spinnaker: X.509 (with SAML enabled) breaks between Spinnaker upgrades (between 1.13.11 to 1.14.X+)

Issue Summary:

When Spinnaker is upgraded from version 1.13.11 to 1.14.XX or 1.15.0 - X.509 stops working. When using roer, I’m able to see the SAML login page. Same behavior happens with Spin CLI.

Cloud Provider(s):

Environment:

Distributed Spinnaker version 1.15.0, running on GKE, with Cloud Memorystore and Cloud SQL. Halyard version is 1.20.1.

SAML enabled. SSL is offloaded in Gate and Deck, not in load balancers.

Feature Area (if this issue is UI/UX related, please tag @spinnaker/ui-ux-team):

Authentication (SAML / X.509)

Description:

I’d expect X.509 to work on newer (1.14.X, 1.15.X) versions of Spinnaker as it does with 1.13.11, or to have instructions on what to reconfigure (on Gate, probably?).

Steps to Reproduce:

  1. Working setup: Spinnaker 1.13.11 with SAML and X.509 enabled. X.509 access works with both roer and the Spin CLI.
  2. Upgrade Spinnaker to version 1.14.<latest> or 1.15.0 and try “roer -v app list”. Observe that roer gets a SAML login page.

Additional Details:

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 18 (1 by maintainers)

Most upvoted comments

This is exactly what we encountered. X.509 breaks on 1.14+ when SAML is enabled. All API calls to spin-gate using an X.509 cert are redirected to the SSO login URL.

Confirmed. We did the same thing. Default server port and API port are both HTTPS. CI/CD tools use the API port and human web browsers go to the default server port. All working. WOOT! Thanks @iniinikoski

@iniinikoski our spin-gate currently only has the HTTPS port open. When we first set it up, we tried to open 2 ports: HTTP for traffic from the load balancer (human users that use a browser + SSO), and HTTPS for traffic with an X.509 cert (other CI/CD tools), but somehow we couldn’t get it to work correctly. We tried many combinations of port configuration but none of them worked as expected.

Anyway, so our spin-gate right now only has an HTTPS listener. Traffic from the browser goes to an AWS ALB, the ALB terminates SSL there and makes another HTTPS connection to spin-gate. Without an X.509 cert, these connections are redirected to our SSO provider, which is expected.

CI/CD tools send HTTPS requests with an X.509 cert directly to spin-gate (spin-gate and those CI/CD tools are all in the same namespace, and we use spingate.namespace.svc as the endpoint). It works fine with Spinnaker 1.13, but started breaking with 1.14 (in the spin-gate log, we can see those connections being redirected to the SSO provider).
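The symptom these last comments describe (an API call carrying a client certificate answered with a redirect to the SSO login page instead of a 2xx) can be checked from the CI namespace with a small probe like the one below, which also distinguishes an accepted certificate from a rejected one. This is an added example, not code from the issue thread or from Spinnaker; the Gate service name, the API port number, the `/applications` path and the certificate file paths are assumptions to replace with your own.

```shell
# Added example, not code from the issue thread or from Spinnaker.
# Service name, API port, request path and certificate paths are assumptions;
# override them through the environment.
GATE_HOST="${GATE_HOST:-spin-gate.spinnaker.svc}"   # assumed in-cluster service name
GATE_API_PORT="${GATE_API_PORT:-8085}"              # assumed X.509 API port
CLIENT_CERT="${CLIENT_CERT:-client.pem}"            # assumed PEM file with cert and key
CA_BUNDLE="${CA_BUNDLE:-gate-ca.pem}"               # assumed CA that signed Gate's cert

# classify_gate_response HEADERS
# Takes raw response headers (what `curl -D -` prints) and prints one word:
#   saml-redirect  the caller was sent to the SAML/SSO login page (the bug)
#   authenticated  2xx, the client certificate was accepted
#   unauthorized   401/403, a certificate was seen but not accepted
#   other          anything else, inspect the headers by hand
classify_gate_response() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
  location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
  case "$status" in
    2??) echo authenticated ;;
    401|403) echo unauthorized ;;
    30?)
      case "$location" in
        *saml*|*SAML*|*sso*|*SSO*|*login*) echo saml-redirect ;;
        *) echo other ;;
      esac ;;
    *) echo other ;;
  esac
}

# probe_gate PORT [CERT]
# GET /applications on the given Gate port, presenting the client cert when one
# is given, and classify the answer. Needs network access, so the test skips it.
probe_gate() {
  port=$1
  cert=$2
  if [ -n "$cert" ]; then
    hdrs=$(curl -sS -o /dev/null -D - --cacert "$CA_BUNDLE" --cert "$cert" \
      "https://$GATE_HOST:$port/applications")
  else
    hdrs=$(curl -sS -o /dev/null -D - --cacert "$CA_BUNDLE" \
      "https://$GATE_HOST:$port/applications")
  fi
  classify_gate_response "$hdrs"
}

# With the two-port setup from the comments above, a healthy Gate answers:
#   probe_gate "$GATE_API_PORT" "$CLIENT_CERT"   -> authenticated
#   probe_gate 8084                              -> saml-redirect (browser port, no cert)
```

Run the cert probe against the API port before and after an upgrade; a change from `authenticated` to `saml-redirect` is the regression reported in this issue.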