Armory Docs – Tasks/plugins/scale-agent/tasks/Recent content in Tasks on Armory DocsHugo -- gohugo.ioPlugins: Configure Mutual TLS Authentication/plugins/scale-agent/tasks/configure-mtls/Mon, 01 Jan 0001 00:00:00 +0000/plugins/scale-agent/tasks/configure-mtls/ <h2 id="before-you-begin">Before you begin</h2> <p>You need the following to configure mTLS:</p> <ul> <li>A Certificate Authority (CA) certificate in the <code>pem</code> format, used for validating the issuer for mTLS requests.</li> <li>Clouddriver certificate and corresponding private key.</li> <li>Agent certificate and corresponding private key.</li> </ul> <blockquote> <p>The Agent only supports PKCS#8 keys. The PKCS#12 key store you set up for Armory CD can still use PKCS#8 keys. So, the Armory Scale Agent should use a PKCS#8 key while other services use PKCS#12 keys.</p> </blockquote> <h2 id="agent-plugin-configuration">Agent plugin configuration</h2> <h3 id="create-a-kubernetes-secret">Create a Kubernetes secret</h3> <p>Create a secret that contains your Clouddriver certificate and corresponding key.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl create secret tls &lt;clouddriver-secret-name&gt; <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --cert<span style="color:#ff79c6">=</span>&lt;your-clouddriver-cert&gt; --key<span style="color:#ff79c6">=</span>&lt;your-clouddriver-key&gt; </span></span></code></pre></div><p>Or:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl create secret generic &lt;clouddriver-secret-name&gt; <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> --from-file<span style="color:#ff79c6">=</span>&lt;your-clouddriver-cert&gt; --from-file<span style="color:#ff79c6">=</span>&lt;your-clouddriver-key&gt; </span></span></code></pre></div><h3 id="mount-the-secret">Mount the secret</h3> <p>Mount the secret in the plugin.</p> <p>In your <code>agent-plugin/clouddriver-plugin.yaml</code> file, <code>spec.kustomize.clouddriver.deployment.patchesStrategicMerge</code> section, add the following lines to mount the Clouddriver cert from your secret:</p> <div class="highlight"><div style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9 </span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">13 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">14 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">15 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">16 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">17 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">18 </span></span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ff79c6">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">kustomize</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">clouddriver</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">deployment</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">patchesStrategicMerge</span>: </span></span><span style="display:flex;"><span> - |<span style="color:#f1fa8c"> </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> spec: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> template: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> spec: </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> containers: </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> - name: clouddriver </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> volumeMounts: </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> - mountPath: &lt;path&gt; # such as /opt/clouddriver/cert </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> name: cert </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> volumes: </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> - name: cert </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> secret: </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> secretName: &lt;clouddriver-secret-name&gt;</span> </span></span></code></pre></td></tr></table> </div> </div> <h3 id="configure-the-plugin">Configure the plugin</h3> <p>In the <code>agent-plugin/config.yaml</code> file, configure the plugin to use the mounted certs. Note that <code>trustCertCollection</code>, <code>certificateChain</code>, and <code>privateKey</code> values must in <code>file:///filepath/filename</code> format.</p> <div class="highlight"><div style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11 </span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">13 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">14 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">15 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">16 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">17 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">18 </span></span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ff79c6">apiVersion</span>: spinnaker.armory.io/v1alpha2 </span></span><span style="display:flex;"><span><span style="color:#ff79c6">kind</span>: SpinnakerService </span></span><span style="display:flex;"><span><span style="color:#ff79c6">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">name</span>: spinnaker </span></span><span style="display:flex;"><span><span style="color:#ff79c6">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">spinnakerConfig</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">profiles</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">clouddriver</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">kubesvc</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">cluster</span>: