Armory Docs – Armory Continuous Deployment Manifest Configuration Reference

Continuous-Deployment: Armory Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.armory

armory:
 dinghy:
 enabled:
 templateOrg:
 templateRepo:
 githubToken:
 githubEndpoint:
 stashUsername:
 stashToken:
 stashEndpoint:
 gitlabToken:
 gitlabEndpoint:
 dinghyFilename:
 autoLockPipelines:
 fiatUser:
 notifiers:
 slack:
 enabled:
 channel:
 github:
 enabled:
 webhookValidationEnabledProviders:
 webhookValidations:
 - enabled:
 versionControlProvider:
 organization:
 repo:
 secret:
 diagnostics:
 enabled:
 uuid:
 logging:
 enabled:
 endpoint:
 terraform:
 enabled:
 git:
 enabled:
 accessToken:
 username:
 secrets:
 vault:
 enabled:
 url:
 path:
 role:
 authMethod:

Dinghy parameters

enabled: true or false.
templateOrg: SCM organization or namespace where application and template repositories are located.
templateRepo: SCM repository where module templates are located
githubToken: GitHub token. Supports encrypted value.
githubEndpoint: (Default: https://api.github.com) Github API endpoint. Useful if you’re using Github Enterprise.
stashUsername: Stash username.
stashToken: Stash token. Supports encrypted value.
stashEndpoint: Stash API endpoint.
gitlabToken: GitLab token. Supports encrypted value.
gitlabEndpoint: GitLab endpoint.
dinghyFilename: (Default: dinghyfile) Name of the file in application repositories which contains pipelines.
autoLockPipelines: (Default: true) Lock pipelines in the UI before overwriting on change.
fiatUser: Fiat user to use for Dinghy operations.
notifiers:
- slack:
  - enabled: true or false.
  - channel: Name of channel to send notifications to.
- github:
  - enabled: true or false. This enables comments to the PR to allow for more robust feedback information from Dinghy. May cause issues with those using custom GitHub endpoints, as detailed in this KB article.
webhookValidationEnabledProviders: List of enabled providers for Webhook validations.
webhookValidations: Webhook validations list
- enabled: true/false flag to enable this validation.
- versionControlProvider: Version control provider.
- organization: Organization for the repository.
- repo: Repository name.
- secret: Secret configured.

Diagnostics parameters

enabled: true or false.
uuid: UUID of the Armory installation
logging:
- enabled: true or false.
- endpoint: Example: https://debug.armory.io/v1/logs

Armory Terraform parameters

enabled: true or false.
git:
- enabled: true or false.
- accessToken: Git access token. Supports encrypted value.
- username: Git username.

Secrets parameters

vault:
- enabled: true or false.
- url: URL of the Vault endpoint from Spinnaker services.
- path: (Default: kubernetes) (Applies to Kubernetes authentication method) Path of the Kubernetes authentication backend mount.
- role: (Applies to Kubernetes authentication method) Name of the role against which the login is being attempted.
- authMethod: Method used to authenticate with the Vault endpoint. Must be either KUBERNETES for Kubernetes service account auth or TOKEN for Vault token auth. The TOKEN method requires a VAULT_TOKEN environment variable for Operator and the services.

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s armory folder.

Continuous-Deployment: Artifact Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.artifacts

artifacts:
 bitbucket:
 gcs:
 github:
 gitlab:
 gitrepo:
 helm:
 http:
 maven:
 oracle:
 s3:
 templates:

Bitbucket

spec.spinnakerConfig.config.artifacts.bitbucket

artifacts:
 bitbucket:
 enabled: false
 accounts:
 - name:
 username:
 password:
 token:
 tokenFile:
 usernamePasswordFile:

enabled: true or false

Account parameters

username: Bitbucket username
password: Bitbucket password. Supports encrypted value.
usernamePasswordFile: File containing “username:password” to use for Bitbucket authentication. File needs to be present on the machine running Spinnaker. Supports encrypted file.
token: Bitbucket Server token. Supports encrypted value.
tokenFile: File containing a Bitbucket Server authentication token. File needs to be present on the machine running Spinnaker. Supports encrypted file. This file can be dynamically updated because it is automatically reloaded each time Armory Continuous Deployment makes a request.

Note: supply username and password OR usernamePasswordFile OR token OR tokenFile

GCS

spec.spinnakerConfig.config.artifacts.gcs

gcs:
 enabled: false
 accounts:
 - name: my-gcs-account
 jsonPath:

enabled: true or false

Account parameters

json-path: The path to a JSON service account that Spinnaker will use as credentials. This is only needed if Spinnaker is not deployed on a Google Compute Engine VM, or needs permissions not afforded to the VM it is running on. See service-accounts for more information. File needs to be present on the machine running Spinnaker. Supports encrypted file.

GitHub

spec.spinnakerConfig.config.artifacts.github

github:
 accounts:
 - name: my-github
 username:
 password:
 usernamePasswordFile:
 token:
 tokenFile:
 enabled: true

enabled: true or false

Account parameters

username: GitHub username
password: GitHub password. Supports encrypted value.
usernamePasswordFile: File containing “username:password” to use for GitHub authentication. File needs to be present on the machine running Spinnaker. Supports encrypted file.
token: GitHub token. Supports encrypted value.
tokenFile: File containing a GitHub authentication token. File needs to be present on the machine running Spinnaker. Supports encrypted file. This file can be dynamically updated because it is automatically reloaded each time Armory Continuous Deployment makes a request.

Note: supply username and password OR usernamePasswordFile or token or tokenFile

GitLab

spec.spinnakerConfig.config.artifacts.gitlab

gitlab:
 enabled:
 accounts:
 - name:
 token:
 tokenFile:

enabled: true or false

Account parameters

token: Gitlab token. Supports encrypted value.
tokenFile: File containing a Gitlab authentication token. File needs to be present on the machine running Spinnaker. Supports encrypted file. This file can be dynamically updated because it is automatically reloaded each time Armory Continuous Deployment makes a request.

Note: supply token or tokenFile

GitRepo

spec.spinnakerConfig.config.artifacts.gitrepo

gitrepo:
 enabled:
 accounts:
 - name:
 username:
 password:
 usernamePasswordFile:
 token:
 tokenFile:
 sshPrivateKeyFilePath:
 sshPrivateKeyPassphrase:
 sshKnownHostsFilePath:
 sshTrustUnknownHosts:

enabled: true or false

Account parameters

username: Git username
password: Git password. Supports encrypted value.
usernamePasswordFile: File containing “username:password” to use for Git authentication. File needs to be present on the machine running Spinnaker. Supports encrypted file.
token: Git token. Supports encrypted value.
tokenFile: File containing a Git authentication token. File needs to be present on the machine running Spinnaker. Supports encrypted file. This file can be dynamically updated because it is automatically reloaded each time Armory Continuous Deployment makes a request.
sshPrivateKeyFilePath: Path to the ssh private key in PEM format. File needs to be present on the machine running Spinnaker. Supports encrypted file.
sshPrivateKeyPassphrase: Passphrase for encrypted private key. Supports encrypted value.
sshKnownHostsFilePath: File containing the known and trusted SSH hosts. File needs to be present on the machine running Spinnaker. Supports encrypted file.
sshTrustUnknownHosts: Setting this to true allows Spinnaker to authenticate with unknown hosts

Note: supply username and password OR usernamePasswordFile or token or tokenFile

Helm

spec.spinnakerConfig.config.artifacts.helm

helm:
 enabled:
 accounts:
 - name:
 repository:
 username:
 password:
 usernamePasswordFile:

enabled: true or false

Account parameters

repository: Helm chart repository
username: Helm chart repository basic auth username
password: Helm chart repository basic auth password. Supports encrypted value.
usernamePasswordFile: File containing “username:password” to use for helm chart repository basic auth. File needs to be present on the machine running Spinnaker. Supports encrypted file.

Note: supply username and password OR usernamePasswordFile

HTTPS

spec.spinnakerConfig.config.artifacts.https

http:
 enabled:
 accounts:
 - name:
 username:
 password:
 usernamePasswordFile:

enabled: true or false

Account parameters

username: HTTP basic auth username
password: HTTP basic auth password. Supports encrypted value.
usernamePasswordFile: File containing “username:password” to use for HTTP basic auth. File needs to be present on the machine running Spinnaker. Supports encrypted file.

Note: supply username and password OR usernamePasswordFile

Maven

spec.spinnakerConfig.config.artifacts.maven.accounts

maven:
 enabled:
 accounts:
 - name:
 repositoryUrl:

enabled: true or false

Account parameters

repositoryUrl: Full URI for the Maven repository ie.http://some.host.com/repository/path

Oracle

spec.spinnakerConfig.config.artifacts.oracle

oracle:
 enabled:
 accounts:
 - name:
 namespace:
 region:
 userId:
 fingerprint:
 sshPrivateKeyFilePath:
 privateKeyPassphrase:
 tenancyId:

enabled: true or false

Account parameters

namespace: The namespace the bucket and objects should be created in
region: An Oracle region (e.g., us-phoenix-1)
userId: Provide the OCID of the Oracle User you’re authenticating as
fingerprint: Fingerprint of the public key
sshPrivateKeyFilePath: Path to the private key in PEM format. File needs to be present on the machine running Spinnaker. Supports encrypted file.
privateKeyPassphrase: Passphrase used for the private key, if it is encrypted. Supports encrypted value.
tenancyId: Provide the OCID of the Oracle Tenancy to use.

S3

spec.spinnakerConfig.config.artifacts.s3

s3:
 enabled:
 accounts:
 - name:
 apiEndpoint:
 apiRegion:
 region:
 awsAccessKeyId:
 awsSecretAccessKey:

enabled: true or false

Account parameters

apiEndpoint: S3 api endpoint; only required when using an S3 clone such as Minio
apiRegion: S3 api region; only required when using an S3 clone such as Minio
region: S3 region
awsAccessKeyId: Your AWS Access Key ID. If not provided, Halyard/Spinnaker will try to find AWS credentials as described at http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default
awsSecretAccessKey: Your AWS Secret Key. Supports encrypted value.

Templates

templates:
- name:
 templatePath:

templatePath: The path to the Jinja template to use for artifact extraction. File needs to be present on the machine running Spinnaker.

