OpsMx
How to set up Mutual TLS (mTLS) Authentication for Spinnaker Services
Spinnaker services communicate and exchange sensitive data with each other. When TLS (Transport Layer Security) is enabled between the services, all of this data is encrypted in transit, and communication between services happens only when they present valid certificates.
Mutual authentication, or two-way authentication, refers to two parties authenticating each other at the same time. Enabling Mutual TLS (mTLS) provides an additional layer of security for the Spinnaker services, as only validated clients can interact with them.
When a client connects to a server:
  1. The server responds with its certificate, signed by a valid CA (certificate authority), and the client validates it.
  2. The server requests a certificate from the client and validates it after receiving it.

How to create certificates for mutual tls using cert-manager?

To enable mutual TLS, you need to get a certificate (a type of file) from a Certificate Authority (CA). The cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of CA (certificate authorities) sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self-signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry. Here’s how you can create certificates using the cert-manager:

Pre-requisites:

Kubernetes, cert-manager

Steps:

1. Create a cluster issuer to issue self-signed certificates using the YAML below, applied with kubectl create -f as shown:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
```

```bash
kubectl create -f clusterissuer.yml
kubectl get clusterissuer
```
2. Create a certificate authority (CA) certificate that uses the above self-signed issuer. Change the namespace below to the namespace where Spinnaker is installed. Also, include any other Subject Alternative Names in the dnsNames field.

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: mtlsca
  namespace: spintest
spec:
  secretName: cacert
  isCA: true
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
  commonName: mtlsca
  dnsNames:
    - "*.spintest.svc"
    - localhost
```

```bash
kubectl create -f cacert.yml
kubectl -n spintest get certs
kubectl -n spintest get secret
```
3. Create a certificate authority issuer that uses the above CA certificate. Change the namespace below to the namespace where Spinnaker is installed.

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: caissuer
  namespace: spintest
spec:
  ca:
    secretName: cacert
```

```bash
kubectl -n spintest create -f caissuer.yml
kubectl -n spintest get issuer
```
4. Create a certificate using the caissuer. Change the namespace below to the namespace where Spinnaker is installed. Also, change the dnsNames. This expects a PKCS12 passphrase in a secret called passphrasesecret:

```bash
kubectl -n spintest create secret generic passphrasesecret --from-literal=passphrase=mysecrepassphrase
```

This secret will be used later in configuring the Spinnaker files.

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: mtlscerts-pkcs12
  namespace: spintest
spec:
  secretName: mtlscerts-pkcs12
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  commonName: spintest.svc
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        name: passphrasesecret
        key: passphrase
  dnsNames:
    - "*.spintest.svc"
    - localhost
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth
  issuerRef:
    name: caissuer
    kind: Issuer
```

```bash
kubectl create -f mtlscerts.yml
kubectl -n spintest get certs
# the secret should show ca.crt, tls.crt, tls.key and keystore.p12
kubectl -n spintest get secret mtlscerts-pkcs12 -o yaml
kubectl -n spintest get secret mtlscerts-pkcs12 -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
```
5. From the clouddriver pod, get the cacerts file, import the CA certificate into it and store it as a secret:

```bash
kubectl -n spintest cp clouddriverpod:/etc/ssl/certs/java/cacerts cacerts
# prompts for the keystore password; the Java default for cacerts is changeit
keytool -import -file ca.crt -keystore cacerts
kubectl -n spintest create secret generic cacerts --from-file=cacerts
```
6. Make the following changes in Spinnaker by exec-ing into the halyard pod:
  • In /home/spinnaker/.hal/default/service-settings, change svc.yml (for example echo.yml, clouddriver.yml) to mount the secrets onto the service and change overrideBaseUrl from http to https. Change the service name, namespace and port accordingly:

```yaml
kubernetes:
  volumes:
    - id: cacerts
      mountPath: /etc/ssl/certs/java
      type: secret
      readOnly: true
    - id: mtlscerts-pkcs12
      mountPath: /pkcs12
      type: secret
      readOnly: true
overrideBaseUrl: https://spin-clouddriver.spintest.svc:7002
```

  • In /home/spinnaker/.hal/default/profiles, change svc-local.yml (for example echo-local.yml, clouddriver-local.yml) to add https to server and okHttpClient:

```yaml
server:
  port: 7002
  ssl:
    enabled: true
    keyStore: /pkcs12/keystore.p12
    keyStoreType: PKCS12
    keyStorePassword: changeit # from the passphrase secret
    trustStore: /etc/ssl/certs/java/cacerts
    trustStoreType: JKS
    trustStorePassword: changeit # password of the cacerts keystore (Java default is changeit)
    clientAuth: need
okHttpClient:
  keyStore: /pkcs12/keystore.p12
  keyStorePassword: changeit # from the passphrase secret
  trustStore: /etc/ssl/certs/java/cacerts
  propagateSpinnakerHeaders: true
  connectTimeoutMs: 60000
  readTimeoutMs: 60000
```
7. Run hal deploy apply after you are done.
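Before running hal deploy apply, it helps to confirm that the three pieces above agree with each other. The following added Python check (not OpsMx or Spinnaker code) takes the step 4 Certificate spec, the step 6 service-settings and the -local.yml profile as constructed dicts and flags the mismatches that silently break mTLS: a certificate lacking either server auth or client auth, a clientAuth other than need, keystore paths outside a mounted secret, or an overrideBaseUrl that is not https on the server port.

```python
from urllib.parse import urlparse

# Constructed inputs mirroring the page's step 4 Certificate, step 6 service-settings and
# the service's -local.yml, written as dicts so the check needs no YAML library.
CERT_SPEC = {
    "keystores": {"pkcs12": {"create": True,
                             "passwordSecretRef": {"name": "passphrasesecret", "key": "passphrase"}}},
    "usages": ["digital signature", "key encipherment", "server auth", "client auth"],
}
SERVICE_SETTINGS = {
    "kubernetes": {"volumes": [
        {"id": "cacerts", "mountPath": "/etc/ssl/certs/java", "type": "secret", "readOnly": True},
        {"id": "mtlscerts-pkcs12", "mountPath": "/pkcs12", "type": "secret", "readOnly": True}]},
    "overrideBaseUrl": "https://spin-clouddriver.spintest.svc:7002",
}
LOCAL_PROFILE = {
    "server": {"port": 7002, "ssl": {
        "enabled": True, "keyStore": "/pkcs12/keystore.p12", "keyStoreType": "PKCS12",
        "trustStore": "/etc/ssl/certs/java/cacerts", "trustStoreType": "JKS", "clientAuth": "need"}},
    "okHttpClient": {"keyStore": "/pkcs12/keystore.p12", "trustStore": "/etc/ssl/certs/java/cacerts"},
}

def _mounted(path, volumes):  # is `path` inside one of the halyard volume mountPaths?
    return any(path.startswith(v["mountPath"].rstrip("/") + "/") for v in volumes)

def check_mtls(cert, settings, profile):
    """Return a list of misconfigurations; an empty list means the three pieces agree."""
    problems = []
    # One keystore serves inbound (server.ssl) and outbound (okHttpClient) traffic, so it needs both EKUs.
    missing = {"server auth", "client auth"} - set(cert.get("usages", []))
    if missing:
        problems.append(f"certificate usages lack {sorted(missing)}")
    p12 = cert.get("keystores", {}).get("pkcs12", {})
    if not (p12.get("create") and p12.get("passwordSecretRef")):
        problems.append("keystores.pkcs12 must be created with a passwordSecretRef")
    ssl = profile["server"]["ssl"]
    if not ssl.get("enabled"):
        problems.append("server.ssl.enabled is not true")
    if ssl.get("clientAuth") != "need":  # 'want' or unset admits clients without a certificate
        problems.append(f"server.ssl.clientAuth is {ssl.get('clientAuth')!r}, expected 'need'")
    vols = settings["kubernetes"]["volumes"]
    for section, cfg in (("server.ssl", ssl), ("okHttpClient", profile["okHttpClient"])):
        for key in ("keyStore", "trustStore"):
            if not _mounted(cfg.get(key, ""), vols):
                problems.append(f"{section}.{key} {cfg.get(key)!r} is not under a mounted secret")
    url = urlparse(settings.get("overrideBaseUrl", ""))
    if url.scheme != "https" or url.port != profile["server"]["port"]:
        problems.append(f"overrideBaseUrl {settings.get('overrideBaseUrl')!r} must be https on port {profile['server']['port']}")
    return problems
```

Run it against your own three files (parsed with any YAML loader) before applying the deployment; an empty list means the certificate, the mounts and the Spring/okHttp settings line up.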
Conclusion:
After applying the above configuration changes to your Spinnaker deployment, Mutual TLS (mTLS) authentication for the Spinnaker services is enabled, so that they communicate securely with each other over the network.