Start using this module
Add this module to your Puppetfile:
mod 'dancb10-spinnaker', '0.1.1'
Spinnaker module
Table of Contents
- Overview
- Features
- Usage
- Variables
- Spinnaker RPMs
- Baking with Rosco
- Environment variables
- Using secrets during Bake
- Supported Platforms
- Known missing features
- Support
Overview
Install Spinnaker and all of its dependencies for a fully functional deployment using Puppet on Virtual or Physical machines.
Features
The module installs and configures the core Spinnaker microservices (others may be added in the future).
For now the module can configure Spinnaker to deploy to AWS and Kubernetes; more providers can be added.
Uses a single Redis endpoint (ElastiCache).
Uses LDAP for authentication; can be further expanded to include Okta and others.
Uses Rosco for baking AMIs, the current supported Operating Systems for bake are:
- CentOS6
- CentOS7
- Amazon Linux 2014
- Amazon Linux 2017
- Amazon Linux 2
The aws-ebs.json Packer template is used to bake all Operating Systems; the baked platform is dictated by the source AMI ID used in Spinnaker when baking.
The install_packages.sh script is used during the baking process and handles all aspects of the instance build (installation and configuration of packages). Note that this is likely the part you will need to change most, since it currently covers only our own scenarios. You can extend this script and add new features.
Usage
The Puppet module can be invoked as seen in the following example (the values are placeholders to replace with your own):
class { 'spinnaker':
  deck_baseurl               => 'my_deck_url',        # URL of the Deck UI
  deck_gateurl               => 'my_gate_url',        # URL of the Gate API
  aws_default_region         => 'region',             # e.g. us-east-1
  aws_default_storage_bucket => 's3_bucket_name',     # S3 bucket used by Spinnaker
  redis_server               => 'endpoint_of_redis',  # ElastiCache endpoint
  gate_ldap_url              => 'ldap_url',
  fiat_ldap_url              => 'ldap_url',
}
Secret-bearing parameters (fiat_managerPassword, the echo_*_token values, registry passwords) are best supplied from Hiera rather than written in plain text into a manifest; the ENC[...] values shown under clouddriver_docker_registries below are in the hiera-eyaml encrypted-value form.
Variables:
Below you will find all variables of this module that have been used and tested; note that others may be defined but are not currently used.
spinnaker_timezone
The Spinnaker timezone, defaults to UTC
spinnaker_version
The Spinnaker app version, defaults to installed
clouddriver_version
The Clouddriver app version, defaults to installed
deck_version
The Deck app version, defaults to installed
echo_version
The Echo app version, defaults to installed
fiat_version
The Fiat app version, defaults to installed
front50_version
The Front50 app version, defaults to installed
igor_version
The Igor app version, defaults to installed
orca_version
The Orca app version, defaults to installed
rosco_version
The Rosco app version, defaults to installed
monitoring_daemon_version
The Monitoring_daemon app version, defaults to installed
clouddriver_aws_accounts
AWS accounts used by Clouddriver; you can have one or more accounts listed as follows:
- name: default
  accountId: account_id
  regions:
    - us-east-1   # region_1
    - us-west-2   # region_2
  lifecycleHooks:   # only if lifecycle hooks are used
    - defaultResult: 'CONTINUE'
      heartbeatTimeout: 7200
      lifecycleTransition: 'autoscaling:EC2_INSTANCE_TERMINATING'   # during the EC2 terminating phase
      notificationTargetARN: 'sns_arn'   # SNS topic used for ASG lifecycle hook notifications
      roleARN: 'role_arn'                # role assumed by the lifecycle hook
    - defaultResult: 'CONTINUE'
      heartbeatTimeout: 1200
      lifecycleTransition: 'autoscaling:EC2_INSTANCE_LAUNCHING'   # during the EC2 launching phase
      notificationTargetARN: 'sns_arn'
      roleARN: 'role_arn'
- name: account_2
  ...
aws_ami
The bake template used by Rosco. Once this is configured, the template appears in the Spinnaker UI in the Base OS section of the Bake stage.
- id: Bake-AMI
  shortDescription: "Bake the AMI you want"
  packageType: rpm                # what artifacts will be installed during the bake process
  templateFile: aws-ebs.json      # the Packer config file, defaults to aws-ebs.json
  regions:
    - region: us-east-1           # AWS region where the bake instance will be deployed
      sourceAmi: ami-id           # default AWS source AMI used
clouddriver_assumerole
The default AWS IAM role assumed by Clouddriver
runas_user
The user under which Spinnaker runs, defaults to root (consider a dedicated unprivileged account)
runas_group
The group under which Spinnaker runs, defaults to root
aws_enabled
Whether or not the Spinnaker setup is done in AWS
aws_default_region
Default AWS region, defaults to us-east-1
aws_primary_credentials
Default credentials used by Spinnaker, defaults to default
aws_default_iam_role
Default AWS IAM role used by Spinnaker instances
aws_default_storage_bucket
Default S3 bucket used by Spinnaker
docker_enabled
If Docker registries are enabled or not
clouddriver_docker_registries
Docker registries used by Clouddriver:
- name: docker-test             # the name of the Docker registry as it will appear in the Spinnaker UI
  address: docker-test-url      # URL endpoint of the Docker registry
  username: username            # username used to fetch images from the registry
  password: ENC[password]       # password for the username (hiera-eyaml encrypted value)
  repositories:
- name: docker-production
  address: docker-production-url
  username: username
  password: ENC[password]
  repositories:
kubernetes_enabled
If Spinnaker will be used to deploy charts on Kubernetes
kubernetes_cluster_name
Kubernetes cluster name as will appear in the Spinnaker UI
kubernetes_api_address
Kubernetes API endpoint
kubernetes_api_certificate
Kubernetes API certificate
kubernetes_service_account_name
Kubernetes service account name
kubernetes_service_account_token
Kubernetes service account token
clouddriver_kubernetes_accounts
Accounts used by Clouddriver
- name: kubernetes-account    # account name
  docker_registries:          # docker registries used by this account
    - docker-test
    - docker-production
kubectl_version
Kubectl version used by Spinnaker
front50_redis_enabled
If Front50 uses Redis or not, defaults to true
front50_s3_enabled
If Front50 uses S3 or not
igor_enabled
If Igor is enabled or not, defaults to false
jenkins_enabled
If Jenkins is enabled or not, defaults to false
deck_baseurl
Spinnaker UI url
deck_gateurl
Spinnaker API url
deck_domain
Deck URL domain name
deck_auth_enabled
If Deck authentication is enabled
echo_port
Default echo port, defaults to 8009
echo_cassandra_enabled
If Cassandra is enabled or not
echo_inMemory_enabled
Echo inMemory trigger
echo_cron_enabled
If Echo crons are enabled or not
echo_mail_enabled
If Echo mails are enabled or not
echo_mail_host
Echo mail sending host
echo_mail_fromAddress
Echo mail From address
echo_hipchat_enabled
Echo hipchat trigger
echo_hipchat_url
Echo hipchat endpoint
echo_hipchat_token
Echo hipchat API token
echo_hipchat_botName
Echo hipchat bot name
echo_sms_enabled
Echo sms trigger
echo_sms_account
Echo sms account name
echo_sms_token
Echo sms token
echo_sms_from
Echo SMS sender (From) identity
echo_slack_enabled
Echo Slack trigger
echo_slack_token
Echo Slack token
echo_slack_botname
Echo Slack bot name
default_protocol
Spinnaker default protocol
default_host
Spinnaker default host
redis_server
Redis server hostname
redis_port
Redis server port
redis_configuration_secure
Trigger for the Redis secure configuration
docker_targetRepository
Docker repository
gate_ldap_url
Gate LDAP endpoint
gate_ldap_userDnPattern
Gate LDAP user pattern
gate_port
Gate port
gate_host
Gate hostname
gate_ldap_enabled
Gate LDAP integration trigger
fiat_enabled
Fiat trigger
fiat_ldap_url
Fiat LDAP endpoint
fiat_userDnPattern
Fiat LDAP user DN pattern
fiat_managerDn
Fiat LDAP service account (bind DN)
fiat_managerPassword
Fiat LDAP service account password
fiat_groupSearchBase
Fiat LDAP group search base
fiat_groupSearchFilter
Fiat LDAP group search filter
fiat_groupRoleAttributes
Fiat LDAP group role attributes
chaos_enabled
Chaos trigger
rosco_configDir
Rosco configuration directory
monitoring_gateUser
Rosco monitoring username
monitoring_gatePassword
Rosco monitoring password
packer_ssh_interface
Interface Packer uses to SSH into the bake instance, defaults to private_ip
packer_vpc_id
VPC ID where Rosco's Packer instance will be launched
packer_subnet_id
Subnet ID where Rosco's Packer instance will be launched
packer_temporary_security_group_source_cidr
Source CIDR block from which SSH connections to the Packer instance are allowed, defaults to 172.16.0.0/12; narrow it to the subnet Rosco runs in where possible
Spinnaker RPMs
We are currently creating our own Spinnaker RPMs which will be published (hopefully) soon on a public repository.
Baking with Rosco
You can use Spinnaker to bake AMIs for different Operating Systems; the operation is performed during the "Bake" stage of your pipeline.
Behind the scenes, Rosco uses Packer for baking any AMI. A multi-layered approach can be used in which you bake a "Base" AMI and then build "Application specific" AMIs on top of it.
This deployment uses a single Packer configuration file (aws-ebs.json) for baking. The variables it takes are:
bootstrap_env_1..10       # environment variables used during the bootstrap process
bootstrap_secrets_1..10   # secrets extracted during the bake process
bake_env_1..10            # environment variables used during the bake process
aws_iam_instance_profile  # the instance profile used by the Packer machine
ami_os                    # the OS of the baked instance
ami_name                  # the name of the AMI
upgrade                   # whether a yum upgrade is needed before baking
packages                  # list of packages in the order of install
The install_packages.sh script contains all the logic for baking an AMI. There is a brief description of the script's purpose in its header.
Environment variables
These are passed in the "Bake" stage as key/value entries in the "Extended Attributes" section.
You are probably wondering why there are bootstrap_env_*, bootstrap_secrets_* and bake_env_* variables used in the install_packages script.
What's important to note is that by default, the bootstrap_env and bootstrap_secrets variables are persisted on disk after the AMI has been created. These variables can be used by applications running on the actual production instance once deployed.
This is our way of creating semi-immutable EC2 instances: every change in the instance results in a new bake and deploy operation.
You can stop these variables from being written to disk by using the persist_variables trigger. Keep in mind that a persisted bootstrap_secrets value is the resolved secret itself, stored inside the AMI: anyone who can launch the image or read its snapshot can read it, so disable persistence unless the instance really needs the secret at startup.
The bake_env variables are only used during the bake process and are never persisted to disk.
All these environment variables are treated as lists and each one can have multiple values separated by the comma character, as follows:
bootstrap_env_1 = script_variable1=test
bootstrap_env_2 = script_variable2=test2,script_variable3=test3
bake_env_1 = var1=false,var2=test
bootstrap_secrets_1 = mysecret1=ssm://MY_SECRET1,mysecret2=ssm://MY_SECRET2
bootstrap_secrets_2 = mysecret3=ssm://MY_SECRET3
Using secrets during Bake
The bootstrap_secrets_* variable values are prefixed by the "secret provider" (e.g. ssm, vault; Vault is not implemented yet, see Known missing features).
The install_packages script will try to fetch those secrets and use them (if needed) during the bake or the startup phase (if secrets are persisted on disk). The Packer instance profile (aws_iam_instance_profile) therefore needs read access to the referenced parameters.
In the following example, a variable named repository_password is defined in the "Extended Attributes" section of the bake stage and is resolved from the SSM parameter REPOSITORY_PASSWORD:
repository_password=ssm://REPOSITORY_PASSWORD
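The following is an added example, not the module's install_packages.sh, showing the parsing described in the "Environment variables" and "Using secrets during Bake" sections: the bootstrap_env_N / bake_env_N / bootstrap_secrets_N attributes are read as comma-separated key=value lists, provider://NAME references are resolved, and only the variables the page says may be persisted are written to disk (bootstrap_env always, resolved bootstrap_secrets only while persist_variables is true, bake_env never). The resolve_ssm lookup table, the file format and the variable names inside the functions are assumptions made for the example; a real bake would query SSM Parameter Store instead.

```shell
#!/usr/bin/env bash
# Added example; this is not the module's install_packages.sh script.
# It parses the bootstrap_env_N / bake_env_N / bootstrap_secrets_N
# "Extended Attributes" as comma-separated key=value lists, resolves
# "provider://NAME" secret references, and writes only what may be
# persisted: bootstrap_env always, resolved bootstrap_secrets only while
# persist_variables=true, bake_env never.
#
# Assumption (not from the page): resolve_ssm is a constructed in-script
# lookup table so the example runs offline. A real bake would run
#   aws ssm get-parameter --name "$name" --with-decryption \
#       --query Parameter.Value --output text
# under the Packer instance profile (aws_iam_instance_profile).

# Split "k=v,k2=v2" into one "k=v" per line, dropping empty entries.
split_kv_list() {
  printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Emit key=value lines from every <prefix>_1 .. <prefix>_10 that is set.
collect_prefixed() {
  _prefix=$1
  _i=1
  while [ "$_i" -le 10 ]; do
    eval "_val=\${${_prefix}_${_i}:-}"
    [ -z "$_val" ] || split_kv_list "$_val"
    _i=$((_i + 1))
  done
}

# Constructed stand-in for SSM Parameter Store (sample data, not real secrets).
resolve_ssm() {
  case "$1" in
    MY_SECRET1)          printf '%s' 'sample-secret-one' ;;
    REPOSITORY_PASSWORD) printf '%s' 'sample-repo-pass' ;;
    *) echo "ssm: no such parameter: $1" >&2; return 1 ;;
  esac
}

# Resolve "provider://NAME". Only ssm is implemented; anything else is
# rejected, matching the page's note that Vault extraction is not done yet.
resolve_secret() {
  _ref=$1
  case "$_ref" in
    *://*) ;;
    *) echo "not a secret reference: $_ref" >&2; return 1 ;;
  esac
  _provider=${_ref%%://*}
  _name=${_ref#*://}
  case "$_provider" in
    ssm) resolve_ssm "$_name" ;;
    *)   echo "unsupported secret provider: $_provider" >&2; return 1 ;;
  esac
}

# Write the persisted variables to file $1 (mode 0600) and print the
# number of lines written. Resolved secrets land in the file only when
# persist_variables is "true" (the page's default). Such a file is baked
# into the AMI: anyone who can launch the image or read its snapshot can
# read the secret, so set persist_variables=false unless the instance
# really needs the value at startup.
write_persisted_vars() {
  _out=$1
  : > "$_out"
  chmod 0600 "$_out"
  collect_prefixed bootstrap_env >> "$_out"
  if [ "${persist_variables:-true}" = "true" ]; then
    _secrets=$(collect_prefixed bootstrap_secrets)
    while IFS= read -r _kv; do
      [ -n "$_kv" ] || continue
      _key=${_kv%%=*}
      _value=$(resolve_secret "${_kv#*=}") || return 1
      printf '%s=%s\n' "$_key" "$_value" >> "$_out"
    done <<EOF
$_secrets
EOF
  fi
  wc -l < "$_out" | tr -d ' '
}

# Stand-alone demo: `bootstrap_env_1=a=1,b=2 bash persist_vars.sh demo`
if [ "${1:-}" = "demo" ]; then
  echo "bootstrap_env:";            collect_prefixed bootstrap_env
  echo "bake_env (not persisted):"; collect_prefixed bake_env
fi
```

The split on the comma is intentionally naive, exactly as the page describes the lists; values that themselves contain commas or whitespace are not supported. Failing closed on an unknown provider or an unresolvable parameter is deliberate: a bake that silently continues without a secret produces an AMI that is broken in a way you only discover after deployment.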
Supported Platforms
The setup has been deployed so far in AWS on EC2 instances. The module has been tested on the following operating systems.
- CentOS 6
- CentOS 7
Testing and patches for other platforms are welcomed.
Known missing features
There are currently no init.d or systemd unit files for starting the Spinnaker daemons, which is why the service.pp file is empty.
The Spinnaker microservices are started by the script /opt/spinnaker/bin/start_spinnaker.sh, which has been removed completely in newer Spinnaker versions.
No other cloud providers have been added nor tested in the module.
Extracting secrets from Vault has not been implemented yet.
Contributing
Contributions are welcome! Read the Contributing Guide in the GitHub repository for more information.
Licensing
This project is licensed under the Apache V2 License. See LICENSE for more information.
Dependencies
- puppetlabs-stdlib (>= 1.0.0)
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. 
For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. 
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the 
Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. 
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. 
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright 2019 Adobe Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.