/continuous-deployment/installation/guide/Recent content in Guides for Installing Armory Continuous Deployment for Spinnaker on Armory DocsHugo -- gohugo.io/continuous-deployment/installation/guide/air-gapped/Mon, 01 Jan 0001 00:00:00 +0000/continuous-deployment/installation/guide/air-gapped/ <blockquote> <p>Armory Continuous Deployment (Armory CD) requires a license. For more information, contact <a href="https://www.armory.io/contact-us/">Armory</a>.</p> </blockquote> <h2 id="overview-of-air-gapped-environments">Overview of air-gapped environments</h2> <p>An air-gapped deployment environment is one where any combination of the following conditions is true:</p> <ul> <li>Your deployment environment, such as a Kubernetes cluster, doesn&rsquo;t have internet access AWS S3 bucket and <code>docker.io</code>.</li> </ul> <p>If your deployment environment is air-gapped, you need to host the Armory Continuous Deployment Bill of Materials (BOM) and Docker images in a location that your deployment environment can access. To set this up, you need public internet access so you can get the BOM and images, authority to create or access internal storage and image hosting, and permissions to move the Armory Continuous Deployment materials to your internal systems.</p> <p>The first step is to familiarize yourself with the Armory Continuous Deployment Bill of Materials.</p> <h2 id="before-you-begin">Before you begin</h2> <ul> <li>You have access to public AWS S3 buckets and docker.io.</li> <li>You have installed the <a href="https://aws.amazon.com/cli/">AWS CLI</a>.</li> </ul> <h2 id="inspect-the-armory-continuous-deployment-bill-of-materials">Inspect the Armory Continuous Deployment Bill of Materials</h2> <p>Armory Continuous Deployment&rsquo;s Bill of Materials (BOM) is stored in the public S3 bucket <code>halconfig</code>. You can see the contents of this bucket using the AWS CLI:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws s3 ls s3://halconfig </span></span></code></pre></div><p>There are <code>bom</code> and <code>profiles</code> directories as well as four files: <code>versions-edge.yml</code>, <code>versions-ossedge.yml</code>, <code>version-rc.yml</code>, and <code>versions.yml</code>.</p> <p>You can view the content of <code>s3://halconfig/versions.yml</code> by executing:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws s3 cp s3://halconfig/versions.yml - </span></span></code></pre></div><p>Output is similar to:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ff79c6">latestHalyard</span>: <span style="color:#bd93f9">1.10.1</span> </span></span><span style="display:flex;"><span><span style="color:#ff79c6">latestSpinnaker</span>: <span style="color:#bd93f9">2.25.0</span> </span></span><span style="display:flex;"><span><span style="color:#ff79c6">versions</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.0</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">alias</span>: Spinnaker Release 1.25.3 </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">changelog</span>: https://docs.armory.io/docs/release-notes/rn-armory-spinnaker/armoryspinnaker_v2-25-0/ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">minimumHalyardVersion</span>: <span style="color:#bd93f9">1.10.1</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">lastUpdate</span>: <span style="color:#f1fa8c">&#34;1616710502000&#34;</span> </span></span></code></pre></div><p>The <code>bom</code> folder contains files for each release. To see the BOM for a specific release, you can run:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span> aws s3 ls s3://halconfig/bom/&lt;release-number&gt;.yml </span></span></code></pre></div><p>Then you can inspect the file&rsquo;s contents. For example, to see the BOM for release 2.25.0:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws s3 cp s3://halconfig/bom/2.25.0.yml - </span></span></code></pre></div><p>Output is similar to:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.0</span> </span></span><span style="display:flex;"><span><span style="color:#ff79c6">timestamp</span>: <span style="color:#f1fa8c">&#34;2021-03-25 09:28:32&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff79c6">services</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">clouddriver</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: de3aa3f0 </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.3</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">deck</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: 516bcf0a </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.3</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">dinghy</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: 522e67e5 </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.1</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">echo</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: 3a098acc </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.2</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">fiat</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: ca75f0d0 </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.3</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">front50</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: 502b753e </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.2</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">gate</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: <span style="color:#f1fa8c">&#34;47352833&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.5</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">igor</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: 252dbd5c </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.2</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">kayenta</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: <span style="color:#f1fa8c">&#34;72616529&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.2</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">monitoring-daemon</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.0</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">monitoring-third-party</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.0</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">orca</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: 53f48823 </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.2</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">rosco</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: 272f4f82 </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.2</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">terraformer</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">commit</span>: 5dcae243 </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2.25.0</span> </span></span><span style="display:flex;"><span><span style="color:#ff79c6">dependencies</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">redis</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">version</span>: <span style="color:#bd93f9">2</span>:<span style="color:#bd93f9">2.8.4-2</span> </span></span><span style="display:flex;"><span><span style="color:#ff79c6">artifactSources</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">dockerRegistry</span>: docker.io/armory </span></span></code></pre></div><h2 id="whats-next">What&rsquo;s next</h2> <p>Follow the instructions for your deployment method: <a href="/continuous-deployment/installation/guide/air-gapped/ag-operator/"}>Air-Gapped with the Armory Operator</a>.</p>/continuous-deployment/installation/guide/aws-container-marketplace/Mon, 01 Jan 0001 00:00:00 +0000/continuous-deployment/installation/guide/aws-container-marketplace/ <div class="alert alert-primary" role="alert"> <h4 class="alert-heading">Note</h4> <p>This document is intended for users who have purchased Armory&rsquo;s AWS Container Marketplace offering. It will not work if you have not subscribed to the Armory Container Marketplace offering.</p> <p>Please contact <a href="mailto:hello@armory.io">Armory</a> if you&rsquo;re interested in an AWS Marketplace Private Offer.</p> </div> <h2 id="overview-of-the-armory-operator">Overview of the Armory Operator</h2> <p>The Armory Operator is a Kubernetes Operator for Spinnaker^TM that makes it easier to install, deploy, and upgrade Spinnaker or Armory. The AWS Container Marketplace offering for Armory installs a version of the Armory Operator in an EKS cluster. After that, Armory can be installed in any namespace in your EKS cluster; this document assumes that Armory will be installed in the <code>spinnaker</code> namespace.</p> <h2 id="aws-resources">AWS Resources</h2> <p>Before you install Armory on AWS, it is essential that you familiarize yourself with <a href="/continuous-deployment/cloud-resources/resources-aws/">relevant AWS services</a>.</p> <h2 id="prerequisites-for-using-the-armory-operator">Prerequisites for using the Armory Operator</h2> <p>To use the Marketplace&rsquo;s Armory offering, make sure you meet the following requirements:</p> <ul> <li>You have reviewed and met the Armory Continuous Deployment <a href="/continuous-deployment/installation/system-requirements/">system requirements</a>.</li> <li>You have access to an EKS cluster configured with <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IAM roles for service accounts</a>.</li> <li>You have an ingress controller for your EKS cluster. This document assumes the EKS cluster is using the NGINX Ingress Controller.</li> <li>You have <code>cluster-admin</code> access on the EKS cluster.</li> <li>You have An AWS S3 bucket to store Armory application and pipeline configuration.</li> </ul> <h2 id="installation-summary">Installation summary</h2> <p>This document covers the following high-level steps:</p> <ol> <li>Creating and configuring the necessary AWS IAM roles for your Kubernetes cluster</li> <li>Installing the Armory Operator Custom Resource Definitions (CRDs) for Armory into your Kubernetes cluster</li> <li>Installing the Armory Operator</li> <li>Creating a SpinnakerService Custom Resource</li> <li>Exposing your Armory instance</li> </ol> <h2 id="create-an-aws-bucket">Create an AWS bucket</h2> <p>If you do not already have an AWS S3 bucket, create one with these settings:</p> <ul> <li>Versioning turned on (&ldquo;Keep all versions of an object in the same bucket&rdquo;)</li> <li>Default encryption turned on</li> <li>All public access blocked</li> </ul> <h2 id="create-and-configure-the-aws-iam-roles-for-your-kubernetes-cluster">Create and configure the AWS IAM roles for your Kubernetes cluster</h2> <p>AWS IAM permissions are granted to Armory through the use of AWS&rsquo;s IAM roles for Kubernetes Service Accounts. This feature must be enabled at a cluster level. You need to create three IAM roles:</p> <ul> <li>An IAM role for the Armory Operator (<code>spinnaker-operator</code> ServiceAccount in <code>spinnaker-operator</code> namespace) that has these permissions: <ul> <li><code>aws-marketplace:RegisterUsage</code></li> <li><code>s3:*</code> on your AWS Bucket</li> </ul> </li> <li>An IAM role for the Front50 service (<code>front50</code> ServiceAccount in the <code>spinnaker</code> namespace), that has these permissions: <ul> <li><code>s3:*</code> on your AWS Bucket</li> </ul> </li> <li>An IAM role for the Clouddriver service (<code>clouddriver</code> ServiceAccount in the <code>spinnaker</code> namespace). This IAM role does not require any explicit permissions. If you want Armory to deploy AWS resources (AWS EC2, AWS ECS, AWS Lambda, or other AWS EKS clusters), you can add these permissions later. <ul> <li><em>AWS permissions are <strong>not</strong> needed to deploy to the EKS cluster where Spinnaker is installed.</em></li> </ul> </li> </ul> <p>Upon completion of this section, you should have these three IAM roles:</p> <ul> <li><code>arn:aws:iam::AWS_ACCOUNT_ID:role/eks-spinnaker-operator</code> granted to the Kubernetes Service Account <code>system:serviceaccount:spinnaker-operator:spinnaker-operator</code></li> <li><code>arn:aws:iam::AWS_ACCOUNT_ID:role/eks-spinnaker-front50</code> granted to the Kubernetes Service Account <code>system:serviceaccount:spinnaker:front50</code></li> <li><code>arn:aws:iam::AWS_ACCOUNT_ID:role/eks-spinnaker-clouddriver</code> granted to the Kubernetes Service Account <code>system:serviceaccount:spinnaker:clouddriver</code></li> </ul> <h3 id="iam-role-for-armory-operator-pod">IAM role for Armory Operator Pod</h3> <p>Create an IAM role for the Armory Operator pod (call it <code>eks-spinnaker-operator</code>) and configure it for use by EC2. You will replace the trust relationship later.