Spinnaker is a multi-cloud Continuous Delivery Platform developed and open-sourced by Netflix. It supports most major clouds, including Google Cloud, Amazon, and Microsoft, and it also supports open-source cloud and container platforms such as Kubernetes and OpenStack.
https://console.cloud.google.com/marketplace/product/google-cloud-platform/spinnaker?project=prj-sandbox-devops-9999
https://github.com/GoogleCloudPlatform/spinnaker-for-gcp/blob/master/README.md
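This is a solution that makes it easy to try Spinnaker on GCP when you need it for purposes such as the following.
Spinnaker for Google Cloud Platform is a solution for installing and managing Spinnaker on Google Cloud Platform. It consists of an installation and management console, Spinnaker and its microservices, and a sample application.
Run in Cloud Shell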
git config --global user.email \
"shmoon2@wemakeprice.com"
git config --global user.name \
"shmoon2"
gcloud auth login
gcloud config set project prj-sandbox-devops-9999
PROJECT_ID=prj-sandbox-devops-9999 \
~/cloudshell_open/spinnaker-for-gcp/scripts/install/setup_properties.sh
###########
# This file needs to be edited #
/home/shmoon2/cloudshell_open/spinnaker-for-gcp/scripts/install/properties
export SPINNAKER_VERSION=1.29.3
export HALYARD_VERSION=1.55.0
export ZONE=asia-northeast3-b
export REGION=asia-northeast3
###########
~/cloudshell_open/spinnaker-for-gcp/scripts/install/setup.sh
# Ingress configuration
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: spinnaker-1-ingress
  annotations:
    # If the class annotation is not specified it defaults to "gce".
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
  - http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: spin-deck
            port:
              number: 9000
---
https://spinnaker.io/docs/setup/install/
Prerequisites
sudo apt-get install -y kubectl google-cloud-sdk-gke-gcloud-auth-plugin bash-completion wget
cat >> ~/.bashrc <<EOL
export USE_GKE_GCLOUD_AUTH_PLUGIN=True
export PROJECT_ID=prj-sandbox-devops-9999
source <(kubectl completion bash)
alias k=kubectl
complete -o default -F __start_kubectl k
EOL
source ~/.bashrc
curl -O https://raw.githubusercontent.com/spinnaker/halyard/master/install/debian/InstallHalyard.sh
sudo bash InstallHalyard.sh
hal -v
Select GCE.
prerequisites
google cloud sdk
google service account and key
Create the service account
SERVICE_ACCOUNT_NAME=spinnaker-gce-account-new
# a hyphen is not valid in a shell variable name, so the key path is kept in SERVICE_ACCOUNT_DEST
SERVICE_ACCOUNT_DEST=~/.gcp/gce-account.json
gcloud iam service-accounts create \
    $SERVICE_ACCOUNT_NAME \
    --display-name $SERVICE_ACCOUNT_NAME
SA_EMAIL=$(gcloud iam service-accounts list \
    --filter="displayName:$SERVICE_ACCOUNT_NAME" \
    --format='value(email)')
PROJECT=$(gcloud config get-value project)
# permission to create/modify instances in your project
gcloud projects add-iam-policy-binding $PROJECT \
    --member serviceAccount:$SA_EMAIL \
    --role roles/compute.instanceAdmin
# permission to create/modify network settings in your project
gcloud projects add-iam-policy-binding $PROJECT \
    --member serviceAccount:$SA_EMAIL \
    --role roles/compute.networkAdmin
# permission to create/modify firewall rules in your project
gcloud projects add-iam-policy-binding $PROJECT \
    --member serviceAccount:$SA_EMAIL \
    --role roles/compute.securityAdmin
# permission to create/modify images & disks in your project
gcloud projects add-iam-policy-binding $PROJECT \
    --member serviceAccount:$SA_EMAIL \
    --role roles/compute.storageAdmin
# permission to download service account keys in your project
# this is needed by packer to bake GCE images remotely
gcloud projects add-iam-policy-binding $PROJECT \
    --member serviceAccount:$SA_EMAIL \
    --role roles/iam.serviceAccountActor
mkdir -p $(dirname $SERVICE_ACCOUNT_DEST)
gcloud iam service-accounts keys create $SERVICE_ACCOUNT_DEST \
    --iam-account $SA_EMAIL
Verify creation
provider enable
hal config provider google enable
account add
PROJECT=$(gcloud config get-value project)
SERVICE_ACCOUNT_DEST=$SERVICE_ACCOUNT_DEST
ACCOUNT=my-gce-account
hal config provider google account add $ACCOUNT --project $PROJECT \
    --json-path $SERVICE_ACCOUNT_DEST
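Choose how Halyard will install Spinnaker.
Distributed installation
Halyard deploys Spinnaker's microservices in a distributed manner. Recommended when installing for a production environment.
Local installation
Spinnaker is installed on a single machine. Suitable for small deployments.
Installation from GitHub
Local installation is the default, so no additional configuration is done here.
Spinnaker needs external storage to persist application settings and pipeline configuration.
Spinnaker supports the storage options below. Whichever option you choose does not affect your choice of cloud provider. For example, you can use Google Cloud Storage as the storage source and still deploy to Microsoft Azure.
Create the service account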
SERVICE_ACCOUNT_NAME=spinnaker-gcs-account
SERVICE_ACCOUNT_DEST=~/.gcp/gcs-account.json
gcloud iam service-accounts create \
    $SERVICE_ACCOUNT_NAME \
    --display-name $SERVICE_ACCOUNT_NAME
SA_EMAIL=$(gcloud iam service-accounts list \
    --filter="displayName:$SERVICE_ACCOUNT_NAME" \
    --format='value(email)')
PROJECT=$(gcloud config get-value project)
gcloud projects add-iam-policy-binding $PROJECT \
    --role roles/storage.admin --member serviceAccount:$SA_EMAIL
mkdir -p $(dirname $SERVICE_ACCOUNT_DEST)
gcloud iam service-accounts keys create $SERVICE_ACCOUNT_DEST \
    --iam-account $SA_EMAIL
Verify creation
Connect GCS
PROJECT=$(gcloud config get-value project)
# see https://cloud.google.com/storage/docs/bucket-locations
BUCKET_LOCATION=ASIA
SERVICE_ACCOUNT_DEST=$SERVICE_ACCOUNT_DEST
hal config storage gcs edit --project $PROJECT \
    --bucket-location $BUCKET_LOCATION \
    --json-path $SERVICE_ACCOUNT_DEST
hal config storage edit --type gcs
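The basic configuration below is now complete, so choose a Spinnaker version and install it.
Enable the cloud provider
Choose the deployment environment
Configure persistent storage
List the available versions and deploy.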
sudo apt-get install -y wget
hal version list
hal config version edit --version 1.29.3
sudo hal deploy apply
sudo apt-get install -y kubectl google-cloud-sdk-gke-gcloud-auth-plugin bash-completion wget
cat >> ~/.bashrc <<EOL
export USE_GKE_GCLOUD_AUTH_PLUGIN=True
export PROJECT_ID=prj-sandbox-devops-9999
source <(kubectl completion bash)
alias k=kubectl
complete -o default -F __start_kubectl k
EOL
source ~/.bashrc
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
sudo apt-get install apt-transport-https --yes
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get update
sudo apt-get install helm
gcloud pubsub topics create projects/$PROJECT/topics/gcr-noti
Created topic [projects/prj-sandbox-devops-9999/topics/gcr-noti].
gcloud pubsub subscriptions create gcr-noti-triggers \
    --topic projects/${PROJECT}/topics/gcr-noti
Created subscription [projects/prj-sandbox-devops-9999/subscriptions/gcr-noti-triggers].
shmoon2_wemakeprice_com@moon-spinnaker:~$ gcloud beta pubsub subscriptions add-iam-policy-binding gcr-noti-triggers --role roles/pubsub.subscriber --member serviceAccount:$SA_EMAIL_GCE
Updated IAM policy for subscription [gcr-noti-triggers].
bindings:
- members:
- serviceAccount:spinnaker-gce-account@prj-sandbox-devops-9999.iam.gserviceaccount.com
role: roles/pubsub.subscriber
etag: BwX3UDoEl8s=
version: 1
shmoon2_wemakeprice_com@moon-spinnaker:~$ kubectl create clusterrolebinding user-admin-binding \
--clusterrole=cluster-admin --user=$(gcloud config get-value account)
clusterrolebinding.rbac.authorization.k8s.io/user-admin-binding created
shmoon2_wemakeprice_com@moon-spinnaker:~$ kubectl create clusterrolebinding --clusterrole=cluster-admin \
--serviceaccount=default:default spinnaker-admin
clusterrolebinding.rbac.authorization.k8s.io/spinnaker-admin created
shmoon2_wemakeprice_com@moon-spinnaker:~$ helm repo add stable https://charts.helm.sh/stable
"stable" has been added to your repositories
shmoon2_wemakeprice_com@moon-spinnaker:~$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈Happy Helming!⎈
shmoon2_wemakeprice_com@moon-spinnaker:~$ export PROJECT=$(gcloud info \
--format='value(config.project)')
shmoon2_wemakeprice_com@moon-spinnaker:~$ export BUCKET=$PROJECT-spinnaker-config
shmoon2_wemakeprice_com@moon-spinnaker:~$ export BUCKET=$PROJECT-spinnaker-config-helm
shmoon2_wemakeprice_com@moon-spinnaker:~$ echo $PROJECT $BUCKET
prj-sandbox-devops-9999 prj-sandbox-devops-9999-spinnaker-config-helm
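The spinnaker-admin binding in the session above gives cluster-admin to the default ServiceAccount of the default namespace, which every pod in that namespace runs as unless it names another one. An added check, not part of the original page, that lists such bindings; the tab-separated listing format and the spin-viewer sample row are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original page.
# Live input, one line per binding (name, role, then Kind/namespace/name per subject):
#   kubectl get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{range .subjects[*]}{"\t"}{.kind}/{.namespace}/{.name}{end}{"\n"}{end}'

# Print "<binding> <namespace>:<serviceaccount>" for every cluster-admin
# binding whose subject is a namespace's "default" ServiceAccount.
find_default_sa_admins() {
  awk -F '\t' '$2 == "cluster-admin" {
    for (i = 3; i <= NF; i++) {
      split($i, s, "/")          # s[1]=kind, s[2]=namespace, s[3]=name
      if (s[1] == "ServiceAccount" && s[3] == "default")
        print $1, s[2] ":" s[3]
    }
  }'
}

# Constructed sample: the two bindings created above, the built-in
# cluster-admin binding, and a hypothetical read-only binding (spin-viewer).
sample_bindings() {
  printf 'cluster-admin\tcluster-admin\tGroup//system:masters\n'
  printf 'user-admin-binding\tcluster-admin\tUser//user@example.com\n'
  printf 'spinnaker-admin\tcluster-admin\tServiceAccount/default/default\n'
  printf 'spin-viewer\tview\tServiceAccount/default/default\n'
}

# Only the spinnaker-admin row is reported.
sample_bindings | find_default_sa_admins
```

Binding the role to a dedicated ServiceAccount that only the Spinnaker pods use keeps other workloads in the namespace from inheriting it.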
gsutil mb -c regional -l asia-northeast3 gs://$BUCKET
export SA_JSON=$(cat ~/.gcp/gce-account.json)
export PROJECT=$(gcloud info --format='value(config.project)')
export BUCKET=$PROJECT-spinnaker-config
cat > spinnaker-config.yaml <<EOF
gcs:
  enabled: true
  bucket: $BUCKET
  project: $PROJECT
  jsonKey: '$SA_JSON'
dockerRegistries:
- name: gcr
  address: https://gcr.io
  username: _json_key
  password: '$SA_JSON'
  email: 1234@5678.com
# Disable minio as the default storage backend
minio:
  enabled: false
# Configure Spinnaker to enable GCP services
halyard:
  spinnakerVersion: 1.19.4
  image:
    repository: us-docker.pkg.dev/spinnaker-community/docker/halyard
    tag: 1.32.0
    pullSecrets: []
  additionalScripts:
    create: true
    data:
      enable_gcs_artifacts.sh: |-
        \$HAL_COMMAND config artifact gcs account add gcs-$PROJECT --json-path /opt/gcs/key.json
        \$HAL_COMMAND config artifact gcs enable
      enable_pubsub_triggers.sh: |-
        \$HAL_COMMAND config pubsub google enable
        \$HAL_COMMAND config pubsub google subscription add gcr-triggers \
          --subscription-name gcr-triggers \
          --json-path /opt/gcs/key.json \
          --project $PROJECT \
          --message-format GCR
EOF
helm install -n default cd stable/spinnaker -f spinnaker-config.yaml \
    --version 2.0.0-rc9 --timeout 10m0s --wait
export DECK_POD=$(kubectl get pods --namespace default -l "cluster=spin-deck" -o jsonpath="{.items[0].metadata.name}")
kubectl port-forward --namespace default $DECK_POD 9000
export GATE_POD=$(kubectl get pods --namespace default -l "cluster=spin-gate" -o jsonpath="{.items[0].metadata.name}")
kubectl port-forward --namespace default $GATE_POD 8084
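The spinnaker-config.yaml written above embeds the service-account key twice (jsonKey and the registry password), and `cat >` creates it with whatever the shell's umask allows. An added check, not part of the original page, that lists key-bearing files readable beyond their owner; GNU stat is assumed, and the sample directory holds a placeholder key constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Assumes GNU stat (Cloud Shell, Debian).

# For each path given, print "<mode> <path>" when the file holds service-account
# private key material and is accessible to group or others.
exposed_key_files() {
  local f mode
  for f in "$@"; do
    [ -f "$f" ] || continue
    grep -q -e 'BEGIN PRIVATE KEY' -e '"private_key"' "$f" || continue
    mode=$(stat -c '%a' "$f")
    case "$mode" in
      *00|0) ;;                              # owner-only, e.g. 600 or 400
      *)     printf '%s %s\n' "$mode" "$f" ;;
    esac
  done
  return 0
}

# Constructed sample: a placeholder key (no real key material) laid out like the
# files this walkthrough writes. Prints the temporary directory path.
make_sample() {
  local d
  d=$(mktemp -d)
  printf '{"type":"service_account","private_key":"-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n"}\n' \
    > "$d/gce-account.json"
  chmod 600 "$d/gce-account.json"
  printf "gcs:\n  jsonKey: '%s'\n" "$(cat "$d/gce-account.json")" > "$d/spinnaker-config.yaml"
  chmod 644 "$d/spinnaker-config.yaml"       # what `cat >` leaves under umask 022
  printf 'export ZONE=asia-northeast3-b\n' > "$d/properties"
  chmod 644 "$d/properties"
  echo "$d"
}

d=$(make_sample)
exposed_key_files "$d"/*                     # reports the 644 values file only
chmod 600 "$d/spinnaker-config.yaml"
exposed_key_files "$d"/*                     # silent once the file is owner-only
rm -rf "$d"
```

On a real host the arguments would be ~/.gcp/*.json and spinnaker-config.yaml; deleting the values file after `helm install` succeeds removes that copy of the key altogether.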