Security Config
This page describes
spec.spinnakerConfig.config.security
.spec.spinnakerConfig.config.security
Configure Spinnaker’s security. This includes external SSL, authentication mechanisms, and authorization policies.
security:
apiSecurity:
uiSecurity:
authn:
authz:
apiSecurity
uiSecurity
authn
authz
API
spec.spinnakerConfig.config.security.apiSecurity
apiSecurity:
ssl:
enabled:
keyAlias:
keyStore:
keyStoreType:
keyStorePassword:
trustStore:
trustStoreType:
trustStorePassword:
clientAuth:
overrideBaseUrl:
corsAccessPattern:
ssl
:overrideBaseUrl
: If you are accessing the API server remotely, provide the full base URL (including protocol) of whatever proxy or load balancer is fronting the API requests.corsAccessPattern
:^.*$
If you have authentication enabled, are accessing Spinnaker remotely, and are logging in from sources other than the UI, provide a regex matching all URLs authentication redirects may come from.
SSL parameters
enabled
: true or false.keyAlias
: Name of your keystore entry as generated with your keytool.keyStore
: Path to the keystore holding your security certificates. File needs to be present on the machine running Spinnaker. Supports encrypted file.keyStoreType
: The type of your keystore. Examples include JKS, and PKCS12.keyStorePassword
: The password to unlock your keystore. Due to a limitation in Tomcat, this must match your key’s password in the keystore. Supports encrypted value.trustStore
: Path to the truststore holding your trusted certificates. File needs to be present on the machine running Spinnaker. Supports encrypted file.trustStoreType
: The type of your truststore. Examples include JKS, and PKCS12.trustStorePassword
: The password to unlock your truststore. Supports encrypted value.clientAuth
: DeclareWANT
when client auth is wanted but not mandatory orNEED
when client auth is mandatory.
Authentication
spec.spinnakerConfig.config.security.authn
authn:
oauth2:
saml:
ldap:
x509:
iap:
enabled
: true or false.oauth2
:saml
:ldap
:x509
:iap
OAUTH2
spec.spinnakerConfig.config.security.authn.oauth2
oauth2:
enabled:
client:
clientId:
clientSecret:
accessTokenUri:
userAuthorizationUri:
clientAuthenticationScheme:
scope:
preEstablishedRedirectUri:
useCurrentUri:
userInfoRequirements:
resource:
userInfoUri:
userInfoMapping:
email:
firstName:
lastName:
username:
provider:
enabled
: true or false.client
:clientId
: The OAuth client ID you have configured with your OAuth provider.clientSecret
: The OAuth client secret you have configured with your OAuth provider. Supports encrypted value.accessTokenUri
: The access token uri for your OAuth provider.userAuthorizationUri
: The user authorization uri for your OAuth provider.clientAuthenticationScheme
: The client authentication scheme for your OAuth provider.scope
: The scope for your OAuth provider, e.g.user:email
preEstablishedRedirectUri
: The externally accessible URL for Gate. For use with load balancers that do any kind of address manipulation for Gate traffic, such as an SSL terminating load balancer.useCurrentUri
: false
userInfoRequirements
: {} The map of requirements the userInfo request must have. This is used to restrict user login to specific domains or having a specific attribute. Use equal signs between key and value, and additional key/value pairs need to repeat the flag. Example: ‘–user-info-requirements foo=bar –userInfoRequirements baz=qux’.resource
:userInfoUri
: The user info uri for your OAuth provider.
userInfoMapping
:email
: The email field returned from your OAuth provider.firstName
: The first name field returned from your OAuth provider.lastName
: The last name field returned from your OAuth provider.username
: The username field returned from your OAuth provider.
