Introduction
Spinnaker is an open-source resource management and continuous delivery application for fast, safe, and repeatable deployments, using a powerful and customizable pipeline system. Spinnaker allows for automated application deployments to many platforms, including DigitalOcean Kubernetes. When deploying, you can configure Spinnaker to use built-in deployment strategies, such as Highlander and Red/black, with the option of creating your own deployment strategy. It can integrate with other DevOps tools, like Jenkins and TravisCI, and can be configured to monitor GitHub repositories and Docker registries.
Spinnaker is managed by Halyard, a tool specifically built for configuring and deploying Spinnaker to various platforms. Spinnaker requires external storage for persisting your application’s settings and pipelines. It supports different platforms for this task, like DigitalOcean Spaces.
In this tutorial, you’ll deploy Spinnaker to DigitalOcean Kubernetes using Halyard, with DigitalOcean Spaces as the underlying back-end storage. You’ll also configure Spinnaker to be available at your desired domain, secured using Let’s Encrypt TLS certificates. Then, you will create a sample application in Spinnaker, create a pipeline, and deploy a Hello World app to your Kubernetes cluster. After testing it, you’ll introduce authentication and authorization via GitHub Organizations. By the end, you will have a secured and working Spinnaker deployment in your Kubernetes cluster.
Note: This tutorial has been specifically tested with Spinnaker 1.13.5.
Prerequisites
- Halyard installed on your local machine, according to the official instructions. Please note that using Halyard on Ubuntu versions higher than 16.04 is not supported. In such cases, you can use it via Docker.
- A DigitalOcean Kubernetes cluster with your connection configured as the kubectl default. The cluster must have at least 8GB RAM and 4 CPU cores available for Spinnaker (more will be required in the case of heavier use). Instructions on how to configure kubectl are shown under the Connect to your Cluster step shown when you create your cluster. To create a Kubernetes cluster on DigitalOcean, see the Kubernetes Quickstart.
- An Nginx Ingress Controller and cert-manager installed on the cluster. For a guide on how to do this, see How to Set Up an Nginx Ingress with Cert-Manager on DigitalOcean Kubernetes.
- A DigitalOcean Space with API keys (access and secret). To create a DigitalOcean Space and API keys, see How To Create a DigitalOcean Space and API Key.
- A domain name with three DNS A records pointed to the DigitalOcean Load Balancer used by the Ingress. If you’re using DigitalOcean to manage your domain’s DNS records, consult How to Create DNS Records to create A records. In this tutorial, we’ll refer to the A records as spinnaker.example.com, spinnaker-api.example.com, and hello-world.example.com.
- A GitHub account, added to a GitHub Organization with admin permissions and public visibility. The account must also be a member of a Team in the Organization. This is required to complete Step 5.
Step 1 — Adding a Kubernetes Account with Halyard
In this section, you will add a Kubernetes account to Spinnaker via Halyard. An account, in Spinnaker’s terms, is a named credential it uses to access a cloud provider.
As part of the prerequisite, you created the echo1 and echo2 services and an echo_ingress ingress for testing purposes; you will not need these in this tutorial, so you can now delete them.
Start off by deleting the ingress by running the following command:
kubectl delete -f echo_ingress.yaml
Then, delete the two test services:
kubectl delete -f echo1.yaml && kubectl delete -f echo2.yaml
The kubectl delete command deletes the objects described in the manifest file passed with the -f parameter.
Next, from your local machine, create a folder that will serve as your workspace:
mkdir ~/spinnaker-k8s
Navigate to your workspace by running the following command:
cd ~/spinnaker-k8s
Halyard does not yet know where it should deploy Spinnaker. Enable the Kubernetes provider with this command:
hal config provider kubernetes enable
You’ll receive the following output:
Output
+ Get current deployment
Success
+ Edit the kubernetes provider
Success
Problems in default.provider.kubernetes:
- WARNING Provider kubernetes is enabled, but no accounts have been
configured.
+ Successfully enabled kubernetes
Halyard logged all the steps it took to enable the Kubernetes provider, and warned that no accounts are defined yet.
Next, you’ll create a Kubernetes service account for Spinnaker, along with RBAC. A service account is a namespaced identity meant for software that acts against the cluster, as opposed to a user account for a person. RBAC (Role Based Access Control) is the mechanism Kubernetes uses to regulate which identities may perform which actions on which resources. Used properly, it limits the scope of action of the account so that a compromised or misbehaving deployment tool cannot change things it has no business touching.
Here, for simplicity, you will grant Spinnaker cluster-admin permissions to allow it to control the whole cluster. Be aware of what that means: the service-account token you are about to create, and anyone who can run a pipeline in Spinnaker, then has full administrative power over every namespace. For a production deployment, bind the account instead to a Role limited to the namespaces it deploys into and to the resource types your manifests actually use; consult the official Kubernetes documentation on RBAC for how to write such a Role.
First, create the spinnaker namespace by running the following command:
kubectl create ns spinnaker
The output will look like:
Output
namespace/spinnaker created
Run the following command to create a service account named spinnaker-service-account:
kubectl create serviceaccount spinnaker-service-account -n spinnaker
You’ve used the -n flag to specify that kubectl create the service account in the spinnaker namespace. The output will be:
Output
serviceaccount/spinnaker-service-account created
Then, bind it to the cluster-admin role:
kubectl create clusterrolebinding spinnaker-service-account --clusterrole cluster-admin --serviceaccount=spinnaker:spinnaker-service-account
You will see the following output:
Output
clusterrolebinding.rbac.authorization.k8s.io/spinnaker-service-account created
Halyard uses the local kubectl to access the cluster. You’ll need to configure it to use the newly created service account before deploying Spinnaker. A service account authenticates to the API server with a bearer token. On Kubernetes versions up to 1.23, creating a service account also creates a Secret holding such a token; from 1.24 on, no token Secret is created automatically, so the command below prints an empty name and you must first create a Secret of type kubernetes.io/service-account-token annotated with the service account’s name and read the token from that Secret instead. Either way, this kind of token never expires, and with the binding you just made it is a cluster-admin credential; it is about to be written into your kubeconfig and, through Halyard, into Spinnaker’s configuration, so protect both accordingly. To retrieve the token for the spinnaker-service-account, you’ll first need to get the name of the secret. You can fetch it into a console variable, named TOKEN_SECRET, by running:
TOKEN_SECRET=$(kubectl get serviceaccount -n spinnaker spinnaker-service-account -o jsonpath='{.secrets[0].name}')
This gets information about the spinnaker-service-account from the namespace spinnaker, and fetches the name of the first secret it contains by passing in a JSON path.
Fetch the contents of the secret into a variable named TOKEN by running:
TOKEN=$(kubectl get secret -n spinnaker $TOKEN_SECRET -o jsonpath='{.data.token}' | base64 --decode)
You now have the token available in the environment variable TOKEN. Next, you’ll need to set credentials for the service account in kubectl:
kubectl config set-credentials spinnaker-token-user --token $TOKEN
You will see the following output:
Output
User "spinnaker-token-user" set.
Then, you’ll need to set the user of the current context to the newly created spinnaker-token-user by running the following command:
kubectl config set-context --current --user spinnaker-token-user
Note that this changes your own kubectl context: from now on every kubectl command you run in it authenticates as the service account rather than as you. Once Halyard has read the configuration, you can switch the context back with the same set-context command and your original user name.
By setting the current user to spinnaker-token-user, kubectl is now configured to use the spinnaker-service-account, but Halyard does not know anything about that. Add an account to its Kubernetes provider by executing:
hal config provider kubernetes account add spinnaker-account --provider-version v2
The output will look like this:
Output
+ Get current deployment
Success
+ Add the spinnaker-account account
Success
+ Successfully added account spinnaker-account for provider
kubernetes.
This command adds a Kubernetes account named spinnaker-account to Halyard’s Kubernetes provider. Because no kubeconfig file or context was given, Halyard reads your default kubeconfig and its current context, which now authenticates with the spinnaker-service-account token.
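Before handing the token to Halyard, it is worth confirming which identity it actually carries and keeping it out of your personal kubectl context. The script below is an added example, not part of this tutorial and not Halyard or Spinnaker code. It decodes the payload of the token (the JWT that Kubernetes stores in a service-account Secret) to check its subject claim, and writes a standalone kubeconfig containing only the service-account user, which you can pass to Halyard with --kubeconfig-file instead of rewriting your current context. The sample token at the bottom is constructed inline with a fake signature, and the server address and certificate data in the demo call are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not part of the tutorial or of Halyard/Spinnaker.
# Checks which identity a service-account token carries and writes it into a
# dedicated kubeconfig instead of changing the user of your current context.
#
# Assumption: the token is the JWT that Kubernetes stores in a
# service-account Secret, whose payload carries
# "sub":"system:serviceaccount:<namespace>:<name>" as compact JSON.
set -eu

# Decode a base64url segment (JWT segments carry no '=' padding).
b64url_decode() {
  _s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#_s} % 4 )) in
    2) _s="${_s}==" ;;
    3) _s="${_s}=" ;;
  esac
  printf '%s' "$_s" | base64 -d
}

# Print a string claim from the JWT payload, e.g. jwt_claim "$TOKEN" sub
jwt_claim() {
  _payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$_payload" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Fail unless the token belongs to service account $3 in namespace $2.
check_sa_subject() {
  _want="system:serviceaccount:$2:$3"
  _got=$(jwt_claim "$1" sub)
  [ "$_got" = "$_want" ] || {
    echo "token subject is '$_got', expected '$_want'" >&2
    return 1
  }
}

# Write a kubeconfig holding only the service-account user, mode 0600.
# Args: output file, API server URL, base64 CA data, token, default namespace.
write_sa_kubeconfig() {
  ( umask 077
    cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: do-k8s
  cluster:
    server: $2
    certificate-authority-data: $3
users:
- name: spinnaker-token-user
  user:
    token: $4
contexts:
- name: spinnaker
  context:
    cluster: do-k8s
    user: spinnaker-token-user
    namespace: $5
current-context: spinnaker
EOF
  )
}

# --- constructed sample token: real layout, fake signature, no real cluster ---
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_HEADER=$(printf '%s' '{"alg":"RS256","kid":"sample"}' | b64url)
SAMPLE_PAYLOAD=$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"spinnaker","sub":"system:serviceaccount:spinnaker:spinnaker-service-account"}' | b64url)
SAMPLE_TOKEN="$SAMPLE_HEADER.$SAMPLE_PAYLOAD.not-a-real-signature"

# Stand-alone demo: verify the sample token and write a kubeconfig for it.
check_sa_subject "$SAMPLE_TOKEN" spinnaker spinnaker-service-account
SAMPLE_KUBECONFIG=$(mktemp)
write_sa_kubeconfig "$SAMPLE_KUBECONFIG" https://203.0.113.10 Q0FEQVRB "$SAMPLE_TOKEN" spinnaker
echo "subject ok; kubeconfig written to $SAMPLE_KUBECONFIG"
```

On a real cluster, take the server URL and certificate-authority-data of your DigitalOcean cluster from your existing kubeconfig (kubectl config view --raw --minify prints the current context together with its certificate data), pass them and $TOKEN to write_sa_kubeconfig, and then register the account with hal config provider kubernetes account add spinnaker-account --provider-version v2 --kubeconfig-file followed by the path of that file. The set-context step above is then unnecessary and your own kubectl identity stays untouched; the file holds a cluster-admin credential, so keep it at mode 0600 and delete it when it is no longer needed.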
Generally, Spinnaker can be deployed in two ways: distributed installation or local installation. Distributed installation is what you’re completing in this tutorial; you’re deploying it to the cloud. Local installation, on the other hand, means that Spinnaker will be downloaded and installed on the machine Halyard runs on. Because you’re deploying Spinnaker to Kubernetes, you’ll need to mark the deployment as distributed, like so:
hal config deploy edit --type distributed --account-name spinnaker-account
Since your pipelines will deploy container images and Kubernetes manifests, you need to enable artifacts in Spinnaker. In Spinnaker’s terms, an artifact is a reference to an external object, such as an image in a registry or a manifest file, that a pipeline consumes or produces. You can enable them by running the following command:
hal config features edit --artifacts true
Here you’ve enabled artifacts to allow Spinnaker to track the images and manifests its pipelines work with, and to store more metadata about the objects it creates.
You’ve added a Kubernetes account to Spinnaker, via Halyard. You enabled the Kubernetes provider, configured RBAC roles, and added the current kubectl config to Spinnaker, thus adding an account to the provider. Now you’ll set up your back-end storage.
Step 2 — Configuring the Space as the Underlying Storage
In this section, you will configure the Space as the underlying storage for the Spinnaker deployment. Spinnaker will use the Space to store its configuration and pipeline-related data.
To configure S3 storage in Halyard, run the following command:
hal config storage s3 edit --access-key-id your_space_access_key --secret-access-key --endpoint spaces_endpoint_with_region_prefix --bucket space_name --no-validate
Remember to replace your_space_access_key with your Space access key and spaces_endpoint_with_region_prefix with the endpoint of your Space. This is usually region-id.digitaloceanspaces.com, where region-id is the region of your Space. You can replace space_name with the name of your Space. The --secret-access-key flag is deliberately given without a value, so that Halyard prompts for the secret instead of leaving it in your shell history. The --no-validate flag tells Halyard not to validate the settings given right away, because validation against DigitalOcean Spaces is not supported. Since nothing is checked here, a mistyped key, endpoint or bucket name will only show up when Spinnaker’s services fail to start after deployment, so it is worth confirming the credentials with an S3-compatible client pointed at the Spaces endpoint first. Halyard stores the key in plaintext in ~/.hal/config; keep that file readable only by your user.
Once you’ve run this command, Halyard will ask you for your secret access key. Enter it to continue and you’ll then see the following output:
Output
+ Get current deployment
Success
+ Get persistent store
Success
+ Edit persistent store
Success
+ Successfully edited persistent store "s3".
Now that you’ve configured s3 storage, you’ll ensure that your deployment will use this as its storage by running the following command:
hal config storage edit --type s3
The output will look like this:
Output
+ Get current deployment
Success
+ Get persistent storage settings
Success
+ Edit persistent storage settings
Success
+ Successfully edited persistent storage.
You’ve set up your Space as the underlying storage that your instance of Spinnaker will use. Now you’ll deploy Spinnaker to your Kubernetes cluster and expose it at your domains using the Nginx Ingress Controller.
Step 3 — Deploying Spinnaker to Your Cluster
In this section, you will deploy Spinnaker to your cluster using Halyard, and then expose its UI and API components at your domains using an Nginx Ingress. First, you’ll configure your domain URLs: one for Spinnaker’s user interface and one for the API component. Then you’ll pick your desired version of Spinnaker and deploy it using Halyard. Finally you’ll create an Ingress that routes both domains through the Nginx Ingress Controller with TLS certificates from cert-manager.
First, you’ll need to edit Spinnaker’s UI and API URL config values in Halyard and set them to your desired domains. To set the API endpoint to your desired domain, run the following command:
hal config security api edit --override-base-url https://spinnaker-api.example.com
The output will look like:
Output
+ Get current deployment
Success
+ Get API security settings
Success
+ Edit API security settings
Success
...
To set the UI endpoint to your domain, which is where you will access Spinnaker, run:
hal config security ui edit --override-base-url https://spinnaker.example.com
The output will look like:
Output
+ Get current deployment
Success
+ Get UI security settings
Success
+ Edit UI security settings
Success
+ Successfully updated UI security settings.
Remember to replace spinnaker-api.example.com and spinnaker.example.com with your domains. These are the domains you have pointed to the Load Balancer that you created during the Nginx Ingress Controller prerequisite.
You’ve created and secured Spinnaker’s Kubernetes account, configured your Space as its underlying storage, and set its UI and API endpoints to your domains. Now you can list the available Spinnaker versions:
hal version list
Your output will show a list of available versions. At the time of writing this article 1.13.5 was the latest version:
Output
+ Get current deployment
Success
+ Get Spinnaker version
Success
+ Get released versions
Success
+ You are on version "", and the following are available:
- 1.11.12 (Cobra Kai):
Changelog: https://gist.GitHub.com/spinnaker-release/29a01fa17afe7c603e510e202a914161
Published: Fri Apr 05 14:55:40 UTC 2019
(Requires Halyard >= 1.11)
- 1.12.9 (Unbreakable):
Changelog: https://gist.GitHub.com/spinnaker-release/7fa9145349d6beb2f22163977a94629e
Published: Fri Apr 05 14:11:44 UTC 2019
(Requires Halyard >= 1.11)
- 1.13.5 (BirdBox):
Changelog: https://gist.GitHub.com/spinnaker-release/23af06bc73aa942c90f89b8e8c8bed3e
Published: Mon Apr 22 14:32:29 UTC 2019
(Requires Halyard >= 1.17)
To select a version to install, run the following command:
hal config version edit --version 1.13.5
It is recommended to always select the latest version, unless you encounter some kind of regression.
You will see the following output:
Output
+ Get current deployment
Success
+ Edit Spinnaker version
Success
+ Spinnaker has been configured to update/install version "version".
Deploy this version of Spinnaker with `hal deploy apply`.
You have now fully configured Spinnaker’s deployment. You’ll deploy it with the following command:
hal deploy apply
This command could take a few minutes to finish.
The final output will look like this:
Output
+ Get current deployment
Success
+ Prep deployment
Success
+ Preparation complete... deploying Spinnaker
+ Get current deployment
Success
+ Apply deployment
Success
+ Deploy spin-redis
Success
+ Deploy spin-clouddriver
Success
+ Deploy spin-front50
Success
+ Deploy spin-orca
Success
+ Deploy spin-deck
Success
+ Deploy spin-echo
Success
+ Deploy spin-gate
Success
+ Deploy spin-rosco
Success
...
Halyard is showing you the deployment status of each of Spinnaker’s microservices. Behind the scenes, it calls kubectl to install them.
Kubernetes will take some time (ten minutes on average) to bring all of the containers up, especially for the first time. You can watch the progress by running the following command:
kubectl get pods -n spinnaker -w
You’ve deployed Spinnaker to your Kubernetes cluster, but it can’t be accessed beyond your cluster.
You’ll be storing the ingress configuration in a file named spinnaker-ingress.yaml. Create it using your text editor:
nano spinnaker-ingress.yaml
Add the following lines:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker-ingress
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - spinnaker-api.example.com
    - spinnaker.example.com
    secretName: spinnaker
  rules:
  - host: spinnaker-api.example.com
    http:
      paths:
      - backend:
          serviceName: spin-gate
          servicePort: 8084
  - host: spinnaker.example.com
    http:
      paths:
      - backend:
          serviceName: spin-deck
          servicePort: 9000
Remember to replace spinnaker-api.example.com with your API domain, and spinnaker.example.com with your UI domain.
The configuration file defines an ingress called spinnaker-ingress. The annotations specify that the controller for this ingress will be the Nginx controller, and that the letsencrypt-prod cluster issuer, defined in the prerequisite tutorial, will generate the TLS certificates.
Then, it specifies that TLS will secure the UI and API domains. It sets up routing by directing the API domain to the spin-gate service (Spinnaker’s API containers) on port 8084, and the UI domain to the spin-deck service (Spinnaker’s UI containers) on port 9000.
Save and close the file.
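Two mistakes are easy to make when editing the hostnames by hand: a host gets replaced under rules but not under tls (so the controller serves that name with its self-signed default certificate rather than the Let’s Encrypt one), or one of the example.com placeholders is left behind. The following script is an added example, not part of this tutorial and not Spinnaker or ingress-nginx code; it checks a manifest for both problems before you apply it, and works just as well on the hello-world Ingress in Step 4 if you save that manifest to a file. It assumes the manifest is laid out like the one above (tls before rules, one "- host:" line per rule, bare host items under "- hosts:") and uses sed rather than a YAML parser. The sample manifests it writes to temporary files are constructed for the demo, using hostnames under ops.test.

```shell
#!/usr/bin/env sh
# Added example, not part of the tutorial or of Spinnaker/ingress-nginx.
# Sanity-checks an Ingress manifest before kubectl create -f: every host under
# spec.rules must also be listed under spec.tls (otherwise the controller
# serves that name with its default certificate, not the Let's Encrypt one),
# and no example.com placeholder may be left behind.
#
# Assumption: the manifest is laid out like the tutorial's, with "tls:" before
# "rules:", one "- host:" line per rule and bare "- name" items under
# "- hosts:". This is a line-oriented sed check, not a YAML parser.
set -eu

# Hosts under spec.rules: one per "- host:" line.
rule_hosts() {
  sed -n 's/^ *- host: *\([^ ]*\).*/\1/p' "$1"
}

# Hosts under spec.tls: bare "- name" items between the tls: and rules: lines.
tls_hosts() {
  sed -n '/^ *tls:/,/^ *rules:/p' "$1" | sed -n 's/^ *- \([^ :]*\)$/\1/p'
}

# Exit 0 when the manifest is consistent; otherwise print one line per
# problem and exit 1.
check_ingress() {
  _file=$1; _rc=0
  _rules=$(rule_hosts "$_file")
  [ -n "$_rules" ] || { echo "$_file: no spec.rules hosts found"; return 1; }
  for _h in $_rules; do
    case $_h in
      *example.com) echo "$_file: placeholder host left in manifest: $_h"; _rc=1 ;;
    esac
    if ! tls_hosts "$_file" | grep -qxF "$_h"; then
      echo "$_file: $_h is routed but has no tls entry"; _rc=1
    fi
  done
  return $_rc
}

# --- constructed sample manifests, written to temp files for the demo ---
GOOD=$(mktemp); BAD=$(mktemp); PLACEHOLDER=$(mktemp)
trap 'rm -f "$GOOD" "$BAD" "$PLACEHOLDER"' EXIT
cat > "$GOOD" <<'EOF'
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker-ingress
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - spinnaker-api.ops.test
    - spinnaker.ops.test
    secretName: spinnaker
  rules:
  - host: spinnaker-api.ops.test
    http:
      paths:
      - backend:
          serviceName: spin-gate
          servicePort: 8084
  - host: spinnaker.ops.test
    http:
      paths:
      - backend:
          serviceName: spin-deck
          servicePort: 9000
EOF
# Same manifest with the UI host dropped from spec.tls only.
sed '/^    - spinnaker.ops.test$/d' "$GOOD" > "$BAD"
# Same manifest with the API host left as the tutorial's placeholder.
sed 's/spinnaker-api.ops.test/spinnaker-api.example.com/g' "$GOOD" > "$PLACEHOLDER"

# Stand-alone demo: the first passes, the other two report why they fail.
check_ingress "$GOOD" && echo "$GOOD: OK"
check_ingress "$BAD" || true
check_ingress "$PLACEHOLDER" || true
```

To use it on your own file, source the script (or copy the three functions) and run check_ingress spinnaker-ingress.yaml; a non-zero exit with a printed reason means the manifest should be fixed before the kubectl create step below.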
Create the Ingress in Kubernetes by running:
kubectl create -f spinnaker-ingress.yaml
You’ll see the following output:
Output
ingress.extensions/spinnaker-ingress created
Wait a few minutes for Let’s Encrypt to provision the TLS certificates, and then navigate to your UI domain, spinnaker.example.com, in a browser. You will see Spinnaker’s user interface. Until you enable authentication in Step 5, anyone who can reach this domain can use Spinnaker, and through it the cluster-admin service account from Step 1, so do not leave the deployment in this state for longer than needed.
You’ve deployed Spinnaker to your cluster, exposed the UI and API components at your domains, and tested if it works. Now you’ll create an application in Spinnaker and run a pipeline to deploy the Hello World app.
Step 4 — Creating an Application and Running a Pipeline
In this section, you will use your access to Spinnaker at your domain to create an application with it. You’ll then create and run a pipeline to deploy a Hello World app, which can be found at paulbouwer/hello-kubernetes. You’ll access the app afterward.
Navigate to your domain where you have exposed Spinnaker’s UI. In the upper right corner, press on Actions, then select Create Application. You will see the New Application form.
Type in hello-world as the name, input your email address, and press Create.
When the page loads, navigate to Pipelines by clicking the first tab in the top menu. You will see that there are no pipelines defined yet.
Press on Configure a new pipeline and a new form will open.
Fill in Deploy Hello World Application as your pipeline’s name, and press Create.
On the next page, click the Add Stage button. As the Type, select Deploy (Manifest), which is used for deploying Kubernetes manifests you specify. For the Stage Name, type in Deploy Hello World. Scroll down, and in the textbox under Manifest Configuration, enter the following lines:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world-ingress
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - hello-world.example.com
    secretName: hello-world
  rules:
  - host: hello-world.example.com
    http:
      paths:
      - backend:
          serviceName: hello-kubernetes
          servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: hello-kubernetes
  namespace: spinnaker
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: hello-kubernetes
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
  namespace: spinnaker
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes
  template:
    metadata:
      labels:
        app: hello-kubernetes
    spec:
      containers:
      - name: hello-kubernetes
        image: paulbouwer/hello-kubernetes:1.5
        ports:
        - containerPort: 8080
Remember to replace hello-world.example.com with your domain, which is also pointed at your Load Balancer.
In this configuration, you define a Deployment consisting of three replicas of the paulbouwer/hello-kubernetes:1.5 image. You also define a Service to be able to access it and an Ingress to expose the Service at your domain. The manifest places the app in the spinnaker namespace for brevity; in practice, give deployed workloads a namespace of their own so that they do not share one with Spinnaker’s own components and their Secrets.
Press Save Changes in the bottom right corner of the screen. When it finishes, navigate back to Pipelines. On the right side, select the pipeline you just created and press the Start Manual Execution link. When asked to confirm, press Run.
This pipeline will take a short time to complete. You will see the progress bar complete when it has successfully finished.
You can now navigate to the domain you defined in the configuration. You will see the Hello World app, which Spinnaker just deployed.
You’ve created an application in Spinnaker, run a pipeline to deploy a Hello World app, and accessed it. In the next step, you will secure Spinnaker by enabling GitHub Organizations authorization.
Step 5 — Enabling Role-Based Access with GitHub Organizations
In this section, you will enable GitHub OAuth authentication and GitHub Organizations authorization. Enabling GitHub OAuth authentication forces Spinnaker users to log in via GitHub, therefore preventing anonymous access. Authorization via GitHub Organizations restricts access only to those in an Organization. A GitHub Organization can contain Teams (named groups of members), which you will be able to use to restrict access to resources in Spinnaker even further.
For OAuth authentication to work, you’ll first need to set up the authorization callback URL, which is where the user will be redirected after authorization. This is your API domain ending with /login. You need to specify this explicitly because, behind the Ingress, Gate cannot reliably work out its own external scheme and host, and GitHub rejects any callback that does not exactly match the one registered on the OAuth app. To configure this, run the following command:
hal config security authn oauth2 edit --pre-established-redirect-uri https://spinnaker-api.example.com/login
You will see this output:
Output
+ Get current deployment
Success
+ Get authentication settings
Success
+ Edit oauth2 authentication settings
Success
+ Successfully edited oauth2 method.
To set up OAuth authentication with GitHub, you’ll need to create an OAuth application for your Organization. To do so, navigate to your Organization on GitHub, go to Settings, click on Developer Settings, and then select OAuth Apps from the left-hand menu. Afterward, click the New OAuth App button on the right. You will see the Register a new OAuth application form.
Enter spinnaker-auth as the name. For the Homepage URL, enter https://spinnaker.example.com, and for the Authorization callback URL, enter https://spinnaker-api.example.com/login. Then, press Register Application.
You’ll be redirected to the settings page for your new OAuth app. Note the Client ID and Client Secret values—you’ll need them for the next command.
With the OAuth app created, you can configure Spinnaker to use the OAuth app by running the following command:
hal config security authn oauth2 edit --client-id client_id --client-secret client_secret --provider GitHub
Remember to replace client_id and client_secret with the values shown on the GitHub settings page. Passing the client secret on the command line records it in your shell history, and Halyard keeps it in ~/.hal/config alongside your Spaces key; treat both places as sensitive.
You output will be similar to the following:
Output
+ Get current deployment
Success
+ Get authentication settings
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security.authn:
- WARNING An authentication method is fully or partially
configured, but not enabled. It must be enabled to take effect.
+ Successfully edited oauth2 method.
You’ve configured Spinnaker to use the OAuth app. Now, to enable it, execute:
hal config security authn oauth2 enable
The output will look like:
Output
+ Get current deployment
Success
+ Edit oauth2 authentication settings
Success
+ Successfully enabled oauth2
You’ve configured and enabled GitHub OAuth authentication. Once this configuration is deployed, users will be forced to log in via GitHub in order to access Spinnaker. However, as it stands, everyone who has a GitHub account can log in, which is not what you want. To overcome this, you’ll configure Spinnaker to restrict access to members of your desired Organization.
You’ll need to set this up semi-manually via local config files, because Halyard does not yet have a command for setting this. During deployment, Halyard will use the local config files to override the generated configuration.
Halyard looks for custom configuration under ~/.hal/default/profiles/. Files named service-name-*.yml are picked up by Halyard and used to override the settings of a particular service. The service that you’ll override is called gate, and serves as the API gateway for the whole of Spinnaker.
Create a file under ~/.hal/default/profiles/ named gate-local.yml:
nano ~/.hal/default/profiles/gate-local.yml
Add the following lines:
security:
  oauth2:
    providerRequirements:
      type: GitHub
      organization: your_organization_name
Replace your_organization_name with the name of your GitHub Organization. Save and close the file.
With this bit of configuration, only members of your GitHub Organization will be able to access Spinnaker.
Note: Only those members of your GitHub Organization whose membership is set to Public will be able to log in to Spinnaker. This setting can be changed on the member list page of your Organization.
Now, you’ll integrate Spinnaker with an even more fine-grained access-rule solution: GitHub Teams. This will enable you to specify which Team(s) will have access to resources created in Spinnaker, such as applications.
To achieve this, you’ll need a GitHub Personal Access Token for an admin account in your Organization. To create one, visit Personal Access Tokens and press the Generate New Token button. On the next page, give it a description of your choice and be sure to check the read:org scope, located under admin:org. When you are done, press Generate token and note it down when it appears—you won’t be able to see it again.
To configure GitHub Teams role authorization in Spinnaker, run the following command:
hal config security authz github edit --accessToken access_token --organization organization_name --baseUrl https://api.github.com
Be sure to replace access_token with the personal access token you generated and organization_name with the name of the Organization.
The output will be:
Output
+ Get current deployment
Success
+ Get GitHub group membership settings
Success
+ Edit GitHub group membership settings
Success
+ Successfully edited GitHub method.
You’ve updated your GitHub group settings. Now, you’ll set the authorization provider to GitHub by running the following command:
hal config security authz edit --type github
The output will look like:
Output
+ Get current deployment
Success
+ Get group membership settings
Success
+ Edit group membership settings
Success
+ Successfully updated roles.
After updating these settings, enable them by running:
hal config security authz enable
You’ll see the following output:
Output
+ Get current deployment
Success
+ Edit authorization settings
Success
+ Successfully enabled authorization
With all the changes in place, you can now apply them to your running Spinnaker deployment. Execute the following command to do this:
hal deploy apply
Once it has finished, wait for Kubernetes to propagate the changes. This can take quite some time—you can watch the progress by running:
kubectl get pods -n spinnaker -w
When all the pods’ states become Running and their availability 1/1, navigate to your Spinnaker UI domain. You will be redirected to GitHub and asked to log in, if you’re not already. If the account you logged in with is a member of the Organization, you will be redirected back to Spinnaker and logged in. Otherwise, you will be denied access with a message that looks like this:
{"error":"Unauthorized", "message":"Authentication Failed: User's provider info does not have all required fields.", "status":401, "timestamp":...}
The effect of GitHub Teams integration is that Spinnaker now translates Teams into roles. You can use these roles in Spinnaker to impose additional access restrictions on members of particular teams. If you try to add another application, you’ll notice that you can now also specify permissions for it, which combine a level of access—read only, or read and write—with a role.
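To make the two layers concrete, here is an added illustrative model (not Spinnaker's or Gate's own code) of the providerRequirements check from gate-local.yml and of role-based application permissions. It assumes a simplified GitHub API shape, that Team slugs map to role names, and uses constructed users and an organization named example-org.

```python
# Added illustrative model (not Spinnaker's or Gate's own code) of the two
# access layers this section configures: the providerRequirements check in
# gate-local.yml (authn) and application permissions built from GitHub Teams
# roles (authz). Sample users are constructed; GitHub API shapes and the
# team-slug-to-role mapping are simplifying assumptions.
UNAUTHORIZED = {
    "error": "Unauthorized",
    "message": "Authentication Failed: User's provider info does not have "
               "all required fields.",
    "status": 401,
}
PROVIDER_REQUIREMENTS = {"type": "GitHub", "organization": "example-org"}

def public_org_logins(orgs):
    """GitHub lists only PUBLIC org memberships for a user, so a member whose
    membership is set to Private looks like a non-member to Gate."""
    return {org for org, visibility in orgs.items() if visibility == "public"}

def check_provider_requirements(user, requirements=PROVIDER_REQUIREMENTS):
    """Return None when login may proceed, else the 401 body Gate sends."""
    if requirements.get("type") != "GitHub":
        return UNAUTHORIZED
    if requirements["organization"] not in public_org_logins(user["orgs"]):
        return UNAUTHORIZED
    return None

def roles_for(user, organization):
    """Assumed mapping: each GitHub Team slug in the org becomes a role."""
    return set(user["teams"].get(organization, ()))

def can_access(user, organization, app_permissions, level):
    """app_permissions mirrors an application's READ/WRITE role lists; a
    level with no roles listed is left unrestricted (assumption)."""
    required = set(app_permissions.get(level, ()))
    if not required:
        return True
    return bool(roles_for(user, organization) & required)

# Constructed sample users: alice is a public member on the devops team,
# bob's membership is Private, carol is a public member on no team.
ALICE = {"orgs": {"example-org": "public"}, "teams": {"example-org": ["devops"]}}
BOB = {"orgs": {"example-org": "private"}, "teams": {"example-org": ["devops"]}}
CAROL = {"orgs": {"example-org": "public"}, "teams": {}}
APP_PERMISSIONS = {"READ": [], "WRITE": ["devops"]}
```

Note that bob is rejected at the authentication layer even though he is on the devops team, which is exactly the Public-membership caveat above.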
You’ve set up GitHub authentication and authorization. You have also configured Spinnaker to restrict access to members of your Organization, learned about roles and permissions, and seen how GitHub Teams fit in when integrated with Spinnaker.
Conclusion
You have successfully configured and deployed Spinnaker to your DigitalOcean Kubernetes cluster. You can now manage and use your cloud resources more easily, from a central place. You can use triggers to automatically start a pipeline; for example, when a new Docker image has been added to the registry. To learn more about Spinnaker’s terms and architecture, visit the official documentation. If you wish to deploy a private Docker registry to your cluster to hold your images, visit How To Set Up a Private Docker Registry on Top of DigitalOcean Spaces and Use It with DO Kubernetes.