redis </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">grpc</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">server</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">security</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">enabled</span>: <span style="color:#ff79c6">true</span> </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">trustCertCollection</span>: file:&lt;path-to-CA-cert&gt; </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">certificateChain</span>: file:&lt;path-to-your-clouddriver-cert&gt; </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">privateKey</span>: file:&lt;path-to-your-clouddriver-key&gt; </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">clientAuth</span>: REQUIRE</span></span></code></pre></td></tr></table> </div> </div> <p>See the <a href="/plugins/scale-agent/reference/config/plugin-options/"}>Armory Scale Agent Plugin Configuration Options</a> page for additional options.</p> <h2 id="agent-service-configuration">Agent service configuration</h2> <h3 id="create-a-secret">Create a secret</h3> <p>Create a secret in the target cluster namespace where the Armory Scale Agent resides.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl create secret generic &lt;agent-secret-name&gt; <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span>--from-file<span style="color:#ff79c6">=</span>&lt;your-agent-cert&gt; --from-file<span style="color:#ff79c6">=</span>&lt;your-agent-key&gt; </span></span></code></pre></div><h3 id="modify-deployment-configuration">Modify deployment configuration</h3> <p>Modify the Armory Scale Agent&rsquo;s deployment configuration in <code>deployment.yaml</code> to mount the certs.</p> <blockquote> <p>The paths that files are mounted to in the <code>deployment.yaml</code> file should always match the corresponding location in the <code>armory-agent.yaml</code> configuration file. For example, the <code>mountPath</code> of the CA cert in the <code>deployment.yaml</code> file must match the <code>clouddriver.tls.clientCertFile</code> location in <code>armory-agent.yaml</code>.</p> </blockquote> <div class="highlight"><div style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4 </span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">13 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">14 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">15 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">16 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">17 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">18 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">19 </span></span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ff79c6">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">template</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">containers</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">volumeMounts</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> - <span style="color:#ff79c6">mountPath</span>: &lt;path&gt; <span style="color:#6272a4"># for example, /opt/armory-agent/cert</span> </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">name</span>: armoryagentcert </span></span><span style="display:flex; background-color:#3d3f4a"><span> - <span style="color:#ff79c6">mountPath</span>: &lt;path&gt; <span style="color:#6272a4"># for example, /opt/armory-agent/cacert</span> </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">name</span>: clouddrivercacert </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">volumes</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> - <span style="color:#ff79c6">name</span>: armoryagentcert </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">secret</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">secretName</span>: &lt;agent-secret-name&gt; </span></span><span style="display:flex; background-color:#3d3f4a"><span> - <span style="color:#ff79c6">name</span>: clouddrivercacert </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">secret</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">secretName</span>: &lt;clouddriver-secret-name&gt; </span></span><span style="display:flex; background-color:#3d3f4a"><span> - <span style="color:#ff79c6">name</span>: certpem </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">secret</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">secretName</span>: &lt;CA-secret-name&gt;</span></span></code></pre></td></tr></table> </div> </div> <p>If you use a custom CA, you can install it on the Armory Scale Agent pod. The default location on that image, which uses the Alpine base, is <code>/etc/ssl/cert.pem</code>, so you can either append your CA cert to the trust store, which is <code>/etc/ssl/cert.pem</code>, or you can mount the file anywhere and configure the <code>clouddriver.tls.cacertFile</code> property in your YAML to point to that location.</p> <p>See the <a href="/plugins/scale-agent/reference/config/service-options/#configuration-options">Agent Options</a> for configuration details.</p> <h3 id="configure-the-service">Configure the service</h3> <p>Add the certificate information in <code>armory-agent.yaml</code>. Note that <code>clientCertFile</code> and <code>clientKeyFile</code> values must in <code>file:///filepath/filename</code> format.