{"id":19259255,"url":"https://github.com/concourse/hush-house","last_synced_at":"2026-06-23T10:31:32.388Z","repository":{"id":34407952,"uuid":"159085120","full_name":"concourse/hush-house","owner":"concourse","description":"Concourse k8s-based environment","archived":false,"fork":false,"pushed_at":"2023-12-12T16:48:31.000Z","size":692,"stargazers_count":30,"open_issues_count":33,"forks_count":24,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-02-23T18:17:39.292Z","etag":null,"topics":["concourse","helm","kubernetes"],"latest_commit_sha":null,"homepage":"https://hush-house.pivotal.io","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/concourse.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-11-25T23:38:33.000Z","updated_at":"2024-10-03T22:28:39.000Z","dependencies_parsed_at":"2023-12-12T18:25:39.883Z","dependency_job_id":"faac5258-11eb-499a-a4fa-e13296fdf6bb","html_url":"https://github.com/concourse/hush-house","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/concourse/hush-house","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/concourse%2Fhush-house","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/concourse%2Fhush-house/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/concourse%2Fhush-house/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/concourse%2Fhush-house/manifests","owner_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/owners/concourse","download_url":"https://codeload.github.com/concourse/hush-house/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/concourse%2Fhush-house/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34686725,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-23T02:00:07.161Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["concourse","helm","kubernetes"],"created_at":"2024-11-09T19:15:51.798Z","updated_at":"2026-06-23T10:31:32.367Z","avatar_url":"https://github.com/concourse.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HUSH-HOUSE\n\n\u003cbr /\u003e\n\n\u003cimg align=\"left\" width=\"296\" height=\"222\" src=\"https://upload.wikimedia.org/wikipedia/commons/thumb/e/ea/EM_NELLIS_HUSH_HOUSE_%282786461516%29.jpg/512px-EM_NELLIS_HUSH_HOUSE_%282786461516%29.jpg\"\u003e\n\n\u003cbr /\u003e\n\n\u003e A **hush house** is an enclosed, noise-suppressed facility used for testing aircraft systems,\n\u003e including propulsion, mechanics, electronics, pneumatics, and others.\n\n\n\u003cbr /\u003e\n\n\nThis repository contains the configuration of [hush-house.pivotal.io](https://hush-house.pivotal.io), [metrics-hush-house.concourse-ci.org](https://metrics-hush-house.concourse-ci.org), and 
any other [Kubernetes (K8S)](https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/) deployments using the `hush-house` Kubernetes cluster available in the shared Concourse [Google Cloud](https://cloud.google.com/) account.\n\n\u003cbr /\u003e\n\n\n**Table of contents**\n\n\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n\n\n- [Repository structure](#repository-structure)\n- [Dependencies](#dependencies)\n- [Gathering access to the cluster](#gathering-access-to-the-cluster)\n- [IaaS](#iaas)\n- [Deployments](#deployments)\n  - [Creating a new deployment](#creating-a-new-deployment)\n  - [Without any credentials setup](#without-any-credentials-setup)\n  - [With credentials](#with-credentials)\n  - [Visualizing metrics from your deployment](#visualizing-metrics-from-your-deployment)\n- [SSHing into the Kubernetes node VM](#sshing-into-the-kubernetes-node-vm)\n- [k8s cheat-sheet](#k8s-cheat-sheet)\n  - [Contexts](#contexts)\n  - [Namespaces](#namespaces)\n  - [Nodes](#nodes)\n  - [Kubernetes for credential management](#kubernetes-for-credential-management)\n- [Bootstrapping the cluster](#bootstrapping-the-cluster)\n  - [Getting the GCP credentials](#getting-the-gcp-credentials)\n  - [Applying the Terraform](#applying-the-terraform)\n  - [Creating the base Kubernetes objects](#creating-the-base-kubernetes-objects)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n## Repository structure\n\n```sh\n.\n│\n├── deployments \t\t# Where you can find all deployments that get\n│   │\t\t\t\t# continuously deployed by `hush-house` when changes\n│   │\t\t\t\t# to configurations in this repository are made.\n│   │\n│   │\n│   ├── with-creds\t\t# Deployments that require credentials that do not exist\n│   │   │\t\t\t# in this repository (as they're not public)\n│   │   │\n│   │   ├── Makefile\t\t# Scripting 
