A collection of Terraform and bash scripts to setup an enterprise-grade Spinnaker deployment on Google Cloud Platform

• Vault needs to be setup and authenticated
  • VAULT_ADDR environment variable should be setup pointing to the vault server
  • Or on OSX with homebrew it's brew install vault
• Google Cloud SDK should be setup and authenticated
  • Be sure to run both gcloud auth login and gcloud config set project <YOUR_PROJECT_ID>
  • You will need to be an owner of the GCP project to grant all the permissions required for Terraform to create all the resources needed
• Terraform should be setup
  • Or on OSX with homebrew it's brew install terraform

git clone https://github.com/homedepot/spingo.git
cd spingo
./scripts/initial_setup.sh

cd dns
# Initialize Terraform against newly created bucket
terraform init
terraform apply

After the managed DNS is setup you now need to direct the DNS hostname to the proper nameservers. First, navigate to the managed DNS zone that was just setup and note the name servers listed under the data for the NS type record (it should look like ns-cloud-c1.googledomains.com and ns-cloud-c2.googledomains.com etc. and there should be 4 of them). You then need to log into your domain hosting provider and direct the owned domain to these name servers so that traffic can be routed to your project and SSL certificates can be requested through the Let's Encrypt Google domain authentication plugin which adds a TXT record to the domain to prove that it is owned by you.

Once Google Cloud DNS is properly getting traffic you will be able to complete the Let's Encrypt SSL configuration.

cd ..

Just like with DNS Managed Zones, we are separating the generation of static IPs out from the 'spinnaker/' tree to it's own self-contained area. This is necessary in order to allow for a terraform destroy of the spinnaker resources and not lose static IPs because they persist in external things like firewall rules and it's non-trivial to update those.

cd static_ips
# Initialize Terraform against newly created bucket
terraform init
terraform apply
cd ..

cd spinnaker
# Initialize Terraform against newly created bucket
terraform init
terraform apply

At the very end of the Setup Spinnaker Infrastructure step you will see an output called spinnaker_fiat_account_unique_id with a very large number printed out. That number is the unique ID of the Spinnaker service account spinnaker-fiat whose ID we need to use as the Client Name in step #3 when we follow these instructions to enable read-only permissions to get all the groups that a user has at the organization level. Many large enterprises sync their active directory groups to their Google user accounts and we want to utilize that to enable true Role Based Authentication (RBAC) within Spinnaker to separate authorizations between different applications and between different deployment targets.

cd ..

• Navigate to the APIs & Services > Credentials and set your Application name and your Authorized domains
• Navigate to Create OAuth client ID and choose Web application then enter the Name like spinnaker client ID and the Authorized redirect URIs to your HTTPS url like this (note the /login at the end of each
  • https://spinnaker-api.demo.example.com/login
• Write your new OAuth client ID and client secret into vault
  • You can enter the details directly through this command vault write secret/$(gcloud config list --format 'value(core.project)' 2>/dev/null)/gcp-oauth "client-id=replace-me" "client-secret=replace-me"
  • Alternatively, you may be able to use the vault UI and enter the information to the same location and replace anything where the value is replace-me

• Create a Slack Bot App within your Slack workspace and call it spinnakerbot
• Under the OAuth & Permissions section make sure that the bot scope is listed under interactivity and copy your Bot User OAuth Access Token
• Write your new Bot User OAuth Access Token
  • You can enter the details directly through this command vault write secret/$(gcloud config list --format 'value(core.project)' 2>/dev/null)/slack-token "value=replace-me"
  • Alternatively, you may be able to use the vault UI and enter the information to the same location and replace anything where the value is replace-me

cd certbot
# Initialize Terraform against newly created bucket
terraform init
terraform apply

• SSH into the certbot VM
• Enter this command to make sure the setup is complete showlog
• Once completed, log into the user account by entering this command spingo
• Test create a certificate by executing this script ./execute-test.sh
• When you are ready to create the certificate for real then execute this script ./execute-only-if-you-are-sure.sh
• When you have successfully recieved certificates you then execute ./make_or_update_keystore.sh
• Finally, you run the command pushcerts to push the certs back up to the halyard bucket
• You no longer need the certbot VM anymore so destroy it

terraform destroy
cd ..

cd halyard
# Initialize Terraform against newly created bucket
terraform init
terraform apply

• SSH into the halyard VM
• Enter this command to make sure the setup is complete showlog
• Once completed log into the user account by entering this command spingo
• Setup Halyard for the first time by executing ./setupHalyard.sh
• Before we deploy we should make sure we can reach the cluster by trying this command kubectl get nodes and you should see the nodes of the cluster listed
• Now we need to deploy Spinnaker with the hda command which behind the scenes runs hal deploy apply --wait-for-completion
• Once the deployment is successful the next step is to setup SSL by executing ./setupSSL.sh
• Last step is to do a hda to send the full configuration up to the Spinnaker deployment
• Navigate to your new Spinnaker by going to https://spinnaker.demo.example.com and replacing demo.example.com with whatever domain you entered into the initialization script

If you have previously run scripts/initial_setup.sh, and are in a situation where this is a new machine or otherwise a fresh clone of the repo, you can restore the saved values from vault by running:

scripts/restore_saved_config_from_vault.sh

If you want to completely destroy the installation:

1. terraform destroy all of the subdirectories in the reverse-order that you ran terraform apply
2. execute scripts/reset_spingo.sh

scripts/reset_spingo.sh is designed to remove the service accounts that terraform requires.

Check out the contributing readme for information on how to contribute to the project.

This project is released under the Apache2 free software license. More information can be found in the LICENSE file.