Continuous-Deployment: Canary Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.canary

canary:
 enabled: true
 reduxLoggerEnabled:
 defaultMetricsAccount:
 defaultStorageAccount:
 defaultJudge:
 defaultMetricsStore:
 stagesEnabled:
 atlasWebComponentsUrl:
 templatesEnabled:
 showAllConfigsEnabled:
 serviceIntegrations:

enabled: true or false
reduxLoggerEnabled: true or false; whether or not to enable redux logging in the canary module in deck (Default: true).
defaultMetricsAccount: Name of metrics account to use by default.
defaultStorageAccount: Name of storage account to use by default.
defaultJudge: Name of canary judge to use by default (Default: NetflixACAJudge-v1.0).
defaultMetricsStore: Name of metrics store to use by default (e.g. atlas, datadog, prometheus, stackdriver).
stagesEnabled: true or false; whether or not to enable canary stages in deck (Default: true).
atlasWebComponentsUrl: Location of web components to use for Atlas metric configuration.
templatesEnabled: true or false; whether or not to enable custom filter templates for canary configs in deck (Default: true).
showAllConfigsEnabled: true or false; whether or not to show all canary configs in deck, or just those scoped to the current application (Default: true).
serviceIntegrations: list of configured canary services

Service Integrations

spec.spinnakerConfig.config.canary.serviceIntegrations

canary:
 enabled:
 serviceIntegrations:
 - name:
 enabled:
 accounts:
 - name:
 enabled:
 accounts:

Datadog

- name:
 enabled:
 accounts:
 - name:
 endpoint:
 baseUrl:
 apiKey:
 applicationKey:
 supportedTypes:
 - METRICS_STORE
 - CONFIGURATION_STORE
 - OBJECT_STORE

name: datadog
- enabled: true or false
- accounts:
  - name: account name
    - endpoint:
      - baseUrl: (Required) The base URL to the Datadog server.
    - apiKey: (Required) Your org’s unique Datadog API key. See https://app.datadoghq.com/account/settings#api. Supports encrypted value.
    - applicationKey: (Required) Your Datadog application key. See https://app.datadoghq.com/account/settings#api. Supports encrypted value.
    - supportedTypes: One of: METRICS_STORE, METRICS_STORE, OBJECT_STORE
      - METRICS_STORE
      - CONFIGURATION_STORE
      - OBJECT_STORE

Google

- name:
 enabled:
 accounts:
 - name:
 project:
 jsonPath:
 bucket:
 bucketLocation:
 rootFolder:
 supportedTypes:
 - METRICS_STORE
 - CONFIGURATION_STORE
 - OBJECT_STORE
 gcsEnabled:
 stackdriverEnabled:
 metadataCachingIntervalMS:

name: google
- enabled: true or false
- accounts:`
  - name: account name
    - project: (Required) The Google Cloud Platform project the canary service will use to consume GCS and Stackdriver.
    - jsonPath: The path to a JSON service account that Spinnaker will use as credentials. This is only needed if Spinnaker is not deployed on a Google Compute Engine VM, or needs permissions not afforded to the VM it is running on. See https://cloud.google.com/compute/docs/access/service-accounts for more information. File needs to be present on the machine running Spinnaker. Supports encrypted file.
    - bucket: The name of a storage bucket that your specified account has access to. If you specify a globally unique bucket name that doesn’t exist yet, Kayenta will create that bucket for you.
    - bucketLocation: This is only required if the bucket you specify doesn’t exist yet. In that case, the bucket will be created in that location. See https://cloud.google.com/storage/docs/managing-buckets#manage-class-location.
    - rootFolder: The root folder in the chosen bucket to place all of the canary service’s persistent data in (Default: kayenta).
    - supportedTypes: One of: METRICS_STORE, CONFIGURATION_STORE, OBJECT_STORE
      - METRICS_STORE
      - CONFIGURATION_STORE
      - OBJECT_STORE
- gcsEnabled: true or false. Whether or not to enable GCS as a persistent store (Default: false).
- stackdriverEnabled: true or false. Whether or not to enable Stackdriver as a metrics service (Default: false).
- metadataCachingIntervalMS: Number of milliseconds to wait in between caching the names of available metric types (for use in building canary configs; default: 60000).

New Relic

- name:
 enabled:
 accounts:
 - name:
 endpoint:
 baseUrl:
 apiKey:
 applicationKey:
 supportedTypes:
 - METRICS_STORE
 - CONFIGURATION_STORE
 - OBJECT_STORE

name: newrelic
- enabled: true or false
- accounts:`
  - name: account name
    - endpoint:
      - baseUrl: (Required) The base URL to the New Relic Insights server.
    - apiKey: (Required) Your account’s unique New Relic Insights API key. See https://docs.newrelic.com/docs/insights/insights-api/get-data/query-insights-event-data-api. Supports encrypted value.
    - applicationKey: (Required) Your New Relic account id. See https://docs.newrelic.com/docs/accounts/install-new-relic/account-setup/account-id. Supports encrypted value.
    - supportedTypes: One of: METRICS_STORE, CONFIGURATION_STORE, OBJECT_STORE
      - METRICS_STORE
      - CONFIGURATION_STORE
      - OBJECT_STORE

Prometheus

- name:
 enabled:
 accounts:
 - name:
 endpoint:
 baseUrl:
 username:
 password:
 usernamePasswordFile:
 supportedTypes:
 - METRICS_STORE
 - CONFIGURATION_STORE
 - OBJECT_STORE
 metadataCachingIntervalMS:

name: prometheus
- enabled: true or false
- accounts: account name
  - name:
    - endpoint:
      - baseUrl: (Required) The base URL to the Prometheus server.
    - username: A basic auth username.
    - password: A basic auth password.
    - usernamePasswordFile: The path to a file containing “username:password”. File needs to be present on the machine running Spinnaker. Supports encrypted file.
    - supportedTypes: One of: METRICS_STORE, CONFIGURATION_STORE, OBJECT_STORE
      - METRICS_STORE
      - CONFIGURATION_STORE
      - OBJECT_STORE
- metadataCachingIntervalMS: Number of milliseconds to wait in between caching the names of available metric types (for use in building canary configs; Default: 60000).

SignalFX

- name: signalfx
 enabled:
 accounts:
 - name:
 endpoint:
 baseUrl:
 accessToken:
 defaultScopeKey:
 defaultLocationKey:
 supportedTypes:
 - METRICS_STORE
 - CONFIGURATION_STORE
 - OBJECT_STORE

name: signalfx
- enabled: true or false
- accounts:
  - name: account name
    - endpoint:
      - baseUrl: The base URL to the SignalFx server. Defaults to https://stream.signalfx.com
    - accessToken: (Required) The SignalFx access token. Supports encrypted value.
    - defaultScopeKey: Scope key is used to distinguish between base and canary deployments. If omitted every request must supply the _scope_key param in extended scope params
    - defaultLocationKey: Location key is used to filter by deployment region. If omitted requests must supply the _location_key if it is needed.
    - supportedTypes: One of: METRICS_STORE, CONFIGURATION_STORE, OBJECT_STORE
      - METRICS_STORE
      - CONFIGURATION_STORE
      - OBJECT_STORE

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s canary folder.

Continuous-Deployment: CI Config

Mon, 01 Jan 0001 00:00:00 +0000

AWS CodeBuild

spec.spinnakerConfig.config.ci.codebuild

codebuild:
 enabled:
 accounts:
 - name:
 permissions:
 READ:
 accountId:
 assumeRole:
 region:

enabled: whether this CI tool is enabled
accounts: list of configured accounts

Account parameters

name: (Required) account name
permissions:
- READ:
- read1
accountId: The AWS account ID that will be used to trigger CodeBuild build.
assumeRole: If set, Operator will configure a credentials provider that uses AWS Security Token Service to assume the specified role.
region: (Required) The AWS region in which your CodeBuild projects live.

Concourse

spec.spinnakerConfig.config.ci.concourse

concourse:
 enabled:
 masters:
 - name:
 permissions:
 READ:
 WRITE:
 url:
 username:
 password:

enabled: whether this CI tool is enabled
masters: list of configured masters

Master parameters

name: master’s name
permissions: []
- READ: A user must have at least one of these roles in order to view this build master or use it as a trigger source.
- WRITE: A user must have at least one of these roles in order to be able to run jobs on this build master.
url: (Required) The url your concourse search is reachable at.
username: (Required) The username of the concourse user to authenticate as.
password: (Required) The password of the concourse user to authenticate as. Supports encrypted value.

Google CloudBuild (gcb)

spec.spinnakerConfig.config.ci.gcb

gcb:
 enabled:
 accounts:
 - name:
 permissions:
 READ:
 - read1
 project:
 subscriptionName:
 jsonKey:

enabled: whether this CI tool is enabled
accounts: list of configured masters

Account parameters

name: (Required) account name
permissions: []
- READ: A user must have at least one of these roles in order to view this build master or use it as a trigger source.
project: (Required) The name of the GCP project in which to trigger and monitor builds.
subscriptionName: The name of the PubSub subscription on which to listen for build changes.
jsonKey: The path to a JSON service account that Spinnaker will use as credentials. File needs to be present on the machine running Spinnaker. Supports encrypted file.

Jenkins

spec.spinnakerConfig.config.ci.jenkins

jenkins:
 enabled:
 masters:
 - name:
 permissions:
 READ:
 - read1
 address:
 username:
 password:
 csrf:
 trustStore:
 trustStoreType:
 trustStorePassword:

enabled: whether this CI tool is enabled
masters: list of configured masters

Master parameters

name: master’s name
permissions: []
- READ: A user must have at least one of these roles in order to view this build master or use it as a trigger source.
address: (Required) The address your Jenkins master is reachable at.
username: The username of the Jenkins user to authenticate as.
password: The password of the Jenkins user to authenticate as. Supports encrypted value.
csrf: Whether or not to negotiate CSRF tokens when calling Jenkins.
trustStore: File needs to be present on the machine running Spinnaker. Supports encrypted file.
trustStoreType:
trustStorePassword: Supports encrypted value.

Travis

spec.spinnakerConfig.config.ci.travis

travis:
 enabled:
 masters:
 - name:
 permissions:
 READ:
 - read1
 WRITE:
 - write1
 address:
 baseUrl:
 githubToken:
 numberOfRepositories:

enabled: whether this CI tool is enabled
masters: list of configured masters

Master parameters

name: master’s name
permissions: []
- READ: A user must have at least one of these roles in order to view this build master or use it as a trigger source.
- WRITE: A user must have at least one of these roles in order to be able to run jobs on this build master.
address: (Required) The address of the Travis API.
baseUrl: (Required) The base URL to the Travis UI.
githubToken: The github token to authenticate against Travis with. Supports encrypted value.
numberOfRepositories: How many repositories the Travis integration should fetch from the api each time the poller runs. Should be set a bit higher than the expected maximum number of repositories built within the poll interval.

Wercker

spec.spinnakerConfig.config.ci.wercker

wercker:
 enabled:
 masters:
 - name:
 permissions:
 READ:
 - read1
 WRITE:
 - write1
 address:
 user:
 token:

enabled: whether this CI tool is enabled
masters: list of configured masters

Master parameters

name: master’s name
permissions: []
- READ: A user must have at least one of these roles in order to view this build master or use it as a trigger source.
- WRITE: A user must have at least one of these roles in order to be able to run jobs on this build master.
address: (Required) The address your Wercker master is reachable at.
user: The username of the Wercker user to authenticate as.
token: The personal token of the Wercker user to authenticate as. Supports encrypted value.

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s ci folder.