</p> <p>Grant the role the AWS managed policy <code>AWSMarketplaceMeteringRegisterUsage</code>.</p> <p>Grant the role an inline policy granting permissions on your S3 bucket (replace <code>BUCKET_NAME</code> with the name of your bucket):</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;s3:*&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Resource&#34;</span>: [ </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::BUCKET_NAME&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::BUCKET_NAME/*&#34;</span> </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>For example:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;s3:*&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Resource&#34;</span>: [ </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::my-spinnaker-bucket&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::my-spinnaker-bucket/*&#34;</span> </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Create this trust relationship on the IAM role, with these fields replaced:</p> <ul> <li>replace <code>AWS_ACCOUNT_ID</code> with your AWS account ID</li> <li>replace <code>OIDC_PROVIDER</code> with the &ldquo;OpenID Connect provider URL&rdquo; for your Kubernetes cluster (<em>with the <code>https://</code> removed</em>)</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Principal&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Federated&#34;</span>: <span style="color:#f1fa8c">&#34;arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER&#34;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;sts:AssumeRoleWithWebIdentity&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Condition&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;StringEquals&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;OIDC_PROVIDER:sub&#34;</span>: <span style="color:#f1fa8c">&#34;system:serviceaccount:spinnaker-operator:spinnaker-operator&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>For example:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Principal&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Federated&#34;</span>: <span style="color:#f1fa8c">&#34;arn:aws:iam::111222333444:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/AAAABBBBCCCCDDDDEEEEFFFF00001111&#34;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;sts:AssumeRoleWithWebIdentity&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Condition&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;StringEquals&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;oidc.eks.us-east-1.amazonaws.com/id/AAAABBBBCCCCDDDDEEEEFFFF00001111:sub&#34;</span>: <span style="color:#f1fa8c">&#34;system:serviceaccount:spinnaker-operator:spinnaker-operator&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="iam-role-for-front50-pod">IAM role for Front50 Pod</h3> <p>Create an IAM role for the Armory Operator pod (call it <code>eks-spinnaker-front50</code>) and configure it for use by EC2. You will replace the trust relationship later.</p> <p>Grant the role an inline policy granting permissions on your S3 bucket (replace <code>BUCKET_NAME</code> with the name of your bucket):</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;s3:*&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Resource&#34;</span>: [ </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::BUCKET_NAME&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::BUCKET_NAME/*&#34;</span> </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>For example:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;s3:*&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Resource&#34;</span>: [ </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::my-spinnaker-bucket&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::my-spinnaker-bucket/*&#34;</span> </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Create this trust relationship on the IAM role, with these fields replaced:</p> <ul> <li>Replace <code>AWS_ACCOUNT_ID</code> with your AWS account ID</li> <li>Replace <code>OIDC_PROVIDER</code> with the &ldquo;OpenID Connect provider URL&rdquo; for your Kubernetes cluster (<em>with the <code>https://</code> removed</em>)</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Principal&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Federated&#34;</span>: <span style="color:#f1fa8c">&#34;arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER&#34;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;sts:AssumeRoleWithWebIdentity&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Condition&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;StringEquals&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;OIDC_PROVIDER:sub&#34;</span>: <span style="color:#f1fa8c">&#34;system:serviceaccount:spinnaker:front50&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>For example:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Principal&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Federated&#34;</span>: <span style="color:#f1fa8c">&#34;arn:aws:iam::111222333444:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/AAAABBBBCCCCDDDDEEEEFFFF00001111&#34;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;sts:AssumeRoleWithWebIdentity&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Condition&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;StringEquals&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;oidc.eks.us-east-1.amazonaws.com/id/AAAABBBBCCCCDDDDEEEEFFFF00001111:sub&#34;</span>: <span style="color:#f1fa8c">&#34;system:serviceaccount:spinnaker:front50&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="iam-role-for-clouddriver-pod">IAM role for Clouddriver pod</h3> <p>Create an IAM role for the Armory Operator pod (call it <code>eks-spinnaker-clouddriver</code>) and configure it for use by EC2. You will replace the trust relationship later. It does not need explicit AWS permissions.</p> <p>Create this trust relationship on the IAM role, with these fields replaced:</p> <ul> <li>Replace <code>AWS_ACCOUNT_ID</code> with your AWS account ID</li> <li>Replace <code>OIDC_PROVIDER</code> with the &ldquo;OpenID Connect provider URL&rdquo; for your Kubernetes cluster (<em>with the <code>https://</code> removed</em>)</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Principal&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Federated&#34;</span>: <span style="color:#f1fa8c">&#34;arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER&#34;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;sts:AssumeRoleWithWebIdentity&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Condition&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;StringEquals&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;OIDC_PROVIDER:sub&#34;</span>: <span style="color:#f1fa8c">&#34;system:serviceaccount:spinnaker:clouddriver&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>For example:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Principal&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Federated&#34;</span>: <span style="color:#f1fa8c">&#34;arn:aws:iam::111222333444:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/AAAABBBBCCCCDDDDEEEEFFFF00001111&#34;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;sts:AssumeRoleWithWebIdentity&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Condition&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;StringEquals&#34;</span>: { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;oidc.eks.us-east-1.amazonaws.com/id/AAAABBBBCCCCDDDDEEEEFFFF00001111:sub&#34;</span>: <span style="color:#f1fa8c">&#34;system:serviceaccount:spinnaker:clouddriver&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="install-the-armory-operator-custom-resource-definitions-crds">Install the Armory Operator Custom Resource Definitions (CRDs)</h2> <p>Download the Kubernetes manifest for Armory Operator and install it into your Kubernetes cluster:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir -p spinnaker-operator <span style="color:#ff79c6">&amp;&amp;</span> <span style="color:#8be9fd;font-style:italic">cd</span> spinnaker-operator </span></span><span style="display:flex;"><span>bash -c <span style="color:#f1fa8c">&#39;curl -L https://github.com/armory/marketplace/releases/latest/download/marketplace.tgz | tar -xz&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Install or update CRDs cluster wide</span> </span></span><span style="display:flex;"><span>kubectl apply -f manifests/crds/ </span></span></code></pre></div><h2 id="install-the-armory-operator">Install the Armory Operator</h2> <p>Update the manifest for the Armory Operator with your AWS Account ID:</p> <ul> <li>You must update <code>AWS_ACCOUNT_ID</code> (in the ServiceAccount annotation) with your account ID, so the ServiceAccount can access your AWS IAM roles.</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">AWS_ACCOUNT_ID</span><span style="color:#ff79c6">=</span><span style="color:#bd93f9">111122223333</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sed -i.bak <span style="color:#f1fa8c">&#34;s|AWS_ACCOUNT_ID|</span><span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">AWS_ACCOUNT_ID</span><span style="color:#f1fa8c">}</span><span style="color:#f1fa8c">|g&#34;</span> manifests/operator/ServiceAccount.yaml </span></span><span style="display:flex;"><span>rm manifests/operator/ServiceAccount.yaml.bak </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Install the armory operator</span> </span></span><span style="display:flex;"><span>kubectl apply -f manifests/operator </span></span></code></pre></div><p>Deploying the Armory Operator may take a little bit of time. You can monitor its status by running this command:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl -n spinnaker-operator get pod -owide </span></span></code></pre></div><p>You&rsquo;re looking for the deployment to be completely up (READY of <code>2/2</code> and STATUS of <code>Running</code>).</p> <h3 id="creating-a-spinnakerservice-custom-resource">Creating a SpinnakerService Custom Resource</h3> <p>Update the manifest for the SpinnakerService object with these:</p> <ul> <li><code>AWS_ACCOUNT_ID</code> (in both ServiceAccount annotations) - your account ID, so the ServiceAccount can access your AWS IAM roles</li> <li><code>BUCKET_NAME</code> (in the SpinnakerService) - the name of your AWS S3 Bucket</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">AWS_ACCOUNT_ID</span><span style="color:#ff79c6">=</span><span style="color:#bd93f9">111122223333</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">BUCKET_NAME</span><span style="color:#ff79c6">=</span>my-spinnaker-bucket </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sed -i.bak <span style="color:#f1fa8c">&#34;s|AWS_ACCOUNT_ID|</span><span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">AWS_ACCOUNT_ID</span><span style="color:#f1fa8c">}</span><span style="color:#f1fa8c">|g&#34;</span> manifests/spinnaker/ServiceAccount-clouddriver.yaml </span></span><span style="display:flex;"><span>sed -i.bak <span style="color:#f1fa8c">&#34;s|AWS_ACCOUNT_ID|</span><span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">AWS_ACCOUNT_ID</span><span style="color:#f1fa8c">}</span><span style="color:#f1fa8c">|g&#34;</span> manifests/spinnaker/ServiceAccount-front50.yaml </span></span><span style="display:flex;"><span>rm manifests/spinnaker/ServiceAccount-clouddriver.yaml.bak </span></span><span style="display:flex;"><span>rm manifests/spinnaker/ServiceAccount-front50.yaml.bak </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sed -i.bak <span style="color:#f1fa8c">&#34;s|BUCKET_NAME|</span><span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">BUCKET_NAME</span><span style="color:#f1fa8c">}</span><span style="color:#f1fa8c">|g&#34;</span> manifests/spinnaker/SpinnakerService.yaml </span></span><span style="display:flex;"><span>rm manifests/spinnaker/SpinnakerService.yaml.bak </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Install the operator</span> </span></span><span style="display:flex;"><span>kubectl apply -f manifests/spinnaker </span></span></code></pre></div><p>If everything is configured properly, the Armory Operator should see the SpinnakerService custom resource, and start creating Kubernetes Deployments, ServiceAccounts, and Secrets in the <code>spinnaker</code> Namespace. You can monitor this with the following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl -n spinnaker get all -owide </span></span></code></pre></div><h2 id="exposing-your-armory-instance">Exposing your Armory instance</h2> <p>Once your Armory instance is running, you need to configure it so that it is accessible. There are two main parts to this:</p> <ol> <li>Expose the <code>spin-deck</code> and <code>spin-gate</code> services so that they can be reached by your end users (and client services)</li> <li>Configure Armory so that it knows about the endpoints it is exposed on</li> </ol> <p>Given a domain name (or IP address) (such as spinnaker.domain.com or 55.55.55.55), you should be able to:</p> <ul> <li>Reach the <code>spin-deck</code> service at the root of the domain (<code>http://spinnaker.domain.com</code> or <code>http://55.55.55.55</code>)</li> <li>Reach the <code>spin-gate</code> service at the root of the domain (<code>http://spinnaker.domain.com/api/v1</code> or <code>http://55.55.55.55/api/v1</code>)</li> </ul> <p>You can use either <code>http</code> or <code>https</code>, as long as you use the same for both. Additionally, you have to configure Armory to be aware of its endpoints.