DNS and SSL

What To Expect

This guide should include:

Create a DNS Entry for your Load Balancer

Add a DNS Entry to your DNS management system. You should only need to add a DNS entry for the user-facing ELB which is what you use to currently access Spinnaker. It typically has a name such as the one below

armoryspinnaker-prod-external-123456789.us-west-1.elb.amazonaws.com

Add a CNAME entry for the given ELB to create a simple name you will use to access your instance of Spinnaker, e.g. spinnaker.armory.io.

Update Spinnaker Configuration

Update the values for DECK_HOST and API_HOST in your environment file in the /opt/spinnaker/env directory.

DECK_HOST=http://spinnaker.mydomain.com
API_HOST=http://spinnaker.mydomain.com:8084

SSL Termination at the ELB

For SSL, it can be beneficial to terminate SSL at the Elastic Load Balancer (ELB) whenever feasible. Amazon has the Key Management Service (KMS) for this purpose. If you need to handle certificate management at the application level, you might want to check out Netflix’s Lemur project.

Note: Even if you terminate SSL at the ELB, you must still give Spinnaker a certificate due to workflow bugs between Spring and Tomcat. This certificate is only used between the ELB and Spinnaker.

Enabling HTTPS/SSL in Spinnaker

In order to enable SSL we’ll need to provide Gate (and thus Java) with certificates in a java keystore (JKS) and terminate at the ELB. This will ensure secure communication between your browser/clients and Spinnaker Deck & Gate

Note: Even if you terminate SSL at the ELB, you must still give Spinnaker a certificate due to workflow bugs between Spring and Tomcat. This certificate is only used between the ELB and Spinnaker.

For the following example we’re going to create self-signed certificates although for production use you will want to have an official certificate authority (CA) sign your certificate.

You can either import your own cert or create a self signed cert:

  • Importing your own Certificate.
    export YOUR_KEY_PASSWORD=""
    export YOUR_KEYSTORE_PASSWORD=""
    keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcalias spinnaker -srcstorepass ${YOUR_KEY_PASSWORD} -destkeystore keystore.jks -deststoretype jks -destalias server -deststorepass ${YOUR_KEY_PASSWORD} -destkeypass ${YOUR_KEYSTORE_PASSWORD}
    
  • Creating a self-signed CA (EXPIRES IN 360 DAYS) with java keystore.
    apt-get install -y openjdk-7-jre-headless
    export YOUR_KEYSTORE_PASSWORD="someRandomPa33W0rdForKeystoreForELBtoGateCommunication"
    echo -e "\n\n\n\n\n\ny\n" | keytool -genkey -keyalg RSA -alias server -keystore keystore.jks -storepass ${YOUR_KEYSTORE_PASSWORD} -validity 360 -keysize 2048
    mv keystore.jks /opt/spinnaker/config/
    

In /opt/spinnaker/config/gate-local.yml add the following, making sure to replace the password with your own that you provided in the previous step:

server:
  ssl:
    enabled: true
    keyStore: /opt/spinnaker/config/keystore.jks
    keyStorePassword: ${YOUR_KEYSTORE_PASSWORD}
    keyAlias: server

Update our API_HOST and DECK_HOST environment variables to now have https. Add the following into default.env or if your environment specific env file place it in there: ${CLOUD_STACK}.env:

API_HOST=https://spinnaker.example-domain.com:8084
DECK_HOST=https://spinnaker.example-domain.com

Update your ELB to contain the following port mappings:

elb

Now you can restart Armory Spinnaker by doing

service armory-spinnaker restart