Spinnaker authentication using IAP

#1

We are trying to enable authentication in Spinnaker using IAP.

  • Spinnaker is deployed in GKE using HAL
  • Deck and Gate are exposed to different domains using Ingress and HTTPS is enabled for both.
  • IAP is enabled and credential is created.
  • HAL configurations for IAP have been done and redeployed. BaseURLs for UI & API have been set.
  • CORS pattern is set to the UI URL.

Now when I try to open the application, initially the redirect to https://accounts.google.com/o/oauth2/v2/auth?.… fails a few times (CORS error) before sending me to the login page. Once logged in, my name appears in the welcome page of Spinnaker. After this stage all API (Gate) calls are failing with a CORS error (Access to XMLHttpRequest at ‘https://spinnaker-api.abc.com/webhooks/preconfigured’ from origin ‘https://spinnaker.abc.com’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.). The same issue occurs with the Applications call as well.

We have set the baseURLs for UI as well as API. So ideally CORS should have been taken care of.

Any help would be highly appreciated.

Thanks!

#2

@sweetib Hi… I saw a few posts by you that say you have configured IAP for Spinnaker. Could you please give me directions on it? Thanks!!!

#3

@bhavith I followed the official halyard commands as mentioned here https://www.spinnaker.io/reference/halyard/commands/#hal-config-security-authn-iap

Though we were not able to take IAP to production setup as it was having some bugs https://github.com/spinnaker/spinnaker/issues/3213

If you have not enabled Fiat it should be fine. But I have done this on a GCE deployment of Spinnaker, not GKE. On the load balancer that you have exposed your Gate/Deck service on, you need to enable IAP. IAP is only supported on the HTTPS global LB on GCP as far as I know.

#4

Thanks @sweetib!!! Your inputs helped. I had to edit the .hal/default/service-settings/deck.yml file to make the /gate proxy available.

#5

Hi @bhavith can you give more details on your implementation?
I’m currently having the same setup as you: Spinnaker running on GKE, exposing Deck and Gate under an Ingress with 2 NodePort services. Currently, I can only enable IAP for Deck.

Also, how can you authenticate to the gate from outside (for example from a webhook)? Do you need to attach any token with the request?

#6

Hi harry,
The ingress you created for Gate is not required. Deck has an endpoint /gate that you can activate and use. The API URL will be https://DECKURL/gate.

To enable the /gate endpoint, edit the file .hal/default/service-settings/deck.yml
Reference: https://github.com/helm/charts/commit/5a95accf98734a2c301ba40045184281f0ddb5b2#diff-1f4ada09744f95decb1cb95f5c0f43bb

Ensure that you enable IAP from halyard.

There are a few endpoints which are open, e.g. the webhook. So what we did was create an nginx deployment in the same cluster and forward the traffic to the Gate pod, and only to that specific endpoint.

Regards,
Bhavith

#7

Been trying to enable IAP auth and running into some similar issues – when the Gate endpoint is called I end up with a 502. Disabling IAP in Spinnaker, I’m able to access Spinnaker (Deck) but API requests fail due to CORS policy issues.

Deck spinnaker.domain.com
Gate spinnaker-api.domain.com

I have IAP enabled in GCP for both endpoints above ^
I get a bunch of redirects and CORS violation errors and eventually a 502 when IAP is enabled via hal.

The file referenced above as .hal/default/service-settings/deck.yml does not exist in my hal setup.

This seems to be the case even if using OAuth2 instead of IAP (with Google), so it could be some kind of proxy-related stuff – not really sure where to look to debug it.

#8

Hi,

There is an internal endpoint in deck using which you can access Gate. So set the Gate URL as spinnaker.domain.com/gate. This way you won’t get the CORS error.

No need to expose Gate using another Ingress and IAP is only required on the Deck endpoint.

Create the deck.yml in the mentioned location (.hal/default/service-settings). And execute “hal deploy apply”. This will create the /gate endpoint in the deck.

Content of deck.yml should be:
env:
  API_HOST: http://spin-gate.{{ .Release.Namespace }}:8084

Ensure that you enable IAP using hal and set the JWT header.

Bhavith
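The deck.yml above is written with a Helm template variable for the namespace. As an added example (not from the thread, and not Halyard's or Spinnaker's own documentation), here is the same service-settings override written for a Halyard-managed install, assuming Spinnaker lives in a namespace named spinnaker and Gate listens on its default port 8084. Deck's nginx proxies /gate/* to API_HOST, so the browser only ever talks to the Deck host, and the IAP check on that one load balancer backend covers UI and API traffic alike:

```yaml
# Added example: ~/.hal/default/service-settings/deck.yml
# Assumptions: namespace "spinnaker", Gate on port 8084 (Halyard defaults).
env:
  # In-cluster address of Gate; Deck's nginx forwards /gate/* here.
  # Never use a public Gate URL: traffic must stay inside the cluster so
  # the only externally reachable path to Gate is through the IAP-protected Deck backend.
  API_HOST: http://spin-gate.spinnaker:8084
```

After "hal deploy apply", point the API base URL at the proxied path rather than at a second host (hal config security api edit --override-base-url https://spinnaker.domain.com/gate, with the UI base URL set to https://spinnaker.domain.com). One caveat worth checking: the IAP audience you configure in hal must be the backend service ID of the load balancer backend in front of Deck, since that is the backend whose JWT assertion header arrives at Gate via the proxy.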
#9

Worked like a charm, thank you!

#10

This was the next thing I was about to look at – since with IAP there’s not [yet] a way to whitelist/bypass paths like the ones needed for webhooks. You just exposed the webhooks path in a separate ingress that bypasses IAP, is that correct?

Where the spin-gate NodePort service has IAP disabled (no BackendConfig) and spin-deck has a BackendConfig enabling IAP.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker
spec:
  rules:
    - host: spinnaker.domain.com
      http:
        paths:
          - backend:
              serviceName: spin-deck
              servicePort: 9000
            path: /*
          - backend:
              serviceName: spin-gate
              servicePort: 8084
            path: /webhooks/*
          - backend:
              serviceName: spin-gate
              servicePort: 8084
            path: /health
  tls:
    - hosts:
        - spinnaker.domain.com
      secretName: <redacted>

Update – You have to manually edit the GLB health check to /health and expose it as well, using the Ingress above.
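The post above says IAP is switched on per backend through a BackendConfig on spin-deck and left off for spin-gate. As an added example (not posted in the thread, and not Spinnaker's or GKE's own documentation), this is what that pairing looks like, assuming the spinnaker namespace, a Secret named iap-oauth-client holding the OAuth client_id and client_secret keys that IAP expects, and the app=spin / cluster=spin-deck pod labels that Halyard applies:

```yaml
# Added example: IAP on the Deck backend only.
# Assumptions: namespace "spinnaker", Secret "iap-oauth-client" with keys
# client_id and client_secret, Halyard's default pod labels.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: spin-deck-iap
  namespace: spinnaker
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth-client
---
apiVersion: v1
kind: Service
metadata:
  name: spin-deck
  namespace: spinnaker
  annotations:
    # Binds the IAP BackendConfig to every port of this service.
    cloud.google.com/backend-config: '{"default": "spin-deck-iap"}'
spec:
  type: NodePort
  selector:
    app: spin
    cluster: spin-deck
  ports:
    - port: 9000
      targetPort: 9000
```

The spin-gate Service deliberately carries no backend-config annotation, so requests matching /webhooks/* and /health reach Gate with no IAP session and no JWT assertion header; Gate must therefore treat them as anonymous, which is what the open webhook endpoints are designed for. Two checks are worth running after applying this: an unauthenticated GET to https://spinnaker.domain.com/gate/applications should redirect to accounts.google.com, while a POST to a configured webhook path should not, and the Gate load balancer health check must be edited to /health, as the update above notes, or the backend stays unhealthy and every /webhooks/* call returns 502.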

#11

well, we are using a proxy that forwards the traffic directly to the internal LB or service.