Spinnaker Authentication with Keycloak

-

Spinnaker Authentication with Keycloak

In my previous story I explained how I deployed Spinnaker onto Kubernetes and enabled public access via ingress. In this short story I’m going to explain how I secure Spinnaker by enabling authentication with Keycloak.
For this demo I used Kubernetes running on my Mac and also I’m not going to explain OAuth 2.0, OpenID Connect, all the features of Keycloak.

Keycloak

Keycloak is an Open Source software for Identity and Access Management. It is developed on the top of Wildfly server. It provides support for standard protocols like OpenID Connect, OAuth 2.0, and SAML.

Authentication

Spinnaker authentication involves three main components. They are,
  1. Deck : Sinnaker UI. That is what you see when you access spinnaker.
  2. Gate: API gateway for Spinnaker. All the requests go through the Gate and check whether the request is coming from authenticated user.
  3. Identity Provider: In our case this is Keycloak.
Spinnaker Authentication flow
There are several option that we can configure our identity provider.
For this, we are going to use OAuth 2.0/OIDC.

Configure Keycloak

For this demo, I’m going to use Master realm. First, we have to create a Client for Spinnaker. The client is a trusted browser app or service.
Client for Spinnaker
When we create a client we have to give a unique id for the client. Then we have to select openid-connect as Client protocol. Root URL should be our Spinnaker URL. When we click save, we will get a lot of other options to configure. Then we have to configure a Valid Redirect URI. This is the URI that Keycloak redirects users when the authentication is completed successfully. This should be our Spinnaker gate public URI.
Client Valid Redirect URI
Then we have to change the Access Type to confidential. When we save this we will get new tab called Credentials. What is important here is the Secret. Keycloak use this secret to verify this client. Later when we configure Spinnaker we are going to use this as its secret.
Client credentials tab

Crate User

Our next step is to create a user to login to the Spinnaker. In order to do that click Users tab in Manage section. Then click Add user button. Fill all the necessary details.
Add User page
When you save the user you will get a new tab called Credentials. Enter a new password for this user then click Reset Password button.
Password reset page

Configure Spinnaker

To enable authentication we are going to add some configuration to Spinnaker Gate. In Halyard, we can create a custom profile for Spinnaker and provide custom configurations. For this demo I’m going to use default profile. You can find that in $HOME/.hal/default/profiles directory In order to add a custom configuration to Gate we have to create a file called gate-local.yml in Halyard default profile. The configuration file looks like below.
Key important things in this configuration are,
  • clientId : That is the client id that we gave when we created Spinnaker client in Keycloak
  • clientSecret : This is the secret generated by Keycloak for Spinnaker client.
  • userAuthorizationUri : Keycloak user authorization URI.
  • accessTokenUri : Keycloak token URI
  • userInfoUri : Keycloak user info URI

UserInfoMapping

The userInfoMapping field in the configuration is used to map the names of fields from the userInfoUri request to Spinnaker-specific fields. Keycloak user profile looks like this,
{
  "preferred_username": "Kasun",
  "email": "kasun@mail.com",
  "given_name": "Kasun",
  "family_name": "Ranasinghe"
}
Our userInfoMapping should look like:
userInfoMapping:
  email: email
  firstName: given_name
  lastName: family_name
  username: preferred_username
After that, we can apply this configuration.
hal deploy apply
When we access Spinnaker we will be redirected to Keylocak login page.
Keycloak login page
When we enter login details of the user we created we will be redirected to Spinnaker home page. In Spinnaker we can see the username of the logged in user next to the search field.
All the actions performed in the Spinnaker will be recorded against logged in user. For example, if we execute a pipeline, the username of the user who executed this pipeline, will be displayed against that.
Pipeline executed by logged in user
There are many ways to enable authentication in Spinnaker. My effort here was to demonstrate a way by using Keycloak. The importance of using Keycloak is we use our own hosted Identity provide in place of Identity provider managed by another. And also we will be unable to use providers such as Google Apps for Work / G Suite ,GitHub, Azure due to company policies.

Comments

Post a Comment

Popular posts from this blog

Docker sizing Java application

-
Image
Many developers put java in docker yet they face many issues from development to running containers. Docker sizing Java application As  a Java developer, I faced many issues when dockerizing and running java applications. Running dockrized java application When we start our development we used java 8 as our runtime environment. We ran jars as separate processes (yes using java -jar ) in VM, at that time there was no requirement to dockerize applications and everything worked without any major issues. Later we experienced the need for dockerizing applications. Then we faced many performance issues. Our initial docker environment was just docker containers running in a VM without any container orchestration. When we compared dockerized application with normal java application, the performance of dockerized application was not good. When we set the memory limits for docker application, most of the applications threw  java.lang.OutOfMemoryError: Java heap space .   When we inves
Read more

Four Event Driven Patterns

-
Image
In this story I would like to explain my understanding of the Event Driven Architecture(EDA) and its patterns. I was assigned to introduce the CQRS pattern in my previous company. That is how I got to know about EDA. EDA comes with a lot of concepts like  Events, Commands, Event sourcing, Aggreate, Evet Reaplay  etc.. . I’ll briefly explain what EDA is and what common patterns are. Event Driven Architecture(EDA) EDA is producing, captureing , processing and persisting of Events . The concept of the EDA is not new. When we talk about EDA, we can identify two types of objects, those are  Event  and  Command.  We cannot do a proper implementation without knowing these two. Command Command is a request to a system to do something and sometimes expects a response for that. Command is very specific and it has a known destination. That means we know what is going to process and who is going to execute our command. Let’s take an Ordering System as an example. When we want to
Read more