Continuous-Deployment: Deployment Environment Config

Mon, 01 Jan 0001 00:00:00 +0000

deploymentEnvironment

deploymentEnvironment:
 size:
 type:
 accountName:
 imageVariant:
 bootstrapOnly:
 updateVersions:
 consul:
 enabled:
 address:
 vault:
 enabled:
 address:
 location:
 customSizing:
 clouddriver:
 replicas:
 requests:
 memory:
 cpu:
 limits:
 memory:
 cpu:
 sidecars:
 clouddriver:
 - name:
 dockerImage:
 port:
 env:
 abc:
 args:
 - arg1
 command:
 - arg1
 configMapVolumeMounts:
 - configMapName:
 mountPath:
 secretVolumeMounts:
 - secretName:
 mountPath:
 mountPath:
 securityContext:
 privileged:
 initContainers: {}
 hostAliases: {}
 nodeSelectors:
 abc:
 affinity: {}
 tolerations:
 clouddriver:
 - key:
 operator:
 value:
 effect:
 gitConfig:
 upstreamUser:
 originUser:
 livenessProbeConfig:
 enabled:
 initialDelaySeconds:
 haServices:
 clouddriver:
 enabled:
 disableClouddriverRoDeck:
 redisMasterEndpoint:
 redisSlaveEndpoint:
 redisSlaveDeckEndpoint:
 echo:
 enabled:

size: SMALL
type: Distributed, LocalDebian, or LocalGit; Distributed: Deploy Spinnaker with one server group per microservice, and a single shared Redis. LocalDebian: Download and run the Spinnaker debians on the machine running the Daemon. LocalGit: Download and run the Spinnaker git repos on the machine running the Daemon.
accountName: The Spinnaker account that Spinnaker will be deployed to, assuming you are running a deployment of Spinnaker that requires an active cloud provider.
imageVariant: The container image variant type to use when deploying a distributed installation of Spinnaker. SLIM: Based on an Alpine image ubuntu: Based on Canonical’s ubuntu:bionic image. JAVA8: A variant of slim that uses the Java 8 runtime. UBUNTU-JAVA8: A variant of ubuntu that uses the Java 8 runtime Default value: SLIM
bootstrapOnly: true or false; a bootstrap-only account is the account in which Spinnaker itself is deployed. When true, this account will not be included the accounts managed by Spinnaker.
updateVersions: true or false; when set to “false”, any local version of Spinnaker components will be used instead of attempting to update. This does not work for distributed installations of Spinnaker, where no local version exists.
consul:
- enabled: true or false; whether or not to use Consul as a service discovery mechanism to deploy Spinnaker.
- address: The address of a running Consul cluster. This is only required when Spinnaker is being deployed in non-Kubernetes clustered configuration.
vault:
- enabled: true or false; whether or not to use Vault as a secret storage mechanism to deploy Spinnaker.
- address: The address of a running Vault datastore. This is only required when Spinnaker is being deployed in non-Kubernetes clustered configuration.
location: This is the location spinnaker will be deployed to. When deploying to Kubernetes, use this flag to specify the namespace to deploy to (defaults to spinnaker)
customSizing: Configure, validate, and view the component sizings for the Spinnaker services. Example above only lists clouddriver as an option, but other services can be defined, e.g. echo. Note that if you want to define the sizing for the entire service including sidecars, the definition should be in the spin-$SERVICE format. If only the main container should be defined, use $SERVICE for the definition instead.
- spin-clouddriver:
  - replicas: Set the number of replicas (pods) to be created for this service.
  - requests:
    - memory: Sets the memory request for the container running the spinnaker service. Examples: 512Mi, 8Gi
    - cpu: Sets the cpu request for the container running the spinnaker service. Example: 250m.
- limits:
  - memory: example: 8Gi
  - cpu: example: 250m
sidecars:
- clouddriver:
  - name:
  - dockerImage:
  - port:
  - env:
    - key: definition
  - args:
    - arg1
  - command:
    - arg1
  - configMapVolumeMounts:
    - configMapName:
    - mountPath:
  - secretVolumeMounts:
    - secretName:
    - mountPath:
  - mountPath:
  - securityContext:
    - privileged: true or false.
initContainers: {}
hostAliases: {}
nodeSelectors:
- key: definition
affinity: {}
tolerations:
- clouddriver:`
  - key:
  - operator: Exists, Equal, or DoesNotExist
  - value:
  - effect:
gitConfig:
- upstreamUser: This is the upstream git user you are configuring to pull changes from & push PRs to.
- originUser: This is the git user your github fork exists under.
livenessProbeConfig:
- enabled: true or false; when true, enable Kubernetes liveness probes on Spinnaker services deployed in a Distributed installation. See docs for more information.
- initialDelaySeconds: The number of seconds to wait before performing the first liveness probe. Should be set to the longest service startup time. See docs for more information.
haServices:
- clouddriver:
  - enabled: true or false.
  - disableClouddriverRoDeck: true or false.
  - redisMasterEndpoint: Set external Redis endpoint for clouddriver-rw and clouddriver-caching. The Redis URI schema is described here. clouddriver-rw and clouddriver-caching are configured to use the shared Redis, by default.
  - redisSlaveEndpoint: Set external Redis endpoint for clouddriver-ro. The Redis URI schema is described here. clouddriver-ro is configured to use the shared Redis, by default.
  - redisSlaveDeckEndpoint: Set external Redis endpoint for clouddriver-ro-deck. The Redis URI schema is described here. clouddriver-ro-deck is configured to use the shared Redis, by default.
- echo:
  - enabled: true or false.

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s spinnaker_deployment folder.

Continuous-Deployment: Features Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.features

features:
 artifacts:
 auth:
 fiat:
 chaos:
 entityTags:
 pipelineTemplates:
 artifactsRewrite:
 mineCanary:
 appengineContainerImageUrlDeployments:
 infrastructureStages:
 travis:
 wercker:
 managedPipelineTemplatesV2UI:
 gremlin:

artifacts: true or false. Enable artifact support.
auth: true or false.
fiat: true or false.
chaos: true or false. Enable Chaos Monkey support. For this to work, you’ll need a running Chaos Monkey deployment. Currently, Halyard doesn’t configure Chaos Monkey for you.
entityTags: true or false.
pipelineTemplates: true or false. Enable pipeline template support.
artifactsRewrite: true or false. Enable new artifact support.
mineCanary: true or false. Enable Canary support. For this to work, you’ll need a Canary judge configured. Currently, Halyard does not configure Canary judge for you.
appengineContainerImageUrlDeployments: true or false. Enable appengine deployments using a container image URL from gcr.io.
infrastructureStages: true or false. Enable infrastructure stages. Allows for creating Load Balancers as part of pipelines.
travis: true or false. Enable the Travis CI stage.
wercker: true or false. Enable the Wercker CI stage.
managedPipelineTemplatesV2UI: true or false. Enable managed pipeline templates v2 UI support.
gremlin: true or false. Enable Gremlin fault-injection support.

Continuous-Deployment: Metric Stores Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.metricStores

Metrics stores are used to store metrics for the various Spinnaker micro-services. These metrics are not related in any way to Canary deployments. The technologies backing both are similar, but metric stores are places to push metrics regarding Spinnaker metrics, whereas Canary metrics stores are used to pull metrics to analyze deployments. This configuration only affects the publishing of metrics against whichever metric stores you enable (it can be more than one).

metricStores:
 enabled:
 period:
 prometheus:
 push_gateway:
 add_source_metalabels:
 enabled:
 datadog:
 enabled:
 api_key:
 app_key:
 tags:
 - tag1
 stackdriver:
 enabled:
 credentials_path:
 project:
 instance_id:
 newrelic:
 enabled:
 insert_key:
 host:
 tags:
 - tag1

enabled: true or false.
period: Set the polling period for the monitoring daemon, e.g. 30
prometheus: Prometheus configuration
datadog: Datadog configuration
stackdriver: Stackdriver configuration
newrelic: New Relic configuration

Prometheus

push_gateway: The endpoint the monitoring Daemon should push metrics to. If you have configured Prometheus to automatically discover all your Spinnaker services and pull metrics from them this is not required.
add_source_metalabels: true or false.
enabled: true or false.

Datadog

enabled: true or false.
api_key: Your datadog API key. Supports encrypted value.
app_key: Your datadog app key. This is only required if you want Spinnaker to push preconfigured Spinnaker dashboards to your Datadog account. Supports encrypted value.
tags: Your datadog custom tags. Please delimit the KVP with colons, e.g. app:test env:dev

Stackdriver

enabled: true or false.
credentials_path: A path to a Google JSON service account that has permission to publish metrics. File needs to be present on the machine running Spinnaker. Supports encrypted file.
project: The project Spinnaker’s metrics should be published to.
zone: The zone Spinnaker’s metrics should be associated with.
instance_id:

New Relic

enabled: true or false.
insert_key: Your New Relic Insights insert key. Supports encrypted value.
host: The URL to post metric data to. In almost all cases, this is set correctly by default and should not be used.
tags: Your custom tags. Please delimit the KVP with colons, e.g. app:test env:dev

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s metric-stores folder.

Continuous-Deployment: Notification Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.notifications

notifications:
 slack:
 enabled:
 botName:
 token:
 baseUrl:
 forceUseIncomingWebhook:
 twilio:
 enabled:
 account:
 baseUrl:
 from:
 token:
 github-status:
 enabled:
 token:
 enabled:

Slack parameters

enabled: true or false.
botName: The name of your Slack bot.
token: Your Slack bot token. Supports encrypted value.
baseUrl: Slack endpoint. Optional, only set if using a compatible API.
forceUseIncomingWebhook: true or false. Force usage of incoming webhooks endpoint for Slack. Optional, only set if using a compatible API.

Twilio parameters

enabled: true or false.
account: Your Twilio account SID.
baseUrl: Twilio REST API base url
from: The phone number from which the SMS will be sent (e.g. +1234-567-8910).
token: Your Twilio auth token. Supports encrypted value.

GitHub status parameters

enabled: true or false.
token: Your GitHub account token. Supports encrypted value.

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s notifications folder.

Continuous-Deployment: Persistent Storage Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.persistentStorage

persistentStorage:
 persistentStoreType: s3
 azs:
 gcs:
 oracle:
 s3:

persistentStorageType: one of azs, gcs, oracle, s3; the configured storage type for Spinnaker to use
azs: Azure persistent storage configuration
gcs: Google Cloud persistent storage configuration
oracle: Oracle persistent storage configuration
s3: Amazon s3 persistent storage configuration

Azure

azs:
 storageAccountName:
 storageAccountKey:
 storageContainerName:

storageAccountName: The name of an Azure Storage Account used for Spinnaker’s persistent data.
storageAccountKey: The key to access the Azure Storage Account used for Spinnaker’s persistent data. Supports encrypted value.
storageContainerName: (Default: spinnaker) The container name in the chosen storage account to place all of Spinnaker’s persistent data.

GCS

gcs:
 jsonPath:
 project:
 bucket:
 rootFolder:
 bucketLocation:

jsonPath: A path to a JSON service account with permission to read and write to the bucket to be used as a backing store. File needs to be present on the machine running Spinnaker. Supports encrypted file.
project: The Google Cloud Platform project you are using to host the GCS bucket as a backing store.
bucket: The name of a storage bucket that your specified account has access to. If not specified, a random name will be chosen. If you specify a globally unique bucket name that doesn’t exist yet, Halyard will create that bucket for you.
rootFolder: The root folder in the chosen bucket to place all of Spinnaker’s persistent data in.
bucketLocation: This is only required if the bucket you specify doesn’t exist yet. In that case, the bucket will be created in that location. See https://cloud.google.com/storage/docs/managing-buckets#manage-class-location.

Oracle

oracle:
 bucketName:
 namespace:
 compartmentId:
 region:
 userId:
 fingerprint:
 sshPrivateKeyFilePath:
 privateKeyPassphrase:
 tenancyId:

bucketName: The bucket name to store persistent state object in
namespace: The namespace the bucket and objects should be created in
compartmentId: Provide the OCID of the Oracle Compartment to use.
region: An Oracle region (e.g., us-phoenix-1)
userId: Provide the OCID of the Oracle User you’re authenticating as
fingerprint: Fingerprint of the public key
sshPrivateKeyFilePath: Path to the private key in PEM format. File needs to be present on the machine running Spinnaker. Supports encrypted file.
privateKeyPassphrase: Passphrase used for the private key, if it is encrypted. Supports encrypted value.
tenancyId: Provide the OCID of the Oracle Tenancy to use.

