Helm Deployment via VMware Aria Automation Code Stream + Kubernetes

-

 

Overview

This deployment model integrates VMware Aria Automation Code Stream with Kubernetes to securely and automatically execute Helm chart deployments.

The approach leverages a short-lived Kubernetes Job that handles:

  • Git repository checkout

  • Helm chart installation/upgrade

  • Automatic cleanup post-execution

This ensures secure, ephemeral, and repeatable deployments with minimal cluster footprint.


Design Components

🔹 Code Stream Pipeline

  • Type: Kubernetes Task

  • Trigger: Manual or scheduled

  • Inputs: Git credentials (e.g., gitusername1, gitpassword2)

  • Purpose: Submits Kubernetes Job manifest to the target cluster


🔹 Kubernetes Job

  • API Version: batch/v1

  • Namespace: <Name Space>

  • Service Account: crypto (preconfigured RBAC permissions)

  • Image: Custom Alpine with Helm + Git CLI (k8s:1.33.3)

  • Execution Steps:

    1. Clone Helm chart from internal GitLab

    2. Run helm upgrade --install with values file

    3. Deploy resources into target namespace


🔹 Security Controls

  • ServiceAccount RBAC: Least-privilege access (create/update/patch on deployments, secrets, configmaps)

  • ImagePullSecrets: (creds) for private registry authentication

  • Git Access: HTTPS with token-based authentication

🔹 Lifecycle Management

  • Restart Policy: Never

  • Retries: backoffLimit: 0 (fail fast)

  • Cleanup: ttlSecondsAfterFinished: 60 for automatic pod/job deletion


Deployment Flow

  1. Pipeline Trigger → User initiates Code Stream pipeline with GitLab inputs

  2. Job Submission → Code Stream submits manifest to Kubernetes API

  3. Git & Helm Execution → Job container clones repo and runs helm upgrade --install

  4. Helm Deployment → Resources applied into namespace (--create-namespace if needed)

  5. Cleanup → Job & pod auto-delete after 60s/120s

  6. Validation → Operator checks with helm status & Kubernetes resources


Process Flow Diagram



Key Highlights

  1. Ephemeral Execution → No long-running CI/CD pods; jobs auto-cleanup

  2. Isolation → Each deployment runs independently, avoiding conflicts

  3. Rollback Readyhelm rollback services <REVISION> --namespace <NS> supported via pipeline

  4. Secure by Design → ServiceAccount with least privilege, private registry auth

  5. Namespace Agnostic → Can target any namespace via manifest update

  6. Minimal Footprint → TTL ensures no resource leftovers

  7. Scalable → Parallel deployments for multiple teams without interference


Implementation & Output

  • Code Stream pipeline screenshot




  • vRO task execution (optional)

  • Kubernetes Job logs

         kubectl get jobs -n <name space>

  • Helm release status (helm status <release> -n <namespace>)

        helm history application-name -n <name space>

  • Namespace pods/services after deployment


Further Automation

If you need enhancements or additional automation features, feel free to reach out. HashtagForge


Comments

Post a Comment

Popular posts from this blog

Creating Snapshots for Unmanaged VMs in Aria Automation (vRealize Automation)

-
Image
 In multi-tenant environments powered by Aria Automation (vRealize Automation) , it's common for tenants to occasionally request snapshots for unmanaged virtual machines (VMs) . These unmanaged VMs exist in vCenter but are not provisioned through vRA and therefore fall outside the standard automation lifecycle. To address this need without impacting the broader environment or other tenants, we implemented a dedicated catalog item that allows tenants to safely request snapshots for their unmanaged VMs— securely, in isolation, and with auditability . Here’s how we approached this solution using a custom workflow and catalog configuration in Aria Automation. The Challenge Tenants may operate legacy or externally imported VMs that are not managed via vRA’s provisioning engine. Creating snapshots for these VMs traditionally requires manual intervention from infrastructure teams, which: Increases support overhead Introduces potential human errors Offers ...
Read more

Bulk import security policies into Palo Alto Networks firewalls

-
Image
To bulk import security policies into Palo Alto Networks firewalls, you'll typically need to leverage the Palo Alto API or CLI with a script. I am using an Excel file (XLS), IP address validation, and mapping source and destination zones, for comprehensive solution to automate the process. 1. Input from XLSX File : You will first need to read the data from the XLS file. 2. Check for Existing Rules : Before creating new rules, you should check if similar rules already exist on the firewall. This could be done by comparing the rule names, source, and destination IPs, and zones. 3. Mapping Source Zone and Destination Zone : Ensure that the source and destination zones are correctly mapped according to your firewall configuration. 4. IP Address Validation : Before adding a rule, you'll need to validate that the IP addresses specified in the file are valid 📝  Flow Diagram  (Text Representation) Further Automation If you need enhancements or additional automation features , fee...
Read more

Automating Tag Creation & Assignment to VMs with vRA + vRO

-
Image
  Use Case Summary A user provisions a VM from vRA. Once the VM is deployed in vCenter , a vRO workflow is triggered via Event Broker subscription. The workflow: Checks if the Tag exists (using REST API to NSX-T). If not found, creates the Tag under the correct category. Assigns the Tag to the newly provisioned VM. This eliminates the need for manual intervention and ensures every VM is tagged correctly for policies, automation, and visibility . High-Level Flow VM Provisioning in vRA User requests VM with required details (e.g., Environment, Owner, Application). Event Broker Subscription After provisioning, vRA triggers a vRO workflow . vRO Workflow Actions Connects to vCenter using REST API. Checks if Tag exists. If exists → Skip creation. If not exists → Create new Tag under category. Assigns Tag to the VM. Result VM is provisioned with the right tags automatically applied . Flow Diagram Steps Start VM Prov...
Read more