</p> <div class="highlight"><div style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">6 </span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">7 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">8 </span></span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">9 </span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ff79c6">clouddriver</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">grpc</span>: &lt;:443 </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">insecure</span>: <span style="color:#ff79c6">false</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">tls</span>: </span></span><span style="display:flex;"><span> <span style="color:#6272a4">#serverName: &lt;my-ca&gt;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">insecureSkipVerify</span>: <span style="color:#ff79c6">false</span> </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">clientCertFile</span>: &lt;path-to-your-agent-cert&gt; <span style="color:#6272a4">#client cert for mTLS.</span> </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">clientKeyFile</span>: &lt;path-to-your-agent-key&gt; </span></span><span style="display:flex;"><span> <span style="color:#6272a4">#clientKeyPassword:</span></span></span></code></pre></td></tr></table> </div> </div> <p>See the <a href="/plugins/scale-agent/reference/config/service-options/#configuration-options">Agent Options</a> for configuration details.</p> <h2 id="x509-certificate-subject-filtering">x509 certificate subject filtering</h2> <p>If you have many Agents that want to talk to Clouddriver, and all of them have valid x509 certificates for mTLS, you can authorize a particular subset by configuring a subject filter in your <code>clouddriver.yaml</code> configuration. If a certificate subject line matches <strong>any</strong> of the filters, that certificate is authorized. All non-matching certificate subjects calls are rejected with an <code>X509CertificateAuthorizationFilterException</code>.</p> <p>You can specify multiple filtering criteria. However, the order in which the criteria are read is not guaranteed because when Java reads the certificates, it does not maintain the order used in the certificate itself. Be careful when matching on two parts of a subject line, for example <code>UID=.*O=Armory</code>, because the <code>UID</code> and <code>O</code> attributes may not appear in that order. It might be safest to write a regular expression that can match in any order.</p> <h3 id="plugin-filter-configuration">Plugin filter configuration</h3> <p>Add an <code>grpc.auth.x509</code> section to your Clouddriver profile:</p> <div class="highlight"><div style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6 </span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12 </span></span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ff79c6">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">spinnakerConfig</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">profiles</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">clouddriver</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">kubesvc</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">cluster</span>: redis </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">grpc</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">auth</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">x509</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">enabled</span>: <span style="color:#ff79c6">true</span> <span style="color:#6272a4"># must be true for filters to be applied</span> </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">filters</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> - UID=([a-z]){3}:[1-9]{3}:ksvc</span></span></code></pre></td></tr></table> </div> </div> <p>See the <a href="/plugins/scale-agent/reference/config/plugin-options/"}>Armory Scale Agent Plugin Configuration Options</a> page for configuration options.</p>Plugins: Dynamic Accounts Tasks/plugins/scale-agent/tasks/dynamic-accounts/Mon, 01 Jan 0001 00:00:00 +0000/plugins/scale-agent/tasks/dynamic-accounts/Plugins: Integrate Prometheus/plugins/scale-agent/tasks/service-monitor/Mon, 01 Jan 0001 00:00:00 +0000/plugins/scale-agent/tasks/service-monitor/ <h2 id="available-metrics">Available metrics</h2> <p>If <code>prometheus.enabled</code> is true in the Armory Scale Agent service <a href="/plugins/scale-agent/reference/config/service-options/">configuration</a>, the Armory Scale Agent exposes metrics on port 8008 (<code>prometheus.port</code>) on path <code>/metrics</code> or <code>/prometheus_metrics</code> like other Armory CD services. Both paths serve the same data.</p> <table> <thead> <tr> <th>Setting</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>go_gc_duration_seconds</code></td> <td>summary</td> <td>Amount of time spent in garbage collection.</td> </tr> <tr> <td><code>go_goroutines</code></td> <td>gauge</td> <td>Number of go routines.</td> </tr> <tr> <td><code>go_memstats_alloc_bytes</code></td> <td>gauge</td> <td>Amount of memory allocation used by Go.</td> </tr> <tr> <td><code>go_memstats_alloc_bytes</code></td> <td>gauge</td> <td>Number of bytes allocated and still in use.</td> </tr> <tr> <td><code>go_memstats_alloc_bytes_total</code></td> <td>counter</td> <td>Total number of bytes allocated, even if freed.