S3

s3:
 bucket:
 rootFolder:
 region:
 pathStyleAccess:
 endpoint:
 accessKeyId:
 serverSideEncryption:
 secretAccessKey:

bucket: The name of a storage bucket that your specified account has access to. If not specified, a random name will be chosen. If you specify a globally unique bucket name that doesn’t exist yet, Operator will create that bucket for you.
rootFolder: The root folder in the chosen bucket to place all of Spinnaker’s persistent data in.
region: This is only required if the bucket you specify doesn’t exist yet. In that case, the bucket will be created in that region. See http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region.
pathStyleAccess: true or false; when true, use path-style to access bucket; when false, use virtual hosted-style to access bucket. See
endpoint: An alternate endpoint that your S3-compatible storage can be found at. This is intended for self-hosted storage services with S3-compatible APIs, e.g. Minio. If supplied, this storage type cannot be validated.
accessKeyId: Your AWS Access Key ID. If not provided, Halyard/Spinnaker will try to find AWS credentials as described at http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default
serverSideEncryption: Use Amazon Server-Side Encryption (‘x-amz-server-side-encryption’ header). Supports ‘AES256’ (for Amazon S3-managed encryption keys, equivalent to a header value of ‘AES256’) and ‘AWSKMS’ (for AWS KMS-managed encryption keys, equivalent to a header value of ‘aws:kms’.
secretAccessKey: Your AWS Secret Key. Supports encrypted value.

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s persistence folder.

Continuous-Deployment: Plugins Config

Mon, 01 Jan 0001 00:00:00 +0000

Warning

Please see Spinnaker’s Plugins User Guide for a detailed explanation of plugins.

Parameters

spec.spinnakerConfig.profiles

Put configuration in the service that the plugin extends. Only the impacted service will restart when you apply the manifest.

Example:

spec:
 # spec.spinnakerConfig - This section is how to specify configuration spinnaker
 spinnakerConfig:
 # spec.spinnakerConfig.config - This section contains the contents of a deployment found in a halconfig .deploymentConfigurations[0]
 profiles:
 orca:
 spinnaker:
 extensibility:
 plugins:
 <plugin-name>:
 enabled: <true-or-false>
 version: <version>
 config: {}
 repositories:
 <repository-name>:
 id:
 url:

plugins:
- <plugin-name>: suggested format is creator.plugin
  - id: plugin ID as defined in plugins.json
  - enabled: true or false
  - version: version of the plugin to use
  - config: {} - configuration for this specific plugin
repositories:
- <repository-name>:
  - id: same as
  - url: URL to repositories.json or plugins.json

See the Plugin Users Guide Add a plugin repository section for when you can use plugins.json instead of repositories.json.

Deck proxy

You need to configure a deck-proxy in Gate if your plugin has a Deck component. Locate the profiles section in your SpinnakerService.yml and add the proxy information to the gate section.

# spec.spinnakerConfig.profiles - This section contains the YAML of each service's profile
profiles:
clouddriver: {} # is the contents of ~/.hal/default/profiles/clouddriver.yml
# deck has a special key "settings-local.js" for the contents of settings-local.js
deck:
 # settings-local.js - contents of ~/.hal/default/profiles/settings-local.js
 # Use the | YAML symbol to indicate a block-style multiline string
 settings-local.js: |
 window.spinnakerSettings.feature.kustomizeEnabled = true;
 window.spinnakerSettings.feature.artifactsRewrite = true;
echo: {} # is the contents of ~/.hal/default/profiles/echo.yml
fiat: {} # is the contents of ~/.hal/default/profiles/fiat.yml
front50: {} # is the contents of ~/.hal/default/profiles/front50.yml
gate:
 spinnaker:
 extensibility:
 deck-proxy:
 enabled: true
 plugins:
 <plugin-name>:
 enabled: true
 version: <version>
 repositories:
 <repository-name>:
 url: <url-to-repositories.json-or-plugins.json>
igor: {} # is the contents of ~/.hal/default/profiles/igor.yml
kayenta: {} # is the contents of ~/.hal/default/profiles/kayenta.yml
orca: {} # is the contents of ~/.hal/default/profiles/orca.yml

Example

The example below configures the pf4jStagePlugin. The configured repository is a plugins.json file rather than a repositories.json file.

spec:
 spinnakerConfig:
 # spec.spinnakerConfig.profiles - This section contains the YAML of each service's profile
 profiles:
 gate:
 spinnaker:
 extensibility:
 deck-proxy: # you need this for plugins with a Deck component
 enabled: true
 plugins:
 Armory.RandomWaitPlugin:
 enabled: true
 version: 1.1.17
 repositories:
 examplePluginsRepo:
 url: https://raw.githubusercontent.com/spinnaker-plugin-examples/examplePluginRepository/master/plugins.json
 orca:
 spinnaker:
 extensibility:
 plugins:
 Armory.RandomWaitPlugin:
 enabled: true
 version: 1.1.17
 config:
 defaultMaxWaitTime: 15
 repositories:
 examplePluginsRepo:
 id: examplePluginsRepo
 url: https://raw.githubusercontent.com/spinnaker-plugin-examples/examplePluginRepository/master/plugins.json

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s plugins folder.

Continuous-Deployment: Providers Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.providers

providers:
 appengine:
 aws:
 ecs:
 dcos:
 dockerRegistry:
 google:
 huaweicloud:
 kubernetes:
 tencentcloud:
 oracle:
 cloudfoundry:

App Engine

spec.spinnakerConfig.config.providers.appengine

The App Engine provider is used to deploy resources to any number of App Engine applications. To get started with App Engine, visit the App Engine docs. An account in the App Engine provider refers to a single App Engine application. Spinnaker assumes that your App Engine application already exists.

appengine:
 enabled: false
 gcloudPath:
 accounts:
 - name: prod-1
 cachingIntervalSeconds:
 environment:
 gcloudReleaseTrack:
 gitHttpsUsername:
 gitHttpsPassword:
 githubOAuthAccessToken:
 jsonPath:
 localRepositoryDirectory:
 omitServices:
 omitVersions:
 permissions:
 READ:
 WRITE:
 EXECUTE:
 CREATE:
 project:
 providerVersion:
 requiredGroupMembership:
 sshPrivateKeyFilePath:
 sshPrivateKeyPassphrase:
 sshKnownHostsFilePath:
 sshTrustUnknownHosts:
 services:
 versions:
 primaryAccount:

enabled:
accounts:
gCloudPath: The path to the gcloud executable on the machine running clouddriver. Ex: /root
primaryAccount:

Account parameters

cachingIntervalSeconds: The interval in seconds at which Spinnaker will poll for updates in your AppEngine clusters.
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
gcloudReleaseTrack: The gcloud release track (ALPHA, BETA, or STABLE) that Spinnaker will use when deploying to App Engine.
gitHttpsPassword: A password to be used when connecting with a remote git repository server over HTTPS. Supports encrypted value.
gitHttpsUsername: A username to be used when connecting with a remote git repository server over HTTPS.
githubOAuthAccessToken: An OAuth token provided by Github for connecting to a git repository over HTTPS. See Creating an Access Token for Command Line Use for more information. Supports encrypted value.
json-path: The path to a JSON service account that Spinnaker will use as credentials. This is only needed if Spinnaker is not deployed on a Google Compute Engine VM, or needs permissions not afforded to the VM it is running on. See Service Accounts for more information.
localRepositoryDirectory: A local directory to be used to stage source files for App Engine deployments within Spinnaker’s Clouddriver microservice.
omitServices: A list of regular expressions. Any service matching one of these regexes will be ignored by Spinnaker.
omitVersions: A list of regular expressions. Any version matching one of these regexes will be ignored by Spinnaker.
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE:
- CREATE:
project: (Required) The Google Cloud Platform project this Spinnaker account will manage.
providerVersion:
requiredGroupMembership: (Default: []) A user must be a member of at least one specified group in order to make changes to this account’s cloud resources.
services: A list of regular expressions. Any service matching one of these regexes will be indexed by Spinnaker.
sshKnownHostsFilePath: The path to a known_hosts file to be used when connecting with a remote git repository over SSH. File needs to be present on the machine running Spinnaker. Supports encrypted file.
sshPrivateKeyFilePath: The path to an SSH private key to be used when connecting with a remote git repository over SSH. File needs to be present on the machine running Spinnaker. Supports encrypted file.
sshPrivateKeyPassphrase: The passphrase to an SSH private key to be used when connecting with a remote git repository over SSH. Supports encrypted value.
sshTrustUnknownHosts: (Default: false) Enabling this flag will allow Spinnaker to connect with a remote git repository over SSH without verifying the server’s IP address against a known_hosts file.
versions: A list of regular expressions. Any version matching one of these regexes will be indexed by Spinnaker.

AWS

spec.spinnakerConfig.config.providers.aws

aws:
 enabled: false
 accessKeyId:
 defaults:
 iamRole: BaseIAMRole
 defaultAssumeRole:
 defaultKeyPairTemplate:
 defaultRegions:
 - name:
 primaryAccount:
 secretAccessKey:
 accounts:
 - name: aws-dev
 accountId:
 assumeRole:
 edda:
 environment:
 defaultKeyPair:
 discovery:
 lifecycleHooks:
 - defaultResult:
 heartbeatTimeout:
 lifecycleTransition:
 notificationTargetARN:
 roleARN:
 permissions:
 READ:
 WRITE:
 EXECUTE:
 CREATE:
 providerVersion: V1
 regions:
 - name:
 requiredGroupMembership:
 externalId:
 bakeryDefaults:
 awsAccessKey:
 awsAssociatePublicIpAddress:
 awsSecretKey:
 awsSubnetId:
 awsVpcId:
 defaultVirtualizationType:
 baseImages:
 - baseImage:
 id:
 shortDescription:
 detailedDescription:
 packageType:
 templateFile:
 virtualizationSettings:
 - region:
 virtualizationType:
 instanceType:
 sourceAmi:
 sshUserName:
 winRmUserName:
 spotPrice:
 spotPriceAutoProduct:
 templateFile:
 features:
 cloudFormation:
 enabled:

The AWS provider requires a central “Managing Account” to authenticate on behalf of other AWS accounts, or act as your sole, credential-based account.

enabled: whether the provider is enabled
accessKeyId: AWS Access Key ID; note that if you are baking AMIs via Rosco, you may also need to set the access key on the AWS bakery default options.
accounts: list of configured accounts
bakeryDefaults: configuration for Spinnaker’s image bakery.Configuration for Spinnaker’s image bakery.
defaults: array with single entry:
- iamRole: BaseIAMRole
defaultKeyPairTemplate: “{{name}}-keypair”
defaultRegions: array of name: <region-name> items
features: configuration for AWS-specific features
primaryAccount: the account you want to be primary of the configured accounts
secretAccessKey: AWS Secret Key; note that if you are baking AMIs via Rosco, you may also need to set the secret key on the AWS bakery default options. Supports encrypted value.

