spinnaker: [gate] SSL w/ apiPort and ssl: enabled causes tomcat to start 2 https ports
Starting gate with a gate-local.yml file that has an `apiPort` and `ssl: enabled` setting causes gate to start with 2 https ports (instead of one for `apiPort` and the other on http).
Environment
Kubernetes on AWS
Feature Area
Gate SSL
Description
Based on the docs from Armory.io and Spinnaker’s Authentication section, I expect my default.apiPort
setting to start an SSL port, and leave 8084 as HTTP. (We terminate SSL at an AWS ELB, forwarding to 8084).
Steps to Reproduce
Given this gate-local.yml file:

```yaml
default:
  apiPort: 8085
x509:
  enabled: true
server:
  port: '8084' # we don't actually use this, we use the legacy port to get a non-ssl port. This is just to enable ssl on 8084 since spinnaker docs seem to lie about this
  address: '0.0.0.0'
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
  ssl:
    enabled: true
    keyStore: /opt/spinnaker/config/keystore.jks
    keyStorePassword: "{redacted}"
    keyAlias: server
    trustStore: /opt/spinnaker/config/keystore.jks
    trustStorePassword: "{redacted}"
    clientAuth: want
```
It starts an SSL listener for both 8084 and 8085, as printed by Tomcat logs:
Tomcat started on port(s): 8084 (https) 8085 (https)
My workaround is to use the undocumented field `legacyServerPort` and set it to 8084:
```yaml
default:
  apiPort: 8085
  legacyServerPort: 8084
x509:
  enabled: true
server:
  port: '9001' # we don't actually use this at this point but we get port collisions if it's 8084
```
This solves the problem:
Tomcat started on port(s): 9001 (https) 8084 (http) 8085 (https)
This page is what I followed for the expected behavior: https://www.spinnaker.io/setup/security/authentication/x509/

> You can move the client certificate-enabled port by setting default.apiPort value to something other than 8084. This enables an additional port configuration that is hardcoded to need a valid X.509 certificate before allowing the request to proceed.
The 3rd party, Armory.io, also expects this in a guide: https://docs.armory.io/install-guide/auth/#x509
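As an added example (not part of the original issue and not Spinnaker or Gate code): a small Python check that parses the `Tomcat started on port(s):` summary line and compares it against the listeners the operator actually needs, so a rollout can fail fast when a port that the ELB forwards plaintext to has come up as TLS. The two sample lines are the Tomcat messages quoted above. The function names (`parse_tomcat_ports`, `expected_listeners`, `check_listeners`) are mine, and the port-to-scheme rule in `expected_listeners` is an assumption inferred only from the behaviour reported in this issue (`apiPort` always https, `legacyServerPort` always http, `server.port` following `server.ssl.enabled`), not from Gate's source.

```python
import re
from typing import Dict, List

# Sample lines, copied from the two Tomcat startup messages quoted in this issue
# (constructed input for this example; nothing here was captured from a live Gate).
BROKEN_LINE = "Tomcat started on port(s): 8084 (https) 8085 (https)"
FIXED_LINE = "Tomcat started on port(s): 9001 (https) 8084 (http) 8085 (https)"

_MARKER = "Tomcat started on port(s):"
_PORT_RE = re.compile(r"(\d{1,5}) \((https?)\)")


def parse_tomcat_ports(line: str) -> Dict[int, str]:
    """Map each listener in a Tomcat port summary line to its scheme ('http'/'https').

    Works on a full log line with a timestamp/logger prefix and a trailing
    "with context path ''" as well as on the bare message.
    """
    idx = line.find(_MARKER)
    if idx < 0:
        raise ValueError("not a Tomcat port summary line: %r" % line)
    return {int(port): scheme for port, scheme in _PORT_RE.findall(line[idx + len(_MARKER):])}


def expected_listeners(gate_cfg: dict) -> Dict[int, str]:
    """Predict the port -> scheme map a gate-local.yml (already parsed into a dict) produces.

    ASSUMPTION: the rule below is inferred from the behaviour reported in this issue,
    not from Gate's source:
      - default.apiPort           -> always https (the hardcoded X.509 client-cert port)
      - default.legacyServerPort  -> always http
      - server.port               -> https if server.ssl.enabled, else http
    """
    default = gate_cfg.get("default", {})
    server = gate_cfg.get("server", {})
    expected: Dict[int, str] = {}
    if "port" in server:
        tls = bool(server.get("ssl", {}).get("enabled", False))
        expected[int(server["port"])] = "https" if tls else "http"
    if "apiPort" in default:
        expected[int(default["apiPort"])] = "https"
    if "legacyServerPort" in default:
        expected[int(default["legacyServerPort"])] = "http"
    return expected


def check_listeners(wanted: Dict[int, str], line: str) -> List[str]:
    """Compare what Tomcat reported against what the operator needs.

    Returns human-readable problems; an empty list means the listeners match.
    A port serving the wrong scheme is the case that matters here: an ELB that
    forwards plaintext to a port that came up as https gets handshake failures,
    not traffic. Extra listeners are reported too, since each one is attack surface.
    """
    actual = parse_tomcat_ports(line)
    problems: List[str] = []
    for port, scheme in wanted.items():
        if port not in actual:
            problems.append("port %d not listening" % port)
        elif actual[port] != scheme:
            problems.append("port %d is %s, wanted %s" % (port, actual[port], scheme))
    for port, scheme in actual.items():
        if port not in wanted:
            problems.append("unexpected listener on %d (%s)" % (port, scheme))
    return problems


if __name__ == "__main__":
    # The operator's intent from the issue: ELB -> 8084 plaintext, 8085 for X.509 clients.
    wanted = {8084: "http", 8085: "https"}
    for name, line in (("original config", BROKEN_LINE), ("legacyServerPort workaround", FIXED_LINE)):
        print(name, "->", check_listeners(wanted, line) or "OK")
```

Run against the two lines from the issue, the original config is flagged because 8084 is https, and the workaround is clean for 8084/8085 but still reports the unused 9001 listener, which is the leftover `server.port` the author mentions not using.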
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 5
- Comments: 19
Commits related to this issue
- Use healthEndpoint if defined when transforming a server port If a custom healthEndpoint is defined it should be used otherwise k8s will never mark the node as ready. I encountered this bug with the... — committed to dmichel1/spinnaker-operator by dmichel1 3 years ago
Note: Replace `default` with whatever the name of your current profile is. In most cases it is `default`, but just be aware to not blindly copy-pasta this.

For anyone else getting tripped up on this, what you want is

`~/.hal/default/profiles/gate-local.yml`

`~/.hal/default/service-settings/gate.yml`

Then Tomcat will start with

Tomcat started on port(s): 9002 (https) 8084 (http) 8085 (https)

Everything else should be configured with the appropriate `hal config` command. Filenames in `gate-local.yml` or similar will NOT be translated when you run `hal deploy apply` and you will get `FileNotFoundException` in your logs. When you inform halyard of files via `hal config` it will drop those files into `/home/spinnaker/.hal/default/staging/dependences` (or whatever profile name you have in place of `default`) and then update the file paths in your main config YAML file to account for this `dependency` directory. `*-local.yml` files are literally just dropped into `/opt/spinnaker/config` as-is with no updates. e.g.

Hope that helps.