Expose x.509 enabled Spinnaker API endpoints for Spin CLI access

Spinnaker Authentication using x.509 certificates

Background 

Many Spinnaker installations authenticate users with x.509 client certificates issued by an internal certificate authority (CA) that acts as the identity provider (IdP). Spin CLI is the command-line interface for working with Spinnaker from a terminal rather than a browser: it manages applications, pipelines, pipeline templates as code, projects and canary configs, and makes it easy to automate the creation and modification of applications and pipelines. Against an instance that requires x.509 client certificates, a Spin CLI installation with its default configuration cannot authenticate to Gate and its calls fail. Spin CLI does, however, support x.509: once it is given the client certificate and key, it presents them on every call to Spinnaker.

In this post we show how to configure both the Spinnaker instance and the Spin CLI client so that Spin CLI can reach Spinnaker using x.509 authentication.

Steps to configure Spin CLI to access Spinnaker using X.509 authentication

    1. Install Spin CLI on Linux (Ubuntu):

      curl -LO "https://storage.googleapis.com/spinnaker-artifacts/spin/$(curl -s https://storage.googleapis.com/spinnaker-artifacts/spin/latest)/linux/amd64/spin"
      chmod +x spin
      sudo mv spin /usr/local/bin/spin

    2. Expose the spin-x509gate service on port 8085 as a LoadBalancer.
    3. Create a DNS record that points to the LoadBalancer DNS name of the spin-x509gate service (for AWS-based load balancers).
       Example: spin-x509gate.dev.system.io
           a. Get the DNS name of the spin-x509gate service's load balancer.
           b. In the security group attached to that load balancer, edit the inbound rules.
           c. Add an inbound rule of type Custom TCP, port 8085, whose source is limited to the IP addresses or CIDRs that need Spin CLI access rather than 0.0.0.0/0. The client certificate authenticates the caller, but the allow-list limits who can attempt a handshake against Gate at all.
    4. Copy tls.crt, tls.key and ca.crt from the Kubernetes secret to the machine running Spin CLI:

      kubectl -n spinnaker get secret mtlscerts-secret -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
      kubectl -n spinnaker get secret mtlscerts-secret -o jsonpath='{.data.tls\.key}' | base64 -d > tls.key
      kubectl -n spinnaker get secret mtlscerts-secret -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
      Note:
          a. Keep tls.crt and tls.key in a known path, for example /home/user/.spin, and restrict the key to its owner (chmod 600 tls.key): anyone who can read it can authenticate to Spinnaker as that certificate's subject.
          b. Create the folder below and store the CA certificate in it. update-ca-certificates only picks up files with a .crt extension from under /usr/local/share/ca-certificates:
              /usr/local/share/ca-certificates/shared

    5. Add that CA certificate to the system's trusted CA store, so that Spin CLI accepts the server certificate presented by the x509 Gate endpoint:

      sudo update-ca-certificates

    6. Add the Gate endpoint and the client certificate and key paths to the Spin CLI config (by default ~/.spin/config). certPath and keyPath must be indented under x509:
      gate:
        endpoint: https://spin-x509gate.dev.system.io:8085
      auth:
        enabled: true
        x509:
          certPath: /home/user/.spin/tls.crt
          keyPath: /home/user/.spin/tls.key
    7. To use x509 from the browser:
      Chrome -> Settings -> Security -> Certificates -> Import -> import the PKCS#12 bundle from the mtlpkcs12 secret
      Then open https://spin-x509gate.dev.system.io:8085
    8. Test that you can list Spinnaker applications with Spin CLI:
      spin applications list
    9. Manage applications with these commands:
      a. Create an application:
           spin application save --application-name my-app --owner-email someone@example.com --cloud-providers "aws, kubernetes"
      b. Delete an application:
           spin application delete my-app
    10. Manage pipelines with these commands:
      a. List the pipelines of an application:
           spin pipeline list --application my-app
      b. Create or update a pipeline from a JSON definition:
           spin pipeline save --file <path-to-pipeline.json>
    11. Delete a pipeline:
      spin pipeline delete --name my-pipeline --application my-app
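The procedure above, steps 4 to 6 and 8, as one added shell script. This is an example written for this page, not code from the OpsMx post, Spinnaker or Spin CLI. Besides copying the files, trusting the CA and rendering ~/.spin/config, it adds the checks a practitioner wants before blaming spin for a failed call: the key file is private to its owner, the client certificate chains to the CA, the key actually belongs to the certificate, the certificate is not about to expire, and a curl probe of the mTLS handshake against Gate's /applications endpoint. The namespace spinnaker, secret mtlscerts-secret, host spin-x509gate.dev.system.io, port 8085 and the /usr/local/share/ca-certificates/shared folder are taken from the post's examples; the filename spinnaker-ca.crt and the script name are chosen here, and Gate's server certificate is assumed to be issued by the CA in ca.crt.

```shell
#!/usr/bin/env bash
# Added example (not from the OpsMx post): fetch the Spin CLI client cert, key
# and CA from the Kubernetes secret, trust the CA, render ~/.spin/config and
# verify the mTLS setup before the first `spin` call.
# Assumed names, following the post: namespace spinnaker, secret
# mtlscerts-secret, Gate at https://spin-x509gate.dev.system.io:8085.
set -eu

SPIN_DIR="${SPIN_DIR:-${HOME:-/root}/.spin}"
GATE_ENDPOINT="${GATE_ENDPOINT:-https://spin-x509gate.dev.system.io:8085}"

# Step 4: extract tls.crt, tls.key and ca.crt. The private key is written with
# mode 600 so other users on the box cannot authenticate as you.
fetch_certs_from_secret() {
  local ns="$1" secret="$2" dest="$3"
  mkdir -p "$dest"
  kubectl -n "$ns" get secret "$secret" -o 'jsonpath={.data.tls\.crt}' | base64 -d > "$dest/tls.crt"
  kubectl -n "$ns" get secret "$secret" -o 'jsonpath={.data.tls\.key}' | base64 -d > "$dest/tls.key"
  kubectl -n "$ns" get secret "$secret" -o 'jsonpath={.data.ca\.crt}'  | base64 -d > "$dest/ca.crt"
  chmod 600 "$dest/tls.key"
}

# Step 5: update-ca-certificates only picks up *.crt files under
# /usr/local/share/ca-certificates, so the copy keeps that extension.
trust_ca() {
  sudo install -D -m 644 "$1" /usr/local/share/ca-certificates/shared/spinnaker-ca.crt
  sudo update-ca-certificates
}

# Step 6: render the Spin CLI config. certPath/keyPath must sit under x509;
# at the same indentation as x509 they are not read as x509 settings.
render_spin_config() {
  cat <<EOF
gate:
  endpoint: $1

auth:
  enabled: true
  x509:
    certPath: $2
    keyPath: $3
EOF
}

# Checks to run before the first spin call. Each failure names a cause that
# otherwise surfaces only as a generic TLS handshake error.
preflight() {
  local cert="$1" key="$2" ca="$3" mode
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "preflight: cannot read $f" >&2; return 1; }
  done
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case "$mode" in
    600|400) ;;
    *) echo "preflight: $key is mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
  # The client certificate must chain to the CA that Gate trusts.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "preflight: $cert does not chain to $ca" >&2; return 1; }
  # The private key must belong to the certificate (a common mix-up after renewals).
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "preflight: $key does not match $cert" >&2; return 1; }
  # Fail a day ahead of expiry instead of discovering it in a pipeline.
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
    || { echo "preflight: $cert expires within 24h" >&2; return 1; }
}

# Step 8, before spin: exercise the handshake with curl and print the HTTP
# status. 401/403 means TLS succeeded but the certificate's subject is not
# authorised in Spinnaker; a TLS alert means Gate rejected the certificate
# or its chain.
check_gate() {
  curl -sS -o /dev/null -w '%{http_code}\n' \
    --cacert "$3" --cert "$1" --key "$2" "$GATE_ENDPOINT/applications"
}

main() {
  fetch_certs_from_secret spinnaker mtlscerts-secret "$SPIN_DIR"
  trust_ca "$SPIN_DIR/ca.crt"
  preflight "$SPIN_DIR/tls.crt" "$SPIN_DIR/tls.key" "$SPIN_DIR/ca.crt"
  render_spin_config "$GATE_ENDPOINT" "$SPIN_DIR/tls.crt" "$SPIN_DIR/tls.key" > "$SPIN_DIR/config"
  echo "gate returned HTTP $(check_gate "$SPIN_DIR/tls.crt" "$SPIN_DIR/tls.key" "$SPIN_DIR/ca.crt")"
  spin applications list
}

# Run as: ./spin-x509-setup.sh setup   (needs kubectl, openssl, curl and sudo)
if [ "${1:-}" = "setup" ]; then main; fi
```

Run it once per workstation. If preflight passes but check_gate prints 403, the certificate is accepted by Gate and the remaining problem is authorization (the subject or its groups are not permitted), which no change to the Spin CLI config will fix.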

Conclusion

In this article we have shown the steps needed for Spin CLI to reach Spinnaker when x.509 authentication is enabled: distribute the client certificate, key and CA to the client, trust the CA on that machine, and point the Spin CLI config at the x509 Gate endpoint with the certificate and key paths.

If you wish to streamline your Continuous Delivery and learn about other Spinnaker authentication methods, please read the following articles:

  1. Implementation of Basic Authentication for Prometheus and Alertmanager 
  2. Deploying Spinnaker in GKE with LDAP authentication
  3. Authentication for Spinnaker Services using x509 client certificate
  4. How to set up Mutual TLS (mTLS) Authentication for Spinnaker Services
  5. Configuring Spinnaker Authentication with Azure Active Directory
  6. SAML Authentication on Spinnaker using GSuite
  7. Spinnaker Authorization setup using GSuite

If you want to know more about the Spinnaker or request a demonstration, please book a meeting with us.


OpsMx is a leading provider of Continuous Delivery solutions that help enterprises safely deliver software at scale and without any human intervention. We help engineering teams take the risk and manual effort out of releasing innovations at the speed of modern business. For additional information, contact us.
