Use Reliably Environments

This guide goes into the details of creating and using Reliably environments to inject contexts into your Reliably Plans.

Reliably Experiments describe a set of activities to conduct. These activities are usually context-dependent. For instance, a given experiment may be designed to work against Kubernetes. You would expect that such an experiment can target any Kubernetes cluster that you run, therefore credentials should not be embedded into the experiment.

This is where Reliably Environments come into play. They allow you to declare a set of environment variables and secrets that you can attach to a Reliably Plan for a particular run of an Experiment. Thus providing the context it needs.

The Basics

Create an Environment

To create an environment, go to the New environment page and start filling out the form as needed.

Provide a name that you can easily recall what it covers later on. Then set as many environment variables and secrets, which are encrypted internally, as you need.

When creating a secret as a file, the path must start with /home/svc.

Delete an Environment

You can delete environments at will but only when all Reliably Plan that use them have also been deleted first. This prevents mistakes where a Plan tries to run and cannot find its Environment.

Common Patterns

This section will introduce common Environment patterns that will help you pass the right context to a variety of experiments.

These patterns apply to any Reliably Deployment type. But you declare these variables and secrets in Reliably only when using a Reliably Cloud deployment. Otherwise, these variables and secrets are declared directly on the platform you use to execute Reliably Plans.

Kubernetes

Experiments targetting Kubernetes clusters usually require a service account that will define the Kubernetes API server endpoint and credentials to authenticate to it. The service account should then have the right roles to perform the experiment’s activities, using the least privileges approach.

A screenshot of the Reliably Kubernetes environment form.

TypeNameValue
Environment VariableKUBECONFIG/tmp/config
Secret File/tmp/configThe content of a Kubernetes Service Account file

Leave the KUBECONFIG variable to its default value in most cases.

If you experiment is targetting a Google Cloud GKE cluster and you run it from Reliably Cloud, your kubeconfig should not use the gke-gcloud-auth-plugin authentication approach as the GOOGLE_APPLICATION_CREDENTIALS environment variable cannot be set in Reliably Cloud.

Instead, modify your kubeconfig to use a regular token approach instead.

For instance:

$ kubectl config set-credentials default --token=$(gcloud auth print-access-token)
$ kubectl config set-context <CLUSTER NAME> --user=default

If you target a GKE cluster and run from GCP resources (GKE itself, Cloud Run) you will have to follow that approach until this issue is taken into account by upstream. Note that, tokens have a default lifetime of 3600s only so you will have to regularly update the credentials.

If you target a GKE cluster but run the experiment from anywhere else, feel free to keep the gke-gcloud-auth-plugin authentication approach as described in the GCP documentation.

AWS

Experiments targeting AWS resources usually require enough information to authenticate.

A screenshot of the Reliably AWS environment form.

TypeNameValue
Environment VariableAWS_REGIONA valid AWS region
Secret VariableAWS_ACCESS_KEY_IDThe AWS access key for the AWS account to use
Secret VariableAWS_SECRET_ACCESS_KEYThe AWS secret key for the AWS account to use

Alternatively, you can only use a secret file as well:

TypeNameValue
Environment VariableAWS_REGIONA valid AWS region
Secret File/home/svc/.aws/credentialsThe content of an shared credentials file

Google Cloud Platform

Experiments targetting GCP services usually require a service account, which should have the right roles to perform the experiment’s activities.

A screenshot of the Reliably Google Cloud Platform environment form.

TypeNameValue
Environment VariableGOOGLE_APPLICATION_CREDENTIALS/home/svc/gcp.json
Secret File/home/svc/gcp.jsonThe content of a GCP Service Account key file

Azure

Experiments targeting Azure services requires a set of values to authenticate with the right Azure endpoint and services.

A screenshot of the Reliably Azure environment form.

TypeNameValue
Azure Client IDAZURE_CLIENT_ID
Azure Tenant IDAZURE_TENANT_ID
Azure Subscription IDAZURE_SUBSCRIPTION_ID
Azure Client SecretAZURE_CLIENT_SECRET

GitHub

Experiments targetting GitHub services require a token with the appropriate permissions for the experiments in the Reliably Plan.

A screenshot of the Reliably GitHub environment form.

TypeNameValue
Secret VariableGITHUB_TOKENThe token value

The token must have enough permissions for the experiment to perform its operations.