Configuration reference
Config.yaml
While Estafette‘s goal is to keep as much control as possible with each individual application build pipeline through the .estafette.yaml manifest, unavoidably there's some configuration that needs to be done centrally. This configuration is stored in the config.yaml file. Below is a description of the various configuration sections.
Integrations
For integrations with 3rd party services the integrations section provides a place for configuration for each individual service.
Integrations > Github
See Github integration.
Through config.yaml:
integrations:
github:
enable: true
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_INTEGRATIONS_GITHUB_ENABLE
value: 'true'
Integrations > Bitbucket
Through config.yaml:
integrations:
bitbucket:
enable: true
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_INTEGRATIONS_BITBUCKET_ENABLE
value: 'true'
Integrations > Slack
The Slack integration allows a Slash command to be configured in order to provide functionalities like encrypting a secret or triggering a release directly from Slack. For the Slash command to integrate with Estafette the following configuration section is needed.
Through config.yaml:
integrations:
slack:
enable: true
clientID: '<slack client id>'
clientSecret: '<slack client secret>'
appVerificationToken: '<slack app verification token>'
appOAuthAccessToken: '<slack app oauth access token>'
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_INTEGRATIONS_SLACK_ENABLE
value: 'true'
- name: ESCI_INTEGRATIONS_SLACK_CLIENTID
value: '<slack client id>'
- name: ESCI_INTEGRATIONS_SLACK_CLIENTSECRET
value: '<slack client secret>'
- name: ESCI_INTEGRATIONS_SLACK_APPVERIFICATIONTOKEN
value: '<slack app verification token>'
- name: ESCI_INTEGRATIONS_SLACK_APPOAUTHACCESSTOKEN
value: '<slack app oauth access token>'
Integrations > Pub/sub
In order for the Estafette CI api to create subscriptions to topics used in pubsub triggers and validate incoming events the following config section needs to be added.
Through config.yaml:
integrations:
pubsub:
enable: true
defaultProject: '<project that runs estafette>'
endpoint: 'https://<integrations host>/api/integrations/pubsub/events'
audience: beautiful-butterfly
serviceAccountEmail: '<email address for service account used by estafette-ci-api>'
subscriptionNameSuffix: '~estafette-ci-pubsub-trigger'
subscriptionIdleExpirationDays: 365
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_INTEGRATIONS_PUBSUB_ENABLE
value: 'true'
- name: ESCI_INTEGRATIONS_PUBSUB_DEFAULTPROJECT
value: '<project that runs estafette>'
- name: ESCI_INTEGRATIONS_PUBSUB_ENDPOINT
value: 'https://<integrations host>/api/integrations/pubsub/events'
- name: ESCI_INTEGRATIONS_PUBSUB_AUDIENCE
value: 'beautiful-butterfly'
- name: ESCI_INTEGRATIONS_PUBSUB_SERVICEACCOUNTEMAIL
value: '<email address for service account used by estafette-ci-api>'
- name: ESCI_INTEGRATIONS_PUBSUB_SUBSCRIPTIONNAMESUFFIX
value: '~estafette-ci-pubsub-trigger'
- name: ESCI_INTEGRATIONS_PUBSUB_SUBSCRIPTIONIDLEEXPIRATIONDAYS
value: '365'
For all projects used in pubsub triggers the estafette-ci-api service account needs the following roles:
- pubsub.subscriber
- pubsub.editor
Integrations > Prometheus
Through config.yaml:
integrations:
prometheus:
enable: true
serverURL: http://estafette-ci-metrics-server
scrapeIntervalSeconds: 5
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_INTEGRATIONS_PROMETHEUS_ENABLE
value: 'true'
- name: ESCI_INTEGRATIONS_PROMETHEUS_SERVERURL
value: 'http://estafette-ci-metrics-server'
- name: ESCI_INTEGRATIONS_PROMETHEUS_SCRAPEINTERVALSECONDS
value: '5'
Integrations > BigQuery
Through config.yaml:
integrations:
bigquery:
enable: true
projectID: '<google cloud project id with dataset>'
dataset: estafette_ci
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_INTEGRATIONS_BIGQUERY_ENABLE
value: 'true'
- name: ESCI_INTEGRATIONS_BIGQUERY_PROJECTID
