Enable and Configure Dynamic Accounts in the Armory Scale Agent

Learn how to enable and configure the Dynamic Accounts feature in Armory Scale Agent for Spinnaker and Kubernetes.

Before you begin

  • You are familiar with Dynamic Accounts Architecture and Features.

  • The following Dynamic Accounts features use Clouddriver Account Management:

    • Automatic account migration
    • Clouddriver Account Management API request interception

    Clouddriver Account Management is not enabled by default in Spinnaker or Armory Continuous Deployment. See Spinnaker’s Clouddriver Account Management page for how to enable the feature.

Scale Agent plugin

Dynamic Accounts is enabled by default starting with plugin versions v0.11.21/0.10.69/0.9.85.

If you are using a prior version of the plugin, you should enable Dynamic Accounts by setting kubesvc.dynamicAccounts.enabled: true in your plugin configuration. For example:

spec:
  spinnakerConfig:
    profiles:
      clouddriver:
        spinnaker:
          extensibility:
            repositories:
              armory-agent-k8s-spinplug-releases:
                enabled: true
                url: https://raw.githubusercontent.com/armory-io/agent-k8s-spinplug-releases/master/repositories.json
            plugins:
              Armory.Kubesvc:
                enabled: true
                version: 0.11.26  # Replace with a version compatible with your Armory CD version
                extensions:
                  armory.kubesvc:
                    enabled: true
        # Plugin config
        kubesvc:  
          cluster: kubernetes
          cluster-kubernetes:
            kubeconfigFile: <path-to-file> # (Optional; default: null)
            verifySsl: <true|false> # (Optional; default: true)
            namespace: <string> # (Optional; default: null)
            httpPortName: <string> # (Optional; default: http)
            clouddriverServiceNamePrefix: <string> # (Optional; default: spin-clouddriver)
          dynamicAccounts:
            enabled: <true|false>
            maxRetries: <int>
            retryFrequencySeconds: <int>
            interceptor: # requires Clouddriver Account Management to be enabled in Spinnaker/Armory Continuous Deployment
              enabled: <true|false>
            scanBatchSize: <int> # (Optional) requires Clouddriver Account Management to be enabled in Spinnaker/Armory Continuous Deployment
            scanFrequencySeconds: <int> # (Optional) requires Clouddriver Account Management to be enabled in Spinnaker/Armory Continuous Deployment
            namePatterns: ['^account1.*','^.*account2.*'] # (Optional) requires Clouddriver Account Management to be enabled in Spinnaker/Armory Continuous Deployment

dynamicAccounts:

  • enabled: (Optional) default: false; set to true to enable the Dynamic Accounts feature
  • maxRetries: (Optional) default: 3; the number of times to retry adding an account that fails the first time
  • retryFrequencySeconds: (Optional) default: 5; the number of seconds to wait between trying to add a FAILED account

The remaining optional attributes in the dynamicAccounts section are for configuring automatic migration of Clouddriver accounts to the Scale Agent. These options are discussed in detail in Migrate Clouddriver Kubernetes Accounts to the Armory Scale Agent.

If you want to use the interceptor feature to intercept requests sent to Clouddriver’s /credentials endpoint, add:

dynamicAccounts:
   enabled: true
   interceptor:
      enabled: true

Alternatively, you can enable the feature that automatically scans for new Clouddriver accounts by configuring the following:

  • scanBatchSize:
  • scanFrequencySeconds:
  • namePatterns: ['^account1.*','^.*account2.*']

For example:

dynamicAccounts:
   enabled: true
   scanBatchSize: 15
   scanFrequencySeconds: 120
   namePatterns: ['^account1.*','^.*account2.*']
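Before turning on the scan, it helps to preview which account names a namePatterns list would select, so that a loose expression does not pull in accounts you did not intend to migrate. The following is an added example, not code from Armory or the plugin. The account names and the extra patterns are constructed, and it assumes the patterns are simple enough to behave the same in Python's regex engine as in the plugin's.

```python
import re

# Constructed sample data: account names are invented for illustration.
ACCOUNTS = ["account1-dev", "prod-account2-eu", "account3", "legacy-account1"]
PAGE_PATTERNS = ["^account1.*", "^.*account2.*"]   # namePatterns from the example above
RISKY_PATTERNS = ["account1", ".*", "account[2"]   # constructed counter-examples


def preview_name_patterns(patterns, accounts):
    """Report which account names each pattern selects and flag risky patterns.

    Assumption: the plugin applies each pattern to the account name. Whether it
    uses whole-name or substring matching is not stated on the page, so both are
    evaluated and any disagreement is flagged.
    """
    report = {}
    for pattern in patterns:
        try:
            rx = re.compile(pattern)
        except re.error as exc:
            report[pattern] = {"selected": [], "warnings": [f"invalid-regex: {exc}"]}
            continue
        substring = [a for a in accounts if rx.search(a)]
        whole = [a for a in accounts if rx.fullmatch(a)]
        warnings = []
        if substring != whole:
            # Result depends on how the pattern is anchored; make it explicit.
            warnings.append("anchoring-dependent")
        if accounts and len(substring) == len(accounts):
            warnings.append("matches-every-account")
        report[pattern] = {"selected": substring, "warnings": warnings}
    return report


def unselected(patterns, accounts):
    """Accounts that no valid pattern selects, so the scan would not pick them up."""
    report = preview_name_patterns(patterns, accounts)
    hit = {a for entry in report.values() for a in entry["selected"]}
    return [a for a in accounts if a not in hit]


if __name__ == "__main__":
    for p, entry in preview_name_patterns(PAGE_PATTERNS + RISKY_PATTERNS, ACCOUNTS).items():
        print(f"{p!r:18} -> {entry['selected']} {entry['warnings']}")
    print("not selected by page patterns:", unselected(PAGE_PATTERNS, ACCOUNTS))
```

Patterns written like the ones on this page, anchored with ^ and ending in .*, give the same result under either matching mode, which is why they produce no warning.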

Access the API

The Dynamic Accounts REST API provides endpoints to create, delete, get, migrate, and update Kubernetes accounts. You can’t access these endpoints through Gate. To call the API, you need kubectl access to your Spinnaker cluster so that you can port-forward to Clouddriver:

kubectl port-forward deployment/spin-clouddriver 7002:7002 -n spinnaker 

You can then access endpoints via http://localhost:7002.

Scale Agent service

The Dynamic Accounts API is enabled by default in the Scale Agent Service:

apiVersion: v1
kind: ConfigMap
metadata:
  name: armory-agent-config
  namespace: spin-agent
data:
  armory-agent.yml: |
    server:
      port: 8082
    dynamicAccountsEnabled: true # (Optional; default: true)

You can disable dynamic accounts features by setting dynamicAccountsEnabled to false.

What’s next

  1. Migrate Clouddriver Kubernetes Accounts to the Armory Scale Agent
  2. Manage Kubernetes Accounts in the Armory Scale Agent

Last modified August 18, 2023: (02b163b7)