</p> <p>This section assumes the following:</p> <ul> <li>You have installed the <a href="https://kubernetes.github.io/ingress-nginx/deploy/#aws">NGINX Ingress Controller</a> in the EKS cluster</li> <li>You can set up a DNS CNAME Record pointing at the AWS Load Balancer in front of your NGINX Ingress Controller</li> </ul> <h2 id="set-up-an-ingress-for-spin-deck-and-spin-gate">Set up an Ingress for <code>spin-deck</code> and <code>spin-gate</code></h2> <p>First, determine a DNS name that you can use for Armory, and set up a CNAME pointing that DNS name at your AWS Load Balancer. For example:</p> <ul> <li>NGINX Ingress Controller has created an NLB at <code>abcd1234abcd1234abcd1234abcd1234-1234567812345678.elb.us-east-1.amazonaws.com</code></li> <li>Desired domain name for Armory is <code>spinnaker.domain.com</code></li> <li>Create a CNAME DNS Record pointing <code>spinnaker.domain.com</code> at <code>abcd1234abcd1234abcd1234abcd1234-1234567812345678.elb.us-east-1.amazonaws.com</code> (you may also use an ALIAS Record in Route 53)</li> </ul> <p>Then, create a Kubernetes Ingress to expose <code>spin-deck</code> and <code>spin-gate</code>. Create a file called <code>spin-ingress.yml</code> with the following content:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#ff79c6">apiVersion</span>: extensions/v1beta1 </span></span><span style="display:flex;"><span><span style="color:#ff79c6">kind</span>: Ingress </span></span><span style="display:flex;"><span><span style="color:#ff79c6">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">name</span>: spin-ingress </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">namespace</span>: spinnaker </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">app</span>: spin </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">cluster</span>: spin-ingress </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">annotations</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">kubernetes.io/ingress.class</span>: <span style="color:#f1fa8c">&#34;nginx&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#ff79c6">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">rules</span>: </span></span><span style="display:flex;"><span> - </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">host</span>: spinnaker.domain.com <span style="color:#6272a4"># Make sure to update this field</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">http</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">paths</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ff79c6">backend</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">serviceName</span>: spin-deck </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">servicePort</span>: <span style="color:#bd93f9">9000</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">path</span>: / </span></span><span style="display:flex;"><span> - <span style="color:#ff79c6">backend</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">serviceName</span>: spin-gate </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">servicePort</span>: <span style="color:#bd93f9">8084</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">path</span>: /api/v1 </span></span></code></pre></div><p><em><strong>Make sure the host field is updated with the correct DNS record.</strong></em></p> <p>Apply the ingress file you just created:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl -n spinnaker apply -f spin-ingress.yml </span></span></code></pre></div><h2 id="configure-armory-to-be-aware-of-its-endpoints">Configure Armory to be aware of its endpoints</h2> <p>Update the spec.spinnakerConfig.config.security section of <code>manifests/spinnaker/SpinnakerService.yaml</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ff79c6">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">spinnakerConfig</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">config</span>: </span></span><span style="display:flex;"><span> <span style="color:#6272a4"># ... more configuration</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">security</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">uiSecurity</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">overrideBaseUrl</span>: http://spinnaker.domain.com <span style="color:#6272a4"># Replace this with the IP address or DNS that points to our nginx ingress instance</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">apiSecurity</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">overrideBaseUrl</span>: http://spinnaker.domain.com/api/v1 <span style="color:#6272a4"># Replace this with the IP address or DNS that points to our nginx ingress instance</span> </span></span><span style="display:flex;"><span> <span style="color:#6272a4"># ... more configuration</span> </span></span></code></pre></div><p><em><strong>Make sure to specify <code>http</code> or <code>https</code> according to your environment</strong></em></p> <p>Apply the changes:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl apply -f manifests/spinnaker/SpinnakerService.yaml </span></span></code></pre></div><p>If you encounter an error, delete and recreate the SpinnakerService.</p> <h2 id="configure-tls-certificates">Configure TLS certificates</h2> <p>Configuring TLS certificates for ingresses is environment-specific. In general, you want to do the following:</p> <ul> <li>Add certificate(s) so that our ingress controller can use them</li> <li>Configure the ingress(es) so that NGINX (or the load balancer in front of NGINX, or your alternative ingress controller) terminates TLS using the certificate(s)</li> <li>Update Spinnaker to be aware of the new TLS endpoints, by replacing <code>http</code> by <code>https</code> to override the base URLs in the previous section.</li> </ul> <h2 id="next-steps">Next steps</h2> <p>Now that Armory is running, here are potential next steps:</p> <ul> <li>Configure certificates to secure our cluster (see <a href="#configuring-tls-certificates">this section</a> for notes on this)</li> <li>Configure authentication/authorization (see the <a href="https://www.spinnaker.io/setup/security/">Open Source Spinnaker documentation</a>)</li> <li>Add external Kubernetes accounts to deploy applications to (see <a href="/continuous-deployment/armory-admin/kubernetes-account-add/">Creating and Adding a Kubernetes Account to Spinnaker (Deployment Target)</a>)</li> <li>Add AWS accounts to deploy applications to (see the <a href="https://www.spinnaker.io/setup/install/providers/aws/">Open Source Spinnaker documentation</a>)</li> </ul>/continuous-deployment/installation/guide/install-on-aws/Mon, 01 Jan 0001 00:00:00 +0000/continuous-deployment/installation/guide/install-on-aws/ <blockquote> <p>Armory Continuous Deployment (Armory CD) requires a license. For more information, contact <a href="https://www.armory.io/contact-us/">Armory</a>.</p> </blockquote> <h2 id="overview-of-installing-armory-in-aws">Overview of installing Armory in AWS</h2> <ul> <li>A running <a href="https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html">AWS EKS</a> cluster.</li> <li>An <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html">Amazon S3 (Simple Storage Service) bucket</a>. You can use an existing one or create a new one.</li> <li>An NGINX Ingress controller in your EKS cluster.</li> </ul> <p>This document currently does not fully cover the following (see <a href="#next-steps">Next Steps</a> for some links to achieve these)</p> <ul> <li>TLS Encryption</li> <li>Authentication/Authorization</li> <li>Add K8s accounts to deploy to</li> <li>Add cloud accounts to deploy to</li> </ul> <h2 id="aws-resources">AWS Resources</h2> <p>Before you install Armory on AWS, it is essential that you familiarize yourself with <a href="/continuous-deployment/cloud-resources/resources-aws/">relevant AWS services</a>.</p> <h2 id="before-you-begin">Before you begin</h2> <ul> <li>You have reviewed and met the Armory Continuous Deployment <a href="/continuous-deployment/installation/system-requirements/">system requirements</a>.</li> <li>You have a running EKS and can access the Kubernetes API. Either your user/role created the EKS cluster or your user/role has been added to the <code>aws-auth</code> configmap in the EKS cluster. See the <a href="https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html">AWS documentation</a> for more details.</li> <li>You have access to an S3 bucket or access to create an S3 bucket.</li> <li>You have access to an IAM role or user with access to the S3 bucket or can create an IAM role or user with access to the S3 bucket.</li> </ul> <p>This document is written with the following workflow in mind:</p> <ul> <li>You have a machine (referred to as the <code>workstation machine</code> in this document) configured to use the <code>aws</code> CLI tool and a recent version of <code>kubectl</code> tool</li> <li>You have a machine (referred to as the <code>Halyard machine</code> in this document) with the Docker daemon installed, and can run Docker containers on it</li> <li>You can transfer files created on the <code>workstation machine</code> to the <code>Halyard machine</code> (to a directory mounted on a running Docker container)</li> <li>These two machines can be the same machine</li> </ul> <p>Furthermore:</p> <p>On the <code>Halyard machine</code>:</p> <ul> <li> <p>Halyard (the tool used to install and manage Armory) is run in a Docker container on the <code>Halyard machine</code></p> </li> <li> <p>The Halyard container on the <code>Halyard machine</code> will be configured with the following volume mounts, which should be persisted or preserved to manage your Armory cluster</p> <ul> <li><code>.hal</code> directory (mounted to <code>/home/spinnaker/.hal</code>) - stores all Halyard Armory configurations in a <code>.hal/config</code> YAML file and assorted subdirectories</li> <li><code>.secret</code> directory (mounted to <code>/home/spinnaker/.secret</code>) stores all external secret keys and files used by Halyard</li> <li><code>resources</code> directory (mounted to <code>/home/spinnaker/resources</code>) stores all Kubernetes manifests and other resources that help create Kubernetes resources</li> </ul> </li> <li> <p>You will create <code>kubeconfig</code> files that will be added to the <code>.secret</code> directory</p> </li> </ul> <p>Note: If you are not using the Halyard Docker container, but sure to install <code>kubectl</code> before you install Halyard. Otherwise you will have to restart the Halyard daemon in order for <code>hal</code> to find <code>kubectl</code> in your <code>$PATH</code>. Execute <code>hal shutdown</code> and then any <code>hal</code> command to start the daemon.