Install terraform and terraform-provider-coreosbox:

```sh
brew install terraform
brew tap 'samsung-cnct/terraform-provider-coreosbox'
brew install terraform-provider-coreosbox
```

On a non-OSX platform, follow the installation directions for terraform and then unzip the appropriate release of terraform-provider-coreosbox into the terraform path.

Install ansible:

```sh
pip install -r requirements.txt
```
You'll need to pre-create some credentials for each instance of kraken-ci:

- kraken-ci
  - choose a name for this instance; we'll call it "example-kraken-ci"
  - generate ssh keys, e.g.: `mkdir -p keys && ssh-keygen -q -t rsa -N '' -C example-kraken-ci -f ./keys/id_rsa`
  - generate secrets
    - TODO: how to generate jenkins secrets
    - TODO: how to generate docker/config.json
  - alternatively, re-use secrets from a previous kraken-ci installation; we'll assume example-kraken-ci-prime: `aws s3 cp --recursive s3://sundry-automata/secrets/ ./secrets`
- AWS
  - choose a region; we'll assume "us-west-2"
  - make an s3 bucket: s3://example-kraken-ci-backup
  - choose an s3 bucket; we'll assume "sundry-automata"
  - upload the generated ssh keys: `aws s3 cp --recursive ./keys/ s3://sundry-automata/keys/` (this copies the private key along with the public key, so the bucket must not be readable by anyone outside the team)
  - upload jenkins secrets: `aws s3 cp --recursive ./secrets/ s3://sundry-automata/secrets/`
  - this would be "us-west-2"
  - choose/create an IAM user; we'll assume "example-aws-user"
  - update/create access credentials at
- GCE
  - pick a "dev project" (we'll assume this to be k8s-work)
  - pick a "prod project" (we'll assume this to be cnct-productioncluster)
  - generate JSON-formatted keys for the 'Compute Engine default service account' (or another account with at least Editor access) for both projects
    - GCE_SERVICE_ACCOUNT_ID - this is the id of the dev project SA
    - GCE_PROD_SERVICE_ACCOUNT_ID - this is the id of the prod project SA
  - upload the dev project key to s3://sundry-automata/secrets/
  - upload the prod project key to s3://sundry-automata/secrets/
- Slack
  - choose/create a slack team; we'll assume "example-team"
  - manage apps for that team at
  - add a jenkins-ci app
  - choose a channel; we'll assume "#pipeline"
  - look for the "Token" setting on the next page
- Github
  - choose/create a github org; we'll assume "example-org"
  - choose/create a github user; we'll assume "example-github-user"
  - ensure "example-github-user" is a member of "example-org"
  - sign in as example-github-user, add the generated ssh key (id_rsa.pub) via
  - go to
  - configure a new OAuth App
    - name: example-kraken-ci
    - url:
    - description: example-kraken-ci instance of kraken-ci
    - callback url:
  - look for the Client ID and Client Secret on the next page
  - sign in as example-github-user, generate an access token at
  - this would be "example-github-user"
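The "generate secrets" step above leaves docker/config.json undocumented. As an added example (not the project's own code), here is a small POSIX shell script that writes a config.json in the layout the Docker client itself produces on `docker login`, i.e. `{"auths": {"<registry>": {"auth": "<base64 of user:password>"}}}`. It assumes kraken-ci's docker/config.json is that standard client config; the function names and the default output path `./secrets/docker/config.json` are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of kraken-ci. Writes a Docker client config.json in the
# layout `docker login` produces: {"auths": {"<registry>": {"auth": "<base64 user:password>"}}}
# Assumption: kraken-ci's docker/config.json is that standard Docker client config.

# Base64 of "user:password", the value Docker stores under "auth".
# Newlines are stripped so GNU and BSD base64 give the same single-line result.
docker_auth_value() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Escape backslashes and double quotes so the registry name is a valid JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the config.json for one registry: $1 registry host, $2 user, $3 password.
# Docker Hub's registry key is "https://index.docker.io/v1/".
docker_config_json() {
  registry=$(json_escape "$1")
  auth=$(docker_auth_value "$2" "$3")
  printf '{"auths": {"%s": {"auth": "%s"}}}\n' "$registry" "$auth"
}

# Write it to $4 (default ./secrets/docker/config.json) so that the file is created
# owner-readable only (umask 077 applies at creation, so it is never world-readable).
write_docker_config() {
  out="${4:-./secrets/docker/config.json}"
  mkdir -p "$(dirname "$out")"
  ( umask 077 && docker_config_json "$1" "$2" "$3" > "$out" )
}
```

Usage: `. ./docker-config.sh && write_docker_config https://index.docker.io/v1/ example-docker-user "$DOCKER_PASSWORD"`, then upload the resulting `./secrets/` directory as in the AWS step above. The password is passed as an argument rather than typed on the command line so that it does not land in shell history.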
Create an env file or otherwise populate your environment with the required secrets and settings:

```sh
$ cat > .env-example-kraken-ci <<EOS
export AWS_ACCESS_KEY_ID="<aws access key>"
export AWS_SECRET_ACCESS_KEY="<aws secret key>"
export AWS_DEFAULT_REGION="<aws region>"
export SLACK_API_TOKEN="<slack api token>"
export GITHUB_CLIENT_ID="<github app id>"
export GITHUB_CLIENT_KEY="<github app key>"
export GITHUB_ACCESS_TOKEN="<github token>"
export GITHUB_USERNAME="<github user>"
export GCE_SERVICE_ACCOUNT_ID="<dev project SA id>"
export GCE_PROD_SERVICE_ACCOUNT_ID="<prod project SA id>"
export KRAKEN_CI_NAME="example-kraken-ci"
EOS
$ . .env-example-kraken-ci && ./ --dump-data yes
```
Point your browser to

You should see the jenkins dashboard. Now try:

```sh
$ . .env-example-kraken-ci && ./ --dump-data no
```

No graceful termination / draining is in place, so coordinate with your team members accordingly.

```sh
$ . .env-example-kraken-ci && ./
```
To test out / verify letsencrypt connectivity using their staging server, use the `--test-instance yes` flag or export `TEST_INSTANCE=yes`. This will produce invalid certificates that may be rejected by your browser.

Instead of specifying all of the command line switches, you can export the environment variables used in the file
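Since the run commands above fail late and noisily when a variable is still a template placeholder, here is an added pre-flight check to source before them (example code, not part of kraken-ci). It verifies that every variable from the env file is set and no longer holds a `<placeholder>`, and that the files holding secrets (the env file and `./keys/id_rsa`) are readable only by their owner. The variable list mirrors the env file above; the function names and the default file paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of kraken-ci: pre-flight check for the settings sourced
# from .env-example-kraken-ci. The variable names are those of the env file above.

REQUIRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION \
SLACK_API_TOKEN GITHUB_CLIENT_ID GITHUB_CLIENT_KEY GITHUB_ACCESS_TOKEN GITHUB_USERNAME \
GCE_SERVICE_ACCOUNT_ID GCE_PROD_SERVICE_ACCOUNT_ID KRAKEN_CI_NAME"

# Returns 0 when every required variable is set, non-empty and no longer holds a
# "<placeholder>" left over from the template; each offender is reported on stderr.
check_env_vars() {
  rc=0
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    case "$value" in
      "")      echo "missing: $name" >&2; rc=1 ;;
      "<"*">") echo "placeholder not replaced: $name" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Returns 0 when the file exists and is readable by its owner only (mode 600 or 400),
# which is what ssh requires for the private key and what an env file full of
# secrets should have as well. $1 is the path.
check_owner_only_mode() {
  f="$1"
  [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
  # `stat -c` is GNU (Linux); `stat -f` is BSD/macOS.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f has mode $mode; expected 600" >&2; return 1 ;;
  esac
}

# Run all checks; $1 is the env file, $2 the private key (defaults assumed by this example).
preflight() {
  ok=0
  check_owner_only_mode "${1:-.env-example-kraken-ci}" || ok=1
  check_owner_only_mode "${2:-./keys/id_rsa}" || ok=1
  check_env_vars || ok=1
  return $ok
}
```

Usage: `. .env-example-kraken-ci && . ./preflight.sh && preflight && ./ --dump-data yes`; the run is skipped when any check fails, and the reasons are printed on stderr.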
- Currently no locking is implemented for the S3 state backend. Coordinate with your team members accordingly.
- jenkins secrets are manually generated
- docker/config.json generation is undocumented