SSL
SSL Overview
- SSL (Secure Socket Layer) is a security protocol that encrypts the connections established between a web server and its clients (browsers). 
- In this chapter, we learn how to secure the communication between external parties and a Spinnaker instance, which may be any of the following: 
  - Browser and Spinnaker UI (Deck) 
  - Deck and Gate (API gateway) 
  - Client and Gate 
 
Steps to Generate Self Signed Cert
- A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. In technical terms, a self-signed certificate is one signed with its own private key. 
- The instructions in this chapter let the user generate a self-signed certificate key and a server certificate; openssl is used for all steps. 
- Follow the instructions below to create a self-signed certificate. 
- Execute the command below to create the CA key: 
  openssl genrsa -des3 -out ca.key 4096
- Execute the command below to self-sign the CA certificate: 
  openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  - Note: If an external CA certificate is being used, skip to the next section to enable it on Spinnaker. 
Steps to Create Server Certificate
- In this section we create a server key and certificate and have the Certificate Authority from the previous section sign it. 
- Execute the command below to create the server key, and keep it safe: 
  openssl genrsa -des3 -out server.key 4096
- Execute the command below to generate a certificate signing request for the server. Make sure to specify localhost or the Fully Qualified Domain Name of Gate as the Common Name: 
  openssl req -new -key server.key -out server.csr
- Execute the command below to have the CA sign the server's request. If an external CA is being used, the vendor takes care of this step: 
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
- To bring the server certificate into an importable format, convert it to a JKS keystore. 
  - Note: This creates a p12 keystore file with your certificate imported under the alias "spinnaker" with the key password $YOUR_KEY_PASSWORD. 
- Execute the command below to create the JKS file by importing the CA certificate: 
  keytool -keystore keystore.jks -import -trustcacerts -alias ca -file ca.crt
- To import the server certificate, execute the command below: 
  keytool -importkeystore \
    -srckeystore server.p12 \
    -srcstoretype pkcs12 \
    -srcalias spinnaker \
    -srcstorepass $YOUR_KEY_PASSWORD \
    -destkeystore keystore.jks \
    -deststoretype jks \
    -destalias spinnaker \
    -deststorepass $YOUR_KEY_PASSWORD \
    -destkeypass $YOUR_KEY_PASSWORD
- Spinnaker is now ready to use the Java keystore, which holds both the certificate authority and the server certificate. 
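The following script is an added example, not part of the original page or of Spinnaker. It reproduces the CA and server certificate steps above and then checks what the page leaves implicit: that server.crt really chains to ca.crt, that the Common Name is the one requested, and that a certificate is rejected against an unrelated CA. To run unattended it deviates from the page in three labelled ways: keys are unencrypted (no -des3), subjects are passed with -subj instead of prompts, and the PKCS#12 export (the p12 file the note above refers to but does not show) is an assumed command form with the alias "spinnaker". The CA names and the password "changeit" are constructed values.

```shell
#!/bin/sh
# Added example (not from the page): build the CA -> server chain from the
# instructions above and verify it with openssl. Deviations for unattended use:
# no -des3 passphrase on keys, -subj instead of interactive prompts, 2048-bit keys.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA key + self-signed CA certificate ($1 = file prefix, $2 = CA common name).
make_ca() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null &&
  openssl req -new -x509 -days 365 -key "$1.key" -subj "/CN=$2" -out "$1.crt"
}

# Server key + CSR, then signed by the CA ($1 = prefix, $2 = CN, $3 = CA prefix).
# As the page says, the CN must be localhost or the FQDN of Gate.
make_server() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null &&
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" &&
  openssl x509 -req -days 365 -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
    -CAcreateserial -out "$1.crt" 2>/dev/null
}

# Assumed form of the PKCS#12 export the page's note refers to but does not show
# ($1 = server prefix, $2 = password); alias "spinnaker" as in that note.
make_p12() {
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -name spinnaker \
    -out "$1.p12" -passout "pass:$2"
}

# Exit 0 if the server certificate chains to the given CA, non-zero otherwise.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print the CN of a PEM certificate ($1 = file).
cert_cn() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=//'; }

# Print the friendly name (alias) stored with the certificate in a p12 ($1 = file, $2 = password).
p12_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    sed -n 's/^ *friendlyName: //p'
}

make_ca "$WORK/ca" "Spinnaker Test CA"          # constructed CA name
make_ca "$WORK/other-ca" "Unrelated CA"         # a CA that did not sign the server
make_server "$WORK/server" localhost "$WORK/ca"
make_p12 "$WORK/server" changeit                # constructed password
verify_chain "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt chains to ca.crt"
verify_chain "$WORK/other-ca.crt" "$WORK/server.crt" || echo "rejected against the unrelated CA"
```

The same verify_chain check, run against the keystore's CA certificate, is a quick way to confirm an externally issued server certificate before importing it.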
Steps to Configure SSL for Gate and Deck
- Execute the commands below, separately for Gate and for Deck, to enable SSL. Halyard is used for both. 
- For Gate: 
  KEYSTORE_PATH= # /path/to/keystore.jks
  hal config security api ssl edit \
    --key-alias spinnaker \
    --keystore $KEYSTORE_PATH \
    --keystore-password \
    --keystore-type jks \
    --truststore $KEYSTORE_PATH \
    --truststore-password \
    --truststore-type jks
  hal config security api ssl enable
- For Deck: 
  SERVER_CERT= # /path/to/server.crt
  SERVER_KEY= # /path/to/server.key
  hal config security ui ssl edit \
    --ssl-certificate-file $SERVER_CERT \
    --ssl-certificate-key-file $SERVER_KEY \
    --ssl-certificate-passphrase
  hal config security ui ssl enable
Steps to Deploy Spinnaker with SSL
- Execute the command below to deploy Spinnaker with all the SSL settings applied: 
  hal deploy apply
Verify SSL Setup
- To verify the SSL setup, make sure that every Spinnaker endpoint, such as Gate and Deck, is reachable over HTTPS and presents the configured server certificate. 
Next Steps
- To proceed further, one must choose an authentication method: 
- OAuth 2.0 
- SAML 
- LDAP 
- X.509 