Account parameters

accountId: (Required) Your AWS account ID to manage. See the AWS IAM User Guide for more information.
assumeRole: (Required) If set, will configure a credentials provider that uses AWS Security Token Service to assume the specified role. Example: “user/spinnaker” or “role/spinnakerManaged”
defaultKeyPair: The name of the AWS key-pair to use. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html for more information.
discovery: The endpoint at which your Eureka discovery system is reachable. See https://github.com/Netflix/eureka for more information. Example: http://.eureka.url.to.use:8080/eureka-server/v2. Using will make Spinnaker use AWS regions in the hostname to access discovery so that you can have discovery for multiple regions.
edda: The endpoint at which Edda is reachable. Edda is not a hard dependency of Spinnaker, but is helpful for reducing the request volume against AWS. See https://github.com/Netflix/edda for more information.
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
lifecycleHooks: Configuration for AWS Auto Scaling Lifecycle Hooks. For more information, see: https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html
- defaultResult: Defines the action the Auto Scaling group should take when the lifecycle hook timeout elapses or if an unexpected failure occurs. Acceptable values: CONTINUE, ABANDON.
- heartbeatTimeout: Set the heartbeat timeout in seconds for the lifecycle hook. Instances can remain in a wait state for a finite period of time. Must be greater than or equal to 30 and less than or equal to 7200. The default is 3600 (one hour).
- lifecycleTransition: Type of lifecycle transition. Acceptable values: autoscaling:EC2_INSTANCE_LAUNCHING, autoscaling:EC2_INSTANCE_TERMINATING
- notificationTargetARN: The ARN of the notification target that Amazon EC2 Auto Scaling uses to notify you when an instance is in the transition state for the lifecycle hook. This target can be either an SQS queue or an SNS topic.
- roleARN: The ARN of the IAM role that allows the Auto Scaling group to publish to the specified notification target, for example, an Amazon SNS topic or an Amazon SQS queue.
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE: A user must have at least one of these roles in order to execute pipelines.
- CREATE:
providerVersion:
regions: (Default: []) The AWS regions this Spinnaker account will manage.
requiredGroupMemberships: (Deprecated): Configure permissions instead.
externalId: Optional parameter used to identify and control access to AWS resources. Set this to the same value as the ExternalID parameter in the trust policy for the role you want to assume.

Bakery parameters

awsAccessKey: The default access key used to communicate with AWS.
awsAssociatePublicIpAddress: If using a non-default VPC, public IP addresses are not provided by default. If this is enabled, your new instance will get a Public IP.
awsSecretKey: The secret key used to communicate with AWS. Supports encrypted value.
awsSubnetId: If using VPC, the default ID of the subnet, such as subnet-12345def, where Packer will launch the EC2 instance. This field is required if you are using a non-default VPC.
awsVpcId: If launching into a VPC subnet, Packer needs the VPC ID in order to create a temporary security group within the VPC. Requires subnet_id to be set. If this default value is left blank, Packer will try to get the VPC ID from the subnet_id.
baseImages: []
defaultVirtualizationType: The default type of virtualization for the AMI you are building. This option must match the supported virtualization type of source_ami. Can be pv or hvm.
templateFile: This is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list, or supplied as described in the bakery docs

Bakery base image parameters

detailedDescription: A long description to help human operators identify the image.
id:This is the identifier used by AWS to find this base image.
shortDescription:A short description to help human operators identify the image.
detailedDescription:A long description to help human operators identify the image.
packageType:This is used to help Spinnaker’s bakery download the build artifacts you supply it with. For example, specifying deb indicates that your artifacts will need to be fetched from a debian repository.
templateFile: The name of the Packer template that will be used to bake images from this base image. The template file must be found in this list: https://github.com/spinnaker/rosco/tree/master/rosco-web/config/packer, or supplied as described here: https://spinnaker.io/setup/bakery/.
virtualizationSettings:
- region:The name of the region in which to launch the EC2 instance to create the AMI.
- virtualizationType: The type of virtualization for the AMI you are building. This option must match the supported virtualization type of sourceAmi. Acceptable values: pv, hvm.
- instanceType: The EC2 instance type to use while building the AMI, such as t2.small.
- sourceAmi:The source AMI whose root volume will be copied and provisioned on the currently running instance. This must be an EBS-backed AMI with a root volume snapshot that you have access to.
- sshUserName:The username to connect to SSH with. Required if using SSH.
- winRmUserName:The username to use to connect to WinRM.
- spotPrice:The maximum hourly price to pay for a spot instance to create the AMI. Spot instances are a type of instance that EC2 starts when the current spot price is less than the maximum price you specify. Spot price will be updated based on available spot instance capacity and current spot instance requests. It may save you some costs. You can set this to auto for Packer to automatically discover the best spot price or to “0” to use an on demand instance (default).
- spotPriceAutoProduct:Required if spotPrice is set to auto. This tells Packer what sort of AMI you are launching to find the best spot price. This must be one of: Linux/UNIX, SUSE Linux, Windows, Linux/UNIX (Amazon VPC), SUSE Linux (Amazon VPC), Windows (Amazon VPC).

Features parameters

cloud-formation: (Required) Enable CloudFormation support for AWS.

Azure

spec.spinnakerConfig.config.providers.azure

azure:
 enabled: false
 primaryAccount: azure-dev
 accounts:
 - name: azure-dev
 appKey:
 clientId:
 defaultKeyVault:
 defaultResourceGroup:
 environment:
 objectId:
 packerResourceGroup:
 packerStorageAccount:
 permissions:
 READ:
 WRITE:
 EXECUTE:
 CREATE:
 providerVersion: V1
 regions:
 - name:
 requiredGroupMembership:
 subscriptionId:
 tenantId:
 useSshPublicKey:
 bakeryDefaults:
 templateFile:
 baseImages:
 - baseImage:
 id:
 detailedDescription:
 packageType:
 publisher:
 offer:
 shortDescription:
 templateFile:
 sku:
 version:
 virtualizationSettings: {}

enabled: whether the provider is enabled
primaryAccount: name of primary account
accounts: list of configured accounts
bakeryDefaults: configuration for Spinnaker’s image bakery

Account parameters

appKey: (Required) The appKey (password) of your service principal. Supports encrypted value.
clientId: (Required) The clientId (also called appId) of your service principal.
defaultKeyVault: (Required) The name of a KeyVault that contains the user name, password, and ssh public key used to create VMs
defaultResourceGroup: (Required) The default resource group to contain any non-application specific resources.
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
objectId: The objectId of your service principal. This is only required if using Packer to bake Windows images.
packerResourceGroup: The resource group to use if baking images with Packer.
packerStorageAccount: The storage account to use if baking images with Packer.
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE:
- CREATE:
regions: The Azure regions this Spinnaker account will manage.
requiredGroupMembership: (Deprecated): Configure permissions instead.
subscriptionId: (Required) The subscriptionId that your service principal is assigned to.
tenantId: (Required) The tenantId that your service principal is assigned to.
useSshPublicKey: Whether to use SSH public key to provision the linux vm. The default value is true which means using the ssh public key. Setting it to false means using the password instead.

Bakery parameters

templateFile: his is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list, or supplied as described in the bakery docs

Bakery base image parameters

detailedDescription: A long description to help human operators identify the image.
offer: (Required) The offer for your base image. See https://aka.ms/azspinimage to get a list of images.
packageType: This is used to help Spinnaker’s bakery download the build artifacts you supply it with. For example, specifying ‘deb’ indicates that your artifacts will need to be fetched from a debian repository.
publisher: (Required) The Publisher name for your base image. See https://aka.ms/azspinimage to get a list of images.
shortDescription: A short description to help human operators identify the image.
sku: (Required) The SKU for your base image. See https://aka.ms/azspinimage to get a list of images.
templateFile: This is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list https://github.com/spinnaker/rosco/tree/master/rosco-web/config/packer, or supplied as described here: https://spinnaker.io/setup/bakery/
version: The version of your base image. This defaults to ’latest’ if not specified.

Cloud Foundry

spec.spinnakerConfig.config.providers.cloudfoundry

cloudfoundry:
 enabled: false
 accounts:
 - name: cf-dev
 apiHost:
 appsManagerUrl:
 environment:
 metricsUrl:
 providerVersion: V1
 password:
 permissions:
 READ:
 WRITE:
 EXECUTE:
 CREATE:
 requiredGroupMembership:
 skipSslValidation:
 user:
 primaryAccount: cf-dev

enabled: whether the provider is enabled
primaryAccount: name of primary account
accounts: list of configured accounts

Account parameters

apiHost: (Required) Host of the CloudFoundry Foundation API endpoint ie. api.sys.somesystem.com
appsManagerUrl: HTTP(S) URL of the Apps Manager application for the CloudFoundry Foundation. Example: https://apps.sys.somesystem.com
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
metricsUrl: HTTP(S) URL of the metrics application for the CloudFoundry Foundation. Example https://metrics.sys.somesystem.com
password: (Required) Password for the account to use on for this CloudFoundry Foundation. Supports encrypted value.
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE:
- CREATE:
requiredGroupMembership: [] (Deprecated): Configure permissions instead.
skipSslValidation: (Default: false) Skip SSL server certificate validation of the API endpoint
user: (Required) User name for the account to use on for this CloudFoundry Foundation

DC/OS

spec.spinnakerConfig.config.providers.dcos

dcos:
 enabled: false
 accounts:
 - name: dcos-dev
 clusters:
 - name:
 password:
 serviceKeyFile:
 uid:
 dockerRegistries:
 - accountName:
 namespaces:
 environment:
 permissions:
 READ:
 WRITE:
 EXECUTE:
 CREATE:
 providerVersion: V1
 requiredGroupMembership:
 clusters:
 - name:
 caCertFile:
 dcosUrl:
 insecureSkipTlsVerify:
 loadBalancer:
 image:
 serviceAccountSecret:
 primaryAccount:

enabled: Whether the provider is enabled.
accounts: the list of configured accounts
primaryAccount: The name of the primary account.
clusters: the list of configured clusters

Accounts parameters

clusters: (Required) The clusters against which this account will authenticate.
- name: (Required) The name of the account.
- password: Password for a user account. If set, serviceKeyFile should not be set. Supports encrypted value.
- serviceKeyFile: Path to a file containing the secret key for service account authentication. If set, password should not be set. File needs to be present on the machine running Spinnaker. Supports encrypted file.
- uid: (Required) User or service account identifier.
dockerRegistries: []; (Required) Provide the list of docker registries to use with this DC/OS account
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
requiredGroupMembership: (Deprecated): Configure permissions instead.
serviceKeyFile: Path to a file containing the secret key for service account authentication
uid: (Required) User or service account identifier

Clusters parameters

name: (Required) The name of the cluster.
caCertFile: Root certificate file to trust for connections to the cluster. File needs to be present on the machine running Spinnaker. Supports encrypted file.
dcosUrl: (Required) URL of the endpoint for the DC/OS cluster’s admin router.
insecureSkipTlsVerify: If true, disables verification of certificates from the cluster (insecure).
loadBalancer: Configuration for a DC/OS load balancer
- image: Marathon-lb image to use when creating a load balancer with Spinnaker.
- serviceAccountSecret: Name of the secret to use for allowing marathon-lb to authenticate with the cluster. Only necessary for clusters with strict or permissive security. Supports encrypted value.

Docker Registry

spec.spinnakerConfig.config.providers.dockerRegistry

dockerRegistry:
 enabled: true
 primaryAccount: dockerhub
 accounts:
 - name: dockerhub
 environment:
 requiredGroupMembership:
 providerVersion: V1
 permissions:
 READ:
 WRITE:
 EXECUTE:
 CREATE:
 address:
 username:
 password:
 passwordCommand:
 email:
 cacheIntervalSeconds:
 clientTimeoutMillis:
 cacheThreads:
 paginateSize:
 sortTagsByDate:
 trackDigests:
 insecureRegistry:
 repositories:
 passwordFile:
 dockerconfigFile:

enabled: Whether the provider is enabled.
accounts: the list of configured accounts
primaryAccount: The name of the primary account.