</p> <p>On the <code>workstation machine</code>:</p> <ul> <li> <p>If using EKS, you can use the <code>aws</code> CLI tool to interact with the AWS API and configure/communicate with the following:</p> <ul> <li>EKS clusters (or, alternately, have a EKS cluster already built)</li> <li>S3 buckets (or, alternately, have an S3 bucket already built)</li> </ul> </li> <li> <p>You have the <code>kubectl</code> (Kubernetes CLI tool) installed and are able to use it to interact with your Kubernetes cluster</p> </li> <li> <p>You have a persistent working directory in which to work in. One option here is <code>~/aws-spinnaker</code></p> </li> <li> <p>You will create AWS resources, such as service accounts, that will be permanently associated with your Armory cluster</p> </li> </ul> <h2 id="installation-summary">Installation summary</h2> <p>In order to install Armory, this document covers the following:</p> <ul> <li> <p>Generating a <code>kubeconfig</code> file, which is a Kubernetes credential file that Halyard and Armory will use to communicate with the Kubernetes cluster where Armory will be installed</p> </li> <li> <p>Creating an S3 bucket for Armory to store persistent configuration in</p> </li> <li> <p>Creating an IAM user that Armory will use to access the S3 bucket</p> </li> <li> <p>Running the Halyard daemon in a Docker container</p> <ul> <li>Persistent configuration directories from the workstation/host will be mounted into the container</li> </ul> </li> <li> <p>Running the <code>hal</code> client interactively in the same Docker container, to:</p> <ul> <li>Build out the halconfig YAML file (<code>.hal/config</code>)</li> <li>Configure Armory/Halyard to use <code>kubeconfig</code> to install Armory</li> <li>Configure Armory with the IAM credentials and bucket information</li> <li>Turn on other recommended settings (artifacts and http artifact provider)</li> <li>Install Armory</li> <li>Expose Armory</li> </ul> </li> </ul> <h2 id="connect-to-the-kubernetes-cluster">Connect to the Kubernetes cluster</h2> <p>Armory needs a credential to talk to Kubernetes, so you must create a service account in your Kubernetes cluster.</p> <h3 id="connecting-to-an-eks-cluster">Connecting to an EKS cluster</h3> <p>If you&rsquo;re using an EKS cluster, you must be able to connect to the EKS cluster. This assumes you have already configured the <code>aws</code> CLI with credentials and a default region / availability zone (see installation directions <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html">here</a> and configuration directions <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html">here</a>)</p> <ol> <li> <p>Create the local working directory on your workstation. For the purposes of this document, we will be using <code>~/aws-spinnaker</code>, but this can be any persistent directory on any Linux or OSX machine.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir ~/aws-spinnaker </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">cd</span> ~/aws-spinnaker </span></span></code></pre></div></li> <li> <p>If you have access to the role that created the EKS cluster, you can create a kubeconfig with access to your Kubernetes cluster with this command:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>aws eks update-kubeconfig --name &lt;EKS_CLUSTER_NAME&gt; --kubeconfig kubeconfig-aws </span></span></code></pre></div></li> <li> <p>From here, you can validate access to the cluster with this command:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl --kubeconfig kubeconfig-aws get namespaces </span></span></code></pre></div></li> </ol> <h3 id="connecting-to-other-kubernetes-clusters">Connecting to other Kubernetes clusters</h3> <p>If you&rsquo;ve stood up Kubernetes on AWS with KOPS or another Kubernetes tool, ensure that you can communicate with your Kubernetes cluster with kubectl.</p> <p>Then, copy your <code>kubeconfig</code> file (this is typically located in <code>~/.kube/config</code>) to your working directory:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cp ~/.kube/config ~/aws-spinnaker/kubeconfig-aws </span></span></code></pre></div><h2 id="create-a-kubeconfig-file-for-halyardarmory">Create a <code>kubeconfig</code> file for Halyard/Armory</h2> <p>Armory will be installed in its own namespace in your EKS or AWS-hosted Kubernetes cluster. For the purposes of this document, we will be installing Armory in the <code>spinnaker-system</code> namespace; you&rsquo;re welcome to use a different namespace for this.</p> <p>We&rsquo;re going to create the following:</p> <ul> <li>A namespace called <code>spinnaker-system</code> to install Armory in</li> <li>A service account for that namespace</li> <li>A role and rolebinding in that namespace, granting permissions to the service account</li> <li>A kubeconfig containing credentials for the service account</li> </ul> <p>This document uses the Armory <code>spinnaker-tools</code> Go CLI (available on <a href="https://github.com/armory/spinnaker-tools">Github</a>) to create many of these resources. There are separate instructions to perform these steps manually.</p> <p>Halyard uses this Kubeconfig file to create the Kubernetes deployment objects that create the microservices that compose Armory. This same Kubeconfig is passed to Armory so that Armory can see and manage its own resources.</p> <ol> <li> <p>Obtain the <code>spinnaker-tools</code> CLI tool. Go to <a href="https://github.com/armory/spinnaker-tools/releases">https://github.com/armory/spinnaker-tools/releases</a>, and download the latest release for your operating system (OSX and Linux available). You can also use curl:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4"># If you&#39;re not already in the directory</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">cd</span> ~/aws-spinnaker </span></span><span style="display:flex;"><span><span style="color:#6272a4"># If you&#39;re on Linux instead of OSX, use this URL instead:</span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># https://github.com/armory/spinnaker-tools/releases/download/0.0.6/spinnaker-tools-linux</span> </span></span><span style="display:flex;"><span>curl -L https://github.com/armory/spinnaker-tools/releases/download/0.0.6/spinnaker-tools-darwin -o spinnaker-tools </span></span><span style="display:flex;"><span>chmod +x spinnaker-tools </span></span></code></pre></div></li> <li> <p>Run the tool. Feel free to substitute other values for the parameters:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4"># The &#39;aws eks update-kubeconfig&#39; command from above will create/update this file</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SOURCE_KUBECONFIG</span><span style="color:#ff79c6">=</span>kubeconfig-aws </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Get the name of the context created by the aws tool)</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">CONTEXT</span><span style="color:#ff79c6">=</span><span style="color:#ff79c6">$(</span>kubectl --kubeconfig <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SOURCE_KUBECONFIG</span><span style="color:#f1fa8c">}</span> config current-context<span style="color:#ff79c6">)</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">DEST_KUBECONFIG</span><span style="color:#ff79c6">=</span>kubeconfig-spinnaker-system-sa </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPINNAKER_NAMESPACE</span><span style="color:#ff79c6">=</span>spinnaker-system </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPINNAKER_SERVICE_ACCOUNT_NAME</span><span style="color:#ff79c6">=</span>spinnaker-service-account </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>./spinnaker-tools create-service-account <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --kubeconfig <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SOURCE_KUBECONFIG</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --context <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">CONTEXT</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --output <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">DEST_KUBECONFIG</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --namespace <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPINNAKER_NAMESPACE</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --service-account-name <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPINNAKER_SERVICE_ACCOUNT_NAME</span><span style="color:#f1fa8c">}</span> </span></span></code></pre></div></li> </ol> <p>You should be left with a file called <code>kubeconfig-spinnaker-system-sa</code> (or something similar, if you&rsquo;re using a different namespace for spinnaker)</p> <h2 id="create-the-s3-bucket-and-credentials">Create the S3 bucket and credentials</h2> <p>If you do not yet have an S3 bucket, create the S3 bucket:</p> <ol> <li> <p>Log into the AWS Console (web UI)</p> </li> <li> <p>Navigate to the S3 Console (Click on &ldquo;Services&rdquo; at the top, and then on &ldquo;S3&rdquo; under &ldquo;Storage&rdquo;)</p> </li> <li> <p>Click on &ldquo;Create Bucket&rdquo;</p> </li> <li> <p>Specify a globally unique name for this bucket, in your AWS region of choice, following your organization&rsquo;s naming convention (if applicable). For this document, we will use, <code>spinnaker-jq6cqvmpro</code>.</p> </li> <li> <p>Click &ldquo;Next&rdquo;</p> </li> <li> <p>Select the following two checkboxes:</p> <ul> <li>Keep all versions of an object in the same bucket</li> <li>Automatically encrypt objects when they are stored in S3</li> </ul> </li> <li> <p>Click &ldquo;Next&rdquo;</p> </li> <li> <p>Do not add any additional permissions, unless specified by your organization. Click &ldquo;Next&rdquo;</p> </li> <li> <p>Click &ldquo;Create bucket&rdquo;</p> </li> </ol> <p>Armory (the <code>front50</code> service, specifically) will need access to your newly-created bucket. There are a number of ways to achieve this. This document describes two mechanisms to do this.</p> <p>By default, Armory will store all Armory information in a folder called <code>front50</code> in your bucket. You can optionally specify a different directory (for example, if you&rsquo;re using a pre-existing or shared S3 bucket).</p> <h3 id="create-an-iam-user-using-an-inline-policy">Create an IAM user using an inline policy</h3> <p>You can create an IAM user with credentials, and provide that to Armory via Halyard</p> <ol> <li>Log into the AWS Console (Web UI)</li> <li>Navigate to the IAM Console (Click on &ldquo;Services&rdquo; at the top, and then on &ldquo;IAM&rdquo; under &ldquo;Security, Identity, &amp; Compliance&rdquo;)</li> <li>Click on &ldquo;Users&rdquo; on the left</li> <li>Click on &ldquo;Add user&rdquo;</li> <li>Give your user a distinct name, per your organization&rsquo;s naming conventions. For this document, we will use <code>s3-spinnaker-jq6cqvmpro</code></li> <li>Click on &ldquo;Programmatic access&rdquo;</li> <li>We will not be adding a distinct policy to this user. Click on &ldquo;Next: Tags&rdquo;. <em>You may receive a warning about how there are no policies attached to this user - this warning can be ignored.</em></li> <li>Optionally, add tags, then click on &ldquo;Next: Review&rdquo;</li> <li>Click &ldquo;Create user&rdquo;</li> <li>Save the Access Key ID and Secret Access Key - these will be used later, during Halyard configuration</li> <li>Click &ldquo;Close&rdquo;</li> </ol> <p>Then, add an inline policy to your IAM user:</p> <ol> <li> <p>Click on your newly-created IAM user</p> </li> <li> <p>Click on &ldquo;Add inline policy&rdquo; (on the right)</p> </li> <li> <p>Click on the &ldquo;JSON&rdquo; tab</p> </li> <li> <p>Add this text (replace <code>s3-spinnaker-jq6cqvmpro</code> with the name of your bucket)</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;s3:*&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Resource&#34;</span>: [ </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::spinnaker-jq6cqvmpro&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::spinnaker-jq6cqvmpro/*&#34;</span> </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div></li> <li> <p>Click on &ldquo;Review Policy&rdquo;</p> </li> <li> <p>Give your inline policy some name. For example <code>s3-spinnaker-jq6cqvmpro</code></p> </li> <li> <p>Click &ldquo;Create Policy&rdquo;</p> </li> </ol> <h2 id="create-an-iam-policy-attached-to-the-kubernetes-nodes-using-an-inline-policy">Create an IAM policy attached to the Kubernetes nodes using an inline policy</h2> <p>Alternately, you can attach an IAM policy to the role attached to your Kubernetes nodes.