---
layout: single
title: Authentication
sidebar:
---
{% include toc %}
Spinnaker's authentication mechanism supports a variety of login sources. There are a lot of moving parts involved in getting this to work just right. Here are some of the basics, and the tools that make the setup easier to configure and test.
There are three basic systems involved in Spinnaker's authentication workflow: your identity provider, Gate, and Deck. Configuration changes are made primarily to your identity provider or to Gate. Deck itself does not require changes, but it is useful to understand how all three parts interact.
<div class="mermaid">
graph LR
  deck(Deck/Browser)
  gate(Gate)
  idp(Identity Provider)
  deck-->gate
  gate-->deck
  deck-->idp
  idp-->deck
</div>
- Deck: Spinnaker's UI. Consists of a set of static HTML, JavaScript, and CSS files. Generally served from an Apache server, but there is nothing special about Apache that makes Deck work; replace it with your favorite HTTP(S) server if you'd like. Because Deck is a Single Page Application (SPA), it is the JavaScript running in the browser that does the communication with your identity provider. Which identity provider is used is determined by Gate.
- Gate: Spinnaker's API gateway. All traffic (including traffic generated from Deck) flows through Gate. It is the point at which authentication is confirmed, and one point (of several) where authorization is enforced.
- Identity Provider: Your organization's OAuth 2.0, SAML 2.0, or LDAP service. X.509 client certificates can be used in addition to any of these services, or on their own.
Getting the authentication working rarely happens on the first try. Each login attempt during configuration (or development) causes a new session to be established in Gate's session repository. Re-using these sessions is undesirable when testing configuration changes.
We highly recommend using Google Chrome's Incognito mode when working with configuration changes:
1. Open a new Incognito window.
2. Navigate to your Spinnaker's Deck endpoint.
3. Observe the behavior and make a configuration change. Restart the affected Spinnaker service.
4. Close the Incognito window.
5. Repeat from step 1.
A common pitfall with Incognito windows is that all open Incognito windows share the same cookie jar. When you want to test a new configuration change, you must close all Incognito windows, not just the one you were using; otherwise the session cookie is not deleted and Gate will re-use the old session.
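The same fresh-session discipline can be scripted against Gate directly with curl, which makes it repeatable and removes the browser's cookie jar from the picture entirely. This is an added example, not code from the Spinnaker documentation or project. It assumes `GATE_URL` is a placeholder you point at your own Gate, that `/auth/user` is Gate's current-user endpoint, and that the session cookie is named `SESSION` (the Spring Session default).

```shell
#!/bin/sh
# Added example (not part of Spinnaker): probe Gate's authentication state with
# a brand-new cookie jar on every run, so each attempt starts a fresh session,
# the curl equivalent of closing every Incognito window first.
#
# Assumptions: GATE_URL is a placeholder for your Gate endpoint; /auth/user is
# Gate's current-user endpoint; the session cookie is named SESSION (the Spring
# Session default).

# summarize_headers: read one raw HTTP response header block on stdin and print
# a single line: status=<code> location=<url|none> session_cookie=<yes|no>
#   status 200             -> Gate accepted an existing session
#   status 302 + Location  -> Gate is bouncing the client to the IdP/login page
#   session_cookie=yes     -> Gate minted a new session for this attempt
summarize_headers() {
  hdrs=$(tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
  if printf '%s\n' "$hdrs" | grep -qi '^set-cookie: *SESSION='; then
    session=yes
  else
    session=no
  fi
  printf 'status=%s location=%s session_cookie=%s\n' "$status" "${location:-none}" "$session"
}

# probe_gate: one login attempt against Gate with a throwaway cookie jar.
# Deliberately no -L: the first redirect shows which IdP Gate is configured for.
probe_gate() {
  jar=$(mktemp)
  curl -sS -o /dev/null -D - -c "$jar" -b "$jar" "$GATE_URL/auth/user" | summarize_headers
  rm -f "$jar"
}

# Only touch the network when a Gate URL was actually supplied.
if [ -n "${GATE_URL:-}" ]; then
  probe_gate
fi
```

Run it as `GATE_URL=https://gate.example.com sh probe.sh` (the hostname is a placeholder). A `status=200` on a supposedly fresh run means a session is being re-used somewhere, which is exactly the condition the Incognito procedure above is meant to avoid; a `302` with a `Location` pointing at your identity provider confirms Gate picked up the new configuration.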
{% include mermaid %}
- Methods
  - OAuth 2.0/OIDC - The main examples are Google and GitHub endpoints.
  - SAML - There are many examples of this; one of the most prevalent is Okta.
  - LDAP - Covers Active Directory and other LDAP servers, such as OpenLDAP.
  - X.509 - Often used for client or application (non-browser) communications. Can operate in conjunction with other authentication methods.
- Set up Authorization.
- Learn how to configure Spinnaker to communicate over SSL.