</td> </tr> <tr> <td><code>go_memstats_buck_hash_sys_bytes</code></td> <td>gauge</td> <td>Number of bytes used by the profiling bucket hash table.</td> </tr> <tr> <td><code>go_memstats_frees_total</code></td> <td>counter</td> <td>Total number of frees.</td> </tr> <tr> <td><code>go_memstats_gc_cpu_fraction</code></td> <td>gauge</td> <td>The fraction of this program's available CPU time used by the GC since the program started.</td> </tr> <tr> <td><code>go_memstats_gc_sys_bytes</code></td> <td>gauge</td> <td>Number of bytes used for garbage collection system metadata.</td> </tr> <tr> <td><code>go_memstats_heap_alloc_bytes</code></td> <td>gauge</td> <td>Number of heap bytes allocated and still in use.</td> </tr> <tr> <td><code>go_memstats_heap_idle_bytes</code></td> <td>gauge</td> <td>Number of heap bytes waiting to be used.</td> </tr> <tr> <td><code>go_memstats_heap_inuse_bytes</code></td> <td>gauge</td> <td>Number of heap bytes that are in use.</td> </tr> <tr> <td><code>go_memstats_heap_objects</code></td> <td>gauge</td> <td>Number of allocated objects.</td> </tr> <tr> <td><code>go_memstats_heap_released_bytes</code></td> <td>gauge</td> <td>Number of heap bytes released to OS.</td> </tr> <tr> <td><code>go_memstats_heap_sys_bytes</code></td> <td>gauge</td> <td>Number of heap bytes obtained from system.</td> </tr> <tr> <td><code>go_memstats_last_gc_time_seconds</code></td> <td>gauge</td> <td>Number of seconds since 1970 of last garbage collection.</td> </tr> <tr> <td><code>go_memstats_lookups_total</code></td> <td>counter</td> <td>Total number of pointer lookups.</td> </tr> <tr> <td><code>go_memstats_mallocs_total</code></td> <td>counter</td> <td>Total number of mallocs.</td> </tr> <tr> <td><code>go_memstats_next_gc_bytes</code></td> <td>gauge</td> <td>Number of heap bytes when next garbage collection will take place.</td> </tr> <tr> <td><code>go_memstats_sys_bytes</code></td> <td>gauge</td> <td>Number of bytes obtained from system.</td> </tr> <tr> <td><code>go_threads</code></td> <td>gauge</td> <td>Number of Go threads.</td> </tr> <tr> <td><code>kubesvc_connection_count</code></td> <td>counter</td> <td>Number of connections.</td> </tr> <tr> <td><code>kubesvc_disconnection_total</code></td> <td>counter</td> <td>Number of disconnections.</td> </tr> <tr> <td><code>kubesvc_events_bytes_sent_total</code></td> <td>counter</td> <td>Amount of data sent by caching events.</td> </tr> <tr> <td><code>kubesvc_events_sent_total</code></td> <td>counter</td> <td>Number of caching events sent.</td> </tr> <tr> <td><code>kubesvc_resource_agent_total</code></td> <td>counter</td> <td>Number of watched/polled resources.</td> </tr> <tr> <td><code>process_cpu_seconds_total</code></td> <td>counter</td> <td>Total user and system CPU time spent in seconds.</td> </tr> <tr> <td><code>process_max_fds</code></td> <td>gauge</td> <td>Maximum number of open file descriptors.</td> </tr> <tr> <td><code>process_open_fds</code></td> <td>gauge</td> <td>Number of open file descriptors.</td> </tr> <tr> <td><code>process_resident_memory_bytes</code></td> <td>gauge</td> <td>Resident memory size in bytes.</td> </tr> <tr> <td><code>process_start_time_seconds</code></td> <td>gauge</td> <td>Start time of the process since unix epoch in seconds.</td> </tr> <tr> <td><code>process_virtual_memory_bytes</code></td> <td>gauge</td> <td>Virtual memory size in bytes.</td> </tr> <tr> <td><code>process_virtual_memory_max_bytes</code></td> <td>gauge</td> <td>Maximum amount of virtual memory available in bytes.</td> </tr> </tbody> </table> <h2 id="configure-prometheus">Configure Prometheus</h2> <p>If you are using the Prometheus operator, you can scrape metrics with:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ff79c6">apiVersion</span>: monitoring.coreos.com/v1 </span></span><span style="display:flex;"><span><span style="color:#ff79c6">kind</span>: ServiceMonitor </span></span><span style="display:flex;"><span><span style="color:#ff79c6">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">app</span>: spin </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">name</span>: armory-agent-service-monitor </span></span><span style="display:flex;"><span><span style="color:#ff79c6">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">endpoints</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ff79c6">path</span>: /prometheus_metrics </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">port</span>: metrics </span></span><span style="display:flex;"><span><span style="color:#6272a4"># - path: /metrics</span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># port: metrics</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">selector</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">app</span>: spin </span></span></code></pre></div><h2 id="import-a-grafana-dashboard">Import a Grafana dashboard</h2> <p>You can import <a href="https://github.com/armory-io/agent-k8s-spinplug-releases/tree/master/monitoring">this Grafana dashboard definition</a> to use with Prometheus.</p>Plugins: Integrate Vault with the Armory Scale Agent Service/plugins/scale-agent/tasks/service-vault/Mon, 01 Jan 0001 00:00:00 +0000/plugins/scale-agent/tasks/service-vault/ <h2 id="before-you-begin">Before you begin</h2> <ul> <li>This guide is for experienced Kubernetes and Armory CD users.