</p> <ol> <li> <p>Log into the AWS Console (Web UI)</p> </li> <li> <p>Navigate to EC2 (Click on &ldquo;Services&rdquo; at the top, and then on &ldquo;EC2&rdquo; under &ldquo;Compute&rdquo;)</p> </li> <li> <p>Click on one of your Kubernetes nodes</p> </li> <li> <p>In the bottom section, look for &ldquo;IAM role&rdquo; and click on the role</p> </li> <li> <p>Click on &ldquo;Add inline policy&rdquo; (on the right)</p> </li> <li> <p>Click on the &ldquo;JSON&rdquo; tab</p> </li> <li> <p>Add this text (replace <code>s3-spinnaker-jq6cqvmpro</code> with the name of your bucket)</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Version&#34;</span>: <span style="color:#f1fa8c">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Effect&#34;</span>: <span style="color:#f1fa8c">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Action&#34;</span>: <span style="color:#f1fa8c">&#34;s3:*&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&#34;Resource&#34;</span>: [ </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::spinnaker-jq6cqvmpro&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;arn:aws:s3:::spinnaker-jq6cqvmpro/*&#34;</span> </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>} </span></span></code></pre></div></li> <li> <p>Click on &ldquo;Review Policy&rdquo;</p> </li> <li> <p>Give your inline policy some name. For example <code>s3-spinnaker-jq6cqvmpro</code></p> </li> <li> <p>Click &ldquo;Create Policy&rdquo;</p> </li> </ol> <h2 id="stage-files-on-the-halyard-machine">Stage files on the Halyard machine</h2> <p>On the Halyard machine, choose a local working directory for Halyard. In it, we will create two folders:</p> <ul> <li><code>WORKING_DIRECTORY/.hal</code></li> <li><code>WORKING_DIRECTORY/.secret</code></li> <li><code>WORKING_DIRECTORY/resources</code></li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4"># Feel free to use some other directory for this; make sure it is a persistent directory.</span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Also, make sure this directory doesn&#39;t live on an NFS mount, as that can cause issues</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">WORKING_DIRECTORY</span><span style="color:#ff79c6">=</span>~/aws-spinnaker/ </span></span><span style="display:flex;"><span>mkdir -p <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">WORKING_DIRECTORY</span><span style="color:#f1fa8c">}</span>/.hal </span></span><span style="display:flex;"><span>mkdir -p <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">WORKING_DIRECTORY</span><span style="color:#f1fa8c">}</span>/.secret </span></span><span style="display:flex;"><span>mkdir -p <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">WORKING_DIRECTORY</span><span style="color:#f1fa8c">}</span>/resources </span></span></code></pre></div><p>You should have one files:</p> <ul> <li>A kubeconfig file (<code>kubeconfig-spinnaker-system-sa</code>) with the credentials for a service account in your EKS cluster</li> </ul> <p>Copy it into <code>.secret</code> so it is available to your Halyard docker container:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cp kubeconfig-spinnaker-system-sa <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">WORKING_DIRECTORY</span><span style="color:#f1fa8c">}</span>/.secret </span></span></code></pre></div><h2 id="start-the-halyard-container">Start the Halyard container</h2> <p>On the <code>Halyard machine</code>, start the Halyard container .</p> <p><em>If you want to install open source Spinnaker instead, use <code>gcr.io/spinnaker-marketplace/halyard:stable</code> for the Docker Halyard image reference in substitution of <code>armory/halyard-armory:&lt;image_version&gt;</code> in the commands below</em></p> <blockquote> <p>Before you execute the command below, you need to set permissions on the host (local) directories mapped to the Docker container. These directories must allow for modification from within the container. The <code>~/.hal</code> folder within the <em>host (local) system directory</em> needs write permissions (<code>chmod 777 ~/.hal</code>), or you will encounter issues when attempting to execute a <code>hal deploy apply</code> from within the container.</p> </blockquote> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>docker run --name armory-halyard -it --rm <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">WORKING_DIRECTORY</span><span style="color:#f1fa8c">}</span>/.hal:/home/spinnaker/.hal <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">WORKING_DIRECTORY</span><span style="color:#f1fa8c">}</span>/.secret:/home/spinnaker/.secret <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">WORKING_DIRECTORY</span><span style="color:#f1fa8c">}</span>/resources:/home/spinnaker/resources <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> armory/halyard-armory:1.12.1 </span></span></code></pre></div><p>The installer expects to find your kubeconfig named <code>config</code> in the <code>.kube</code> directory you map below. If you&rsquo;ve named your config something else, you need to rename or symlink the file accordingly.</p> <h2 id="enter-the-halyard-container">Enter the Halyard container</h2> <p>From a separate terminal session on your <code>docker machine</code>, create a second bash/shell session on the Docker container:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>docker <span style="color:#8be9fd;font-style:italic">exec</span> -it armory-halyard bash </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Also, once in the container, you can run these commands for a friendlier environment to:</span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># - prompt with information</span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># - alias for ls</span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># - cd to the home directory</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">PS1</span><span style="color:#ff79c6">=</span><span style="color:#f1fa8c">&#34;\h:\w \u\$ &#34;</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">alias</span> <span style="color:#8be9fd;font-style:italic">ll</span><span style="color:#ff79c6">=</span><span style="color:#f1fa8c">&#39;ls -alh&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">cd</span> ~ </span></span></code></pre></div><h2 id="add-the-kubeconfig-and-cloud-provider-to-armory-via-halyard">Add the kubeconfig and cloud provider to Armory (via Halyard)</h2> <p>From the <code>docker exec</code> separate terminal session, add (re-export) the relevant environment variables</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4">###### Use the same values as the start of the document</span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Enter the namespace that you want to install Armory in. This should have been created in the previous step.</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">NAMESPACE</span><span style="color:#ff79c6">=</span><span style="color:#f1fa8c">&#34;spinnaker-system&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Enter the name you want Armory to use to identify the cloud provider account</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">ACCOUNT_NAME</span><span style="color:#ff79c6">=</span><span style="color:#f1fa8c">&#34;spinnaker&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Update this with the full path to your kubeconfig inside the container)</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">KUBECONFIG_FULL</span><span style="color:#ff79c6">=</span>/home/spinnaker/.secret/kubeconfig-spinnaker-system-sa </span></span></code></pre></div><p>Use the Halyard <code>hal</code> command line tool to add a Kubernetes account using your minified kubeconfig</p> <p>Configure the kubeconfig:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4"># Enable the Kubernetes cloud provider</span> </span></span><span style="display:flex;"><span>hal config provider kubernetes <span style="color:#8be9fd;font-style:italic">enable</span> </span></span></code></pre></div><p>Note: If you get an <code>AccessDenied</code> error, change permissions on the host machine&rsquo;s <code>.hal</code> folder to allow read/write access by the Halyard container. Example: <code>chmod 777 ~/.hal</code>.</p> <p>Next, configure the account:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4"># Add account</span> </span></span><span style="display:flex;"><span>hal config provider kubernetes account add <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">ACCOUNT_NAME</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --provider-version v2 <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --kubeconfig-file <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">KUBECONFIG_FULL</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --only-spinnaker-managed <span style="color:#8be9fd;font-style:italic">true</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --namespaces <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">NAMESPACE</span><span style="color:#f1fa8c">}</span> </span></span></code></pre></div><h2 id="configure-armory-to-install-in-kubernetes">Configure Armory to install in Kubernetes</h2> <p><strong>Important: This will by default limit your Armory to deploying to the</strong> namespace specified. If you want to be able to deploy to other namespaces, <strong>either add a second cloud provider target or remove the <code>--namespaces</code> flag.</strong></p> <p>Use the Halyard <code>hal</code> command line tool to configure Halyard to install Armory in your Kubernetes cluster</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>hal config deploy edit <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --type distributed <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --account-name <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">ACCOUNT_NAME</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --location <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">NAMESPACE</span><span style="color:#f1fa8c">}</span> </span></span></code></pre></div><h2 id="enable-artifacts">Enable Artifacts</h2> <p>Within Armory, &lsquo;artifacts&rsquo; are consumable references to items that live outside of Armory, such as a file in a git repository or a file in an S3 bucket. The Artifacts feature must be explicitly turned on.</p> <p>Enable the &ldquo;Artifacts&rdquo; feature and the &ldquo;http&rdquo; artifact provider:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4"># Enable artifacts</span> </span></span><span style="display:flex;"><span>hal config features edit --artifacts <span style="color:#8be9fd;font-style:italic">true</span> </span></span><span style="display:flex;"><span>hal config artifact http <span style="color:#8be9fd;font-style:italic">enable</span> </span></span></code></pre></div><p>(In order to add specific types of artifacts, there are further configuration items that must be completed. For now, it is sufficient to just turn on the artifacts feature with the http artifact provider. This will allow Armory to retrieve files via unauthenticated http.)