Account parameters

name: name of the account
address: (Default: gcr.io) (Required) The registry address you want to pull and deploy images from; e.g. https://index.docker.io
cacheIntervalSeconds: (Default: 30) How many seconds elapse between polling your docker registry. Certain registries are sensitive to over-polling, and larger intervals (e.g. 10 minutes = 600 seconds) are desirable if you’re seeing rate limiting.
cacheThreads: (Default: 1) How many threads to cache all provided repos on. Really only useful if you have a ton of repos.
clientTimeoutMillis: (Default: 60000) Timeout time in milliseconds for this repository.
email: Your docker registry email (often this only needs to be well-formed, rather than be a real address)
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
insecureRegistry: (Default: false) Treat the docker registry as insecure (don’t validate the ssl cert).
paginateSize: (Default: 100) Paginate size for the docker repository _catalog endpoint.
password: Your docker registry password. Supports encrypted value.
passwordCommand: Command to retrieve docker token/password, commands must be available in environment
passwordFile: The path to a file containing your docker password in plaintext (not a docker/config.json file). File needs to be present on the machine running Spinnaker. Supports encrypted file.
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE:
- CREATE:
requiredGroupMembership: [] (Deprecated): Configure permissions instead.
repositories: (Default: []) An optional list of repositories to cache images from. If not provided, Spinnaker will attempt to read accessible repositories from the registries _catalog endpoint
sortTagsByDate: (Default: false) Sort tags by creation date.
trackDigests: (Default: false) Track digest changes. This is not recommended as it consumes a high QPM, and most registries are flaky.
username: Your docker registry username

ECS

spec.spinnakerConfig.config.providers.ecs

ecs:
 enabled: false
 accounts:
 - name: aws-dev
 environment:
 awsAccount:
 requiredGroupMembership:
 permissions:
 READ:
 WRITE:
 EXECUTE:
 CREATE:
 providerVersion: v1
 primaryAccount: aws-dev

enabled: Whether the provider is enabled.
accounts: the list of configured accounts
primaryAccount: The name of the primary account.

Account parameters

name: name of the account
awsAccount: (Required) Provide the name of the AWS account associated with this ECS account.See https://github.com/spinnaker/clouddriver/blob/master/clouddriver-ecs/README.md for more information.
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE:
- CREATE:
requiredGroupMembership: [] (Deprecated): Configure permissions instead.

Google

spec.spinnakerConfig.config.providers.google

google:
 enabled:
 accounts:
 - name:
 environment:
 requiredGroupMembership:
 - readers
 providerVersion: V1
 permissions:
 READ:
 - read1
 - read2
 WRITE:
 - write1
 - write2
 EXECUTE:
 - exec1
 - exec2
 CREATE:
 - create1
 - create2
 project:
 jsonPath:
 alphaListed:
 imageProjects:
 - abc
 consul:
 enabled:
 agentEndpoint:
 agentPort:
 datacenters:
 - abc
 userDataFile:
 regions:
 - abc
 primaryAccount: google-dev
 bakeryDefaults:
 templateFile:
 baseImages:
 - baseImage:
 id:
 shortDescription:
 detailedDescription:
 packageType:
 templateFile:
 isImageFamily:
 virtualizationSettings:
 sourceImage:
 sourceImageFamily:
 zone:
 network:
 networkProjectId:
 useInternalIp:
 defaultKeyPairTemplate:
 defaultRegions:
 - name:

enabled: Whether the provider is enabled.
accounts: the list of configured accounts
primaryAccount: The name of the primary account.
bakeryDefaults: configuration for Spinnaker’s image bakery

Account parameters

name: name of the account
alphaListed: (Default: false) Enable this flag if your project has access to alpha features and you want Spinnaker to take advantage of them.
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
imageProjects: (Default: []) A list of Google Cloud Platform projects Spinnaker will be able to cache and deploy images from. When this is omitted, it defaults to the current project. Each project must have granted the IAM role compute.imageUser to the service account associated with the json key used by this account, as well as to the ‘Google APIs service account’ automatically created for the project being managed (should look similar to 12345678912@cloudservices.gserviceaccount.com). See Sharing Images Across Projects for more information about sharing images across GCP projects.
jsonPath: The path to a JSON service account that Spinnaker will use as credentials. This is only needed if Spinnaker is not deployed on a Google Compute Engine VM, or needs permissions not afforded to the VM it is running on. See https://cloud.google.com/compute/docs/access/service-accounts for more information. File needs to be present on the machine running Spinnaker. Supports encrypted file.
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE:
- CREATE:
requiredGroupMembership: [] (Deprecated): Configure permissions instead.
project: (Required) The Google Cloud Platform project this Spinnaker account will manage.
readPermissions: (Default: []) A user must have at least one of these roles in order to view this account’s cloud resources.
regions: A list of regions for caching and mutating calls. This overwrites any default-regions set on the provider.
userDataFile: The path to user data template file. Spinnaker has the ability to inject userdata into generated instance templates. The mechanism is via a template file that is token replaced to provide some specifics about the deployment. See https://github.com/spinnaker/clouddriver/blob/master/clouddriver-aws/UserData.md for more information. File needs to be present on the machine running Spinnaker.
consul: Configuration for Consul.
- enabled: Whether Consul is enabled.
- agentEndpoint: Reachable Consul node endpoint connected to the Consul cluster. Defaults to localhost.
- agentPort: Port consul is running on for every agent.
- datacenters: List of data centers to cache and keep updated.

Bakery parameters

network: Set the default network your images will be baked in.
networkProjectId: Set the default project id for the network and subnet to use for the VM baking your image.
templateFile: This is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list https://github.com/spinnaker/rosco/tree/master/rosco-web/config/packer, or supplied as described here: https://spinnaker.io/setup/bakery/
useInternalIp: Use the internal rather than external IP of the VM baking your image.
zone: Set the default zone your images will be baked in.

Bakery base image parameters

detailedDescription: A long description to help human operators identify the image.
isImageFamily: (Default: false)
packageType: This is used to help Spinnaker’s bakery download the build artifacts you supply it with. For example, specifying ‘deb’ indicates that your artifacts will need to be fetched from a debian repository.
shortDescription: A short description to help human operators identify the image.
templateFile: This is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list https://github.com/spinnaker/rosco/tree/master/rosco-web/config/packer, or supplied as described here: https://spinnaker.io/setup/bakery/
virtualizationSettings:
- sourceImage: The source image. If both source image and source image family are set, source image will take precedence.
- source-image-family: The source image family to create the image from. The newest, non-deprecated image is used.

Huawei Cloud

spec.spinnakerConfig.config.providers.huawei

huaweicloud:
 enabled:
 accounts:
 - name: huawei-dev
 environment:
 requiredGroupMembership:
 providerVersion: V1
 permissions:
 READ:
 - read1
 - read2
 WRITE:
 - write1
 - write2
 EXECUTE:
 - exec1
 - exec2
 CREATE:
 - create1
 - create2
 accountType:
 authUrl:
 username:
 password:
 projectName:
 domainName:
 insecure:
 regions:
 primaryAccount: huawei-dev
 bakeryDefaults:
 templateFile:
 baseImages:
 - baseImage:
 id:
 shortDescription:
 detailedDescription:
 packageType:
 templateFile:
 virtualizationSettings:
 - region:
 instanceType:
 sourceImageId:
 sshUserName:
 eipType:
 authUrl:
 username:
 password:
 projectName:
 domainName:
 insecure:
 vpcId:
 subnetId:
 securityGroup:
 eipBandwidthSize:

enabled: Whether the provider is enabled.
accounts: the list of configured accounts
primaryAccount: The name of the primary account.
bakeryDefaults: configuration for Spinnaker’s image bakery

Account parameters

name: name of the account
accountType: The type of account.
authUrl: (Required) The auth url of cloud.
domainName: (Required) The domain name of the cloud.
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
insecure: (Default: false) Disable certificate validation on SSL connections. Needed if certificates are self signed. Default false.
password: (Required) The password used to access cloud. Supports encrypted value.
projectName: (Required) The name of the project within the cloud.
regions: (Default: []) (Required) The region(s) of the cloud.
username: (Required) The username used to access cloud.
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE:
- CREATE:
requiredGroupMembership: [] (Deprecated): Configure permissions instead.

Bakery parameters

authUrl: (Required) Set the default auth URL your images will be baked in.
domainName: (Required) Set the default domainName your images will be baked in.
eipBandwidthSize: (Required) Set the bandwidth size of EIP your images will be baked in.
insecure: (Required) The security setting (true/false) for connecting to the HuaweiCloud account.
password: (Required) Set the default password your images will be baked with.
projectName: Set the default project name your images will be baked in.
domainName: (Required) Set the default project name your images will be baked in.
securityGroup: (Required) Set the default security group your images will be baked in.
subnetId: (Required) Set the subnet your images will be baked in.
templateFile: This is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list https://github.com/spinnaker/rosco/tree/master/rosco-web/config/packer, or supplied as described here: https://spinnaker.io/setup/bakery/
username: (Required) Set the default username your images will be baked with.
vpcId: (Required) Set the vpc your images will be baked in.

Bakery base image parameters

detailedDescription: A long description to help human operators identify the image.
packageType: This is used to help Spinnaker’s bakery download the build artifacts you supply it with. For example, specifying ‘deb’ indicates that your artifacts will need to be fetched from a debian repository.
shortDescription: A short description to help human operators identify the image.
templateFile: This is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list https://github.com/spinnaker/rosco/tree/master/rosco-web/config/packer, or supplied as described here: https://spinnaker.io/setup/bakery/

Kubernetes

spec.spinnakerConfig.config.providers.kubernetes

The Kubernetes provider is used to deploy Kubernetes resources to any number of Kubernetes clusters. Spinnaker assumes you have a Kubernetes cluster already running. If you don’t, you must configure one: https://Kubernetes.io/docs/getting-started-guides/.

Before proceeding, please visit https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/ to make sure you’re familiar with the authentication terminology.

kubernetes:
 enabled: true
 accounts:
 - name: spinnaker
 context:
 cluster:
 user:
 configureImagePullSecrets:
 cacheThreads:
 namespaces:
 omitNamespaces:
 kinds:
 omitKinds:
 customResources:
 versioned:
 - kubernetesKind:
 - spinnakerKind:
 cachingPolicies:
 - kubernetesKind:
 maxEntriesPerAgent:
 kubeconfigFile:
 kubeconfigContents:
 kubectlPath:
 kubectlRequestTimeoutSeconds:
 liveManifestCalls:
 oAuthServiceAccount:
 oAuthScopes:
 namingStrategy:
 skin:
 onlySpinnakerManaged:
 debug:
 dockerRegistries:
 - accountName:
 namespaces:
 providerVersion: V2
 requiredGroupMembership:
 permissions:
 READ:
 WRITE:
 EXECUTE:
 CREATE:
 primaryAccount: spinnaker

enabled: Whether the provider is enabled.
accounts: the list of configured accounts
primaryAccount: The name of the primary account.

