This section will cover communication with parties external to your Spinnaker instance. That is, any requests between your browser and the Deck host (the UI), between Deck and Gate (the API gateway), and between any other client and Gate.
It is strongly encouraged that your entire communication with all players is conducted over HTTPS. Most modern identity providers already run HTTPS-only, and you should look for a different solution provider if yours does not.
Info: Many users like to get authentication working before adding HTTPS, but experience bears out that the transition is not smooth. It is recommended to put at least a temporary SSL solution in place first.
We will use
openssl to generate a Certificate Authority (CA) and a server certificate. For the
purposes of this tutorial, we’ll use a self-signed CA. You may consider using an external CA to
minimize browser configuration, but it’s not necessary (and can be expensive).
Use the steps below to create a certificate authority. If you’re using an external CA, skip to the next section.
- Create the CA key.
openssl genrsa -des3 -out ca.key 4096
- Self-sign the CA certificate.
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
- Create the server key. Keep this file safe!
openssl genrsa -des3 -out server.key 4096
- Generate a certificate signing request for the server. Specify
localhostor Gate’s eventual fully-qualified domain name (FQDN) as the Common Name (CN).
openssl req -new -key server.key -out server.csr
- Use the CA to sign the server’s request. If using an external CA, they will do this for you.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
- Format server certificate into Java Keystore (JKS) importable form
YOUR_KEY_PASSWORD=hunter2 openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12 -name spinnaker -password pass:$YOUR_KEY_PASSWORD
This will create a p12 keystore file with your certificate imported under the alias “spinnaker” with the key password $YOUR_KEY_PASSWORD.
- Create Java Keystore by importing CA certificate
keytool -keystore keystore.jks -import -trustcacerts -alias ca -file ca.crt
- Import server certificate
$ keytool -importkeystore \ -srckeystore server.p12 \ -srcstoretype pkcs12 \ -srcalias spinnaker \ -srcstorepass $YOUR_KEY_PASSWORD \ -destkeystore keystore.jks \ -deststoretype jks \ -destalias spinnaker \ -deststorepass $YOUR_KEY_PASSWORD \ -destkeypass $YOUR_KEY_PASSWORD
Voilà! You now have a Java Keystore with your certificate authority and server certificate ready to be used by Spinnaker!
Use Halyard to Configure Gate
With the above certificates and keys in hand, you can use Halyard to set up SSL for Gate and Deck.
KEYSTORE_PATH= # /path/to/keystore.jks hal config security api ssl edit \ --key-alias spinnaker \ --keystore $KEYSTORE_PATH \ --keystore-password \ --keystore-type jks \ --truststore $KEYSTORE_PATH \ --truststore-password \ --truststore-type jks hal config security api ssl enable
SERVER_CERT= # /path/to/server.crt SERVER_KEY= # /path/to/server.key hal config security ui ssl edit \ --ssl-certificate-file $SERVER_CERT \ --ssl-certificate-key-file $SERVER_KEY \ --ssl-certificate-passphrase hal config security ui ssl enable
Each authentication mechanism is configured differently depending on where the SSL connection is terminated. Learn more about how the different network architecture options and how it affects your setup.