From ae4b3fc6266d6078b2b348675acdf7a62d608ba9 Mon Sep 17 00:00:00 2001 From: Finnian Dempsey <78527975+FinnianDempsey@users.noreply.github.com> Date: Mon, 4 Mar 2024 14:24:11 +1000 Subject: [PATCH 1/5] updated kube target docs to include workerpool warning --- .../deployment-targets/kubernetes-target/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md b/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md index 23ee6cf75a..e0d435a80c 100644 --- a/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md +++ b/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md @@ -177,6 +177,10 @@ When a Kubernetes target is used, the namespace it references is created automat To make use of the Kubernetes steps, the Octopus Server or workers that will run the steps need to have the `kubectl` executable installed. Linux workers also need to have the `jq`, `xargs` and `base64` applications installed. 11. Click **SAVE**. +:::div{.warning} +Setting the Worker Pool directly on the Deployment Target will override the Worker Pool defined in a Deployment Process. +::: + ## Create service accounts The recommended approach to configuring a Kubernetes target is to have a service account for each application and namespace. From 8ef6649f78c9ba2438bf8bca3758c0a64c88488d Mon Sep 17 00:00:00 2001 From: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> Date: Mon, 4 Mar 2024 09:01:33 +0000 Subject: [PATCH 2/5] Spelling fixes --- dictionary-octopus.txt | 4 ++ .../kubernetes-target/index.md | 52 +++++++++---------- 2 files changed, 30 insertions(+), 26 deletions(-) diff --git a/dictionary-octopus.txt b/dictionary-octopus.txt index ae35d916d6..75412165d9 100644 --- a/dictionary-octopus.txt +++ b/dictionary-octopus.txt @@ -78,6 +78,7 @@ hyperthreading IMDS inetmgr inetsrv +inkey internalcustomer Istio istioctl @@ -87,7 +88,9 @@ itemtype ITSM jwks keyrings +kubeconfig Kubelet +kubelogin kustomization kustomize latestdeployments @@ -151,6 +154,7 @@ rehype reindexing releaseprogression remoting +replicasets reprioritize reprovisioned reprovisioning diff --git a/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md b/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md index e0d435a80c..c076240386 100644 --- a/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md +++ b/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md @@ -45,30 +45,30 @@ A number of the fields in this configuration file map directly to the fields in apiVersion: v1 clusters: - cluster: - certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUV5REN... + certificate-authority-data: XXXXXXXXXXXXXXXX... server: https://kubernetes.example.org:443 - name: k8scluster + name: k8s-cluster contexts: - context: - cluster: k8scluster - user: k8suser - name: k8suser -current-context: k8scluster + cluster: k8s-cluster + user: k8s_user + name: k8s_user +current-context: k8s-cluster kind: Config preferences: {} users: -- name: k8suser +- name: k8s_user user: - client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tL... - client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0... - token: 1234567890abcdefghijkl -- name: k8suser2 + client-certificate-data: XXXXXXXXXXXXXXXX... + client-key-data: XXXXXXXXXXXXXXXX... + token: 1234567890xxxxxxxxxxxxx +- name: k8s_user2 user: password: some-password username: exp -- name: k8suser3 +- name: k8s_user3 user: - token: 1234567890abcdefghijkl + token: 1234567890xxxxxxxxxxxxx ``` ## Add a Kubernetes target @@ -129,7 +129,7 @@ users: C:\OpenSSL-Win32\bin\openssl pkcs12 ` -passout pass: ` -export ` - -out certificateandkey.pfx ` + -out certificate_and_key.pfx ` -in certificate.crt ` -inkey private.key ``` @@ -140,7 +140,7 @@ users: openssl pkcs12 \ -passout pass: \ -export \ - -out certificateandkey.pfx \ + -out certificate_and_key.pfx \ -in certificate.crt \ -inkey private.key ``` @@ -158,18 +158,18 @@ Decoding the `certificate-authority-data` field results in a string that looks s ``` -----BEGIN CERTIFICATE----- -MIIEyDCCArCgAwIBAgIRAOBNYnhYDBamTvQn... +XXXXXXXXXXXXXXXX... -----END CERTIFICATE----- ``` Save this text to a file called `ca.pem`, and upload it to the [Octopus certificate management area](https://oc.to/CertificatesDocumentation). The certificate can then be selected in the `cluster certificate authority` field. 9. Enter the Kubernetes Namespace. -When a single Kubernetes cluster is shared across environments, resources deployed to the cluster will often be separated by environment and by application, team, or service. In this situation, the recommended approach is to create a namespace for each application and environment (e.g., `myapplication-development` and `my-application-production`), and create a Kubernetes service account that has permissions to just that namespace. +When a single Kubernetes cluster is shared across environments, resources deployed to the cluster will often be separated by environment and by application, team, or service. In this situation, the recommended approach is to create a namespace for each application and environment (e.g., `my-application-development` and `my-application-production`), and create a Kubernetes service account that has permissions to just that namespace. -Where each environment has its own Kubernetes cluster, namespaces can be assigned to each application, team or service (e.g. `myapplication`). +Where each environment has its own Kubernetes cluster, namespaces can be assigned to each application, team or service (e.g. `my-application`). -In both scenarios, a target is then created for each Kubernetes cluster and namespace. The `Target Role` tag is set to the application name (e.g. `myapplication`), and the `Environments` are set to the matching environment. +In both scenarios, a target is then created for each Kubernetes cluster and namespace. The `Target Role` tag is set to the application name (e.g. `my-application`), and the `Environments` are set to the matching environment. When a Kubernetes target is used, the namespace it references is created automatically if it does not already exist. @@ -275,7 +275,7 @@ The token can then be saved as a Token Octopus account, and assigned to the Kube Kubernetes targets use the `kubectl` executable to communicate with the Kubernetes cluster. This executable must be available on the path on the target where the step is run. When using workers, this means the `kubectl` executable must be in the path on the worker that is executing the step. Otherwise the `kubectl` executable must be in the path on the Octopus Server itself. ## Vendor Authentication Plugins -Prior to `kubectl` version 1.26, the logic for authenticating against various cloud providers (eg Azure Kubernetes Services, Google Kubernetes Engine) was included "in-tree" in `kubetcl`. From version 1.26 onward, the cloud-vendor specific authentication code has been removed from `kubectl`, in favor of a plugin approach. +Prior to `kubectl` version 1.26, the logic for authenticating against various cloud providers (eg Azure Kubernetes Services, Google Kubernetes Engine) was included "in-tree" in `kubectl`. From version 1.26 onward, the cloud-vendor specific authentication code has been removed from `kubectl`, in favor of a plugin approach. What this means for your deployments: @@ -341,7 +341,7 @@ kubectl version --client --output=yaml # Write a custom kube config. This is useful when you have a config that works, and you want to confirm it works in Octopus. Write-Host "Health check with custom config file" -Set-Content -Path "myconfig.yml" -Value @" +Set-Content -Path "my-config.yml" -Value @" apiVersion: v1 clusters: - cluster: @@ -351,8 +351,8 @@ clusters: contexts: - context: cluster: test - user: testadmin - name: testadmin + user: test_admin + name: test_admin - context: cluster: test user: test @@ -361,16 +361,16 @@ current-context: test kind: Config preferences: {} users: -- name: testadmin +- name: test_admin user: token: auth-token-goes-here - name: test user: client-certificate-data: certificate-data-goes-here - client-key-data: certificate-key-gies-here + client-key-data: certificate-key-goes-here "@ -kubectl version --short --kubeconfig myconfig.yml +kubectl version --short --kubeconfig my-config.yml exit 0 From c8ef1d557f505d7c6df2bacbec3fe6b44fd09109 Mon Sep 17 00:00:00 2001 From: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> Date: Mon, 4 Mar 2024 09:07:27 +0000 Subject: [PATCH 3/5] Updated date --- .../deployment-targets/kubernetes-target/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md b/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md index c076240386..974f9a55db 100644 --- a/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md +++ b/src/pages/docs/infrastructure/deployment-targets/kubernetes-target/index.md @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2023-01-01 -modDate: 2023-01-01 +modDate: 2024-03-04 title: Kubernetes cluster description: How to configure a Kubernetes cluster as a deployment target in Octopus navOrder: 50 From b6b04e3a5a6716a051d4505bbaf748c64401db59 Mon Sep 17 00:00:00 2001 From: Finnian Dempsey <78527975+FinnianDempsey@users.noreply.github.com> Date: Tue, 5 Mar 2024 19:17:08 +1000 Subject: [PATCH 4/5] testing process --- .../deployment-targets/tentacle/tentacle-communication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/infrastructure/deployment-targets/tentacle/tentacle-communication.md b/src/pages/docs/infrastructure/deployment-targets/tentacle/tentacle-communication.md index 9a424730ca..548ad6c856 100644 --- a/src/pages/docs/infrastructure/deployment-targets/tentacle/tentacle-communication.md +++ b/src/pages/docs/infrastructure/deployment-targets/tentacle/tentacle-communication.md @@ -18,7 +18,7 @@ In listening mode Tentacle is the TCP server, and Octopus is the TCP client. :::figure ![Octopus to Listening Tentacle communication](/docs/infrastructure/deployment-targets/tentacle/images/listening-tentacle.png) ::: - + When choosing a communication mode, we recommend Listening mode when possible. Listening mode uses the least resources (listening on a TCP port is cheaper than actively trying to connect to one). It also gives you the most control (you can use rules in your firewall to limit which IP addresses can connect to the port). [Octopus and Tentacle use SSL when communicating](/docs/security/octopus-tentacle-communication), and Tentacle will outright reject connections that aren't from an Octopus Server that it trusts, identified by an X.509 certificate public key that you provide during setup. From 984a118456a1d0b918f54771b2270d3f1e5e2023 Mon Sep 17 00:00:00 2001 From: Finnian Dempsey <78527975+FinnianDempsey@users.noreply.github.com> Date: Wed, 6 Mar 2024 08:01:06 +1000 Subject: [PATCH 5/5] Revert "testing process" This reverts commit b6b04e3a5a6716a051d4505bbaf748c64401db59. --- .../deployment-targets/tentacle/tentacle-communication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/infrastructure/deployment-targets/tentacle/tentacle-communication.md b/src/pages/docs/infrastructure/deployment-targets/tentacle/tentacle-communication.md index 548ad6c856..9a424730ca 100644 --- a/src/pages/docs/infrastructure/deployment-targets/tentacle/tentacle-communication.md +++ b/src/pages/docs/infrastructure/deployment-targets/tentacle/tentacle-communication.md @@ -18,7 +18,7 @@ In listening mode Tentacle is the TCP server, and Octopus is the TCP client. :::figure ![Octopus to Listening Tentacle communication](/docs/infrastructure/deployment-targets/tentacle/images/listening-tentacle.png) ::: - + When choosing a communication mode, we recommend Listening mode when possible. Listening mode uses the least resources (listening on a TCP port is cheaper than actively trying to connect to one). It also gives you the most control (you can use rules in your firewall to limit which IP addresses can connect to the port). [Octopus and Tentacle use SSL when communicating](/docs/security/octopus-tentacle-communication), and Tentacle will outright reject connections that aren't from an Octopus Server that it trusts, identified by an X.509 certificate public key that you provide during setup.