Installing Autopilot
Last updated
Was this helpful?
Last updated
Was this helpful?
If you are already using Open Source Spinnaker, then Autopilot can get seamlessly integrated with your Open Source Spinnaker and you get the all the benefits of Autopilot product. The following section defines the procedure for installing Autopilot as a standalone module to work with Open Source Spinnaker.
Have access to public repositories in docker.io and quay.io
Have the following tools installed - wget, kubectl, helm
Have access to a Kubernetes cluster with at least 2 nodes, each node having 8 CPU and 32 GB RAM
Have the NGINX Ingress Controller installed in the cluster. If it is not already installation, then you can install the same using the following instructions
$ kubectl create ns ingress-nginx
$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
$ helm repo update
$ helm install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx
$ kubectl get svc -n ingress-nginx
Have “cert-manager” already available in the cluster. If it is not already available, then you can install it using the following instructions
$ kubectl create namespace cert-manager
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install cert-manager jetstack/cert-manager --set installCRDs=true -n cert-manager
In the Kubernetes cluster, have 3 Persistent Volumes of size 10GB each
Two DNS records pointing to the IP of the Ingress Controller for the following:
“Autopilot UI”, Eg. autopilot.opsmx.net
“Autopilot Gate”, Eg. autopilot-gate.opsmx.net
Following are the steps to install Autopilot.
Download yaml file from the Enterprise Spinnaker repository in the GitHub
Update Autopilot UI and Autopilot Gate entries
#Autopilot UI URL configuration
oesUI:
host: << AUTOPILOT UI URL Example autopilot.opsmx.net >>
#Autopilot Gate URL configuration
oesGate:
host: << AUTOPILOT GATE URL Example autopilot-gate.opsmx.net >>
Update Spinnaker Deck URL in dashboard section of values-APforOSS.yaml
#Dashboard Service
dashboard:
config:
spinnakerLink: <<SPINNAKER DECK URL Example spinaker.opsmx.net>>
Authentication:
Using LDAP
Make changes in the ldap section in values-APforOSS.yaml
#ldap configuration used in oes-gate, oes-platform and spinnaker gate for authentication and authorization
#Change the below settings based on your LDAP server
Ldap:
enabled: true
url: << LDAP URL: Example: ldaps://xxx.opsmx.com:636 >>
managerDn: cn=manager,dc=opsmx,dc=com
managerPassword: manager123
groupSearchBase: ou=groups,dc=opsmx,dc=com
groupSearchFilter: member={0}
groupRoleAttributes: cn
userDnPattern: uid={0},ou=users,dc=opsmx,dc=com
Note:
managerDn: The Distinguished Name (DN) used to log into the Directory Service and to search for user accounts.
manager-password: The password for the manager account specified in the managerDn property.
groupSearchBase: The DN of the LDAP object where the search for the user account's groups begins.
groupSearchFilter: The LDAP query string used to find the user account's group objects. The default is “(member={0})”. (In some LDAP implementations the name is memberof.). The {0} is a required value. It is a token that represents the user account that is being validated
groupRoleAttributes: The field name to use as the Security role name for the group object DN
userDnPattern: The field name to tell the authenticator how to find a user in LDAP
Using SAML 2.0
Make changes in the saml section in values-APforOSS.yaml
saml:
enabled: true
userSource: gate # Groups will be obtained from SAML
keyStore: /opt/spinnaker/saml/oessaml.jks # The key in this secret must be oessamljks
keyStorePassword: changeit
keyStoreAliasName: saml
metadataUrl: /opt/spinnaker/saml/oesmetadata.xml # The key in this secret must be oesmetadataxml
redirectProtocol: https
redirectHostname: << AUTOPILOT GATE URL Example autopilot-gate.opsmx.net >>
redirectBasePath: /
issuerId: << Unique Issuer Id Example opsmx.test >>
jksSecretName: oessamljks
metadataSecretName: oesmetadataxml
Using OAuth 2.0
Autopilot supports OAuth 2.0 for authentication with GitHub organizations. Consult the GitHub OAuth 2.0 documentation and register a new OAuth 2.0 application to obtain a client ID and client secret. Make changes in the oauth2 section in values-APforOSS.yaml
oauth2:
enabled: true
client:
clientId: #CLIENT_ID
clientSecret: #CLIENT_SECRET_ID
accessTokenUri: https://github.com/login/oauth/access_token
userAuthorizationUri: https://github.com/login/oauth/authorize
scope: user-email
resource:
userInfoUri: https://api.github.com/user
userInfoMapping:
email: email
firstName: firstname
lastName: name
username: login
provider: GITHUB
Specify the user groups from the authentication system; these groups will have Super Administrator privileges in Autopilot. Specify userSource for the specific authorization type.
platform:
config:
#These groups will have superAdmin privileges in Autopilot adminGroups: admin
#Source of groups for Authorization
#Support sources: LDAP, FILE, GATE. In general, use "gate" for SAML
userSource: ldap
Specify Spinnaker Gate URL. When the Authentication type is X509, set the corresponding flag to true.
sapor:
config:
spinnakerImages: OSS
spinnaker:
#true if authentication is enabled in Spinnaker authnEnabled: true
#encryption key is needed for sapor to startup
encrupt:
enabled:false
Add opsmx helm chart using the command
$ helm repo add opsmx https://helmcharts.opsmx.com/
$ helm repo update
Create a namespace for installing Autopilot
$ kubectl create namespace autopilot
Begin the installation using the following command
$ helm install myautopilot opsmx/oes -f values-APforOSS.yaml -n autopilot --timeout 60m
Run the following command to get the URLs
$kubectl get ingress -n autopilot
IP addresses should be linked to URLs in the DNS server
After installing Autopilot, there are few changes in your Open Source Spinnaker configuration to integrate it with Autopilot. Following are the changes:
Before editing yaml files in Spinnaker, first ensure their persistence. If they are not persistent already, follow these steps.