Account parameters

An account in the Kubernetes provider refers to a single Kubernetes context. In Kubernetes, a context is the combination of a Kubernetes cluster and some credentials. If no context is specified, the default context in in your kubeconfig is assumed. You must also provide a set of Docker Registries for each account. Spinnaker will automatically upload that Registry’s credentials to the specified Kubernetes cluster allowing you to deploy those images without further configuration.

name: spinnaker
context: The kubernetes context to be managed by Spinnaker. See http://kubernetes.io/docs/user-guide/kubeconfig-file/#context for more information. When no context is configured for an account the ‘current-context’ in your kubeconfig is assumed.
cluster: Used with V1 provider (deprecated)
user: Used with V1 provider (deprecated)
configureImagePullSecrets: Used with V1 provider. When true, Spinnaker will create & manage your image pull secrets for you; when false, you will have to create and attach them to your pod specs by hand.
serviceAccount: When true, Spinnaker attempt to authenticate against Kubernetes using a Kubernetes service account. This only works when Halyard & Spinnaker are deployed in Kubernetes. Read more about service accounts here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/.
cacheThreads: Number of caching agents for this kubernetes account. Each agent handles a subset of the namespaces available to this account. By default, only 1 agent caches all kinds for all namespaces in the account.
namespaces: A list of namespaces this Spinnaker account can deploy to and will cache. When no namespaces are configured, this defaults to ‘all namespaces’.
omitNamespaces: A list of namespaces this Spinnaker account cannot deploy to or cache. This can only be set when –namespaces is empty or not set.
kinds: (V2 Only) A list of resource kinds this Spinnaker account can deploy to and will cache. When no kinds are configured, this defaults to all kinds described in the Kubernetes Provider docs.
omitKinds: (V2 Only) A list of resource kinds this Spinnaker account cannot deploy to or cache. This can only be set when –kinds is empty or not set.
customResources: (V2 Only) List of Kubernetes custom resources to managed by clouddriver and made available for use in patch and delete manifest stages.
- versioned: true or false
- kubernetesKind: Fully qualified name of the Kubernetes CRD
- spinnakerKind: One of instances, configs, serverGroups, loadBalancers, securityGroups, serverGroupManagers, unclassified
cachingPolicies:
- kubernetesKind:
- maxEntriesPerAgent:
kubeconfigFile: The path to your kubeconfig file. By default, it will be under the Spinnaker user’s home directory in the typical .kube/config location. File needs to be present on the machine running Spinnaker. Supports encrypted file.
kubeconfigContents: Inline kubeconfig file contents
kubectlPath: Alternate path inside clouddriver pod of the kubectl binary
kubectlRequestTimeoutSeconds: Timeout in seconds of kubectl calls
checkPermissionsOnStartup: When false, clouddriver will skip the permission checks for all Kubernetes Kinds at startup. This can save a great deal of time during clouddriver startup when you have many Kubernetes accounts configured. This disables the log messages at startup about missing permissions.
liveManifestCalls: When true, clouddriver will query manifest status during pipeline executions using live data rather than the cache. This eliminates all time spent in the “force cache refresh” task in pipelines, greatly reducing execution time.
oAuthServiceAccount: File needs to be present on the machine running Spinnaker. Supports encrypted file.
oAuthScopes:
namingStrategy:
skin:
onlySpinnakerManaged: (V2 Only) When true, Spinnaker only caches and displays applications that have been created by Spinnaker. Before placing in a false state, you should review the Kubernetes cluster configuration. When false, Spinnaker analyzes the cluster and automatically attempts to configure and populate applications for resources already present in Kubernetes, unless limited with omitNamespaces. You should note the increased possibilities of misconfigured Autogenerated Application Placeholders in the deployments.
debug: true or false
dockerRegistries:
- accountName: dockerhub
- namespaces:
providerVersion: V2
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE:
- CREATE:
requiredGroupMembership: [] (Deprecated): Configure permissions instead.

Oracle

spec.spinnakerConfig.config.providers.oracle

oracle:
 enabled:
 accounts:
 - name: oracle-dev
 environment:
 requiredGroupMembership:
 providerVersion: V1
 permissions:
 READ:
 - read1
 - read2
 WRITE:
 - write1
 - write2
 EXECUTE:
 - exec1
 - exec2
 CREATE:
 - create1
 - create2
 compartmentId:
 userId:
 fingerprint:
 sshPrivateKeyFilePath:
 privateKeyPassphrase:
 tenancyId:
 region:
 primaryAccount: oracle-dev
 bakeryDefaults:
 templateFile:
 baseImages:
 - baseImage:
 id:
 shortDescription:
 detailedDescription:
 packageType:
 templateFile:
 virtualizationSettings:
 baseImageId:
 sshUserName:
 availabilityDomain:
 subnetId:
 instanceShape:

Account parameters

compartmentId: (Required) Provide the OCID of the Oracle Compartment to use.
deployment: If supplied, use this Halyard deployment. This will not create a new deployment.
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
fingerprint: (Required) Fingerprint of the public key
privateKeyPassphrase: Passphrase used for the private key, if it is encrypted.Supports encrypted value.
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE:
- CREATE:
requiredGroupMembership: [] (Deprecated): Configure permissions instead.
region: (Required) An Oracle region (e.g., us-phoenix-1)
sshPrivateKeyFilePath: (Required) Path to the private key in PEM format. File needs to be present on the machine running Spinnaker. Supports encrypted file.
tenancyId: (Required) Provide the OCID of the Oracle Tenancy to use.
userI: (Required) Provide the OCID of the Oracle User you’re authenticating as

Bakery parameters

availabilityDomain: (Required) The name of the Availability Domain within which a new instance is launched and provisioned.
deployment: If supplied, use this Halyard deployment. This will not create a new deployment.
instanceShape: (Required) The shape for allocated to a newly created instance.
subnetId: (Required) The name of the subnet within which a new instance is launched and provisioned.
templateFile: This is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list https://github.com/spinnaker/rosco/tree/master/rosco-web/config/packer, or supplied as described here: https://spinnaker.io/setup/bakery/

Bakery base image parameters

baseImageId: (Required) The OCID of the base image ID for the baking configuration.
deployment: If supplied, use this Halyard deployment. This will not create a new deployment.
detailedDescription: A long description to help human operators identify the image.
packageType: This is used to help Spinnaker’s bakery download the build artifacts you supply it with. For example, specifying ‘deb’ indicates that your artifacts will need to be fetched from a debian repository.
shortDescription: A short description to help human operators identify the image.
sshUserName: (Required) The ssh username for the baking configuration.
templateFile: This is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list https://github.com/spinnaker/rosco/tree/master/rosco-web/config/packer, or supplied as described here: https://spinnaker.io/setup/bakery/

Tencent Cloud

spec.spinnakerConfig.config.providers.tencentcloud

tencentcloud:
 enabled:
 accounts:
 - name: tencent-dev
 environment: dev
 requiredGroupMembership:
 providerVersion: V1
 permissions:
 READ:
 - read1
 - read2
 WRITE:
 - write1
 - write2
 EXECUTE:
 - exec1
 - exec2
 CREATE:
 - create1
 - create2
 secretId:
 secretKey:
 regions:
 primaryAccount: tencent-dev
 bakeryDefaults:
 templateFile:
 baseImages:
 - baseImage:
 id:
 shortDescription:
 detailedDescription:
 packageType:
 templateFile:
 virtualizationSettings:
 - region:
 zone:
 instanceType:
 sourceImageId:
 sshUserName:
 secretId:
 secretKey:

enabled: true or false
accounts: account configuration list
primaryAccount: primary account to use
bakeryDefaults: image baking configuration

Account parameters

deployment: If supplied, use this Halyard deployment. This will not create a new deployment.
environment: The environment name for the account. Many accounts can share the same environment (e.g. dev, test, prod)
permissions:
- READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
- WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
- EXECUTE:
- CREATE:
requiredGroupMembership: [] (Deprecated): Configure permissions instead.
regions: The Tencent CLoud regions this Spinnaker account will manage.
secretId: (Required) The secret id used to access Tencent Cloud.
secretKey: (Required) The secret key used to access Tencent Cloud. Supports encrypted value.

Bakery parameters

secretId: (Required) The default access key used to communicate with AWS.
secretKey: (Required) The secret key used to communicate with AWS. Supports encrypted value.
templateFile: This is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list https://github.com/spinnaker/rosco/tree/master/rosco-web/config/packer, or supplied as described here: https://spinnaker.io/setup/bakery/

Bakery base image parameters

detailedDescription: A long description to help human operators identify the image.
instanceType: (Required) The instance type for the baking configuration.
packageType: This is used to help Spinnaker’s bakery download the build artifacts you supply it with. For example, specifying ‘deb’ indicates that your artifacts will need to be fetched from a debian repository.
region: (Required) The region for the baking configuration.
shortDescription: A short description to help human operators identify the image.
sourceImageId: (Required) The source image ID for the baking configuration.
sshUserName: (Required) The ssh username for the baking configuration.
templateFile: This is the name of the packer template that will be used to bake images from this base image. The template file must be found in this list https://github.com/spinnaker/rosco/tree/master/rosco-web/config/packer, or supplied as described here: https://spinnaker.io/setup/bakery/
zone: (Required) The zone for the baking configuration.

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s accounts folder.

Continuous-Deployment: PubSub Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.pubsub

pubsub:
 enabled:
 google:
 enabled:
 subscriptions:
 - name:
 project:
 subscriptionName:
 jsonPath:
 templatePath:
 ackDeadlineSeconds:
 messageFormat:
 publishers:
 - name:
 project:
 topicName:
 jsonPath:
 content:

enabled: true or false.
google:

Google

enabled: true or false.
subscriptions:
- name: subscription name
- project: The name of the GCP project your subscription lives in.
- subscriptionName: The name of the subscription to listen to. This identifier does not include the name of the project, and must already be configured for Spinnaker to work.
- jsonPath: The path to a JSON service account that Spinnaker will use as credentials. This is only needed if Spinnaker is not deployed on a Google Compute Engine VM, or needs permissions not afforded to the VM it is running on. See https://cloud.google.com/compute/docs/access/service-accounts for more information. File needs to be present on the machine running Spinnaker. Supports encrypted file.
- templatePath: A path to a jinja template that specifies how artifacts from this pubsub system are interpreted and transformed into Spinnaker artifacts. See spinnaker.io/reference/artifacts for more information. File needs to be present on the machine running Spinnaker.
- ackDeadlineSeconds: Time in seconds before an outstanding message is considered unacknowledged and is re-sent. Configurable in your Google Cloud Pubsub subscription. See the docs here`: https://cloud.google.com/pubsub/docs/subscriber
- messageFormat: One of ‘GCB’, ‘GCS’, ‘GCR’, or ‘CUSTOM’. This can be used to help Spinnaker translate the contents of the Pub/Sub message into Spinnaker artifacts.
publishers:
- name: name of publisher
  - project:
  - topicName:
  - jsonPath: File needs to be present on the machine running Spinnaker. Supports encrypted file.

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s pubsub folder.

Continuous-Deployment: Repository Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.repository

repository:
 artifactory:
 enabled:
 searches:
 - name:
 baseUrl:
 permissions:
 READ:
 WRITE:
 repo:
 groupId:
 repoType:
 username:
 password:

Artifactory

enabled: true or false.
searches:
- - name: The name of the account
  - baseUrl: The base url your artifactory search is reachable at.
  - permissions:
    - READ: [] A user must have at least one of these roles in order to view this account’s cloud resources.
    - WRITE: [] A user must have at least one of these roles in order to make changes to this account’s cloud resources.
  - repo: The repo in your artifactory to be searched.
  - groupId: The group id in your artifactory to be searched.
  - repoType: The package type of repo in your artifactory to be searched: maven (default).
  - username: The username of the artifactory user to authenticate as.
  - password: The password of the artifactory user to authenticate as. Supports encrypted value.

Continuous-Deployment: Security Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.security

Configure Spinnaker’s security. This includes external SSL, authentication mechanisms, and authorization policies.

security:
 apiSecurity:
 uiSecurity:
 authn:
 authz:

apiSecurity
uiSecurity
authn
authz

API

spec.spinnakerConfig.config.security.apiSecurity

apiSecurity:
 ssl:
 enabled:
 keyAlias:
 keyStore:
 keyStoreType:
 keyStorePassword:
 trustStore:
 trustStoreType:
 trustStorePassword:
 clientAuth:
 overrideBaseUrl:
 corsAccessPattern:

ssl:
overrideBaseUrl: If you are accessing the API server remotely, provide the full base URL (including protocol) of whatever proxy or load balancer is fronting the API requests.
corsAccessPattern: ^.*$ If you have authentication enabled, are accessing Spinnaker remotely, and are logging in from sources other than the UI, provide a regex matching all URLs authentication redirects may come from.