</p> <h2 id="configure-armory-to-use-your-s3-bucket">Configure Armory to use your S3 bucket</h2> <p>Use the Halyard <code>hal</code> command line tool to configure Halyard to configure Armory to use your S3 bucket</p> <h3 id="if-you-are-using-an-iam-user">If you are using an IAM user</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4"># Update these with the information from the bucket that you created</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">BUCKET_NAME</span><span style="color:#ff79c6">=</span>spinnaker-jq6cqvmpro </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">REGION</span><span style="color:#ff79c6">=</span>us-west-2 </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">ACCESS_KEY_ID</span><span style="color:#ff79c6">=</span>&lt;access-key&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># This will prompt for the secret key</span> </span></span><span style="display:flex;"><span>hal config storage s3 edit <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --bucket <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">BUCKET_NAME</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --access-key-id <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">ACCESS_KEY_ID</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --secret-access-key <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --region <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">REGION</span><span style="color:#f1fa8c">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>hal config storage edit --type s3 </span></span></code></pre></div><h3 id="if-you-are-using-the-iam-instance-roles">If you are using the IAM instance roles</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4"># Update these with the information from the bucket that you created</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">BUCKET_NAME</span><span style="color:#ff79c6">=</span>spinnaker-jq6cqvmpro </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">REGION</span><span style="color:#ff79c6">=</span>us-west-2 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># This will prompt for the secret key</span> </span></span><span style="display:flex;"><span>hal config storage s3 edit <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --bucket <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">BUCKET_NAME</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --region <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">REGION</span><span style="color:#f1fa8c">}</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --no-validate </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>hal config storage edit --type s3 </span></span></code></pre></div><h3 id="if-you-want-to-use-a-specific-folder-in-the-bucket">If you want to use a specific folder in the bucket</h3> <p>By default, Halyard will configure Armory to use the folder <code>front50</code> in your S3 bucket. You can configure it to use a different folder with this command:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">ROOT_FOLDER</span><span style="color:#ff79c6">=</span>not_front50 </span></span><span style="display:flex;"><span>hal config storage s3 edit --root-folder <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">ROOT_FOLDER</span><span style="color:#f1fa8c">}</span> </span></span></code></pre></div><h2 id="choose-the-armory-version">Choose the Armory version</h2> <p>Before Halyard will install Armory, you should specify the version of Armory you want to use.</p> <p>You can get a list of available versions of spinnaker with this command:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>hal version list </span></span></code></pre></div><p><em>If you are installing Armory, you will get a version that starts with <code>2.x.x</code></em></p> <p><em>If you are installing open source Spinnaker and using <code>gcr.io/spinnaker-marketplace/halyard:stable</code>, you will get a version that starts with <code>1.x.x</code></em></p> <p>And then you can select the version with this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4"># Replace with version of choice:</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">export</span> <span style="color:#8be9fd;font-style:italic">VERSION</span><span style="color:#ff79c6">=</span><span style="color:#ff79c6">$(</span>hal version latest -q<span style="color:#ff79c6">)</span> </span></span><span style="display:flex;"><span>hal config version edit --version <span style="color:#8be9fd;font-style:italic">$VERSION</span> </span></span></code></pre></div><h2 id="install-armory">Install Armory</h2> <p>Now that your Halconfig is completely configured for the initial Armory deployment, you can tell Halyard to actually install Armory:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>hal deploy apply </span></span></code></pre></div><p>Once this is complete, congratulations! Armory Continuous Deployment is installed. Now, we have to access and expose it.</p> <h2 id="connect-to-armory-continuous-deployment-using-kubectl-port-forward">Connect to Armory Continuous Deployment using <code>kubectl port-forward</code></h2> <p>If you have kubectl on a local machine with access to your Kubernetes cluster, you can test connecting to it with the following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">NAMESPACE</span><span style="color:#ff79c6">=</span>spinnaker-system </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">DECK_POD</span><span style="color:#ff79c6">=</span><span style="color:#ff79c6">$(</span>kubectl -n <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">NAMESPACE</span><span style="color:#f1fa8c">}</span> get pod -l <span style="color:#8be9fd;font-style:italic">cluster</span><span style="color:#ff79c6">=</span>spin-deck -ojsonpath<span style="color:#ff79c6">=</span><span style="color:#f1fa8c">&#39;{.items[0].metadata.name}&#39;</span><span style="color:#ff79c6">)</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">GATE_POD</span><span style="color:#ff79c6">=</span><span style="color:#ff79c6">$(</span>kubectl -n <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">NAMESPACE</span><span style="color:#f1fa8c">}</span> get pod -l <span style="color:#8be9fd;font-style:italic">cluster</span><span style="color:#ff79c6">=</span>spin-gate -ojsonpath<span style="color:#ff79c6">=</span><span style="color:#f1fa8c">&#39;{.items[0].metadata.name}&#39;</span><span style="color:#ff79c6">)</span> </span></span><span style="display:flex;"><span>kubectl -n <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">NAMESPACE</span><span style="color:#f1fa8c">}</span> port-forward <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">DECK_POD</span><span style="color:#f1fa8c">}</span> <span style="color:#bd93f9">9000</span> &amp; </span></span><span style="display:flex;"><span>kubectl -n <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">NAMESPACE</span><span style="color:#f1fa8c">}</span> port-forward <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">GATE_POD</span><span style="color:#f1fa8c">}</span> <span style="color:#bd93f9">8084</span> &amp; </span></span></code></pre></div><p>Then, you can access Armory at <a href="http://localhost:9000">http://localhost:9000</a></p> <p>(If you are doing this on a remote machine, this will not work because your browser attempts to access localhost on your local workstation rather than on the remote machine where the port is forwarded)</p> <p><strong>Note:</strong> Even if the <code>hal deploy apply</code> command returns successfully, the installation may not be complete yet. This is especially the case with distributed Kubernetes installs. If you see errors such as <code>Connection refused</code>, the containers may not be available yet. You can either wait or check the status of all of the containers using the command for your cloud provider (such as <code>kubectl get pods --namespace spinnaker</code>).</p> <h2 id="install-the-nginx-ingress-controller">Install the NGINX ingress controller</h2> <p>In order to expose Armory to end users, you have perform the following actions:</p> <ul> <li>Expose the spin-deck (UI) Kubernetes service on some URL endpoint</li> <li>Expose the spin-gate (API) Kubernetes service on some URL endpoint</li> <li>Update Armory (via Halyard) to be aware of the new endpoints</li> </ul> <p>We&rsquo;re going to install the NGINX ingress controller on AWS (this uses the Layer 4 ELB, as indicated in the NGINX ingress controller <a href="https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md#aws">documentation</a> - you can use other NGINX ingress controller configurations such as the Layer 7 load balancer per your organization&rsquo;s ingress policy.)</p> <p>(Both of these are configurable with Armory, but the NGINX ingress controller is also generally much more configurable)</p> <p>From the <code>workstation machine</code> (where <code>kubectl</code> is installed):</p> <p>Install the NGINX ingress controller components:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl --kubeconfig kubeconfig-aws apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/deploy.yaml </span></span></code></pre></div><p>Install the NGINX ingress controller AWS-specific service:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl --kubeconfig kubeconfig-aws apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/service-l4.yaml </span></span><span style="display:flex;"><span>kubectl --kubeconfig kubeconfig-aws apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/aws/patch-configmap-l4.yaml </span></span></code></pre></div><h2 id="set-up-the-ingress-for-spin-deck-and-spin-gate">Set up the Ingress for <code>spin-deck</code> and <code>spin-gate</code></h2> <p>Identify the URLs you will use to expose Armory&rsquo;s UI and API.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#6272a4"># Replace with actual values</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPIN_DECK_ENDPOINT</span><span style="color:#ff79c6">=</span>spinnaker.some-url.com </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPIN_GATE_ENDPOINT</span><span style="color:#ff79c6">=</span>api.some-url.com </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">NAMESPACE</span><span style="color:#ff79c6">=</span>spinnaker-system </span></span></code></pre></div><p>Create a Kubernetes Ingress manifest to expose spin-deck and spin-gate (change your hosts and namespace accordingly):</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>tee spin-ingress.yaml <span style="color:#f1fa8c">&lt;&lt;-&#39;EOF&#39; </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c">apiVersion: extensions/v1beta1 </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c">kind: Ingress </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c">metadata: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> name: spinnaker-nginx-ingress </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> namespace: NAMESPACE </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> labels: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> app: spin </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> cluster: spin-ingress </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> annotations: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> kubernetes.io/ingress.class: &#34;nginx&#34; </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c">spec: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> rules: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> - host: SPIN_DECK_ENDPOINT </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> http: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> paths: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> - backend: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> serviceName: spin-deck </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> servicePort: 9000 </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> path: / </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> - host: SPIN_GATE_ENDPOINT </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> http: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> paths: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> - backend: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> serviceName: spin-gate </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> servicePort: 8084 </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> path: / </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c">EOF</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sed -i.bak <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -e <span style="color:#f1fa8c">&#34;s|NAMESPACE|</span><span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">NAMESPACE</span><span style="color:#f1fa8c">}</span><span style="color:#f1fa8c">|g&#34;</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -e <span style="color:#f1fa8c">&#34;s|SPIN_DECK_ENDPOINT|</span><span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPIN_DECK_ENDPOINT</span><span style="color:#f1fa8c">}</span><span style="color:#f1fa8c">|g&#34;</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -e <span style="color:#f1fa8c">&#34;s|SPIN_GATE_ENDPOINT|</span><span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPIN_GATE_ENDPOINT</span><span style="color:#f1fa8c">}</span><span style="color:#f1fa8c">|g&#34;</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> spin-ingress.yaml </span></span></code></pre></div><p>Create the Ingress</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl apply -f spin-ingress.yaml </span></span></code></pre></div><h2 id="configure-armory-to-be-aware-of-its-endpoints">Configure Armory to be aware of its endpoints</h2> <p>Armory must be aware of its endpoints to work properly.