SSL (Secure Socket Layer) is a security protocol that encrypts the connections established between a web server and the client (browser).
In this chapter, we learn how external parties communicate with a Spinnaker instance, which covers any of the following request paths:

- Browser and Spinnaker UI (Deck)
- Deck and Gate (API gateway)
- Client and Gate
A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. In technical terms, a self-signed certificate is one signed with its own private key.
The instructions in this chapter allow the user to generate a self-signed certificate key and a server certificate; openssl will be used.
Follow the instructions below to create a self-signed certificate.
Execute the below command to create the CA key:
openssl genrsa -des3 -out ca.key 4096
Execute the below command to self-sign the CA certificate:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Note: If an external CA certificate is being used, skip to the next section to enable it on Spinnaker.
From this section, let's learn how to create a Certificate Authority and use it to issue a server certificate.
Execute the below command to create a server key; keep it safe.
openssl genrsa -des3 -out server.key 4096
Execute the below command to generate a certificate signing request for the server. Be sure to specify localhost or the fully qualified domain name of Gate as the Common Name.
openssl req -new -key server.key -out server.csr
Execute the below command to have the CA sign the server's request. If an external CA is being used, the vendor will take care of this step.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
To put the server certificate into an importable format, convert it to JKS.
The server certificate and key are first exported to a PKCS#12 (p12) keystore file with your certificate under the alias "spinnaker" and the key password $YOUR_KEY_PASSWORD; that p12 file is then imported into the JKS below.
Execute the below command to create a JKS file by importing the CA certificate:
keytool -keystore keystore.jks -import -trustcacerts -alias ca -file ca.crt
To import the server certificate, execute the below:
keytool -importkeystore \
  -srckeystore server.p12 \
  -srcstoretype pkcs12 \
  -srcalias spinnaker \
  -srcstorepass $YOUR_KEY_PASSWORD \
  -destkeystore keystore.jks \
  -deststoretype jks \
  -destalias spinnaker \
  -deststorepass $YOUR_KEY_PASSWORD \
  -destkeypass $YOUR_KEY_PASSWORD
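The whole certificate procedure above (CA key and certificate, server key, CSR, CA-signed server certificate, and the PKCS#12 export that the text describes but does not show) as one non-interactive script, followed by the checks worth running before handing the keystore to Halyard. This is an added example, not code from the Spinnaker or Halyard projects. It assumes the file names used on this page (ca.key, ca.crt, server.key, server.csr, server.crt, server.p12, keystore.jks) and introduces hypothetical variables WORKDIR, SERVER_CN and KEY_PASS; it uses -subj and -passin/-passout so no prompts are needed, encrypts keys with AES-256 instead of the page's -des3, and adds a subjectAltName because browsers match the host name against the SAN rather than the Common Name. The keytool steps are reproduced from the page in import_jks but need a JDK, so they are not run automatically.

```shell
#!/bin/sh
# Constructed example: non-interactive CA + server certificate pipeline for Gate/Deck.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # hypothetical: where the files are written
CA_SUBJ="/CN=Example Spinnaker Test CA"      # constructed CA subject
SERVER_CN="${SERVER_CN:-localhost}"          # must be the host name Gate is reached as
KEY_PASS="${YOUR_KEY_PASSWORD:-changeit}"    # placeholder; use a real passphrase

# CA key and self-signed CA certificate (the page's first two commands, with -subj).
make_ca() {
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$WORKDIR/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORKDIR/ca.key" -passin "pass:$KEY_PASS" \
    -subj "$CA_SUBJ" -out "$WORKDIR/ca.crt"
}

# Server key, CSR and CA-signed server certificate. The extension file adds a SAN
# for SERVER_CN and restricts the certificate to server authentication.
make_server_cert() {
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$WORKDIR/server.key" 4096 2>/dev/null
  openssl req -new -key "$WORKDIR/server.key" -passin "pass:$KEY_PASS" \
    -subj "/CN=$SERVER_CN" -out "$WORKDIR/server.csr"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SERVER_CN" > "$WORKDIR/server.ext"
  openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -passin "pass:$KEY_PASS" -CAcreateserial \
    -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# PKCS#12 export: server certificate + key under alias "spinnaker", protected by KEY_PASS.
# This is the server.p12 that the keytool -importkeystore step on the page consumes.
export_p12() {
  openssl pkcs12 -export -clcerts -in "$WORKDIR/server.crt" -inkey "$WORKDIR/server.key" \
    -passin "pass:$KEY_PASS" -name spinnaker -out "$WORKDIR/server.p12" -passout "pass:$KEY_PASS"
}

# The page's two keytool commands, unchanged apart from paths and -noprompt/-storepass
# so they run unattended. Requires a JDK on PATH.
import_jks() {
  keytool -keystore "$WORKDIR/keystore.jks" -storepass "$KEY_PASS" -import -noprompt \
    -trustcacerts -alias ca -file "$WORKDIR/ca.crt"
  keytool -importkeystore -srckeystore "$WORKDIR/server.p12" -srcstoretype pkcs12 \
    -srcalias spinnaker -srcstorepass "$KEY_PASS" -destkeystore "$WORKDIR/keystore.jks" \
    -deststoretype jks -destalias spinnaker -deststorepass "$KEY_PASS" -destkeypass "$KEY_PASS"
}

# Checks to run before enabling SSL in Halyard: the server certificate must chain to
# ca.crt, and its SAN must carry the host name clients will connect to. Returns 1 otherwise.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null || return 1
  openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -q "DNS:$SERVER_CN"
}

# Prints the server certificate subject, e.g. "subject=CN = localhost".
cert_subject() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -subject
}

# Runs the openssl part of the pipeline end to end; call import_jks afterwards on a host with a JDK.
run_all() {
  make_ca
  make_server_cert
  export_p12
  verify_chain
  cert_subject
}
```

Usage: `. ./make_certs.sh && run_all && import_jks`, then point KEYSTORE_PATH at $WORKDIR/keystore.jks in the Halyard commands below. If verify_chain fails, do not proceed: either the server certificate was signed by a different CA than the one in ca.crt, or the SAN does not match the host name Gate is served under, and browsers will reject the connection either way.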
Now Spinnaker is all set to use the Java keystore, which contains both the CA certificate and the server certificate.
Execute the below commands separately to enable SSL for Gate and for Deck; Halyard is used for both.
KEYSTORE_PATH= # /path/to/keystore.jks
hal config security api ssl edit \
  --key-alias spinnaker \
  --keystore $KEYSTORE_PATH \
  --keystore-password \
  --keystore-type jks \
  --truststore $KEYSTORE_PATH \
  --truststore-password \
  --truststore-type jks
hal config security api ssl enable

SERVER_CERT= # /path/to/server.crt
SERVER_KEY= # /path/to/server.key
hal config security ui ssl edit \
  --ssl-certificate-file $SERVER_CERT \
  --ssl-certificate-key-file $SERVER_KEY \
  --ssl-certificate-passphrase
hal config security ui ssl enable
Execute the below command to deploy Spinnaker with all the SSL settings:
hal deploy apply
To verify the SSL setup, make sure all the Spinnaker endpoints, such as Gate and Deck, are accessed over SSL.
To proceed further, one must choose an authentication method.