- A Docker Hub account
- A Kubernetes cluster:
  - For which you have the `admin` cluster role.
  - That is already running Brigade v2.0.0 or greater.
  - That is capable of provisioning a public IP address for a service of type `LoadBalancer`.

    ⚠️ This means you won't have much luck running the gateway locally in the likes of KinD or minikube unless you're able and willing to create port forwarding rules on your router or make use of a service such as ngrok. Both of these are beyond the scope of this documentation.
- `kubectl`
- `helm`: Commands below require `helm` 3.7.0+.
- `brig`: The Brigade CLI. Commands below require `brig` 2.0.0+.
⚠️ To proceed beyond this point, you'll need to be logged into Brigade as the "root" user (not recommended) or (preferably) as a user with the `ADMIN` role. Further discussion of this is beyond the scope of this documentation. Please refer to Brigade's own documentation.

- Using the `brig` CLI, create a service account for the gateway to use:

  ```shell
  $ brig service-account create \
      --id brigade-dockerhub-gateway \
      --description "Used by the Brigade Docker Hub Gateway"
  ```

- Make note of the token returned. This value will be used in another step.

  ⚠️ This is your only opportunity to access this value, as Brigade does not save it.

- Authorize this service account to create events:

  ```shell
  $ brig role grant EVENT_CREATOR \
      --service-account brigade-dockerhub-gateway \
      --source brigade.sh/dockerhub
  ```

  ⚠️ The `--source brigade.sh/dockerhub` option specifies that this service account can be used only to create events having a value of `brigade.sh/dockerhub` in the event's `source` field. This is a security measure that prevents the gateway from using this token for impersonating other gateways.
⚠️ Be sure you are using Helm 3.7.0 or greater and enable experimental OCI support:

```shell
$ export HELM_EXPERIMENTAL_OCI=1
```

- As this gateway requires some specific configuration to function properly, we'll first create a values file containing those settings. Use the following command to extract the full set of configuration options into a file you can modify:

  ```shell
  $ helm inspect values oci://ghcr.io/brigadecore/brigade-dockerhub-gateway \
      --version v0.4.1 > ~/brigade-dockerhub-gateway-values.yaml
  ```

- Edit `~/brigade-dockerhub-gateway-values.yaml`, making the following changes:
  - `host`: Set this to the host name where you'd like the gateway to be accessible.
  - `brigade.apiAddress`: Set this to the address of the Brigade API server, beginning with `https://`.
  - `brigade.apiToken`: Set this to the service account token obtained when you created the Brigade service account for this gateway.
  - `service.type`: If you plan to enable ingress (advanced), you can leave this as its default, `ClusterIP`. If you do not plan to enable ingress, you probably will want to change this value to `LoadBalancer`.
  - `tokens`: This field should define tokens that can be used by clients to send events (webhooks) to this gateway. Note that keys are completely ignored by the gateway and only the values (tokens) matter. The keys only serve as recognizable token identifiers for human operators.

  ⚠️ By default, TLS will be enabled and a self-signed certificate will be generated. For a production-grade deployment you should explore the options available for providing or provisioning a certificate signed by a trusted authority. These options can be located under the `tls` and `ingress.tls` sections of the values file.

- Save your changes to `~/brigade-dockerhub-gateway-values.yaml`.
- Use the following command to install the gateway:

  ```shell
  $ helm install brigade-dockerhub-gateway \
      oci://ghcr.io/brigadecore/brigade-dockerhub-gateway \
      --version v0.4.1 \
      --create-namespace \
      --namespace brigade-dockerhub-gateway \
      --values ~/brigade-dockerhub-gateway-values.yaml \
      --wait \
      --timeout 300s
  ```
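The values file produced by the steps above carries two bearer secrets: `brigade.apiToken`, which the gateway presents to the Brigade API, and every entry under `tokens`, which any client holding it can use to post webhooks to the gateway. The script below is an added example, not part of the brigade-dockerhub-gateway project: it generates a random webhook token, refuses a non-`https://` API address or a weak token, renders a minimal values file with the keys named above, and writes it with owner-only permissions. The `GATEWAY_HOST`, `BRIGADE_API_ADDRESS`, `BRIGADE_API_TOKEN` and `VALUES_OUT` environment variables, the `dockerhub-webhook` label and the minimum-length policy are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the brigade-dockerhub-gateway project.
# Assumptions: the values keys used here (host, brigade.apiAddress,
# brigade.apiToken, service.type, tokens) are the ones named in the steps
# above; the environment variables GATEWAY_HOST, BRIGADE_API_ADDRESS,
# BRIGADE_API_TOKEN and VALUES_OUT are this example's own convention.

# Generate one webhook token: 32 random bytes from /dev/urandom, hex encoded
# (64 characters). The gateway compares only values, so the key the token is
# stored under in `tokens` is just a label for operators.
gen_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# The gateway presents brigade.apiToken to this address for every event it
# creates; refuse anything that is not https:// so the token never crosses
# the network in the clear.
check_api_address() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse short or non-hex webhook tokens (constructed policy: at least 32 hex
# characters; gen_token produces 64).
check_token() {
    [ "${#1}" -ge 32 ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Render a minimal values file to stdout.
# Arguments: host, Brigade API address, service-account token, webhook token.
render_values() {
    check_api_address "$2" || { echo "brigade.apiAddress must begin with https://" >&2; return 1; }
    check_token "$4" || { echo "webhook token is too short or not hex" >&2; return 1; }
    cat <<EOF
host: $1
brigade:
  apiAddress: $2
  apiToken: $3
service:
  type: LoadBalancer
tokens:
  dockerhub-webhook: $4
EOF
}

# Usage: with the three environment variables set, write the file with
# owner-only permissions, since it holds two bearer secrets. Nothing is
# written when they are unset.
if [ -n "${GATEWAY_HOST:-}" ] && [ -n "${BRIGADE_API_ADDRESS:-}" ] && [ -n "${BRIGADE_API_TOKEN:-}" ]; then
    webhook_token=$(gen_token)
    out="${VALUES_OUT:-$HOME/brigade-dockerhub-gateway-values.yaml}"
    (umask 077; render_values "$GATEWAY_HOST" "$BRIGADE_API_ADDRESS" "$BRIGADE_API_TOKEN" "$webhook_token" > "$out")
    echo "wrote $out; hand the dockerhub-webhook token to the webhook sender only" >&2
fi
```

The rendered file sets `service.type` to `LoadBalancer`, matching the non-ingress path described above; keep `ClusterIP` instead if you enable ingress. Because the file contains secrets, keep it out of version control and pass it to `helm install` with `--values` as shown above.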
If you overrode defaults and set `service.type` to `LoadBalancer`, use this command to find the gateway's public IP address:

```shell
$ kubectl get svc brigade-dockerhub-gateway \
    --namespace brigade-dockerhub-gateway \
    --output jsonpath='{.status.loadBalancer.ingress[0].ip}'
```

If you overrode default configuration to enable support for an ingress controller, you probably know what you're doing well enough to track down the correct IP for that ingress controller without our help. 😉

With this public IP in hand, optionally edit your name servers and add an A record pointing a domain name to the public IP.