</p> <p>This should be done from the halyard container:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPIN_DECK_ENDPOINT</span><span style="color:#ff79c6">=</span>spinnaker.some-url.com </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPIN_GATE_ENDPOINT</span><span style="color:#ff79c6">=</span>api.some-url.com </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPIN_DECK_URL</span><span style="color:#ff79c6">=</span>http://<span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPIN_DECK_ENDPOINT</span><span style="color:#f1fa8c">}</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPIN_GATE_URL</span><span style="color:#ff79c6">=</span>http://<span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPIN_GATE_ENDPOINT</span><span style="color:#f1fa8c">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>hal config security ui edit --override-base-url <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPIN_DECK_URL</span><span style="color:#f1fa8c">}</span> </span></span><span style="display:flex;"><span>hal config security api edit --override-base-url <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPIN_GATE_URL</span><span style="color:#f1fa8c">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>hal deploy apply </span></span></code></pre></div><h2 id="set-up-dns">Set up DNS</h2> <p>Once the ingress is up (this may take some time), you can get the IP address for the ingress:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ kubectl describe -n spinnaker-system ingress spinnaker-nginx-ingress </span></span><span style="display:flex;"><span>Name: spinnaker-nginx-ingress </span></span><span style="display:flex;"><span>Namespace: spinnaker-system </span></span><span style="display:flex;"><span>Address: 35.233.216.189 </span></span><span style="display:flex;"><span>Default backend: default-http-backend:80 <span style="color:#ff79c6">(</span>10.36.2.7:8080<span style="color:#ff79c6">)</span> </span></span><span style="display:flex;"><span>Rules: </span></span><span style="display:flex;"><span> Host Path Backends </span></span><span style="display:flex;"><span> ---- ---- -------- </span></span><span style="display:flex;"><span> spinnaker.some-url.com </span></span><span style="display:flex;"><span> / spin-deck:9000 <span style="color:#ff79c6">(</span>&lt;none&gt;<span style="color:#ff79c6">)</span> </span></span><span style="display:flex;"><span> api.some-url.com </span></span><span style="display:flex;"><span> / spin-gate:8084 <span style="color:#ff79c6">(</span>&lt;none&gt;<span style="color:#ff79c6">)</span> </span></span><span style="display:flex;"><span>Annotations: </span></span><span style="display:flex;"><span> kubectl.kubernetes.io/last-applied-configuration: <span style="color:#ff79c6">{</span><span style="color:#f1fa8c">&#34;apiVersion&#34;</span>:<span style="color:#f1fa8c">&#34;extensions/v1beta1&#34;</span>,<span style="color:#f1fa8c">&#34;kind&#34;</span>:<span style="color:#f1fa8c">&#34;Ingress&#34;</span>,<span style="color:#f1fa8c">&#34;metadata&#34;</span>:<span style="color:#ff79c6">{</span><span style="color:#f1fa8c">&#34;annotations&#34;</span>:<span style="color:#ff79c6">{</span><span style="color:#f1fa8c">&#34;kubernetes.io/ingress.class&#34;</span>:<span style="color:#f1fa8c">&#34;nginx&#34;</span><span style="color:#ff79c6">}</span>,<span style="color:#f1fa8c">&#34;name&#34;</span>:<span style="color:#f1fa8c">&#34;spinnaker-nginx-ingress&#34;</span>,<span style="color:#f1fa8c">&#34;namespace&#34;</span>:<span style="color:#f1fa8c">&#34;spinnaker&#34;</span><span style="color:#ff79c6">}</span>,<span style="color:#f1fa8c">&#34;spec&#34;</span>:<span style="color:#ff79c6">{</span><span style="color:#f1fa8c">&#34;rules&#34;</span>:<span style="color:#ff79c6">[{</span><span style="color:#f1fa8c">&#34;host&#34;</span>:<span style="color:#f1fa8c">&#34;spinnaker.some-url.com&#34;</span>,<span style="color:#f1fa8c">&#34;http&#34;</span>:<span style="color:#ff79c6">{</span><span style="color:#f1fa8c">&#34;paths&#34;</span>:<span style="color:#ff79c6">[{</span><span style="color:#f1fa8c">&#34;backend&#34;</span>:<span style="color:#ff79c6">{</span><span style="color:#f1fa8c">&#34;serviceName&#34;</span>:<span style="color:#f1fa8c">&#34;spin-deck&#34;</span>,<span style="color:#f1fa8c">&#34;servicePort&#34;</span>:9000<span style="color:#ff79c6">}</span>,<span style="color:#f1fa8c">&#34;path&#34;</span>:<span style="color:#f1fa8c">&#34;/&#34;</span><span style="color:#ff79c6">}]}}</span>,<span style="color:#ff79c6">{</span><span style="color:#f1fa8c">&#34;host&#34;</span>:<span style="color:#f1fa8c">&#34;api.some-url.com&#34;</span>,<span style="color:#f1fa8c">&#34;http&#34;</span>:<span style="color:#ff79c6">{</span><span style="color:#f1fa8c">&#34;paths&#34;</span>:<span style="color:#ff79c6">[{</span><span style="color:#f1fa8c">&#34;backend&#34;</span>:<span style="color:#ff79c6">{</span><span style="color:#f1fa8c">&#34;serviceName&#34;</span>:<span style="color:#f1fa8c">&#34;spin-gate&#34;</span>,<span style="color:#f1fa8c">&#34;servicePort&#34;</span>:8084<span style="color:#ff79c6">}</span>,<span style="color:#f1fa8c">&#34;path&#34;</span>:<span style="color:#f1fa8c">&#34;/&#34;</span><span style="color:#ff79c6">}]}}]}}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> kubernetes.io/ingress.class: nginx </span></span><span style="display:flex;"><span>Events: </span></span><span style="display:flex;"><span> Type Reason Age From Message </span></span><span style="display:flex;"><span> ---- ------ ---- ---- ------- </span></span><span style="display:flex;"><span> Normal CREATE 28s nginx-ingress-controller Ingress spinnaker/spinnaker-nginx-ingress </span></span><span style="display:flex;"><span> Normal UPDATE 20s nginx-ingress-controller Ingress spinnaker/spinnaker-nginx-ingress </span></span></code></pre></div><p>Set up DNS so that your two URLs point to the IP address for the ingress (in the above, configure <code>spinnaker.some-url.com</code> and <code>api.some-url.com</code> to point to <code>35.233.216.189</code>). This can be done via whatever your organization uses for DNS.</p> <h2 id="configuring-tls-certificates">Configuring TLS certificates</h2> <p>Configuration of TLS certificates for ingresses is often very organization-specific. In general, you would want to do the following:</p> <ul> <li>Add certificate(s) so that your ingress controller can use them</li> <li>Configure the ingress(es) so that NGINX (or your ingress) terminates TLS using the certificate(s)</li> <li>Update Armory to be aware of the new TLS endpoints (note <code>https</code> instead of <code>http</code>)</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPIN_DECK_ENDPOINT</span><span style="color:#ff79c6">=</span>spinnaker.some-url.com </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPIN_GATE_ENDPOINT</span><span style="color:#ff79c6">=</span>api.some-url.com </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPIN_DECK_URL</span><span style="color:#ff79c6">=</span>https://<span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPIN_DECK_ENDPOINT</span><span style="color:#f1fa8c">}</span> </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">SPIN_GATE_URL</span><span style="color:#ff79c6">=</span>https://<span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPIN_GATE_ENDPOINT</span><span style="color:#f1fa8c">}</span> </span></span><span style="display:flex;"><span>hal config security ui edit --override-base-url <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPIN_DECK_URL</span><span style="color:#f1fa8c">}</span> </span></span><span style="display:flex;"><span>hal config security api edit --override-base-url <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">SPIN_GATE_URL</span><span style="color:#f1fa8c">}</span> </span></span><span style="display:flex;"><span>hal deploy apply </span></span></code></pre></div><h2 id="next-steps">Next steps</h2> <p>Now that you have Armory up and running, here are some of the next things you may want to do:</p> <ul> <li>Configuration of certificates to secure your cluster (see <a href="#configuring-tls-certificates">this section</a> for notes on this)</li> <li>Configuration of Authentication/Authorization (see the <a href="https://www.spinnaker.io/setup/security/">Open Source Spinnaker documentation</a>)</li> <li>Add Kubernetes accounts to deploy applications to (see <a href="/continuous-deployment/armory-admin/kubernetes-account-add/">Creating and Adding a Kubernetes Account to Armory as a Deployment Target</a>)</li> <li>Add GCP accounts to deploy applications to (see the <a href="https://www.spinnaker.io/setup/install/providers/gce/">Open Source Spinnaker documentation</a>)</li> <li>Add AWS accounts to deploy applications to (see the <a href="https://www.spinnaker.io/setup/install/providers/aws/">Open Source Spinnaker documentation</a>)</li> </ul>/continuous-deployment/installation/guide/upgrade-oss-to-armory/Mon, 01 Jan 0001 00:00:00 +0000/continuous-deployment/installation/guide/upgrade-oss-to-armory/ <blockquote> <p>Armory Continuous Deployment (Armory CD) requires a license. For more information, contact <a href="https://www.armory.io/contact-us/">Armory</a>.</p> </blockquote> <h2 id="overview-of-upgrading-spinnaker-to-armory-continuous-deployment">Overview of upgrading Spinnaker to Armory Continuous Deployment</h2> <p>Armory Continuous Deployment for Spinnaker is installed with Armory-extended Halyard, very similarly to the way Open Source Spinnaker^TM is installed with Open Source Halyard. These are the key differences:</p> <ul> <li>Armory-extended Halyard installs Armory&rsquo;s enterprise distribution of Spinnaker; Open Source Halyard installs Open Source Spinnaker.</li> <li>Armory versions are one major version ahead of Open Source. For example, Armory 2.18.x maps to Open Source Spinnaker 1.18.x.</li> <li>Armory has an extra subcommand block <code>hal armory</code> (mapping to an <code>armory</code> block in your <code>.hal/config</code>), which controls Armory-specific features.</li> </ul> <p>This guide differentiates between the two by referring to them as Armory and open source Spinnaker, respectively.</p> <p>If you are currently on open source Spinnaker and interested in upgrading to Armory, you can easily upgrade if you used Halyard to install your Spinnaker cluster.</p> <p>This guide assumes the following:</p> <ul> <li>Spinnaker is currently running in Kubernetes</li> <li>Spinnaker is configured with some form of persistent storage (Minio, S3, GCS, or AZS)</li> <li>Spinnaker was installed with Halyard in one of these forms: <ul> <li>Halyard is running locally on a workstation</li> <li>Halyard is running in a Docker container in Docker daemon (in Linux, Windows, or OSX)</li> <li>Halyard is running in a Kubernetes pod</li> </ul> </li> </ul> <p>Depending on where Halyard is currently running, the detailed installation instructions will be slightly different, but the high level process is the same:</p> <ol> <li>Start Armory-extended Halyard in a Docker container with your open source Halyard configuration directories available to Armory Halyard.</li> <li>Enter the Armory-extended Halyard container.</li> <li>Update the Spinnaker version to use an Armory version. Recall that Armory versions are ahead of open source Spinnaker by one major version.</li> <li>Apply your changes.