG lifecycle hook notifications
      roleARN: 'role_arn'   # role assumed by the lifecycle hook
    - defaultResult: 'CONTINUE'
      heartbeatTimeout: 1200
      lifecycleTransition: 'autoscaling:EC2_INSTANCE_LAUNCHING'   # during the EC2 launching phase
      notificationTargetARN: 'sns_arn'
      roleARN: 'role_arn'
- name: account_2
  ...
```
The bake template used by Rosco. Once this is configured, the template will be shown in the Spinnaker UI in the Base OS section of the Bake stage:

```yaml
- id: Bake-AMI
  shortDescription: "Bake what AMI you want"
  packageType: rpm   # type of artifacts installed during the bake process
  templateFile: aws-ebs.json   # the Packer config file, defaults to aws-ebs.json
  regions:
    - region: us-east-1   # AWS region where the bake instance will be deployed
      sourceAmi: ami-id   # default AWS source AMI used
```
The default AWS IAM role assumed by Clouddriver
The user under which Spinnaker runs, defaults to root
The group under which Spinnaker runs, defaults to root
Whether or not the Spinnaker setup is done in AWS
Default AWS region, defaults to us-east-1
Default credentials used by Spinnaker, defaults to default
Default AWS IAM role used by Spinnaker instances
Default S3 bucket used by Spinnaker
If Docker registries are enabled or not
Docker registries used by Clouddriver:

```yaml
- name: docker-test   # name of the Docker registry as shown in the Spinnaker UI
  address: docker-test-url   # URL endpoint of the Docker registry
  username: username   # user used to fetch images from the registry
  password: ENC[password]   # password for that user (stored encrypted)
  repositories:
- name: docker-production
  address: docker-production-url
  username: username
  password: ENC[password]
  repositories:
```
If Spinnaker will be used to deploy charts on Kubernetes
Kubernetes cluster name as will appear in the Spinnaker UI
Kubernetes API endpoint
Kubernetes API certificate
Kubernetes service account name
Kubernetes service account token
Kubernetes accounts used by Clouddriver:

```yaml
- name: kubernetes-account   # account name
  docker_registries:   # Docker registries used by this account
    - docker-test
    - docker-production
```
Kubectl version used by Spinnaker
If Front50 uses Redis or not, defaults to true
If Front50 uses S3 or not
If Igor is enabled or not, defaults to false
If Jenkins is enabled or not, defaults to false
Spinnaker UI url
Spinnaker API url
Deck URL domain name
If Deck authentication is enabled
Default echo port, defaults to 8009
If Cassandra is enabled or not
Echo inMemory trigger
If Echo crons are enabled or not
If Echo mails are enabled or not
Echo mail sending host
Echo mail sender (From) address
Echo hipchat trigger
Echo hipchat endpoint
Echo hipchat API token
Echo hipchat bot name
Echo sms trigger
Echo sms account name
Echo sms token
Echo SMS sender (From) entity
Echo Slack trigger
Echo Slack token
Echo Slack bot name
Spinnaker default protocol
Spinnaker default host
Redis server hostname
Redis server port
Redis trigger secure config
Docker repository
Gate LDAP endpoint
Gate LDAP user pattern
Gate port
Gate hostname
Gate LDAP integration trigger
Fiat trigger
Echo LDAP endpoint
Fiat LDAP user filtering
Fiat LDAP service account
Fiat LDAP service account password
Fiat LDAP group filtering
Fiat LDAP group search filter
Fiat LDAP group role attributes
Chaos trigger
Rosco configuration directory
Rosco monitoring username
Rosco monitoring password
Packer interface used for ssh, defaults to private_ip
Rosco VPC id where the Packer instance will be bootstrapped
Rosco subnet ID where the Packer instance will be bootstrapped
Rosco source CIDR block from which SSH connections to the Packer instance are allowed, defaults to 172.16.0.0/12
We are currently creating our own Spinnaker RPMs which will be published (hopefully) soon on a public repository.
You can use Spinnaker to bake AMIs for different operating systems; this is done in the "Bake" stage of your pipeline.
Behind the scenes, Rosco uses Packer for baking any AMI. A multi-layered approach can be used in which you bake a "Base" AMI and then build "application specific" AMIs on top of it.
This deployment uses a single Packer configuration file (aws-ebs.json) for baking. It takes the following variables:

```text
bootstrap_env_1..10        # environment variables used during the bootstrap process
bootstrap_secrets_1..10    # secrets extracted during the bake process
bake_env_1..10             # environment variables used during the bake process
aws_iam_instance_profile   # the instance profile used by the Packer machine
ami_os                     # the OS of the baked instance
ami_name                   # the name of the AMI
upgrade                    # whether a yum upgrade is needed before baking
packages                   # list of packages in the order of install
```
The install_packages.sh script contains all the logic for baking an AMI. There is a brief description of the script's purpose in its header.
Environment variables are passed in the "Bake" stage as key/value entries in the "Extended Attributes" section.
You are probably wondering why the install_packages script uses bootstrap_env_*, bootstrap_secrets_* and bake_env_* variables.
What's important to note is that, by default, the bootstrap_env and bootstrap_secrets variables are persisted on disk after the AMI has been created, so that applications running on the production instance can use them once deployed.
This is our way of creating semi-immutable EC2 instances: every change to the instance results in a new bake and deploy operation.
You can stop these variables from being written to disk by using the persist_variables trigger.
The bake_env variables are only used during the bake process and are never persisted to disk.
All these environment variables are treated as lists; each one can hold multiple key=value pairs separated by commas, as follows:

```text
bootstrap_env_1 = script_variable1=test
bootstrap_env_2 = script_variable2=test2,script_variable3=test3
bake_env_1 = var1=false,var2=test
bootstrap_secrets_1 = mysecret1=ssm://MY_SECRET1,mysecret2=ssm://MY_SECRET2
bootstrap_secrets_2 = mysecret3=ssm://MY_SECRET3
```
The bootstrap_secrets_* values are prefixed with the "secret provider" (e.g. ssm, vault; only ssm is implemented at the moment, see Known missing features).
The install_packages script fetches those secrets and uses them (if needed) during the bake or, if secrets are persisted on disk, at instance startup. Keep in mind that anything persisted to disk before the snapshot is taken becomes part of the AMI, so a persisted secret is readable by anyone who can launch or copy that image.
In the following example, a variable named repository_password is defined in the "Extended Attributes" section of the bake stage:

```text
repository_password=ssm://REPOSITORY_PASSWORD
```
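The handling described above (comma-separated bootstrap_env_*/bake_env_* lists, provider-prefixed bootstrap_secrets_* references, and the persist-or-not decision), written out in POSIX shell as an added example. This is not the module's install_packages.sh: the function names, the 1..10 range handling via eval, the env-file target and the use of `aws ssm get-parameter --with-decryption` for the ssm provider are this example's own assumptions; vault is rejected explicitly, matching the page.

```shell
#!/bin/sh
# Added example, not the module's install_packages.sh. Function names, the
# 1..10 range handling and the env-file format are assumptions of this example.

# Split a comma-separated "k=v,k2=v2" list into one "k=v" per line, dropping empty items.
split_kv_list() {
  printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Emit every k=v item from ${prefix}_1 .. ${prefix}_10 that is set,
# e.g. "collect_numbered bootstrap_env" reads bootstrap_env_1 .. bootstrap_env_10.
collect_numbered() {
  prefix="$1"; n=1
  while [ "$n" -le 10 ]; do
    eval "val=\${${prefix}_${n}:-}"   # prefix is chosen by the script, not user input
    [ -n "$val" ] && split_kv_list "$val"
    n=$((n + 1))
  done
  return 0
}

# Provider prefix of a secret reference: "ssm" for ssm://NAME. Fails when there is none,
# so a plain value is never mistaken for a secret reference.
secret_provider() {
  case "$1" in
    *://*) printf '%s\n' "${1%%://*}" ;;
    *) return 1 ;;
  esac
}

# Name part of a secret reference: "NAME" for ssm://NAME.
secret_path() {
  printf '%s\n' "${1#*://}"
}

# Resolve one reference. Only ssm is implemented (SecureString decrypted by the service);
# vault and unknown providers fail loudly instead of being treated as literal values.
resolve_secret() {
  ref="$1"
  provider=$(secret_provider "$ref") || { echo "not a secret reference: $ref" >&2; return 1; }
  path=$(secret_path "$ref")
  case "$provider" in
    ssm)   aws ssm get-parameter --name "$path" --with-decryption \
             --query 'Parameter.Value' --output text ;;
    vault) echo "vault provider not implemented" >&2; return 1 ;;
    *)     echo "unknown secret provider: $provider" >&2; return 1 ;;
  esac
}

# Write k=v lines (stdin) to a root-only env file, but only when persisting is requested.
# Anything written here before the snapshot is taken ends up inside the AMI.
persist_env() (   # usage: persist_env /etc/spinnaker-bootstrap.env true|false
  target="$1"; persist="$2"
  if [ "$persist" != true ]; then
    cat > /dev/null            # consume stdin, persist nothing
    exit 0
  fi
  umask 077                    # body runs in a subshell, so the umask change stays local
  while IFS= read -r kv; do
    [ -n "$kv" ] || continue
    printf '%s=%s\n' "${kv%%=*}" "${kv#*=}"
  done > "$target"
)
```

Typical use in a bake script: `collect_numbered bootstrap_env` gathers the plain variables, each `bootstrap_secrets_*` item is split the same way and its value passed through `resolve_secret`, and the combined k=v lines are piped into `persist_env` with the persist_variables flag; bake_env_* values are only consumed in the shell and never reach `persist_env`.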
The setup has so far been deployed in AWS on EC2 instances. The module has been tested on the following operating systems:
- CentOS 6
- CentOS 7
Testing and patches for other platforms are welcomed.
There are currently no init.d or systemd files for starting the Spinnaker daemons, which is why the service.pp file is empty.
Spinnaker microservices are started by the script /opt/spinnaker/bin/start_spinnaker.sh, which has been removed completely in newer Spinnaker versions.
No other cloud providers have been added nor tested in the module.
Extracting secrets from Vault has not been implemented yet.
Contributions are welcomed! Read the Contributing Guide for more information. GitHub repository
This project is licensed under the Apache V2 License. See LICENSE for more information.