</li> <li>You have read the Armory Scale Agent <a href="/plugins/scale-agent/">overview</a>.</li> </ul> <h2 id="authenticate-agent-with-vault">Authenticate Agent with Vault</h2> <p>The Armory Scale Agent is compatible with properties Armory CD uses for <a href="/continuous-deployment/armory-admin/secrets/secrets-vault/">storing secrets in HashiCorp Vault</a>. You put configuration in <code>armory-agent.yaml</code> in the <code>secrets.vault.*</code> section. You refer to Vault secrets using the same syntax you use in configuring secrets for Armory CD. See the <a href="/continuous-deployment/armory-admin/secrets/secrets-vault/#referencing-secrets">Referencing Secrets section</a> for details.</p> <p>This is an example of what the <a href="/continuous-deployment/armory-admin/secrets/secrets-vault/#1-kubernetes-service-account-recommended">Kubernetes service account</a> configuration looks like in Agent, using an <code>encryptedFile:</code> reference for <code>kubeconfigFile</code>:</p> <div class="highlight"><div style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4 </span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5 </span></span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">13 </span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#6272a4"># ./armory-agent.yaml</span> </span></span><span style="display:flex;"><span><span style="color:#ff79c6">kubernetes</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">accounts</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ff79c6">name</span>: account01 </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">kubeconfigFile</span>: encryptedFile:vault!e:secret!p:spinnaker/kubernetes!k:config </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ff79c6">secrets</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">vault</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">enabled</span>: <span style="color:#ff79c6">true</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">authMethod</span>: KUBERNETES </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">url</span>: https://your.vault.instance </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">role</span>: spinnaker </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">path</span>: kubernetes</span></span></code></pre></td></tr></table> </div> </div> <h2 id="dynamically-load-accounts-from-vault">Dynamically load accounts from Vault</h2> <blockquote> <p>This requires you to install the <a href="https://www.vaultproject.io/docs/platform/k8s/injector/installation">Vault Injector Sidecar</a>.</p> </blockquote> <p>The Armory Scale Agent detects changes in the configuration file and manages new accounts that it finds. This makes it possible to use a sidecar for adding and removing accounts dynamically instead of having a static <code>ConfigMap</code>. The <a href="https://www.vaultproject.io/docs/commands/kv/put">Vault guide</a> specifies the following syntax:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>vault kv put secret/kubernetes <span style="color:#8be9fd;font-style:italic">account01</span><span style="color:#ff79c6">=</span>@kubeconfig.yaml </span></span></code></pre></div><ul> <li>Keep <code>kubeconfig</code> files in one Vault secret (in this case <code>secret/kubernetes</code>).</li> <li>Each field name corresponds to an account name in Armory CD.</li> <li>Each field value is the contents of the <code>kubeconfigFile</code> used by that account.</li> </ul> <h3 id="configuration-template">Configuration template</h3> <p>Replace the configuration files and <code>kubeconfig</code> files with <a href="https://www.vaultproject.io/docs/platform/k8s/injector/annotations">Vault injector annotations</a> to provide a template.</p> <div class="highlight"><div style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12 </span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">13 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">14 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">15 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">16 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">17 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">18 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">19 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">20 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">21 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">22 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">23 </span></span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">24 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">25 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">26 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">27 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">28 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">29 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">30 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">31 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">32 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">33 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">34 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">35 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">36 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">37 