Connecting Spinnaker to GitHub as an Artifact Source

Configuring a GitHub Trigger

Spinnaker pipelines can be configured to trigger when a change is committed to a GitHub repository. This doesn’t require any configuration of Spinnaker other than adding a GitHub trigger but does require administration of the GitHub repositories to configure the webhook.

The open source documentation has concise instructions for configuring GitHub webhooks.

Configuring GitHub as an Artifact Source

If you actually want to use a file from the GitHub commit in your pipeline, you’ll need to configure GitHub as an artifact source.

This is just a quick walkthrough of how to configure your Spinnaker to access a GitHub repo as a source of artifacts. Many of the commands below have additional options that may be useful (or possibly required). If you need more detailed help, take a look at the Halyard command reference if you’re deploying Spinnaker with Halyard.

Enable GitHub Artifacts

If you haven’t done this yet (for example, if you’ve just installed Armory Spinnaker fresh), you’ll need to enable GitHub as an artifact source:

Operator

Add the following snippet to SpinnakerService manifest:

apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:  
    config:
      features:
        artifacts: true
      artifacts:
        github:
          enabled: true

Halyard

hal config features edit --artifacts true
hal config artifact github enable

Add a GitHub Credential

To access private GitHub repositories, you’ll need a GitHub “Personal Access Token”. This can be generated by going to the “Settings” page in GitHub, then clicking on “Developer Settings” and then “Personal Access Token”. The token will need the repo scope.

Once you have a token, you should provide that token for Spinnaker’s Igor service as a credential to use to access GitHub. This can be done with a command like this:

Replace the account name github_user with the string you want to use to identify this GitHub credential.

Operator

Add the following snippet to SpinnakerService manifest:

apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:  
    config:
      features:
        artifacts: true
      artifacts:
        github:
          enabled: true
          accounts:
          - name: github_user
            token: abc  # GitHub's personal access token. This fields supports `encrypted` references to secrets.
            # username: abc # GitHub username
            # password: abc # GitHub password. This fields supports `encryptedreferences` to secrets.
            # usernamePasswordFile: creds.txt # File containing "username:password" to use for GitHub authentication. This fields supports `encryptedFilereferences` to secrets.
            # tokenFile: token.txt # File containing a GitHub authentication token. This fields supports `encryptedFile` references to secrets.

If you have a GitHub personal access token, you only need that to authenticate against GitHub, but there are other authentication options like username/password, or specifying credentials in a file entry.

Don’t forget to apply your changes:

kubectl -n >spinnaker namespace> apply -f <SpinnakerService manifest>

Halyard

GITHUB_ACCOUNT_NAME=github_user
hal config artifact github account add ${GITHUB_ACCOUNT_NAME} \
    --token # you'll be prompted for this interactively

Detailed information on all command line options can be found here.

Don’t forget to run hal deploy apply to apply your changes.

Using the GitHub Credential

You may note that the above GitHub “account” doesn’t actually have a endpoint for your GitHub; this account is basically just the credential used by Spinnaker artifacts to access GitHub. The actual GitHub API endpoint is specified in the artifact reference. There are a couple ways to use this credential, one example of which is detailed here:

Troubleshooting Credentials and URIs

To verify that your token and URI are correct, you can run a curl command to test authentication (the user field doesn’t matter):

curl https://api.github.com/repos/armory/demo/contents/manifests/deployment.yml \
  -u nobody:abcdef0123456789abcdef0123456789abcdef01

If you receive metadata about your file, the credential and URI are correct.