Setting up TLS for spinnaker microservices


#1

Has anyone tried making Spinnaker use HTTPS for internal communication between the Spinnaker microservices?

Are there https enabled images etc? Halyard doesn’t seem to offer any help in this topic. Is the only alternative to deploy all the needed services by ourselves?


#2

Hmm, in order to do this for services other than Gate or Deck while continuing to use Halyard, you probably need to override the Spring Boot values yourself via the -local.yml files, and override the baseUrls for each service to include https.


#3

That’s definitely one part. I’m more worried about getting the certificates in place.

I thought of two approaches:

  • mount the tomcat/nginx etc config and the certificate/ca as a volume
  • add a sidecar container that runs nginx in every pod and forwards https traffic to the service as normal http

However, both approaches would require editing the k8s spec, which we don’t have access to since we deploy with halyard.


#4

This image:

from https://www.spinnaker.io/setup/security/authorization/ suggests that it should be possible, but how?


#5

On phone here, so please forgive brevity. I’m going off old instructions here, so some of these options may have changed. The gist is to turn on TLS on each server with

server:
  port: 7002
  ssl:
    enabled: true
    keyStore: /path/to/config/spinnaker-keystore.p12
    keyStoreType: PKCS12
    keyStorePassword: super_top_secret
    trustStore: /path/to/config/spinnaker-truststore.p12
    trustStoreType: PKCS12
    trustStorePassword: super_top_secret_2
    clientAuth: need

default:
  legacyServerPort: 7101

To tell client services to send certs, use:

okHttpClient:
  keyStore: /path/to/config/orca-client.p12
  keyStorePassword: top_secret
  trustStore: /path/to/config/services-truststore.p12
  propagateSpinnakerHeaders: true
  connectTimeoutMs: 60000
  readTimeoutMs: 60000

I remember seeing a PR recently that bumped the OkHttp client library version, so I hope these settings still apply.

That being said, I don’t know if halyard mounts the provided certs on each service, or just in Gate. Might be a good enhancement from the community.
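The settings quoted above have to agree across every service pair: a `server.ssl.clientAuth: need` on one side is only satisfiable if the caller's `okHttpClient.keyStore` is set, an `https` baseUrl only works if the target actually has `server.ssl.enabled`, and a baseUrl left on plain `http` silently bypasses the TLS you just turned on. The script below is an added example, not code from this thread or from the Spinnaker or Halyard projects; it audits a set of per-service override values for exactly those mismatches. The dictionary layout (a `services.<name>.baseUrl` block per service), the service names and the keystore paths are constructed for illustration and are not Halyard's own structure.

```python
"""Cross-check TLS overrides for a set of Spring Boot style services.

Keys mirror the server.ssl and okHttpClient blocks from the thread; the
per-service layout, names and paths below are constructed sample data.
"""
import copy
from urllib.parse import urlparse

# Constructed sample: four services, three of which have a mismatch.
SERVICES = {
    "clouddriver": {
        "server": {"port": 7002, "ssl": {
            "enabled": True, "keyStore": "/opt/spinnaker/config/clouddriver-keystore.p12",
            "keyStorePassword": "placeholder", "trustStore": "/opt/spinnaker/config/truststore.p12",
            "clientAuth": "need"}},
        "okHttpClient": {"keyStore": "/opt/spinnaker/config/clouddriver-client.p12",
                         "trustStore": "/opt/spinnaker/config/truststore.p12"},
        "services": {},
    },
    "orca": {
        "server": {"port": 8083, "ssl": {
            "enabled": True, "keyStore": "/opt/spinnaker/config/orca-keystore.p12",
            "keyStorePassword": "placeholder", "trustStore": "/opt/spinnaker/config/truststore.p12",
            "clientAuth": "need"}},
        "okHttpClient": {"keyStore": "/opt/spinnaker/config/orca-client.p12",
                         "trustStore": "/opt/spinnaker/config/truststore.p12"},
        "services": {
            "clouddriver": {"baseUrl": "https://clouddriver:7002"},
            "echo": {"baseUrl": "http://echo:8089"},        # left on plain http
            "front50": {"baseUrl": "https://front50:8080"},
        },
    },
    "echo": {
        "server": {"port": 8089, "ssl": {
            "enabled": True, "keyStore": "/opt/spinnaker/config/echo-keystore.p12",
            "keyStorePassword": "placeholder", "trustStore": "/opt/spinnaker/config/truststore.p12",
            "clientAuth": "need"}},
        "okHttpClient": {"keyStore": "/opt/spinnaker/config/echo-client.p12",
                         "trustStore": "/opt/spinnaker/config/truststore.p12"},
        "services": {},
    },
    "front50": {
        "server": {"port": 8080, "ssl": {                  # clientAuth without a trustStore
            "enabled": True, "keyStore": "/opt/spinnaker/config/front50-keystore.p12",
            "keyStorePassword": "placeholder", "clientAuth": "need"}},
        "okHttpClient": {"trustStore": "/opt/spinnaker/config/truststore.p12"},  # no client cert
        "services": {"clouddriver": {"baseUrl": "https://clouddriver:7002"}},
    },
}


def check_server(name, cfg):
    """Findings about a service's own listener: can it terminate TLS as configured?"""
    findings = []
    ssl = cfg.get("server", {}).get("ssl", {})
    if not ssl.get("enabled"):
        return findings
    for key in ("keyStore", "keyStorePassword"):
        if not ssl.get(key):
            findings.append(f"{name}: server.ssl.enabled but server.ssl.{key} is missing")
    if ssl.get("clientAuth") == "need" and not ssl.get("trustStore"):
        findings.append(f"{name}: server.ssl.clientAuth=need but no server.ssl.trustStore "
                        "to validate client certificates")
    return findings


def check_links(services):
    """Findings about each caller -> target baseUrl against the target's listener."""
    findings = []
    for name, cfg in services.items():
        client = cfg.get("okHttpClient", {})
        for target, tcfg in cfg.get("services", {}).items():
            url = urlparse(tcfg["baseUrl"])
            tserver = services.get(target, {}).get("server", {})
            tssl = tserver.get("ssl", {})
            if url.scheme == "https":
                if not tssl.get("enabled"):
                    findings.append(f"{name} -> {target}: baseUrl is https but {target} "
                                    "has server.ssl.enabled unset")
                if not client.get("trustStore"):
                    findings.append(f"{name} -> {target}: https baseUrl but "
                                    "okHttpClient.trustStore is missing")
                if tssl.get("clientAuth") == "need" and not client.get("keyStore"):
                    findings.append(f"{name} -> {target}: {target} requires client "
                                    "certificates but okHttpClient.keyStore is missing")
            elif tssl.get("enabled"):
                findings.append(f"{name} -> {target}: {target} serves TLS but baseUrl "
                                "is still plain http")
            if tserver.get("port") and url.port and url.port != tserver["port"]:
                findings.append(f"{name} -> {target}: baseUrl port {url.port} differs "
                                f"from {target} server.port {tserver['port']}")
    return findings


def audit(services):
    """All findings, listener checks first, then the inter-service links."""
    findings = []
    for name, cfg in services.items():
        findings.extend(check_server(name, cfg))
    findings.extend(check_links(services))
    return findings


def corrected(services):
    """Sample repair of the three constructed mismatches, for comparison."""
    fixed = copy.deepcopy(services)
    fixed["front50"]["server"]["ssl"]["trustStore"] = "/opt/spinnaker/config/truststore.p12"
    fixed["front50"]["okHttpClient"]["keyStore"] = "/opt/spinnaker/config/front50-client.p12"
    fixed["orca"]["services"]["echo"]["baseUrl"] = "https://echo:8089"
    return fixed


if __name__ == "__main__":
    for line in audit(SERVICES):
        print("FINDING:", line)
    print("after fix:", audit(corrected(SERVICES)))
```

Running it prints the three constructed mismatches (front50 demanding client certs without a trustStore, orca still calling echo over plain http, and front50 calling clouddriver without a client keystore) and an empty list for the repaired copy. In a Halyard deployment the same values would come from each service's `-local.yml`, so the check is most useful run over those files before rolling the overrides out.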