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">38 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">39 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">40 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">41 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">42 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">43 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">44 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">45 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">46 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">47 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">48 </span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#ff79c6">apiVersion</span>: apps/v1 </span></span><span style="display:flex;"><span><span style="color:#ff79c6">kind</span>: Deployment </span></span><span style="display:flex;"><span><span style="color:#ff79c6">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">name</span>: spin-armory-agent </span></span><span style="display:flex;"><span><span style="color:#ff79c6">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">template</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">annotations</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">vault.hashicorp.com/agent-inject</span>: <span style="color:#f1fa8c">&#34;true&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">vault.hashicorp.com/agent-inject-secret-armory-agent-local.yml</span>: <span style="color:#f1fa8c">&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">vault.hashicorp.com/secret-volume-path-armory-agent-local.yml</span>: <span style="color:#f1fa8c">&#39;/opt/armory/config&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">vault.hashicorp.com/agent-inject-file-armory-agent-local.yml</span>: <span style="color:#f1fa8c">&#39;armory-agent-local.yml&#39;</span> </span></span><span style="display:flex; background-color:#3d3f4a"><span> <span style="color:#ff79c6">vault.hashicorp.com/agent-inject-template-armory-agent-local.yml</span>: |<span style="color:#f1fa8c"> </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> kubernetes: </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> accounts: </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> {{- with secret &#34;secret/kubernetes&#34; -}} </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> {{ range $k, $v := .Data.data }} </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> - kubeconfigFile: &#39;encryptedFile:vault!e:secret!n:kubernetes!k:{{ $k }}&#39; </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> name: {{ $k -}} </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> {{- else }} </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> [] </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> {{ end -}} </span></span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#f1fa8c"> {{- end }} </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> secrets: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> vault: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> enabled: true </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> authMethod: KUBERNETES </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> role: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> path: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> url: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> clouddriver: </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"> insecure: true</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">volumes</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ff79c6">$patch</span>: delete </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">name</span>: volume-armory-agent-config </span></span><span style="display:flex;"><span> - <span style="color:#ff79c6">$patch</span>: delete </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">name</span>: volume-armory-agent-kubeconfigs </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">containers</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ff79c6">name</span>: armory-agent </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">volumeMounts</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ff79c6">$patch</span>: delete </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">name</span>: volume-armory-agent-config </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">mountPath</span>: /opt/armory/config </span></span><span style="display:flex;"><span> - <span style="color:#ff79c6">$patch</span>: delete </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">name</span>: volume-armory-agent-kubeconfigs </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">mounthPath</span>: </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">mountPath</span>: /kubeconfigfiles</span></span></code></pre></td></tr></table> </div> </div> <ul> <li>Make sure to include the required <a href="https://www.vaultproject.io/docs/platform/k8s/injector/annotations">Vault injector annotations</a> like <a href="https://www.vaultproject.io/docs/platform/k8s/injector/annotations#vault-hashicorp-com-role"><code>vault.hashicorp.com/role</code> or <code>vault.hashicorp.com/agent-configmap</code></a> that correspond to your environment.