Deploying Spinnaker on Kubernetes with Helm 3: A Step‑by‑Step Guide

Spinnaker is a continuous‑delivery platform originally developed by Netflix. This article demonstrates how to deploy Spinnaker on a Kubernetes cluster using Helm 3, addressing challenges such as GFW proxy configuration, Helm repository setup, and chart compatibility with Kubernetes 1.16+ API versions.

First, verify the versions of Helm and kubectl:

$ helm version
$ kubectl version

Configure Helm to use the Microsoft chart repository and update it:

$ helm repo ls
NAME            URL
stable          https://mirror.azure.cn/kubernetes/charts/
$ helm repo update
# ...output indicating successful update...

Because Kubernetes 1.16+ deprecates older API versions, the Spinnaker chart must be fetched and its Deployment/StatefulSet resources updated to apps/v1 and include selector.matchLabels where needed:

$ helm fetch stable/spinnaker
$ tar -xvf spinnaker-1.23.2.tgz

Modify the chart’s values.yaml to set the Spinnaker version, replace the default GCR image registry with the Azure mirror, and configure a Ceph RBD storage class for persistent volumes:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-ceph-block
provisioner: rook-ceph.rbd.csi.ceph.com
reclaimPolicy: Retain
parameters:
  pool: k8s-test-pool
  imageFormat: "2"
  imageFeatures: layering
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-secret
  csi.storage.k8s.io/provisioner-secret-namespace: rook
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-secret
  csi.storage.k8s.io/node-stage-secret-namespace: rook
  csi.storage.k8s.io/fstype: ext4

Specify the same storage class for Halyard, Redis, Minio, and other components in values.yaml:

halyard:
  persistence:
    storageClass: rook-ceph-block
redis:
  master:
    persistence:
      storageClass: rook-ceph-block
minio:
  persistence:
    storageClass: rook-ceph-block

Configure Halyard to use a proxy by setting the JAVA_OPTS environment variable:

halyard:
  env:
    - name: JAVA_OPTS
      value: "-Djava.security.egd=file:/dev/./urandom -Dhttp.proxyHost=10.151.30.11 -Dhttps.proxyHost=10.151.30.11 -Dhttp.proxyPort=8118 -Dhttps.proxyPort=8118 -Dhttp.nonProxyHosts=\"localhost|*.spinnaker.com\""

Clone the customized chart, create the spinnaker namespace, and install the chart with Helm:

$ git clone https://github.com/cnych/spinnaker-helm spinnaker
$ kubectl create ns spinnaker
$ helm install spinnaker --namespace spinnaker ./spinnaker

After installation, verify the Pods. If any Deployments still reference the old gcr.io registry, edit them to use the Azure mirror gcr.azk8s.cn:

$ kubectl edit deploy spin-deck -n spinnaker
# replace gcr.io with gcr.azk8s.cn

Once all Pods are running, expose Spinnaker via a Traefik IngressRoute (HTTPS) and a redirect middleware:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: spin-deck-https
  namespace: spinnaker
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`spinnaker.qikqiak.com`)
      kind: Rule
      services:
        - name: spin-deck
          port: 9000
  tls:
    certResolver: ali
    domains:
      - main: "*.qikqiak.com"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: spinnaker
spec:
  redirectScheme:
    scheme: https
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: spin-deck-http
  namespace: spinnaker
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`spinnaker.qikqiak.com`)
      kind: Rule
      services:
        - name: spin-deck
          port: 9000
      middlewares:
        - name: redirect-https

After DNS resolves spinnaker.qikqiak.com to the cluster, the Spinnaker UI becomes accessible. This completes the initial deployment; further exploration can cover Spinnaker’s advanced features.