Spinnaker Authentication with Cloud IAP

Damian Myerscough
3 min read · Jun 23, 2019


After setting up a private GKE cluster and deploying Spinnaker, I wanted to allow developers to access the Spinnaker web interface without having to use SSH tunnels. What’s wrong with SSH tunnels? Well, they tend to generate support overhead and not every developer wants to set up an SSH tunnel.

Since we are running Spinnaker within Google Cloud Platform, we decided to leverage Google’s Identity-Aware Proxy (IAP). This is an amazing service provided by Google that allows you to expose your web applications on the Internet while providing a high level of security with minimal configuration. “Cloud IAP works by verifying user identity and context of the request to determine if a user should be allowed to access an application or a VM” [1].

Configuring Spinnaker’s Ingress

When using the Spinnaker helm chart, you may notice that within the values.yaml there are two ingress definitions, one for Gate (API Gateway) and one for Deck (UI). Since we are using IAP to configure authentication, I strongly recommend configuring one ingress controller. I used the following Kubernetes definition to configure one ingress controller for both Gate and Deck.
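As an added illustration (not the author’s own manifest), here is the shape such a single Ingress takes on GKE: one resource, two backends, so one HTTPS load balancer and therefore one place to switch IAP on for both the UI and the API. It assumes the chart’s services are named spin-deck (port 9000) and spin-gate (port 8084) in the spinnaker namespace; the host names, static IP name and TLS secret name are placeholders.

```yaml
# Added example, not the page author's manifest. Assumed service names and
# ports: spin-deck:9000 (UI) and spin-gate:8084 (API), namespace "spinnaker".
# extensions/v1beta1 matches the Kubernetes versions GKE shipped in mid-2019.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker
  namespace: spinnaker
  annotations:
    kubernetes.io/ingress.class: "gce"
    # Placeholder: a reserved global static IP, so DNS can be set up once.
    kubernetes.io/ingress.global-static-ip-name: "spinnaker-ip"
    # IAP only protects HTTPS traffic; do not expose a plain-HTTP listener.
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  - secretName: spinnaker-tls   # placeholder: TLS cert covering both hosts
  rules:
  # Deck (UI): what developers open in the browser.
  - host: spinnaker.example.com
    http:
      paths:
      - path: /*
        backend:
          serviceName: spin-deck
          servicePort: 9000
  # Gate (API): called by Deck from the browser, so it must sit behind the
  # same load balancer and get its own IAP-protected backend service.
  - host: spinnaker-api.example.com
    http:
      paths:
      - path: /*
        backend:
          serviceName: spin-gate
          servicePort: 8084
```

Deck and Gate must also be told their public URLs (`hal config security ui edit --override-base-url` and `hal config security api edit --override-base-url`) so that the UI calls the API through the load balancer rather than an internal address. Each backend shows up in the IAP console as its own entry, which is why the next section enables the switch for both spin-deck and spin-gate.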

When the above Kubernetes Ingress definition is applied to your cluster, a Google Cloud HTTP(S) load balancer is created for it.

Configuring IAP

After you have applied the ingress controller to your Kubernetes cluster, you will need to open the Google Cloud Console and navigate to the “Identity-Aware Proxy” under the “IAM & admin” tab.

You should see your ingress controller under the “HTTPS Resources” as shown below.

Identity-Aware Proxy — Spinnaker Ingress

Click the IAP switch for both spin-deck and spin-gate; this enables IAP protection for both services. Once you have enabled IAP protection, you need to get an audience token, which can be retrieved by clicking on the horizontal dots and selecting “Signed Header JWT Audience”.

IAP JWT Audience Token

Copy the audience token for your Spinnaker configuration.

Configure IAP in Spinnaker

Now that we have the audience token, exec into the Halyard pod to configure Spinnaker. When you are in the Halyard pod, you can execute the following commands to enable IAP.

$ hal config security authn iap edit --audience /projects/XX/global/backendServices/YY
$ hal config security authn iap enable
$ hal deploy apply

After your final command, Halyard deploys the new configuration for IAP and restarts the appropriate pods.

Testing

When you have configured Spinnaker with the IAP audience token, you are ready for some testing! Navigate to your Spinnaker instance. This should redirect you to Google asking you to permit IAP access; once complete, you should be able to log in to Spinnaker.

Spinnaker UI

If you do not receive the Spinnaker login screen but receive a message “You don’t have access”, check that your user has been given “IAP-secured Web App User” access [2] within the project.

[1] https://cloud.google.com/iap/

[2] https://cloud.google.com/iap/docs/managing-access
