SSL


SSL Overview

  • SSL (Secure Sockets Layer) is a security protocol that encrypts the connection between a web server and a client such as a browser.

  • In this chapter we learn how external parties communicate with a Spinnaker instance over SSL. This covers requests between

    1. Browser and Spinnaker UI (Deck)

    2. Deck and Gate (the API gateway)

    3. Client and Gate

Steps to Generate a Self-Signed Certificate

  • A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. In technical terms, a self-signed certificate is one signed with its own private key.

  • The instructions in this chapter use openssl to generate a self-signed CA key and certificate and then a server certificate.

  • Follow the instructions below to create the self-signed CA certificate:

    1. Run the command below to create the CA key:

      openssl genrsa -des3 -out ca.key 4096
    2. Run the command below to create the self-signed CA certificate from that key:

      openssl req -new -x509 -days 365 -key ca.key -out ca.crt

    Note: If an external CA certificate is being used, skip to the next section to enable it on Spinnaker.

Steps to Create Server Certificate

  • In this section we create a server key and certificate signing request, sign the request with the certificate authority, and import the resulting server certificate into a keystore.

    1. Run the command below to create the server key, and keep the key safe.

      openssl genrsa -des3 -out server.key 4096
    2. Run the command below to generate a certificate signing request for the server. Specify localhost or the fully qualified domain name of Gate as the Common Name.

          openssl req -new -key server.key -out server.csr
    3. Run the command below to sign the server's request with the CA. If an external CA is being used, the vendor performs this step.

          openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
    4. To make the server certificate importable, package it as a PKCS#12 (p12) keystore and then convert it to JKS.

    Note

    The p12 keystore file (server.p12 below) holds your server certificate and key under the alias “spinnaker”, protected by the key password $YOUR_KEY_PASSWORD.

    1. Run the command below to create the JKS file by importing the CA certificate:

      keytool -keystore keystore.jks -import -trustcacerts -alias ca -file ca.crt
    2. Run the command below to import the server certificate from the p12 file:

    $ keytool -importkeystore \
    -srckeystore server.p12 \
    -srcstoretype pkcs12 \
    -srcalias spinnaker \
    -srcstorepass $YOUR_KEY_PASSWORD \
    -destkeystore keystore.jks \
    -deststoretype jks \
    -destalias spinnaker \
    -deststorepass $YOUR_KEY_PASSWORD \
    -destkeypass $YOUR_KEY_PASSWORD
  • Spinnaker can now use this Java keystore, which holds both the certificate authority and the server certificate.
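  • The procedure above, scripted end to end, as an added example (not part of the original page or of the Spinnaker project): it runs the openssl steps without interactive prompts, adds a subjectAltName for the Gate host, checks offline that the server certificate chains to the CA, and, when keytool is available, packages the certificate and key as server.p12 (the step the note above refers to; the openssl pkcs12 command is the editor's assumption, not from the page) and imports both into keystore.jks. The passphrases, the CA name and the Gate host name are placeholders, and AES-256 is used for the private keys instead of the page's -des3.

```shell
#!/bin/sh
# Added example, not from the Spinnaker/OpsMx documentation: CA, server
# certificate and keystore steps scripted without prompts, plus an offline
# check of the result. Passphrases, CA name and Gate host are placeholders.
set -eu

CA_PASS="${CA_PASS:-changeit-ca}"            # placeholder CA key passphrase
KEY_PASS="${YOUR_KEY_PASSWORD:-changeit}"    # placeholder server key password
GATE_HOST="${GATE_HOST:-localhost}"          # Common Name and SAN for Gate

# CA key and self-signed CA certificate (AES-256 instead of the page's -des3)
make_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key 4096 2>/dev/null
  openssl req -new -x509 -days 365 -key ca.key -passin "pass:$CA_PASS" \
    -subj "/CN=Spinnaker Test CA" -out ca.crt
}

# Server key, CSR with the Gate host as CN, and CA-signed server certificate.
# A subjectAltName is added because browsers no longer match on the CN alone.
make_server_cert() {
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out server.key 4096 2>/dev/null
  openssl req -new -key server.key -passin "pass:$KEY_PASS" \
    -subj "/CN=$GATE_HOST" -out server.csr
  printf 'subjectAltName=DNS:%s\n' "$GATE_HOST" > san.ext
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
    -passin "pass:$CA_PASS" -CAcreateserial -extfile san.ext -out server.crt 2>/dev/null
}

# Offline check: chains to ca.crt, still valid in 24 h, and carries the Gate SAN.
verify_server_cert() {
  openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 &&
  openssl x509 -in server.crt -noout -checkend 86400 >/dev/null &&
  openssl x509 -in server.crt -noout -text | grep -q "DNS:$GATE_HOST"
}

# Package cert + key as PKCS#12 under alias "spinnaker" (assumed command, the
# page only describes the result), then build keystore.jks as in the page.
build_keystore() {
  openssl pkcs12 -export -clcerts -in server.crt -inkey server.key \
    -passin "pass:$KEY_PASS" -name spinnaker -out server.p12 -passout "pass:$KEY_PASS"
  keytool -keystore keystore.jks -storepass "$KEY_PASS" -noprompt \
    -import -trustcacerts -alias ca -file ca.crt
  keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 \
    -srcalias spinnaker -srcstorepass "$KEY_PASS" \
    -destkeystore keystore.jks -deststoretype jks -destalias spinnaker \
    -deststorepass "$KEY_PASS" -destkeypass "$KEY_PASS"
  # both aliases must be present: Halyard uses the file as keystore and truststore
  keytool -list -keystore keystore.jks -storepass "$KEY_PASS" | grep -q '^spinnaker,' &&
  keytool -list -keystore keystore.jks -storepass "$KEY_PASS" | grep -q '^ca,'
}

run_all() {
  CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
  cd "$CERT_DIR"
  make_ca
  make_server_cert
  verify_server_cert
  if command -v keytool >/dev/null 2>&1; then build_keystore; fi
  echo "certificates written to $CERT_DIR"
}

run_all
```

    Set GATE_HOST to the fully qualified domain name clients will use for Gate before running it; the script leaves the files in a fresh temporary directory (or in CERT_DIR if set) and exits non-zero at the first step whose output does not verify.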

Steps to Configure SSL for Gate and Deck

  • Run the commands below to enable SSL for Gate and for Deck; Halyard is used for both. The password flags are given without a value so that Halyard prompts for the secret instead of recording it in the shell history.

  • For Gate:

    KEYSTORE_PATH= # /path/to/keystore.jks
    hal config security api ssl edit \
    --key-alias spinnaker \
    --keystore $KEYSTORE_PATH \
    --keystore-password \
    --keystore-type jks \
    --truststore $KEYSTORE_PATH \
    --truststore-password \
    --truststore-type jks
    hal config security api ssl enable
  • For Deck:

    SERVER_CERT= # /path/to/server.crt
    SERVER_KEY= # /path/to/server.key
    
    hal config security ui ssl edit \
    --ssl-certificate-file $SERVER_CERT \
    --ssl-certificate-key-file $SERVER_KEY \
    --ssl-certificate-passphrase
    
    hal config security ui ssl enable

Steps to Deploy Spinnaker with SSL

  • Run the command below to deploy Spinnaker with the SSL settings:

    hal deploy apply

Verify SSL Setup

  • To verify the SSL setup, access all the Spinnaker endpoints, such as Gate and Deck, over SSL and confirm that the connections succeed.
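  • One way to automate that check, as an added example that is not part of the original page or of the Spinnaker project: it runs openssl s_client against an endpoint with ca.crt as the trust anchor and reads the "Verify return code" line, so the result is a pass/fail exit status rather than a browser padlock. Host names, ports and the path to ca.crt are placeholders (Gate's default port 8084 and Deck's 9000 are the editor's assumption), and the sample s_client output in the block is constructed to exercise the parser offline.

```shell
#!/bin/sh
# Added example, not from the Spinnaker/OpsMx documentation: checks that a
# Gate or Deck endpoint answers over TLS with a certificate chaining to ca.crt.
set -eu

# Extract the numeric verify code from s_client output; 0 means the chain
# validated against the CA file handed to s_client.
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# Succeed only when the chain verified; otherwise report why and fail.
tls_output_ok() {
  code=$(verify_code)
  case "$code" in
    0)  return 0 ;;
    "") echo "no TLS handshake result found" >&2; return 1 ;;
    *)  echo "certificate verification failed (verify return code $code)" >&2; return 1 ;;
  esac
}

# Live check: HOST PORT CAFILE. -servername sends SNI so the endpoint serves the
# right certificate; -verify_return_error aborts the handshake on chain errors.
check_endpoint() {
  printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" \
    -CAfile "$3" -verify_return_error 2>&1 | tls_output_ok
}

# Constructed s_client output (not a real capture) to exercise the parser offline.
SAMPLE_OK='depth=1 CN = Spinnaker Test CA
verify return:1
depth=0 CN = localhost
verify return:1
---
    Verify return code: 0 (ok)
---'
if printf '%s\n' "$SAMPLE_OK" | tls_output_ok; then
  echo "parser accepts a verified handshake"
fi

# Placeholder usage, assumed default ports for Gate and Deck:
#   check_endpoint gate.example.invalid 8084 /path/to/ca.crt
#   check_endpoint deck.example.invalid 9000 /path/to/ca.crt
```

    Run check_endpoint once per endpoint after hal deploy apply; a non-zero exit with "verify return code 21" means the endpoint serves a certificate that does not chain to the CA in ca.crt, and an empty result means no TLS handshake completed at all (wrong port or SSL not enabled).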

Next Steps

  • To proceed further, choose an authentication method:

  • OAuth 2.0

  • SAML

  • LDAP

  • X.509