related to the deployments\n│   │   │\n│   │   ├── hush-house  # The web nodes of the `hush-house` Concourse deployment\n│   │   ├── worker\t\t  # The deployment of the generic pool of workers that connect to `hush-house`\n│   │   └── metrics\t\t  # The `metrics` deployment\n│   │\n│   │\n│   │\n│   └── without-creds\t\t# Deployments that require NO credentials, i.e., that rely\n│       │\t\t\t# solely on public values from this repository.\n│       │\n│       ├── Makefile\t\t# Scripting related to the deployments.\n│       │\n│       └── bananas\t\t# Fully functioning example deployment.\n│\n│\n├── helm\t\t\t# Scripts to automate the provisioning of Helm and its\n│\t\t\t\t# server-side component (tiller)\n│\n│\n├── Makefile\t\t\t# General scripting for getting access to the cluster and\n│\t\t\t\t# setting up the pipelines.\n│\n│\n└── terraform\t\t\t# Terraform files for bringing up the K8S cluster and for\n    │\t\t\t\t# configuring other infrastructure components necessary\n    │\t\t\t\t# for the deployments (addresses + cloudsql).\n    │\n    ├── main.tf\t\t\t# Entrypoint that makes use of modules to set up the IaaS\n    │\t\t\t\t# resources.\n    │\n    ├── address\t\t\t# Module to create addresses ...\n    ├── cluster\t\t\t# Module for creating GKE clusters w/ node pools\n    │   └── vpc\t\t\t# Module for setting up the VPC of the cluster\n    └── database\t\t# Module for setting up CloudSQL\n\n```\n\n\n## Dependencies\n\n- [LastPass CLI (`lpass-cli`)](https://github.com/lastpass/lastpass-cli)\n  - `brew install lastpass-cli`\n- [Terraform CLI (`terraform`)](https://www.terraform.io/)\n  - `brew install terraform`\n- [Helm (`helm`)](https://helm.sh/)\n  - `brew install kubernetes-cli`\n  - `brew install helm \u0026\u0026 mv /usr/local/bin/helm{,3}` (for `ci`)\n  - `brew install helm@2` (for the other deployments)\n- [Kapp (`kapp`)](https://get-kapp.io/) (for `ci`)\n  - `brew tap k14s/tap`\n  - `brew install kapp`\n- [Helm diff plugin (`helm 
diff`)](https://github.com/databus23/helm-diff)\n  - `helm plugin install https://github.com/databus23/helm-diff --version master`\n- [Google Cloud CLI](https://cloud.google.com/sdk/docs/)\n  - `brew cask install google-cloud-sdk`\n\n*ps.: if you're creating your own environment based on an existing k8s cluster, you'll probably only need `helm`.*\n\n\n## Gathering access to the cluster\n\n0. Install the [dependencies](#dependencies)\n\n1. Configure access to the Google Cloud project\n\n```sh\ngcloud config set project cf-concourse-production\ngcloud config set compute/zone us-central1-a\ngcloud auth login\n```\n\n\n2. Retrieve the k8s credentials for the cluster\n\n```sh\ngcloud container clusters get-credentials hush-house\n```\n\n\n3. Initialize the Helm local configuration\n\nNote.: this is only needed if you've never initialized `helm` locally.\n\n```sh\nhelm init --client-only\n```\n\n\n4. Retrieve the Helm TLS certificates and the CA certificate\n\n\n```sh\n# fetch the creds from lpass\nmake helm-creds\n\n# copy the credentials to $HELM_HOME\nmake helm-set-client-creds\n```\n\n5. Running Helm commands against Hush-House requires `--tls`. For example,\n\n```sh\nhelm install ... 
--tls\n```\n\n## IaaS\n\nAs `hush-house` is a complete environment for deploying Concourse and any other Helm charts, it requires a few infrastructure pieces to be in place.\n\nAll of that is provisioned with [`terraform`](https://terraform.io), with its configuration under the [`./terraform` directory](./terraform).\n\n**Make sure you DON'T change the IaaS parameters in the Google Cloud Console** - modifications *MUST* be made through `terraform`.\n\n\n\n## Deployments\n\nIn the `hush-house` cluster, there are currently a few Helm chart deployments running.\n\nAs mentioned in the [repository structure section](#repository-structure), these all live under [`./deployments`](./deployments).\n\nCheck the [`deployments` README](./deployments/README.md) to know more about them.\n\n\n### Creating a new deployment\n\nTo create a new deployment of your own, a Chart under `./deployments/(with|without)-creds` needs to be created (given that every deployment corresponds to releasing a custom Chart).\n\nThere are two possible types of deployments we can create:\n\n1. without any credentials setup, and\n2. with credentials.\n\n\n\n\n### Without any credentials setup\n\n*tl;dr: copy the `./deployments/without-creds/bananas` directory and change `bananas` to the name of the deployment you want.*\n\n0. Create a directory under `./deployments/without-creds`, and change into it:\n\n```sh\nmkdir ./deployments/without-creds/bananas\ncd ./deployments/without-creds/bananas\n```\n\n\n1. Populate the directory with the required files for a Helm Chart, as well as metadata about the Chart itself (`Chart.yaml`):\n\n```sh\n# Create the required files\ntouch ./{Chart.yaml,requirements.yaml,values.yaml}\n\n\n# Populate the `Chart.yaml` file with some info about the chart\necho '---\nname: bananas\nversion: 0.0.1\ndescription: a test deployment!\nmaintainers:\n- name: ciro\n' \u003e ./Chart.yaml\n```\n\n\n2. 
