by Vardhan NS | last updated on April 21, 2023

Background 

Spinnaker instances often authenticate users with x.509 client certificates issued by a certificate authority (CA) that acts as the Identity Provider (IDP). Spin CLI is the command-line interface for accessing Spinnaker from a terminal rather than a browser. Through Spin CLI we can manage applications, pipelines, pipeline templates as code, projects, and canary configs, which makes it easier to automate the creation and modification of applications and pipelines. On Spinnaker instances where the IDP is an x.509 certificate authority and x.509 certificates are used for authentication, Spin CLI clients cannot access Spinnaker out of the box. Spin CLI can, however, be configured with an x.509 certificate and key to authenticate its calls against Spinnaker.

In this blog we show how to configure both the Spin CLI client and the Spinnaker instance so that Spin CLI can access Spinnaker using x.509 authentication.

Steps to configure Spin CLI to access Spinnaker using x.509 authentication

    1. Install Spin CLI on Ubuntu:

       curl -LO "https://storage.googleapis.com/spinnaker-artifacts/spin/$(curl -s https://storage.googleapis.com/spinnaker-artifacts/spin/latest)/linux/amd64/spin"
       chmod +x spin
       sudo mv spin /usr/local/bin/spin

    2. Expose spin-x509gate on port 8085 as a LoadBalancer service:

       a. Create a DNS record that points to the LoadBalancer DNS name of the spin-x509gate service (for AWS-based load balancers).
          Example: spin-x509gate.dev.system.io
       b. In the security group of the load balancer, allow only the required IP addresses.
       c. Get the DNS name of the spin-x509gate service load balancer.
       d. Edit the inbound rules and add a rule of type Custom TCP on port 8085 for the load balancer of the spin-x509gate service.

    3. Get tls.crt, tls.key and ca.crt locally:

       kubectl -n spinnaker get secret mtlscerts-secret -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
       kubectl -n spinnaker get secret mtlscerts-secret -o jsonpath='{.data.tls\.key}' | base64 -d > tls.key
       kubectl -n spinnaker get secret mtlscerts-secret -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt

       Note:
       a. Keep tls.crt and tls.key in a known path, for example /home/user/.spin
       b. Create a folder at the path below and store the CA certificate (ca.crt) in it:
          /usr/local/share/ca-certificates/shared

    4. Add that CA certificate to the system's trusted CA store:

       sudo update-ca-certificates

    5. Add the Gate endpoint and the TLS cert and key paths to the Spin CLI config:

       gate:
         endpoint: https://spin-x509gate.dev.system.io:8085
       auth:
         enabled: true
         x509:
           certPath: /home/user/.spin/tls.crt
           keyPath: /home/user/.spin/tls.key

    6. To use x.509 from the browser:
       Chrome -> Settings -> Security -> Certificates -> Import -> import the PKCS#12 file from the mtlpkcs12 secret, then go to https://spin-x509gate.dev.system.io:8085

    7. Test whether you can list Spinnaker applications using Spin CLI:

       spin applications list

    8. Manage applications with these commands:
       a. To create an application using Spin CLI:
          spin application save --application-name my-app --owner-email someone@example.com --cloud-providers "aws, kubernetes"
       b. To delete an application using Spin CLI:
          spin application delete my-app

    9. Manage pipelines with these commands:
       a. To list pipelines using Spin CLI:
          spin pipeline list --application my-app
       b. To create a pipeline using Spin CLI:
          spin pipeline save --file

    10. To delete a pipeline, the Spin CLI command is:
        spin pipeline delete --name my-pipeline --application my-app
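The script below is an added example and is not part of the original post or of the Spin CLI project. It ties the local side of steps 3, 4, 5 and 7 together on the workstation: it locks down the private key (anyone who can read tls.key can act as this Spin CLI user against Gate), optionally verifies with openssl that tls.crt chains to ca.crt and actually belongs to tls.key, writes the Spin CLI config (spin reads ~/.spin/config by default), and probes Gate with curl using the same mTLS material, which surfaces TLS and certificate problems before spin is involved. The endpoint and file paths are the post's example values; the function names are my own.

```shell
#!/bin/sh
# Added example: local Spin CLI x.509 setup helpers. Assumes tls.crt, tls.key
# and ca.crt have already been extracted from mtlscerts-secret (step 3) into
# the current directory. Endpoint below is the post's hypothetical host.
set -e

# Write the Spin CLI config: gate endpoint plus x509 cert/key paths.
# $1 = config file, $2 = gate endpoint, $3 = cert path, $4 = key path
write_spin_config() {
    cfg=$1; endpoint=$2; cert=$3; key=$4
    mkdir -p "$(dirname "$cfg")"
    cat > "$cfg" <<EOF
gate:
  endpoint: $endpoint
auth:
  enabled: true
  x509:
    certPath: $cert
    keyPath: $key
EOF
    chmod 600 "$cfg"
}

# Restrict the private key to its owner. Returns 1 if the file is missing.
harden_key_perms() {
    [ -f "$1" ] || { echo "missing key file: $1" >&2; return 1; }
    chmod 600 "$1"
}

# Octal mode of a file (GNU stat, matching the Ubuntu install in step 1).
file_mode() {
    stat -c %a "$1"
}

# Check the cert/key/CA trio with openssl: the client cert must chain to
# ca.crt and its public key must equal the one derived from tls.key.
# Returns 2 (skipped) when openssl is not installed, 1 on mismatch.
verify_client_cert() {
    cert=$1; key=$2; ca=$3
    command -v openssl >/dev/null 2>&1 || return 2
    openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$cert" -noout -enddate   # prints notAfter=... for a quick expiry check
}

# Probe Gate over mTLS with curl, hitting the same /applications resource
# that `spin applications list` uses. Fails on handshake or HTTP errors.
check_gate() {
    endpoint=$1; cert=$2; key=$3; ca=$4
    curl -sS --fail --cacert "$ca" --cert "$cert" --key "$key" \
        "$endpoint/applications" >/dev/null && echo "gate reachable via mTLS"
}

# Usage: `sh spin-x509-setup.sh run` from the directory holding the three files.
if [ "${1:-}" = "run" ]; then
    spin_dir="$HOME/.spin"
    endpoint="https://spin-x509gate.dev.system.io:8085"
    mkdir -p "$spin_dir"
    cp tls.crt tls.key "$spin_dir"/
    harden_key_perms "$spin_dir/tls.key"
    if verify_client_cert "$spin_dir/tls.crt" "$spin_dir/tls.key" ca.crt; then
        echo "certificate chains to ca.crt and matches tls.key"
    elif [ $? -eq 2 ]; then
        echo "openssl not installed; skipping certificate check" >&2
    else
        echo "tls.crt does not chain to ca.crt or does not match tls.key" >&2
        exit 1
    fi
    write_spin_config "$spin_dir/config" "$endpoint" "$spin_dir/tls.crt" "$spin_dir/tls.key"
    check_gate "$endpoint" "$spin_dir/tls.crt" "$spin_dir/tls.key" ca.crt
fi
```

The openssl check is deliberately placed before the config is written: a key that does not match the certificate, or a certificate signed by a different CA than the one Gate trusts, produces an opaque handshake failure from spin, whereas the check names the actual problem. The curl probe then exercises the same endpoint, CA file and client material that spin will use, so a failure there is a network or certificate issue rather than a Spin CLI configuration issue.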

Conclusion

In this article we have shown the steps to enable Spin CLI access to Spinnaker even when x.509 authentication is enabled. This should help you overcome the access issues that come from the certificate and Spin CLI configuration.

If you wish to streamline your continuous delivery or learn about other Spinnaker authentication methods, please read the following articles:

  1. Implementation of Basic Authentication for Prometheus and Alertmanager 
  2. Deploying Spinnaker in GKE with LDAP authentication
  3. Authentication for Spinnaker Services using x509 client certificate
  4. How to set up Mutual TLS (mTLS) Authentication for Spinnaker Services
  5. Configuring Spinnaker Authentication with Azure Active Directory
  6. SAML Authentication on Spinnaker using GSuite
  7. Spinnaker Authorization setup using GSuite

About OpsMx

Founded with the vision of “delivering software without human intervention,” OpsMx enables customers to transform and automate their software delivery processes. OpsMx builds on open-source Spinnaker and Argo with services and software that helps DevOps teams SHIP BETTER SOFTWARE FASTER.

Vardhan NS

Vardhan is a technologist and a marketing professional, currently working as a Sr. PMM at OpsMx. His strength lies in understanding complex technologies, and explaining them in un-complicated ways. Vardhan is a passionate Product Marketer with a keen focus on Content, helping brands Position themselves uniquely with clear messaging and competitive differentiation. Outside of work, he is an athlete that is passionate about Football, Swimming and Surfing.
