Setting up TLS for spinnaker microservices


Has anyone tried making Spinnaker use HTTPS for internal communication between the Spinnaker microservices?

Are there HTTPS-enabled images etc.? Halyard doesn’t seem to offer any help on this topic. Is the only alternative to deploy all the needed services ourselves?


Hmm, in order to do this for services other than Gate or Deck while continuing to use Halyard, you probably need to override the Spring Boot values yourself via the -local.yml files, and override the baseUrls for each service to include https.


That’s definitely one part. I’m more worried about getting the certificates in place.

I thought of two approaches:

  • mount the Tomcat/nginx etc. config and the certificate/CA as a volume
  • add a sidecar container that runs nginx in every pod and forwards HTTPS traffic to the service as plain HTTP

However, both approaches would require editing the k8s spec, which we don’t have access to since we deploy with Halyard.


This image:

from suggests that it should be possible, but how?


On phone here, so please forgive brevity. I'm going off old instructions here, so some of these options may have changed. The gist is to turn on TLS on each server with:

  server:
    port: 7002
    ssl:                          # Spring Boot server.ssl.* properties
      enabled: true
      keyStore: /path/to/config/spinnaker-keystore.p12
      keyStoreType: PKCS12
      keyStorePassword: super_top_secret
      trustStore: /path/to/config/spinnaker-truststore.p12
      trustStoreType: PKCS12
      trustStorePassword: super_top_secret_2
      clientAuth: need            # require and verify a client certificate

  legacyServerPort: 7101          # second, plain-HTTP listener

To tell client services to send certs, use:

  okHttpClient:                   # kork OkHttp client properties
    keyStore: /path/to/config/orca-client.p12
    keyStorePassword: top_secret
    trustStore: /path/to/config/services-truststore.p12
    propagateSpinnakerHeaders: true
    connectTimeoutMs: 60000
    readTimeoutMs: 60000

I remember seeing a PR recently that bumped the OkHttp client library version, so I hope these settings still apply.

That being said, I don’t know if halyard mounts the provided certs on each service, or just in Gate. Might be a good enhancement from the community.
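The two fragments above name PKCS12 keystores and truststores but not how to produce them, and the original question was mostly about getting the certificates in place. The following POSIX shell script is an added example, not code from this thread or from the Spinnaker project: it creates a private CA, a server certificate for one service, a client certificate for that service's outbound calls, and packs them into the keystore, truststore and client keystore files with the same names and passwords as the fragments. It assumes `openssl` is on PATH (`keytool` is used when present), and the CA name `spinnaker-ca`, the service name and the output directory are placeholders of mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Spinnaker project.
# Builds the PKCS12 keystore, truststore and client keystore that the
# server and client fragments above refer to, signed by a private CA.
# Assumptions (mine): openssl on PATH; keytool optional; "spinnaker-ca",
# the service name and the output directory are placeholders.
set -eu

# make_spinnaker_tls OUTDIR SERVICE KEYSTORE_PW TRUSTSTORE_PW
make_spinnaker_tls() (
  out=$1; svc=$2; ks_pw=$3; ts_pw=$4
  mkdir -p "$out"
  cd "$out"

  # 1. Private CA that signs every service and client certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=spinnaker-ca" -keyout ca.key -out ca.crt 2>/dev/null

  # 2. Server certificate. The SAN must match the host in the service's
  #    baseUrl, otherwise callers fail hostname verification.
  printf 'subjectAltName=DNS:%s,DNS:localhost\n' "$svc" > server.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$svc" \
    -keyout "$svc.key" -out "$svc.csr" 2>/dev/null
  openssl x509 -req -in "$svc.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile server.ext -out "$svc.crt" 2>/dev/null

  # 3. Client certificate the calling service presents (clientAuth: need).
  printf 'extendedKeyUsage=clientAuth\n' > client.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$svc-client" \
    -keyout "$svc-client.key" -out "$svc-client.csr" 2>/dev/null
  openssl x509 -req -in "$svc-client.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile client.ext -out "$svc-client.crt" 2>/dev/null

  # 4. Keystores: private key plus chain, protected by the keyStorePassword.
  openssl pkcs12 -export -name "$svc" -inkey "$svc.key" -in "$svc.crt" \
    -certfile ca.crt -passout "pass:$ks_pw" -out spinnaker-keystore.p12
  openssl pkcs12 -export -name "$svc-client" -inkey "$svc-client.key" \
    -in "$svc-client.crt" -certfile ca.crt -passout "pass:$ks_pw" -out "$svc-client.p12"

  # 5. Truststore: only the CA certificate, no private key. A JVM ignores
  #    cert-only PKCS12 entries that lack the Java trust attribute, so prefer
  #    keytool; OpenSSL 3.2+ can set that attribute itself with -jdktrust.
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias spinnaker-ca -file ca.crt \
      -keystore spinnaker-truststore.p12 -storetype PKCS12 -storepass "$ts_pw" >/dev/null 2>&1
  elif ! openssl pkcs12 -export -nokeys -name spinnaker-ca -in ca.crt \
         -jdktrust anyExtendedKeyUsage -passout "pass:$ts_pw" \
         -out spinnaker-truststore.p12 2>/dev/null; then
    openssl pkcs12 -export -nokeys -name spinnaker-ca -in ca.crt \
      -passout "pass:$ts_pw" -out spinnaker-truststore.p12
    echo "warning: older OpenSSL; import ca.crt into the truststore with keytool" >&2
  fi
  rm -f ./*.csr ./*.ext
)

# verify_spinnaker_tls OUTDIR SERVICE KEYSTORE_PW: 0 if both leaf certs chain
# to the CA and the keystore opens with the given password, non-zero otherwise.
verify_spinnaker_tls() {
  out=$1; svc=$2; ks_pw=$3
  openssl verify -CAfile "$out/ca.crt" "$out/$svc.crt" "$out/$svc-client.crt" >/dev/null 2>&1 &&
  openssl pkcs12 -in "$out/spinnaker-keystore.p12" -passin "pass:$ks_pw" -noout 2>/dev/null
}

# Usage: ./make-spinnaker-tls.sh orca super_top_secret super_top_secret_2
if [ "${1:-}" != "" ]; then
  make_spinnaker_tls ./spinnaker-tls "$1" "${2:-super_top_secret}" "${3:-super_top_secret_2}"
  verify_spinnaker_tls ./spinnaker-tls "$1" "${2:-super_top_secret}" && echo "ok: ./spinnaker-tls"
fi
```

Mount the resulting directory at the `/path/to/config/` location used in the fragments, and point `server.ssl.keyStore` at `spinnaker-keystore.p12`, `server.ssl.trustStore` at `spinnaker-truststore.p12`, and `okHttpClient.keyStore` at the `<service>-client.p12` file. Two caveats: the truststore must be readable as trusted entries by the JVM (hence the `keytool` preference above), and the server SAN has to match whatever host the `baseUrl` overrides mention, since an `https://` baseUrl that names a host absent from the certificate fails before any client certificate is even sent.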


@trissanen, I secured the Deck and Gate communication using SSL. I have deployed Traefik, which reverse-proxies the requests to the ingress and at the same time provides SSL, and then the ingress reverse-proxies the requests to the pod. In this way I am able to load balance and at the same time secure the communication between the UI and the API. And I use Halyard to override the URL in the config file. In this way there is no need to expose the microservices.