provider
: One ofazure
,github
,oracle
,other
,google
SAML
spec.spinnakerConfig.config.security.authn.saml
saml:
enabled:
metadataLocal:
metadataRemote:
issuerId:
keyStore:
keyStorePassword:
keyStoreAliasName:
serviceAddress:
userAttributeMapping:
firstName:
lastName:
roles:
lastName:
username:
email:
enabled
: true or false.metadataLocal
: The address to your identity provider’s metadata XML file. File needs to be present on the machine running Spinnaker. Supports encrypted file.metadataRemote
: The address to your identity provider’s metadata XML file. This is a URL.issuerId
: The identity of the Spinnaker application registered with the SAML provider.keyStore
: Path to the keystore that contains this server’s private key. This key is used to cryptographically sign SAML AuthNRequest objects. File needs to be present on the machine running Spinnaker. Supports encrypted file.keyStorePassword
: The password used to access the file specified in –keystore. Supports encrypted value.keyStoreAliasName
: The name of the alias under which this server’s private key is stored in the –keystore file.serviceAddress
: The address of the Gate server that will be accesible by the SAML identity provider. This should be the full URL, including port, e.g. https://gate.org.com:8084/. If deployed behind a load balancer, this would be the load balancer’s address.userAttributeMapping
:firstName
: The first name field returned from your SAML provider.lastName
: The last name field returned from your SAML provider.roles
: The roles field returned from your SAML provider.lastName
: The last name field returned from your SAML provider.username
: aThe username field returned from your SAML provider.email
: The email field returned from your SAML provider.
LDAP
spec.spinnakerConfig.config.security.authn.ldap
ldap:
enabled:
url:
userDnPattern:
userSearchBase:
userSearchFilter:
managerDn:
managerPassword:
groupSearchBase:
enabled
: true or false.url
: ldap:// or ldaps:// url of the LDAP serveruserDnPattern
: The pattern for finding a user’s DN using simple pattern matching. For example, if your LDAP server has the URL ldap://mysite.com/dc=spinnaker,dc=org, and you have the pattern ‘uid={0},ou=members’, ‘me’ will map to a DN uid=me,ou=members,dc=spinnaker,dc=org. If no match is found, will try to find the user using user-search-filter, if set.userSearchBase
: The part of the directory tree under which user searches should be performed. If user-search-base isn’t supplied, the search will be performed from the root.userSearchFilter
: The filter to use when searching for a user’s DN. Will search either from user-search-base (if specified) or root for entires matching the filter, then attempt to bind as that user with the login password. For example, the filter ‘uid={0}’ would apply to any user where uid matched the user’s login name. If –user-dn-pattern is also specified, will attempt to find a match using the specified pattern first, before searching with the specified search filter if no match is found from the pattern.managerDn
: An LDAP manager user is required for binding to the LDAP server for the user authentication process. This property refers to the DN of that entry. I.e. this is not the user which will be authenticated when logging into DHIS2, rather the user which binds to the LDAP server in order to do the authentication.managerPassword
: The password for the LDAP manager user.groupSearchBase
: The part of the directory tree under which group searches should be performed.
x509
spec.spinnakerConfig.config.security.authn.x509
x509:
enabled:
roleOid:
subjectPrincipalRegex:
enabled
: true or false.roleOid
: The OID that encodes roles that the user specified in the x509 certificate belongs tosubjectPrincipalRegex
:EMAILADDRESS=(.*?)(?:,|$)
The regex used to parse the subject principal name embedded in the x509 certificate if necessary
IAP
spec.spinnakerConfig.config.security.authn.iap
iap:
enabled:
jwtHeader:
issuerId:
audience:
iapVerifyKeyUrl:
enabled
: true or false.jwtHeader
: The HTTP request header that contains the JWT token.issuerId
: The Issuer from the ID token payload.audience
: The Audience from the ID token payload. You can retrieve this field from the IAP console.iapVerifyKeyUrl
: The URL containing the Cloud IAP public keys in JWK format.
