I want to configure two different AWS account credentials in Spinnaker. How can I add a second account in Spinnaker?
Thanks,
Puneet
Here are the detailed instructions on how to add multiple accounts to Spinnaker as written by the Spinnaker development team. You basically need to add the ability to assume role from the secondary account - https://github.com/spinnaker/clouddriver/tree/master/clouddriver-aws
Keep in mind that the default templates on spinnaker/spinnaker do not allow for multiple accounts and you have to edit clouddriver.yml directly to follow these instructions.
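An illustrative `clouddriver.yml` fragment for the two-account setup this answer points to, added here as an example and not taken from the original post or from the Spinnaker project. The account names, account IDs and the role name `role/spinnakerManaged` are placeholder assumptions; the role must exist in each listed account with a trust policy that lets the identity Clouddriver runs as assume it.

```yaml
# Added example: two AWS accounts in clouddriver.yml (all values are placeholders).
aws:
  enabled: true
  accounts:
    # Account that Spinnaker itself runs in.
    - name: staging
      accountId: "111111111111"
      # Role Clouddriver assumes to act in this account.
      assumeRole: role/spinnakerManaged
      regions:
        - name: us-east-1
    # Second account, reached only by assuming a role inside it.
    # No long-lived access keys for this account are stored in Spinnaker.
    - name: prod
      accountId: "222222222222"
      assumeRole: role/spinnakerManaged
      regions:
        - name: us-east-1
```

Scoping the policy attached to the assumed role in each account, rather than sharing one set of access keys, keeps the blast radius of a compromised Spinnaker host limited to what each role permits.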
I'm currently searching for a way to grant specific users permissions to only use and manage the features listed in the Test Plans tab in Azure DevOps. So users in this group/team should not be able to see releases, builds, code and all the other stuff in the current project.
Is there a way to achieve this?
Thanks
There is no default way to disable services of Repos, Pipeline, etc. You need to set the permission for each resource by referring to the following link:
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops&tabs=preview-page
For example, to make users not see the repo, you can deny the "Read" permission for the repo:
I am trying to evaluate Jenkins+Spinnaker as our CI/CD platform and I would like to say it worked perfectly for us till the Staging environment. We are using AWS and AMIs for our flow.
Now, our requirement is that we want to share the AMI with the Prod account, which is a completely different account from UAT and Staging, only when it passes QA in the Staging env, as we want to keep only those images in our prod account which have passed quality gates. I tried searching for some suggestions for the same but didn't find any. Though there were some blogs on sharing an AMI with different regions at the baking step using aws-multi-ebs.json, which is not our requirement.
Is there any inbuilt process in Spinnaker itself for the same, or do I need to use some outside job, like integrating with Jenkins, for copying the AMI to the Prod env?
Spinnaker will do this by default via allow launch (the AMI remains owned by the baking account, but when you deploy to the prod account, launch permission is granted to that account).
Have a business requirement to prevent development users from being able to access production and integration MFP environments; however, they can retain full access to the test environment.
Currently have the following Active Directory security groups configured for the production environment:
mfpadmin
mfpdeployer
mfpmonitor
mfpoperator
mfpanalytics_administrator
mfpanalytics_infrastructure
mfpanalytics_support
mfpanalytics_developer
mfpanalytics_business
mfpappcenteradmin
mfpappcenteruser
Within the server.xml file there is an LDAP connection and then a section defining security roles. These AD group names are reflected in the security role section. To fulfill the requirement above, one may presumably create new Active Directory security groups similar to the ones listed above (something like mfpadmin-test, mfpadmin-int), add development users to these newly created test groups, e.g., mc-admin-test, remove these same users from the groups defined for the production environment, e.g., mfpadmin, and update the appropriate server.xml file.
Is there anything inside of the specific applications (Admin, Analytics, AppCenter) that one needs to do to further restrict access?
Is there anything needed to be done with the war file?
Is there anything inside of the specific applications (Admin, Analytics, AppCenter) that one needs to do to further restrict access?
(A) No, just defining the right security roles should be sufficient.
Is there anything needed to be done with the war file?
(A) No, nothing to do with the war file.
mfpadmin, mfpdeployer, mfpmonitor, and mfpoperator are the default security roles defined by MobileFirst. The same security roles will need to be defined for your test and integration environments. These security roles can in turn be grouped to the right groups, i.e. mfpadmin-test, mfpadmin-in etc.
I have set up a three-node secure NiFi cluster and integrated it with LDAP for user login.
My doubts:
In login-identity-providers.xml, can we add multiple User Search Base entries for LDAP? (I tried adding multiple usersearchbase entries but it failed.)
In LDAP, the user search should happen on multiple subdomains, e.g.: DC=example1,dc=example,dc=com
DC=example2,dc=example,dc=com
on User-search-base in login-identity-providers.xml
To achieve multitenancy in LDAP, what are the configuration changes we need to make in identity provider.xml?
A tenant1 user should access the process group defined for tenant 1 itself, and it should not be accessible to tenant2 users.
From what I can tell, and assuming you are using Microsoft Active Directory, if you use:
FOLLOW
It may work.
We also sometimes might use the Global Catalog (as then there are no referrals)
I also am guessing that the "empty" parameters should be removed (but I do NOT know how NIFI works).
I would suggest you also do tests with an LDAP browser to make sure you know what your LDAP tree looks like. We use Apache Studio, but there are others.
More data on if it is Microsoft Active Directory and refer to https://stackoverflow.com/help/how-to-ask
I have used AWS Community AMI for configuring Spinnaker. I am able to get the lists of ELB, AMI and Security Groups while creating Server Group. But, I am not getting the Instance types in the custom drop down list. Any idea about what could be going wrong?
Spinnaker Cluster Error
It looks like you are not having a correct IAM role assigned to the user whose access keys you are using for the spinnaker integration with AWS.
Mostly if you used the spinnaker. Check if you have enough rights in AWS.
If not, then create a role and assign AWS POWER USER ACCESS to your user and then try to get the integration.
Spinnaker is a tool which would need AWS EC2 Full access at least, as it directly accesses EC2 to spin up its server groups.
Instance types are cached in the browser's local storage. You can explicitly refresh the cache via the 'Refresh all caches' link:
If you show the network tab of your browser's console (prior to clicking 'Refresh all caches'), you should see a request to http://localhost:8084/instanceTypes.
If the response contains your instance types, you should be good to go.