value: '<google cloud project id with dataset>'
- name: ESCI_INTEGRATIONS_BIGQUERY_DATASET
value: 'estafette_ci'
Integrations > CloudStorage
Through config.yaml:
integrations:
gcs:
enable: true
projectID: '<google cloud project id with gcs bucket>'
bucket: '<google cloud bucket name for logs storage>'
logsDir: logs
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_INTEGRATIONS_CLOUDSTORAGE_ENABLE
value: 'true'
- name: ESCI_INTEGRATIONS_CLOUDSTORAGE_PROJECTID
value: '<google cloud project id with gcs bucket>'
- name: ESCI_INTEGRATIONS_CLOUDSTORAGE_BUCKET
value: '<google cloud bucket name for logs storage>'
- name: ESCI_INTEGRATIONS_CLOUDSTORAGE_LOGSDIRECTORY
value: 'logs'
Integrations > CloudSource
Through config.yaml:
integrations:
cloudsource:
enable: true
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_INTEGRATIONS_CLOUDSOURCE_ENABLE
value: 'true'
API Server
Urls
In order to set correct links for build status integration and provide correct communication between the builder jobs and the api there's some minimal configuration for the API itself:
Through config.yaml:
apiServer:
baseURL: 'https://<(private) host for the web gui>'
integrationsURL: 'https://<public host to receive webhooks>'
serviceURL: 'http://estafette-ci-api.<namespace>.svc.cluster.local/'
Or via Helm values.yaml:
api:
# (private) host at which to access the web interface and api
baseHost: estafette.mydomain.com
# host to receive webhooks from 3rd party integrations like github, bitbucket
integrationsHost: estafette-integrations.mydomain.com
These values are automatically used in the default config.yaml used in the estafette-ci Helm chart.
Log reading/writing
See full instructions.
Through config.yaml:
apiServer:
logwriters:
- cloudstorage
logreader: cloudstorage
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_APISERVER_LOGWRITERS
value: cloudstorage
- name: ESCI_APISERVER_LOGREADER
value: cloudstorage
Injecting stages
Estafette allows you to globally inject stages into all pipelines. Both before or after all the stages defined in the .estafette.yaml manifest have been executed.
Through config.yaml:
apiServer:
injectStagesPerOperatingSystem:
linux:
build:
before:
- name: envvars
image: extensions/envvars:stable
after: []
release:
before:
- name: envvars
image: extensions/envvars:stable
after: []
bot:
before:
- name: envvars
image: extensions/envvars:stable
after: []
Docker config for pipeline jobs
To specify some details on how the estafette-ci-builder runs the Docker daemon and configures one another.
Through config.yaml:
apiServer:
dockerConfigPerOperatingSystem:
linux:
runType: dind
mtu: 1460
bip: 192.168.1.1/24
networks:
- name: estafette
driver: default
subnet: 192.168.2.1/24
gateway: 192.168.2.1
durable: false
registryMirror: https://mirror.gcr.io
Authentication
Securing the API through JSON Web Tokens (JWT)
The communication between the different Estafette CI components is secured using JSON Web Tokens. This is configured out of the box in the estafette-ci Helm chart, but for completeness it has the following config properties.
Through config.yaml:
auth:
jwt:
domain: <private hostname for estafette>
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_AUTH_JWT_DOMAIN
value: '<private hostname for estafette>'
Administrators
To gain access to the Admin sections in the Estafette web ui and be allowed to perform any actions there you need to be set up as administrator. You can do so in the following manner.
Through config.yaml:
auth:
administrators:
- <email admin 1>
- <email admin 2>
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_AUTH_ADMINISTRATORS
value: '<email admin 1>,<email admin 2>'
Once applied log out and log in again and you should be able to see the Admin section.
Google login
See Google login.
Github login
See Github login.
Database
Estafette supports Postgresql; this allows it to use CockroachDB as it's database. Below is the required configuration to connect to the database.