Authorization
spec.spinnakerConfig.config.security.authz
authz:
enabled:
groupMembership:
enabled
: true or false.groupMembership
:
Group Membership
groupMembership:
service:
google:
roleProviderType: GOOGLE
credentialPath:
adminUsername:
domain:
github:
roleProviderType: GITHUB
baseUrl:
accessToken:
organization:
file:
roleProviderType: FILE
path:
ldap:
roleProviderType: LDAP
url:
managerDn:
managerPassword:
userDnPattern:
userSearchBase:
groupSearchBase:
userSearchFilter:
groupSearchFilter:
groupRoleAttributes:
service
: One ofEXTERNAL
,FILE
,GOOGLE
,GITHUB
,LDAP
google
:roleProviderType
:GOOGLE
credentialPath
: A path to a valid json service account that can authenticate against the Google role provider. File needs to be present on the machine running Spinnaker. Supports encrypted file.adminUsername
: Your role provider’s admin username e.g. admin@myorg.netdomain
: The domain your role provider is configured for e.g. myorg.net.
github
:roleProviderType
:GITHUB
baseUrl
: Used if using GitHub enterprise some other non github.com GitHub installation.accessToken
: A personal access token of an account with access to your organization’s GitHub Teams structure. Supports encrypted value.organization
: The GitHub organization under which to query for GitHub Teams.
file
:roleProviderType
:FILE
path
: A path to a file describing the roles of each user.
ldap
:roleProviderType
:LDAP
url
: ldap:// or ldaps:// URL of the LDAP servermanagerDn
: The manager user’s distinguished name (principal) to use for querying ldap groups.managerPassword
: The manager user’s password to use for querying ldap groups. Supports encrypted value.userDnPattern
: The pattern for finding a user’s DN using simple pattern matching. For example, if your LDAP server has the URL ldap://mysite.com/dc=spinnaker,dc=org, and you have the pattern ‘uid={0},ou=members’, ‘me’ will map to a DN uid=me,ou=members,dc=spinnaker,dc=org. If no match is found, will try to find the user using –user-search-filter, if set.userSearchBase
: The part of the directory tree under which user searches should be performed. If –user-search-base isn’t supplied, the search will be performed from the root.groupSearchBase
: The part of the directory tree under which group searches should be performed.userSearchFilter
: The filter to use when searching for a user’s DN. Will search either from –user-search-base (if specified) or root for entires matching the filter.groupSearchFilter
: The filter which is used to search for group membership. The default isuniqueMember={0}
, corresponding to the groupOfUniqueMembers LDAP class. In this case, the substituted parameter is the full distinguished name of the user. The parameter ‘{1}’ can be used if you want to filter on the login name.groupRoleAttributes
: The attribute which contains the name of the authority defined by the group entry. Defaults tocn
.
UI
spec.spinnakerConfig.config.security.uiSecurity
uiSecurity:
ssl:
overrideBaseUrl:
overrideBaseUrl
: If you are accessing the UI server remotely, provide the full base URL (including protocol) of whatever proxy or load balancer is fronting the UI requests.ssl
:
SSL
uiSecurity:
ssl:
enabled:
sslCertificateFile:
sslCertificateKeyFile:
sslCertificatePassphrase:
sslCACertificateFile:
enabled
: true or false.sslCertificateFile
: Path to your .crt file. File needs to be present on the machine running Spinnaker. Supports encrypted file.sslCertificateKeyFile
: Path to your .key file. File needs to be present on the machine running Spinnaker. Supports encrypted file.sslCertificatePassphrase
: The passphrase needed to unlock your SSL certificate. This will be provided to Apache on startup. Supports encrypted value.sslCACertificateFile
: Path to the .crt file for the CA that issued your SSL certificate. This is only needed for localgitdeployments that serve the UI using webpack dev server. File needs to be present on the machine running Spinnaker. Supports encrypted file.
Kustomize patch examples
You can see examples in the spinnaker-kustomize-patches
repo’s security
folder.
Feedback
Was this page helpful?
Thank you for letting us know!
Sorry to hear that. Please tell us how we can improve.
Last modified April 28, 2021: (af4a12f)