todaywasawesome / venona

This project forked from codefresh-io/venona


Codefresh runtime-environment agent

License: MIT License

Dockerfile 0.34% JavaScript 40.91% Makefile 0.04% Go 58.57% Shell 0.13%

venona's Introduction

VENONA


Installation

Prerequisite:

  • Kubernetes - Used to create resources in your K8S cluster
    • Kubernetes version > 1.10
    • Disk size 50GB per node
  • Codefresh - Used to create resources in Codefresh
    • An authenticated context exists under $HOME/.cfconfig, or authenticate with the Codefresh CLI

Install venona

  • Download venona's binary
    • With homebrew:
      • brew tap codefresh-io/venona
      • brew install venona
  • Create namespace where venona should run

    kubectl create namespace codefresh-runtime

  • Create new runtime-environment with Venona's agents installed

    venona install --kube-namespace codefresh-runtime

  • Get the status

    venona status
    kubectl get pods -n codefresh-runtime

Install on cluster version < 1.10

  • Make sure the PersistentLocalVolumes feature gate is turned on
  • Venona's agent loads the available APIs from the /openapi/v2 endpoint. Add this endpoint to the ClusterRole system:discovery under rules[0].nonResourceURLs:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: system:discovery
    rules:
    - nonResourceURLs:
      - ...other_resources
      - /openapi
      - /openapi/*
      verbs:
      - get

Install on GCP

  • Make sure your user has the Kubernetes Engine Cluster Admin role in the Google console
  • Bind your user to the cluster-admin Kubernetes ClusterRole

    kubectl create clusterrolebinding NAME --clusterrole cluster-admin --user YOUR_USER

Kubernetes RBAC

Installing Venona on a Kubernetes cluster creates 2 groups of objects. Each group has its own RBAC needs, and therefore its own roles (and cluster-roles). The resource descriptors are available here. List of the resources that will be created:

  • Agent (grouped by /.*.venona.yaml/)
    • service-account.venona.yaml - The service account that the agent's pod will use at the end
    • cluster-role-binding.venona.yaml - The agent discovers the K8S APIs by calling openapi/v2. This ClusterRoleBinding binds the ClusterRole system:discovery, bootstrapped by Kubernetes, to service-account.venona.yaml. This role only has permission to make GET calls to non-resource URLs
    • role.venona.yaml - Allows GET, CREATE and DELETE on pods and persistentvolumeclaims
    • role-binding.venona.yaml - The agent spins up pods and PVCs; this binding binds role.venona.yaml to service-account.venona.yaml
  • Runtime-environment (grouped by /.*.re.yaml/) - Kubernetes controller that spins up all the resources required to provide a good caching experience during pipeline execution
    • service-account.dind-volume-provisioner.re.yaml - The service account that the controller will use
    • cluster-role.dind-volume-provisioner.re.yaml - Defines all the permissions needed for the controller to operate correctly
    • cluster-role-binding.dind-volume-provisioner.yaml - Binds the ClusterRole to service-account.dind-volume-provisioner.re.yaml
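
To confirm that the agent's Role on a live cluster still matches the permissions listed above for role.venona.yaml, the rules can be compared against that list. The script below is an added example, not part of the Venona project; the role name example-agent and both sample manifests are constructed, shaped like the output of kubectl get role NAME -n NAMESPACE -o json.

```python
import json

# Permissions the README states for role.venona.yaml.
ALLOWED_VERBS = {"get", "create", "delete"}
ALLOWED_RESOURCES = {"pods", "persistentvolumeclaims"}  # both live in the core ("") API group


def audit_role(role):
    """Return findings for every rule that grants more than the README describes."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        checks = (
            ("apiGroups", {""}),
            ("resources", ALLOWED_RESOURCES),
            ("verbs", ALLOWED_VERBS),
        )
        for field, allowed in checks:
            # Wildcards ("*") and subresources ("pods/exec") are not in the
            # allowed sets, so they are reported like any other extra grant.
            extra = sorted(set(rule.get(field, [])) - allowed)
            if extra:
                findings.append(f"rule {i}: unexpected {field} {extra}")
        if rule.get("nonResourceURLs"):
            findings.append(f"rule {i}: nonResourceURLs do not belong in a namespaced Role")
    return findings


# Constructed sample: a Role that matches the documented permissions.
EXPECTED = json.loads("""
{"kind": "Role", "metadata": {"name": "example-agent", "namespace": "codefresh-runtime"},
 "rules": [{"apiGroups": [""], "resources": ["pods", "persistentvolumeclaims"],
            "verbs": ["get", "create", "delete"]}]}
""")

# Constructed sample: the same Role after someone widened it.
DRIFTED = json.loads("""
{"kind": "Role", "metadata": {"name": "example-agent", "namespace": "codefresh-runtime"},
 "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get", "create"]},
           {"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["*"]}]}
""")

if __name__ == "__main__":
    for name, role in (("expected", EXPECTED), ("drifted", DRIFTED)):
        print(name, audit_role(role) or "matches the documented permissions")
```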

Access the cluster from executed pipeline

After a successful installation of Venona, you'll be able to run a Codefresh pipeline on the configured cluster.
However, the pipeline itself doesn't have any permission to connect to the hosted cluster.
To make it work, add the cluster to Codefresh (make sure the service account has all the permissions you need):

    codefresh create cluster --kube-context CONTEXT_NAME --namespace NAMESPACE --serviceaccount SERVICE_ACCOUNT --behind-firewall

Upgrade

To upgrade an existing runtime-environment, one that was created without Venona's agent, run:

  • Find the name of the cluster that was linked to that runtime environment
    Example: codefresh get cluster
  • Install
    Example: venona install --cluster-name CLUSTER
  • Get the status
    Example: venona status RUNTIME-ENVIRONMENT
    Example: kubectl get pods -n NAMESPACE

venona's People

Contributors

itai-codefresh, kosta-codefresh, kosta709
