--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: spinnaker-admin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: default namespace: spinnaker --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: halyard-pv-claim namespace: spinnaker labels: app: halyard-storage-claim spec: accessModes: - ReadWriteOnce resources: requests: storage: 5Gi storageClassName: standard --- apiVersion: apps/v1beta1 kind: Deployment metadata: name: spin-halyard namespace: spinnaker labels: app: spin stack: halyard spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app: spin stack: halyard template: metadata: labels: app: spin stack: halyard spec: securityContext: runAsGroup: 1000 runAsUser: 1000 fsGroup: 1000 containers: - name: halyard-daemon # todo - make :stable or digest of :stable image: gcr.io/spinnaker-marketplace/halyard:stable imagePullPolicy: Always command: - /bin/sh args: - -c - "cp -R /home/spinnaker/staging/.hal/. /home/spinnaker/.hal/ && /opt/halyard/bin/halyard" readinessProbe: exec: command: - wget - -q - --spider - http://localhost:8064/health ports: - containerPort: 8064 volumeMounts: - name: persistentconfig mountPath: /home/spinnaker/.hal - name: halconfig mountPath: /home/spinnaker/staging/.hal/config subPath: config - name: halconfig mountPath: /home/spinnaker/staging/.hal/default/service-settings/deck.yml subPath: deck.yml - name: halconfig mountPath: /home/spinnaker/staging/.hal/default/service-settings/gate.yml subPath: gate.yml - name: halconfig mountPath: /home/spinnaker/staging/.hal/default/service-settings/igor.yml subPath: igor.yml - name: halconfig mountPath: /home/spinnaker/staging/.hal/default/service-settings/fiat.yml subPath: fiat.yml - name: halconfig mountPath: /home/spinnaker/staging/.hal/default/service-settings/redis.yml subPath: redis.yml - name: halconfig mountPath: /home/spinnaker/staging/.hal/default/profiles/front50-local.yml subPath: front50-local.yml volumes: - name: halconfig configMap: name: halconfig - name: persistentconfig persistentVolumeClaim: claimName: halyard-pv-claim --- apiVersion: v1 kind: Service metadata: name: spin-halyard namespace: spinnaker spec: ports: - port: 8064 targetPort: 8064 protocol: TCP selector: app: spin stack: halyard --- apiVersion: v1 kind: ConfigMap metadata: name: halconfig namespace: spinnaker data: igor.yml: | enabled: true skipLifeCycleManagement: false fiat.yml: | enabled: true skipLifeCycleManagement: false front50-local.yml: | spinnaker.s3.versioning: false gate.yml: | host: 0.0.0.0 deck.yml: | host: 0.0.0.0 env: API_HOST: http://spin-gate.spinnaker:8084 redis.yml: | overrideBaseUrl: redis://spin-redis:6379 config: | currentDeployment: default deploymentConfigurations: - name: default version: 1.19.3 providers: appengine: enabled: false accounts: [] aws: enabled: false accounts: [] defaultKeyPairTemplate: '{{name}}-keypair' defaultRegions: - name: us-west-2 defaults: iamRole: BaseIAMRole azure: enabled: false accounts: [] bakeryDefaults: templateFile: azure-linux.json baseImages: [] dcos: enabled: false accounts: [] clusters: [] dockerRegistry: enabled: false accounts: [] google: enabled: false accounts: [] bakeryDefaults: templateFile: gce.json baseImages: [] zone: us-central1-f network: default useInternalIp: false kubernetes: enabled: true accounts: - name: gke-cluster-account requiredGroupMembership: [] providerVersion: V2 dockerRegistries: [] configureImagePullSecrets: true serviceAccount: true namespaces: [] omitNamespaces: [] kinds: [] omitKinds: [] customResources: [] oAuthScopes: [] primaryAccount: gke-cluster-account oraclebmcs: enabled: false accounts: [] deploymentEnvironment: size: SMALL type: Distributed accountName: gke-cluster-account updateVersions: true