Through config.yaml:
database:
databaseName: defaultdb
host: estafette-ci-db-public
insecure: false
sslMode: verify-full
certificateAuthorityPath: /cockroach-certs/ca.crt
certificatePath: /cockroach-certs/tls.crt
certificateKeyPath: /cockroach-certs/tls.key
port: 26257
user: root
password: ''
maxOpenConnections: 0
maxIdleConnections: 2
connectionMaxLifetimeMinutes: 0
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_DATABASE_DATABASENAME
value: defaultdb
- name: ESCI_DATABASE_HOST
value: estafette-ci-db-public
- name: ESCI_DATABASE_INSECURE
value: 'false'
- name: ESCI_DATABASE_SSLMODE
value: verify-full
- name: ESCI_DATABASE_CERTIFICATEAUTHORITYPATH
value: /cockroach-certs/ca.crt
- name: ESCI_DATABASE_CERTIFICATEPATH
value: /cockroach-certs/tls.crt
- name: ESCI_DATABASE_CERTIFICATEKEYPATH
value: /cockroach-certs/tls.key
- name: ESCI_DATABASE_PORT
value: '26257'
- name: ESCI_DATABASE_USER
value: root
- name: ESCI_DATABASE_PASSWORD
value: ''
- name: ESCI_DATABASE_MAXOPENCONNS
value: '0'
- name: ESCI_DATABASE_MAXIDLECONNS
value: '2'
- name: ESCI_DATABASE_CONNMAXLIFETIMEMINUTES
value: '0'
Queue
Estafette uses nats as a queue / routing mechanism to loosely couple actions triggered by an event.
It uses the following defaults in config.yaml
queue:
hosts:
- estafette-ci-queue-0.estafette-ci-queue
subjectCron: event.cron
subjectGit: event.git
subjectGithub: event.github
subjectBitbucket: event.bitbucket
Or via Helm values.yaml:
api:
deployment:
extraEnv:
- name: ESCI_QUEUE_HOSTS
value: 'estafette-ci-queue-0.estafette-ci-queue'
- name: ESCI_QUEUE_SUBJECTCRON
value: 'event.cron'
- name: ESCI_QUEUE_SUBJECTGIT
value: 'event.git'
- name: ESCI_QUEUE_SUBJECTGITHUB
value: 'event.github'
- name: ESCI_QUEUE_SUBJECTBITBUCKET
value: 'event.bitbucket'
Credentials
In order to centrally manage credentials used by various Estafette extensions or your own custom extensions. The only required fields are name and type, other fields are fully up to the consumer of the credentials. This allows Estafette to be easily extended with new types of credentials used by trusted images (see section below).
Types supported by Estafette‘s various official extensions are container-registry, kubernetes-engine and slack-webhook amongst others.
credentials:
- name: 'container-registry-estafette'
type: 'container-registry'
repository: 'estafette'
private: false
username: 'estafette.secret(793-0QLfe5QN3n1k.mDk5fL-_urybZ3T9Z3famkSZR68d-SrfqA==)'
password: 'estafette.secret(3p0Geq5U12j98HXV.Eaupah0YHK6nQkMgT4WYzC5R8FRQbDk5H6aTo1saw35de2KQ)'
- name: 'container-registry-extensions'
type: 'container-registry'
repository: 'extensions'
private: false
username: 'estafette.secret(793-0QLfe5QN3n1k.mDk5fL-_urybZ3T9Z3famkSZR68d-SrfqA==)'
password: 'estafette.secret(3p0Geq5U12j98HXV.Eaupah0YHK6nQkMgT4WYzC5R8FRQbDk5H6aTo1saw35de2KQ)'
- name: 'gke-production'
type: 'kubernetes-engine'
project: estafette-production
cluster: production-europe-west4
region: europe-west4
zone: europe-west4-d
serviceAccountKeyfile: 'estafette.secret(***)'
defaults:
namespace: production
autoscale:
min: 3
max: 500
hosts:
- ${ESTAFETTE_GIT_NAME}.estafette.io
- name: slack-webhook-estafette
type: slack-webhook
workspace: estafette
webhook: estafette.secret(***)
Notes:
- You can best see how much flexibility the credential type allows in the
kubernetes-engineexample wheredefaultsfor theextensions/gkeimage are provided. This allows you for example to override some of the extensions defaults for specific environments in case you want to deviate from those.
