Agent Service Configuration
Agent Service Configuration
Services are configured from the "opsmx-services-agentX" user-supplied configmap. There should be one key, 'services.yaml', which defines the services this Agent advertises to ISD, and the credentials needed to provide access.
The "name" element is advertised to ISD, and will be the name used for the associated Spinnaker account configuration. This name will be presented to ISD users. Renaming an account is not possible, and will require deleting and re-creating the account through the ISD interface.
Only services explicitly marked as "enabled: true" will be advertised to Spinnaker.
Example:
Agent Service Credentials
For most service types, credentials can be provided. The types of credentials allowed depend on the service type, but generally several are available.
No authentication
Credential type "none" indicates that the service endpoint does not require any authentication.
HTTP Basic Authentication
A credential type of "basic" requires a username and a password to be provided in the configmap or in a Kubernetes secret. These are passed to the target via HTTP Basic authentication.
If secrets are provided in the configmap (not recommended) they must be base64 encoded.
Example (with literal contents, not recommended):
Example (with Kubernetes secret of type 'kubernetes.io/basic-auth'):
The secret must be created, and have keys for "username" and "password".
HTTP Bearer Authentication
A credential type of "bearer" requires a token to be provided in the configmap or in a Kubernetes secret. These are passed to the target via HTTP Bearer authentication.
If secrets are provided in the configmap (not recommended) they must be base64 encoded.
Example (with literal contents, not recommended):
Example (with Kubernetes secret of type Opaque):
The secret must be created, and have a key for "token".
HTTP "Token" Authentication
While "bearer" should generally be used, some services require a small change, and require the authentication type to be called "token" in the HTTP headers sent to authenticate. Other than that change, "token" and "bearer" are identical in configuration methods.
Agent Service Type
The Agent supports many services types generally, but the ones shown below are also supported by ISD and Spinnaker.
Jenkins
Authentication types: none, basic, bearer. Example configuration:
Artifactory
Authentication types: none, basic, bearer. Example configuration:
Kubernetes
The agent has the ability to manage any namespace in the Kubernetes cluster it is installed into. However, it is disabled by default.
The Kubernetes service can be configured in two ways: a single Kubernetes account is advertised to Spinnaker, or multiple accounts with the same credentials advertised to Spinnaker, with different namespaces.
In all cases, access control is provided based on the Spinnaker configuration for RBAC.
Multiple clusters are not supported at this time, but multiple agents can be used, one per cluster. The namespace restrictions in the following examples are views into a single cluster, the one where the agent is running.
To advertise a single Kubernetes account "kubernetes1" which provides access to all namespaces:
To advertise a multiple Kubernetes accounts, with specific namespaces and names:
When advertising multiple instances, the top-level name is ignored.
Last updated