consul: enabled: false vault: enabled: false customSizing: {} gitConfig: upstreamUser: spinnaker persistentStorage: persistentStoreType: s3 azs: {} gcs: rootFolder: front50 redis: {} s3: bucket: spinnaker-artifacts rootFolder: front50 endpoint: http://minio-service.spinnaker:9000 accessKeyId: dont-use-this secretAccessKey: for-production oraclebmcs: {} features: auth: true fiat: true chaos: false entityTags: false jobs: false artifacts: true metricStores: datadog: enabled: false prometheus: enabled: false add_source_metalabels: true stackdriver: enabled: false period: 30 enabled: false notifications: slack: enabled: false timezone: America/Los_Angeles ci: jenkins: enabled: true masters: - name: jenkins-master address: http://jenkins.spinnaker.svc.cluster.local:8080 username: {{jenkins-username}} password: {{jenkins-password}} travis: enabled: false masters: [] security: apiSecurity: ssl: enabled: false overrideBaseUrl: /gate uiSecurity: ssl: enabled: false authn: oauth2: enabled: false client: {} resource: {} userInfoMapping: {} saml: enabled: false ldap: enabled: false x509: enabled: false enabled: false authz: groupMembership: service: EXTERNAL google: roleProviderType: GOOGLE github: roleProviderType: GITHUB file: roleProviderType: FILE enabled: false artifacts: gcs: enabled: false accounts: [] github: enabled: false accounts: [] http: enabled: false accounts: [] pubsub: google: enabled: false subscriptions: [] canary: enabled: true serviceIntegrations: - name: google enabled: false accounts: [] gcsEnabled: false stackdriverEnabled: false - name: prometheus enabled: false - name: datadog enabled: false accounts: [] - name: signalfx enabled: false accounts: [] - name: newrelic enabled: false accounts: [] - name: aws enabled: true accounts: - name: kayenta-minio bucket: spinnaker-artifacts rootFolder: kayenta endpoint: http://minio-service.spinnaker:9000 accessKeyId: dont-use-this secretAccessKey: for-production supportedTypes: - CONFIGURATION_STORE - OBJECT_STORE s3Enabled: true reduxLoggerEnabled: true defaultJudge: NetflixACAJudge-v1.0 stagesEnabled: true templatesEnabled: true showAllConfigsEnabled: true --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: minio-pv-claim namespace: spinnaker labels: app: minio-storage-claim spec: accessModes: - ReadWriteOnce resources: requests: storage: 5Gi storageClassName: standard --- apiVersion: apps/v1beta1 kind: Deployment metadata: # This name uniquely identifies the Deployment name: minio-deployment namespace: spinnaker spec: strategy: type: Recreate template: metadata: labels: app: minio spec: volumes: - name: storage persistentVolumeClaim: claimName: minio-pv-claim containers: - name: minio image: minio/minio args: - server - /storage env: - name: MINIO_ACCESS_KEY value: "dont-use-this" - name: MINIO_SECRET_KEY value: "for-production" ports: - containerPort: 9000 volumeMounts: - name: storage mountPath: /storage --- apiVersion: v1 kind: Service metadata: name: minio-service namespace: spinnaker spec: ports: - port: 9000 targetPort: 9000 protocol: TCP selector: app: minio --- apiVersion: batch/v1 kind: Job metadata: name: hal-deploy-apply namespace: spinnaker labels: app: job stack: hal-deploy spec: template: metadata: labels: app: job stack: hal-deploy spec: restartPolicy: OnFailure containers: - name: hal-deploy-apply # todo use a custom image image: gcr.io/spinnaker-marketplace/halyard:1.33.0 command: - /bin/sh args: - -c - "hal deploy apply --daemon-endpoint http://spin-halyard.spinnaker:8064" --- apiVersion: v1 kind: Service metadata: namespace: spinnaker labels: app: spin stack: deck name: spin-deck-lb spec: type: LoadBalancer ports: - name: http port: 9000 protocol: TCP selector: cluster: spin-deck