Trusted images
In order to gain access to the centrally stored credentials and optionally gain additional elevated permissions trusted images can be configured. For a trusted image the path provides the full container name except for it's tag. To automatically get access all credentials of one or multiple types each type of those credentials can be listed in the injectedCredentialTypes array.
Those injected credentials are then automatically mounted into the stage container(s) that use the trusted image. It mounts credentials at /credentials/<credential type in lower snake case>.json (for example /credentials/kubernetes_engine.json) in JSON format.
In not configuring anything the following default trusted images are set:
trustedImages:
- path: extensions/git-clone
injectedCredentialTypes:
- bitbucket-api-token
- github-api-token
- cloudsource-api-token
- path: extensions/github-status",
injectedCredentialTypes:
- github-api-token
- path: extensions/github-release",
injectedCredentialTypes:
- github-api-token
- path: extensions/bitbucket-status",
injectedCredentialTypes:
- bitbucket-api-token
- path: extensions/docker",
runDocker: true
injectedCredentialTypes:
- container-registry
- github-api-token
- path: extensions/gke",
injectedCredentialTypes:
- kubernetes-engine
- path: extensions/helm",
injectedCredentialTypes:
- kubernetes-engine
- path: extensions/cloud-function",
injectedCredentialTypes:
- kubernetes-engine
- path: bsycorp/kind",
runPrivileged: true
You can add extra trusted images by specifying those using the trustedImages section. If you want to clear all of the default images shown above use clearDefaultTrustedImages: true. Only the images specified in the trustedImages section will be trusted in that case.
Notes:
- The
bitbucket-api-tokenorgithub-api-tokencredential types are set on the fly when a build/release job is started for either a Bitbucket or Github repository. This allows a repository to be cloned without needing to set up deploy keys or other forms of ssh authentication.
Build Control
Build Control configuration can block repositories from building on estafette instance. Configuration provides options to allow/ block repositories, projects (only on Bitbucket) from building.
Example configuration
buildControl:
bitbucket:
allowed:
projects:
- project1
- project2
repos:
- repo1
blocked:
projects:
- project3
- project4
repos:
- repo2
github:
allowed:
- repo3
blocked:
- repo4
release:
repos:
"*":
allowed:
- main
- master
blocked:
- bugfix
some-repo:
allowed:
- main
restrictedClusters:
- trvx-prd
The processing of allow/ blocking happen in following ways
- Blocked list are processed first. If any repository/ project/ branch is blocked they will not be built/ released on estafette
- If allowed list is provided repositories/ branch outside allowed projects/ repositories/ branches are not build/ released
Only build repositories under certain projects
Below configuration will only build repositories that are under project1
buildControl:
bitbucket:
allowed:
projects:
- project1
Only build certain repositories
Below configuration will only build repo1 and repo2
buildControl:
bitbucket:
allowed:
repos:
- repo1
- repo2
Block builds for certain projects
Below configuration will block any build for repositories under project3
buildControl:
bitbucket:
blocked:
projects:
- project3
Block builds for certain repositories
Below configuration will block any build for repo3 and repo4
buildControl:
bitbucket:
blocked:
repos:
- repo3
- repo4
Block Branches from repo to release on certain clusters
Below configuration will block release to trvx-prd cluster from feature branches of some-repo
buildControl:
release:
repos:
some-repo:
blocked:
- feature.*
restrictedClusters:
- trvx-prd
Block Branches from all repos to release on certain clusters
Below configuration will block any release to trvx-prd cluster from non-main branches for all reppositories
buildControl:
release:
repos:
"*":
allowed:
- main
restrictedClusters:
- trvx-prd
Source code
You can find the source code responsible for reading and validating configuration options at https://github.com/estafette/estafette-ci-api/blob/main/pkg/api/config.go