Skip to content

SSL

SSL Overview

  • SSL (Secure Socket Layer) is a security protocol which encrypts the connections established between Webserver and the client (browser).
  • In this chapter, we learn how Spinnaker communicates from external parties to Spinnaker Instance, which might be any requests between
    1. Browser & Spinnaker UI (Deck)
    2. Deck and Gateway (API gateway)
    3. Client and Gate

Steps to Generate Self Signed Cert

  • A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. In technical terms a self-signed certificate is one signed with its own private key.
  • Instructions in this chapter allows user to generate a Self-signed certificate key and server certificate, openssl will be used.
  • Follow the below instruction to create self-signed certificate

    1. Execute the below commands to create CA key

      openssl genrsa -des3 -out ca.key 4096
      

    2. Execute the below commands to Self-sign the Certificate

      openssl req -new -x509 -days 365 -key ca.key -out ca.crt
      

    Note

    Incase if External CA Certificate is being used, skip to the next section to enable the same on Spinnaker.

Steps to Create Server Certificate

  • From this Section, let’s learn how to create Certificate Authority and import the same to a Server Certificate.

    1. Execute the below command, to create a Server key and save it safe.
      openssl genrsa -des3 -out server.key 4096
      
    2. Execute the below command, to generate a certificate signing request for the server. Ensure to specify localhost or Fully Qualified Domain Name of Gate as the Common Name.
          openssl req -new -key server.key -out server.csr
      
    3. Execute the below command, to use CA sign the server’s request. If, external CA is being used, vendor will take care of this step.
          openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -
          CAcreateserial -out server.crt
      
    4. To make the server certificate to importable format convert it to JKS.

    Note

    This creates a p12 keystore file with your certificate imported under the alias “spinnaker” with the key password $YOUR_KEY_PASSWORD.

    1. Execute the below command, to create a JKS file by importing CA Certificate
      keytool -keystore keystore.jks -import -trustcacerts -alias ca -file ca.crt
      
    2. To import the server certificate, execute the below
    $ keytool -importkeystore \
    -srckeystore server.p12 \
    -srcstoretype pkcs12 \
    -srcalias spinnaker \
    -srcstorepass $YOUR_KEY_PASSWORD \
    -destkeystore keystore.jks \
    -deststoretype jks \
    -destalias spinnaker \
    -deststorepass $YOUR_KEY_PASSWORD \
    -destkeypass $YOUR_KEY_PASSWORD
    
  • Now Spinnaker is all set to use the Java Keystore, which has all the certificate authority and server certificate.

Steps to Configure SSL for Gate and Deck

  • Execute the below commands, separate to enable SSL for Gate and Deck. We can use ‘Halyard’ to do the same.
  • For Gate:

    KEYSTORE_PATH= # /path/to/keystore.jks
    hal config security api ssl edit \
    --key-alias spinnaker \
    --keystore $KEYSTORE_PATH \
    --keystore-password \
    --keystore-type jks \
    --truststore $KEYSTORE_PATH \
    --truststore-password \
    --truststore-type jks
    hal config security api ssl enable
    
  • For Deck:

    SERVER_CERT= # /path/to/server.crt
    SERVER_KEY= # /path/to/server.key
    
    hal config security ui ssl edit \
    --ssl-certificate-file $SERVER_CERT \
    --ssl-certificate-key-file $SERVER_KEY \
    --ssl-certificate-passphrase
    
    hal config security ui ssl enable
    

Steps to Deploy Spinnaker with SSL

  • Execute the below command to deploy Spinnaker with all the SSL settings
    hal deploy apply
    

Verify SSL Setup

  • To Verify SSL setup, ensure to access all the Spinnaker Endpoints like Gate or Deck over SSL.

Next Steps

  • To Proceed further one much choose an authentication method
  • OAuth 2.0
  • SAML
  • LDAP
  • X.509

Comments