SSL parameters

enabled: true or false.
keyAlias: Name of your keystore entry as generated with your keytool.
keyStore: Path to the keystore holding your security certificates. File needs to be present on the machine running Spinnaker. Supports encrypted file.
keyStoreType: The type of your keystore. Examples include JKS, and PKCS12.
keyStorePassword: The password to unlock your keystore. Due to a limitation in Tomcat, this must match your key’s password in the keystore. Supports encrypted value.
trustStore: Path to the truststore holding your trusted certificates. File needs to be present on the machine running Spinnaker. Supports encrypted file.
trustStoreType: The type of your truststore. Examples include JKS, and PKCS12.
trustStorePassword: The password to unlock your truststore. Supports encrypted value.
clientAuth: Declare WANT when client auth is wanted but not mandatory or NEED when client auth is mandatory.

Authentication

spec.spinnakerConfig.config.security.authn

authn:
 oauth2:
 saml:
 ldap:
 x509:
 iap:

enabled: true or false.
oauth2:
saml:
ldap:
x509:
iap

OAUTH2

spec.spinnakerConfig.config.security.authn.oauth2

oauth2:
 enabled:
 client:
 clientId:
 clientSecret:
 accessTokenUri:
 userAuthorizationUri:
 clientAuthenticationScheme:
 scope:
 preEstablishedRedirectUri:
 useCurrentUri:
 userInfoRequirements:
 resource:
 userInfoUri:
 userInfoMapping:
 email:
 firstName:
 lastName:
 username:
 provider:

enabled: true or false.
client:
- clientId: The OAuth client ID you have configured with your OAuth provider.
- clientSecret: The OAuth client secret you have configured with your OAuth provider. Supports encrypted value.
- accessTokenUri: The access token uri for your OAuth provider.
- userAuthorizationUri: The user authorization uri for your OAuth provider.
- clientAuthenticationScheme: The client authentication scheme for your OAuth provider.
- scope: The scope for your OAuth provider, e.g. user:email
- preEstablishedRedirectUri: The externally accessible URL for Gate. For use with load balancers that do any kind of address manipulation for Gate traffic, such as an SSL terminating load balancer.
- useCurrentUri: false
userInfoRequirements: {} The map of requirements the userInfo request must have. This is used to restrict user login to specific domains or having a specific attribute. Use equal signs between key and value, and additional key/value pairs need to repeat the flag. Example: ‘–user-info-requirements foo=bar –userInfoRequirements baz=qux’.
resource:
- userInfoUri: The user info uri for your OAuth provider.
userInfoMapping:
- email: The email field returned from your OAuth provider.
- firstName: The first name field returned from your OAuth provider.
- lastName: The last name field returned from your OAuth provider.
- username: The username field returned from your OAuth provider.
provider: One of azure, github, oracle, other, google

SAML

spec.spinnakerConfig.config.security.authn.saml

saml:
 enabled:
 metadataLocal:
 metadataRemote:
 issuerId:
 keyStore:
 keyStorePassword:
 keyStoreAliasName:
 serviceAddress:
 userAttributeMapping:
 firstName:
 lastName:
 roles:
 lastName:
 username:
 email:

enabled: true or false.
metadataLocal: The address to your identity provider’s metadata XML file. File needs to be present on the machine running Spinnaker. Supports encrypted file.
metadataRemote: The address to your identity provider’s metadata XML file. This is a URL.
issuerId: The identity of the Spinnaker application registered with the SAML provider.
keyStore: Path to the keystore that contains this server’s private key. This key is used to cryptographically sign SAML AuthNRequest objects. File needs to be present on the machine running Spinnaker. Supports encrypted file.
keyStorePassword: The password used to access the file specified in –keystore. Supports encrypted value.
keyStoreAliasName: The name of the alias under which this server’s private key is stored in the –keystore file.
serviceAddress: The address of the Gate server that will be accesible by the SAML identity provider. This should be the full URL, including port, e.g. https://gate.org.com:8084/. If deployed behind a load balancer, this would be the load balancer’s address.
userAttributeMapping:
- firstName: The first name field returned from your SAML provider.
- lastName: The last name field returned from your SAML provider.
- roles: The roles field returned from your SAML provider.
- lastName: The last name field returned from your SAML provider.
- username: aThe username field returned from your SAML provider.
- email: The email field returned from your SAML provider.

LDAP

spec.spinnakerConfig.config.security.authn.ldap

ldap:
 enabled:
 url:
 userDnPattern:
 userSearchBase:
 userSearchFilter:
 managerDn:
 managerPassword:
 groupSearchBase:

enabled: true or false.
url: ldap:// or ldaps:// url of the LDAP server
userDnPattern: The pattern for finding a user’s DN using simple pattern matching. For example, if your LDAP server has the URL ldap://mysite.com/dc=spinnaker,dc=org, and you have the pattern ‘uid={0},ou=members’, ‘me’ will map to a DN uid=me,ou=members,dc=spinnaker,dc=org. If no match is found, will try to find the user using user-search-filter, if set.
userSearchBase: The part of the directory tree under which user searches should be performed. If user-search-base isn’t supplied, the search will be performed from the root.
userSearchFilter: The filter to use when searching for a user’s DN. Will search either from user-search-base (if specified) or root for entires matching the filter, then attempt to bind as that user with the login password. For example, the filter ‘uid={0}’ would apply to any user where uid matched the user’s login name. If –user-dn-pattern is also specified, will attempt to find a match using the specified pattern first, before searching with the specified search filter if no match is found from the pattern.
managerDn: An LDAP manager user is required for binding to the LDAP server for the user authentication process. This property refers to the DN of that entry. I.e. this is not the user which will be authenticated when logging into DHIS2, rather the user which binds to the LDAP server in order to do the authentication.
managerPassword: The password for the LDAP manager user.
groupSearchBase: The part of the directory tree under which group searches should be performed.

x509

spec.spinnakerConfig.config.security.authn.x509

x509:
 enabled:
 roleOid:
 subjectPrincipalRegex:

enabled: true or false.
roleOid: The OID that encodes roles that the user specified in the x509 certificate belongs to
subjectPrincipalRegex: EMAILADDRESS=(.*?)(?:,|$) The regex used to parse the subject principal name embedded in the x509 certificate if necessary

IAP

spec.spinnakerConfig.config.security.authn.iap

iap:
 enabled:
 jwtHeader:
 issuerId:
 audience:
 iapVerifyKeyUrl:

enabled: true or false.
jwtHeader: The HTTP request header that contains the JWT token.
issuerId: The Issuer from the ID token payload.
audience: The Audience from the ID token payload. You can retrieve this field from the IAP console.
iapVerifyKeyUrl: The URL containing the Cloud IAP public keys in JWK format.

Authorization

spec.spinnakerConfig.config.security.authz

authz:
 enabled:
 groupMembership:

enabled: true or false.
groupMembership:

Group Membership

groupMembership:
 service:
 google:
 roleProviderType: GOOGLE
 credentialPath:
 adminUsername:
 domain:
 github:
 roleProviderType: GITHUB
 baseUrl:
 accessToken:
 organization:
 file:
 roleProviderType: FILE
 path:
 ldap:
 roleProviderType: LDAP
 url:
 managerDn:
 managerPassword:
 userDnPattern:
 userSearchBase:
 groupSearchBase:
 userSearchFilter:
 groupSearchFilter:
 groupRoleAttributes:

service: One of EXTERNAL, FILE, GOOGLE, GITHUB, LDAP
google:
- roleProviderType: GOOGLE
- credentialPath: A path to a valid json service account that can authenticate against the Google role provider. File needs to be present on the machine running Spinnaker. Supports encrypted file.
- adminUsername: Your role provider’s admin username e.g. admin@myorg.net
- domain: The domain your role provider is configured for e.g. myorg.net.
github:
- roleProviderType: GITHUB
- baseUrl: Used if using GitHub enterprise some other non github.com GitHub installation.
- accessToken: A personal access token of an account with access to your organization’s GitHub Teams structure. Supports encrypted value.
- organization: The GitHub organization under which to query for GitHub Teams.
file:
- roleProviderType: FILE
- path: A path to a file describing the roles of each user.
ldap:
- roleProviderType: LDAP
- url: ldap:// or ldaps:// URL of the LDAP server
- managerDn: The manager user’s distinguished name (principal) to use for querying ldap groups.
- managerPassword: The manager user’s password to use for querying ldap groups. Supports encrypted value.
- userDnPattern: The pattern for finding a user’s DN using simple pattern matching. For example, if your LDAP server has the URL ldap://mysite.com/dc=spinnaker,dc=org, and you have the pattern ‘uid={0},ou=members’, ‘me’ will map to a DN uid=me,ou=members,dc=spinnaker,dc=org. If no match is found, will try to find the user using –user-search-filter, if set.
- userSearchBase: The part of the directory tree under which user searches should be performed. If –user-search-base isn’t supplied, the search will be performed from the root.
- groupSearchBase: The part of the directory tree under which group searches should be performed.
- userSearchFilter: The filter to use when searching for a user’s DN. Will search either from –user-search-base (if specified) or root for entires matching the filter.
- groupSearchFilter: The filter which is used to search for group membership. The default is uniqueMember={0}, corresponding to the groupOfUniqueMembers LDAP class. In this case, the substituted parameter is the full distinguished name of the user. The parameter ‘{1}’ can be used if you want to filter on the login name.
- groupRoleAttributes: The attribute which contains the name of the authority defined by the group entry. Defaults to cn.

UI

spec.spinnakerConfig.config.security.uiSecurity

uiSecurity:
 ssl:
 overrideBaseUrl:

overrideBaseUrl: If you are accessing the UI server remotely, provide the full base URL (including protocol) of whatever proxy or load balancer is fronting the UI requests.
ssl:

SSL

uiSecurity:
 ssl:
 enabled:
 sslCertificateFile:
 sslCertificateKeyFile:
 sslCertificatePassphrase:
 sslCACertificateFile:

enabled: true or false.
sslCertificateFile: Path to your .crt file. File needs to be present on the machine running Spinnaker. Supports encrypted file.
sslCertificateKeyFile: Path to your .key file. File needs to be present on the machine running Spinnaker. Supports encrypted file.
sslCertificatePassphrase: The passphrase needed to unlock your SSL certificate. This will be provided to Apache on startup. Supports encrypted value.
sslCACertificateFile: Path to the .crt file for the CA that issued your SSL certificate. This is only needed for localgitdeployments that serve the UI using webpack dev server. File needs to be present on the machine running Spinnaker. Supports encrypted file.

Kustomize patch examples

You can see examples in the spinnaker-kustomize-patches repo’s security folder.

Continuous-Deployment: Stats Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.stats

stats:
 enabled: true
 endpoint: # Set the endpoint for stats metrics.

enabled: true or false.
endpoint: Set the endpoint for stats metrics, such as https://stats.spinnaker.io

Continuous-Deployment: Webhook Config

Mon, 01 Jan 0001 00:00:00 +0000

spec.spinnakerConfig.config.webhook

webhook:
 trust:
 enabled: false
 trustStore:
 trustStorePassword:

trust:
- enabled: false
- trustStore: The path to a key store in JKS format containing certification authorities that should be trusted by webhook stages. File needs to be present on the machine running Spinnaker.
- trustStorePassword: The password for the supplied trustStore.