Version: 0.9

Creating Robots for CI

Currently, you can create a robot and assign it the build.run and cluster.deployment roles. This lets the robot trigger builds and deployments for a specific team in a CI system.

This topic illustrates an example of creating a robot and assigning it the build.run role. This lets the robot trigger any build managed under Kore for a specific team.

You can see details of these roles by running: kore get role ROLE-NAME -o yaml. Use the -t flag to specify a team other than your default team.

For more information, see kore get role.

Prerequisites for assigning build and deploy roles

  • To assign the build.run role you must have a build set up first. See Manage Container Builds.
  • To assign the cluster.deployment role you must have a cluster and a namespace set up first, and you must already have the artifact/image available to deploy. See Clusters and Namespaces.

Create a robot - UI method

To create a build robot/token for a team:

  1. In the Team view of the Kore Portal, navigate to Robots.

  2. Click Create new robot, fill in the Robot name and Robot description, and then click Next.

  3. Click Select role for the role(s) you want to assign. For this example, select build.run, and then click Next.

    The Set parameters form displays the parameter selections required by the role(s) you've assigned to this robot.

    If you click Next without selecting a role, you can save this robot, copy its environment variables, and assign the role(s) later using the CLI. See Assign roles to robots after creation.

  4. For the build.run role, select the build you want this robot to trigger from the drop-down list, and then click Save.

    The next page displays this robot's environment variables.

  5. Click Copy to clipboard to copy the environment variables to use in CI, and then click Close.

    Note: You will not be able to see or copy the environment variables once you click Close, but you can regenerate a robot token later. See Regenerate a robot token.

Create a robot - CLI method

Info: Take a look at Using Policy Profiling, an experimental feature, for a more dynamic approach.

To create a build robot/token for a team:

The following creates a robot and assigns the robot permission to trigger all builds.

  1. Create a robot for all builds:

    kore create robot NAME

    In this example, the robot name is builds:

    $ kore create robot builds
    ✔ Please provides a description of use for this account: Builds deployments robot account
    ✔ Use can use the following secrets within your chosen CI
    KORE_SERVER=https://HOST-NAME
    KORE_TEAM=TEAM-NAME
    KORE_TOKEN=TOKEN-STRING

    Environment variables are returned when you create the robot. You can also regenerate a robot token later. See Regenerate a robot token.

  2. Assign the build.run permissions to the robot:

    kore assign role build.run

    Follow the prompts to select a Robot Account. For this example, specify its name as builds. You can then choose a specific build from the list (recommended) or all: a specific build lets the robot trigger only that build, while all lets it trigger every build for the team. For example:

    $ kore assign role build.run
    ? Who should the role apply to (i.e. users, robots)
    Team Member - allows you to limit the scope by the team member
    All Subjects - allows you to scope to all subjects
    ▸ Robot Account - allows you to limit the scope to a specific robot account
    All Robots - scopes the permission to all robot accounts in kore
    Subject Scope - limits the scope of the token (user, robot)
    Team Role - limits the scope by team role membership of the user
    ↲ Back
    ...
    ✔ You have chosen the role: "build.run"
    ✔ Policy will apply to robot: builds
    ◉ The role has the optional value: "build" (single)
    ✔ You have selected all as the build:
    Role has been successfully assigned to subject/s

    A policy is now assigned for this robot to trigger all builds for this team.

  3. To view the policy created above, run:

    kore get policy --robot ROBOT-NAME

    For example:

    $ kore get policy --robot builds
    NAME STATUS AGE
    build-nginx-robot-62hrf Success 74s

Regenerate a robot token

You may need to regenerate a robot token for an existing robot if you did not copy environment variables when creating that robot for CI.

To regenerate a robot token:

  1. Run the command:

    kore create robot-token ROBOT-NAME --regenerate

For more information, see kore create robot token.

Use the robot token and run the build in CI

Once you have a robot token, in your chosen CI system, you must add:

  1. The kore run build command. Examples:

    • kore run build BUILD-NAME
    • kore run build BUILD-NAME -t TEAM-NAME --tag IMAGE-TAG

    For more information, see Manage Container Builds.

  2. The environment variables/secrets:

    • KORE_SERVER=HOST-NAME is the kore API server, which you can see using kore profile ls.
    • KORE_TEAM=TEAM-NAME is the team the build is in.
    • KORE_TOKEN=TOKEN-STRING is the decoded secret from the robot.

For detailed information on adding environment variables in two popular CI systems, see:

To download and install the Kore CLI, see Get the CLI.
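
The following CI step wrapper is an added example, not part of the Kore documentation. It checks the three robot variables before calling kore run build, turns off shell tracing so the token does not reach the job log, and passes the build name and tag as quoted arguments. The KORE_BIN override and the function names are hypothetical, and the https:// check assumes KORE_SERVER has the form printed by kore create robot.

```shell
#!/bin/sh
# Added example (not from the Kore docs): pre-flight for a CI build step.
# KORE_BIN is a hypothetical override used only to swap in a stub for testing.

# Verify the three robot variables before calling the CLI.
check_kore_env() {
    # Any expansion of KORE_TOKEN would be echoed by xtrace, so turn it off
    # for the rest of the job before touching the variable.
    set +x
    for name in KORE_SERVER KORE_TEAM KORE_TOKEN; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required variable: $name" >&2
            return 1
        fi
    done
    unset value
    # Assumption: KORE_SERVER has the https://HOST-NAME form printed by
    # "kore create robot"; refuse to send the token over plain http.
    case "$KORE_SERVER" in
        https://*) ;;
        *) echo "KORE_SERVER must be an https:// URL" >&2; return 1 ;;
    esac
}

# Trigger one named build for the robot's team, optionally with an image tag.
kore_ci_build() {
    build_name=${1:-}
    image_tag=${2:-}
    if [ -z "$build_name" ]; then
        echo "usage: kore_ci_build BUILD-NAME [IMAGE-TAG]" >&2
        return 2
    fi
    check_kore_env || return 1
    # Quote every argument so a tag derived from a branch name cannot split
    # into extra CLI arguments.
    if [ -n "$image_tag" ]; then
        "${KORE_BIN:-kore}" run build "$build_name" -t "$KORE_TEAM" --tag "$image_tag"
    else
        "${KORE_BIN:-kore}" run build "$build_name" -t "$KORE_TEAM"
    fi
}

# In the CI step, after sourcing this file:
#   kore_ci_build BUILD-NAME IMAGE-TAG
```

Store KORE_TOKEN as a masked secret in the CI system rather than in the pipeline file, so that it is only present in the environment of the job that runs this step.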

Use the robot to access a cluster

You can exchange a robot token for a short-lived access token to access a cluster. To do this, you create a robot and assign it the cluster.deployment role, use the environment variables generated for the robot in your CI system, and then run kore kubeconfig as shown below.

# Create a robot and assign it the cluster.deployment role
$ kore create robot <NAME> ..
# Or if the robot already exists you can assign a role
$ kore assign role cluster.deployment --robot <NAME>
...
# Use the robot account in CI pipeline - assuming you have taken the KORE_TOKEN,
# KORE_SERVER and KORE_TEAM environment variables from the robot. You can download the Kore CLI from
# https://docs.appvia.io/kore/releases or use docker image quay.io/kore/cli:<VERSION>.
# Provision a kubeconfig configuration file to speak to the cluster.
$ kore kubeconfig --cluster <NAME>
# Run kubectl commands as needed for the cluster
$ kubectl [commands]

View or assign roles to robots

You can see all the robots for your team in the Kore UI > Robots page, and whether they've been assigned the build.run or cluster.deployment roles.

View robot roles

To view robot roles:

  • If a role is assigned to a robot:

    • For build.run the role and the build name are shown.
    • For cluster.deployment the role, cluster, and namespace are shown.
  • To see an assigned role's permissions, click the right arrow.

Assign roles to robots after creation

Currently, you must use the CLI to assign a role to a robot that was created but not assigned a role.

To assign a role to a robot after it's been created:

  1. In the Robots page, find the robot with no role assigned.

  2. Click Assign roles via the CLI.

  3. Copy the command shown, and then run it in the CLI.

    You'll be prompted for inputs.