try.spinnaker.io is a hosted playground version of Spinnaker that lets new users test out its UI and core features.
- IaC via Terraform to host try.spinnaker.io on AWS using an EKS cluster
- Deployment of Spinnaker via Armory's OSS Spinnaker Operator
- Kubernetes deployment via Spinnaker
- AWS Load Balancer Controller to expose deployments
- User authentication via Google OAuth 2.0
- Private ECR registry
- Block all public images via portieris
- Script to deploy default pipelines
- Auto resource cleanup
- Deploy demo web app
- Deploy using highlander strategy
- Authz rules via a Spinnaker plugin, adds default role 'public' to all users
- Metrics (WIP)
- awscli
- Create access key
- Input keys here: `aws configure`
- Route53 hosted zone
- Terraform
- kubectl (v1.20.0); newer versions break the kustomize script for the Spinnaker Operator
curl -LO "https://dl.k8s.io/v1.20.0/bin/linux/amd64/kubectl"
- Google OAuth 2.0 Client ID
Edit the values `region`, `route53_zone`, and `domain_name` in `terraform/variables.tf`. Note: `domain_name` must be a subdomain of `route53_zone`, i.e. if `route53_zone = spinnaker.io` then `domain_name = try.spinnaker.io`.
Files are inside the `spinnaker-kustomize-patches` folder.
File Name | Description |
---|---|
kustomization.yml | Main kustomize file. |
spinnakerservice.yml | Contains configuration for Spinnaker. Update spec.spinnakerConfig.config.version to the version of OSS Spinnaker you wish to deploy. Update the value of https://try.gsoc.armory.io in spec.spinnakerConfig.config.*.apiSecurity.overrideBaseUrl to your DNS name. |
security/patch-file-authz.yml | In spec.spinnakerConfig.files.rolemappings.yml, update users.username to the admin email you will log in with via Google OAuth. |
security/patch-google.yml | Update spec.spinnakerConfig.config.security.authn.client.clientId to your Google OAuth 2.0 Client ID. Create a file called spinnaker-kustomize-patches/secrets/secrets.env and add your Secret ID to the file in this format: oauth-client-secret=fakepassword123 |
accounts/docker/patch-ecr.yml | Update spec.spinnakerConfig.providers.dockerRegistry.accounts.address to the address of your ECR registry. |
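
A pre-deploy check for the values edited above, as an added example that is not part of this repository. The function names, exit codes, the `preflight.sh` file name and the `chmod 600` requirement on `secrets.env` are assumptions of this example; the paths and sample values are the ones named in this README.

```shell
#!/bin/sh
# Added example: pre-deploy checks for the values this README asks you to edit.
# Function names, exit codes and the chmod 600 requirement are assumptions.

# is_subdomain DOMAIN ZONE: succeeds only if DOMAIN is strictly below ZONE.
is_subdomain() (
  domain=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')   # drop root dot, fold case
  zone=$(printf '%s' "${2%.}" | tr 'A-Z' 'a-z')
  [ -n "$zone" ] || exit 1
  case "$domain" in
    "$zone") exit 1 ;;        # the zone apex itself is not a subdomain
    ?*".$zone") exit 0 ;;     # label boundary required: "tryspinnaker.io" fails
    *) exit 1 ;;
  esac
)

# check_secret_file FILE: 0 ok, 1 missing file/key, 2 sample value, 3 loose mode.
check_secret_file() (
  file=$1
  [ -f "$file" ] || { echo "missing $file" >&2; exit 1; }
  value=$(sed -n 's/^oauth-client-secret=//p' "$file" | head -n 1)
  [ -n "$value" ] || { echo "no oauth-client-secret entry in $file" >&2; exit 1; }
  [ "$value" != "fakepassword123" ] || { echo "README sample secret still set" >&2; exit 2; }
  case "$(ls -ld "$file" | cut -c1-10)" in
    ????------) ;;            # no group/other permission bits
    *) echo "$file is accessible to group/others; chmod 600 it" >&2; exit 3 ;;
  esac
)

# preflight DOMAIN_NAME ROUTE53_ZONE REPO_ROOT: run every check, report all failures.
preflight() (
  patches="$3/spinnaker-kustomize-patches"
  rc=0
  is_subdomain "$1" "$2" || { echo "domain_name must be a subdomain of route53_zone" >&2; rc=1; }
  check_secret_file "$patches/secrets/secrets.env" || rc=1
  if grep -qF 'https://try.gsoc.armory.io' "$patches/spinnakerservice.yml" 2>/dev/null; then
    echo "overrideBaseUrl still holds the README's sample URL" >&2; rc=1
  fi
  exit "$rc"
)

# Run from the repository root as: sh preflight.sh try.example.org example.org .
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```
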
Run these commands in the terraform folder.
terraform init
terraform plan
terraform apply
- Install spin, a CLI tool for Spinnaker.
- Copy the file `scripts/oauth` to `~/.spin/oauth`
- Modify `Gate.Endpoint`, `ClientId`, and `ClientSecret`
- Run script via `bash scripts/spin.sh`
When you are all done then run:
terraform destroy
You may need to go into the AWS Web Console to delete dangling load balancers or the VPC if Terraform doesn't delete them.
.
├── scripts # Contains helper scripts
│   ├── ecr.sh # Mirrors latest version of nginx to ECR
│   ├── install-pipelines.sh # Uses spin cli to install pipelines
│   ├── oauth # Sample oauth config for spin, used for install-pipelines.sh
│   ├── pipelines # Directory containing pipelines to install
│   └── portieris.sh # Downloads latest portieris release
├── spinnaker-kustomize-patches # Patches for Spinnaker Operator
│   ├── accounts
│   │   ├── docker
│   │   │   └── patch-ecr.yml # Add private ECR registry
│   │   ├── kubernetes
│   │   │   ├── patch-kube.yml # Add K8S cluster for Spinnaker to deploy to
│   │   │   └── spin-sa.yml # K8S service account for Spinnaker
│   │   └── s3
│   │       └── patch-s3.yml # Setup persistent storage for Spinnaker
│   ├── deploy.sh # Deploy Spinnaker via Operator. You can redeploy via `SPIN_FLAVOR=oss ./deploy.sh`
│   ├── kustomization.yml -> recipes/kustomization-try.yml # Softlink to main kustomization file, contains various patches
│   ├── plugins
│   │   └── patch-default-role-plugin.yml # Install github.com/ko28/defaultRolePlugin
│   ├── secrets
│   │   └── secrets.env # Local file to store oauth-client-secret
│   ├── security
│   │   ├── patch-fiat-create-app-roles.yml # Define what roles can access specific apps
│   │   └── patch-file-authz.yml # Define fiat roles (admin) for specific users
│   └── spinnakerservice.yml # Main spinnaker config file, define version and endpoint
└── terraform # IaC via Terraform
    ├── main.tf
    ├── outputs.tf
    ├── policy # Directory containing IAM and portieris policies
    ├── variables.tf
    └── versions.tf