In this lab we will install Concourse to new worker nodes within the shared cluster via a Helm chart. The following modifications to the default chart values need to be made:
- Use Contour Ingress
- Generate certificate for concourse web endpoint via Cert Manager/Let's Encrypt
- Updated URLs for concourse web
- Set an admin user with password from
params.yaml
and place in main team - Configure for OIDC authentication and initial placement of
platform-team
into the main team - Tolerations so that concourse web and workers run on isolated tainted nodes
- Explicitly add Let's Encrypt CA to the OIDC endpoint in case of custom Okta domains
Concourse will also be managed via Tanzu Mission Control in a dedicated workspace.
The following section should be added to or exist in your local params.yaml file:
concourse:
namespace: concourse
fqdn: concourse.tkg-shared.<your-domain>
tmc-workspace: concourse-workspace
admin-password: SuperSecretPassword
okta:
concourse-app-client-id: foo-client-id
concourse-app-client-secret: bar-client-secret
Once these are in place and correct, run the following to export the following into your shell:
export TMC_CLUSTER_GROUP=$(yq e .tmc.cluster-group $PARAMS_YAML)
export CONCOURSE_NAMESPACE=$(yq e .concourse.namespace $PARAMS_YAML)
export CONCOURSE_TMC_WORKSPACE=$TMC_CLUSTER_GROUP-$(yq e .concourse.tmc-workspace $PARAMS_YAML)
export CLUSTER_NAME=$(yq e .shared-services-cluster.name $PARAMS_YAML)
export IAAS=$(yq e .iaas $PARAMS_YAML)
export VMWARE_ID=$(yq e .vmware-id $PARAMS_YAML)
In order to deploy the Helm chart for Concourse to a dedicated namespace, we need to create it first. To do this, we can use Tanzu Mission Control, as it is already running on our shared services cluster. This will create a "managed namespace", where we can assert additional control over what is deployed.
tmc workspace create -n $CONCOURSE_TMC_WORKSPACE -d "Workspace for Concourse"
tmc cluster namespace create -c $VMWARE_ID-$CLUSTER_NAME-$IAAS -n $CONCOURSE_NAMESPACE -d "Concourse product installation" -k $CONCOURSE_TMC_WORKSPACE -m attached -p attached
-
Log into your Okta account you created as part of the Okta Setup Lab. The URL should be in your
params.yaml
file under okta.auth-server-fqdn. -
Choose Applications (Left menu) > Add Application > Create New App > Web, Click Next.
-
Complete the form as follows, and then click Done.
- Give your app a name:
Concourse
- Remove Base URL
- Login redirect URIs:
https://<concourse.fqdn from $PARAMS_YAML>/sky/issuer/callback
# - Logout redirect URIs:
https://<concourse.fqdn from $PARAMS_YAML>/sky/issuer/logout
- Grant type allowed:
Authorization Code
- Capture
Client ID
andClient Secret
for and put it in your $PARAMS_YAML file
okta:
concourse-app-client-id: MY_CLIENT_ID
concourse-app-client-secret: MY_CLIENT_SECRET
- Choose Applications (left menu) > Applications > Pick your app > Sign On tab > Edit OpenID Connect ID Token section
- Groups claim type =>
Filter
- Groups claim filter => groups Matches regex .*
Prepare and deploy the YAML manifests for the related Concourse K8S objects. Manifest will be output into concourse/generated/
in case you want to inspect.
kubectl config use-context $CLUSTER_NAME-admin@$CLUSTER_NAME
./scripts/generate-and-apply-concourse-yaml.sh
Lastly, add the newly created namespace for the Concourse main team to TMC's managed workspace we created earlier.
tmc cluster namespace attach -c $VMWARE_ID-$CLUSTER_NAME-$IAAS -n concourse-main -k $CONCOURSE_TMC_WORKSPACE --management-cluster-name attached --provisioner-name attached
- All Concourse pods are in a running state, on the tainted nodes:
kubectl get po -n $CONCOURSE_NAMESPACE -o wide
- Certificate is True and Ingress created:
kubectl get cert,ing -n $CONCOURSE_NAMESPACE
- Open a browser and navigate to the FQDN you defined for Concourse above. The default user is admin/<password from
params.yaml
>.
-
Download the fly cli from the concourse UI. Choose the correct OS version and then copy to location in your path (e.g.
/usr/local/bin
). -
Log in and save alias
fly -t $(yq e .shared-services-cluster.name $PARAMS_YAML) login \
-c https://$(yq e .concourse.fqdn $PARAMS_YAML) \
-n main
Note: You will be prompted to access the web url and authenticate. If you are running fly from a console that does not have web app access, you can alternatively pass in the username and password into the login command for the admin user (not the OIDC users).
There are a number of ways to manage pipeline configuration values. See notes at https://github.com/concourse/concourse-chart In the sample pipeline we will place them in a Kubernetes secret.
- Create Kubernetes secret in the concourse_main namespace.
ytt -f concourse/common-secrets.yaml --ignore-unknown-comments | kapp deploy -n concourse-main -a concourse-main-secrets -y -f -
- Set the pipeline using fly cli
fly -t $(yq e .shared-services-cluster.name $PARAMS_YAML) set-pipeline -p test-pipeline -c concourse/test-pipeline.yaml -n
fly -t $(yq e .shared-services-cluster.name $PARAMS_YAML) unpause-pipeline -p test-pipeline
fly -t $(yq e .shared-services-cluster.name $PARAMS_YAML) trigger-job -j test-pipeline/hello-world --watch