π Introduction#
When using Firestartr, each client should have a repository called .firestartr, which should contain a variety of YAML files describing many different aspects of the client’s repository, registry and application structures.
π Repo structure#
The repo structure is as follows:
apps/
ββ app1.yaml # app1 configuration YAML
ββ app2.yml # app2 configuration YAML
docker_registries/
ββ releases.yaml # releases registry configuration YAML
ββ snapshots.yaml # snapshots registry configuration YAML
platforms/
ββ cluster1.yaml # cluster1 configuration YAML
ββ cluster2.yml # cluster2 configuration YAML
providers/
ββ [app-name]/
ββ [claim-kind]/ # currently only the 'TFWorkspace' kind is supported
ββ [tenant]/
ββ [env]/
ββ provider1.yaml
ββ provider2.yaml
validations/
ββ apps/
ββ [app-name]/
ββ [claim-kind]/ # currently only the 'TFWorkspace' kind is supported
ββ validation1.yaml
ββ validation2.yaml
ββ policies/
ββ policy1.rego
ββ policy2.regoA detailed explanation of each configuration file will be provided below.
π§ App configuration example and field description#
name: app1
state_repo: "firestartr-test/state-app-sample-app"
platforms: [cluster-name]
services:
- repo: firestartr-test/build-and-dispatch-images-react
service_names: [micro-a, micro-b]
- repo: firestartr-test/another-build-and-dispatch-images-react
platforms: [cluster-name-2]
service_names: [micro-a, micro-b]- name: the name of the application for which this configuration will be applied. This value is used in the
make_dispatches.yamlfile (more info here) - state_repo: the state repo related to the application (each application should have its own state repo).
- platforms: (optional) a list of platforms where this app is deployed. These platform names should match the ones defined in the platforms configuration files.
- services: a list of service objects. Each of them contains:
- repo: the repository where objects will be uploaded. If they are prefixed by whether they are a docker image or a helm chart, this field’s value should be only the last part of the repo name (i.e., if images are prefixed with
service/and a image is uploaded asservice/client/service-name, this fields value should beclient/service-name). See the registry configuration files for more info on how to set the prefix. - platforms: (optional) a list of platforms where this service is ALLOWED TO deploy. If not specified, it will be allowed to deploy to all platforms defined in the
platformsfield of this app configuration file. If the global field is also missing, it’ll be treated the same as setting it as[]. These platform names should match the ones defined in the platforms configuration files. This field overrides the globalplatformsfield, i.e. if this field is specified, the platforms defined in the globalplatformsfield will be ignored for this service. - service_names: names of the services allowed to be saved for this app. These service names are the ones that are later written to the
images.yamlfile.
- repo: the repository where objects will be uploaded. If they are prefixed by whether they are a docker image or a helm chart, this field’s value should be only the last part of the repo name (i.e., if images are prefixed with
π§ Registry configuration example and field description#
name: snapshots # This is going to be used in the helmfile registry alias
registry: prefappacr.azurecr.io
image_types: [snapshots]
default: true
auth_strategy: azure_oidc
base_paths:
services: "service"
charts: "charts"- name: a name for the registry, which will be used by some of our apps.
- registry: url to the registry where the objects will be uploaded to.
- image_types: a list of strings, which can be either “snapshots”, “releases” or both. Specifies which type of images can be uploaded to this registry.
- default: when no registry is specified, use the one that has this field’s value set to true. There shouldn’t be multiple registries with this field set to true, but if there are, the first one found will be used.
- auth_strategy: type of authentication to use when login to the registry. Can be one of
azure_oidcoraws_oidc - base_paths: an object detailing the prefixes to use when uploading a service or chart to this registry. It has two properties:
- services: the prefix to use when uploading docker images (e.g. if this field’s value is
serviceand we upload to theprefapp/applicationrepository, the final coordinate will beservice/prefapp/application). - charts: the prefix to use when uploading helm charts (e.g. if this field’s value is
chartand we upload to theprefapp/deploymentrepository, the final coordinate will bechart/prefapp/deployment).
- services: the prefix to use when uploading docker images (e.g. if this field’s value is
π§ Platform configuration example and field description#
kubernetes platform example:
type: kubernetes
name: cluster-name
tenants: [test-tenant]
envs: [dev, pre]tfworkspaces platform example:
type: tfworkspaces
name: my-cloud-account
tenants: [my-tenant]
envs: [dev, pre]
allowedClaims:
- resourceTypes:
- az-vmss
- az-aks
providers:
- azure-predev-account
backend: terraform-backend-azure- type: describes the technology this platform uses. Allowed values are
kubernetes,tfworkspacesorvmss. - name: the name of this platform. This value is used in the
make_dispatches.yamlfile (more info here). - tenants: A list of strings, used when this platform is set as a configuration value alongside one or multiple tenants for validation.
- envs: A list of strings, used when this platform is set as a configuration value alongside one or multiple environments for validation.
- allowedClaims: A list of objects describing which TFWorkspace claims are allowed to be deployed to this platform, and which providers and backends they should use. This field should only be set when
type: tfworkspaces. Each object has the following fields:- resourceTypes: a list of strings, each of which is the name of a resource type. Any TFWorkspace claims that have any of these values set as their
resourceTypewill be allowed by this platform. - providers: a list of strings, each of which is the name of a provider defined in the providers configuration files. If a claim uses one of these providers, it’ll be allowed to be deployed to this platform.
- backend: a string describing the name of the backend configuration that should be used for claims matching this condition.
- resourceTypes: a list of strings, each of which is the name of a resource type. Any TFWorkspace claims that have any of these values set as their
π§ Providers configuration example and field description#
name: provider-my-tenant-dev
resourceTypes:
- resourceType1
- resourceType2
...- name: the name of this provider.
- resourceTypes: A list of strings, each of which is the name of a resource type this provider applies to.
π§ App validation configuration example and field description#
name: my-validation
description: "My validation description"
regoFile: path/to_the/rego_file.rego
applyTo: [condition list]
data:
- key1: value1
- key2: value2
...- name: the name of the validation file, which must be unique between them.
- description: a brief description of what this validation does. Purely for human readability purpouses.
- regoFile: path to the rego file, relative to the policies folder (i.e., this field’s value will be concatenated to
.firestartr/validations/policieslike so:.firestartr/validations/policies/[this_fields_value]) - applyTo: a list of conditions which describe to which claims this validation applies to. For this, for each value in each element of the list, an AND operation is done with each other value of that element, then for each element an OR operation is done against each other element. See “About the applyTo field values” to learn more about the possible values of this field.
- data: key-value pairs, where each key is a variable name and each name its value, to be used inside the
regoFilefile.
π’ About validation policies#
These are regular .rego files and have no custom or special values. You can learn more about Rego here