A collection of Terraform and bash scripts to set up an enterprise-grade Spinnaker deployment on Google Cloud Platform
brew install vault
gcloud auth login
and gcloud config set project <YOUR_PROJECT_ID>
brew install terraform
Use this template
button above
./quickstart.sh
No
Quickstart complete
you should see a Terraform output variable called halyard_command
which you can copy to log into your ephemeral halyard VM
showlog
command to follow the setup process by tailing the logs that set up all of the dependencies needed for all of the scripts inside the quickstart
script
quickstart
during the initial quickstart then your Spinnaker should already be being set up
Autostart complete please log into your Spinnaker deployment(s)
you can close out of showlog
by pressing ctrl-c
quickstart
then after you see setup complete
you can close out of showlog
by pressing ctrl-c
spingo
command to sudo into the shared user account
spinnaker@halyard-thd-spinnaker:~$
you will either need to run ./quickstart.sh
or run each of the pre-populated scripts that the ./quickstart
script is configured to run in that order
Follow the instructions here to set up basic monitoring and alerting of the Spinnaker deployments
After the managed DNS is set up you will need to direct the DNS hostname to the proper nameservers. After the DNS directory is run by quickstart, Terraform will print the new nameservers on the screen in an output called google_dns_managed_zone_nameservers = [ "ns-cloud-c1.googledomains.com.", "ns-cloud-c2.googledomains.com.", ...]. You then need to log into your domain hosting provider and direct the owned domain to all four of these name servers so that traffic can be routed to your project and SSL certificates can be requested through the Let's Encrypt Google domain authentication plugin, which adds a TXT record to the domain to prove that it is owned by you.
Once Google Cloud DNS is properly getting traffic you will be able to complete the Let's Encrypt SSL configuration.
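An added example, not one of this repository's scripts: a POSIX shell check that the domain is delegated to exactly the name servers listed in google_dns_managed_zone_nameservers before you move on to the Let's Encrypt step. The script name check-delegation.sh and the function names are assumptions made for illustration; the live lookup uses dig.

```sh
#!/bin/sh
# Added example (not from the repository): check that a domain is delegated to
# exactly the Cloud DNS name servers that Terraform printed.

# Read a name-server list on stdin (Terraform list syntax or plain words) and
# print one lowercase host per line, without quotes, brackets or trailing dot.
normalize_ns() {
  tr '[:upper:]' '[:lower:]' | tr -s ' ,\t' '\n' |
    sed -e 's/[]["]//g' -e 's/\.$//' -e '/^$/d' | sort -u
}

# Print each host of list $1 that does not appear in list $2.
ns_not_in() (
  have=$(printf '%s\n' "$2" | normalize_ns)
  printf '%s\n' "$1" | normalize_ns | while read -r ns; do
    printf '%s\n' "$have" | grep -Fxq -- "$ns" || printf '%s\n' "$ns"
  done
)

# Succeed only when expected ($1) and observed ($2) are the same set.
# Anything missing or unexpected is reported on stderr, one host per line.
delegation_ok() (
  missing=$(ns_not_in "$1" "$2")
  extra=$(ns_not_in "$2" "$1")
  # $missing and $extra are left unquoted on purpose: one printf line per host.
  [ -z "$missing" ] || printf 'not delegated yet: %s\n' $missing >&2
  [ -z "$extra" ] || printf 'unexpected name server: %s\n' $extra >&2
  [ -z "$missing" ] && [ -z "$extra" ]
)

# Live check: ./check-delegation.sh <domain> '<list pasted from Terraform>'
if [ "$#" -eq 2 ]; then
  observed=$(dig +short NS "$1")
  if delegation_ok "$2" "$observed"; then
    echo "delegation for $1 matches the Terraform output"
  else
    echo "fix the NS records at the registrar before requesting certificates" >&2
    exit 1
  fi
fi
```

An unexpected name server left over from a previous provider matters as much as a missing one: resolvers that reach it will not see the TXT record used to prove domain ownership.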
At the very end of the Setup Spinnaker Infrastructure step you will see an output called spinnaker_fiat_account_unique_id
with a very large number printed out. That number is the unique ID of the Spinnaker service account spinnaker-fiat
whose ID we need to use as the Client Name
in step #3 when we follow these instructions to enable read-only permissions to get all the groups that a user has at the organization level. Many large enterprises sync their Active Directory groups to their Google user accounts, and we want to use that to enable true Role Based Access Control (RBAC) within Spinnaker to separate authorizations between different applications and between different deployment targets.
This must happen before the quickstart
script is run from inside the halyard VM; otherwise you will not be able to log into Spinnaker successfully
Application name
and your Authorized domains
Web application
then enter the Name
like spinnaker client ID
and the Authorized redirect URIs
to your HTTPS urls like this (note the /login
at the end of each):
https://np-api.demo.example.com/login
https://sandbox-api.demo.example.com/login
vault write secret/$(gcloud config list --format 'value(core.project)' 2>/dev/null)/gcp-oauth "client-id=replace-me" "client-secret=replace-me"
replace-me
spinnakerbot
OAuth & Permissions
section make sure that the bot
scope is listed under interactivity and copy your Bot User OAuth Access Token
Bot User OAuth Access Token
vault write secret/$(gcloud config list --format 'value(core.project)' 2>/dev/null)/slack-token "value=replace-me"
no-slack
If you have previously run ./quickstart.sh
, and are in a situation where this is a new machine or otherwise a fresh clone of the repo, you can restore the saved values from vault by running:
scripts/restore-saved-config-from-vault.sh
If you want to completely destroy the installation:
./scripts/reset-spingo.sh
, after confirmation, it will destroy all Terraform resources and the service accounts and buckets that Terraform requires so that the ./scripts/initial-setup.sh
can be run again if needed.
Check out the contributing readme for information on how to contribute to the project.
This project is released under the Apache2 free software license. More information can be found in the LICENSE file.