</li> <li>Be aware of the version of Vault&rsquo;s KV engine currently in your environment. This guide assumes you have the secret engine <a href="https://www.vaultproject.io/docs/secrets/kv/kv-v2">KV version 2</a>. For KV version 1, you need to modify the template to use <code>{{ range $k, $v := .Data }}</code> instead. See the Templating Language&rsquo;s <a href="https://github.com/hashicorp/consul-template/blob/master/docs/templating-language.md#versioned-read">Versioned Read</a> section for more information.</li> <li>This template expects <code>secret/kubernets</code> to hold the <code>kubeconfig file</code>: Make sure to replace both line 16 and 18 in case that&rsquo;s not the case in your environment.</li> <li>Make sure to include all other <a href="/plugins/scale-agent/reference/config/service-options/#configuration-options">Agent Options</a> that you require in your environment.</li> </ul> <p>After addressing the preceding points, save the template as <code>armory-agent-vault-patch.yaml</code> and refer to it in your <code>kustomization.yaml</code>:</p> <div class="highlight"><div style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"> <table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8 </span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9 </span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10 </span></span><span style="background-color:#3d3f4a"><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11 </span></span></code></pre></td> <td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%"> <pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;display:grid;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#6272a4"># ./kustomization.yaml</span> </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Pre-existing SpinnakerService resource (may be different)</span> </span></span><span style="display:flex;"><span><span style="color:#ff79c6">namespace</span>: spinnaker </span></span><span style="display:flex;"><span><span style="color:#ff79c6">resources</span>: </span></span><span style="display:flex;"><span> - spinnakerservice.yaml </span></span><span style="display:flex;"><span><span style="color:#ff79c6">bases</span>: </span></span><span style="display:flex;"><span><span style="color:#6272a4"># Armory Scale Agent deployment</span> </span></span><span style="display:flex;"><span> - armory-agent </span></span><span style="display:flex;"><span> </span></span><span style="display:flex; background-color:#3d3f4a"><span><span style="color:#ff79c6">patchesStrategicMerge</span>: </span></span><span style="display:flex; background-color:#3d3f4a"><span> - armory-agent-vault-patch.yaml</span></span></code></pre></td></tr></table> </div> </div> <h2 id="troubleshooting">Troubleshooting</h2> <p><strong>Agent deployment is to appearing / There are no spin-armory-agent pods</strong></p> <ul> <li>Check the following commands for any error or warning message: <ul> <li><code>kubectl describe desploy spin-armory-agent | sed -ne '/^Events:$/,$p'</code></li> <li><code>kubectl describe rs -l cluster=spin-armory-agent | sed -ne '/^Events:$/,$p'</code></li> </ul> </li> <li>Error message: <code>Error creating: admission webhook &quot;vault.hashicorp.com&quot; denied the request: error validating agent configuration: no Vault role found</code>: <ul> <li>Make sure that the annotations <a href="https://www.vaultproject.io/docs/platform/k8s/injector/annotations#vault-hashicorp-com-role"><code>vault.hashicorp.com/role</code> or <code>vault.hashicorp.com/agent-configmap</code></a> are set and they correspond to your environment</li> </ul> </li> </ul> <p><strong>Agent gets stuck in status Init</strong></p> <ul> <li>Check for logs of the injector with the following command: <code>kubectl logs deploy/spin-armory-agent -c vault-agent-init</code>.</li> <li>Error message: <code>[WARN] (view) vault.read(secret/kubernetes): no secret exists at secret/data/kubernetes (retry attempt 1 after &quot;250ms&quot;)</code>: <ul> <li>Make sure to update the reference in <code>armory-agent-vault-patch.yaml</code> to a secret that is accessible in your environment.</li> </ul> </li> </ul> <p><strong>Agent is in Crash loop back off</strong></p> <ul> <li>Check for logs of armory-agent with the following command <code>kubectl logs deploy/spin-armory-agent -c armory-agent</code>.</li> <li>Error message: <code>Error registering vault config: vault configuration error</code>: <ul> <li>Make sure to update <code>armory-agent-vault-patch.yaml</code> to include the properties <a href="/continuous-deployment/armory-admin/secrets/secrets-vault/"><code>secrets.vault.*</code></a> that correspond to your environment.</li> </ul> </li> <li>Error message <code>failed to load configuration: error fetching key \&quot;data\&quot;</code>: <ul> <li>Your vault KV engine is using version 2. Make sure the template in <code>armory-agent-vault-patch.yaml</code> is using <code>{{ range $k, $v := .Data.data }}</code>.</li> </ul> </li> </ul> <p><strong>Agent registers with 0 servers</strong></p> <ul> <li>Check for logs of vault injector with the following command: <code>kubectl logs -f deploy/spin-armory-agent -c vault-agent</code>.</li> <li>Error message <code>missing dependency: vault.read(secret/kubernetes)</code>: <ul> <li>Your vault KV engine is using version 1. Make sure the template in <code>armory-agent-vault-patch.yaml</code> is using <code>{{ range $k, $v := .Data }} </code>.</li> </ul> </li> </ul>