</li> </ol> <h2 id="halyard-running-locally-on-a-workstation">Halyard running locally on a workstation</h2> <p>If Halyard is running locally on your workstation, then perform the following steps:</p> <ol> <li> <p>Make copies of any directores used by Halyard. These include<code>~.hal</code> and <code>~.kube</code> and potentially <code>~/.aws</code>, <code>~/.config/gcloud</code>, <code>~/.azure</code>). <em>You can mount these directly into Halyard, but it may be safer to operate on copies.</em></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>mkdir -p ~/armory/.config </span></span><span style="display:flex;"><span>cp -rpv ~/.hal ~/armory/ </span></span><span style="display:flex;"><span>cp -rpv ~/.aws ~/armory/ </span></span><span style="display:flex;"><span>cp -rpv ~/.kube ~/armory/ </span></span><span style="display:flex;"><span>cp -rpv ~/.azure ~/armory/ </span></span><span style="display:flex;"><span>cp -rpv ~/.config/gcloud ~/armory/.config </span></span></code></pre></div><p>Omit any directories that do not apply to you. For example, if you do not use Azure, omit it.</p> </li> <li> <p>Start Halyard as a Docker container in daemon mode, with your directories mounted in (add/remove volume mounts as applicable):</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>docker run --name armory-halyard --rm <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">HOME</span><span style="color:#f1fa8c">}</span>/armory/.hal:/home/spinnaker/.hal <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">HOME</span><span style="color:#f1fa8c">}</span>/armory/.kube:/home/spinnaker/.kube <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">HOME</span><span style="color:#f1fa8c">}</span>/armory/.aws:/home/spinnaker/.aws <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">HOME</span><span style="color:#f1fa8c">}</span>/armory/.azure:/home/spinnaker/.azure <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">HOME</span><span style="color:#f1fa8c">}</span>/armory/.config:/home/spinnaker/.config <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -d <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -u <span style="color:#ff79c6">$(</span>id -u<span style="color:#ff79c6">)</span> <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> index.docker.io/armory/halyard-armory:1.12.1 </span></span></code></pre></div><p>Omit any directories that do not apply to you. For example, if you do not use Azure, omit it.</p> <p><em>The above specifies that Halyard will run as your local user id. Depending on how your Halyard daemon was initially run and what user id owns the various Halyard directories, you may need to specify some other user. For example, if user <code>1000</code> owns the .hal directory, replace &ldquo;<code>-u $(id -u)</code>&rdquo; with &ldquo;<code>-u 1000</code>&rdquo;</em></p> </li> <li> <p>Exec into the Halyard container</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>docker <span style="color:#8be9fd;font-style:italic">exec</span> -it armory-halyard bash </span></span></code></pre></div></li> <li> <p>Update the version of Spinnaker</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>hal config version edit --version <span style="color:#ff79c6">$(</span>hal version latest -q<span style="color:#ff79c6">)</span> </span></span></code></pre></div><p>This will use the latest stable version; If you want to use a different version, use <code>hal version list</code> to get a list of available versions. Then, run <code>hal config version edit --version X.X.X</code> to specify a version.</p> </li> <li> <p>Apply your changes</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>hal deploy apply </span></span></code></pre></div></li> </ol> <h2 id="halyard-running-in-a-docker-container-in-docker-daemon">Halyard running in a Docker container in Docker daemon</h2> <p>If Halyard is already running in a Docker container in your Docker daemon, you can do an in-place upgrade.</p> <ol> <li> <p>First, do a backup of your existing Halyard configuration. Exec into the Docker container, then run <code>hal backup create</code>.</p> </li> <li> <p>Stop the Halyard docker container, and re-start it with the Armory-extended Halyard image (<code>index.docker.io/armory/halyard-armory:1.12.1</code>) instead of the open source Halyard image (<code>gcr.io/spinnaker-marketplace/halyard:stable</code>). Also, change the user id for Armory-extended Halyard to be <code>1000</code>. For example, if you run the previous Docker image (open source Halyard) like this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>docker run --name halyard --rm <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">HOME</span><span style="color:#f1fa8c">}</span>/armory/.hal:/home/spinnaker/.hal <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">HOME</span><span style="color:#f1fa8c">}</span>/armory/.kube:/home/spinnaker/.kube <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -d <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> gcr.io/spinnaker-marketplace/halyard:stable </span></span></code></pre></div><p>Then run Armory-extended Halyard like this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>docker run --name armory-halyard --rm <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">HOME</span><span style="color:#f1fa8c">}</span>/armory/.hal:/home/spinnaker/.hal <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -v <span style="color:#f1fa8c">${</span><span style="color:#8be9fd;font-style:italic">HOME</span><span style="color:#f1fa8c">}</span>/armory/.kube:/home/spinnaker/.kube <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -d <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> index.docker.io/armory/halyard-armory:1.12.1 </span></span></code></pre></div><p>Note the different Docker image and different container name.</p> </li> <li> <p>Exec into the Halyard container:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>docker <span style="color:#8be9fd;font-style:italic">exec</span> -it armory-halyard bash </span></span></code></pre></div></li> <li> <p>Update the version of Spinnaker:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>hal config version edit --version <span style="color:#ff79c6">$(</span>hal version latest -q<span style="color:#ff79c6">)</span> </span></span></code></pre></div><p>This will use the latest stable version. If you want to use a different version, use <code>hal version list</code> to get a list of available versions, and then <code>hal config version edit --version X.X.X</code> to specify a specific version.</p> </li> <li> <p>Apply your changes</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>hal deploy apply </span></span></code></pre></div></li> </ol> <h2 id="halyard-running-in-a-kubernetes-pod">Halyard running in a Kubernetes pod</h2> <p>If Halyard is running in your Kubernetes cluster, either as a Kubernetes Deployment or a Kubernetes StatefulSet, then you can do an in-place upgrade:</p> <ol> <li> <p>First, update the image for your Halyard Deployment / StatefulSet from the open source Halyard image (<code>gcr.io/spinnaker-marketplace/halyard:stable</code>) to the Armory-extended Halyard image (<code>index.docker.io/armory/halyard-armory:1.12.1</code>)</p> </li> <li> <p>Wait for the pod to start up.</p> </li> <li> <p>Exec into your Kubernetes pod (insert your namespace and pod name, accordingly):</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl <span style="color:#8be9fd;font-style:italic">exec</span> -it spinnaker bash </span></span></code></pre></div></li> <li> <p>Update the version of Spinnaker:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>hal config version edit --version <span style="color:#ff79c6">$(</span>hal version latest -q<span style="color:#ff79c6">)</span> </span></span></code></pre></div><p>This will use the latest stable version. If you want to use a different version, use <code>hal version list</code> to get a list of available versions, and then <code>hal config version edit --version X.X.X</code> to specify a specific version.</p> </li> <li> <p>Apply your changes:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>hal deploy apply </span></span></code></pre></div></li> </ol> <h2 id="revert-back-to-spinnaker">Revert back to Spinnaker</h2> <p>If you want to go back to open source Spinnaker, you can repeat the same process as above with open source Halyard. Specifically, replace the Armory-extended Halyard image with the open source Halyard image, update Spinnaker version (from 2.x to 1.x), and run <code>hal deploy apply</code></p> <h2 id="troubleshooting">Troubleshooting</h2> <p>Depending on what version of Halyard / Armory-extended Halyard you&rsquo;re moving to/from, there may be some fields in your Halyard configuration that are present in one version but not the other. You&rsquo;ll see an <code>Unrecognized field</code> error like this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ hal deploy apply </span></span><span style="display:flex;"><span>- Get current deployment </span></span><span style="display:flex;"><span> Failure </span></span><span style="display:flex;"><span>Problems in Global: </span></span><span style="display:flex;"><span>! ERROR Could not translate your halconfig: Unrecognized field </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;nodeSelectors&#34;</span> <span style="color:#ff79c6">(</span>class </span></span><span style="display:flex;"><span> com.netflix.spinnaker.halyard.config.model.v1.node.DeploymentEnvironment<span style="color:#ff79c6">)</span>, not </span></span><span style="display:flex;"><span> marked as ignorable <span style="color:#ff79c6">(</span><span style="color:#bd93f9">14</span> known properties: <span style="color:#f1fa8c">&#34;size&#34;</span>, <span style="color:#f1fa8c">&#34;initContainers&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;updateVersions&#34;</span>, <span style="color:#f1fa8c">&#34;consul&#34;</span>, <span style="color:#f1fa8c">&#34;customSizing&#34;</span>, <span style="color:#f1fa8c">&#34;vault&#34;</span>, <span style="color:#f1fa8c">&#34;gitConfig&#34;</span>, <span style="color:#f1fa8c">&#34;location&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;sidecars&#34;</span>, <span style="color:#f1fa8c">&#34;haServices&#34;</span>, <span style="color:#f1fa8c">&#34;accountName&#34;</span>, <span style="color:#f1fa8c">&#34;type&#34;</span>, <span style="color:#f1fa8c">&#34;hostAliases&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f1fa8c">&#34;bootstrapOnly&#34;</span><span style="color:#ff79c6">])</span> </span></span><span style="display:flex;"><span>at <span style="color:#ff79c6">[</span>Source: N/A; line: -1, column: -1<span style="color:#ff79c6">]</span> <span style="color:#ff79c6">(</span>through reference chain: </span></span><span style="display:flex;"><span> io.armory.halyard.config.model.v1.node.ArmoryHalconfig<span style="color:#ff79c6">[</span><span style="color:#f1fa8c">&#34;deploymentConfigurations&#34;</span><span style="color:#ff79c6">]</span>-&gt;java.util.ArrayList<span style="color:#ff79c6">[</span>0<span style="color:#ff79c6">]</span>-&gt;com.netflix.spinnaker.halyard.config.model.v1.node.ArmoryDeploymentConfiguration<span style="color:#ff79c6">[</span><span style="color:#f1fa8c">&#34;deploymentEnvironment&#34;</span><span style="color:#ff79c6">]</span>-&gt;com.netflix.spinnaker.halyard.config.model.v1.node.DeploymentEnvironment<span style="color:#ff79c6">[</span><span style="color:#f1fa8c">&#34;nodeSelectors&#34;</span><span style="color:#ff79c6">])</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- Failed to get deployment name. </span></span></code></pre></div><p>If you see the above error, go to the <code>/home/spinnaker/.hal/config</code> file in your Halyard container, search for the offending field, and remove the yaml block (comment it out or completely remove it).</p> <p>For example, in the above case, find the <code>deploymentEnvironment.nodeSelectors field</code>, and remove it. Repeat as necessary.</p>/continuous-deployment/installation/guide/quickstart/Mon, 01 Jan 0001 00:00:00 +0000/continuous-deployment/installation/guide/quickstart/ <blockquote> <p>Armory Continuous Deployment (Armory CD) requires a license. For more information, contact <a href="https://www.armory.io/contact-us/">Armory</a>.</p> </blockquote>