How to disable security (Authn and Authz) for Spinnaker Migration testing
Introduction
When admins test the migration of their production Spinnaker instance to a new cluster or environment, they may need to test the new environment without the production security permissions (e.g., OKTA, SAML, LDAP) in place. If users try to test pipelines or the Spinnaker UI in the new environment, Spinnaker may throw permissions errors, or the new environment may not be accessible.
Prerequisites
Access to the current Spinnaker instance configuration
Instructions
To make sure the new instance can be accessed and used for testing without any permission concerns, comment out the security sections in the Kustomize.yml, except for security/patch-gate-tomcat-headers.yml if it is being used in the environment.
Depending on what the administrators have set up for security, they may also need to comment out portions of the gate and SpinnakerService settings. Here is an example config where Authn and x509 are commented out in SpinnakerService.yml:
#-----------------------------------------------------------------------------------------------------------------
# Example configuration for exposing spinnaker with NodePort Kubernetes services
#-----------------------------------------------------------------------------------------------------------------
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:
    config:
      security:
        apiSecurity:
          overrideBaseUrl: https://minnaker.us-east-1.elb.amazonaws.com:8084
          ssl:
            enabled: true
            keyAlias: gate
            keyStore: encryptedFile.jks
            keyStoreType: jks
            keyStorePassword: spinnaker # The password to unlock your keystore. Due to a limitation in Tomcat, this must match your key's password in the keystore.
#            trustStore: encryptedFile.jks
#            trustStoreType: jks
#            trustStorePassword: spinnaker # The password to unlock your truststore.
#            clientAuth: WANT # Declare 'WANT' when client auth is wanted but not mandatory, or 'NEED', when client auth is mandatory.
        uiSecurity:
          overrideBaseUrl: https://minnaker.us-east-1.elb.amazonaws.com:9000
          ssl:
            enabled: true
            sslCertificateFile: encryptedFile.crt
            sslCertificateKeyFile: encryptedFile.key
            sslCertificatePassphrase: spinnaker # Your passphrase
#        authn:
#          x509:
#            enabled: true
#            roleOid: 1.2.840.10070.8.1
#            subjectPrincipalRegex: EMAILADDRESS=(.*?)(?:,|$)
#    profiles:
#      gate:
#        default:
#          apiPort: 8085
  kustomize:
    deck:
      service:
        patches:
          - |
            spec:
              type: NodePort
              ports:
              - name: http
                port: 9000
                targetPort: 9000
                nodePort: 30000
    gate:
      service:
        patches:
        - |
          spec:
            type: NodePort
            ports:
            - name: http
              port: 8084
              targetPort: 8084
              nodePort: 30084
#            - name: x509
#              port: 8085
#              targetPort: 8085
#              nodePort: 30085
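
An added example, not part of the original article or Armory's tooling: a small Python check that reports which authn methods are still active in a SpinnakerService manifest, so the test manifest can be confirmed as having them commented out and the production manifest as not. The function name and the trimmed sample manifest are constructed for illustration, and the scanner assumes block-style YAML indented with spaces, as in the example config above.

```python
import re

# Constructed sample: trimmed SpinnakerService manifest shaped like the
# article's example, with the authn block commented out for migration testing.
TEST_MANIFEST = """\
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
spec:
  spinnakerConfig:
    config:
      security:
        apiSecurity:
          ssl:
            enabled: true
#        authn:
#          x509:
#            enabled: true
"""

AUTHN_PATH = ("spec", "spinnakerConfig", "config", "security", "authn")
KEY_LINE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*(?:#.*)?$")


def enabled_authn_methods(manifest):
    """Return the authn methods whose 'enabled: true' line is active.

    Assumption: block-style mappings indented with spaces, as in the article's
    example. This is a path scanner, not a general YAML parser.
    """
    stack, found = [], []  # stack holds (indent, key) for the current path
    for line in manifest.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are inactive
        m = KEY_LINE.match(line)
        if not m:
            continue  # list items, block-scalar markers, blank lines
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key))
        path = tuple(k for _, k in stack)
        # Match only <AUTHN_PATH>.<method>.enabled, not e.g. ssl.enabled.
        if (path[:5] == AUTHN_PATH and len(path) == 7
                and key == "enabled" and value.lower() == "true"):
            found.append(path[5])
    return found


if __name__ == "__main__":
    print("active authn methods:", enabled_authn_methods(TEST_MANIFEST) or "none")
```

Run it against the manifest you are about to apply; an empty list on a production manifest means the authn block is still commented out.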