Add the concourse release candidate as a dependency (the path is relative to the chart directory created in step 0)\n\n```sh\necho '---\ndependencies:\n- name: concourse\n  version: 0.0.15\n  repository: https://raw.githubusercontent.com/concourse/charts/gh-pages/\n' \u003e ./requirements.yaml\n```\n\nps.: the version can be retrieved from [concourse/charts](https://github.com/concourse/charts/tree/gh-pages).\n\npps.: the upstream version of the Chart could be used too! See [`helm/charts`](https://github.com/helm/charts) for instructions.\n\n\nWith that set, `hush-house` is ready to run the deployment.\n\nYou can either trigger the deployment from your own machine if you have Helm already set up, or make a PR to `hush-house` so that the pipeline does it all for you.\n\nOnce the process is completed, you should be able to see your resources under the deployment namespace:\n\n\n```\nkubectl  get pods --namespace=bananas\nNAME                                  READY   STATUS    RESTARTS   AGE\nbananas-postgresql-7f779c5c96-c8f4v   1/1     Running   0          2m\nbananas-web-78db545cc9-xrzd9          1/1     Running   1          2m\nbananas-worker-78f6cddccb-brvm9       1/1     Running   0          2m\nbananas-worker-78f6cddccb-qd6zn       1/1     Running   0          2m\nbananas-worker-78f6cddccb-xv7p5       1/1     Running   0          2m\n```\n\n\n### With credentials\n\nA deployment that requires credentials that can't be publicly shared involves all of the steps above, plus a few more. Once those steps are finished, proceed with the following (paths are relative to the chart directory under `./deployments/with-creds`):\n\n\n1. Create the `values.yaml` file with public configurations\n\n```sh\necho '---\nconcourse:\n  worker:\n    replicas: 3\n  concourse:\n    web:\n      prometheus:\n        enabled: true\n' \u003e ./values.yaml\n```\n\n\n2. 
Populate the `.values.yaml` file with credentials\n\n\n```sh\necho '---\nconcourse:\n  secrets:\n    localUsers: test:something\n' \u003e ./.values.yaml\n```\n\n*ps.: this can be left blank*\n\n\n3. Populate the `hush-house-main` namespace with your credentials\n\nHaving `kubectl` configured (see [*gathering access to the cluster*](#gathering-access-to-the-cluster)) with access to `hush-house-main`, create the secret using the `hush-house-creds-secrets-$DEPLOYMENT` target from [`./deployments/with-creds/Makefile`](./deployments/with-creds/Makefile):\n\n```sh\n# go back to `./deployments/with-creds`\ncd ..\nmake hush-house-creds-secrets-bananas\n```\n\n\n### Visualizing metrics from your deployment\n\nWhen using the Concourse Helm chart, metrics get scraped and graphed by default under https://metrics-hush-house.concourse-ci.org if [Prometheus](https://prometheus.io) integration is enabled.\n\nTo enable it, make sure you have `concourse.web.prometheus.enabled` set to `true` and the `prometheus.io` annotations added to `concourse.web`:\n\n```yaml\nconcourse:\n  web:\n    annotations:\n      prometheus.io/scrape: \"true\"\n      prometheus.io/port: \"9391\"\n  concourse:\n    web:\n      prometheus:\n        enabled: true\n```\n\nWith that set, head to the `Concourse` dashboard under the metrics address provided above and change the `Namespace` dropdown to the one corresponding to the name of your deployment.\n\n\n## SSHing into the Kubernetes node VM\n\nAs the worker nodes created by the worker pools declared in [the main Terraform file](./terraform/main.tf) are just regular GCP instances, they can be accessed the same way as any other VM, through `gcloud`.\n\n\n```sh\n# The name of the instance can be retrieved from the\n# command that lists nodes connected to the k8s cluster:\n# - `kubectl get nodes`.\nNODE_NAME=\"gke-hush-house-test-workers-1-46b1d860-65mf\"\n\n\n# Use `gcloud` to facilitate the process of getting the\n# right credentials 
set up for SSHing into the machine.\n#\n# ps.: you must have `gcloud` credentials set up before\n#      proceeding - check out the section `Gathering access to the cluster`\n#      in this README file.\ngcloud compute \\\n\tssh \\\n\t--zone us-central1-a \\\n\t$NODE_NAME\n```\n\n## k8s cheat-sheet\n\nHere's a quick cheat-sheet that might help you get started with `kubectl` if you've never used it before.\n\n\n### Contexts\n\nThese are the equivalent of Concourse `target`s, each storing auth, API endpoint, and namespace information.\n\n- Get all configured contexts:\n\n```sh\nkubectl config get-contexts\n```\n\n\n- Change a setting in a context (for instance, set its default `namespace`):\n\n```sh\nkubectl config set-context $context \\\n\t--namespace=$new_default_namespace\n```\n\n\n- Set the context to use:\n\n```sh\nkubectl config use-context $context\n```\n\n\n### Namespaces\n\nA virtual segregation between resources in a single cluster.\n\nIt's common to have environments associated with namespaces such that their resources get isolated too. 