Example:
$ kubectl edit cm ossspin-spinnaker-halyard-init-script
Where ossspin is the name of the spinnaker instance. Change it as per your instance name. The following lines need to be commented out, followed by save.
# rm -rf /tmp/spinnaker/.hal/default/service-settings
# cp /tmp/service-settings/*/tmp/spinnaker/.hal/default/service-settings
# rm -rf /tmp/spinnaker/.hal/default/profiles
# cp /tmp/additionalProfileConfigMaps/*/tmp/spinnaker/.hal/default/profiles/
Enable echo events in OSS Spinnaker. Get a shell to the Spinnaker halyard pod.
Example:
kubectl exec -it oes-spinnaker-halyard-0 -n oss-spin -- /bin/bash
Go to location: ~/.hal/default/profiles edit the file echo-local.yml;
Create a new file if not available
$ vi echo-local.yml
Update/Add the following lines, with the correct "Autopilot Gate" URL.
rest:
enabled: true
endpoints:
-
wrap: false
url: << AUTOPILOT GATE URL
Example https://autopilot-gate.opsmx.net >>/auditservice/v1/echo/events/data
-
wrap: false
url: << AUTOPILOT GATE URL
Example https://autopilot-gate.opsmx.net >>/oes/echo
Enable Custom Plugins in Spinnaker. Get a shell to the Spinnaker halyard pod.
Example:
$kubectl exec -it spinnaker-halyard-0 -n oss-spin -- /bin/bash
Go to location: ~/.hal/default/profiles
$ cd ~/.hal/default/profiles
Edit the file orca-local.yml (create a new file if not available)
$ vi orca-local.yml
Update/Add the following lines
spinnaker:
extensibility:
plugins:
Opsmx.VerificationGatePlugin:
enabled: true
version: 1.0.1
config:
Opsmx.VisibilityApprovalPlugin:
enabled: true
version: 1.0.1
config:
Opsmx.TestVerificationGatePlugin:
enabled: true
version: 1.0.1
config:
Opsmx.PolicyGatePlugin:
enabled: true
version: 1.0.1
config:
repositories:
opsmx-repo:
id: opsmx-repo
Edit the file gate-local.yml (create a new file if not available)
$ vi gate-local.yml
Update/add the following lines
spinnaker:
extensibility:
plugins:
deck-proxy:
enabled: true
plugins:
Opsmx.VerificationGatePlugin:
enabled: true
version: 1.0.1
Opsmx.TestVerificationGatePlugin:
enabled: true
version: 1.0.1
Opsmx.PolicyGatePlugin:
enabled: true
version: 1.0.1
Opsmx.VisibilityApprovalPlugin:
enabled: true
version: 1.0.1
plugins-root-path: /opt/gate/plugins
repositories:
opsmx-repo:
url: https://raw.githubusercontent.com/OpsMx/spinnakerPluginRepository/v3.10.0/plugins.json
Edit the file front50-local.yml (create a new file if not available)
$ vi front50-local.yml
Update/add the following lines
spinnaker:
extensibility:
plugins:
Opsmx.StaticPolicyPlugin:
enabled: true
version: "1.0.1"
config: null
repositories:
opsmx-repo:
id: "opsmx-repo"
url: "https://raw.githubusercontent.com/OpsMx/spinnakerPluginRepository/v3.10.0.staticpolicy/plugins.json"
policy:
opa:
enabled: true
url: << AUTOPILOT GATE URL Example https://autopilot-gate.opsmx.net >>
Run Hal deploy apply command to reflect the changes
$ hal deploy apply
Configure Spinnaker in Autopilot UI Once Spinnaker and OES are installed successfully, we need to configure Spinnaker in Autopilot UI.
Navigate to Setup → Spinnaker → Add Spinnaker.
The following fields need to be provided:
Spinnaker Name: User defined name of Spinnaker Instance
Spinnaker Gate URL: The Gate URL of the Spinnaker instance
Authentication Type: Mechanism with which Autopilot communicates to Spinnaker.
Mention, LDAP, for Basic Authentication (username with password) or X509, for 2 Factor Authentication systems.
Using the LDAP Mechanism
Provide the username and password of the user who has the access to all the pipelines in the encrypted base64 format using this command,
echo -ne “username:password” | base64 -w0
Using the x509 Mechanism
For Autopilot to communicate with Spinnaker using x509, we need a client p12 key.
Using the client.p12 key and password, we can configure Autopilot to communicate with Spinnaker on the x509 port.
Assuming that we have client tls certificate and key, we can generate a p12 using the following command,
$ openssl pkcs12 -export -clcerts -in x509lb.crt -inkey x509lb.key -out x509lb.p12 -name gate509lb -password pass:changeit
$ wget
url:
To Enable x509 method of Authentication for Spinnaker, please refer to the steps in