In this scenario, you can think of namespaces as BOSH deployments - they're all managed by the same director, but their instances and other resources are isolated from each other.\n\nThe namespace to target is supplied via the `--namespace` flag, or by having a default namespace set in the context (see [#contexts](#contexts)).\n\n\n### Nodes\n\nSimilar to `bosh vms`, it's possible to gather the list of instances that compose our cluster.\n\n- Retrieve the list of all registered k8s nodes:\n\n```sh\nkubectl get nodes\n```\n\n- Describe (get events and extra information of) a particular node:\n\n```sh\nkubectl describe node $node_name\n```\n\n### Kubernetes for credential management\n\nJust like you can tie Vault or CredHub to your Concourse instances in order to have secrets support, you can also make use of Kubernetes Secrets for that, with a few particularities:\n\n- Can't use `_` in the names (a limitation of k8s Secrets)\n\nFor instance, the Secret `something_a` is invalid:\n\n```\nmetadata.name:\n  Invalid value: \"something_a\":\n    a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.',\n    and must start and end with an alphanumeric character (e.g. 'example.com', regex used\n    for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')\n```\n\n- Names must not be longer than `63` characters\n\n- for interpolating ((mything)), create a Secret whose `value` key holds the secret:\n\n```sh\nkubectl create secret generic mything \\\n  --from-literal=value=$value \\\n  --namespace $prefix$team\n```\n\n- for interpolating nested structures ((mything.foo)), the key name becomes the field name:\n\n```sh\nkubectl create secret generic mything \\\n  --from-literal=foo=$foo \\\n  --namespace $prefix$team\n```\n\n\n## Bootstrapping the cluster\n\nCreating the `hush-house` cluster on GKE from the ground up requires:\n\n1. having GCP credentials,\n2. applying the Terraform definition under `./terraform`, then\n3. 
creating a few objects in the Kubernetes cluster.\n\nBelow you find instructions on how to perform those steps.\n\n### Getting the GCP credentials\n\nAccess to the GCP credentials for `hush-house` can be granted through a GCP JSON key stored in LastPass.\n\nThe `Makefile` at the root of this repository contains a target for retrieving that key and placing it in the right place:\n\n```sh\nmake gcp-key\n```\n\n### Applying the Terraform\n\nWith the credential obtained, we can proceed to create the underlying resources in the IaaS (GCP), using the definitions under the `./terraform` directory.\n\n```sh\ncd ./terraform\nterraform apply\n```\n\n\n### Creating the base Kubernetes objects\n\nA fully working `hush-house` Kubernetes cluster requires a few components: a Tiller deployment (the server-side component of Helm), and a custom `StorageClass` (so we can create PersistentVolumeClaims backed by SSD storage).\n\n\nTo configure Tiller, first get the Helm certificates and keys from LastPass and then run the script that bootstraps it.\n\n*Note.: the script is meant to be run with the current working directory pointing to `cluster-bootstrap`.*\n\n```sh\nmake helm-creds\ncd ./cluster-bootstrap\n./bootstrap-tiller.sh\n```\n\nTo finish the bootstrapping, we now need to create the StorageClass. From the root of this repository, run the following:\n\n```sh\ncd ./cluster-bootstrap/storage\n./ssd-storage-class.sh\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconcourse%2Fhush-house","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fconcourse%2Fhush-house","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconcourse%2Fhush-house/lists"}